Services/Nginx

From Fundamental Ramen
Jump to navigation Jump to search

Quick References

TODO Command
List directory 
autoindex on;
Catch all server 
server_name _;
Prevent 413 Too Large ... 
client_max_body_size 128m;

Install nginx on Ubuntu 24

Install

# Install
sudo apt install nginx

# Check service status
sudo systemctl status nginx

# Check tcp port
ss -lnt4 | grep ':80'

# Edit config
cd /etc/nginx/sites-available
sudo vim my-vhost

Setup virtual host proxy

server {
  server_name my-vhost.xxx.com;
  root        /home/myaccount/vhost/my-vhost
  access_log  /var/log/nginx/my-vhost.access.log;
  error_log   /var/log/nginx/my-vhost.error.log;

  location / {
    proxy_pass http://192.168.25.90:12345;
    proxy_read_timeout 60;
    proxy_connect_timeout 10;
  }
}

cd /etc/nginx/sites-enabled
sudo ln -s /etc/nginx/sites-available/my-vhost my-vhost
sudo nginx -t
sudo systemctl reload nginx
sudo systemctl status nginx

# check permission of static file
sudo -u www-data ls -l /home/myaccount/vhost/my-vhost

Add self-signed certificate

cd ~
openssl req -new > cert.csr
openssl rsa -in privkey.pem -out key.pem
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
cat key.pem >> cert.pem
cp cert.pem /etc/nginx/sites-available

server {
  server_name my-vhost.xxx.com;
  root        /home/myaccount/vhost/my-vhost
  access_log  /var/log/nginx/my-vhost.access.log;
  error_log   /var/log/nginx/my-vhost.error.log;
  ssl_certificate     /etc/nginx/sites-available/cert.pem;
  ssl_certificate_key /etc/nginx/sites-available/cert.pem;

  location / {
    proxy_pass http://192.168.25.90:12345;
    proxy_read_timeout 60;
    proxy_connect_timeout 10;
  }
}

Certbot 2.x (Let's Encrypt)

sudo snap install --classic certbot
# sudo ln -s /snap/bin/certbot /usr/bin/certbot

Install nginx on macOS 10.13+

Default nginx package in Homebrew is missing many modules.

Tap 3rd party package is useful for development. 

brew tap denji/nginx

brew install nginx-full \
  --with-echo-module \
  --with-autols-module \
  --with-geoip2-module \
  --with-http2 \
  --with-upload-module \
  --with-upload-progress-module

Running nginx as nobody is inconvenient for development. Running as login account is better.

/usr/local/etc/nginx/nginx.conf:2 

#     user      group
user  myaccount admin;

When using nobody, response would be 403 forbidden and hard to debug.

Like this: (/usr/local/var/log/nginx/error.log) 

2019/02/18 15:42:47 [crit] 25478#0: *78 stat() "/Users/myaccount/Documents/0x01.Source/myvhost/public" failed (13: Permission denied)

Certbot trouble shooting

sudo certbot renew -d wiki.tacosync.com --dry-run

Firewall Issue

  • Certbot need http access, so firewall should allow both http & https access.
Retrieved from "https://wiki.fundamental-ramen.com/index.php?title=Services/Nginx&oldid=1968"