
Notes nginx

PKI, certificat client : http://reload.eez.fr/blog:2016:01:27:nginx_et_ssl_client_certificate

location /nginx_status {
  # stub_status publishes connection counters (active, reading, writing, waiting);
  # it is kept reachable from the loopback address only.
  stub_status on;
  # Monitoring polls would otherwise flood the access log.
  access_log off;
  # Only IPv4 loopback is allowed: a poll arriving over ::1 falls through to "deny all".
  allow 127.0.0.1;
  deny all;
}
location /download {
  # Directory listing is enabled for this path: every file in the mapped
  # directory becomes browsable, so only place content there that is meant to be listed.
  autoindex on;
  # Adds "charset=utf-8" to the response Content-Type so non-ASCII file names render correctly.
  charset utf-8;
}

HTTPS

#cat your_domain_name.crt DigiCertCA.crt >> bundle.crt
#cat keys/pkiweb.lan.crt keys/ca.crt > /etc/nginx/ssl/pkiweb.lan.combined.crt
# Build the file nginx serves through ssl_certificate: the server (leaf) certificate
# must come first, followed by the issuing CA certificate(s).
# ">" (not ">>") rewrites the file, so re-running the command does not duplicate entries.
cat keys/pkiweb.lan.crt keys/ca.crt > /etc/nginx/ssl/pkiweb.lan.crt+chain

Reverse Proxy

Voir https://tenzer.dk/nginx-with-dynamic-upstreams/

/etc/nginx/sites-available/plop.acme.fr.conf

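# Plain-HTTP listener whose only job is to send every request to HTTPS.
server {
        server_tokens off;
        listen 80;
        server_name www.plop.acme.fr plop.acme.fr;
        # "return 301" is the form recommended by the nginx docs over "rewrite ... permanent":
        # no regex evaluation, and $request_uri already carries the query string, so the
        # trailing "?" of the rewrite form is not needed.
        # $server_name expands to the first name listed above (www.plop.acme.fr).
        return 301 https://$server_name$request_uri;
}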
 
# HTTPS front end: terminates TLS here and proxies everything to an internal backend.
server {
        server_tokens off;
        listen 443 ssl;
        server_name www.plop.acme.fr plop.acme.fr;
 
        # The certificate file should hold the leaf followed by its chain (see the
        # "cat ... > ...crt+chain" note above); the key file must stay unreadable to other users.
        # No ssl_protocols / ssl_ciphers are set in this block, so the nginx build defaults
        # apply; the directive list further down in these notes pins TLSv1.2.
        ssl_certificate /etc/nginx/ssl/plop.acme.fr.crt;
        ssl_certificate_key /etc/nginx/ssl/plop.acme.fr.key;
        # HSTS for one year, covering subdomains: once a browser has seen this it refuses
        # plain HTTP for every *.plop.acme.fr host, so all of them must serve valid TLS first.
        # Without the "always" flag nginx omits add_header headers on error responses (4xx/5xx).
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
 
        access_log /var/log/nginx/plop.log;
        error_log /var/log/nginx/plop.err;
 
        # Upload limits kept commented; nginx's default client_max_body_size is 1m
        # (see the "client intended to send too large body" note below).
        #client_max_body_size 0;
        #client_body_buffer_size 128k;
 
        location / {
                include /etc/nginx/proxy_params;
                # The upstream hop is plain HTTP to an internal address: the client's TLS ends
                # at nginx, so the network path to 192.168.15.149 must be trusted.
                proxy_pass http://192.168.15.149:8000;
                # Presumably kept for very large uploads (proxy_request_buffering off streams
                # the body to the backend instead of spooling it first) — confirm before enabling.
                #client_max_body_size 0;
                #proxy_request_buffering off;
                #proxy_connect_timeout  36000s;
                #proxy_read_timeout  36000s;
                #proxy_send_timeout  36000s;
 
        }
 
}

Problème

client intended to send too large body

# Raises the request body limit (nginx default: 1m) to 20 MB; place it in the http,
# server or location context that receives the uploads, then reload nginx.
client_max_body_size 20M;
# Re-reads the configuration without dropping open connections; "nginx -t" beforehand
# catches syntax errors that would otherwise make the reload a no-op.
service nginx reload

Autres

Nginx letsencrypt

# Standalone mode: letsencrypt binds the HTTP port itself to answer the ACME challenge,
# so nginx must be stopped (or not yet installed) while this runs.
letsencrypt-auto certonly --standalone --email nospam@acme.fr -d acme.fr -d mail.acme.fr

# Same request with all state kept under the user's home instead of /etc/letsencrypt.
# Whether "~" after "=" inside an argument is tilde-expanded depends on the shell
# (POSIX sh does not do it); the $HOME form on the second line is the portable one.
letsencrypt --config-dir=~/etc/letsencrypt/ --logs-dir=~/log/ --work-dir=~/ssl/ certonly --standalone --email nospam@acme.fr -d acme.fr -d mail.acme.fr
letsencrypt --config-dir=$HOME/etc/letsencrypt/ --logs-dir=$HOME/log/ --work-dir=$HOME certonly --standalone --email nospam@acme.fr -d acme.fr -d mail.acme.fr


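# Regex locations are tried in order, so the ACME challenge path must be allowed before
# the dot-file deny below catches it. "\." escapes the dot; "localtion" was a typo that
# would have failed nginx -t.
location ~ /\.well-known { allow all; }

# Refuse every dot-file or dot-directory (.git, .htpasswd, .env, ...).
location ~ /\. { deny all; }

# Everything else is redirected to HTTPS; $request_uri keeps path and query string.
# Regex locations above take precedence over this prefix location.
location / {
    return 301 https://plop.fr$request_uri;
}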


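# IPv6 and IPv4 listeners on the same port. ipv6only=on keeps the [::] socket from also
# accepting IPv4-mapped addresses, which the second listen directive handles.
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;

# Let's Encrypt live paths: fullchain.pem = leaf + intermediate, privkey.pem = private key.
# Fixed: both directives were missing ";" and "pridvkey.pem" was a typo.
ssl_certificate /etc/letsencrypt/live/plop.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/plop.fr/privkey.pem;

# OCSP stapling: nginx fetches the OCSP response itself and verifies it against
# ssl_trusted_certificate (the chain), so clients need not contact the CA.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/plop.fr/fullchain.pem;

# Resolver used for the OCSP responder lookup; these queries go to Google DNS in the clear,
# so a local or internal resolver is preferable where one exists.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 3s;

# Session resumption. With a 24h timeout and a static ticket key, anyone holding
# ticket.key can decrypt resumed sessions captured within that window (forward secrecy
# is lost for them), so regenerate the key regularly and reload if tickets stay enabled.
# Fixed: missing ";" on two lines and the "ssl_session_tockets" typo.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/ssl/ticket.key;

# TLS 1.2 only, AES-256 suites with ephemeral (EC)DH key exchange; !aNULL excludes
# unauthenticated suites. ssl_dhparam supplies the group for the EDH suites
# (generated by the "openssl dhparam" command below).
ssl_protocols TLSv1.2;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
ssl_dhparam /etc/nginx/ssl/dhparam4.pem;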
https://github.com/appleboy/letsencrypt-with-nginx/blob/master/nginx.conf


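# Session ticket key: 48 random bytes. Options must precede the byte count — OpenSSL 1.1
# and later reject "openssl rand 48 -out FILE". The key must stay readable by root only.
openssl rand -out /etc/nginx/ssl/ticket.key 48
chmod 600 /etc/nginx/ssl/ticket.key
# 4096-bit DH parameters for the EDH cipher suites; generation can take many minutes.
openssl dhparam -out /etc/nginx/ssl/dhparam4.pem 4096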

# Renews every certificate that is close to expiry; schedule it and reload nginx afterwards.
letsencrypt renew

# Webroot mode, the alternative to --standalone: the challenge files are written under
# .well-known/acme-challenge of the site nginx already serves, so no downtime is needed.
mkdir /var/www/plop.fr/.well-known/acme-challenge
# Options to append to a "letsencrypt certonly --webroot" invocation (this line is not a
# complete command by itself); -d still needs the domain name(s).
--rsa-key-size 4096 --webroot-path /var/www/plop.fr/ -d 

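# certbot's nginx plugin edits the matching server blocks and handles the challenge itself.
# "cerboot" was a typo; the command would not have been found.
sudo certbot --nginx -d belaris.fr -d www.belaris.fr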

# Copy the sample cli.ini so site defaults (key size, email, webroot, ...) are written once
# and passed with "-c /usr/local/etc/plop.ini" instead of repeated on every command line.
cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/plop.ini


https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/
https://www.youtube.com/watch?v=tgvuQM0qgCE