Alpine Linux - User contributions [en]

Nginx as reverse proxy with acme (letsencrypt)

2021-06-16T18:37:55Z

Flaxe: /* Installation */

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

See the [[Nginx|NGINX]] page for general information about Nginx, starting/stopping the service etc.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|openssl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk update
apk add nginx acme-client openssl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.
{{Cat|/etc/nginx/nginx.conf|<nowiki># /etc/nginx/nginx.conf

user nginx;
worker_processes 1; # use "auto" to use all available cores (high performance)

# Configures default error logger.
error_log /var/log/nginx/error.log warn; # Log warn, error, crit, alert, emerg

events {
# The maximum number of simultaneous connections that can be opened by a worker process.
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64; # controls the maximum length of a virtual host entry (ie domain name)
server_tokens off; # hide who we are, don't show nginx version to clients
sendfile off; # can cause issues

# nginx will find this file in the config directory set at nginx build time
# Includes mapping of file name extensions to MIME types of responses
include mime.types;

# fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues, disable it
# increase buffer size. still useful even when buffering is off
proxy_buffering off;
proxy_buffer_size 4k;

# allow the server to close the connection after a client stops responding. Frees up socket-associated memory.
reset_timedout_connection on;

# Specifies the main log format.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

# Sets the path, format, and configuration for a buffered log write.
# Buffer log writes to speed up IO, or disable them altogether
access_log /var/log/nginx/access.log main buffer=16k;
#access_log off;

# include virtual hosts configs
include conf.d/*.conf;
}
</nowiki>}}

==== SSL configuration ====

Configure a file with all SSL-parameters that we can include in the virtual hosts configs later on. 
The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.
{{Cat|/etc/nginx/conf.d/ssl-params.inc|<nowiki># secure nginx, see https://cipherli.st/

#ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2; # We use TLSv1.2 because current stable nginx release don't support TLSv1.3 yet
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# https://hstspreload.org
add_header Strict-Transport-Security "max-age=63072000" always;
# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
</nowiki>}}

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

{{Cat|/etc/nginx/conf.d/proxy_set_header.inc|<nowiki>proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</nowiki>}}

=== acme-client ===
To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

{{Cat|/etc/nginx/conf.d/acme.inc|<nowiki># Allow access to the ACME Challenge for Let's Encrypt
location ^~ /.well-known/acme-challenge {
allow all;
alias /var/www/acme;
}
</nowiki>}}

And add this to your proxy configuration:
{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 443 ssl http2;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

include /etc/nginx/conf.d/ssl-params.inc; # SSL parameters

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</nowiki>}}

=== Complete host example with IPv6 support ===

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

include /etc/nginx/conf.d/ssl-params.inc; # SSL parameters

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx

2017-12-10T17:26:27Z

Flaxe: /* Troubleshooting */

[https://nginx.org/en/ Nginx] (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server

== Installation ==
Nginx package is available in the Alpine Linux repositories. To install it run:

{{Cmd|apk update
apk add nginx}}

Creating new user and group 'www' for nginx
{{Cmd|adduser -D -g 'www' www}}

Create a directory for html files
{{Cmd|mkdir /www
chown -R www:www /var/lib/nginx
chown -R www:www /www
}}

== Configuration ==
You may want to make backup of original nginx.conf file before writting your own
{{Cmd|mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig}}

Configuring Nginx to listen to port 80 and process .html or .htm files
{{Cmd|vi /etc/nginx/nginx.conf}}
<pre>
user www;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
access_log /var/log/nginx/access.log;
keepalive_timeout 3000;
server {
listen 80;
root /www;
index index.html index.htm;
server_name localhost;
client_max_body_size 32m;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/lib/nginx/html;
}
}
}
</pre>

== Sample page ==
{{Cmd|vi /www/index.html}}
<pre>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>HTML5</title>
</head>
<body>
Server is online
</body>
</html>
</pre>

== Controlling nginx ==

=== Test configuration ===
When you've made any changes to your nginx configuration files, you should check it for errors before starting/restarting/reloading nginx. 
This will check for any duplicate configuration, syntax errors etc. To do this, run:
{{Cmd|nginx -t}}

You will get a feedback if it failed or not. If everything is fine, you'll see the following and can then move ahead to start the nginx server.
<pre>
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
</pre>

=== Start Nginx ===
After the installation Nginx is not running. To start Nginx, use ''start''.
{{Cmd|rc-service nginx start}}

You will get a feedback about the status.
<pre>
* /run/nginx: creating directory
* /run/nginx: correcting owner [ ok ]
* Starting nginx ... [ ok ]
</pre>

=== Reload and Restart Nginx ===
Changes made in the configuration file will not be applied until the command to reload configuration is sent to nginx or it is restarted. 
Reloading will do a "hot reload" of the configuration without server downtime. It will start the new worker processes with a new configuration and gracefully shutdown the old worker processes. If you have pending requests, then these will be handled by the old worker processes before it dies, so it's an extremely graceful way to reload configs.
If you want to reload the web server, use ''reload''.
{{Cmd|rc-service nginx reload}}
If you want to restart the web server, use ''restart''.
{{Cmd|rc-service nginx restart}}

=== Stop Nginx ===
If you want to stop the web server, use ''stop''.
{{Cmd|rc-service nginx stop}}

=== Runlevel ===
Normally you want to start the web server when the system is launching. This is done by adding Nginx to the needed runlevel.
{{Cmd|rc-update add nginx default}}

Now Nginx should start automatically when you boot your machine next time. To test that run:
{{cmd|reboot}}

To make sure that Nginx is started run:
{{cmd|<nowiki>ps aux | grep nginx</nowiki>}}

You should get something like this:
<pre>
263 root 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
264 www 0:00 nginx: worker process
310 root 0:00 grep nginx
</pre>

== Testing Nginx ==
This section is assuming that nginx is running and sample html page "/www/index.html" is created. Launch a web browser and point it to your web server.
You should get:
<pre>Server is online</pre>

== Troubleshooting ==
If Nginx is not started check Nginx log file
{{cmd|less /var/log/nginx/error.log}}

Make sure that configuration file does not contain errors. Edit the file in case there are any errors.
{{cmd|nginx -t
vi /etc/nginx/nginx.conf}}

== Nginx with PHP ==

[[Nginx_with_PHP#Nginx_with_PHP|Setting Up Nginx with PHP]] 
[[Nginx_as_reverse_proxy_with_acme_(letsencrypt)|Setting Up Nginx as Reverse Proxy with acme (Let's Encrypt)]]

[[Category:Server]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-10T10:55:19Z

Flaxe:

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

See the [[Nginx|NGINX]] page for general information about Nginx, starting/stopping the service etc.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk update
apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.
{{Cat|/etc/nginx/nginx.conf|<nowiki># /etc/nginx/nginx.conf

user nginx;
worker_processes 1; # use "auto" to use all available cores (high performance)

# Configures default error logger.
error_log /var/log/nginx/error.log warn; # Log warn, error, crit, alert, emerg

events {
# The maximum number of simultaneous connections that can be opened by a worker process.
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64; # controls the maximum length of a virtual host entry (ie domain name)
server_tokens off; # hide who we are, don't show nginx version to clients
sendfile off; # can cause issues

# nginx will find this file in the config directory set at nginx build time
# Includes mapping of file name extensions to MIME types of responses
include mime.types;

# fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues, disable it
# increase buffer size. still useful even when buffering is off
proxy_buffering off;
proxy_buffer_size 4k;

# allow the server to close the connection after a client stops responding. Frees up socket-associated memory.
reset_timedout_connection on;

# Specifies the main log format.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

# Sets the path, format, and configuration for a buffered log write.
# Buffer log writes to speed up IO, or disable them altogether
access_log /var/log/nginx/access.log main buffer=16k;
#access_log off;

# include virtual hosts configs
include conf.d/*.conf;
}
</nowiki>}}

==== SSL configuration ====

Configure a file with all SSL-parameters that we can include in the virtual hosts configs later on. 
The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.
{{Cat|/etc/nginx/conf.d/ssl-params.inc|<nowiki># secure nginx, see https://cipherli.st/

#ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2; # We use TLSv1.2 because current stable nginx release don't support TLSv1.3 yet
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# https://hstspreload.org
add_header Strict-Transport-Security "max-age=63072000" always;
# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
</nowiki>}}

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

{{Cat|/etc/nginx/conf.d/proxy_set_header.inc|<nowiki>proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</nowiki>}}

=== acme-client ===
To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

{{Cat|/etc/nginx/conf.d/acme.inc|<nowiki># Allow access to the ACME Challenge for Let's Encrypt
location ^~ /.well-known/acme-challenge {
allow all;
alias /var/www/acme;
}
</nowiki>}}

And add this to your proxy configuration:
{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 443 ssl http2;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

include /etc/nginx/conf.d/ssl-params.inc; # SSL parameters

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</nowiki>}}

=== Complete host example with IPv6 support ===

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

include /etc/nginx/conf.d/ssl-params.inc; # SSL parameters

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-10T10:48:04Z

Flaxe: /* Setup */ Separated SSL configuration to its own file to include it at HTTPS server block. SSL parameters is not needed at the HTTP server block.

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk update
apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.
{{Cat|/etc/nginx/nginx.conf|<nowiki># /etc/nginx/nginx.conf

user nginx;
worker_processes 1; # use "auto" to use all available cores (high performance)

# Configures default error logger.
error_log /var/log/nginx/error.log warn; # Log warn, error, crit, alert, emerg

events {
# The maximum number of simultaneous connections that can be opened by a worker process.
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64; # controls the maximum length of a virtual host entry (ie domain name)
server_tokens off; # hide who we are, don't show nginx version to clients
sendfile off; # can cause issues

# nginx will find this file in the config directory set at nginx build time
# Includes mapping of file name extensions to MIME types of responses
include mime.types;

# fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues, disable it
# increase buffer size. still useful even when buffering is off
proxy_buffering off;
proxy_buffer_size 4k;

# allow the server to close the connection after a client stops responding. Frees up socket-associated memory.
reset_timedout_connection on;

# Specifies the main log format.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

# Sets the path, format, and configuration for a buffered log write.
# Buffer log writes to speed up IO, or disable them altogether
access_log /var/log/nginx/access.log main buffer=16k;
#access_log off;

# include virtual hosts configs
include conf.d/*.conf;
}
</nowiki>}}

==== SSL configuration ====

Configure a file with all SSL-parameters that we can include in the virtual hosts configs later on. 
The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.
{{Cat|/etc/nginx/conf.d/ssl-params.inc|<nowiki># secure nginx, see https://cipherli.st/

#ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2; # We use TLSv1.2 because current stable nginx release don't support TLSv1.3 yet
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# https://hstspreload.org
add_header Strict-Transport-Security "max-age=63072000" always;
# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
</nowiki>}}

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

{{Cat|/etc/nginx/conf.d/proxy_set_header.inc|<nowiki>proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</nowiki>}}

=== acme-client ===
To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

{{Cat|/etc/nginx/conf.d/acme.inc|<nowiki># Allow access to the ACME Challenge for Let's Encrypt
location ^~ /.well-known/acme-challenge {
allow all;
alias /var/www/acme;
}
</nowiki>}}

And add this to your proxy configuration:
{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 443 ssl http2;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

include /etc/nginx/conf.d/ssl-params.inc; # SSL parameters

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</nowiki>}}

=== Complete host example with IPv6 support ===

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

include /etc/nginx/conf.d/ssl-params.inc; # SSL parameters

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx

2017-12-10T08:18:05Z

Flaxe: /* Controlling nginx */

[https://nginx.org/en/ Nginx] (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server

== Installation ==
Nginx package is available in the Alpine Linux repositories. To install it run:

{{Cmd|apk update
apk add nginx}}

Creating new user and group 'www' for nginx
{{Cmd|adduser -D -g 'www' www}}

Create a directory for html files
{{Cmd|mkdir /www
chown -R www:www /var/lib/nginx
chown -R www:www /www
}}

== Configuration ==
You may want to make backup of original nginx.conf file before writting your own
{{Cmd|mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig}}

Configuring Nginx to listen to port 80 and process .html or .htm files
{{Cmd|vi /etc/nginx/nginx.conf}}
<pre>
user www;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
access_log /var/log/nginx/access.log;
keepalive_timeout 3000;
server {
listen 80;
root /www;
index index.html index.htm;
server_name localhost;
client_max_body_size 32m;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/lib/nginx/html;
}
}
}
</pre>

== Sample page ==
{{Cmd|vi /www/index.html}}
<pre>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>HTML5</title>
</head>
<body>
Server is online
</body>
</html>
</pre>

== Controlling nginx ==

=== Test configuration ===
When you've made any changes to your nginx configuration files, you should check it for errors before starting/restarting/reloading nginx. 
This will check for any duplicate configuration, syntax errors etc. To do this, run:
{{Cmd|nginx -t}}

You will get a feedback if it failed or not. If everything is fine, you'll see the following and can then move ahead to start the nginx server.
<pre>
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
</pre>

=== Start Nginx ===
After the installation Nginx is not running. To start Nginx, use ''start''.
{{Cmd|rc-service nginx start}}

You will get a feedback about the status.
<pre>
* /run/nginx: creating directory
* /run/nginx: correcting owner [ ok ]
* Starting nginx ... [ ok ]
</pre>

=== Reload and Restart Nginx ===
Changes made in the configuration file will not be applied until the command to reload configuration is sent to nginx or it is restarted. 
Reloading will do a "hot reload" of the configuration without server downtime. It will start the new worker processes with a new configuration and gracefully shutdown the old worker processes. If you have pending requests, then these will be handled by the old worker processes before it dies, so it's an extremely graceful way to reload configs.
If you want to reload the web server, use ''reload''.
{{Cmd|rc-service nginx reload}}
If you want to restart the web server, use ''restart''.
{{Cmd|rc-service nginx restart}}

=== Stop Nginx ===
If you want to stop the web server, use ''stop''.
{{Cmd|rc-service nginx stop}}

=== Runlevel ===
Normally you want to start the web server when the system is launching. This is done by adding Nginx to the needed runlevel.
{{Cmd|rc-update add nginx default}}

Now Nginx should start automatically when you boot your machine next time. To test that run:
{{cmd|reboot}}

To make sure that Nginx is started run:
{{cmd|<nowiki>ps aux | grep nginx</nowiki>}}

You should get something like this:
<pre>
263 root 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
264 www 0:00 nginx: worker process
310 root 0:00 grep nginx
</pre>

== Testing Nginx ==
This section is assuming that nginx is running and sample html page "/www/index.html" is created. Launch a web browser and point it to your web server.
You should get:
<pre>Server is online</pre>

== Troubleshooting ==
If Nginx is not started check Nginx log file
{{cmd|less /var/log/nginx/error.log}}

Make sure that configuration file does not contain errors
{{cmd|vi /etc/nginx/nginx.conf}}

== Nginx with PHP ==

[[Nginx_with_PHP#Nginx_with_PHP|Setting Up Nginx with PHP]] 
[[Nginx_as_reverse_proxy_with_acme_(letsencrypt)|Setting Up Nginx as Reverse Proxy with acme (Let's Encrypt)]]

[[Category:Server]]
[[Category:Web Server]]

Nginx

2017-12-10T08:10:34Z

Flaxe: /* Installation */

[https://nginx.org/en/ Nginx] (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server

== Installation ==
Nginx package is available in the Alpine Linux repositories. To install it run:

{{Cmd|apk update
apk add nginx}}

Creating new user and group 'www' for nginx
{{Cmd|adduser -D -g 'www' www}}

Create a directory for html files
{{Cmd|mkdir /www
chown -R www:www /var/lib/nginx
chown -R www:www /www
}}

== Configuration ==
You may want to make backup of original nginx.conf file before writting your own
{{Cmd|mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig}}

Configuring Nginx to listen to port 80 and process .html or .htm files
{{Cmd|vi /etc/nginx/nginx.conf}}
<pre>
user www;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
access_log /var/log/nginx/access.log;
keepalive_timeout 3000;
server {
listen 80;
root /www;
index index.html index.htm;
server_name localhost;
client_max_body_size 32m;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/lib/nginx/html;
}
}
}
</pre>

== Sample page ==
{{Cmd|vi /www/index.html}}
<pre>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>HTML5</title>
</head>
<body>
Server is online
</body>
</html>
</pre>

== Controlling nginx ==

=== Start Nginx ===
After the installation Nginx is not running. To start Nginx, use ''start''.
{{Cmd|rc-service nginx start}}

You will get a feedback about the status.
<pre>
* /run/nginx: creating directory
* /run/nginx: correcting owner [ ok ]
* Starting nginx ... [ ok ]
</pre>

=== Reload and Restart Nginx ===
Changes made in the configuration file will not be applied until the command to reload configuration is sent to nginx or it is restarted. 
Reloading will do a "hot reload" of the configuration without server downtime. It will start the new worker processes with a new configuration and gracefully shutdown the old worker processes. If you have pending requests, then these will be handled by the old worker processes before it dies, so it's an extremely graceful way to reload configs.
If you want to reload the web server, use ''reload''.
{{Cmd|rc-service nginx reload}}
If you want to restart the web server, use ''restart''.
{{Cmd|rc-service nginx restart}}

=== Stop Nginx ===
If you want to stop the web server, use ''stop''.
{{Cmd|rc-service nginx stop}}

=== Runlevel ===
Normally you want to start the web server when the system is launching. This is done by adding Nginx to the needed runlevel.
{{Cmd|rc-update add nginx default}}

Now Nginx should start automatically when you boot your machine next time. To test that run:
{{cmd|reboot}}

To make sure that Nginx is started run:
{{cmd|<nowiki>ps aux | grep nginx</nowiki>}}

You should get something like this:
<pre>
263 root 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
264 www 0:00 nginx: worker process
310 root 0:00 grep nginx
</pre>

== Testing Nginx ==
This section is assuming that nginx is running and sample html page "/www/index.html" is created. Launch a web browser and point it to your web server.
You should get:
<pre>Server is online</pre>

== Troubleshooting ==
If Nginx is not started check Nginx log file
{{cmd|less /var/log/nginx/error.log}}

Make sure that configuration file does not contain errors
{{cmd|vi /etc/nginx/nginx.conf}}

== Nginx with PHP ==

[[Nginx_with_PHP#Nginx_with_PHP|Setting Up Nginx with PHP]] 
[[Nginx_as_reverse_proxy_with_acme_(letsencrypt)|Setting Up Nginx as Reverse Proxy with acme (Let's Encrypt)]]

[[Category:Server]]
[[Category:Web Server]]

Nginx

2017-12-10T08:07:48Z

Flaxe: /* Installation */

[https://nginx.org/en/ Nginx] (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server

== Installation ==
Nginx package is available in the Alpine Linux repositories. To install it run:

{{Cmd|apk update
apk add nginx}}

Creating new user and group 'www' for nginx
{{Cmd|adduser -D -u 1000 -g 'www' www}}

Create a directory for html files
{{Cmd|mkdir /www
chown -R www:www /var/lib/nginx
chown -R www:www /www
}}

== Configuration ==
You may want to make backup of original nginx.conf file before writting your own
{{Cmd|mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig}}

Configuring Nginx to listen to port 80 and process .html or .htm files
{{Cmd|vi /etc/nginx/nginx.conf}}
<pre>
user www;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
access_log /var/log/nginx/access.log;
keepalive_timeout 3000;
server {
listen 80;
root /www;
index index.html index.htm;
server_name localhost;
client_max_body_size 32m;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/lib/nginx/html;
}
}
}
</pre>

== Sample page ==
{{Cmd|vi /www/index.html}}
<pre>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>HTML5</title>
</head>
<body>
Server is online
</body>
</html>
</pre>

== Controlling nginx ==

=== Start Nginx ===
After the installation Nginx is not running. To start Nginx, use ''start''.
{{Cmd|rc-service nginx start}}

You will get a feedback about the status.
<pre>
* /run/nginx: creating directory
* /run/nginx: correcting owner [ ok ]
* Starting nginx ... [ ok ]
</pre>

=== Reload and Restart Nginx ===
Changes made in the configuration file will not be applied until the command to reload configuration is sent to nginx or it is restarted. 
Reloading will do a "hot reload" of the configuration without server downtime. It will start the new worker processes with a new configuration and gracefully shutdown the old worker processes. If you have pending requests, then these will be handled by the old worker processes before it dies, so it's an extremely graceful way to reload configs.
If you want to reload the web server, use ''reload''.
{{Cmd|rc-service nginx reload}}
If you want to restart the web server, use ''restart''.
{{Cmd|rc-service nginx restart}}

=== Stop Nginx ===
If you want to stop the web server, use ''stop''.
{{Cmd|rc-service nginx stop}}

=== Runlevel ===
Normally you want to start the web server when the system is launching. This is done by adding Nginx to the needed runlevel.
{{Cmd|rc-update add nginx default}}

Now Nginx should start automatically when you boot your machine next time. To test that run:
{{cmd|reboot}}

To make sure that Nginx is started run:
{{cmd|<nowiki>ps aux | grep nginx</nowiki>}}

You should get something like this:
<pre>
263 root 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
264 www 0:00 nginx: worker process
310 root 0:00 grep nginx
</pre>

== Testing Nginx ==
This section is assuming that nginx is running and sample html page "/www/index.html" is created. Launch a web browser and point it to your web server.
You should get:
<pre>Server is online</pre>

== Troubleshooting ==
If Nginx is not started check Nginx log file
{{cmd|less /var/log/nginx/error.log}}

Make sure that configuration file does not contain errors
{{cmd|vi /etc/nginx/nginx.conf}}

== Nginx with PHP ==

[[Nginx_with_PHP#Nginx_with_PHP|Setting Up Nginx with PHP]] 
[[Nginx_as_reverse_proxy_with_acme_(letsencrypt)|Setting Up Nginx as Reverse Proxy with acme (Let's Encrypt)]]

[[Category:Server]]
[[Category:Web Server]]

Nginx

2017-12-09T13:23:54Z

Flaxe: /* Controlling nginx */

[https://nginx.org/en/ Nginx] (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server

== Installation ==
Nginx package is available in the Alpine Linux repositories. To install it run:

{{Cmd|apk add nginx}}

Creating new user and group 'www' for nginx
{{Cmd|adduser -D -u 1000 -g 'www' www}}

Create a directory for html files
{{Cmd|mkdir /www
chown -R www:www /var/lib/nginx
chown -R www:www /www
}}

== Configuration ==
You may want to make backup of original nginx.conf file before writting your own
{{Cmd|mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig}}

Configuring Nginx to listen to port 80 and process .html or .htm files
{{Cmd|vi /etc/nginx/nginx.conf}}
<pre>
user www;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
access_log /var/log/nginx/access.log;
keepalive_timeout 3000;
server {
listen 80;
root /www;
index index.html index.htm;
server_name localhost;
client_max_body_size 32m;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/lib/nginx/html;
}
}
}
</pre>

== Sample page ==
{{Cmd|vi /www/index.html}}
<pre>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>HTML5</title>
</head>
<body>
Server is online
</body>
</html>
</pre>

== Controlling nginx ==

=== Start Nginx ===
After the installation Nginx is not running. To start Nginx, use ''start''.
{{Cmd|rc-service nginx start}}

You will get a feedback about the status.
<pre>
* /run/nginx: creating directory
* /run/nginx: correcting owner [ ok ]
* Starting nginx ... [ ok ]
</pre>

=== Reload and Restart Nginx ===
Changes made in the configuration file will not be applied until the command to reload configuration is sent to nginx or it is restarted. 
Reloading will do a "hot reload" of the configuration without server downtime. It will start the new worker processes with a new configuration and gracefully shutdown the old worker processes. If you have pending requests, then these will be handled by the old worker processes before it dies, so it's an extremely graceful way to reload configs.
If you want to reload the web server, use ''reload''.
{{Cmd|rc-service nginx reload}}
If you want to restart the web server, use ''restart''.
{{Cmd|rc-service nginx restart}}

=== Stop Nginx ===
If you want to stop the web server, use ''stop''.
{{Cmd|rc-service nginx stop}}

=== Runlevel ===
Normally you want to start the web server when the system is launching. This is done by adding Nginx to the needed runlevel.
{{Cmd|rc-update add nginx default}}

Now Nginx should start automatically when you boot your machine next time. To test that run:
{{cmd|reboot}}

To make sure that Nginx is started run:
{{cmd|<nowiki>ps aux | grep nginx</nowiki>}}

You should get something like this:
<pre>
263 root 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
264 www 0:00 nginx: worker process
310 root 0:00 grep nginx
</pre>

== Testing Nginx ==
This section is assuming that nginx is running and sample html page "/www/index.html" is created. Launch a web browser and point it to your web server.
You should get:
<pre>Server is online</pre>

== Troubleshooting ==
If Nginx is not started check Nginx log file
{{cmd|less /var/log/nginx/error.log}}

Make sure that configuration file does not contain errors
{{cmd|vi /etc/nginx/nginx.conf}}

== Nginx with PHP ==

[[Nginx_with_PHP#Nginx_with_PHP|Setting Up Nginx with PHP]] 
[[Nginx_as_reverse_proxy_with_acme_(letsencrypt)|Setting Up Nginx as Reverse Proxy with acme (Let's Encrypt)]]

[[Category:Server]]
[[Category:Web Server]]

Tutorials and Howtos

2017-12-09T12:09:36Z

Flaxe: /* HTTP */

[[Image:package_edutainment.svg|right|link=]]
{{TOC left}}
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''

The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.

Howtos are smaller articles explaining how to perform a particular task with Alpine Linux.

We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].

{{Clear}}
== Storage ==

* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)'' 
** [[Back Up a Flash Memory Installation]] 
** [[Manually editing a existing apkovl]]

* [[Setting up disks manually]] 
* [[Setting up a software RAID array]]

* [[Raid Administration]]
* [[Setting up encrypted volumes with LUKS]]
* [[Setting up LVM on LUKS]]
* [[Setting up Logical Volumes with LVM]]
** [[Setting up LVM on GPT-labeled disks]]
** [[Installing on GPT LVM]]
* [[Filesystems|Formatting HD/Floppy/Other]] 

* [[Setting up iSCSI]]
** [[iSCSI Raid and Clustered File Systems]]
* [[Setting up NBD]]
* [[High performance SCST iSCSI Target on Linux software Raid]] ''(deprecated)'' 
* [[Linux iSCSI Target (TCM)]]
* [[Disk Replication with DRBD]] 

* [[Burning ISOs]] 
* [[Partitioning and Bootmanagers]]
* [[Migrating data]]
* [[Create a bootable SDHC from a Mac]]
* [[Alpine on ARM]]

== Networking ==

* [[Configure Networking]]
* [[Connecting to a wireless access point]]
* [[Bonding]]
* [[Vlan]]
* [[Bridge]]
* [[OpenVSwitch]]
* [[How to configure static routes]]

* [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]] ''(a new firewall management framework)''

* [[PXE boot]]

* [[Using serial modem]]
* [[Using HSDPA modem]]
* [[Setting up Satellite Internet Connection]]
* [[Using Alpine on Windows domain with IPSEC isolation]]

* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)'' 
* [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''
* [[Setting up a OpenVPN server with Alpine]] ''(Allowing single users or devices to remotely connect to your network)''

* [[Experiences with OpenVPN-client on ALIX.2D3]] 

* [[Generating SSL certs with ACF]] 
* [[Setting up unbound DNS server]]
* [[Setting up nsd DNS server]]
* [[TinyDNS Format]]
* [[Fault Tolerant Routing with Alpine Linux]] 
* [[Freeradius Active Directory Integration]]
* [[Multi_ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''
* [[OwnCloud]] ''(Installing OwnCloud)''

* [[Seafile: setting up your own private cloud]]

== Post-Install ==


* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''

** [[Comparison with other distros]]
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''
** [[Back Up a Flash Memory Installation]] 
** [[Manually editing a existing apkovl]]
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''
** [[Multiple Instances of Services]]

* [[Alpine setup scripts#setup-xorg-base|Setting up Xorg]]
* [[Upgrading Alpine]]


* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''
* [[setup-acf]] ''(Configures ACF (webconfiguration) so you can manage your box through https)''
* [[Changing passwords for ACF|Changing passwords]]
* [[Ansible]] ''(Configuration management)''

* [[Enable Serial Console on Boot]]

* [[How to get regular stuff working]] ''some notes on need-to-know topics''
* [[Installing Oracle Java]]
* [[Rsnapshot|Setting up periodic backups with <samp>rsnapshot</samp>]]

== Virtualization==

* [[Xen Dom0]] ''(Setting up Alpine as a dom0 for Xen hypervisor)''
* [[Xen Dom0 on USB or SD]]
* [[Create Alpine Linux PV DomU]]
* [[Xen PCI Passthrough]]
* [[Xen LiveCD]]
* [[qemu]]
* [[KVM]] ''(Setting up Alpine as a KVM hypervisor)''
* [[LXC]] ''(Setting up a Linux container in Alpine Linux)''
* [[Docker]]
* [[Install_Alpine_on_VirtualBox]]

== Desktop Environment ==

* [[Awesome(wm) Setup]]
* [[EyeOS]] ''(Cloud Computing Desktop)''
* [[Gnome Setup]]
* [[MATE|MATE Setup]]
* [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''
* [[Owncloud]] ''(Cloud Computing Desktop - Dropbox Alternative)''
** (to be merged with [[OwnCloud]] ''(Your personal Cloud for storing and sharing your data on-line)'')
* [[Remote Desktop Server]]
* [[Suspend on LID close]]
* [[XFCE Setup]] and [[Xfce Desktop|Desktop Ideas]]
* [[Installing Adobe flash player for Firefox]]
* [[Sound Setup]]
* [[Printer Setup]]
* [[Default applications]]

== Raspberry Pi ==

* [[Raspberry Pi|Raspberry Pi (Installation)]]
* [[Classic install or sys mode on Raspberry Pi]]
* [[RPI Video Receiver]] ''(network video decoder using Rasperry Pi and omxplayer)''
* [[Linux Router with VPN on a Raspberry Pi]]
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]
* [[Raspberry Pi 3 - Setting Up Bluetooth]]

== Applications ==

=== Telephony ===
* [[Setting up Zaptel/Asterisk on Alpine]]
** [[Setting up Streaming an Asterisk Channel]]
* [[Freepbx on Alpine Linux]]
* [[FreePBX_V3]] ''(FreeSWITCH, Asterisk GUI web acces tool)''
* [[2600hz]] ''(FreeSWITCH, Asterisk GUI web access tool)''
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''

=== Mail ===
* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''
** [[Hosting Web/Email services on Alpine]]
* [[ISP Mail Server HowTo]] 
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
** [[ISP Mail Server 3.x HowTo]]
* [[Roundcube]] ''(Webmail system)''
* [[Setting up postfix with virtual domains]]
* [[Protecting your email server with Alpine]]
* [[Setting up clamsmtp]]
* [[Setting up dovecot with imap and ssl]]
* [[relay email to gmail (msmtp, mailx, sendmail]]

=== HTTP ===
* [[Lighttpd]]
** [[Lighttpd Https access]]
** [[Setting Up Lighttpd with PHP]]
** [[Setting Up Lighttpd With FastCGI]]
* [[Cherokee]]
* [[Nginx]]
** [[Nginx_with_PHP#Nginx_with_PHP|Nginx with PHP]]
** [[Nginx as reverse proxy with acme (letsencrypt)]]
* [[Apache]]
** [[Apache with php-fpm]]
** [[Setting Up Apache with PHP]]
** [[Apache authentication: NTLM Single Signon]]

* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)'' 

* [[Setting up Transparent Squid Proxy]] 
** [[SqStat]] ''(Script to look at active squid users connections)''
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[Setting up Explicit Squid Proxy]]

* [[Drupal]] ''(Content Management System (CMS) written in PHP)''
* [[WordPress]] ''(Web software to create website or blog)''
* [[MediaWiki]] ''(Free web-based wiki software application)''
* [[DokuWiki]]
* [[Darkhttpd]]
* [[Tomcat]]

=== Other Servers ===
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''

* [[Setting up a nfs-server]]
* [[Setting up a samba-server]] ''(standard file sharing)''
* [[Setting up a samba-ad-dc]] ''(Active Directory compatible domain controller)''
* [[Phpizabi]] ''(Social Networking Platform)''
* [[Statusnet]] ''(Microblogging Platform)''
* [[Pastebin]] ''(Pastebin software application)''
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]

* [[Patchwork]] ''(Patch review management system)''
* [[Redmine]] ''(Project management system)''
* [[Request-Tracker]] ''(Ticket system)''
* [[OsTicket]] ''(Ticket system)''
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''

* [[Cgit]]
** [[Setting up a git repository server with gitolite and cgit]] 
* [[Roundcube]] ''(Webmail system)''
* [[Glpi]] ''(Manage inventory of technical resources)''

* [[How to setup a Alpine Linux mirror]]
* [[Cups]]
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''
* [[How To Setup Your Own IRC Network]] ''(Using {{Pkg|charybdis}} and {{Pkg|atheme-iris}})''
* [[OpenVCP]] ''(VServer Control Panel)''
* [[Mahara]] ''(E-portfolio and social networking system)''
* [[Chrony and GPSD | Using chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]
* [[Sending SMS using gnokii]]
* [[IPTV How To|Internet Protocol television (IPTV)]]

=== Monitoring ===
* Setting up [[collectd]]
* [[Traffic monitoring]] 
* [[Setting up traffic monitoring using rrdtool (and snmp)]] 
* [[Setting up monitoring using rrdtool (and rrdcollect)]]
* [[Setting up Cacti|Cacti]] ''(Front-end for rrdtool networking monitor)''
* [[LTTng]] ''(Kernel and userspace tracing)''
* [[Setting up Zabbix|Zabbix]] ''(Monitor and track the status of network services and hardware)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' 
* [[Setting up Smokeping|Smokeping]] ''(Network latency monitoring)'' 
** [[Setting up MRTG and Smokeping to Monitor Bandwidth Usage and Network Latency]]
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' 
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' 

* [[IP Accounting]] 
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[SqStat]] ''(Script to look at active squid users connections)''

* [[Piwik]] ''(A real time web analytics software program)''
* [[Awstats]] ''(Free log file analyzer)''
* [[Intrusion Detection using Snort]]
** [[Intrusion Detection using Snort, Sguil, Barnyard and more]]
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''

* [[Webmin]] ''(A web-based interface for Linux system)''
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''
* [[Linfo]]

* [[Setting up lm_sensors]]

* [[ZoneMinder video camera security and surveillance]]

== Misc ==

* [[:Category:Shell]]
* [[:Category:Programming]]
* [[Running glibc programs]]
* [[:Category:Drivers]]
* [[:Category:Multimedia]]
* [[Kernel Modesetting]]
* [[CPU frequency scaling]]

== Complete Solutions ==
* [[DIY Fully working Alpine Linux for Allwinner and Other ARM SOCs]]
* [[Replacing non-Alpine Linux with Alpine remotely]]
* [[High performance SCST iSCSI Target on Linux software Raid]]
* [[Fault Tolerant Routing with Alpine Linux]]
* [[Experiences with OpenVPN-client on ALIX.2D3]]
* [[Building a cloud with Alpine Linux]]

* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
* [[Streaming Security Camera Video with VLC]]
* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small_Office_Services]]

User:Flaxe

2017-12-09T12:07:23Z

Flaxe:

Hello :)

Nginx as reverse proxy with acme (letsencrypt)

2017-12-09T07:36:47Z

Flaxe: /* Installation */

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk update
apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.

{{Cat|/etc/nginx/nginx.conf|<nowiki>
# /etc/nginx/nginx.conf

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
#ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2; # We use TLSv1.2 because current stable nginx release don't support TLSv1.3
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</nowiki>}}

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

{{Cat|/etc/nginx/conf.d/proxy_set_header.inc|<nowiki>proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</nowiki>}}

=== acme-client ===

To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

{{Cat|/etc/nginx/conf.d/acme.inc|<nowiki>location /.well-known/acme-challenge {
alias /var/www/acme;
}
</nowiki>}}

And add this to your proxy configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</nowiki>}}

=== Complete host example with IPv6 support ===

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-09T07:26:13Z

Flaxe: /* NGINX HTTP */

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.

{{Cat|/etc/nginx/nginx.conf|<nowiki>
# /etc/nginx/nginx.conf

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
#ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2; # We use TLSv1.2 because current stable nginx release don't support TLSv1.3
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</nowiki>}}

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

{{Cat|/etc/nginx/conf.d/proxy_set_header.inc|<nowiki>proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</nowiki>}}

=== acme-client ===

To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

{{Cat|/etc/nginx/conf.d/acme.inc|<nowiki>location /.well-known/acme-challenge {
alias /var/www/acme;
}
</nowiki>}}

And add this to your proxy configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</nowiki>}}

=== Complete host example with IPv6 support ===

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-09T07:16:02Z

Flaxe: /* Common configuration includes */

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

{{Cat|/etc/nginx/conf.d/proxy_set_header.inc|<nowiki>proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</nowiki>}}

=== acme-client ===

To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

{{Cat|/etc/nginx/conf.d/acme.inc|<nowiki>location /.well-known/acme-challenge {
alias /var/www/acme;
}
</nowiki>}}

And add this to your proxy configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</nowiki>}}

=== Complete host example with IPv6 support ===

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-09T07:15:29Z

Flaxe: /* acme-client */

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

{{Cat|/etc/nginx/conf.d/acme.inc|<nowiki>location /.well-known/acme-challenge {
alias /var/www/acme;
}
</nowiki>}}

And add this to your proxy configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</nowiki>}}

=== Complete host example with IPv6 support ===

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-09T07:14:02Z

Flaxe: /* Per site HTTPS configuration */

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

/etc/nginx/conf.d/acme.inc:

<pre>
location /.well-known/acme-challenge {
alias /var/www/acme;
}
</pre>

And add this to your proxy configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</nowiki>}}

=== Complete host example with IPv6 support ===

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-09T07:12:54Z

Flaxe: /* Complete host example with IPv6 support */

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

/etc/nginx/conf.d/acme.inc:

<pre>
location /.well-known/acme-challenge {
alias /var/www/acme;
}
</pre>

And add this to your proxy configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</nowiki>}}

=== Complete host example with IPv6 support ===

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-09T07:11:14Z

Flaxe: /* Redirect HTTP to HTTPS */

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

/etc/nginx/conf.d/acme.inc:

<pre>
location /.well-known/acme-challenge {
alias /var/www/acme;
}
</pre>

And add this to your proxy configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</nowiki>}}

=== Complete host example with IPv6 support ===

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
# alpinelinux.org

server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}

</pre>

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-09T07:06:34Z

Flaxe: /* Installation */ Fixed broken link

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

== Installation ==

For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

/etc/nginx/conf.d/acme.inc:

<pre>
location /.well-known/acme-challenge {
alias /var/www/acme;
}
</pre>

And add this to your proxy configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</pre>

=== Complete host example with IPv6 support ===

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
# alpinelinux.org

server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}

</pre>

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-08T20:31:39Z

Flaxe: Replaced openssl with libressl

== Introduction ==

This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of [https://letsencrypt.org/ letsencrypt] certificates and secure https (according to '''ssllabs ssltest'''). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.

== Installation ==

For this howto, we need three tools: [[NGINX]], {{pkg|acme-client}} and {{pkg|libressl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]).

{{Cmd|apk add nginx acme-client libressl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global <code>nginx.conf</code>. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section):

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.

==== Per site configuration files (conf.d) ====

Since Alpine v3.5, we ship '''NGINX''' with a <code>default.conf</code> within the {{path|/etc/nginx/conf.d}} directory.

To add support for another website, you can add files with the '''.conf''' extension to this directory:

{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</nowiki>}}

==== Common configuration includes ====

If you need to setup multiple proxy setups, you can include duplicated data such as shown below:

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow '''NGINX''' to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

/etc/nginx/conf.d/acme.inc:

<pre>
location /.well-known/acme-challenge {
alias /var/www/acme;
}
</pre>

And add this to your proxy configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Automatic generation of certificates ====

Create the following file:
{{Cat|/etc/periodic/weekly/acme-client|<nowiki>#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</nowiki>}}

Make it executable:
chmod +x /etc/periodic/weekly/acme-client

This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.

If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys, you have to run this manually the first time:

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When it's finished, you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

{{Cat|/etc/nginx/conf.d/redirect_http.inc|<nowiki>
location / {
return 301 https://$host$request_uri;
}
</nowiki>}}

==== Update host configuration ====

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</pre>

=== Complete host example with IPv6 support ===

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
# alpinelinux.org

server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}

</pre>

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-06T20:33:51Z

Flaxe: /* Automatic generate certificates */

== Introduction ==

This setup will allow you to have multiple servers/containers be accessible via a single IP address with the added benefit of centralized generation of letsencrypt certificates and secure https (according to ssllabs ssltest). Be aware you first need to setup regular HTTP server to be able to generate your HTTPS certificates and keys. After you have generated them you can add your HTTPS host based configuration.

== Installation ==

For this howto we need three tools, NGINX, acme-client and openssl (for generating Diffie–Hellman Parameters).

{{Cmd|apk add nginx acme-client openssl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global nginx.conf. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st . Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration ssl_dhparam is used so we need to generate a global dhparam file. We want to use a 4096 key size but this can take a very long time. Because of this we are adding an extra option (dsaparam) to generate our dhparam file (see: https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS)

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point you should be able to (re)start your nginx server but it will not use any of the security features (yet).

==== Per site configuration files (conf.d) ====

Since Alpine v3.5 we ship NGINX with an default.conf within the /etc/nginx/conf.d directory.
To add support for another website you can add files with the .conf extension to this directory.

/etc/nginx/conf.d/alpinelinux.org.conf:

<pre>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Common configuration includes ====

If you need to setup multiple proxy setups you can include duplicated data like shown below.

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow NGINX to support https we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

/etc/nginx/conf.d/acme.inc:

<pre>
location /.well-known/acme-challenge {
alias /var/www/acme;
}
</pre>

And add this to your proxy configuration

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Automatic generate certificates ====

Create the following file and make it executable:
/etc/periodic/weekly/acme-client
chmod +x /etc/periodic/weekly/acme-client

<pre>
#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</pre>

This script will run weekly to verify if one of your certificates is outdated and renew them when needed.
 
If you have several domains, you can add them to the '''hosts=''' variable with a space between each domain. This will create a separate certificate and key for each:
<pre>
hosts="alpinelinux.org example.com foo.org bar.io"
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys you have to run this manually the first time.

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When its finished you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem

/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

/etc/nginx/conf.d/redirect_http.inc

<pre>
location / {
return 301 https://$host$request_uri;
}
</pre>

==== Update host configuration ====

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</pre>

=== Complete host example with IPv6 support ===

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
# alpinelinux.org

server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}

</pre>

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-06T20:31:55Z

Flaxe: /* Automatic generate certificates */

== Introduction ==

This setup will allow you to have multiple servers/containers be accessible via a single IP address with the added benefit of centralized generation of letsencrypt certificates and secure https (according to ssllabs ssltest). Be aware you first need to setup regular HTTP server to be able to generate your HTTPS certificates and keys. After you have generated them you can add your HTTPS host based configuration.

== Installation ==

For this howto we need three tools, NGINX, acme-client and openssl (for generating Diffie–Hellman Parameters).

{{Cmd|apk add nginx acme-client openssl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global nginx.conf. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st . Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration ssl_dhparam is used so we need to generate a global dhparam file. We want to use a 4096 key size but this can take a very long time. Because of this we are adding an extra option (dsaparam) to generate our dhparam file (see: https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS)

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point you should be able to (re)start your nginx server but it will not use any of the security features (yet).

==== Per site configuration files (conf.d) ====

Since Alpine v3.5 we ship NGINX with an default.conf within the /etc/nginx/conf.d directory.
To add support for another website you can add files with the .conf extension to this directory.

/etc/nginx/conf.d/alpinelinux.org.conf:

<pre>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Common configuration includes ====

If you need to setup multiple proxy setups you can include duplicated data like shown below.

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow NGINX to support https we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

/etc/nginx/conf.d/acme.inc:

<pre>
location /.well-known/acme-challenge {
alias /var/www/acme;
}
</pre>

And add this to your proxy configuration

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Automatic generate certificates ====

Create the following file and make it executable:
/etc/periodic/weekly/acme-client
chmod +x /etc/periodic/weekly/acme-client

<pre>
#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</pre>

This script will run weekly to verify if one of your certificates is outdated and renew them when needed.
 
If you have several domains, you can add them to the '''hosts=''' line with a space between each. This will create a separate certificate and key for each:
<pre>
...
hosts="alpinelinux.org example.com foo.org bar.io"
...
</pre>

==== Initial generation of keys and certificates ====

To create your initial certificates and keys you have to run this manually the first time.

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When its finished you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem

/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

/etc/nginx/conf.d/redirect_http.inc

<pre>
location / {
return 301 https://$host$request_uri;
}
</pre>

==== Update host configuration ====

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</pre>

=== Complete host example with IPv6 support ===

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
# alpinelinux.org

server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}

</pre>

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

User:Flaxe

2017-12-04T17:57:53Z

Flaxe:

Hello, I am Flaxe from Sweden :)

User:Flaxe

2017-12-04T17:57:37Z

Flaxe: Created page with "Hello, I am Flaxe :)"

Hello, I am Flaxe :)

Hosting services on Alpine

2017-12-04T17:57:05Z

Flaxe: Fixed broken links etc

= Introduction =
Alpine is well suited for hosting email-, web- or other network-related services. 
Your biggest task is to figure out what you want your system to do.

== Preparing Alpine ==
First you need to get alpine up and running. 
Follow the [[Installation]] instructions on how to get your Alpine booted.

If nothing else is mentioned in the below instructions, you should use the latest stable release:{{downloads|alpine}}

=== VServer or not ===
VServer itself has nothing to do with the various services. 
But if you intend to run multiple services on same box (e.g. mail and webhosting) it might be wise to run the various services in separate vserver-guests.

* [[Setting up a basic vserver]] | ''Basic information on how to set up vserver hosts/guests''

== Mail ==
We split the 'Mail' section into various tasks. 
One task is to gather and process mail. Some other task would be to prevent spam and virus etc. 
Finally we need to make sure the user can fetch/read his mail.

=== Receive mail ===

* [[Setting up postfix with virtual domains]] | ''Postfix can be configured in multiple ways - Here we do it with virtual domains''

=== Processing mail - Virus protection ===

* [[Protecting_your_email_server_with_Alpine#Setting_up_the_Virus_scanner|Setting up ClamAV for Postfix]] | ''Referrers to [[Setting_up_postfix_with_virtual_domains]] instructions''

=== Processing mail - Spam protection ===

* [[Protecting_your_email_server_with_Alpine#Setting_up_the_Greylisting_Server|Setting up Gross for Postfix]] | ''Referrers to [[Setting_up_postfix_with_virtual_domains]] instructions''
* [[Protecting_your_email_server_with_Alpine#Setting_up_the_SMTP_filter|Setting up ClamSMTP]] | ''Use ClamSMTP to provide advanced content and virus filtering for spam''
* [[Protecting_your_email_server_with_Alpine#Setting_up_SaneSecurity_.26_MSRBL_extra_definitions|Setting up SaneSecurity & MSRBL extra definitions]] | ''Another good way of catching SPAM is Sanesecurity and MSRBL definitions''

=== Delivering mail to the user ===

* [[Setting up dovecot with imap and ssl]] | ''Secure way to fetch you mail from the mailer daemon''
* [[Setting up dovecot with imap and tls]] | ''Secure way to fetch you mail from the mailer daemon''

=== Other Mail-related documents ===

* [[Hosting Web/Email services on Alpine]] | ''Describes multiple services on same document''
* [[Protecting your email server with Alpine]] | ''Describes multiple services on same document''

== Web ==

* [[Setting up trac wiki]] | ''A ticket/wiki system''
* [[Lighttpd]] | ''Lighttpd web server''
* [[Cherokee]] | ''Cherokee web server''
* [[Apache]] | ''Apache web server''
* [[Darkhttpd]] | ''Darkhttpd web server''
* [[Nginx]] | ''Nginx web server''

== SSH ==

* [[Setting up a ssh-server]] | ''OpenSSH and Dropbear SSH servers''

== DNS ==

* [[Setting up unbound DNS server]] | ''A validating, recursive, and caching DNS resolver that supports DNSSEC''
* [[Setting up nsd DNS server]] | ''An authoritative-only DNS server''

== Proxy ==

* [[Setting up Explicit Squid Proxy]] | ''Configuring an explicit Squid proxy server''
* [[Setting up Transparent Squid Proxy]] | ''Configuring a transparent Squid proxy server''

= Also see =

You'll probably also want to look at [[Tutorials and Howtos]]

[[Category:Server]]
[[Category:Mail]]

Hosting services on Alpine

2017-12-04T17:39:31Z

Flaxe: /* Web */ Added Nginx web server

= Introduction =
Alpine is well suited for hosting email-, web- or other network-related services. 
Your biggest task is to figure out what you want your system to do.

== Preparing Alpine ==
First you need to get alpine up and running. 
Follow the [[Installing_Alpine]] instructions on how to get your Alpine booted.

If nothing else is mentioned in the below instructions, you should use the latest stable release:{{downloads|alpine}}

=== VServer or not ===
VServer itself has nothing to do with the various services. 
But if you intend to run multiple services on same box (e.g. mail and webhosting) it might be wise to run the various services in separate vserver-guests.

* [[Setting_up_a_basic_vserver]] | ''Basic information on how to set up vserver hosts/guests''

== Mail ==
We split the 'Mail' section into various tasks. 
One task is to gather and process mail. Some other task would be to prevent spam and virus etc. 
Finally we need to make sure the user can fetch/read his mail.

=== Receive mail ===

* [[Setting_up_postfix_with_virtual_domains]] | ''Postfix can be configured in multiple ways - Here we do it with virtual domains''

=== Processing mail - Virus protection ===

* [[Setting_up_clamav_for_postfix]] | ''Referrers to [[Setting_up_postfix_with_virtual_domains]] instructions''

=== Processing mail - Spam protection ===

* [[Setting_up_gross_for_postfix]] | ''Referrers to [[Setting_up_postfix_with_virtual_domains]] instructions''
* [[Setting_up_clamsmtp]] | ''Use ClamSMTP to provide advanced content and virus filtering for spam''
* http://www.sanesecurity.co.uk/ | ''Another good way of catching SPAM is Sanesecurity and MSRBL definitions''

=== Delivering mail to the user ===

* [[Setting_up_dovecot_with_imap_and_ssl]] | ''Secure way to fetch you mail from the mailer daemon''
* [[Setting_up_dovecot_with_imap_and_tls]] | ''Secure way to fetch you mail from the mailer daemon''

=== Other Mail-related documents ===

* [[Hosting_Web/Email_services_on_Alpine]] | ''Describes multiple services on same document''
* [[Protecting_your_email_server_with_Alpine]] | ''Describes multiple services on same document''

== Web ==

* [[Setting_up_trac_wiki]] | ''A ticket/wiki system''
* [[Lighttpd]] | ''Lighttpd web server''
* [[Cherokee]] | ''Cherokee web server''
* [[Apache]] | ''Apache web server''
* [[Darkhttpd]] | ''Darkhttpd web server''
* [[Nginx]] | ''Nginx web server''

== SSH ==

* [[Setting_up_a_ssh-server]] | ''OpenSSH and Dropbear SSH servers''

== DNS ==

* [[Setting_up_unbound_DNS_server]] | ''A validating, recursive, and caching DNS resolver that supports DNSSEC''
* [[Setting_up_nsd_DNS_server]] | ''An authoritative-only DNS server''

== Proxy ==

* [[Setting up Explicit Squid Proxy]] | ''Configuring an explicit Squid proxy server''
* [[Setting up Transparent Squid Proxy]] | ''Configuring a transparent Squid proxy server''

= Also see =

You'll probably also want to look at [[Tutorials and Howtos]]

[[Category:Server]]
[[Category:Mail]]

Nginx with PHP

2017-12-04T17:38:23Z

Flaxe: Added Category:PHP

{{:Nginx}}

=== PHP Installation ===
PHP packages is available in the Alpine Linux repositories. To install php5 with modules run:
{{cmd|apk add php5-fpm php5-mcrypt php5-soap php5-openssl php5-gmp php5-pdo_odbc php5-json php5-dom php5-pdo php5-zip php5-mysql php5-mysqli php5-sqlite3 php5-apcu php5-pdo_pgsql php5-bcmath php5-gd php5-xcache php5-odbc php5-pdo_mysql php5-pdo_sqlite php5-gettext php5-xmlreader php5-xmlrpc php5-bz2 php5-memcache php5-mssql php5-iconv php5-pdo_dblib php5-curl php5-ctype}}

Perhaps you do not need all these PHP modules. Install modules according to your needs.

=== Configuration ===

Defining ENV variables which will be used in configuration.
{{cmd|<nowiki>PHP_FPM_USER="www"
PHP_FPM_GROUP="www"
PHP_FPM_LISTEN_MODE="0660"
PHP_MEMORY_LIMIT="512M"
PHP_MAX_UPLOAD="50M"
PHP_MAX_FILE_UPLOAD="200"
PHP_MAX_POST="100M"
PHP_DISPLAY_ERRORS="On"
PHP_DISPLAY_STARTUP_ERRORS="On"
PHP_ERROR_REPORTING="E_COMPILE_ERROR\|E_RECOVERABLE_ERROR\|E_ERROR\|E_CORE_ERROR"
PHP_CGI_FIX_PATHINFO=0</nowiki>}}
Modify variables according to your needs.

Modifying configuration file php-fpm.conf
{{cmd|<nowiki>sed -i "s|;listen.owner\s*=\s*nobody|listen.owner = ${PHP_FPM_USER}|g" /etc/php5/php-fpm.conf
sed -i "s|;listen.group\s*=\s*nobody|listen.group = ${PHP_FPM_GROUP}|g" /etc/php5/php-fpm.conf
sed -i "s|;listen.mode\s*=\s*0660|listen.mode = ${PHP_FPM_LISTEN_MODE}|g" /etc/php5/php-fpm.conf
sed -i "s|user\s*=\s*nobody|user = ${PHP_FPM_USER}|g" /etc/php5/php-fpm.conf
sed -i "s|group\s*=\s*nobody|group = ${PHP_FPM_GROUP}|g" /etc/php5/php-fpm.conf
sed -i "s|;log_level\s*=\s*notice|log_level = notice|g" /etc/php5/php-fpm.conf #uncommenting line </nowiki>}}

Modifying configuration file php.ini
{{cmd|<nowiki>sed -i "s|display_errors\s*=\s*Off|display_errors = ${PHP_DISPLAY_ERRORS}|i" /etc/php5/php.ini
sed -i "s|display_startup_errors\s*=\s*Off|display_startup_errors = ${PHP_DISPLAY_STARTUP_ERRORS}|i" /etc/php5/php.ini
sed -i "s|error_reporting\s*=\s*E_ALL & ~E_DEPRECATED & ~E_STRICT|error_reporting = ${PHP_ERROR_REPORTING}|i" /etc/php5/php.ini
sed -i "s|;*memory_limit =.*|memory_limit = ${PHP_MEMORY_LIMIT}|i" /etc/php5/php.ini
sed -i "s|;*upload_max_filesize =.*|upload_max_filesize = ${PHP_MAX_UPLOAD}|i" /etc/php5/php.ini
sed -i "s|;*max_file_uploads =.*|max_file_uploads = ${PHP_MAX_FILE_UPLOAD}|i" /etc/php5/php.ini
sed -i "s|;*post_max_size =.*|post_max_size = ${PHP_MAX_POST}|i" /etc/php5/php.ini
sed -i "s|;*cgi.fix_pathinfo=.*|cgi.fix_pathinfo= ${PHP_CGI_FIX_PATHINFO}|i" /etc/php5/php.ini</nowiki>}}

To add PHP support to Nginx we should modify Nginx configuration file:
{{cmd|vi /etc/nginx/nginx.conf}}
<pre>
user www;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
access_log /var/log/nginx/access.log;
keepalive_timeout 3000;
server {
listen 80;
root /www;
index index.html index.htm index.php;
server_name localhost;
client_max_body_size 32m;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/lib/nginx/html;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi.conf;
}
}
}
</pre>
In our configuration we have line: "fastcgi_pass 127.0.0.1:9000" 
It should be corresponing to the line "listen = 127.0.0.1:9000" in PHP configuration file /etc/php5/php-fpm.conf

=== Timezone ===
For configuring Timezone you may use tzdata package which can be installed by running:
{{cmd|apk add tzdata}}

Timezone configuration
{{cmd|<nowiki>TIMEZONE="Europe/Helsinki"
cp /usr/share/zoneinfo/${TIMEZONE} /etc/localtime
echo "${TIMEZONE}" > /etc/timezone
sed -i "s|;*date.timezone =.*|date.timezone = ${TIMEZONE}|i" /etc/php5/php.ini</nowiki>}}

=== Sample PHP page ===
{{cmd|vi /www/phpinfo.php}}
<pre>
<?php
phpinfo();
?>
</pre>

=== Starting Nginx with PHP ===
Nginx should be restarted because we have changed it's configuration. Restart it by running:
{{cmd|rc-service nginx restart}}

After the installation PHP is not running. Start it by running:
{{cmd|rc-service php-fpm start}}

=== Runlevel ===
Normally you want to start the web server when the system is launching. This is done by adding Nginx and PHP to the needed runlevel.
{{cmd|rc-update add nginx default
rc-update add php-fpm default}}

Now they should start automatically when you boot your machine next time. To test that run:
{{cmd|reboot}}

To make sure that Nginx and PHP are started run command:
{{cmd|<nowiki>ps aux | grep 'nginx\|php-fpm'</nowiki>}}

You should get something like this:
<pre>
263 root 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
264 www 0:00 nginx: worker process
291 root 0:00 php-fpm: master process (/etc/php5/php-fpm.conf)
302 www 0:00 php-fpm: pool www
303 www 0:00 php-fpm: pool www
310 root 0:00 grep nginx\|php-fpm
</pre>

=== Testing Nginx with PHP ===
This section is assuming that nginx is running and sample html page "/www/phpinfo.php" is created. Launch a web browser and point it to
<pre>
http://X.X.X.X/phpinfo.php
</pre>
where X.X.X.X is IP address of your web server 
 
If everything was set up correctly, you should see information about your web server.

=== Troubleshooting ===

If PHP is not started check php-fpm log file
{{cmd|less /var/log/php-fpm.log}}

Make sure that configuration files do not contain errors
{{cmd|vi /etc/php5/php-fpm.conf
vi /etc/php5/php.ini}}

[[Category:Web Server]]
[[Category:PHP]]

Nginx

2017-12-04T17:37:07Z

Flaxe: /* Nginx with PHP */ Added link to setup with Acme (letsencrypt) and Category:Web Server

[https://nginx.org/en/ Nginx] (engine x) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server

== Installation ==
Nginx package is available in the Alpine Linux repositories. To install it run:

{{Cmd|apk add nginx}}

Creating new user and group 'www' for nginx
{{Cmd|adduser -D -u 1000 -g 'www' www}}

Create a directory for html files
{{Cmd|mkdir /www
chown -R www:www /var/lib/nginx
chown -R www:www /www
}}

== Configuration ==
You may want to make backup of original nginx.conf file before writting your own
{{Cmd|mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig}}

Configuring Nginx to listen to port 80 and process .html or .htm files
{{Cmd|vi /etc/nginx/nginx.conf}}
<pre>
user www;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
access_log /var/log/nginx/access.log;
keepalive_timeout 3000;
server {
listen 80;
root /www;
index index.html index.htm;
server_name localhost;
client_max_body_size 32m;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/lib/nginx/html;
}
}
}
</pre>

== Sample page ==
{{Cmd|vi /www/index.html}}
<pre>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>HTML5</title>
</head>
<body>
Server is online
</body>
</html>
</pre>

== Controlling nginx ==

=== Start Nginx ===
After the installation Nginx is not running. To start Nginx, use ''start''.
{{Cmd|rc-service nginx start}}

You will get a feedback about the status.
<pre>
* /run/nginx: creating directory
* /run/nginx: correcting owner [ ok ]
* Starting nginx ... [ ok ]
</pre>

=== Restart Nginx ===
After changing the configuration file nginx needs to be restarted.
If you want to restart the web server use ''restart''.
{{Cmd|rc-service nginx restart}}

=== Stop Nginx ===
If you want to stop the web server use ''stop''.
{{Cmd|rc-service nginx stop}}

=== Runlevel ===
Normally you want to start the web server when the system is launching. This is done by adding Nginx to the needed runlevel.
{{Cmd|rc-update add nginx default}}

Now Nginx should start automatically when you boot your machine next time. To test that run:
{{cmd|reboot}}

To make sure that Nginx is started run:
{{cmd|<nowiki>ps aux | grep nginx</nowiki>}}

You should get something like this:
<pre>
263 root 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
264 www 0:00 nginx: worker process
310 root 0:00 grep nginx
</pre>

== Testing Nginx ==
This section is assuming that nginx is running and sample html page "/www/index.html" is created. Launch a web browser and point it to your web server.
You should get:
<pre>Server is online</pre>

== Troubleshooting ==
If Nginx is not started check Nginx log file
{{cmd|less /var/log/nginx/error.log}}

Make sure that configuration file does not contain errors
{{cmd|vi /etc/nginx/nginx.conf}}

== Nginx with PHP ==

[[Nginx_with_PHP#Nginx_with_PHP|Setting Up Nginx with PHP]] 
[[Nginx_as_reverse_proxy_with_acme_(letsencrypt)|Setting Up Nginx as Reverse Proxy with acme (Let's Encrypt)]]

[[Category:Server]]
[[Category:Web Server]]

Nginx with PHP

2017-12-04T17:34:52Z

Flaxe: Added Category:Web Server

Nginx as reverse proxy with acme (letsencrypt)

2017-12-04T17:33:38Z

Flaxe:

== Introduction ==

This setup will allow you to have multiple servers/containers be accessible via a single IP address with the added benefit of centralized generation of letsencrypt certificates and secure https (according to ssllabs ssltest). Be aware you first need to setup regular HTTP server to be able to generate your HTTPS certificates and keys. After you have generated them you can add your HTTPS host based configuration.

== Installation ==

For this howto we need three tools, NGINX, acme-client and openssl (for generating Diffie–Hellman Parameters).

{{Cmd|apk add nginx acme-client openssl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global nginx.conf. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st . Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration ssl_dhparam is used so we need to generate a global dhparam file. We want to use a 4096 key size but this can take a very long time. Because of this we are adding an extra option (dsaparam) to generate our dhparam file (see: https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS)

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point you should be able to (re)start your nginx server but it will not use any of the security features (yet).

==== Per site configuration files (conf.d) ====

Since Alpine v3.5 we ship NGINX with an default.conf within the /etc/nginx/conf.d directory.
To add support for another website you can add files with the .conf extension to this directory.

/etc/nginx/conf.d/alpinelinux.org.conf:

<pre>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Common configuration includes ====

If you need to setup multiple proxy setups you can include duplicated data like shown below.

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow NGINX to support https we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

/etc/nginx/conf.d/acme.inc:

<pre>
location /.well-known/acme-challenge {
alias /var/www/acme;
}
</pre>

And add this to your proxy configuration

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Automatic generate certificates ====

Create the following file and make it executable
/etc/periodic/weekly/acme-client

<pre>
#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</pre>

This script will run weekly to verify if one of your certificates is outdated and renew them when needed.

==== Initial generation of keys and certificates ====

To create your initial certificates and keys you have to run this manually the first time.

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When its finished you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem

/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

/etc/nginx/conf.d/redirect_http.inc

<pre>
location / {
return 301 https://$host$request_uri;
}
</pre>

==== Update host configuration ====

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</pre>

=== Complete host example with IPv6 support ===

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
# alpinelinux.org

server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}

</pre>

[[Category:Authentication]]
[[Category:Networking]]
[[Category:Web Server]]

Alpine security

2017-12-02T19:29:35Z

Flaxe: /* Network statistics */ Update nethogs URL

{{Note|This is work in progress. Not all packages are available at the moment.}}

== Basics ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| alpine-base
| Alpine base package
| http://alpinelinux.org
|-
| alpine-mirrors
| List of Alpine Linux Mirrors
| http://alpinelinux.org/
|-
| bkeymaps
| Binary keymaps for busybox
| http://dev.alpinelinux.org/alpine/bkeymaps
|-
| network-extras
| Meta package to pull in vlan, bonding, bridge and wifi support
| http://alpinelinux.org
|-
| openssl
| Toolkit for SSL v2/v3 and TLS v1
| http://openssl.org
|-
| tzdata
| Timezone data
| http://www.twinsun.com/tz/tz-link.htm
|}

== Code Analysis ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| rpmlint
| A tool for checking common errors in RPM packages
| http://rpmlint.zarb.org
|-
| pylint
| Analyzes Python code looking for bugs and signs of poor quality
| http://pypi.python.org/pypi/pylint
|-
| flawfinder
| Examines C/C++ source code for security flaws
| http://www.dwheeler.com/flawfinder/
|-
| rats
| A tool to find security related programming errors
| https://www.fortify.com/ssa-elements/threat-intelligence/rats.html
|-
| pychecker
| A analyser for python source code
| http://pychecker.sourceforge.net/
|-
| pyflakes
| A passive checker of Python programs
| https://launchpad.net/pyflakes
|-
| strace
| A useful diagnositic, instructional, and debugging tool
| http://sourceforge.net/projects/strace/
|-
| netsink
| A Network Sinkhole for Isolated Malware Analysis
| https://github.com/shendo/netsink
|}



== Forensics / Data recovery tools ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| dc3dd
| Patched version of GNU dd for use in computer forensics
| http://dc3dd.sourceforge.net/
|-
| ddrescue
| Data recovery tool for block devices with errors
| http://www.gnu.org/s/ddrescue/ddrescue.html
|-
| testdisk
| A powerful free data recovery software
| http://www.cgsecurity.org/wiki/TestDisk
|-
| scrub
| Disk scrubbing program
| http://code.google.com/p/diskscrub/
|-
| ncdu
| A curses-based version of the well-known "du"
| http://dev.yorhel.nl/ncdu
|-
| htop
| An interactive process viewer for Linux
| http://htop.sourceforge.net/
|-
| mac-robber
| A tool that collects data from allocated files in a mounted file system
| http://www.sleuthkit.org/mac-robber/desc.php
|-
| wipe
| Tool for securely erasing files from magnetic media
| http://lambda-diode.com/software/wipe/
|-
| nwipe
| Securely erase disks using a variety of recognized methods
| http://nwipe.sourceforge.net
|-
| jhead
| An Exif jpeg header manipulation tool
| http://www.sentex.net/~mwandel/jhead/
|}



== Reconnaissance ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| arpalert
| Monitor ARP changes in ethernet networks
| http://www.arpalert.org
|-
| arpon
| ARP handler inspection
| http://arpon.sourceforge.net/
|-
| dnsenum
| A tool to enumerate DNS info about domains
| http://code.google.com/p/dnsenum/
|-
| halberd
| A tool to discover HTTP load balancers
| http://halberd.superadditive.com/
|-
| scanssh
| Fast SSH server and open proxy scanner
| http://monkey.org/~provos/scanssh/
|-
| ngrep
| Network layer grep tool
| http://ngrep.sourceforge.net/
|-
| netsniff-ng
| A performant Linux network analyzer and networking toolkit
| http://netsniff-ng.org/
|-
| scapy
| Interactive packet manipulation tool and network scanner
| http://www.secdev.org/projects/scapy/
|-
| socat
| Bidirectional data relay between two data channels ('netcat++')
| http://www.dest-unreach.org/socat/
|-
| tcpdump
| A network traffic monitoring tool
| http://www.tcpdump.org/
|-
| tcptrack
| Displays information about tcp connections on a network interface
| http://www.rhythm.cx/~steve/devel/tcptrack/
|-
| tcpflow
| A tool for monitoring, capturing and storing TCP connections flows
| http://www.circlemud.org/~jelson/software/tcpflow/
|-
| tcpproxy
| Transparent TCP Proxy
| http://www.quietsche-entchen.de/cgi-bin/wiki.cgi/proxies/TcpProxy
|-
| etherdump
| An extremely small packet sniffer
| http://freshmeat.net/projects/etherdump/
|-
| netdiscover
| A network address discovering tool
| http://sourceforge.net/projects/netdiscover/
|-
| nmap
| A network exploration tool and security/port scanner
| http://nmap.org
|-
| arpwatch
| An ethernet monitoring program
| http://www-nrg.ee.lbl.gov/
|-
| nfswatch
| An NFS traffic monitoring tool
| http://nfswatch.sourceforge.net/
|-
| p0f
| Passive traffic fingerprinting tool
| http://lcamtuf.coredump.cx/p0f3/
|-
| hping3
| A ping-like TCP/IP packet assembler/analyzer
| http://www.hping.org
|-
| sslscan
| Security assessment tool for SSL
| http://sourceforge.net/projects/sslscan/
|-
| httpry
| A packet sniffer designed for HTTP traffic
| http://dumpsterventures.com/jason/httpry
|-
| bannergrab
| A banner grabbing tool
| http://sourceforge.net/projects/bannergrab
|-
| dnstop
| A DNS traffic capture utility
| http://dns.measurement-factory.com/tools/dnstop/
|-
| flunym0us
| A vulnerability scanner for wordpress and moodle
| http://code.google.com/p/flunym0us/
|-
| swaks
| A transaction-oriented SMTP test tool
| http://www.jetmore.org/john/code/swaks/
|-
| onesixtyone
| An efficient SNMP scanner
| http://www.phreedom.org/software/onesixtyone/
|-
| mitmproxy
| An interactive SSL-capable intercepting HTTP proxy
| http://www.mitmproxy.org/
|-
| hexinject
| A very versatile packet injector and sniffer
| http://hexinject.sourceforge.net/
|-
| [[Setting up OpenVAS9|openvas]]
| Vulnerability scanner and manager
| http://www.openvas.org/src-doc/openvas-manager/index.html
|}



==Application Testing==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| wbox
| HTTP testing tool and configuration-less HTTP server
| http://www.hping.org/wbox/
|-
| slowhttptest
| An application Layer DoS attack simulator
| http://code.google.com/p/slowhttptest
|-
| nikto
| A web application security scanner
| https://www.cirt.net/Nikto2
|}



== Network statistics ==
{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| iperf
| Tool to measure IP bandwidth using UDP or TCP
| http://iperf.sourceforge.net/
|-
| iptraf-ng
| A console-based network monitoring utility
| https://fedorahosted.org/iptraf-ng/
|-
| iptop
| Command line tool that displays bandwidth usage on an interface
| http://www.ex-parrot.com/~pdw/iftop/
|-
| fping
| A utility to ping multiple hosts at once
| http://fping.sourceforge.net/
|-
| mtr
| Full screen ncurses traceroute tool
| http://www.bitwizard.nl/mtr/
|-
| speedometer
| Measure and display the rate of data across a network connection or data being stored in a file
| http://excess.org/speedometer/
|-
| nfdump
| The nfdump tools collect and process netflow data on the command line
| http://nfdump.sourceforge.net/
|-
| nethogs
| Top-like monitor for network traffic
| http://raboof.github.io/nethogs/
|-
| iptstate
| Top-like interface to netfilter connection-tracking table
| http://www.phildev.net/iptstate/
|}



== Misc tools ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| bash-completion
| Command-line tab-completion for bash
| http://bash-completion.alioth.debian.org/
|-
| clamav
| An anti-virus toolkit for UNIX
| http://www.clamav.net
|-
| p7zip
| A command-line port of the 7zip compression utility
| http://p7zip.sourceforge.net/
|-
| nano
| A simple ncurses text editor
| http://www.nano-editor.org/
|-
| rsync
| A file transfer program to keep remote files in sync
| http://rsync.samba.org/
|-
| screen
| A terminal multiplexer, used to multiplex several virtual consoles. Similar to "tmux" below
| http://www.gnu.org/software/screen/
|-
| tmux
| A terminal multiplexer, used to multiplex several virtual consoles. Similar to "screen" above
| https://tmux.github.io/
|-
| multitail
| A tool to view one or multiple files
| http://www.vanheusden.com/multitail
|-
| shed
| A simple hex editor
| http://shed.sourceforge.net/
|-
| e2fsprogs
| Standard Ext2/3/4 filesystem utilities
| http://e2fsprogs.sourceforge.net/
|-
| openssh
| An open source implementation of SSH protocol versions 1 and 2
| http://www.openssh.org/
|-
| passwdgen
| A random password generator
| http://code.google.com/p/passwdgen/
|-
| partclone
| Back up and restore used-blocks of a partition
| http://partclone.org
|-
| sshguard
| Log monitor that blocks with iptables on bad behaviour
| http://www.sshguard.net/download/
|-
| proxychains
| A tool that forces any TCP connection through proxies
| http://proxychains.sourceforge.net
|-
| knock
| A simple port-knocking daemon
| http://www.zeroflux.org/projects/knock
|-
| logcheck
| A simple utility which is designed to allow a system administrator to view the logfiles
| http://www.logcheck.org
|-
| mc
| A visual file manager
| https://www.midnight-commander.org/
|-
| makepasswd
| Generates (pseudo-)random passwords of a desired length
| http://people.defora.org/~khorben/projects/makepasswd/
|-
| lnav
| A curses-based tool for viewing and analyzing log files
| http://lnav.org
|-
| goaccess
| A real-time web log analyzer and interactive viewer
| http://goaccess.prosoftcorp.com/
|}



== VoIP==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| sipp
| A test tool / traffic generator for the SIP protocol
| http://sipp.sourceforge.net/
|-
| voiphopper
| A VLAN Hop security test
| http://voiphopper.sourceforge.net/
|-
| sipvicious
| Tools for auditing SIP based VoIP systems
| http://code.google.com/p/sipvicious/
|-
| sipcrack
| A SIP protocol login cracker
| http://packages.debian.org/lenny/sipcrack
|-
| sipsak
| SIP swiss army knife
| http://sipsak.org/
|-
| smap
| A simple scanner for SIP enabled devices
| http://www.wormulon.net/smap
|}



== Wireless ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| weplab
| Analyzing WEP encryption security on wireless networks
| http://weplab.sourceforge.net/
|-
| kismet
| A WLAN detector, sniffer, and IDS
| http://www.kismetwireless.org/
|-
| cowpatty
| Attacking WPA/WPA2-PSK exchanges
| http://www.willhackforsushi.com/Cowpatty.html
|-
| wavemon
| Ncurses-based monitoring application for wireless network devices
| http://eden-feed.erg.abdn.ac.uk/wavemon/
|}



== Intrusion detection ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| nebula
| An Intrusion Signature Generator
| http://nebula.carnivore.it/
|-
| snort
| A network intrusion prevention and detection system
| http://www.snort.org/
|}





[[Category:ISO]]

Alpine security

2017-12-02T19:25:16Z

Flaxe: /* Misc tools */

{{Note|This is work in progress. Not all packages are available at the moment.}}

== Basics ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| alpine-base
| Alpine base package
| http://alpinelinux.org
|-
| alpine-mirrors
| List of Alpine Linux Mirrors
| http://alpinelinux.org/
|-
| bkeymaps
| Binary keymaps for busybox
| http://dev.alpinelinux.org/alpine/bkeymaps
|-
| network-extras
| Meta package to pull in vlan, bonding, bridge and wifi support
| http://alpinelinux.org
|-
| openssl
| Toolkit for SSL v2/v3 and TLS v1
| http://openssl.org
|-
| tzdata
| Timezone data
| http://www.twinsun.com/tz/tz-link.htm
|}

== Code Analysis ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| rpmlint
| A tool for checking common errors in RPM packages
| http://rpmlint.zarb.org
|-
| pylint
| Analyzes Python code looking for bugs and signs of poor quality
| http://pypi.python.org/pypi/pylint
|-
| flawfinder
| Examines C/C++ source code for security flaws
| http://www.dwheeler.com/flawfinder/
|-
| rats
| A tool to find security related programming errors
| https://www.fortify.com/ssa-elements/threat-intelligence/rats.html
|-
| pychecker
| A analyser for python source code
| http://pychecker.sourceforge.net/
|-
| pyflakes
| A passive checker of Python programs
| https://launchpad.net/pyflakes
|-
| strace
| A useful diagnositic, instructional, and debugging tool
| http://sourceforge.net/projects/strace/
|-
| netsink
| A Network Sinkhole for Isolated Malware Analysis
| https://github.com/shendo/netsink
|}



== Forensics / Data recovery tools ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| dc3dd
| Patched version of GNU dd for use in computer forensics
| http://dc3dd.sourceforge.net/
|-
| ddrescue
| Data recovery tool for block devices with errors
| http://www.gnu.org/s/ddrescue/ddrescue.html
|-
| testdisk
| A powerful free data recovery software
| http://www.cgsecurity.org/wiki/TestDisk
|-
| scrub
| Disk scrubbing program
| http://code.google.com/p/diskscrub/
|-
| ncdu
| A curses-based version of the well-known "du"
| http://dev.yorhel.nl/ncdu
|-
| htop
| An interactive process viewer for Linux
| http://htop.sourceforge.net/
|-
| mac-robber
| A tool that collects data from allocated files in a mounted file system
| http://www.sleuthkit.org/mac-robber/desc.php
|-
| wipe
| Tool for securely erasing files from magnetic media
| http://lambda-diode.com/software/wipe/
|-
| nwipe
| Securely erase disks using a variety of recognized methods
| http://nwipe.sourceforge.net
|-
| jhead
| An Exif jpeg header manipulation tool
| http://www.sentex.net/~mwandel/jhead/
|}



== Reconnaissance ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| arpalert
| Monitor ARP changes in ethernet networks
| http://www.arpalert.org
|-
| arpon
| ARP handler inspection
| http://arpon.sourceforge.net/
|-
| dnsenum
| A tool to enumerate DNS info about domains
| http://code.google.com/p/dnsenum/
|-
| halberd
| A tool to discover HTTP load balancers
| http://halberd.superadditive.com/
|-
| scanssh
| Fast SSH server and open proxy scanner
| http://monkey.org/~provos/scanssh/
|-
| ngrep
| Network layer grep tool
| http://ngrep.sourceforge.net/
|-
| netsniff-ng
| A performant Linux network analyzer and networking toolkit
| http://netsniff-ng.org/
|-
| scapy
| Interactive packet manipulation tool and network scanner
| http://www.secdev.org/projects/scapy/
|-
| socat
| Bidirectional data relay between two data channels ('netcat++')
| http://www.dest-unreach.org/socat/
|-
| tcpdump
| A network traffic monitoring tool
| http://www.tcpdump.org/
|-
| tcptrack
| Displays information about tcp connections on a network interface
| http://www.rhythm.cx/~steve/devel/tcptrack/
|-
| tcpflow
| A tool for monitoring, capturing and storing TCP connections flows
| http://www.circlemud.org/~jelson/software/tcpflow/
|-
| tcpproxy
| Transparent TCP Proxy
| http://www.quietsche-entchen.de/cgi-bin/wiki.cgi/proxies/TcpProxy
|-
| etherdump
| An extremely small packet sniffer
| http://freshmeat.net/projects/etherdump/
|-
| netdiscover
| A network address discovering tool
| http://sourceforge.net/projects/netdiscover/
|-
| nmap
| A network exploration tool and security/port scanner
| http://nmap.org
|-
| arpwatch
| An ethernet monitoring program
| http://www-nrg.ee.lbl.gov/
|-
| nfswatch
| An NFS traffic monitoring tool
| http://nfswatch.sourceforge.net/
|-
| p0f
| Passive traffic fingerprinting tool
| http://lcamtuf.coredump.cx/p0f3/
|-
| hping3
| A ping-like TCP/IP packet assembler/analyzer
| http://www.hping.org
|-
| sslscan
| Security assessment tool for SSL
| http://sourceforge.net/projects/sslscan/
|-
| httpry
| A packet sniffer designed for HTTP traffic
| http://dumpsterventures.com/jason/httpry
|-
| bannergrab
| A banner grabbing tool
| http://sourceforge.net/projects/bannergrab
|-
| dnstop
| A DNS traffic capture utility
| http://dns.measurement-factory.com/tools/dnstop/
|-
| flunym0us
| A vulnerability scanner for wordpress and moodle
| http://code.google.com/p/flunym0us/
|-
| swaks
| A transaction-oriented SMTP test tool
| http://www.jetmore.org/john/code/swaks/
|-
| onesixtyone
| An efficient SNMP scanner
| http://www.phreedom.org/software/onesixtyone/
|-
| mitmproxy
| An interactive SSL-capable intercepting HTTP proxy
| http://www.mitmproxy.org/
|-
| hexinject
| A very versatile packet injector and sniffer
| http://hexinject.sourceforge.net/
|-
| [[Setting up OpenVAS9|openvas]]
| Vulnerability scanner and manager
| http://www.openvas.org/src-doc/openvas-manager/index.html
|}



==Application Testing==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| wbox
| HTTP testing tool and configuration-less HTTP server
| http://www.hping.org/wbox/
|-
| slowhttptest
| An application Layer DoS attack simulator
| http://code.google.com/p/slowhttptest
|-
| nikto
| A web application security scanner
| https://www.cirt.net/Nikto2
|}



== Network statistics ==
{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| iperf
| Tool to measure IP bandwidth using UDP or TCP
| http://iperf.sourceforge.net/
|-
| iptraf-ng
| A console-based network monitoring utility
| https://fedorahosted.org/iptraf-ng/
|-
| iptop
| Command line tool that displays bandwidth usage on an interface
| http://www.ex-parrot.com/~pdw/iftop/
|-
| fping
| A utility to ping multiple hosts at once
| http://fping.sourceforge.net/
|-
| mtr
| Full screen ncurses traceroute tool
| http://www.bitwizard.nl/mtr/
|-
| speedometer
| Measure and display the rate of data across a network connection or data being stored in a file
| http://excess.org/speedometer/
|-
| nfdump
| The nfdump tools collect and process netflow data on the command line
| http://nfdump.sourceforge.net/
|-
| nethogs
| Top-like monitor for network traffic
| http://nethogs.sourceforge.net
|-
| iptstate
| Top-like interface to netfilter connection-tracking table
| http://www.phildev.net/iptstate/
|}



== Misc tools ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| bash-completion
| Command-line tab-completion for bash
| http://bash-completion.alioth.debian.org/
|-
| clamav
| An anti-virus toolkit for UNIX
| http://www.clamav.net
|-
| p7zip
| A command-line port of the 7zip compression utility
| http://p7zip.sourceforge.net/
|-
| nano
| A simple ncurses text editor
| http://www.nano-editor.org/
|-
| rsync
| A file transfer program to keep remote files in sync
| http://rsync.samba.org/
|-
| screen
| A terminal multiplexer, used to multiplex several virtual consoles. Similar to "tmux" below
| http://www.gnu.org/software/screen/
|-
| tmux
| A terminal multiplexer, used to multiplex several virtual consoles. Similar to "screen" above
| https://tmux.github.io/
|-
| multitail
| A tool to view one or multiple files
| http://www.vanheusden.com/multitail
|-
| shed
| A simple hex editor
| http://shed.sourceforge.net/
|-
| e2fsprogs
| Standard Ext2/3/4 filesystem utilities
| http://e2fsprogs.sourceforge.net/
|-
| openssh
| An open source implementation of SSH protocol versions 1 and 2
| http://www.openssh.org/
|-
| passwdgen
| A random password generator
| http://code.google.com/p/passwdgen/
|-
| partclone
| Back up and restore used-blocks of a partition
| http://partclone.org
|-
| sshguard
| Log monitor that blocks with iptables on bad behaviour
| http://www.sshguard.net/download/
|-
| proxychains
| A tool that forces any TCP connection through proxies
| http://proxychains.sourceforge.net
|-
| knock
| A simple port-knocking daemon
| http://www.zeroflux.org/projects/knock
|-
| logcheck
| A simple utility which is designed to allow a system administrator to view the logfiles
| http://www.logcheck.org
|-
| mc
| A visual file manager
| https://www.midnight-commander.org/
|-
| makepasswd
| Generates (pseudo-)random passwords of a desired length
| http://people.defora.org/~khorben/projects/makepasswd/
|-
| lnav
| A curses-based tool for viewing and analyzing log files
| http://lnav.org
|-
| goaccess
| A real-time web log analyzer and interactive viewer
| http://goaccess.prosoftcorp.com/
|}



== VoIP==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| sipp
| A test tool / traffic generator for the SIP protocol
| http://sipp.sourceforge.net/
|-
| voiphopper
| A VLAN Hop security test
| http://voiphopper.sourceforge.net/
|-
| sipvicious
| Tools for auditing SIP based VoIP systems
| http://code.google.com/p/sipvicious/
|-
| sipcrack
| A SIP protocol login cracker
| http://packages.debian.org/lenny/sipcrack
|-
| sipsak
| SIP swiss army knife
| http://sipsak.org/
|-
| smap
| A simple scanner for SIP enabled devices
| http://www.wormulon.net/smap
|}



== Wireless ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| weplab
| Analyzing WEP encryption security on wireless networks
| http://weplab.sourceforge.net/
|-
| kismet
| A WLAN detector, sniffer, and IDS
| http://www.kismetwireless.org/
|-
| cowpatty
| Attacking WPA/WPA2-PSK exchanges
| http://www.willhackforsushi.com/Cowpatty.html
|-
| wavemon
| Ncurses-based monitoring application for wireless network devices
| http://eden-feed.erg.abdn.ac.uk/wavemon/
|}



== Intrusion detection ==

{| cellpadding="5" border="1" class="wikitable"
|-
! Name
! Description
! URL
|-
| nebula
| An Intrusion Signature Generator
| http://nebula.carnivore.it/
|-
| snort
| A network intrusion prevention and detection system
| http://www.snort.org/
|}





[[Category:ISO]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-01T17:23:09Z

Flaxe: /* Installation */

== Introduction ==

This setup will allow you to have multiple servers/containers be accessible via a single IP address with the added benefit of centralized generation of letsencrypt certificates and secure https (according to ssllabs ssltest). Be aware you first need to setup regular HTTP server to be able to generate your HTTPS certificates and keys. After you have generated them you can add your HTTPS host based configuration.

== Installation ==

For this howto we need three tools, NGINX, acme-client and openssl (for generating Diffie–Hellman Parameters).

{{Cmd|apk add nginx acme-client openssl}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global nginx.conf. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st . Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration ssl_dhparam is used so we need to generate a global dhparam file. We want to use a 4096 key size but this can take a very long time. Because of this we are adding an extra option (dsaparam) to generate our dhparam file (see: https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS)

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point you should be able to (re)start your nginx server but it will not use any of the security features (yet).

==== Per site configuration files (conf.d) ====

Since Alpine v3.5 we ship NGINX with an default.conf within the /etc/nginx/conf.d directory.
To add support for another website you can add files with the .conf extension to this directory.

/etc/nginx/conf.d/alpinelinux.org.conf:

<pre>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Common configuration includes ====

If you need to setup multiple proxy setups you can include duplicated data like shown below.

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow NGINX to support https we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

/etc/nginx/conf.d/acme.inc:

<pre>
location /.well-known/acme-challenge {
alias /var/www/acme;
}
</pre>

And add this to your proxy configuration

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Automatic generate certificates ====

Create the following file and make it executable
/etc/periodic/weekly/acme-client

<pre>
#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</pre>

This script will run weekly to verify if one of your certificates is outdated and renew them when needed.

==== Initial generation of keys and certificates ====

To create your initial certificates and keys you have to run this manually the first time.

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When its finished you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem

/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

/etc/nginx/conf.d/redirect_http.inc

<pre>
location / {
return 301 https://$host$request_uri;
}
</pre>

==== Update host configuration ====

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</pre>

=== Complete host example with IPv6 support ===

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
# alpinelinux.org

server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}

</pre>

[[Category:Authentication]]
[[Category:Networking]]

Nginx as reverse proxy with acme (letsencrypt)

2017-12-01T16:34:45Z

Flaxe: /* Update host configuration */

== Introduction ==

This setup will allow you to have multiple servers/containers be accessible via a single IP address with the added benefit of centralized generation of letsencrypt certificates and secure https (according to ssllabs ssltest). Be aware you first need to setup regular HTTP server to be able to generate your HTTPS certificates and keys. After you have generated them you can add your HTTPS host based configuration.

== Installation ==

For this howto we need two tools, NGINX and acme-client.

{{Cmd|apk add nginx acme-client}}

== Setup ==

=== NGINX HTTP ===

==== Global configuration ====

First step is to refactor our global nginx.conf. Its target at a low traffic http server, to increase performance make changes at top level.

The security settings are taken from https://cipherli.st . Please also read https://hstspreload.org for details about HSTS.

<pre>
# ngnix configuration file

user nginx;

worker_processes 1; # use "auto" to use all available cores (high performance)

events {
worker_connections 1024; # increase if you need more connections
}

http {
# server_names_hash_bucket_size controls the maximum length
# of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
server_tokens off; # hide who we are
sendfile off; # can cause issues

# secure nginx according to https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000"; # https://hstspreload.org
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam dhparam.pem;

# nginx will find this file in the config directory set at nginx build time
include mime.types;

#fallback in case we can't determine a type
default_type application/octet-stream;

# buffering causes issues
proxy_buffering off;

# include hosts
include conf.d/*.conf;
}
</pre>

==== Diffie–Hellman Parameters ====

In the above configuration ssl_dhparam is used so we need to generate a global dhparam file. We want to use a 4096 key size but this can take a very long time. Because of this we are adding an extra option (dsaparam) to generate our dhparam file (see: https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS)

{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}}

At this point you should be able to (re)start your nginx server but it will not use any of the security features (yet).

==== Per site configuration files (conf.d) ====

Since Alpine v3.5 we ship NGINX with an default.conf within the /etc/nginx/conf.d directory.
To add support for another website you can add files with the .conf extension to this directory.

/etc/nginx/conf.d/alpinelinux.org.conf:

<pre>
server {
listen 80;
server_name alpinelinux.org;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Common configuration includes ====

If you need to setup multiple proxy setups you can include duplicated data like shown below.

/etc/nginx/conf.d/proxy_set_header.inc:

<pre>
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
</pre>

=== acme-client ===

To allow NGINX to support https we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.

==== ACME responses ====

/etc/nginx/conf.d/acme.inc:

<pre>
location /.well-known/acme-challenge {
alias /var/www/acme;
}
</pre>

And add this to your proxy configuration

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

==== Automatic generate certificates ====

Create the following file and make it executable
/etc/periodic/weekly/acme-client

<pre>
#!/bin/sh

hosts="alpinelinux.org"

for host in $hosts; do
acme-client -a https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf -Nnmv $host && renew=1
done

[ "$renew" = 1 ] && rc-service nginx reload
</pre>

This script will run weekly to verify if one of your certificates is outdated and renew them when needed.

==== Initial generation of keys and certificates ====

To create your initial certificates and keys you have to run this manually the first time.

{{Cmd|/etc/periodic/weekly/acme-client}}

Watch the output and see if all goes well. When its finished you should have files in:

/etc/ssl/acme/alpinelinux.nl/fullchain.pem

/etc/ssl/acme/private/alpinelinux.org/privkey.pem

=== NGINX HTTPS ===

==== Per site HTTPS configuration ====

Add the following below the previous HTTP configuration:

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 443 ssl;
server_name alpinelinux.org
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}
</pre>

=== Redirect HTTP to HTTPS ===

==== Shared configuration ====

Create the following file:

/etc/nginx/conf.d/redirect_http.inc

<pre>
location / {
return 301 https://$host$request_uri;
}
</pre>

==== Update host configuration ====

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
server {
listen 80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}
</pre>

=== Complete host example with IPv6 support ===

/etc/nginx/conf.d/alpinelinux.org.conf

<pre>
# alpinelinux.org

server {
listen 80;
listen [::]:80;
server_name alpinelinux.org;
include conf.d/acme.inc;
include conf.d/redirect_http.inc;
}

server {
listen 443 ssl;
listen [::]:443 ssl;
server_name alpinelinux.org;
ssl on;
ssl_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;
ssl_certificate_key /etc/ssl/acme/private/alpinelinux.org/privkey.pem;

location / {
include conf.d/proxy_set_header.inc;
proxy_pass http://downstream_http_server_host;
}
}

</pre>

[[Category:Authentication]]
[[Category:Networking]]