
nginx

install

# apt install gnupg2
# wget -q -O /etc/apt/trusted.gpg.d/nginx_signing.asc https://nginx.org/keys/nginx_signing.key
# apt update
# apt install nginx

config

/etc/nginx/nginx.conf
http {
    # raise the timeouts (seconds) for slow upstream requests
    proxy_connect_timeout   300;
    proxy_read_timeout      300;
    proxy_send_timeout      300;
    # if the request is passed through uwsgi, the proxy_*_timeout options do not apply; use the uwsgi_* one
    uwsgi_read_timeout      300;
}

HTTPS + websocket, starlette listening on 8300

Redirect HTTP to HTTPS.
HTTPS and websocket traffic are proxied to 8300.

/etc/nginx/conf.d/default.conf
server {
    listen      80;
    server_name <SUBDOMAIN>;
    return 301  https://<SUBDOMAIN>$request_uri;
}

server {
    listen              443 ssl;
    server_name         <SUBDOMAIN>;
    ssl_certificate     /etc/letsencrypt/live/<DOMAIN>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<DOMAIN>/privkey.pem;

    location / {
        proxy_set_header        Host $http_host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_redirect          off;
        proxy_buffering         off;
        proxy_pass              http://localhost:8300;
    }

    location /wss {
        proxy_pass              http://127.0.0.1:8300;
        proxy_http_version      1.1;
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection "upgrade";
        proxy_read_timeout      3600;
    }
}
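A small config check for the setup above, written for these notes rather than taken from nginx or the page's author: it parses a conf.d file with a simplified nginx grammar (directives ending in `;`, blocks in `{}`, `#` comments; it does not handle every nginx syntax) and flags the things that most often go wrong with this layout: a plaintext server that does not 301 to https, a `listen ... ssl` server without both certificate directives, a websocket location that sets `Upgrade` without `proxy_http_version 1.1` or `Connection "upgrade"`, and `<PLACEHOLDER>` values left unfilled. The sample config is the page's default.conf with the placeholders filled with constructed values (`app.example.com`); `nginx -t` remains the authoritative syntax check.

```python
import re

# Constructed sample: the page's default.conf with placeholders filled in (example.com is a documentation domain)
GOOD_CONF = """
server {
    listen      80;
    server_name app.example.com;
    return 301  https://app.example.com$request_uri;
}

server {
    listen              443 ssl;
    server_name         app.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_set_header        Host $http_host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_redirect          off;
        proxy_buffering         off;
        proxy_pass              http://localhost:8300;
    }

    location /wss {
        proxy_pass              http://127.0.0.1:8300;
        proxy_http_version      1.1;
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection "upgrade";
        proxy_read_timeout      3600;
    }
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')


def parse(text):
    """Parse nginx config text into (name, args, body) triples: body is a list for blocks, None for directives."""
    text = re.sub(r'#[^\n]*', '', text)          # drop comments
    root, stack, cur = [], [], []
    stack.append(root)
    for tok in TOKEN.findall(text):
        if tok == '{':
            block = (cur[0], cur[1:], [])
            stack[-1].append(block)
            stack.append(block[2])                # descend into the block
            cur = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':
            if cur:
                stack[-1].append((cur[0], cur[1:], None))
            cur = []
        else:
            cur.append(tok)
    return root


def servers(items):
    """Yield the body of every server block, whether at top level or nested in http {}."""
    for name, _args, body in items:
        if body is None:
            continue
        if name == 'server':
            yield body
        else:
            yield from servers(body)


def lint_conf(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for body in servers(parse(conf_text)):
        directives = [(n, a) for n, a, b in body if b is None]
        names = [a for n, a in directives if n == 'server_name']
        label = ' '.join(names[0]) if names else '(unnamed server)'
        has_tls = any('ssl' in a for n, a in directives if n == 'listen')
        if has_tls:
            for required in ('ssl_certificate', 'ssl_certificate_key'):
                if not any(n == required for n, _a in directives):
                    findings.append(f'{label}: TLS server lacks {required}')
        else:
            returns = [a for n, a in directives if n == 'return']
            redirects = bool(returns) and len(returns[0]) == 2 and returns[0][0] == '301' \
                and returns[0][1].startswith('https://')
            if not redirects:
                findings.append(f'{label}: plaintext server does not 301-redirect to https')
        for name, largs, lbody in body:
            if name != 'location' or lbody is None:
                continue
            headers = {a[0].lower(): a[1].strip('"') for n, a, b in lbody
                       if n == 'proxy_set_header' and len(a) == 2}
            versions = [a for n, a, b in lbody if n == 'proxy_http_version']
            if 'upgrade' in headers:                  # websocket location
                if versions != [['1.1']]:
                    findings.append(f'{label} location {largs[-1]}: Upgrade header set without proxy_http_version 1.1')
                if headers.get('connection', '').lower() != 'upgrade':
                    findings.append(f'{label} location {largs[-1]}: Upgrade header set without Connection "upgrade"')
    for placeholder in sorted(set(re.findall(r'<[A-Z_.]+>', conf_text))):
        findings.append(f'unfilled placeholder {placeholder}')
    return findings


if __name__ == '__main__':
    for finding in lint_conf(GOOD_CONF) or ['no findings']:
        print(finding)
```

Run it against `/etc/nginx/conf.d/default.conf` by reading the file into `lint_conf`; an empty result means the redirect, certificate and websocket directives are all present.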

rate limit

# in the http {} context
limit_req_zone $binary_remote_addr zone=<ZONE_NAME>:10m rate=10r/s;

server {
    location / {
        limit_req zone=<ZONE_NAME>;
        ...
    }
}
About 16K IP states fit in 1m of shared memory, so a 10m zone covers roughly 160K clients.
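What `rate=10r/s` actually does is not obvious from the directive: nginx keeps one leaky-bucket state per key and, without `burst`, refuses any request that arrives less than 100 ms after the previous accepted one from the same key. The model below is an added example written for these notes, not nginx code: it reproduces nginx's arithmetic (excess and burst in thousandths of a request, integer millisecond times), includes the `burst` option from the real module even though the page's snippet does not use it, and stands in for the zone size with a bounded table that evicts the least recently seen key. Keys and arrival times are constructed.

```python
from collections import OrderedDict


class LimitReqZone:
    """Model of limit_req_zone + limit_req: one leaky-bucket state per key in a bounded table.

    Arithmetic follows nginx: excess and burst are counted in thousandths of a request,
    times are integer milliseconds, so the decisions below are exact.
    """

    def __init__(self, rate_per_sec, burst=0, max_states=None):
        self.rate = rate_per_sec * 1000        # thousandths of a request per second
        self.burst = burst * 1000
        self.max_states = max_states           # stand-in for the zone size (about 16K states per 1m)
        self.states = OrderedDict()            # key -> [last_ms, excess]; least recently used first

    def request(self, key, now_ms):
        """Return ('ok', delay_ms) when the request passes, ('reject', 0) when nginx answers 503."""
        state = self.states.get(key)
        if state is None:
            # new key: nginx creates the state with excess 0 and lets this request through
            if self.max_states is not None and len(self.states) >= self.max_states:
                self.states.popitem(last=False)     # evict the least recently used key
            self.states[key] = [now_ms, 0]
            return ('ok', 0)
        last_ms, excess = state
        ms = max(0, now_ms - last_ms)
        # leak what the elapsed time allows, then add this request
        excess = max(0, excess - self.rate * ms // 1000 + 1000)
        if excess > self.burst:
            return ('reject', 0)                     # state is left untouched, as in nginx
        state[0], state[1] = now_ms, excess
        self.states.move_to_end(key)
        delay_ms = excess * 1000 // self.rate        # how long nginx sleeps without `nodelay`
        return ('ok', delay_ms)


def simulate(rate_per_sec, burst, arrivals):
    """Feed (key, time_ms) arrivals through one zone and return the decision for each."""
    zone = LimitReqZone(rate_per_sec, burst)
    return [zone.request(key, t) for key, t in arrivals]


if __name__ == '__main__':
    # constructed: one client sending every 50 ms against rate=10r/s (one request per 100 ms)
    arrivals = [('203.0.113.5', t) for t in (0, 50, 100, 150, 200)]
    for (key, t), decision in zip(arrivals, simulate(10, 0, arrivals)):
        print(t, key, decision)
```

A client sending every 50 ms against `rate=10r/s` gets every second request rejected; with `burst=2` the first excess requests are accepted but delayed, and only the ones beyond the burst are refused.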

letsencrypt

config

# apt install certbot python3-certbot python3-certbot-nginx   # renew with nginx running
# certbot --nginx -d <HOSTNAME.DOMAIN.COM> <...> --cert-name <CUSTOM_NAME>

renewal

On modern systems renewal is automatic via a systemd timer (or cron.d); check with:

# certbot certificates
# journalctl -u certbot.service
# systemctl list-timers

fail2ban

# apt install fail2ban

config

Config goes in /etc/fail2ban/jail.local or in drop-in files under /etc/fail2ban/jail.d/.

fail2ban-client status            lists the running jails
fail2ban-client status <FILTER>   more verbose output for a specific jail

nginx

[nginx-http-auth]
enabled = true
port = http,https
logpath = %(nginx_error_log)s

This uses the filter of the same name located in /etc/fail2ban/filter.d/ (nginx-http-auth.conf) against the nginx error log.
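To see what the jail above does before enabling it, here is a replay of its logic in plain Python, added for these notes and not fail2ban's own code: a regex in the spirit of the nginx-http-auth filter (simplified, not the project's exact pattern) pulls the client address out of basic-auth failures in the nginx error log, and a sliding window applies the jail's `maxretry` and `findtime` semantics to decide which addresses would be banned. The log lines are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); `fail2ban-regex` is the tool to test the real filter against a real log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified take on fail2ban's nginx-http-auth filter (not its exact regex): a basic-auth
# failure line in the nginx error log, with the client address captured as fail2ban's <HOST>.
AUTH_FAIL = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*":? (?:password mismatch|was not found in "[^"]*"), '
    r'client: (?P<ip>[0-9a-fA-F.:]+), server:'
)

# Constructed error-log excerpt: three auth failures from one client (plus an unrelated 404 line that
# must not count), and three failures from a second client spread over 20 minutes.
SAMPLE_LOG = """\
2024/03/01 12:00:01 [error] 1234#1234: *7 user "admin": password mismatch, client: 203.0.113.5, server: app.example.com, request: "GET /admin HTTP/1.1", host: "app.example.com"
2024/03/01 12:00:03 [error] 1234#1234: *8 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.5, server: app.example.com, request: "GET /admin HTTP/1.1", host: "app.example.com"
2024/03/01 12:00:04 [error] 1234#1234: *9 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5, server: app.example.com, request: "GET /favicon.ico HTTP/1.1", host: "app.example.com"
2024/03/01 12:00:05 [error] 1234#1234: *10 user "bob": password mismatch, client: 198.51.100.7, server: app.example.com, request: "GET /admin HTTP/1.1", host: "app.example.com"
2024/03/01 12:00:06 [error] 1234#1234: *11 user "admin": password mismatch, client: 203.0.113.5, server: app.example.com, request: "GET /admin HTTP/1.1", host: "app.example.com"
2024/03/01 12:00:30 [error] 1234#1234: *12 user "bob": password mismatch, client: 198.51.100.7, server: app.example.com, request: "GET /admin HTTP/1.1", host: "app.example.com"
2024/03/01 12:20:00 [error] 1234#1234: *13 user "bob": password mismatch, client: 198.51.100.7, server: app.example.com, request: "GET /admin HTTP/1.1", host: "app.example.com"
"""


def scan(lines, maxretry=3, findtime=600):
    """Replay log lines; return {ip: ban_time} for clients with maxretry failures inside findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)       # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue                   # not an auth failure (e.g. a 404), ignored like the filter would
        ts = datetime.strptime(m['ts'], '%Y/%m/%d %H:%M:%S')
        ip = m['ip']
        if ip in banned:
            continue
        hits = recent[ip]
        while hits and ts - hits[0] > window:
            hits.popleft()             # failures older than findtime no longer count
        hits.append(ts)
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == '__main__':
    for ip, when in scan(SAMPLE_LOG.splitlines()).items():
        print(f'{ip} would be banned at {when:%Y-%m-%d %H:%M:%S}')
```

With the defaults used here, 203.0.113.5 is banned on its third failure while 198.51.100.7 is not, because its failures are spread wider than `findtime`; raising `findtime` in the jail (as in `jail.local`) changes that outcome, which is exactly the knob to tune when a jail seems to miss slow brute forcing.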