Nginx: Unterschied zwischen den Versionen
Aus SchnallIchNet
Cbs (Diskussion | Beiträge) |
Cbs (Diskussion | Beiträge) |
||
| Zeile 1: | Zeile 1: | ||
some nginx hints | some nginx hints | ||
| + | |||
| + | |||
| + | == Logging stuff == | ||
| + | |||
| + | |||
| + | |||
| + | === logformat === | ||
| + | |||
| + | i'm using nearly standard apache log-format, but prefixed with <br/> | ||
| + | the serving virtual-host in front... | ||
| + | |||
| + | log_format vhost '$server_name $remote_addr - $remote_user [$time_local] "$request" ' | ||
| + | '$status $body_bytes_sent "$http_referer" ' | ||
| + | '"$http_user_agent" "$http_x_forwarded_for"'; | ||
| + | |||
| + | so, by stripping the vhost in the 1st field of a logline, you may simply use std. log-parsers <br/> | ||
| + | for logfile analysis... | ||
| + | |||
| + | |||
| + | |||
| + | === enable rewrite-log === | ||
| + | |||
| + | to turn on rewrite-log you will have to put these 2 statements: | ||
| + | |||
| + | server { | ||
| + | [...] | ||
| + | rewrite_log on; | ||
| + | error_log /var/log/nginx/error.log notice; | ||
| + | [...] | ||
| + | } | ||
| + | |||
| + | be sure to set the 'notice' behind the error-logfile because <br/> | ||
| + | rewrites are logged to error-logfile with 'notice' level... | ||
Version vom 27. Mai 2014, 13:44 Uhr
some nginx hints
Inhaltsverzeichnis
Logging stuff
logformat
i'm using nearly standard apache log-format, but prefixed with
the serving virtual-host in front...
log_format vhost '$server_name $remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
so, by stripping the vhost in the 1st field of a logline, you may simply use std. log-parsers
for logfile analysis...
enable rewrite-log
to turn on rewrite-log you will have to put these 2 statements:
server {
[...]
rewrite_log on;
error_log /var/log/nginx/error.log notice;
[...]
}
be sure to set the 'notice' behind the error-logfile because
rewrites are logged to error-logfile with 'notice' level...
SSL stuff
hardening SSL
post snowden ssl-hardening:
ssl_prefer_server_ciphers On; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3; ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
PFS
cd /path/to/your/certs/ openssl dhparam -out dhparam.pem 2048
and edit nginx config:
ssl_dhparam /path/to/your/certs/dhparam.pem;
HSTS
HTTP Strict Transport Security.
if possible run https ONLY pages...
in post-snowden age this should be done... so add to your port-80-vhost:
server {
[...]
add_header Strict-Transport-Security max-age=15768000;
return 301 https://www.traumartig.de$request_uri;
[...]
}
SSL test
test you ssl-implementation here:
