You are here: Home / Nginx

Nginx and Rails and PHP

June 23, 2011 by admin · Leave a Comment 

Here is a good tutorial show you about Nginx and Rails and PHP:

As you could probably guess, my blog (and several sites of my friends) are hosted on a lovely Linux VPS provided by Linode.  I honestly can’t say enough nice things about the service and reliability I’ve received from Linode (and no they don’t pay me to speak highly of them!).  But that’s not really the point of this post.  The point is actually quite simple:  My VPS doesn’t have a lot of memory, and I’m always wary of my resource consumption.  A few months ago, I moved from Apache to lighttpd for this reason, alone.  Let’s face it… Apache is a memory hog, and that problem is well-documented, so I won’t really go into details here.  “Lighty” has served me well for the past few months, but for reasons I’m about to explain, I felt the need to move to a different platform.

Filed under Nginx, PHP · Tagged with Nginx Rails, Nginx Rails PHP, nginx windows rails

Add SSL support to nginx

June 23, 2011 by admin · Leave a Comment 

Here is a good tutorial show you how to Add SSL support to nginx:

$ cd /tmp
$ wget http://sysoev.ru/nginx/nginx-0.7.67.tar.gz
$ tar zxf nginx-0.7.67.tar.gz
$ /opt/ruby-enterprise/bin/passenger-install-nginx-module
    –nginx-source-dir=/tmp/nginx-0.7.67
    –prefix=/opt/nginx –auto 
    –extra-configure-flags=–with-http_ssl_module

Filed under Nginx · Tagged with nginx ssl, nginx SSL support, nginx windows ssl

Install SSL Certificate on Nginx

June 23, 2011 by admin · Leave a Comment 

Here is a good tutorial show you how to Install SSL Certificate on Nginx:

Download and copy your certificate files to your server

Download your SSL certificate and support files by clicking on the download link in your fulfillment email or from your GeoCerts SSL Manager account. Unzip the files and copy them into the directory where you will keep your certificates. Some files in the zip may or may not be used depending on your server type.

Concat server cert and intermediate into a single file

Nginx requires a single file that contains the SSL Server Certificate stacked on top of the GeoTrust intermediate. The SSL Server Certificate (your_domain_com.txt) must be first in the stack. You can accomplish this by running this command:

cat GeoTrust_Intermediate.txt >> your_domain_com.txt

This will append the intermediate to SSL cert file.

Next change the filename for your_domain_com.txt to your_domain_com.crt.

Filed under Nginx · Tagged with nginx ssl, nginx SSL Certificate, nginx windows ssl

Set up Nginx with Server Name Indication TLS Extensions on CentOS

June 23, 2011 by admin · Leave a Comment 

Here is a good tutorial show you how to Set up Nginx with Server Name Indication TLS Extensions on CentOS:

Using this strategy, the following steps have been identified:

  1. produce an OpenSSL v0.9.8e version 6 package
  2. produce an OpenSSL v1.0.0 version 10 package (with TLS extensions enabled – the default)
  3. produce an Nginx package compiled against the new OpenSSL library
  4. acquire/produce server certificates
  5. install and configure Nginx

Filed under Nginx · Tagged with Nginx CentOS, Nginx with Server Name Indication TLS Extensions

NginX Reverse Proxy Configuration

June 23, 2011 by admin · Leave a Comment 

Here is a good wiki show you about NginX Reverse Proxy Configuration:

nginx.conf

The functionality of NginX is controlled pretty much completely through conf\nginx.conf. The general format of the file is that of directives, for example,

events {
  worker_connections  1024;
}

This defines 1024 workers, effectively setting a limit on the total concurrent number of users in the process.

The simple example of a complete nginx.conf is,

### General Server Settings             ###

worker_processes  1;

events {
  worker_connections  1024;
}

### Reverse Proxy Listener Definition  ###

http {
 server {
  listen 		80;
  server_name 		www.example.com;
  location / {
   proxy_pass 		http://internal-www-server:80;
   proxy_set_header 	host www.example.com;
  }
 }
}

Filed under Nginx · Tagged with , NginX Reverse Proxy

Setting up SSL for Nginx

June 23, 2011 by admin · Leave a Comment 

Here is a good tutorial show you how to Set up SSL for Nginx:

Remove the password from the key file:

If you don’t do this with every configtest or reload/restart of nginx you’ll have to type in the PEM password.


mv ssl.key bak.key
openssl rsa -in bak.key -out ssl.key

Filed under Nginx · Tagged with nginx ssl, Nginx Windows, nginx windows ssl, SSL for Nginx

Configure HTTPS servers in Nginx

June 23, 2011 by admin · Leave a Comment 

Here is a good tutorial show you how to Configure HTTPS servers in Nginx:

To configure an HTTPS server you must enable the SSL protocol in the server block, and specify the locations of the server certificate and private key files:

server {
    listen               443;
    server_name          www.nginx.com;
    ssl                  on;
    ssl_certificate      www.nginx.com.crt;
    ssl_certificate_key  www.nginx.com.key;
    ssl_protocols        SSLv3 TLSv1;
    ssl_ciphers          HIGH:!ADH:!MD5;
    ...
}

The server certificate is a public entity. It is sent to every client that connects to the server. The private key is a secure entity and should be stored in a file with restricted access, however, it must be readable by nginx’s master process. The private key may alternately be stored in the same file as the certificate:

    ssl_certificate      www.nginx.com.cert;
    ssl_certificate_key  www.nginx.com.cert;

in which case the file access rights should also be restricted. Although the certificate and the key are stored in one file, only the certificate is sent to a client.

The directives “ssl_protocols” and “ssl_ciphers” may be used to limit connections to strong SSL protocol versions and ciphers. Since version 0.8.20, nginx uses “ssl_protocols SSLv3 TLSv1” and “ssl_ciphers HIGH:!ADH:!MD5” by default, so they should only be set for earlier nginx versions.

HTTPS server optimization

SSL operations consume extra CPU resources. On multi-processor systems you should run several worker processes: no less than the number of available CPU cores. The most CPU-intensive operation is the SSL handshake. There are two ways to minimize the number of these operations per client: the first is by enabling keepalive connections to send several requests via one connection and the second is to reuse SSL session parameters to avoid SSL handshakes for parallel and subsequent connections. The sessions are stored in an SSL session cache shared between workers and configured by an “ssl_session_cache” directive. One megabyte of the cache contains about 4000 sessions. The default cache timeout is 5 minutes. It can be increased by using the “ssl_session_timeout” directive. Here is a sample configuration optimized for a quad core system with 10M shared session cache:

worker_processes  4;

http {
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;

    server {
        listen               443;
        server_name          www.nginx.com;
        keepalive_timeout    70;

        ssl                  on;
        ssl_certificate      www.nginx.com.crt;
        ssl_certificate_key  www.nginx.com.key;
        ssl_protocols        SSLv3 TLSv1;
        ssl_ciphers          HIGH:!ADH:!MD5;
        ...

 

SSL certificate chains

Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:

$ cat www.nginx.com.crt bundle.crt > www.nginx.com.chained.crt

The resulting file should be used in the “ssl_certificate” directive:

server {
    listen               443;
    server_name          www.nginx.com;
    ssl                  on;
    ssl_certificate      www.nginx.com.chained.crt;
    ssl_certificate_key  www.nginx.com.key;
    ...
}

If the server certificate and the bundle have been concatenated in the wrong order, nginx will fail to start and will display the error message:

SSL_CTX_use_PrivateKey_file(" ... /www.nginx.com.key") failed
   (SSL: error:0B080074:x509 certificate routines:
    X509_check_private_key:key values mismatch)

because nginx has tried to use the private key with the bundle’s first certificate instead of the server certificate.

Browsers usually store intermediate certificates which they receive and which are signed by trusted authorities, so actively used browsers may already have the required intermediate certificates and may not complain about a certificate sent without a chained bundle. To ensure the server sends the complete certificate chain, you may use the “openssl” command line utility, for example:

$ openssl s_client -connect www.godaddy.com:443
...
Certificate chain
 0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US
     /1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc
     /OU=MIS Department/CN=www.GoDaddy.com
     /serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b)
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
     /OU=http://certificates.godaddy.com/repository
     /CN=Go Daddy Secure Certification Authority
     /serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc.
     /OU=http://certificates.godaddy.com/repository
     /CN=Go Daddy Secure Certification Authority
     /serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc.
     /OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc.
     /OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc.
     /OU=ValiCert Class 2 Policy Validation Authority
     /CN=http://www.valicert.com//[email protected]
...

In this example the subject (“s”) of the www.GoDaddy.com server certificate #0 is signed by an issuer (“i”) which itself is the subject of the certificate #1, which is signed by an issuer which itself is the subject of the certificate #2, which signed by the well-known issuer ValiCert, Inc. whose certificate is stored in the browsers’ built-in certificate base (that lay in the house that Jack built).

If you have not added the certificates bundle, you will see only your server certificate #0.

A single HTTP/HTTPS server

It is good practice to configure separate servers for HTTP and HTTPS protocols from the very start. Although their functionalities currently seem equal, this may change significantly in the future and using a consolidated server may become problematic. However, if HTTP and HTTPS servers are equal, and you prefer not to think about the future, you may configure a single server that handles both HTTP and HTTPS requests by deleting the directive “ssl on” and adding the “ssl” parameter for *:443 port:

server {
    listen               80;
    listen               443  ssl;
    server_name          www.nginx.com;
    ssl_certificate      www.nginx.com.crt;
    ssl_certificate_key  www.nginx.com.key;
    ...
}

 

Prior to 0.8.21, nginx only allows the “ssl” parameter to be set on listen sockets with the “default” parameter:

listen  443  default  ssl;

 

Name-based HTTPS servers

A common issue arises when configuring two or more HTTPS servers listening on a single IP address:

server {
    listen           443;
    server_name      www.nginx.com;
    ssl              on;
    ssl_certificate  www.nginx.com.crt;
    ...
}

server {
    listen           443;
    server_name      www.nginx.org;
    ssl              on;
    ssl_certificate  www.nginx.org.crt;
    ...
}

With this configuration a browser receives the certificate of the default server, i.e., www.nginx.com regardless of the requested server name. This is caused by SSL protocol behaviour. The SSL connection is established before the browser sends an HTTP request and nginx does not know the name of the requested server. Therefore, it may only offer the certificate of the default server.

The oldest and most robust method to resolve the issue is to assign a separate IP address for every HTTPS server:

server {
    listen           192.168.1.1:443;
    server_name      www.nginx.com;
    ssl              on;
    ssl_certificate  www.nginx.com.crt;
    ...
}

server {
    listen           192.168.1.2:443;
    server_name      www.nginx.org;
    ssl              on;
    ssl_certificate  www.nginx.org.crt;
    ...
}

 

A SSL certificate with several names

There are other ways to share a single IP address between several HTTPS servers, however, all of them have drawbacks. One way is to use a certificate with several names in the SubjectAltName certificate field, for example, www.nginx.com and www.nginx.org. However, the SubjectAltName field length is limited.

Another way is to use a certificate with a wildcard name, for example, *.nginx.org. This certificate matches www.nginx.org, but does not match nginx.org and www.sub.nginx.org. These two methods can also be combined. A certificate may contain exact and wildcard names in the SubjectAltName field, for example, nginx.org and *.nginx.org.

It is better to place a certificate file with several names and its private key file at the http level of configuration to inherit their single memory copy in all servers:

ssl_certificate      common.crt;
ssl_certificate_key  common.key;

server {
    listen           443;
    server_name      www.nginx.com;
    ssl              on;
    ...
}

server {
    listen           443;
    server_name      www.nginx.org;
    ssl              on;
    ...
}

 

Server Name Indication

A more generic solution for running several HTTPS servers on a single IP address is TLSv1.1 Server Name Indication extension (SNI, RFC3546), which allows a browser to pass a requested server name during the SSL handshake and, therefore, the server will know which certificate it should use for the connection. However, SNI has limited browser support. Currently it is supported starting with the following browsers versions:

  • Opera 8.0;
  • MSIE 7.0 (but only on Windows Vista or higher);
  • Firefox 2.0 and other browsers using Mozilla Platform rv:1.8.1;
  • Safari 3.2.1 (Windows version supports SNI on Vista or higher);
  • and Chrome (Windows version supports SNI on Vista or higher, too).

In order to use SNI in nginx, it must be supported in both the OpenSSL library with which the nginx binary has been built as well as the library to which it is being dynamically linked at run time. OpenSSL supports SNI since 0.9.8f version if it was built with config option “–enable-tlsext”. Since OpenSSL 0.9.8j this option is enabled by default. If nginx was built with SNI support, then nginx will show this when run with the “-V” switch:

$ nginx -V
...
TLS SNI support enabled
...

However, if the SNI-enabled nginx is linked dynamically to an OpenSSL library without SNI support, nginx displays the warning:

nginx was built with SNI support, however, now it is linked
dynamically to an OpenSSL library which has no tlsext support,
therefore SNI is not available

 

Compatibility

  • The SNI support status has been shown by the “-V” switch since 0.8.21 and 0.7.62.
  • The “ssl” parameter of the “listen” directive has been supported since 0.7.14.
  • SNI has been supported since 0.5.32.
  • The shared SSL session cache has been supported since 0.5.6.

 

  • Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3 and TLSv1.
  • Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, SSLv3, and TLSv1.

 

  • Version 0.7.65, 0.8.20 and later: the default SSL ciphers are “HIGH:!ADH:!MD5”.
  • Version 0.8.19: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM”.
  • Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are
    “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP”.

 

written by Igor Sysoev
edited by Brian Mercer

Filed under Nginx · Tagged with ,

Create a password file for Nginx basic authentication

June 23, 2011 by admin · Leave a Comment 

Here is a good tutorial show you how to Create a password file for Nginx basic authentication:

Nginx documentation only mentions Use crypt(3) encryption for passwords, so I tried so hard with htpasswd.exe but could not generate a file recognised by Nginx. Hours later I found Apache documentation mentions -d is

the default on all platforms but Windows, Netware and TPF. Though possibly supported by htpasswd on all platforms, it is not supported by the httpd server on Windows, Netware and TPF.

Filed under Nginx · Tagged with nginx authentication, Nginx basic authentication

nginx + windows integrated auth/ntlm/ldap/etc/etc

June 23, 2011 by admin · Leave a Comment 

Here is a discussion about nginx + windows integrated auth/ntlm/ldap/etc/etc:

I’ve revised this after talking to a coworker… I’d like to revise
the technical details of this original request.

I want to get SPNEGO-capable authentication into nginx, so it can be
adopted and used inside of enterprises with Active Directory for SSO -
not using pam_smb or LDAP only, as that doesn’t make for an entirely
seamless experience. I want Kerberos support for Integrated Windows
Authentication – that is what is expected in our enterprise and not
having to prompt the user for their username/password and such.

I’ve posted this on RentACoder – it’s not live yet, but when it is it
will be bid request ID 1064860.

If anyone is interested, please let me know! I am willing to pay, and
may in fact be able to raise extra cash by other parties for this.
Please email me on or off list.

It should be as simple as a couple libraries (openldap, openssl,
libkrb5? I don’t know) and some simple configuration like:

auth_spnego on;
auth_spnego_controller adserver1.foo.com adserver2.foo.com; (if this
makes sense)
auth_spnego_timeout 7d; (if not defaulted by the libraries etc.)
… etc …

Here’s some links/info about SPNEGO and some source code in various
languages to use for example…

http://en.wikipedia.org/wiki/SPNEGO

http://modgssapache.sourceforge.net/ – probably the best C source to
leverage

http://mbechler.eenterphace.org/blog/index.php?/ar…
- mod_krb5 – quite possibly even better C source

http://meta.cesnet.cz/cms/opencms/en/docs/software…

http://msdn.microsoft.com/en-us/library/ms995329.aspx

http://msdn.microsoft.com/en-us/library/ms995330.aspx

http://tools.ietf.org/html/rfc2478 – possibly might have info

http://osdir.com/ml/encryption.kerberos.general/20…
- modgssapache uses APIs from microsoft, tested on linux/solaris,
mod_spnego tested on all major platforms

http://bofriis.dk/spnego/spnego_client.html – java implementation

http://www.ibm.com/developerworks/websphere/librar…
- websphere implementation

http://dev.taglab.com/sites/taglab-public/support/… -
another java implementation

http://www.openldap.org/lists/openldap-devel/20080… -
possibly added into openldap

mod_auth_kerb for apache might also have some source

samba 3.0.7+ might have source (see a reference to libsmb/spnego.c)

http://www.ioplex.com/ – PHP support for SPNEGO

Filed under Nginx · Tagged with auth/ntlm/ldap/etc/etc, Nginx Windows

« Previous Page — Next Page »