
Re: nginx configuration on Debian sanity check?



Hello,

Thanks for the feedback on the redirects; it is good to know that
they are working.

If anyone has any ssl impressions, let me know.
Thanks.
Dave.


On 7/15/23, Ming Kuang <ming@imkuang.com> wrote:
> BTW, I just checked my config and it's basically the same as your newly
> posted one.
>
>> How does the ssl configuration look?
> I'm not familiar with ssl security configuration, so sorry I can't give
> suggestions.
>
> On Sunday, July 16, 2023 12:34 AM, Ming Kuang wrote:
>> Hello, back to the mailing list
>>
>> For your new configuration, I think the redirection should work fine. If
>> it still shows the "redirect too many times" error, try clearing your
>> browser cache, or open an incognito mode browser to verify it.
>>
>> In fact I used to do the same thing; the only difference was that I
>> needed to redirect from www to no-www.
>>
>> On Saturday, July 15, 2023 11:26 PM, David Mehler wrote:
>> > Hello,
>> >
>> > Can I get a sanity check on this? It's for the redirects.
>> >
>> > Thanks.
>> > Dave.
>> >
>> > #cat example.com.conf
>> > server {
>> >     listen         80;
>> >     server_name    example.com www.example.com;
>> >     access_log     off;
>> >     error_log      off;
>> >     return         301 https://www.example.com$request_uri;
>> > }
>> >
>> > server {
>> >     listen              443 ssl http2;
>> >     server_name         example.com;
>> >     ssl_certificate     /etc/ssl/example.com/example.com.crt;
>> >     ssl_certificate_key /etc/ssl/example.com/example.com.key;
>> >     return 301          https://www.example.com$request_uri;
>> > }
>> >
>> > server {
>> >     listen              443 ssl http2;
>> >     server_name         www.example.com;
>> >     root                /var/www/example.com;
>> >
>> >     ssl_certificate     /etc/ssl/example.com/example.com.crt;
>> >     ssl_certificate_key /etc/ssl/example.com/example.com.key;
>> >     ssl_dhparam         /etc/ssl/example.com/dhparams.pem;
>> >     ssl_prefer_server_ciphers on;
>> >     ssl_session_cache   shared:SSL:10m;
>> >     ssl_session_timeout 10m;
>> >     ssl_stapling        on;
>> >     ssl_stapling_verify on;
>> >     ssl_trusted_certificate /etc/ssl/example.com/example.com.fullchain.crt;
>> >     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
>> > }
>> >
>> >
>> > On 7/15/23, David Mehler <dave.mehler@gmail.com> wrote:
>> > > Hello,
>> > >
>> > > Thanks for your reply. Yah these redirects are not working. The
>> > > example.com to www.example.com totally either doesn't work or gives me
>> > > the nginx error: example.com redirected you too many times.
>> > >
>> > > I'm still not seeing it, help still appreciated.
>> > > How does the ssl configuration look?
>> > >
>> > > Thanks.
>> > > Dave.
>> > >
>> > >
>> > > On 7/15/23, Ming Kuang <ming@imkuang.com> wrote:
>> > >> Hi,
>> > >>
>> > >> If you go to http://example.com, you now need two redirects, maybe
>> > >> each redirect could be directed to the final destination?
>> > >>
>> > >> # Redirect http://example.com port 80 to https://www.example.com port 443
>> > >> server {
>> > >>     listen      80;
>> > >>     access_log  off;
>> > >>     error_log   off;
>> > >>     server_name example.com;
>> > >>     return      301 https://www.example.com$request_uri;
>> > >> }
>> > >>
>> > >> On Saturday, July 15, 2023 3:21 PM,
>> > >> David Mehler <dave.mehler@gmail.com> wrote
>> > >>>
>> > >>> Hello,
>> > >>>
>> > >>> Can I get a sanity check on this config? I'm running Debian 12,
>> > >>> Nginx 1.24.0, and PHP 8.2.
>> > >>>
>> > >>> My goal is to have all non-www traffic redirected to the equivalent
>> > >>> www, then all that redirected to https, basically no https no www
>> > >>> no work. I'd also appreciate an assessment of my ssl ciphers, running
>> > >>> protocols 1.2 and 1.3 only and want to ensure I've got the best
>> > >>> security setup.
>> > >>>
>> > >>> Thanks.
>> > >>> Dave.
>> > >>>
>> > >>> #
>> > >>> # example.com virtual host configuration
>> > >>> #
>> > >>> # enforce HTTPS
>> > >>> # Redirect www.example.com port 80 to www.example.com port 443
>> > >>> server {
>> > >>>     listen      80;
>> > >>>     server_name www.example.com;
>> > >>>     access_log  off;
>> > >>>     error_log   off;
>> > >>>     return 301  https://$host$request_uri;
>> > >>> }
>> > >>>
>> > >>> # Redirect http://example.com port 80 to https://example.com port 443
>> > >>> server {
>> > >>>     listen      80;
>> > >>>     access_log  off;
>> > >>>     error_log   off;
>> > >>>     server_name example.com;
>> > >>>     return 301  https://$server_name$request_uri;
>> > >>> }
>> > >>>
>> > >>> ### redirect https example.com to https www.example.com
>> > >>> server {
>> > >>>     listen 443 ssl http2;
>> > >>>     server_name example.com;
>> > >>>     ssl_certificate     /etc/ssl/example.com/example.com.fullchain.crt;
>> > >>>     ssl_certificate_key /etc/ssl/example.com/example.com.key;
>> > >>>     return 301 https://www.example.com$request_uri;
>> > >>> }
>> > >>>
>> > >>> # The www.example.com https virtual host
>> > >>> server {
>> > >>>     listen      443 ssl http2;
>> > >>>
>> > >>>     server_name www.example.com;
>> > >>>
>> > >>>     access_log  /var/log/nginx/www.example.com_access.log;
>> > >>>     error_log   /var/log/nginx/www.example.com_error.log;
>> > >>>
>> > >>>     # TLS/SSL CONFIG
>> > >>>     # RSA certificates (dual config)
>> > >>>     ssl_certificate     /etc/ssl/example.com/example.com.fullchain.crt;
>> > >>>     ssl_certificate_key /etc/ssl/example.com/example.com.key;
>> > >>>
>> > >>>     # ECC/ECDSA certificates (dual config)
>> > >>>     ssl_certificate     /etc/ssl/example.com/example.com.fullchain.crt.ecc;
>> > >>>     ssl_certificate_key /etc/ssl/example.com/example.com.key.ecc;
>> > >>>
>> > >>>     # A little bit of optimization
>> > >>>     #ssl_session_timeout 1d;
>> > >>>     #ssl_session_cache shared:GoofyPizzaSSL:50m;
>> > >>>     #ssl_session_tickets off;
>> > >>>     #ssl_dhparam  /etc/ssl/example.com/dhparams.pem;
>> > >>>
>> > >>>     # TLS version 1.2 and 1.3 only
>> > >>>     #ssl_protocols TLSv1.2 TLSv1.3;
>> > >>>     #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
>> > >>>     #ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
>> > >>>     #ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
>> > >>>     #ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
>> > >>>     #ssl_prefer_server_ciphers on;
>> > >>>
>> > >>>     # HSTS (ngx_http_headers_module is required)
>> > >>>     #*************************************************************************
>> > >>>     # WARNING - Wrong headers can create problems. Read docs otherwise
>> > >>>     #           all 3rd party scripts/ads won't load and in some case
>> > >>>     #           browser won't work. Read docs @ https://developer.mozilla.org
>> > >>>     #*************************************************************************
>> > >>>     #add_header Strict-Transport-Security "max-age=63072000" always;
>> > >>>     #add_header X-Content-Type-Options "nosniff" always;
>> > >>>     #add_header X-Frame-Options "SAMEORIGIN" always;
>> > >>>     #add_header X-Xss-Protection "1; mode=block" always;
>> > >>>     #add_header Referrer-Policy strict-origin-when-cross-origin always;
>> > >>>     #add_header Feature-policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" always;
>> > >>>     #*************************************************************************
>> > >>>     # WARNING: The HTTP Content-Security-Policy response header allows
>> > >>>     # sysadmin/developers to control resources the user agent is allowed
>> > >>>     # to load for a given page. Wrong config can create problems for
>> > >>>     # third party scripts/ad networks. Hence read the following url:
>> > >>>     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
>> > >>>     #*************************************************************************
>> > >>>     #add_header content-security-policy "default-src https://www.example.com:443" always;
>> > >>>     #ssl_stapling on;
>> > >>>     #ssl_stapling_verify on;
>> > >>>     # Replace with the IP address of your resolver
>> > >>>     #resolver 1.1.1.1;
>> > >>>     #ssl_buffer_size 8k;
>> > >>>
>> > >>>     root /var/www/example.com;
>> > >>>
>> > >>>     index index.php index.html index.nginx-debian.html;
>> > >>>
>> > >>>     location / {
>> > >>>         try_files $uri $uri/ /index.php?$query_string;
>> > >>>     }
>> > >>>
>> > >>>     # Directives to send expires headers and turn off 404 error logging.
>> > >>>     #location ~* ^.+\.(css|js|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
>> > >>>     #    access_log off; log_not_found off; expires max;
>> > >>>     #}
>> > >>>
>> > >>>     # Pass PHP Scripts To FastCGI Server
>> > >>>     location ~ \.php$ {
>> > >>>         fastcgi_split_path_info ^(.+\.php)(/.+)$;
>> > >>>         fastcgi_pass unix:/run/php/php8.2-fpm.sock; # depends on PHP version
>> > >>>         fastcgi_index index.php;
>> > >>>         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
>> > >>>         include fastcgi_params;
>> > >>>     }
>> > >>>
>> > >>>     # Password-protected directory with autoindex
>> > >>>     #location /quickdir/ {
>> > >>>     #    auth_basic            "Quickdir Access";
>> > >>>     #    auth_basic_user_file  /var/www/quickdir/htpasswd;
>> > >>>     #    root /var/www/quickdir/;
>> > >>>     #    autoindex on;
>> > >>>     #}
>> > >>> }
>> > >>
>> > >
>
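Added example, not part of the thread: a small Python simulator for the redirect question discussed above. It models nginx server blocks as (port, server_names, return target) tuples transcribed from the two configs Dave posted, follows the 301 chain for a given URL, and reports the hop count or a loop; the function and table names are mine.

```python
# Added example (not from the thread): simulate nginx "return 301" blocks
# offline to count redirect hops and catch loops before deploying a config.
from urllib.parse import urlsplit

# (port, server_names, redirect target or None when the block serves content);
# both tables are transcribed from the configs posted in the thread.
NEW_CONFIG = [
    (80,  ["example.com", "www.example.com"], "https://www.example.com$request_uri"),
    (443, ["example.com"], "https://www.example.com$request_uri"),
    (443, ["www.example.com"], None),
]
OLD_CONFIG = [
    (80,  ["www.example.com"], "https://$host$request_uri"),
    (80,  ["example.com"], "https://$server_name$request_uri"),
    (443, ["example.com"], "https://www.example.com$request_uri"),
    (443, ["www.example.com"], None),
]

def select_server(servers, port, host):
    # exact server_name match, else nginx falls back to the first block on that port
    on_port = [s for s in servers if s[0] == port]
    for srv in on_port:
        if host in srv[1]:
            return srv
    return on_port[0] if on_port else None

def expand(target, host, request_uri, server_name):
    # substitute the three nginx variables the thread's redirects use
    return (target.replace("$request_uri", request_uri)
                  .replace("$server_name", server_name)
                  .replace("$host", host))

def follow(servers, url, max_hops=10):
    """Return (status, chain): status is 'ok', 'loop', 'too-many' or 'no-server'."""
    chain = [url]
    while len(chain) <= max_hops:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        request_uri = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        srv = select_server(servers, port, parts.hostname)
        if srv is None:
            return "no-server", chain
        if srv[2] is None:          # content-serving block reached
            return "ok", chain
        url = expand(srv[2], parts.hostname, request_uri, srv[1][0])
        if url in chain:
            return "loop", chain + [url]
        chain.append(url)
    return "too-many", chain
```

With NEW_CONFIG every entry point reaches https://www.example.com in a single hop, while OLD_CONFIG takes http://example.com through two hops, which is the point Ming raised.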
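Added example, not part of the thread: a Python checker for the two commented-out ssl_ciphers strings in Dave's first config, since nobody in the thread assessed them. It flags suites without forward secrecy, 3DES suites and non-AEAD (CBC) suites and returns the pruned list; the function names are mine.

```python
# Added example (not from the thread): audit an OpenSSL-style ssl_ciphers
# string and prune the suites that a modern TLS 1.2 deployment should drop.

# The two ssl_ciphers values posted in the thread, copied verbatim.
FIRST_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)
SECOND_LIST = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")   # ephemeral key exchange
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")   # everything else here is CBC + HMAC

def is_suite(token):
    # explicit suite names contain '-'; '!DSS' or 'EECDH+AESGCM' are an
    # exclusion and an OpenSSL alias, which this checker does not expand
    return "-" in token and "+" not in token and not token.startswith(("!", "-"))

def audit_ciphers(cipher_string):
    """Map each issue to the suites in the string that exhibit it."""
    issues = {"no_forward_secrecy": [], "triple_des": [], "non_aead": []}
    for suite in cipher_string.split(":"):
        if not is_suite(suite):
            continue
        if not suite.startswith(PFS_PREFIXES):
            issues["no_forward_secrecy"].append(suite)
        if "DES-CBC3" in suite:
            issues["triple_des"].append(suite)
        if not any(m in suite for m in AEAD_MARKERS):
            issues["non_aead"].append(suite)
    return issues

def prune(cipher_string):
    """Drop every flagged suite; keep the original order and any exclusions."""
    flagged = {s for lst in audit_ciphers(cipher_string).values() for s in lst}
    return ":".join(t for t in cipher_string.split(":") if t not in flagged)
```

Note that in nginx ssl_ciphers only governs TLS 1.2 and earlier; the TLS 1.3 suites are fixed by OpenSSL regardless of this string, so the second list's 3DES and static-RSA entries only matter for 1.2 clients.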

