List available modules
# -V prints the nginx version plus the compiler and ./configure arguments (written to stderr);
# the --with-* / --add-module entries show which modules were compiled in.
nginx -V
SSL
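# Certificates are public material and can stay world-readable.
cp *.crt /etc/ssl/certs/

# Private keys: set owner and mode explicitly instead of inheriting whatever
# the current umask gives a plain cp (typically world-readable).
install -m 0600 -o root -g root *.key /etc/ssl/private/

# Validate the configuration first so a bad certificate path or typo does not
# take the server down on restart.
nginx -t && service nginx restart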
Sites
# cat /etc/nginx/sites-enabled/default
# Catch-all vhost: any request on port 80 that no other server block claims
# is forwarded to the local backend listening on 127.0.0.1:4440.
server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name _;

    location / {
        proxy_pass http://127.0.0.1:4440;
    }
}

# /etc/nginx/sites-available/www.example.com.conf
# HTTPS vhost for www.example.com.
server {
    listen      443 ssl;
    server_name www.example.com;
    root        /usr/share/nginx/www/;

    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    # NOTE(review): no ssl_protocols / ssl_ciphers are set, so the defaults of
    # the installed nginx build apply - confirm they exclude legacy TLS versions.

    # Rewrite every occurrence (not only the first) of "Welcome" in responses.
    # sub_filter acts on text/html unless sub_filter_types says otherwise.
    sub_filter_once off;
    sub_filter "Welcome" "Sello";
}

# Plain-HTTP vhost for the same name, with its own log files.
server {
    listen      80;
    server_name www.example.com;
    root        /usr/share/nginx/www/;

    access_log /var/log/nginx/access_www.example.com.log;
    # "debug" only produces debug output on a binary built with --with-debug
    # and is very verbose; lower the level again once troubleshooting is done.
    error_log  /var/log/nginx/error_www.example.com.log debug;

    sub_filter_once off;
    sub_filter "Welcome" "Hello";
}
Options
# allow body size / upload up to 10 MB
# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
# Requests with a larger body are rejected with 413 (Request Entity Too Large).
client_max_body_size 10M;

# --- Snippets ---

# Accept only POST on /foo; every other method is answered with 400.
# (405 Method Not Allowed is the status clients conventionally expect here.)
# "if" containing nothing but "return" is one of the safe uses of if inside a location.
location /foo {
    if ( $request_method != 'POST' ) {
        return 400;
    }
}
Configuration
# shell: check the configuration for errors before reloading or restarting
service nginx configtest

# disable cache
location stuffyoudontwanttocache {
    proxy_no_cache     1;   # don't cache it
    proxy_cache_bypass 1;   # even if cached, don't try to use it
}
# expires 1s;

# redirect to https
# $ssl_protocol is empty when the connection is not TLS. $server_name is taken
# from the configuration, not from the client's Host header, so the redirect
# target cannot be influenced by the request.
if ($ssl_protocol = "") {
    return 301 https://$server_name$request_uri;
}

# directory listing / autoindex
# https://www.keycdn.com/support/nginx-directory-index/
# autoindex exposes the names of everything in the served directory; enable it
# only on locations where a public listing is intended.
server {
    ...
    location / {
        autoindex on;
        ...
    }
    ...
}
https://www.nginx.com/resources/wiki/modules/fancy_index/
https://github.com/aperezdc/ngx-fancyindex
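# shell: the fancyindex module ships with the nginx-extras package
apt-get install -y nginx-extras
cat /etc/nginx/sites-available/default
...
location /foo/ {
    fancyindex on;
    fancyindex_exact_size off;   # human-readable sizes instead of exact byte counts
}
location / {
    fancyindex on;
    # Only removes the entry from the generated listing; the path itself can
    # still be requested directly unless a deny rule covers it.
    fancyindex_ignore "lost\+found";
}

# --- Hide directories ---
# /etc/nginx/sites-enabled/default

# hide .git directory (repository contents, history and config must never be served)
location ~ /\.git {
    deny all;
}

# hide all .* directories and files, except /.well-known/, which ACME http-01
# certificate validation and other standard well-known URIs rely on.
# A blanket "location ~ /\." would answer those requests with 403 as well.
location ~ /\.(?!well-known/) {
    deny all;
}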
IMAPS forward
# /etc/nginx/nginx.conf
# stream {} belongs at the top level of nginx.conf, next to http {}, not inside it.
stream {
    server {
        listen 993;

        # Source-address allow list: only 10.0.1.10 may connect, everyone else is refused.
        allow 10.0.1.10;
        deny  all;

        # Raw TCP forward. TLS is not terminated here, so the IMAP server still
        # handles the handshake itself - and it sees this proxy's address as the
        # peer, which matters when reading its logs.
        proxy_pass 10.0.3.187:993;
    }
}
Proxy over SSH tunnel
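# Reverse tunnel: port 8182 on nginx.example.com is carried through this SSH
# session to gitlab.example.com:80.
# -g is dropped: it only affects local (-L/-D) forwards. The listen address of a
# remote forward is decided by sshd's GatewayPorts and defaults to loopback,
# which is all the proxy_pass below needs.
ssh -R 8182:gitlab.example.com:80 nginx.example.com

# The remaining commands are presumably run in the resulting shell on nginx.example.com.
ip addr add 127.0.0.2/32 dev eno1:1
echo "127.0.0.2 gitlab.example.com" >> /etc/hosts

# Quoted delimiter: nothing inside the here-document is expanded by the shell.
# The closing EOF is required, otherwise the reload command would be written
# into the config file instead of being executed.
cat <<'EOF' > /etc/nginx/conf.d/gitlab.example.com.conf
server {
    listen gitlab.example.com:80;
    server_name gitlab.example.com;
    location / {
        proxy_pass http://127.0.0.1:8182;
    }
}
EOF

# Check the new file before applying it.
nginx -t && service nginx reload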
Rate Limiting
https://www.nginx.com/blog/rate-limiting-nginx/
https://medium.freecodecamp.org/nginx-rate-limiting-in-a-nutshell-128fe9e0126c
https://product.reverb.com/first-line-of-defense-blocking-bad-post-requests-using-nginx-rate-limiting-507f4c6eed7b
https://serverfault.com/questions/177461/how-to-rate-limit-in-nginx-but-including-excluding-certain-ip-addresses
Dynamic module load
https://fancyte.ch/nginx-unknown-directive-after-upgrading-to-ubuntu-18-lts/
Block SQL injections
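# Keyword filter on the query string. Treat it as noise reduction, not as a fix:
#   - only $query_string is inspected, exactly as sent (no URL-decoding);
#     request bodies, cookies and headers are never looked at
#   - ordinary words such as "select", "where" or "version" trigger it, so
#     expect false positives on legitimate URLs
# The actual defence is parameterized queries in the application; for request
# filtering, a maintained WAF rule set is a better fit than a word list.

# Every 403 produced in this context is presented to the client as a 404,
# including 403s from unrelated deny rules.
error_page 403 =404 /404.gif;

# The pattern is written as one quoted string. In the earlier ("...") form the
# quote characters appear to become part of the regex, so "union" and "const("
# would only match next to a literal double quote.
if ($query_string ~* "union|select|concat|insert|dual|where|synchronize|version|from\(|hex\(|char\(|const\(") {
    return 403;
}

# check logs (blocked requests are logged with status 404 because of the error_page mapping)
# grep " 404 " /var/log/nginx/access.log | grep -v Version | grep -E --color=always -i "union|select|concat|insert|dual|where|synchronize|version|from\(|hex\(|char\(|const\("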
Links
https://www.nginx.com/blog/tcp-load-balancing-udp-load-balancing-nginx-tips-tricks/#TCPLB
http://wiki.nginx.org/Configuration
http://wiki.nginx.org/HttpSubsModule
http://wiki.nginx.org/NginxHttpSubsModule
https://askubuntu.com/questions/553937/what-is-the-difference-between-the-core-full-extras-and-light-packages-for-ngi
https://www.nginx.com/resources/admin-guide/restricting-access/
http://openresty.org/en/