Nginx Server For Hosting Files Ubuntu 22.04: Difference between revisions
(Created page with "==Spin up a Server == Using <b>Vultr</b> i am going to deploy a <b>Ubuntu 20.04</b> Server.<br \> $5 a month, 1 cpu, 1024MB ram, 25GB ssd, 1000GB Bandwidth.<br \> I have been given the IP:<b>192.248.155.201</b> <br \> ===DNS=== make a <b>A RECORD</b> for subdomain server IP address<br> {| class="wikitable" |+ Dns |- |Type |Host |Ip address |TTL |- |A record |xml |192.248.155.201 |auto |- |} ==Enable Basic FireWall== <code>ufw allow 22/tcp</code><br> <code>ufw allow 44...") |
imported>AwesomO |
||
(8 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
==Spin up a Server == | |||
==With DNS - cert by LetsEncrypt== | |||
[[Nginx_Server_For_Hosting_Files_Ubuntu_22.04#No_DNS_using_IP_and_SelfSigned_Certs|No DNS Using IP and Self Signed Certs for https]] | |||
===Spin up a Server === | |||
Using <b>Vultr</b> i am going to deploy a <b>Ubuntu 20.04</b> Server.<br \> | Using <b>Vultr</b> i am going to deploy a <b>Ubuntu 20.04</b> Server.<br \> | ||
$5 a month, 1 cpu, 1024MB ram, 25GB ssd, 1000GB Bandwidth.<br \> | $5 a month, 1 cpu, 1024MB ram, 25GB ssd, 1000GB Bandwidth.<br \> | ||
Line 22: | Line 26: | ||
|} | |} | ||
==Enable Basic FireWall== | ===Enable Basic FireWall=== | ||
<code>ufw allow 22/tcp</code><br> | <code>ufw allow 22/tcp</code><br> | ||
<code>ufw allow 443/tcp</code><br> | <code>ufw allow 443/tcp</code><br> | ||
Line 29: | Line 33: | ||
<code>ufw enable</code><br \> | <code>ufw enable</code><br \> | ||
==Auto | ===Enable Auto Updates=== | ||
[[Ubuntu_unattended-upgrades#Quick_Start_-_Up_and_running_auto_updates|Setup Basic Auto Updates for your Server so you don't have to keep logging into server to update]] | |||
===Install NGINX=== | |||
<code>apt install nginx -y</code><br> | |||
< | You should now be able to see the <b>Welcome to nginx!</b> site on your subdomain (or just use server ip address).<br> | ||
Only <b>http</b> will work as we have not yet setup are <b>https</b><br> | |||
< | |||
</ | |||
< | |||
</ | |||
<br | |||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
Default NGINX Before Certbot - Placed here just for notes:<br> | |||
<code>cat /etc/nginx/sites-available/default</code> | |||
<div class="mw-collapsible-content"> | |||
<pre> | <pre> | ||
// | ## | ||
// | # You should look at the following URL's in order to grasp a solid understanding | ||
// | # of Nginx configuration files in order to fully unleash the power of Nginx. | ||
# https://www.nginx.com/resources/wiki/start/ | |||
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ | |||
# https://wiki.debian.org/Nginx/DirectoryStructure | |||
# | |||
# In most cases, administrators will remove this file from sites-enabled/ and | |||
# leave it as reference inside of sites-available where it will continue to be | |||
# updated by the nginx packaging team. | |||
# | |||
# This file will automatically load configuration files provided by other | |||
# applications, such as Drupal or Wordpress. These applications will be made | |||
# available underneath a path with that package name, such as /drupal8. | |||
# | |||
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. | |||
## | |||
# Default server configuration | |||
# | |||
server { | |||
listen 80 default_server; | |||
listen [::]:80 default_server; | |||
// | # SSL configuration | ||
// | # | ||
/ | # listen 443 ssl default_server; | ||
# listen [::]:443 ssl default_server; | |||
# | |||
# Note: You should disable gzip for SSL traffic. | |||
# See: https://bugs.debian.org/773332 | |||
# | |||
# Read up on ssl_ciphers to ensure a secure configuration. | |||
# See: https://bugs.debian.org/765782 | |||
# | |||
# Self signed certs generated by the ssl-cert package | |||
# Don't use them in a production server! | |||
# | |||
# include snippets/snakeoil.conf; | |||
root /var/www/html; | |||
# Add index.php to the list if you are using PHP | |||
index index.html index.htm index.nginx-debian.html; | |||
server_name _; | |||
location / { | |||
# First attempt to serve request as file, then | |||
# as directory, then fall back to displaying a 404. | |||
try_files $uri $uri/ =404; | |||
} | |||
/ | # pass PHP scripts to FastCGI server | ||
# | |||
#location ~ \.php$ { | |||
# include snippets/fastcgi-php.conf; | |||
# | |||
# # With php-fpm (or other unix sockets): | |||
# fastcgi_pass unix:/run/php/php7.4-fpm.sock; | |||
# # With php-cgi (or other tcp sockets): | |||
# fastcgi_pass 127.0.0.1:9000; | |||
#} | |||
# deny access to .htaccess files, if Apache's document root | |||
/ | # concurs with nginx's one | ||
# | |||
#location ~ /\.ht { | |||
# deny all; | |||
#} | |||
} | |||
/ | # Virtual Host configuration for example.com | ||
/ | # | ||
# You can move that to a different file under sites-available/ and symlink that | |||
# to sites-enabled/ to enable it. | |||
# | |||
#server { | |||
# listen 80; | |||
# listen [::]:80; | |||
# | |||
# server_name example.com; | |||
# | |||
# root /var/www/example.com; | |||
# index index.html; | |||
# | |||
# location / { | |||
# try_files $uri $uri/ =404; | |||
# } | |||
#} | |||
</pre> | </pre> | ||
</div> | |||
</div> | |||
===LetsEncrypt=== | ===LetsEncrypt=== | ||
Line 107: | Line 149: | ||
===Setup NGINX=== | ===Setup NGINX=== | ||
CertBot did the work for us :) Good Bot.<br> | |||
The nginx default site should look like this:<br> | The nginx default site should look like this:<br> | ||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
<code>cat /etc/nginx/sites-available/default</code><br> | <code>cat /etc/nginx/sites-available/default</code><br> | ||
<div class="mw-collapsible-content"> | |||
<pre> | <pre> | ||
## | ## | ||
Line 275: | Line 321: | ||
} | } | ||
</pre> | </pre> | ||
</div> | |||
</div> | |||
We just need to add one line <code>autoindex on;</code>in the <b>location { }</b> | We just need to add one line <code>autoindex on;</code>in the <b>location { }</b> | ||
<code>$EDITOR /etc/nginx/sites-available/default</code><br> | <code>$EDITOR /etc/nginx/sites-available/default</code><br> | ||
Line 449: | Line 496: | ||
} | } | ||
</pre> | |||
</div> | |||
</div> | |||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
Same File with Comments removed for easier read: | |||
<div class="mw-collapsible-content"> | |||
<pre> | |||
# Default server configuration | |||
# | |||
server { | |||
listen 80 default_server; | |||
listen [::]:80 default_server; | |||
root /var/www/html; | |||
# Add index.php to the list if you are using PHP | |||
index index.html index.htm index.nginx-debian.html; | |||
server_name _; | |||
location / { | |||
# First attempt to serve request as file, then | |||
# as directory, then fall back to displaying a 404. | |||
try_files $uri $uri/ =404; | |||
} | |||
} | |||
server { | |||
root /var/www/html; | |||
# Add index.php to the list if you are using PHP | |||
index index.html index.htm index.nginx-debian.html; | |||
server_name xml.completenoobs.com; # managed by Certbot | |||
location / { | |||
# First attempt to serve request as file, then | |||
# as directory, then fall back to displaying a 404. | |||
try_files $uri $uri/ =404; | |||
# To allow browsing of directory | |||
autoindex on; | |||
} | |||
listen [::]:443 ssl ipv6only=on; # managed by Certbot | |||
listen 443 ssl; # managed by Certbot | |||
ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot | |||
ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
server { | |||
if ($host = xml.completenoobs.com) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
listen 80 ; | |||
listen [::]:80 ; | |||
server_name xml.completenoobs.com; | |||
return 404; # managed by Certbot | |||
} | |||
</pre> | |||
</div> | |||
</div> | |||
====More Info==== | |||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
<b>autoindex on;</b> directive: | |||
<div class="mw-collapsible-content"> | |||
The <b>autoindex on;</b> directive in an Nginx configuration file enables directory listing for the specified location. | |||
In other words, if a user requests a URL that corresponds to a directory (rather than a specific file), and '''autoindex on;''' is specified for that location in the Nginx configuration file, then Nginx will generate a directory listing page that shows the contents of that directory. | |||
This can be useful for making files available for download or for providing an easy way to browse the contents of a directory. However, it can also be a security risk if sensitive files are inadvertently made available for download or if a user gains access to a directory listing page that they should not be able to access. | |||
To mitigate this risk, it's important to ensure that the '''autoindex on;''' directive is only used when necessary and is not enabled for sensitive directories or files. It's also a good idea to customize the appearance of the directory listing page to make it clear what files are available and to restrict access to the directory listing page using Nginx authentication or other security measures. | |||
</div> | |||
</div> | |||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
Nginx Config File: | |||
<div class="mw-collapsible-content"> | |||
<pre> | |||
# Default server configuration | |||
# | |||
server { | |||
listen 80 default_server; | |||
listen [::]:80 default_server; | |||
######^^^ | |||
These two lines specify that the server block is listening on port 80 (the default HTTP port) for IPv4 and IPv6 connections. The default_server parameter indicates that this block will be used as the default server block for any incoming connections that do not match any other server blocks. | |||
################################################# | |||
root /var/www/html; | |||
######^^ | |||
This line sets the root directory for the server block. This is the directory where Nginx will look for files to serve in response to incoming requests. | |||
########################################## | |||
# Add index.php to the list if you are using PHP | |||
index index.html index.htm index.nginx-debian.html; | |||
##########^^ | |||
This line specifies the order in which Nginx should look for index files in the root directory when serving requests. In this case, Nginx will first look for index.html, then index.htm, and then index.nginx-debian.html. | |||
########################################################## | |||
server_name _; | |||
#######^^ | |||
This line specifies the server name for the block. The underscore _ indicates a catch-all server name, meaning that this block will handle any requests that do not match a server name defined in another server block. | |||
####################################################### | |||
location / { | |||
# First attempt to serve request as file, then | |||
# as directory, then fall back to displaying a 404. | |||
try_files $uri $uri/ =404; | |||
###############^^ | |||
This block specifies the location directive for requests that match the root directory of the server block. The try_files directive specifies that Nginx should first try to serve the request as a file, then as a directory, and then return a 404 error if the file or directory cannot be found. | |||
###################################################### | |||
} | |||
} | |||
server { | |||
root /var/www/html; | |||
# Add index.php to the list if you are using PHP | |||
index index.html index.htm index.nginx-debian.html; | |||
server_name xml.completenoobs.com; # managed by Certbot | |||
######^^ | |||
This block specifies the server configuration for requests that match the server name xml.completenoobs.com. The root directive specifies the root directory for this server block, and the index directive specifies the order in which Nginx should look for index files when serving requests. The server_name directive specifies the name of the server that this block handles. | |||
###################### | |||
location / { | |||
# First attempt to serve request as file, then | |||
# as directory, then fall back to displaying a 404. | |||
try_files $uri $uri/ =404; | |||
# To allow browsing of directory | |||
autoindex on; | |||
} | |||
###########^^ | |||
This block specifies the location directive for requests that match the root directory of the server block. The try_files directive specifies that Nginx should first try to serve the request as a file, then as a directory, and then return a 404 error if the file or directory cannot be found. The autoindex directive enables directory listing for this location. | |||
############################## | |||
listen [::]:443 ssl ipv6only=on; # managed by Certbot | |||
listen 443 ssl; # managed by Certbot | |||
ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot | |||
ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot | |||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot | |||
} | |||
##################^^ | |||
These lines specify the SSL configuration for the server block, including the SSL certificates and keys, the SSL protocol settings, and the SSL Diffie-Hellman parameters. The listen directive specifies that the server block should listen for HTTPS connections on port 443, and the ssl parameter indicates that SSL/TLS should be used for these connections. The remaining lines specify the SSL certificates and keys, as well as the SSL options and Diffie-Hellman parameters managed by Certbot. | |||
######################### | |||
server { | |||
if ($host = xml.completenoobs.com) { | |||
return 301 https://$host$request_uri; | |||
} # managed by Certbot | |||
########^^ | |||
This block specifies that if the incoming request matches the server name xml.completenoobs.com, Nginx should return a 301 HTTP status code (Moved Permanently) and redirect the request to HTTPS. | |||
####################### | |||
listen 80 ; | |||
listen [::]:80 ; | |||
server_name xml.completenoobs.com; | |||
return 404; # managed by Certbot | |||
} | |||
##########^^ | |||
These lines specify the server configuration for requests that match the server name xml.completenoobs.com on port 80 (the default HTTP port). The listen directives specify that the server block should listen for HTTP connections on both IPv4 and IPv6. The server_name directive specifies the name of the server that this block handles. The return 404 directive specifies that Nginx should return a 404 HTTP status code for all requests that match this server block. | |||
Note that this server block is likely intended to be used in conjunction with another server block that handles HTTPS requests for xml.completenoobs.com, since the HTTP requests will be redirected to HTTPS by the if directive in this block. | |||
############################ | |||
</pre> | </pre> | ||
</div> | </div> | ||
Line 486: | Line 719: | ||
==Transfer Files to Sharing Directory== | ==Transfer Files to Sharing Directory== | ||
NOTE: [[Scp_only|If you are receiving file from another server (setup server to send with script and ssh-keys), you may wish to create another account which can only receive '''scp''' to path]] | |||
===scp=== | ===scp=== | ||
Check [[ | Check [[SCP_Examples|SCP_Examples]] for more examples:<br> | ||
To send direct from MediaWiki server (Example file 'xmlDump-03-03-2023')<br> | To send direct from MediaWiki server (Example file 'xmlDump-03-03-2023')<br> | ||
Will be prompted to enter password:<br> | Will be prompted to enter password:<br> | ||
Line 493: | Line 728: | ||
===sshfs=== | ===sshfs=== | ||
[[Sshfs_ubuntu|Read the sshfs page for more info]]<br> | |||
Can be useful if you are transferring a large number of files from your computer to server and want to use the GUI file explorer.<br> | Can be useful if you are transferring a large number of files from your computer to server and want to use the GUI file explorer.<br> | ||
<br> | <br> | ||
Line 516: | Line 752: | ||
<code>/etc/nginx/sites-available/default</code>: Before | <code>/etc/nginx/sites-available/default</code>: Before | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
<pre> | |||
## | ## | ||
# You should look at the following URL's in order to grasp a solid understanding | # You should look at the following URL's in order to grasp a solid understanding | ||
Line 679: | Line 916: | ||
} | } | ||
</pre> | |||
</div> | </div> | ||
</div> | </div> | ||
Line 685: | Line 923: | ||
<code>/etc/nginx/sites-available/default</code>: After | <code>/etc/nginx/sites-available/default</code>: After | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
<pre> | |||
## | ## | ||
# You should look at the following URL's in order to grasp a solid understanding | # You should look at the following URL's in order to grasp a solid understanding | ||
Line 852: | Line 1,091: | ||
} | } | ||
</pre> | |||
</div> | </div> | ||
</div> | </div> | ||
Line 933: | Line 1,172: | ||
Restart Nginx:<br> | Restart Nginx:<br> | ||
<code>systemctl restart nginx</code><br> | <code>systemctl restart nginx</code><br> | ||
==No DNS using IP and SelfSigned Certs== | |||
===Update system=== | |||
<code>apt update && apt upgrade -y</code><br \> | |||
===Install NGINX=== | |||
<code>apt install nginx -y</code><br> | |||
You should now be able to see the <b>Welcome to nginx!</b> site on your subdomain (or just use server ip address).<br> | |||
Only <b>http</b> will work as we have not yet setup are <b>https</b><br> | |||
===Create keys for encrypted https connection=== | |||
Note: If you are just building a quick website to test this out you can use <b>Blank</b> (just press enter) for all fields and it will still work.<br \> | |||
<code>openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt</code><br \> | |||
<div class="toccolours mw-collapsible mw-collapsed"> | |||
quick explanation: | |||
<div class="mw-collapsible-content"> | |||
:* '''openssl''': This command invokes the OpenSSL tool, which is a software library that provides a variety of cryptographic functions and utilities. | |||
:* '''req''': This is a subcommand of OpenSSL that is used for creating and managing X.509 certificate signing requests (CSRs) and self-signed certificates. | |||
:* -'''x509''': This option specifies that the output should be a self-signed X.509 certificate rather than a CSR. | |||
:* '''-nodes''': This option specifies that the private key should not be encrypted with a password, allowing for automatic startup of services that use SSL/TLS. | |||
:* -days 365: This option specifies the number of days that the certificate will be valid for before it expires. | |||
:* '''-newkey rsa:4096''': This option generates a new RSA private key with a key length of 4096 bits, which provides a higher level of security than shorter key lengths. | |||
:* '''-keyout /etc/ssl/private/nginx-selfsigned.key''': This option specifies the path and filename of the private key file that will be generated by OpenSSL. | |||
:* '''-out /etc/ssl/certs/nginx-selfsigned.crt''': This option specifies the path and filename of the self-signed certificate file that will be generated by OpenSSL. | |||
Overall, this command generates a self-signed SSL/TLS certificate and private key that can be used to secure an Nginx web server. The certificate and key are saved to the specified locations for use in the Nginx server configuration. It's important to note that while self-signed certificates can provide some level of encryption for your web traffic, they do not provide any form of authentication or verification of identity, and should not be used in production environments where security is a top priority. | |||
</div> | |||
</div> | |||
/etc/ssl/private/nginx-selfsigned.key<br> | |||
/etc/ssl/certs/nginx-selfsigned.crt | |||
===Create diffhelman=== | |||
<code>openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048</code><br \> | |||
You can upgrade from 2048 to 4096 but it might take a while.<br \> | |||
<code>$EDITOR /etc/nginx/snippets/ssl-params.conf</code><br> | |||
Nginx configuration directives related to SSL/TLS: | |||
<pre> | |||
ssl_protocols TLSv1.2; | |||
#This directive specifies the SSL/TLS protocols that the server will use for secure connections. In this case, only TLS version 1.2 is allowed. | |||
ssl_prefer_server_ciphers on; | |||
#This directive tells the server to prefer the ciphers specified by the server over those requested by the client. | |||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL !LOW !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED'; | |||
#This directive specifies the SSL/TLS ciphers that the server will use for secure connections. These ciphers prioritize the use of elliptic curve cryptography (ECDHE) for key exchange and advanced encryption algorithms such as AES256 and CHACHA20-POLY1305 for encryption. | |||
ssl_ecdh_curve secp384r1; | |||
#This directive specifies the elliptic curve Diffie-Hellman (ECDH) curve that the server will use for key exchange. In this case, the secp384r1 curve is used. | |||
ssl_session_cache shared:SSL:10m; | |||
ssl_session_tickets off; | |||
#These directives configure SSL session caching, which can improve performance by allowing the server to reuse SSL session parameters for multiple connections. The ssl_session_cache directive specifies the type of session cache to use, and the ssl_session_tickets directive specifies whether session tickets should be used. | |||
# need to turn ssl_stapling off for selfsigned or will get errors in /var/log/nginx/error.log | |||
ssl_stapling off; | |||
ssl_stapling_verify off; | |||
#These directives configure OCSP stapling, which can improve security by allowing the server to provide proof of the SSL/TLS certificate's validity without requiring the client to contact the certificate authority. The ssl_stapling directive specifies whether stapling should be used, and the ssl_stapling_verify directive specifies whether the server should verify the OCSP response from the certificate authority. | |||
resolver 8.8.8.8 80.80.80.80 valid=300s; | |||
resolver_timeout 5s; | |||
#These directives configure DNS resolution for OCSP stapling. The resolver directive specifies the DNS servers to use for resolving OCSP requests, and the valid parameter specifies the duration for which DNS responses will be cached. The resolver_timeout directive specifies the timeout value for DNS resolution. | |||
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; | |||
add_header X-Frame-Options DENY; | |||
add_header X-Content-Type-Options nosniff; | |||
#These directives add security-related HTTP headers to responses sent by the server. The Strict-Transport-Security header specifies that SSL/TLS should always be used for connections to the server, and the X-Frame-Options and X-Content-Type-Options headers help protect against clickjacking and MIME sniffing attacks, respectively. | |||
ssl_dhparam /etc/ssl/certs/dhparam.pem; | |||
#This directive specifies the location of the Diffie-Hellman parameters file used for SSL/TLS key exchange. The ssl_dhparam directive is used to specify the path to the file that contains the Diffie-Hellman parameters. | |||
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; | |||
# self-signed certificate file | |||
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; | |||
# private key file | |||
</pre> | |||
====Nginx==== | |||
<code>$EDITOR /etc/nginx/sites-available/default</code><br \> | |||
<b>MAKE SURE TO CHANGE IP 12.34.56.78 to YOUR servers Public IP address</b><br \> | |||
<pre> | |||
server { | |||
listen 80 default_server; | |||
listen [::]:80 default_server; | |||
server_name 12.34.56.78; ## change ip to match your server ip | |||
return 302 https://$server_name$request_uri; | |||
} | |||
server { | |||
# SSL configuration | |||
# | |||
listen 443 ssl default_server; | |||
listen [::]:443 ssl default_server; | |||
include snippets/ssl-params.conf; | |||
root /var/www/html; | |||
# Add index.php to the list if you are using PHP | |||
index index.html index.htm index.nginx-debian.html; | |||
server_name _; | |||
location / { | |||
# First attempt to serve request as file, then | |||
# as directory, then fall back to displaying a 404. | |||
try_files $uri $uri/ =404; | |||
# To allow browsing of directory | |||
autoindex on; | |||
} | |||
} | |||
</pre> | |||
====Restart Nginx==== | |||
<code> systemctl restart nginx</code><br \> | |||
====Allow Nginx pass firewall==== | |||
<code>ufw allow 80/tcp</code><br \> | |||
<code>ufw allow 443/tcp</code><br \> | |||
====Create a Directory to share store files==== | |||
<code>mkdir /var/www/html/files</code><br \> | |||
====Create an html file==== | |||
<code>$EDITOR /var/www/html/index.html</code><br \> | |||
<pre> | |||
<!DOCTYPE html> | |||
<html> | |||
<head> | |||
<title>Files For Download</title> | |||
</head> | |||
<body> | |||
<a href="files">Click here for are latest files</a>.</p> | |||
</body> | |||
</html> | |||
</pre> | |||
====Transfer_Files_to_Sharing_Directory==== | |||
[[Nginx_Server_For_Hosting_Files_Ubuntu_22.04#Transfer_Files_to_Sharing_Directory|Same as with using certbot]]<br><br> | |||
[[Nginx_Server_For_Hosting_Files_Ubuntu_22.04#Require_Username_and_Password_to_view_website/files_(Optional_-_Placed_here_for_educational_reasons)|Require Username and Passwd to view files]] |
Latest revision as of 12:26, 17 April 2023
With DNS - cert by LetsEncrypt
No DNS Using IP and Self Signed Certs for https
Spin up a Server
Using Vultr i am going to deploy a Ubuntu 20.04 Server.
$5 a month, 1 cpu, 1024MB ram, 25GB ssd, 1000GB Bandwidth.
I have been given the IP:192.248.155.201
DNS
make a A RECORD for subdomain server IP address
Type | Host | Ip address | TTL |
A record | xml | 192.248.155.201 | auto |
Enable Basic FireWall
ufw allow 22/tcp
ufw allow 443/tcp
ufw allow 80/tcp
ufw enable
Enable Auto Updates
Setup Basic Auto Updates for your Server so you don't have to keep logging into server to update
Install NGINX
apt install nginx -y
You should now be able to see the Welcome to nginx! site on your subdomain (or just use server ip address).
Only http will work as we have not yet setup are https
Default NGINX Before Certbot - Placed here just for notes:
cat /etc/nginx/sites-available/default
## # You should look at the following URL's in order to grasp a solid understanding # of Nginx configuration files in order to fully unleash the power of Nginx. # https://www.nginx.com/resources/wiki/start/ # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ # https://wiki.debian.org/Nginx/DirectoryStructure # # In most cases, administrators will remove this file from sites-enabled/ and # leave it as reference inside of sites-available where it will continue to be # updated by the nginx packaging team. # # This file will automatically load configuration files provided by other # applications, such as Drupal or Wordpress. These applications will be made # available underneath a path with that package name, such as /drupal8. # # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. ## # Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } # pass PHP scripts to FastCGI server # #location ~ \.php$ { # include snippets/fastcgi-php.conf; # # # With php-fpm (or other unix sockets): # fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # Virtual Host configuration for example.com # # You can move that to a different file under sites-available/ and symlink that # to sites-enabled/ to enable it. # #server { # listen 80; # listen [::]:80; # # server_name example.com; # # root /var/www/example.com; # index index.html; # # location / { # try_files $uri $uri/ =404; # } #}
LetsEncrypt
snap install certbot --classic
certbot --nginx -d xml.completenoobs.com
You should now be able to view the Welcome to nginx! page with https
Setup NGINX
CertBot did the work for us :) Good Bot.
The nginx default site should look like this:
cat /etc/nginx/sites-available/default
## # You should look at the following URL's in order to grasp a solid understanding # of Nginx configuration files in order to fully unleash the power of Nginx. # https://www.nginx.com/resources/wiki/start/ # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ # https://wiki.debian.org/Nginx/DirectoryStructure # # In most cases, administrators will remove this file from sites-enabled/ and # leave it as reference inside of sites-available where it will continue to be # updated by the nginx packaging team. # # This file will automatically load configuration files provided by other # applications, such as Drupal or Wordpress. These applications will be made # available underneath a path with that package name, such as /drupal8. # # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. ## # Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } # pass PHP scripts to FastCGI server # #location ~ \.php$ { # include snippets/fastcgi-php.conf; # # # With php-fpm (or other unix sockets): # fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # Virtual Host configuration for example.com # # You can move that to a different file under sites-available/ and symlink that # to sites-enabled/ to enable it. # #server { # listen 80; # listen [::]:80; # # server_name example.com; # # root /var/www/example.com; # index index.html; # # location / { # try_files $uri $uri/ =404; # } #} server { # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name xml.completenoobs.com; # managed by Certbot location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } # pass PHP scripts to FastCGI server # #location ~ \.php$ { # include snippets/fastcgi-php.conf; # # # With php-fpm (or other unix sockets): # fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} listen [::]:443 ssl ipv6only=on; # managed by Certbot listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = xml.completenoobs.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80 ; listen [::]:80 ; server_name xml.completenoobs.com; return 404; # managed by Certbot }
We just need to add one line autoindex on;
in the location { }
$EDITOR /etc/nginx/sites-available/default
/etc/nginx/sites-available/default
After appending autoindex on;
:
## # You should look at the following URL's in order to grasp a solid understanding # of Nginx configuration files in order to fully unleash the power of Nginx. # https://www.nginx.com/resources/wiki/start/ # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ # https://wiki.debian.org/Nginx/DirectoryStructure # # In most cases, administrators will remove this file from sites-enabled/ and # leave it as reference inside of sites-available where it will continue to be # updated by the nginx packaging team. # # This file will automatically load configuration files provided by other # applications, such as Drupal or Wordpress. These applications will be made # available underneath a path with that package name, such as /drupal8. # # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. ## # Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } # pass PHP scripts to FastCGI server # #location ~ \.php$ { # include snippets/fastcgi-php.conf; # # # With php-fpm (or other unix sockets): # fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # Virtual Host configuration for example.com # # You can move that to a different file under sites-available/ and symlink that # to sites-enabled/ to enable it. # #server { # listen 80; # listen [::]:80; # # server_name example.com; # # root /var/www/example.com; # index index.html; # # location / { # try_files $uri $uri/ =404; # } #} server { # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name xml.completenoobs.com; # managed by Certbot location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; # To allow browsing of directory autoindex on; } # pass PHP scripts to FastCGI server # #location ~ \.php$ { # include snippets/fastcgi-php.conf; # # # With php-fpm (or other unix sockets): # fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} listen [::]:443 ssl ipv6only=on; # managed by Certbot listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = xml.completenoobs.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80 ; listen [::]:80 ; server_name xml.completenoobs.com; return 404; # managed by Certbot }
Same File with Comments removed for easier read:
# Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } } server { root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name xml.completenoobs.com; # managed by Certbot location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; # To allow browsing of directory autoindex on; } listen [::]:443 ssl ipv6only=on; # managed by Certbot listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = xml.completenoobs.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80 ; listen [::]:80 ; server_name xml.completenoobs.com; return 404; # managed by Certbot }
More Info
autoindex on; directive:
The autoindex on; directive in an Nginx configuration file enables directory listing for the specified location.
In other words, if a user requests a URL that corresponds to a directory (rather than a specific file), and autoindex on; is specified for that location in the Nginx configuration file, then Nginx will generate a directory listing page that shows the contents of that directory.
This can be useful for making files available for download or for providing an easy way to browse the contents of a directory. However, it can also be a security risk if sensitive files are inadvertently made available for download or if a user gains access to a directory listing page that they should not be able to access.
To mitigate this risk, it's important to ensure that the autoindex on; directive is only used when necessary and is not enabled for sensitive directories or files. It's also a good idea to customize the appearance of the directory listing page to make it clear what files are available and to restrict access to the directory listing page using Nginx authentication or other security measures.
Nginx Config File:
# Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; ######^^^ These two lines specify that the server block is listening on port 80 (the default HTTP port) for IPv4 and IPv6 connections. The default_server parameter indicates that this block will be used as the default server block for any incoming connections that do not match any other server blocks. ################################################# root /var/www/html; ######^^ This line sets the root directory for the server block. This is the directory where Nginx will look for files to serve in response to incoming requests. ########################################## # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; ##########^^ This line specifies the order in which Nginx should look for index files in the root directory when serving requests. In this case, Nginx will first look for index.html, then index.htm, and then index.nginx-debian.html. ########################################################## server_name _; #######^^ This line specifies the server name for the block. The underscore _ indicates a catch-all server name, meaning that this block will handle any requests that do not match a server name defined in another server block. ####################################################### location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; ###############^^ This block specifies the location directive for requests that match the root directory of the server block. The try_files directive specifies that Nginx should first try to serve the request as a file, then as a directory, and then return a 404 error if the file or directory cannot be found. ###################################################### } } server { root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name xml.completenoobs.com; # managed by Certbot ######^^ This block specifies the server configuration for requests that match the server name xml.completenoobs.com. The root directive specifies the root directory for this server block, and the index directive specifies the order in which Nginx should look for index files when serving requests. The server_name directive specifies the name of the server that this block handles. ###################### location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; # To allow browsing of directory autoindex on; } ###########^^ This block specifies the location directive for requests that match the root directory of the server block. The try_files directive specifies that Nginx should first try to serve the request as a file, then as a directory, and then return a 404 error if the file or directory cannot be found. The autoindex directive enables directory listing for this location. ############################## listen [::]:443 ssl ipv6only=on; # managed by Certbot listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } ##################^^ These lines specify the SSL configuration for the server block, including the SSL certificates and keys, the SSL protocol settings, and the SSL Diffie-Hellman parameters. The listen directive specifies that the server block should listen for HTTPS connections on port 443, and the ssl parameter indicates that SSL/TLS should be used for these connections. The remaining lines specify the SSL certificates and keys, as well as the SSL options and Diffie-Hellman parameters managed by Certbot. ######################### server { if ($host = xml.completenoobs.com) { return 301 https://$host$request_uri; } # managed by Certbot ########^^ This block specifies that if the incoming request matches the server name xml.completenoobs.com, Nginx should return a 301 HTTP status code (Moved Permanently) and redirect the request to HTTPS. ####################### listen 80 ; listen [::]:80 ; server_name xml.completenoobs.com; return 404; # managed by Certbot } ##########^^ These lines specify the server configuration for requests that match the server name xml.completenoobs.com on port 80 (the default HTTP port). The listen directives specify that the server block should listen for HTTP connections on both IPv4 and IPv6. The server_name directive specifies the name of the server that this block handles. The return 404 directive specifies that Nginx should return a 404 HTTP status code for all requests that match this server block. Note that this server block is likely intended to be used in conjunction with another server block that handles HTTPS requests for xml.completenoobs.com, since the HTTP requests will be redirected to HTTPS by the if directive in this block. ############################
Hosting XML files for easy Downloading
we are going to delete the default index page and create another.
rm /var/www/html/index.nginx-debian.html
$EDITOR /var/www/html/index.html
Insert:
<!DOCTYPE html> <html> <head> <title>CompleteNoobs-XML_Dumps</title> </head> <body> <h1> <a href="xmlDumps/">Click here for are latest XML Dumps</a>.</p> </h1> </body> </html>
Create a Directory to place are dumps
mkdir /var/www/html/xmlDumps
This is the directory we will place are dumps for sharing and easy downloads.
chown -R www-data:www-data /var/www/html/xmlDumps
systemctl restart nginx
now create a test file with some content and test.
$EDITOR /var/www/html/xmlDumps/test.txt
Check you can see/read on web browser.
This is the directory where we will send are mediawiki dumps.
Transfer Files to Sharing Directory
scp
Check SCP_Examples for more examples:
To send direct from MediaWiki server (Example file 'xmlDump-03-03-2023')
Will be prompted to enter password:
scp /path/to/xmlDump-03-03-2023 root@xml.completenoobs.com:/var/www/html/xmlDumps/
sshfs
Read the sshfs page for more info
Can be useful if you are transferring a large number of files from your computer to server and want to use the GUI file explorer.
NOTE:replace $USER with your user account (Example: mine is 'ubunix' so i will replace '$USER' with 'ubunix')
Install sshfs on your computer
sudo apt install sshfs
Create a Directory you are going to mount remote server directory to:
mkdir /home/$USER/ServerMount
sudo sshfs -o allow_other,default_permissions root@xml.completenoobs.com:/var/www/html/xmlDumps/ /home/$USER/ServerMount/
To umount use:
sudo umount /home/$USER/ServerMount
Require Username and Password to view website/files (Optional - Placed here for educational reasons)
apt install apache2-utils
In your /etc/nginx/sites-available/default
Append the lines(see before and after files to see where):
auth_basic "Hello Please Login"; auth_basic_user_file /etc/nginx/.htpasswd;
/etc/nginx/sites-available/default
: Before
## # You should look at the following URL's in order to grasp a solid understanding # of Nginx configuration files in order to fully unleash the power of Nginx. # https://www.nginx.com/resources/wiki/start/ # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ # https://wiki.debian.org/Nginx/DirectoryStructure # # In most cases, administrators will remove this file from sites-enabled/ and # leave it as reference inside of sites-available where it will continue to be # updated by the nginx packaging team. # # This file will automatically load configuration files provided by other # applications, such as Drupal or Wordpress. These applications will be made # available underneath a path with that package name, such as /drupal8. # # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. ## # Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } # pass PHP scripts to FastCGI server # #location ~ \.php$ { # include snippets/fastcgi-php.conf; # # # With php-fpm (or other unix sockets): # fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # Virtual Host configuration for example.com # # You can move that to a different file under sites-available/ and symlink that # to sites-enabled/ to enable it. # #server { # listen 80; # listen [::]:80; # # server_name example.com; # # root /var/www/example.com; # index index.html; # # location / { # try_files $uri $uri/ =404; # } #} server { # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name xml.completenoobs.com; # managed by Certbot location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } # pass PHP scripts to FastCGI server # #location ~ \.php$ { # include snippets/fastcgi-php.conf; # # # With php-fpm (or other unix sockets): # fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} listen [::]:443 ssl ipv6only=on; # managed by Certbot listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = xml.completenoobs.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80 ; listen [::]:80 ; server_name xml.completenoobs.com; return 404; # managed by Certbot }
/etc/nginx/sites-available/default
: After
## # You should look at the following URL's in order to grasp a solid understanding # of Nginx configuration files in order to fully unleash the power of Nginx. # https://www.nginx.com/resources/wiki/start/ # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ # https://wiki.debian.org/Nginx/DirectoryStructure # # In most cases, administrators will remove this file from sites-enabled/ and # leave it as reference inside of sites-available where it will continue to be # updated by the nginx packaging team. # # This file will automatically load configuration files provided by other # applications, such as Drupal or Wordpress. These applications will be made # available underneath a path with that package name, such as /drupal8. # # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. ## # Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } # pass PHP scripts to FastCGI server # #location ~ \.php$ { # include snippets/fastcgi-php.conf; # # # With php-fpm (or other unix sockets): # fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # Virtual Host configuration for example.com # # You can move that to a different file under sites-available/ and symlink that # to sites-enabled/ to enable it. # #server { # listen 80; # listen [::]:80; # # server_name example.com; # # root /var/www/example.com; # index index.html; # # location / { # try_files $uri $uri/ =404; # } #} server { # SSL configuration # # listen 443 ssl default_server; # listen [::]:443 ssl default_server; # # Note: You should disable gzip for SSL traffic. # See: https://bugs.debian.org/773332 # # Read up on ssl_ciphers to ensure a secure configuration. # See: https://bugs.debian.org/765782 # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # # include snippets/snakeoil.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name xml.completenoobs.com; # managed by Certbot location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; # To allow browsing of directory autoindex on; auth_basic "Hello Please Login"; auth_basic_user_file /etc/nginx/.htpasswd; } # pass PHP scripts to FastCGI server # #location ~ \.php$ { # include snippets/fastcgi-php.conf; # # # With php-fpm (or other unix sockets): # fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} listen [::]:443 ssl ipv6only=on; # managed by Certbot listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { if ($host = xml.completenoobs.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80 ; listen [::]:80 ; server_name xml.completenoobs.com; return 404; # managed by Certbot }
Create a login Username and Password to view your website
Add user; change user1 to username of your choice; you will be prompted for password.
htpasswd -c /etc/nginx/.htpasswd user1
The -c flag is only needed the first time to create the file /etc/nginx/.htpasswd
Add second user; the same method is used to add has many users has you want.
htpasswd /etc/nginx/.htpasswd user2
To update or change passwd for user, repeat command with username of account you wish to change; enter new password.
htpasswd /etc/nginx/.htpasswd user1
Restart Nginx:
systemctl restart nginx
And try site.
Fail2Ban to Block IP's Which Enter Incorrect Username and/or Password
Install Fail2Ban:
apt install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$EDITOR /etc/fail2ban/jail.local
Note: Can append to the very bottom of the page.
# Reject Connections that failed username password _action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp] actionx = %(_action_tcp_udp)s [nginx-cup] #the name in brackets above is what you use for status # fail2ban-client status nginx-cup enabled = true filter = nginx-correct-up port = http,https logpath = /var/log/nginx/error.log findtime = 3m bantime = 3m maxretry = 3 #ignoreip = <your-ipaddress> #Note: Can find your ipaddress using `curl ifconfig.me` or visit `whatismyip.com`
$EDITOR /etc/fail2ban/filter.d/nginx-correct-up.conf
[Definition] failregex = client:\s<HOST> ignoreregex =
Check Fail2Ban for errors
fail2ban-client -d
restart nginx and fail2ban so updated setting can take effect
systemctl restart fail2ban.service
systemctl restart nginx.service
And test.
Remove need for username and password
Comment out (or delete) the following lines from your nginx config file:
$EDITOR /etc/nginx/sites-available/default
auth_basic "Hello Please Login"; auth_basic_user_file /etc/nginx/.htpasswd;
Can comment out lines by placing a '#' in front.
#auth_basic "Hello Please Login"; #auth_basic_user_file /etc/nginx/.htpasswd;
Restart Nginx:
systemctl restart nginx
No DNS using IP and SelfSigned Certs
Update system
apt update && apt upgrade -y
Install NGINX
apt install nginx -y
You should now be able to see the Welcome to nginx! site on your subdomain (or just use server ip address).
Only http will work as we have not yet setup are https
Create keys for encrypted https connection
Note: If you are just building a quick website to test this out you can use Blank (just press enter) for all fields and it will still work.
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
quick explanation:
- openssl: This command invokes the OpenSSL tool, which is a software library that provides a variety of cryptographic functions and utilities.
- req: This is a subcommand of OpenSSL that is used for creating and managing X.509 certificate signing requests (CSRs) and self-signed certificates.
- -x509: This option specifies that the output should be a self-signed X.509 certificate rather than a CSR.
- -nodes: This option specifies that the private key should not be encrypted with a password, allowing for automatic startup of services that use SSL/TLS.
- -days 365: This option specifies the number of days that the certificate will be valid for before it expires.
- -newkey rsa:4096: This option generates a new RSA private key with a key length of 4096 bits, which provides a higher level of security than shorter key lengths.
- -keyout /etc/ssl/private/nginx-selfsigned.key: This option specifies the path and filename of the private key file that will be generated by OpenSSL.
- -out /etc/ssl/certs/nginx-selfsigned.crt: This option specifies the path and filename of the self-signed certificate file that will be generated by OpenSSL.
Overall, this command generates a self-signed SSL/TLS certificate and private key that can be used to secure an Nginx web server. The certificate and key are saved to the specified locations for use in the Nginx server configuration. It's important to note that while self-signed certificates can provide some level of encryption for your web traffic, they do not provide any form of authentication or verification of identity, and should not be used in production environments where security is a top priority.
/etc/ssl/private/nginx-selfsigned.key
/etc/ssl/certs/nginx-selfsigned.crt
Create diffhelman
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
You can upgrade from 2048 to 4096 but it might take a while.
$EDITOR /etc/nginx/snippets/ssl-params.conf
Nginx configuration directives related to SSL/TLS:
ssl_protocols TLSv1.2; #This directive specifies the SSL/TLS protocols that the server will use for secure connections. In this case, only TLS version 1.2 is allowed. ssl_prefer_server_ciphers on; #This directive tells the server to prefer the ciphers specified by the server over those requested by the client. ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL !LOW !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED'; #This directive specifies the SSL/TLS ciphers that the server will use for secure connections. These ciphers prioritize the use of elliptic curve cryptography (ECDHE) for key exchange and advanced encryption algorithms such as AES256 and CHACHA20-POLY1305 for encryption. ssl_ecdh_curve secp384r1; #This directive specifies the elliptic curve Diffie-Hellman (ECDH) curve that the server will use for key exchange. In this case, the secp384r1 curve is used. ssl_session_cache shared:SSL:10m; ssl_session_tickets off; #These directives configure SSL session caching, which can improve performance by allowing the server to reuse SSL session parameters for multiple connections. The ssl_session_cache directive specifies the type of session cache to use, and the ssl_session_tickets directive specifies whether session tickets should be used. # need to turn ssl_stapling off for selfsigned or will get errors in /var/log/nginx/error.log ssl_stapling off; ssl_stapling_verify off; #These directives configure OCSP stapling, which can improve security by allowing the server to provide proof of the SSL/TLS certificate's validity without requiring the client to contact the certificate authority. The ssl_stapling directive specifies whether stapling should be used, and the ssl_stapling_verify directive specifies whether the server should verify the OCSP response from the certificate authority. resolver 8.8.8.8 80.80.80.80 valid=300s; resolver_timeout 5s; #These directives configure DNS resolution for OCSP stapling. The resolver directive specifies the DNS servers to use for resolving OCSP requests, and the valid parameter specifies the duration for which DNS responses will be cached. The resolver_timeout directive specifies the timeout value for DNS resolution. add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; #These directives add security-related HTTP headers to responses sent by the server. The Strict-Transport-Security header specifies that SSL/TLS should always be used for connections to the server, and the X-Frame-Options and X-Content-Type-Options headers help protect against clickjacking and MIME sniffing attacks, respectively. ssl_dhparam /etc/ssl/certs/dhparam.pem; #This directive specifies the location of the Diffie-Hellman parameters file used for SSL/TLS key exchange. The ssl_dhparam directive is used to specify the path to the file that contains the Diffie-Hellman parameters. ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; # self-signed certificate file ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; # private key file
Nginx
$EDITOR /etc/nginx/sites-available/default
MAKE SURE TO CHANGE IP 12.34.56.78 to YOUR servers Public IP address
server { listen 80 default_server; listen [::]:80 default_server; server_name 12.34.56.78; ## change ip to match your server ip return 302 https://$server_name$request_uri; } server { # SSL configuration # listen 443 ssl default_server; listen [::]:443 ssl default_server; include snippets/ssl-params.conf; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; # To allow browsing of directory autoindex on; } }
Restart Nginx
systemctl restart nginx
Allow Nginx pass firewall
ufw allow 80/tcp
ufw allow 443/tcp
mkdir /var/www/html/files
Create an html file
$EDITOR /var/www/html/index.html
<!DOCTYPE html> <html> <head> <title>Files For Download</title> </head> <body> <a href="files">Click here for are latest files</a>.</p> </body> </html>
Transfer_Files_to_Sharing_Directory
Same as with using certbot
Require Username and Passwd to view files