Tag Archives: Nginx

HPKP nginx apache

To enable HPKP, you first create the base64 pin string (the SHA-256 hash of the DER-encoded public key):

From the key file:

openssl rsa -in my-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64

From the CSR file:

openssl req -in my-signing-request.csr -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

From the certificate file:

openssl x509 -in my-certificate.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

You need two pins: one primary and a second one for backup.

Nginx

add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains';

Apache

Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"
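As an added example (not from the post), the same pin derivation and header assembly in Python, plus the pre-deploy check that the key you are about to serve matches one of the pins already advertised. SAMPLE_PUB is a constructed, truncated public-key block, not a real key.

```python
import base64
import hashlib
import re

# Constructed sample: only the first 27 bytes of a P-256 SubjectPublicKeyInfo, not a real key.
SAMPLE_PUB = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
-----END PUBLIC KEY-----
"""

def pin_from_der(der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo)), what the openssl pipelines emit."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")

def spki_pin(pem_text: str) -> str:
    """Pin for a '-----BEGIN PUBLIC KEY-----' block (output of openssl ... -pubout / -pubkey -noout)."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem_text, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block; extract the public key with openssl first")
    return pin_from_der(base64.b64decode("".join(m.group(1).split())))  # tolerates CRLF/indent

def has_backup_pin(pins) -> bool:
    """HPKP needs at least two distinct pins: the live key plus an offline backup key."""
    return len(set(pins)) >= 2

def build_hpkp_header(pins, max_age=5184000, include_subdomains=True) -> str:
    """Value for the Public-Key-Pins header used in the nginx/Apache lines above."""
    if not has_backup_pin(pins):
        raise ValueError("refusing to build an HPKP header without a backup pin")
    parts = ['pin-sha256="%s"' % p for p in dict.fromkeys(pins)] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)

def header_pins(header_value: str) -> set:
    """Parse the pin-sha256 values out of an existing Public-Key-Pins header value."""
    return set(re.findall(r'pin-sha256="([^"]+)"', header_value))

def deploy_is_safe(header_value: str, new_pub_pem: str) -> bool:
    """Pre-deploy check: the public key about to go live must match a pin clients have
    already cached, otherwise pinned browsers refuse the site for max-age seconds."""
    return spki_pin(new_pub_pem) in header_pins(header_value)

if __name__ == "__main__":
    primary = spki_pin(SAMPLE_PUB)
    header = build_hpkp_header([primary, "BACKUP_PIN_PLACEHOLDER_REPLACE_ME="])  # placeholder backup
    print(header)
    print("safe to deploy:", deploy_is_safe(header, SAMPLE_PUB))
```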

Scoring A+ 100 100 100 100 on SSL Labs

If you want to get 100% and A+ on SSL Labs with Apache and Nginx, set the following options:

Apache

SSLEngine on

SSLCertificateFile /etc/apache2/ssl/www_safematix_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www_safematix_com.key

SSLCertificateChainFile /etc/apache2/ssl/chain.pem
SSLCACertificateFile /etc/apache2/ssl/ca.pem

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCompression off

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

SSLCipherSuite 'AES256+EECDH:AES256+EDH:!aNULL'

Nginx

First you should create the dh (Diffie-Hellman) parameter file:

openssl dhparam -out www_safematix_com_dhparam.pem 4096

Then use the following config (the ssl_dhparam path must point at the file you just generated):

ssl on;

ssl_certificate /etc/nginx/ssl/safematix/www.safematix.com.crt;
ssl_certificate_key /etc/nginx/ssl/safematix/www.safematix.com.key;

ssl_dhparam /etc/nginx/ssl/safematix/www.safematix.com-dhparam.pem;
ssl_trusted_certificate /etc/nginx/ssl/ca.pem;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

# nginx sends every add_header with the same name, so keep exactly one HSTS line active
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';

# alternatives for the HSTS line above: six months, with includeSubDomains only if all subdomains support HTTPS!
# add_header Strict-Transport-Security max-age=15768000;
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

Nginx index directory

Autoindex is very practical for creating a download directory. It lists every file under that location, so enable it only where nothing private is stored.

Enable autoindex on /:

...
location / {
autoindex on;
}
...

Full configuration for the download page:

server {
    listen [2a01:4f8:210:3101::13]:443 ssl spdy ipv6only=on;
    listen 443 ssl spdy;
    spdy_headers_comp 5;

    server_name download.safematix.com;

    root /srv/www/download.safematix.com/htdocs;

    access_log /srv/www/download.safematix.com/log/download.safematix.com_ssl.access.log;
    error_log /srv/www/download.safematix.com/log/download.safematix.com_ssl.error.log;

    ssl_certificate /etc/nginx/ssl/safematix/download.safematix.com.crt;
    ssl_certificate_key /etc/nginx/ssl/safematix/download.safematix.com.key;

    ssl_dhparam /etc/nginx/ssl/safematix/download.safematix.com-dhparam.pem;

    location / {
        autoindex on;
    }

    include global/ssl.conf;
}

Links:

http://nginx.org/en/docs/http/ngx_http_autoindex_module.html

HHVM Nginx Ubuntu with multiple Site

To run HHVM on Nginx with Ubuntu 14.04 and multiple sites per server, you can use this howto. I work with Nginx variables, which makes it easy to keep the Nginx configs short.

The first step is to install HHVM on the server:

sudo apt-get install software-properties-common

sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0x5a16e7281be7a449
sudo add-apt-repository 'deb http://dl.hhvm.com/ubuntu trusty main'
sudo apt-get update
sudo apt-get install hhvm

Now you get the following information:

********************************************************************
* HHVM is installed.
* 
* Running PHP web scripts with HHVM is done by having your webserver talk to HHVM
* over FastCGI. Install nginx or Apache, and then:
* $ sudo /usr/share/hhvm/install_fastcgi.sh
* $ sudo /etc/init.d/hhvm restart
* (if using nginx)  $ sudo /etc/init.d/nginx restart
* (if using apache) $ sudo /etc/init.d/apache restart
* 
* Detailed FastCGI directions are online at:
* https://github.com/facebook/hhvm/wiki/FastCGI
* 
* If you're using HHVM to run web scripts, you probably want it to start at boot:
* $ sudo update-rc.d hhvm defaults
* 
* Running command-line scripts with HHVM requires no special setup:
* $ hhvm whatever.php
* 
* You can use HHVM for /usr/bin/php even if you have php-cli installed:
* $ sudo /usr/bin/update-alternatives --install /usr/bin/php php /usr/bin/hhvm 60
********************************************************************

Now run the install script:

sudo /usr/share/hhvm/install_fastcgi.sh
sudo /usr/bin/update-alternatives --install /usr/bin/php php /usr/bin/hhvm 60

Now HHVM is installed. Next, set up the multiple instances by copying the init script, its defaults file and the server config once per site (copy the ini from the default /etc/hhvm/server.ini or from an existing site's ini):

sudo cp /etc/init.d/hhvm /etc/init.d/hhvm_www_safematix_com
sudo cp /etc/default/hhvm /etc/default/hhvm_www_safematix_com
sudo cp /etc/hhvm/server.ini /etc/hhvm/server_www_safematix_com.ini

Now you must edit the configs.

/etc/init.d/hhvm_www_safematix_com

sudo vi /etc/init.d/hhvm_www_safematix_com
...
NAME=hhvm_www_safematix_com
...
PIDFILE=/var/run/hhvm/pid_$NAME

/etc/default/hhvm_www_safematix_com

## This is a configuration file for /etc/init.d/hhvm.
## Overwrite start up configuration of the hhvm service.
##
## This file is sourced by /bin/sh from /etc/init.d/hhvm.

## Configuration file location.
## Default: "/etc/hhvm/server.ini"
## Examples:
##   "/etc/hhvm/conf.d/fastcgi.ini" Load configuration file from Debian/Ubuntu conf.d style location
CONFIG_FILE="/etc/hhvm/server_www_safematix_com.ini"

## User to run the service as.
## Default: "www-data"
## Examples:
##   "hhvm"   Custom 'hhvm' user
##   "nobody" RHEL/CentOS 'www-data' equivalent
RUN_AS_USER="www_safematix_com"
RUN_AS_GROUP="www_safematix_com"

## Add additional arguments to the hhvm service start up that you can't put in CONFIG_FILE for some reason.
## Default: ""
## Examples:
##   "-vLog.Level=Debug"                Enable debug log level
##   "-vServer.DefaultDocument=app.php" Change the default document
#ADDITIONAL_ARGS=""

## PID file location.
## Default: "/var/run/hhvm/pid"
#PIDFILE="/var/run/hhvm/pid"

/etc/hhvm/server_www_safematix_com.ini

; php options

pid = /var/run/hhvm/pid_www_safematix_com

; hhvm specific 

hhvm.server.port = 9001
hhvm.server.type = fastcgi
hhvm.server.default_document = index.php
hhvm.log.use_log_file = true
hhvm.log.file = /var/log/hhvm/error_www_safematix_com.log
hhvm.repo.central.path = /var/run/hhvm/hhvm.hhbc

Now edit the Nginx settings. The PHP location block passes requests to the HHVM instance on the port that each vhost sets in $siteport:

location ~ \.(hh|php)$ {
    fastcgi_keep_conn on;
    fastcgi_pass   127.0.0.1:$siteport;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;
}

vhost config:

server {
    listen [2a01:4f8:210:3101::12]:443 ssl spdy;
    listen 443 ssl spdy;
    spdy_headers_comp 5;

    server_name www.safematix.com safematix.com;

    root /srv/www/www_safematix_com/htdocs;
    index index.php index.html index.htm;

    access_log /srv/www/www_safematix_com/log/www.safematix.com_ssl.access.log;
    error_log /srv/www/www_safematix_com/log/www.safematix.com_ssl.error.log;

    ssl_certificate /etc/nginx/ssl/safematix/www.safematix.com.crt;
    ssl_certificate_key /etc/nginx/ssl/safematix/www.safematix.com.key;

    ssl_dhparam /etc/nginx/ssl/safematix/www.safematix.com-dhparam.pem;

    set $siteport 9001;

    include global/ssl.conf;
    include global/restrictions.conf;
    include global/wordpress.conf;
    include global/php.conf;
}

Now enable HHVM at boot, start the new instance and reload Nginx:

sudo update-rc.d hhvm_www_safematix_com defaults
sudo service hhvm_www_safematix_com start
sudo service nginx reload

External Links:
https://github.com/facebook/hhvm/wiki/Prebuilt-packages-on-Ubuntu-14.04
https://github.com/facebook/hhvm/wiki/Getting-Started
https://kinsta.com/blog/real-world-wordpress-benchmarks-with-php5-5-php5-6-php-ng-and-hhvm/
http://webdevstudios.com/2014/07/17/setting-up-wordpress-nginx-hhvm-for-the-fastest-possible-load-times/

Nginx global config

Nginx global config for your sites-enabled in Ubuntu / Debian.

Whenever several vhosts share the same config, it is better to work with global settings.

Here is an example with the SSL config in Nginx. With one global config it is harder to forget something.

/etc/nginx/global/ssl.conf

ssl on;

ssl_trusted_certificate /etc/nginx/ssl/ca.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

# nginx sends every add_header with the same name, so keep exactly one HSTS line active
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';

# alternatives for the HSTS line above: six months, with includeSubDomains only if all subdomains support HTTPS!
# add_header Strict-Transport-Security max-age=15768000;
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

/etc/nginx/sites-enabled/www_safematix_com

server {
    listen [2a01:4f8:210:3101::12]:443 ssl spdy;
    listen 443 ssl spdy;
    spdy_headers_comp 5;

    server_name www.safematix.com safematix.com;

    root /srv/www/www_safematix_com/htdocs;
    index index.php index.html index.htm;

    access_log /srv/www/www_safematix_com/log/www.safematix.com_ssl.access.log;
    error_log /srv/www/www_safematix_com/log/www.safematix.com_ssl.error.log;

    ssl_certificate /etc/nginx/ssl/safematix/www.safematix.com.crt;
    ssl_certificate_key /etc/nginx/ssl/safematix/www.safematix.com.key;

    ssl_dhparam /etc/nginx/ssl/safematix/www.safematix.com-dhparam.pem;

    set $siteport 9001;

    include global/ssl.conf;
    include global/restrictions.conf;
    include global/wordpress.conf;
    include global/php.conf;
}

Nginx 1.7 Ubuntu 14.04

When you have Nginx 1.7 you can also use SPDY 1.3 and other cool features.

To install Nginx 1.7 on Ubuntu 14.04, you can use this:

curl http://nginx.org/keys/nginx_signing.key | apt-key add -
echo -e "deb http://nginx.org/packages/mainline/ubuntu/ `lsb_release -cs` nginx\ndeb-src http://nginx.org/packages/mainline/ubuntu/ `lsb_release -cs` nginx" > /etc/apt/sources.list.d/nginx.list

Update source and install or upgrade Nginx:

aptitude update
aptitude install nginx
aptitude dist-upgrade

When you use PHP, add this to /etc/nginx/fastcgi_params:

# add for nginx 1.7
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

Links: http://nginx.org/en/linux_packages.html#stable

Nginx worker_connections exceed open file resource

When you restart the nginx service and see this message, you have a problem with the open file limit:

root@web01:/var/log/nginx# service nginx restart

* Restarting nginx nginx nginx: [warn] 4096 worker_connections exceed open file resource limit: 1024
 nginx: [warn] 4096 worker_connections exceed open file resource limit: 1024

You can set it manually for the current shell with

ulimit -n 65536

To see the open file limit:

root@web01:/var/log/nginx# ulimit -n
65536

You can also see all limits with

root@web01:/var/log/nginx# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 256697
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65536
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 256697
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

On Ubuntu and Debian you can set the limits in /etc/security/limits.conf with

* soft nofile 65536
* hard nofile 65536
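Added example, not from the post: ulimit -n in your shell only changes that shell's limit, while an nginx master started by init keeps the limit it inherited, which you can read from /proc/<pid>/limits. The Python below mirrors nginx's startup check against a constructed nginx.conf fragment and limits excerpt; the pid-file path in the comment is an assumption.

```python
import re

# Constructed nginx.conf fragment and /proc/<pid>/limits excerpt (not captured from a real host).
SAMPLE_CONF = """worker_processes 4;
events {
    worker_connections 4096;
}
"""
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
"""

def parse_nginx_conf(conf_text):
    """worker_connections (nginx default 512) and worker_rlimit_nofile (None if unset)."""
    wc = re.search(r"^\s*worker_connections\s+(\d+)\s*;", conf_text, re.M)
    rl = re.search(r"^\s*worker_rlimit_nofile\s+(\d+)\s*;", conf_text, re.M)
    return (int(wc.group(1)) if wc else 512, int(rl.group(1)) if rl else None)

def parse_proc_limits(limits_text):
    """(soft, hard) 'Max open files' of a running process, from /proc/<pid>/limits text."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            fields = line.split()  # Max open files <soft> <hard> files
            return int(fields[3]), int(fields[4])
    raise ValueError("no 'Max open files' line")

def nofile_warning(conf_text, limits_text):
    """Mirror the startup check behind the warning above: workers get worker_rlimit_nofile
    if it is set, otherwise the soft limit the master inherited (not your shell's ulimit -n)."""
    connections, rlimit_nofile = parse_nginx_conf(conf_text)
    soft, _hard = parse_proc_limits(limits_text)
    if connections > soft and (rlimit_nofile is None or connections > rlimit_nofile):
        limit = soft if rlimit_nofile is None else rlimit_nofile
        return "%d worker_connections exceed open file resource limit: %d" % (connections, limit)
    return None

if __name__ == "__main__":
    # Against a live host (assumed paths): read the master pid, then its real limits.
    # pid = open("/var/run/nginx.pid").read().strip()
    # limits = open("/proc/%s/limits" % pid).read()
    print(nofile_warning(SAMPLE_CONF, SAMPLE_LIMITS))
```

Raising the value in limits.conf or via worker_rlimit_nofile only takes effect for a master process started afterwards, so re-check /proc/<pid>/limits after the restart.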

Nginx client intended to send too large body

If you see this in the error log of your site:

2015/01/25 13:01:31 [error] 7477#0: *11490 client intended to send too large body: 1424254 bytes, client: 2a02:168:66b9:0:dc3c:5449:d617:86f6, server: www.safematix.com, request: "POST /wp-admin/async-upload.php HTTP/1.1", host: "www.safematix.com", referrer: "https://www.safematix.com/wp-admin/post-new.php"

Open nginx.conf and edit the http block:

vi /etc/nginx/nginx.conf

http {
    client_max_body_size 50M;
    ...
}

It is also possible to put the setting in a location block:

location / {
    client_max_body_size 50M;
    ...
}

Don’t forget to reload the nginx service:

service nginx reload

Nginx SSL Labs A+

To get a highly secure SSL installation on Nginx you should use the following config. With these settings you also get an A+.

SSL Labs A+
It is important to create the Forward Secrecy & Diffie-Hellman Ephemeral parameters.

You can create the dhparam.pem with openssl:

openssl dhparam -out www_safematix_com_dhparam.pem 4096

Then use the following config (the ssl_dhparam path must point at the file you just generated):

ssl on;
ssl_certificate /etc/nginx/ssl/safematix/www_safematix_com.crt;
ssl_certificate_key /etc/nginx/ssl/safematix/www_safematix_com.key;
ssl_trusted_certificate /etc/nginx/ssl/safematix/ca.pem;

ssl_dhparam /etc/nginx/ssl/safematix/www_safematix_com_dhparam.pem;

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

# nginx sends every add_header with the same name, so keep exactly one HSTS line active
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';

# alternatives for the HSTS line above: six months, with includeSubDomains only if all subdomains support HTTPS!
# add_header Strict-Transport-Security max-age=15768000;
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";