nginx / DNS configuration

For everything to be reachable and secure, the server configuration needs some fine-tuning, and that is a bit tedious. The goal is that the applications can talk to each other, that every one of them is served over https, and that the whole thing is hardened against attacks.

For a complete server, the addresses to manage are typically the following (here www.tlx.fr / tlx.fr, cloud.tlx.fr and wiki.tlx.fr, one per application):

In nginx terms, that translates into the following three files:

[root@tlx : /etc/nginx/sites-enabled]#
l
total 0
lrwxrwxrwx 1 root root 35 sept. 27 17:54 dokuwiki -> /etc/nginx/sites-available/dokuwiki
lrwxrwxrwx 1 root root 36 sept. 20 12:31 nextcloud -> /etc/nginx/sites-available/nextcloud
lrwxrwxrwx 1 root root 36 oct.  19 18:12 wordpress -> /etc/nginx/sites-available/wordpress
   
Note that with this layout it is easy to add a config for, say, Dolibarr or Icecast, and so on.

nginx configuration for WordPress

  /etc/nginx/sites-available/wordpress
  
server {
	listen                        80;
	listen                        [::]:80;
	server_name                   www.tlx.fr tlx.fr;
	return                        301 https://$server_name$request_uri;
}
server {
	listen                        443 ssl http2;
	listen                        [::]:443 ssl http2;
	
	server_name www.tlx.fr tlx.fr;
	
	root /var/www/wordpress;
	index index.php;
	
	# redundant with "listen 443 ssl" above, and deprecated since nginx 1.15
	ssl                           on;
	ssl_certificate               /etc/letsencrypt/live/www.tlx.fr/fullchain.pem;
	ssl_certificate_key           /etc/letsencrypt/live/www.tlx.fr/privkey.pem;
	ssl_trusted_certificate       /etc/letsencrypt/live/www.tlx.fr/chain.pem;
	ssl_dhparam                   /etc/ssl/certs/dhparam.pem;

	ssl_session_cache             shared:SSL:1m;
	ssl_session_timeout           1440m;
	ssl_buffer_size               8k;
	# TLSv1/TLSv1.1 and the 3DES suite DES-CBC3-SHA are legacy; on a server without old clients,
	# allow TLSv1.2 TLSv1.3 and AEAD suites only
	ssl_protocols                 TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers                   'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
	ssl_prefer_server_ciphers     on;
	ssl_stapling                  on;
	ssl_stapling_verify           on;


	# Add headers to serve security related headers
	add_header                    X-Content-Type-Options nosniff;
	add_header                    X-XSS-Protection "1; mode=block";
	add_header                    X-Robots-Tag none;
	add_header                    X-Download-Options noopen;
	add_header                    X-Permitted-Cross-Domain-Policies none;
	add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
			
	# set max upload size
	client_max_body_size          16M;
	fastcgi_buffers               64 4K;
	
	# Enable gzip but do not remove ETag headers
	gzip                          on;
	gzip_vary                     on;
	gzip_comp_level               4;
	gzip_min_length               256;
	gzip_proxied                  expired no-cache no-store private no_last_modified no_etag auth;
	gzip_types                    application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
	
	location = /favicon.ico {
		log_not_found off;
		access_log off;
	}
	
	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}
	
	location / {
		# This is cool because no php is touched for static content.
		# include the "?$args" part so non-default permalinks doesn't break when using query string
		try_files $uri $uri/ /index.php?$args;
	}
	
	location ~ \.php$ {
		# only hand PHP-FPM a script that really exists (standard nginx recommendation,
		# so that a path like /upload/x.jpg/y.php is never resolved by PHP itself)
		try_files                 $uri =404;
		fastcgi_split_path_info   ^(.+\.php)(/.*)$;
		include                   fastcgi_params;
		fastcgi_param             SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param             PATH_INFO $fastcgi_path_info;
		fastcgi_param             HTTPS on;
		# the two params below are Nextcloud-specific and harmless here
		fastcgi_param             modHeadersAvailable true;
		fastcgi_param             front_controller_active true;
		# "php-handler" is the upstream declared in the nextcloud file (shared PHP-FPM socket)
		fastcgi_pass              php-handler;
		fastcgi_intercept_errors  on;
		fastcgi_request_buffering off;
		fastcgi_read_timeout      300;
	}
	
	location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
		expires max;
		log_not_found off;
	}
}

nginx configuration for Nextcloud

  /etc/nginx/sites-available/nextcloud
  
upstream php-handler {
	# PHP-FPM socket; the wordpress and dokuwiki files reuse this upstream name
	server                        unix:/var/run/nextcloud.sock;
}
 
server {
	listen                        80;
	listen                        [::]:80;
	server_name                   cloud.tlx.fr;
	return                        301 https://$server_name$request_uri;
}

server {
	listen                        443 ssl http2;
	listen                        [::]:443 ssl http2;
	server_name                   cloud.tlx.fr;
 
	# Path to the root of your installation
	root                          /var/www/nextcloud/;
 
	ssl                           on;
	ssl_certificate               /etc/letsencrypt/live/cloud.tlx.fr/fullchain.pem;
	ssl_certificate_key           /etc/letsencrypt/live/cloud.tlx.fr/privkey.pem;
	ssl_trusted_certificate       /etc/letsencrypt/live/cloud.tlx.fr/chain.pem;
	ssl_dhparam                   /etc/ssl/certs/dhparam.pem;
 
	ssl_session_cache             shared:SSL:1m;
	ssl_session_timeout           1440m;
	ssl_buffer_size               8k;
	ssl_protocols                 TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers                   'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
	ssl_prefer_server_ciphers     on;
	ssl_stapling                  on;
	ssl_stapling_verify           on;


	# Add headers to serve security related headers
	add_header                    X-Content-Type-Options nosniff;
	add_header                    X-XSS-Protection "1; mode=block";
	add_header                    X-Robots-Tag none;
	add_header                    X-Download-Options noopen;
	add_header                    X-Permitted-Cross-Domain-Policies none;
	add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
 
	location = /robots.txt {
		allow                     all;
		log_not_found             off;
		access_log                off;
	}
 
	location = /.well-known/carddav {
	  return                      301 $scheme://$host/remote.php/dav;
	}
 
	location = /.well-known/caldav {
	  return                      301 $scheme://$host/remote.php/dav;
	}
 
	# set max upload size
	client_max_body_size          512M;
	fastcgi_buffers               64 4K;
 
	# Enable gzip but do not remove ETag headers
	gzip                          on;
	gzip_vary                     on;
	gzip_comp_level               4;
	gzip_min_length               256;
	gzip_proxied                  expired no-cache no-store private no_last_modified no_etag auth;
	gzip_types                    application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
	location / {
		rewrite                   ^ /index.php$uri;
	}
 
	location ~ ^/\.well-known/acme-challenge/ {
		allow                     all;
	}
 
	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
		deny                      all;
	}
 
	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
		deny                      all;
	}
 
	location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
		fastcgi_split_path_info   ^(.+\.php)(/.*)$;
		include                   fastcgi_params;
		fastcgi_param             SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param             PATH_INFO $fastcgi_path_info;
		fastcgi_param             HTTPS on;
		fastcgi_param             modHeadersAvailable true;
		fastcgi_param             front_controller_active true;
		fastcgi_pass              php-handler;
		fastcgi_intercept_errors  on;
		fastcgi_request_buffering off;
		fastcgi_read_timeout      300;
	}
 
	location ~ ^/(?:updater|ocs-provider)(?:$|/) {
		try_files                 $uri/ =404;
		index                     index.php;
	}
 
	# Adding the cache control header for js and css files
	# Make sure it is BELOW the PHP block. add_header inside a location replaces the
	# server-level headers, which is why the security headers are repeated here.
	location ~* \.(?:css|js|woff|svg|gif)$ {
		try_files                 $uri /index.php$uri$is_args$args;
		add_header                Cache-Control "public, max-age=15778463";
		add_header                X-Content-Type-Options nosniff;
		add_header                X-XSS-Protection "1; mode=block";
		add_header                X-Robots-Tag none;
		add_header                X-Download-Options noopen;
		add_header                X-Permitted-Cross-Domain-Policies none;
		# Optional: Don't log access to assets
		access_log                off;
	}
 
	location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
		try_files                 $uri /index.php$uri$is_args$args;
		# Optional: Don't log access to other assets
		access_log                off;
	}
}

nginx configuration for DokuWiki

  /etc/nginx/sites-available/dokuwiki
  
server {
	listen                        80;
	listen                        [::]:80;
	server_name                   wiki.tlx.fr;
	return                        301 https://$server_name$request_uri;
}

server {
	listen                        443 ssl http2;
	listen                        [::]:443 ssl http2;

	server_name wiki.tlx.fr;

	root /var/www/dokuwiki;
	index index.php;
	
	ssl                           on;
	ssl_certificate               /etc/letsencrypt/live/wiki.tlx.fr/fullchain.pem;
	ssl_certificate_key           /etc/letsencrypt/live/wiki.tlx.fr/privkey.pem;
	ssl_trusted_certificate       /etc/letsencrypt/live/wiki.tlx.fr/chain.pem;
	ssl_dhparam                   /etc/ssl/certs/dhparam.pem;

	ssl_session_cache             shared:SSL:1m;
	ssl_session_timeout           1440m;
	ssl_buffer_size               8k;
	ssl_protocols                 TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers                   'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
	ssl_prefer_server_ciphers     on;
	ssl_stapling                  on;
	ssl_stapling_verify           on;


	# Add headers to serve security related headers
	add_header                    X-Content-Type-Options nosniff;
	add_header                    X-XSS-Protection "1; mode=block";
	add_header                    X-Robots-Tag none;
	add_header                    X-Download-Options noopen;
	add_header                    X-Permitted-Cross-Domain-Policies none;
	add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
		
	# set max upload size
	client_max_body_size          16M;
	fastcgi_buffers               64 4K;
	
	# Enable gzip but do not remove ETag headers
	gzip                          on;
	gzip_vary                     on;
	gzip_comp_level               4;
	gzip_min_length               256;
	gzip_proxied                  expired no-cache no-store private no_last_modified no_etag auth;
	gzip_types                    application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
	
	location ~ /(data/|conf/|bin/|inc/|install\.php) { deny all; }

	location / { try_files $uri $uri/ @dokuwiki; }

	location @dokuwiki {
		# rewrites "doku.php/" out of the URLs if you set the userewrite setting to .htaccess in dokuwiki's config
		rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
		rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
		rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
		rewrite ^/(.*) /doku.php?id=$1&$args last;
	}

	location ~ ^/(|lib/(exe|plugins/[^/]+)/)[^/]+\.php {

		fastcgi_split_path_info   ^(.+\.php)(/.*)$;
		include                   fastcgi_params;
		fastcgi_param             SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param             PATH_INFO $fastcgi_path_info;
		fastcgi_param             HTTPS on;
		fastcgi_param             modHeadersAvailable true;
		fastcgi_param             front_controller_active true;
		# "php-handler" is the upstream declared in the nextcloud file (shared PHP-FPM socket)
		fastcgi_pass              php-handler;
		fastcgi_intercept_errors  on;
		fastcgi_request_buffering off;
		fastcgi_read_timeout      300;
	}
}

The three configs are very close to each other (the TLS block, the security headers and the gzip settings are identical) and can serve as a template for other applications hosted on the same server.
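A small lint over the TLS lines the three files share, as an added example (not code from the page): it flags the 2018-era settings a reviewer would change today and shows the hardened block beside them. audit_tls, PAGE_TLS_BLOCK and HARDENED_TLS_BLOCK are names of this example, and the sample text is constructed from the server blocks above.

```python
"""Lint the TLS lines the three vhosts above share (added example, not code
from the page); a small regex parser stands in for nginx so it runs offline."""
import re

# Constructed sample: the shared TLS/HSTS lines as written in each server
# block above, with the cipher string shortened for readability.
PAGE_TLS_BLOCK = """
    ssl                           on;
    ssl_protocols                 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                   'kEECDH+AES128 kEDH+AES128 DES-CBC3-SHA +SHA !aNULL !MD5';
    add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
"""
# The same block with every finding below applied (Mozilla "intermediate" shape).
HARDENED_TLS_BLOCK = """
    ssl_protocols                 TLSv1.2 TLSv1.3;
    ssl_ciphers                   'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers     off;
    add_header                    Strict-Transport-Security 'max-age=63072000; includeSubDomains' always;
"""
DIRECTIVE_RE = re.compile(r"^\s*(\S+)\s+(.*?);\s*$", re.M)  # one 'name value;' per line
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_tls(text):
    """Return (directive, problem, fix) triples for the weak settings this lint knows."""
    findings = []
    for name, value in DIRECTIVE_RE.findall(text):
        if name == "ssl" and value == "on":
            findings.append((name, "'ssl on' is deprecated; 'listen 443 ssl' already enables TLS",
                             "delete the line"))
        elif name == "ssl_protocols":
            weak = [p for p in value.split() if p in WEAK_PROTOCOLS]
            if weak:
                findings.append((name, "enables " + ", ".join(weak), "ssl_protocols TLSv1.2 TLSv1.3;"))
        elif name == "ssl_ciphers" and "DES-CBC3" in value:
            findings.append((name, "offers the 3DES suite DES-CBC3-SHA", "drop it, keep AEAD suites only"))
        elif name == "add_header" and value.startswith("Strict-Transport-Security"):
            # nginx adds headers to 2xx/3xx responses only, unless 'always' is given
            if not value.endswith(" always"):
                findings.append((name, "HSTS lacks 'always', so error responses go out without it",
                                 "append 'always' before the ';'"))
    return findings


if __name__ == "__main__":
    for directive, problem, fix in audit_tls(PAGE_TLS_BLOCK):
        print(f"{directive}: {problem} -> {fix}")
    print("hardened block findings:", audit_tls(HARDENED_TLS_BLOCK))
```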

Certificates are generated with Let's Encrypt.

For the record, here is the command that issues a certificate for one domain (or, as here, two synonymous domains). In --webroot mode the Let's Encrypt validator must be able to fetch /.well-known/acme-challenge/ from that directory: the port-80 blocks above redirect to https, which the validator follows, and the 443 blocks then serve the challenge file statically (the Nextcloud file even has an explicit location for it).

certbot certonly --webroot -w /var/www/wordpress --agree-tos --email tech@tlx.fr -d www.tlx.fr -d tlx.fr --rsa-key-size 4096
  • /var/www/dokuwiki/data/pages/2_hostmytlx/1_serveur/nginx_exemples_de_configurations
  • Last modified: 20/10/2018 23:05