https://calee0219.github.io/tag/web/WebHugoBlox Kit (https://hugoblox.com)en-us©Mon, 09 Aug 2021 07:48:37 +0800https://calee0219.github.io/media/icon_hu_da05098ef60dc2e7.pnghttps://calee0219.github.io/tag/web/https://calee0219.github.io/blog/nginx/Mon, 09 Aug 2021 07:48:37 +0800https://calee0219.github.io/blog/nginx/<h2 id="certbot"> </h2> <p>(let&rsquo;s encrypt 簽 https)</p> <h3 id="install">Install</h3> <p> </p> <ul> <li>Ubuntu <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">$ sudo apt-get update </span></span><span class="line"><span class="cl">$ sudo apt-get install software-properties-common </span></span><span class="line"><span class="cl">$ sudo add-apt-repository ppa:certbot/certbot </span></span><span class="line"><span class="cl">$ sudo apt-get update </span></span><span class="line"><span class="cl">$ sudo apt-get install python-certbot-nginx </span></span></code></pre></div></li> <li>Fedora <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo dnf install certbot-nginx </span></span></code></pre></div></li> </ul> <h3 id="簽署">簽署</h3> <ul> <li>自動幫改 nginx 設定檔</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo certbot --nginx </span></span></code></pre></div><ul> <li>手動改 nginx 設定檔</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo certbot --nginx certonly </span></span></code></pre></div><ul> <li>自動更新憑證</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sudo certbot renew --dry-run </span></span></code></pre></div><ul> <li>手動更新憑證</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">certbot renew </span></span></code></pre></div><h2 id="redirect-to-https">Redirect to https</h2> <ul> <li>301 <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">server <span class="o">{</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> listen <span class="m">443</span> ssl<span class="p">;</span> <span class="c1"># managed by Certbot </span> </span></span><span class="line"><span class="cl"> ssl_certificate /etc/letsencrypt/live/notebook.calee.xyz/fullchain.pem<span class="p">;</span> <span class="c1"># managed by Certbot</span> </span></span><span class="line"><span class="cl"> ssl_certificate_key /etc/letsencrypt/live/notebook.calee.xyz/privkey.pem<span class="p">;</span> <span class="c1"># managed by Certbot</span> </span></span><span class="line"><span class="cl"> include /etc/letsencrypt/options-ssl-nginx.conf<span class="p">;</span> <span class="c1"># managed by Certbot</span> </span></span><span class="line"><span class="cl"> ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem<span class="p">;</span> <span class="c1"># managed by Certbot</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">(</span><span class="nv">$scheme</span> !<span class="o">=</span> <span class="s2">&#34;https&#34;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="m">301</span> https://<span class="nv">$host$request_uri</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div></li> <li>rewrite <ul> <li>除了 301 redirect 之外，nginx 還有一個 Force HTTPS 是用 rewrite 來處理 不過要小心也可能出現 Mixed Content too many 的問題</li> <li> </li> <li> </li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">rewrite ^ https://<span class="nv">$server_name$request_uri</span>? permanent<span class="p">;</span> </span></span></code></pre></div></li> </ul> <h3 id="redirect-too-many">Redirect too many</h3> <p>如果你的 domain 有上 CDN，會有 redirect too many 的問題，解法是偵測請求協定是否為 http，若是，才可以 redirect 了 通常出現在 DNS 是由 cloud flare 代管，並且有上 CDN 的情況下 </p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">server <span class="o">{</span> </span></span><span class="line"><span class="cl"> listen 80<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">(</span><span class="nv">$http_x_forwarded_proto</span> <span class="o">=</span> <span class="s2">&#34;http&#34;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="m">301</span> https://<span class="nv">$server_name$request_uri</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><h2 id="hsts">hsts</h2> <p> </p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">server <span class="o">{</span> </span></span><span class="line"><span class="cl"> listen <span class="m">443</span> ssl<span class="p">;</span> </span></span><span class="line"><span class="cl"> add_header Strict-Transport-Security <span class="s2">&#34;max-age=31536000; includeSubDomains&#34;</span> always<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># Because this &#39;location&#39; block contains another &#39;add_header&#39; directive,</span> </span></span><span class="line"><span class="cl"> <span class="c1"># we must redeclare the STS header</span> </span></span><span class="line"><span class="cl"> location /servlet <span class="o">{</span> </span></span><span class="line"><span class="cl"> add_header X-Served-By <span class="s2">&#34;My Servlet Handler&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> add_header Strict-Transport-Security <span class="s2">&#34;max-age=31536000; includeSubDomains&#34;</span> always<span class="p">;</span> </span></span><span class="line"><span class="cl"> proxy_pass http://localhost:8080<span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span></code></pre></div><ul> <li>includeSubDomains: always; 會讓所有 subdomains 都上 hsts，此處需要小心</li> <li>(servlet) 如果有一個的 block 本身有自己加 header，需要重新把 hsts 寫進去，不然會被覆蓋掉</li> </ul> <h2 id="加密檢測">加密檢測</h2> <ul> <li> </li> <li> <ul> <li>如果你透過Chrome瀏覽器發現網站的連線變成「https」然後是灰色，你可以點一下即可查資訊，他會顯示「這個網頁含有其他不安全的資源」，那代表網站有使用到非https的圖片、js、css的資源，那就得修正了。</li> <li>有時候可能是 hsts subdomain 還沒全部生效，重轉幾次就好了 (?)</li> </ul> </li> </ul> <h2 id="problem">Problem</h2> <ul> <li>permission deny 問題: <ul> <li>簡言之，nginx 要全部的歷遍權限都有才能讀檔案，所以路徑上的 file 都要 o+x</li> </ul> </li> <li>SELinux reverse proxy: <ul> <li> </li> <li>SELinux 有擋 reverse，隨便的 port 不能開 http (可能怕 SSRF ?)</li> <li>需要下 <code>semanage port -a -t http_port_t -p tcp {to port no.}</code></li> <li>上面那個好像不用下，下這個就好 <code>setsebool -P httpd_can_network_connect 1</code></li> <li>(待釐清)</li> </ul> </li> </ul> <h2 id="load-balance">Load Balance</h2> <p>這裡指的是 proxy pass 的 load balance</p> <p>利用 upstream 參數，參考 </p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">upstream backend { </span></span><span class="line"><span class="cl"> server backend1.example.com weight=5; # 可以設定權重 </span></span><span class="line"><span class="cl"> server backend2.example.com:8080; # 可以用 port </span></span><span class="line"><span class="cl"> server unix:/tmp/backend3; # 可以用 unix domain socket </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> server backup1.example.com:8080 backup; # 備援 </span></span><span class="line"><span class="cl"> server backup2.example.com:8080 backup; </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">server { </span></span><span class="line"><span class="cl"> listen 443 ssl http2; </span></span><span class="line"><span class="cl"> location / { </span></span><span class="line"><span class="cl"> proxy_pass https://backend; # 記得使用 upstream 定義的參數 </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><h2 id="ipv6-enable">IPv6 enable</h2> <p>其實很簡單，參考 nginx.conf 也有寫的，只要多加 ipv6 的 ip 在 port 前面，沒寫 ip 預設只有 ipv4。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">server { </span></span><span class="line"><span class="cl"> listen 443; </span></span><span class="line"><span class="cl"> listen [::]:443; </span></span><span class="line"><span class="cl"> listen 80; </span></span><span class="line"><span class="cl"> listen [::]:80; </span></span><span class="line"><span class="cl">} </span></span></code></pre></div>