106Nginx - amagerard/Wiki GitHub Wiki
RedHat/Xwiki
| 1- Network | 2- Java | 3- Tomcat | 4- Mariadb | 5- Xwiki |
|---|---|---|---|---|
| 6- Nginx | 7- selinux | 8- GnomeShell | 9- Troubleshoots |
6. Nginx.
6.1 Installation.
Expose XWiki through nginx over HTTPS to clients outside the host. Tomcat keeps listening on 8080, but only nginx will be reachable from the network.
dnf install nginx
You need an RSA key and a certificate for the nginx virtual host. The certificate is not self-signed: it is issued by the local CA created in the Certificates procedure, Chapter 6.3.1.
/etc/ssl/certs/xwiki.crt (to be created).
/etc/ssl/private/xwiki.key (to be created).
/etc/ssl/certs/CA.crt (already exists).
Follow the Certificates procedure of Chapter 6.3.1. Make sure the request carries a subjectAltName of xwiki.ol26modk.com: browsers no longer accept a host name that only appears in the CN.
The validity of a CA-issued certificate is set on the openssl ca command (or by default_days in openssl.cnf); -days on openssl req only has an effect together with -x509.
openssl genrsa -out /etc/ssl/private/xwiki.key 4096
openssl req -new -key /etc/ssl/private/xwiki.key -out /etc/ssl/certs/xwiki.csr
openssl ca -config /etc/ssl/openssl.cnf -days 365 -out /etc/ssl/certs/xwiki.crt -in /etc/ssl/certs/xwiki.csr
chmod 400 /etc/ssl/certs/xwiki.crt
chmod 400 /etc/ssl/certs/CA.crt
chmod 400 /etc/ssl/private/xwiki.key
chmod 400 /etc/ssl/private/CA.key
On RHEL /etc/ssl is a symlink to /etc/pki/tls, so the paths below refer to the same files as above.
Give nginx read access to its key and certificate. The nginx master process runs as root and loads the certificate and key at startup, so this ACL only matters if you run the master unprivileged. nginx never needs CA.key: leave it readable by root only.
setfacl -m u:nginx:r /etc/pki/tls/private/xwiki.key
setfacl -m u:nginx:r /etc/pki/tls/certs/xwiki.crt
setfacl -m u:nginx:r /etc/pki/tls/certs/CA.crt
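Before pointing nginx at these files it is worth checking that they actually belong together. The script below is an added example written for this page, not part of the wiki, of OpenSSL or of nginx. It assumes a Linux host with GNU coreutils (stat -c, sha256sum) and an openssl binary; the three paths it takes are the ones created above, and the --demo mode builds a throwaway CA and leaf certificate under mktemp (constructed material, nothing from a real host) and also tries a foreign key to show the mismatch being caught.

```shell
#!/bin/sh
# Added example, not part of the wiki: sanity-check the key, the certificate
# and the CA before nginx is pointed at them. Default paths are the wiki's.
# "--demo" builds a throwaway CA and leaf in a temp dir (constructed material,
# nothing from a real host) and runs the checks, including a deliberate
# key/certificate mismatch that must be caught.
set -u

# key_pub_fp KEY: SHA-256 of the DER public key derived from a private key.
key_pub_fp() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
}

# cert_pub_fp CERT: SHA-256 of the DER public key embedded in a certificate.
cert_pub_fp() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
}

# check_tls_material KEY CERT CA: 0 if KEY belongs to CERT, CERT is issued by CA
# and KEY is not world-readable. Each failed check prints one line.
check_tls_material() {
  ck_rc=0
  [ "$(key_pub_fp "$1")" = "$(cert_pub_fp "$2")" ] \
    || { echo "key $1 does not match certificate $2"; ck_rc=1; }
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 \
    || { echo "certificate $2 is not issued by $3"; ck_rc=1; }
  # Last octal digit of the mode = "other" bits. A setfacl for nginx widens the
  # group/mask bits (400 shows as 440), which is expected, so only "other" counts.
  ck_mode=$(stat -c %a "$1")
  case "$ck_mode" in
    *0) ;;
    *) echo "key $1 is world-readable (mode $ck_mode)"; ck_rc=1 ;;
  esac
  # Expiry within 30 days is only a warning: the CA must reissue, nginx still works.
  openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null 2>&1 \
    || echo "warning: certificate $2 expires within 30 days"
  return $ck_rc
}

# demo_selfcheck: throwaway CA + leaf, then a foreign key that must be rejected.
demo_selfcheck() {
  dm_d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dm_d/CA.key" -out "$dm_d/CA.crt" \
    -days 2 -subj "/CN=demo-CA" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dm_d/xwiki.key" \
    -out "$dm_d/xwiki.csr" -subj "/CN=xwiki.ol26modk.com" >/dev/null 2>&1
  openssl x509 -req -in "$dm_d/xwiki.csr" -CA "$dm_d/CA.crt" -CAkey "$dm_d/CA.key" \
    -CAcreateserial -days 1 -out "$dm_d/xwiki.crt" >/dev/null 2>&1
  chmod 400 "$dm_d/xwiki.key"
  check_tls_material "$dm_d/xwiki.key" "$dm_d/xwiki.crt" "$dm_d/CA.crt" || return 1
  openssl genrsa -out "$dm_d/other.key" 2048 >/dev/null 2>&1
  chmod 400 "$dm_d/other.key"
  # Wrong key for the certificate: must fail.
  if check_tls_material "$dm_d/other.key" "$dm_d/xwiki.crt" "$dm_d/CA.crt" >/dev/null; then
    return 1
  fi
  rm -rf "$dm_d"
  return 0
}

case "${1:-}" in
  "") ;;  # no argument: only define the functions
  --demo) demo_selfcheck && echo "self-check passed" ;;
  *) check_tls_material "$1" "${2:?certificate path}" "${3:?CA certificate path}" \
       && echo "TLS material OK" ;;
esac
```

Run it as sh check_tls.sh --demo for the offline self-check, and as sh check_tls.sh /etc/ssl/private/xwiki.key /etc/ssl/certs/xwiki.crt /etc/ssl/certs/CA.crt (as root, since the key is mode 400) on the real files. The mode test deliberately looks only at the "other" bits, so the ACL granted to nginx above does not trip it.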
6.2 Custom configuration.
This procedure uses the following example values; replace them with yours.
IP of the xwiki host: 192.168.60.44/24
Server name: xwiki.ol26modk.com
Folder for the site configuration files.
mkdir /etc/nginx/sites-available
Folder of enabled sites, the one nginx actually reads.
mkdir /etc/nginx/sites-enabled
Edit nginx.conf.
First make a backup of your nginx.conf.
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_backup
Empty nginx.conf.
> /etc/nginx/nginx.conf
Then edit it.
vi /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
# -- nginx paranoia --
client_body_buffer_size 1m;
# 1m rejects any upload above 1 MB, XWiki attachments included; raise it to the
# attachment size you want to allow.
client_max_body_size 1m;
large_client_header_buffers 4 8k;
# Prevent clickjacking attacks
add_header X-Frame-Options "SAMEORIGIN" always;
# HSTS. "always" is an nginx flag and must stay outside the quotes; inside them
# it is sent as part of the header value and browsers ignore it.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Legacy XSS filter header; current browsers ignore it.
add_header X-XSS-Protection "1; mode=block";
# Prevention of MIME confusion-based attacks
add_header X-Content-Type-Options "nosniff" always;
# Hide the X-Powered-By header Tomcat may send
proxy_hide_header X-Powered-By;
# Referrer policy
add_header Referrer-Policy "origin-when-cross-origin" always;
# These add_header lines are inherited by the server and location blocks only
# as long as those blocks contain no add_header of their own.
#--End nginx paranoia --
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
Edit tomcat.conf.
vi /etc/nginx/sites-available/tomcat.conf
Be careful: only the subnets 127.0.0.1, 192.168.20.0/24 and 192.168.80.0/24
are allowed to reach XWiki. Adapt the allow list to your own networks.
server {
listen 80;
# listen [::]:80;
server_name _;
# redirect to https
return 301 https://$host$request_uri;
}
## Settings for a TLS enabled server.
#
server {
listen 443 ssl http2;
# listen [::]:443 ssl http2;
server_name _;
# Document root, used only for the nginx error pages below. Keep it out of the
# Tomcat installation so that no nginx location can ever serve Tomcat's files.
root /usr/share/nginx/html;
index index.html;
#
ssl_certificate "/etc/ssl/certs/xwiki.crt";
ssl_certificate_key "/etc/ssl/private/xwiki.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher list from the RHEL system-wide crypto policy (update-crypto-policies).
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
#
# Be careful, only the subnets below are allowed.
# Restrict access and proxy everything to Tomcat on 8080.
location / {
# Tell Tomcat/XWiki who the client is and that the outer leg is HTTPS, so the
# absolute URLs it generates use https://. Tomcat honours these headers only
# with RemoteIpValve (remoteIpHeader/protocolHeader) configured in server.xml;
# alternatively set xwiki.url.protocol=https in xwiki.cfg.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8080;
allow 127.0.0.1;
allow 192.168.20.0/24;
allow 192.168.80.0/24;
deny all;
}
# Block access to dot files (.git, .htaccess, ...).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Error pages served from root above (the RHEL nginx package ships 404.html and 50x.html there).
error_page 404 /404.html;
location = /404.html {
}
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
charset utf-8;
}
Link tomcat.conf into the sites-enabled folder, then enable and start nginx.
ln -s /etc/nginx/sites-available/tomcat.conf /etc/nginx/sites-enabled/tomcat.conf
systemctl enable --now nginx
Change the firewall rules. This wiki uses ufw; on a stock RHEL host running firewalld, open the http and https services and remove the 8080/tcp port instead.
ufw allow "WWW Full"
Delete the 8080 rule (its number comes from ufw status numbered).
ufw status numbered
[ 9] 8080/tcp ALLOW IN Anywhere
ufw delete 9
ufw status verbose
To Action From
-- ------ ----
80,443/tcp (WWW Full) ALLOW IN Anywhere
Check the listening sockets.
netstat -pltn
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 975/java
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 9292/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 9292/nginx: master
Tomcat still binds 8080 on every interface, so the firewall rule above is the only thing keeping it private. For defense in depth, add address="127.0.0.1" to the HTTP Connector in Tomcat's server.xml; 8080 is then reachable only through nginx, whatever happens to the firewall.
From a remote machine, open http://xwiki.ol26modk.com/xwiki: nginx redirects to https://xwiki.ol26modk.com/xwiki (the browser must trust CA.crt, otherwise it warns about the private CA).
http://xwiki.ol26modk.com:8080 is no longer reachable from outside the host.
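To confirm the result from outside rather than by eye (the redirect on 80, the hardening headers on 443, the closed 8080), the script below is an added example for this page, not something from the wiki, nginx or XWiki. It assumes curl and GNU coreutils on the machine you test from; the host name xwiki.ol26modk.com and the /xwiki path are the wiki's example values, and the responses built in demo are constructed, not captured from a server. Run nginx -t on the server first so that a syntax error is not mistaken for a deployment problem.

```shell
#!/bin/sh
# Added example, not part of the wiki: an external check of the finished
# reverse proxy. "probe HOST" needs curl and network access and verifies that
# port 80 only redirects to https, that the TLS answer carries the hardening
# headers without leaking versions, and that 8080 is not reachable. "--demo"
# runs the same checks on constructed responses (nothing captured from a real
# server) so the logic can be exercised offline. Host name is the wiki's example.

# hdr FILE NAME: value of response header NAME (case-insensitive), empty if absent.
hdr() {
  grep -i "^$2:" "$1" | head -n 1 | cut -d: -f2- | tr -d '\r' | sed 's/^ *//;s/ *$//'
}

# resp_status FILE: status code from the first line ("HTTP/1.1 301 ..." or "HTTP/2 301").
resp_status() {
  head -n 1 "$1" | tr -d '\r' | cut -d' ' -f2
}

# check_redirect FILE: the plain-HTTP answer must be a 301 to an https:// URL.
check_redirect() {
  cr_st=$(resp_status "$1")
  cr_loc=$(hdr "$1" Location)
  [ "$cr_st" = 301 ] || { echo "port 80: expected 301, got '$cr_st'"; return 1; }
  case "$cr_loc" in
    https://*) return 0 ;;
    *) echo "port 80: Location is not https: '$cr_loc'"; return 1 ;;
  esac
}

# check_security_headers FILE: the TLS answer must carry the "nginx paranoia"
# headers and must not expose server versions.
check_security_headers() {
  ch_rc=0
  for ch_h in Strict-Transport-Security X-Frame-Options X-Content-Type-Options Referrer-Policy; do
    [ -n "$(hdr "$1" "$ch_h")" ] || { echo "missing header: $ch_h"; ch_rc=1; }
  done
  ch_hsts=$(hdr "$1" Strict-Transport-Security)
  # nginx's "always" flag must be outside the quotes of add_header; inside them
  # it is sent as a bogus HSTS directive that browsers ignore.
  case "$ch_hsts" in *always*) echo "HSTS value contains 'always': '$ch_hsts'"; ch_rc=1 ;; esac
  case "$(hdr "$1" Server)" in */*) echo "Server header leaks a version (server_tokens off?)"; ch_rc=1 ;; esac
  [ -z "$(hdr "$1" X-Powered-By)" ] || { echo "X-Powered-By leaked through the proxy"; ch_rc=1; }
  return $ch_rc
}

# probe HOST: run the checks against a live deployment.
probe() {
  pr_d=$(mktemp -d); pr_rc=0
  curl -s -m 10 -o /dev/null -D "$pr_d/http.txt" "http://$1/xwiki/" || pr_rc=1
  check_redirect "$pr_d/http.txt" || pr_rc=1
  # -k because the wiki's certificate comes from a private CA; use --cacert CA.crt if you have it.
  curl -s -k -m 10 -o /dev/null -D "$pr_d/https.txt" "https://$1/xwiki/" || pr_rc=1
  check_security_headers "$pr_d/https.txt" || pr_rc=1
  if curl -s -m 5 -o /dev/null "http://$1:8080/"; then
    echo "port 8080 is still reachable from here"; pr_rc=1
  fi
  rm -rf "$pr_d"
  return $pr_rc
}

# demo: a correct pair of responses, then responses that must be rejected: a
# plain 200 on port 80, and a TLS answer with the defects the original header
# block would produce (version in Server, "always" inside HSTS, X-Powered-By
# passed through, headers missing).
demo() {
  dm_d=$(mktemp -d); dm_rc=0
  printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://xwiki.ol26modk.com/xwiki/\r\n\r\n' > "$dm_d/ok80.txt"
  printf 'HTTP/2 200\r\nserver: nginx\r\ncontent-type: text/html;charset=UTF-8\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\nx-frame-options: SAMEORIGIN\r\nx-content-type-options: nosniff\r\nreferrer-policy: origin-when-cross-origin\r\n\r\n' > "$dm_d/ok443.txt"
  printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.20.1\r\nContent-Type: text/html\r\n\r\n' > "$dm_d/bad80.txt"
  printf 'HTTP/2 200\r\nserver: nginx/1.20.1\r\nx-powered-by: Servlet/4.0\r\nstrict-transport-security: max-age=31536000; includeSubdomains; always\r\nx-frame-options: SAMEORIGIN\r\n\r\n' > "$dm_d/bad443.txt"
  check_redirect "$dm_d/ok80.txt" || dm_rc=1
  check_security_headers "$dm_d/ok443.txt" || dm_rc=1
  check_redirect "$dm_d/bad80.txt" >/dev/null && dm_rc=1
  check_security_headers "$dm_d/bad443.txt" >/dev/null && dm_rc=1
  rm -rf "$dm_d"
  return $dm_rc
}

case "${1:-}" in
  "") ;;  # no argument: only define the functions
  --demo) demo && echo "offline self-check passed" ;;
  *) probe "$1" && echo "$1: reverse proxy checks passed" ;;
esac
```

sh check_proxy.sh --demo runs the offline self-check; sh check_proxy.sh xwiki.ol26modk.com probes the live host. Run the probe once from one of the allowed subnets and once from a denied one: in both cases the redirect and the headers must pass, and the denied client must get nginx's 403 for /xwiki/ instead of the wiki.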