Ubuntu 22.04 Nginx File Sharing without DNS

From CompleteNoobs
Revision as of 19:47, 11 May 2023 by Noob (talk | contribs) (Created page with "==No DNS using IP and SelfSigned Certs== ===Update system=== <code>apt update && apt upgrade -y</code><br \> ===Install NGINX=== <code>apt install nginx -y</code><br> You should now be able to see the <b>Welcome to nginx!</b> site on your subdomain (or just use server ip address).<br> Only <b>http</b> will work as we have not yet setup are <b>https</b><br> ===Create keys for encrypted https connection=== Note: If you are just building a quick website to test this...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Please Select a Licence from the LICENCE_HEADERS page
 And place at top of your page
 If no Licence is Selected/Appended, Default will be CC0

Default Licence IF there is no Licence placed below this notice! When you edit this page, you agree to release your contribution under the CC0 Licence

LICENCE: More information about the cc0 licence can be found here:
https://creativecommons.org/share-your-work/public-domain/cc0

The person who associated a work with this deed has dedicated the work to the public domain by waiving all of his or her rights to the work worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.

You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.

Licence:

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following: 

   the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
   moral rights retained by the original author(s) and/or performer(s);
   publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
   rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
   rights protecting the extraction, dissemination, use and reuse of data in a Work;
   database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
   other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers. 

   No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
   Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
   Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
   Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

No DNS using IP and SelfSigned Certs

Update system

apt update && apt upgrade -y


Install NGINX

apt install nginx -y

You should now be able to see the Welcome to nginx! site on your subdomain (or just use server ip address).
Only http will work as we have not yet setup are https


Create keys for encrypted https connection

Note: If you are just building a quick website to test this out you can use Blank (just press enter) for all fields and it will still work.

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt


quick explanation:

  • openssl: This command invokes the OpenSSL tool, which is a software library that provides a variety of cryptographic functions and utilities.
  • req: This is a subcommand of OpenSSL that is used for creating and managing X.509 certificate signing requests (CSRs) and self-signed certificates.
  • -x509: This option specifies that the output should be a self-signed X.509 certificate rather than a CSR.
  • -nodes: This option specifies that the private key should not be encrypted with a password, allowing for automatic startup of services that use SSL/TLS.
  • -days 365: This option specifies the number of days that the certificate will be valid for before it expires.
  • -newkey rsa:4096: This option generates a new RSA private key with a key length of 4096 bits, which provides a higher level of security than shorter key lengths.
  • -keyout /etc/ssl/private/nginx-selfsigned.key: This option specifies the path and filename of the private key file that will be generated by OpenSSL.
  • -out /etc/ssl/certs/nginx-selfsigned.crt: This option specifies the path and filename of the self-signed certificate file that will be generated by OpenSSL.

Overall, this command generates a self-signed SSL/TLS certificate and private key that can be used to secure an Nginx web server. The certificate and key are saved to the specified locations for use in the Nginx server configuration. It's important to note that while self-signed certificates can provide some level of encryption for your web traffic, they do not provide any form of authentication or verification of identity, and should not be used in production environments where security is a top priority.

/etc/ssl/private/nginx-selfsigned.key
/etc/ssl/certs/nginx-selfsigned.crt

Create diffhelman

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
You can upgrade from 2048 to 4096 but it might take a while.


$EDITOR /etc/nginx/snippets/ssl-params.conf
Nginx configuration directives related to SSL/TLS: 

ssl_protocols TLSv1.2;
#This directive specifies the SSL/TLS protocols that the server will use for secure connections. In this case, only TLS version 1.2 is allowed.

ssl_prefer_server_ciphers on;
#This directive tells the server to prefer the ciphers specified by the server over those requested by the client.

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL !LOW !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
#This directive specifies the SSL/TLS ciphers that the server will use for secure connections. These ciphers prioritize the use of elliptic curve cryptography (ECDHE) for key exchange and advanced encryption algorithms such as AES256 and CHACHA20-POLY1305 for encryption.

ssl_ecdh_curve secp384r1;
#This directive specifies the elliptic curve Diffie-Hellman (ECDH) curve that the server will use for key exchange. In this case, the secp384r1 curve is used.

ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
#These directives configure SSL session caching, which can improve performance by allowing the server to reuse SSL session parameters for multiple connections. The ssl_session_cache directive specifies the type of session cache to use, and the ssl_session_tickets directive specifies whether session tickets should be used.

# need to turn ssl_stapling off for selfsigned or will get errors in /var/log/nginx/error.log
ssl_stapling off;
ssl_stapling_verify off;
#These directives configure OCSP stapling, which can improve security by allowing the server to provide proof of the SSL/TLS certificate's validity without requiring the client to contact the certificate authority. The ssl_stapling directive specifies whether stapling should be used, and the ssl_stapling_verify directive specifies whether the server should verify the OCSP response from the certificate authority.

resolver 8.8.8.8 80.80.80.80 valid=300s;
resolver_timeout 5s;
#These directives configure DNS resolution for OCSP stapling. The resolver directive specifies the DNS servers to use for resolving OCSP requests, and the valid parameter specifies the duration for which DNS responses will be cached. The resolver_timeout directive specifies the timeout value for DNS resolution.

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
#These directives add security-related HTTP headers to responses sent by the server. The Strict-Transport-Security header specifies that SSL/TLS should always be used for connections to the server, and the X-Frame-Options and X-Content-Type-Options headers help protect against clickjacking and MIME sniffing attacks, respectively.

ssl_dhparam /etc/ssl/certs/dhparam.pem;
#This directive specifies the location of the Diffie-Hellman parameters file used for SSL/TLS key exchange. The ssl_dhparam directive is used to specify the path to the file that contains the Diffie-Hellman parameters.

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
#  self-signed certificate file

ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
# private key file

Nginx

$EDITOR /etc/nginx/sites-available/default
MAKE SURE TO CHANGE IP 12.34.56.78 to YOUR servers Public IP address

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name 12.34.56.78; ## change ip to match your server ip
	return 302 https://$server_name$request_uri;
}
server {

	# SSL configuration
	#
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	include snippets/ssl-params.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
		# To allow browsing of directory 
		autoindex on;
	}
}

Restart Nginx

systemctl restart nginx

Allow Nginx pass firewall

ufw allow 80/tcp
ufw allow 443/tcp

Create a Directory to share store files

mkdir /var/www/html/files

Create an html file

$EDITOR /var/www/html/index.html

<!DOCTYPE html>
<html>
<head>
<title>Files For Download</title>
</head>
<body>

<a href="files">Click here for are latest files</a>.</p>


</body>
</html>

Transfer Files to Sharing Directory

NOTE: If you are receiving file from another server (setup server to send with script and ssh-keys), you may wish to create another account which can only receive scp to path

scp

Check SCP_Examples for more examples:
To send direct from MediaWiki server (Example file 'xmlDump-03-03-2023')
Will be prompted to enter password:
scp /path/to/file2send <user>@<server_address>:/var/www/html/files/
Example:scp /path/to/file2send ubuntu@111.222.33.444:/var/www/html/files/

sshfs

Read the sshfs page for more info
Can be useful if you are transferring a large number of files from your computer to server and want to use the GUI file explorer.

NOTE:replace $USER with your user account (Example: mine is 'ubunix' so i will replace '$USER' with 'ubunix')
Install sshfs on your computer
sudo apt install sshfs
Create a Directory you are going to mount remote server directory to:
mkdir /home/$USER/ServerMount

sudo sshfs -o allow_other,default_permissions <user>@<server_address>:/var/www/html/files/ /home/$USER/ServerMount/
To umount use:
sudo umount /home/$USER/ServerMount

sftp

Rsync

syncthing

FreeFileSync

Seafile

Require Username and Password to view website/files (Optional - Placed here for educational reasons)

apt install apache2-utils
In your /etc/nginx/sites-available/default
Append the lines(see before and after files to see where):

auth_basic "Hello Please Login";
auth_basic_user_file /etc/nginx/.htpasswd;

/etc/nginx/sites-available/default: Before 

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

server {

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
    server_name xml.completenoobs.com; # managed by Certbot


	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = xml.completenoobs.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80 ;
	listen [::]:80 ;
    server_name xml.completenoobs.com;
    return 404; # managed by Certbot


}

/etc/nginx/sites-available/default: After 

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

server {

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
    server_name xml.completenoobs.com; # managed by Certbot


	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
		# To allow browsing of directory
		autoindex on;
		auth_basic "Hello Please Login";
		auth_basic_user_file /etc/nginx/.htpasswd;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/xml.completenoobs.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xml.completenoobs.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = xml.completenoobs.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80 ;
	listen [::]:80 ;
    server_name xml.completenoobs.com;
    return 404; # managed by Certbot


}

Create a login Username and Password to view your website

Add user; change user1 to username of your choice; you will be prompted for password.
htpasswd -c /etc/nginx/.htpasswd user1

The -c flag is only needed the first time to create the file /etc/nginx/.htpasswd

Add second user; the same method is used to add has many users has you want.
htpasswd /etc/nginx/.htpasswd user2
To update or change passwd for user, repeat command with username of account you wish to change; enter new password.
htpasswd /etc/nginx/.htpasswd user1
Restart Nginx:
systemctl restart nginx
And try site.

Fail2Ban to Block IP's Which Enter Incorrect Username and/or Password

Install Fail2Ban:
apt install fail2ban

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$EDITOR /etc/fail2ban/jail.local
Note: Can append to the very bottom of the page.

# Reject Connections that failed username password
_action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp]
    %(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp]


actionx = %(_action_tcp_udp)s

[nginx-cup]
#the name in brackets above is what you use for status
#   fail2ban-client status nginx-cup
enabled = true
filter = nginx-correct-up
port = http,https
logpath = /var/log/nginx/error.log
findtime = 3m
bantime = 3m
maxretry = 3
#ignoreip = <your-ipaddress>
#Note: Can find your ipaddress using `curl ifconfig.me` or visit `whatismyip.com`


$EDITOR /etc/fail2ban/filter.d/nginx-correct-up.conf

[Definition]
failregex = client:\s<HOST>
ignoreregex =

Check Fail2Ban for errors

fail2ban-client -d

restart nginx and fail2ban so updated setting can take effect

systemctl restart fail2ban.service
systemctl restart nginx.service
And test.

Remove need for username and password

Comment out (or delete) the following lines from your nginx config file:
$EDITOR /etc/nginx/sites-available/default

auth_basic "Hello Please Login";
auth_basic_user_file /etc/nginx/.htpasswd;


Can comment out lines by placing a '#' in front.

#auth_basic "Hello Please Login";
#auth_basic_user_file /etc/nginx/.htpasswd;


Restart Nginx:
systemctl restart nginx












Script for Server

#!/bin/bash

# Update and upgrade packages
apt update && apt upgrade -y

# Install nginx and apache2-utils
apt install nginx apache2-utils -y

# Set up UFW rules
ufw allow 80/tcp
ufw allow 443/tcp

# Create self-signed SSL certificate
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

# Generate Diffie-Hellman parameters
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# Get server IP address
server_ip=$(curl -s ifconfig.me)

# Create an SSL configuration snippet
cat > /etc/nginx/snippets/ssl-params.conf <<EOL
ssl_protocols TLSv1.2;

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL !LOW !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';

ssl_ecdh_curve secp384r1;

ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_stapling off;
ssl_stapling_verify off;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
EOL

# Get username and password for basic authentication
read -p "Enter a username for basic authentication: " username
read -sp "Enter a password for basic authentication: " password
echo

# Create .htpasswd file
htpasswd -cb /etc/nginx/.htpasswd "$username" "$password"

# Replace the default Nginx server configuration
cat > /etc/nginx/sites-available/default <<EOL
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name $server_ip;
	return 302 https://\$server_name\$request_uri;
}
server {
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	include snippets/ssl-params.conf;

	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name _;

	auth_basic "Hello Please Login";
	auth_basic_user_file /etc/nginx/.htpasswd;

	location / {
		try_files \$uri \$uri/ =404;
		autoindex on;
	}
}
EOL

# Update the server_name directive with the server_ip obtained from ifconfig.me
sed -i "s/\$server_ip/$server_ip/g" /etc/nginx/sites-available/default

# Restart Nginx
systemctl restart nginx

# Create directory for files
mkdir /var/www/html/files

# Create index.html file
cat > /var/www/html/index.html <<EOL
<!DOCTYPE html>
<html>
<head>
<title>Files For Download</title>
</head>
<body>

<a href="files">Click here for our latest files</a>.</p>

</body>
</html>
EOL

# Inform the user of the server IP address
echo "You can visit your server at https://$server_ip"
echo "Transfer files to $server_ip:/var/www/html/files"
Retrieved from "http:///noobs/index.php?title=Ubuntu_22.04_Nginx_File_Sharing_without_DNS&oldid=426"