Nginx: Difference between revisions

Line 1:

~~Nginx~~ is a lightweight webserver. Configuration is handled using the {{nixos:option|services.nginx.}} options.

[https://nginx.org/ {{PAGENAME}}] ([[wikipedia:en:{{PAGENAME}}]]) is a lightweight webserver. Configuration is handled using the {{nixos:option|services.nginx.}} options.

== Replace dependencies like openssl ==

In wake of the 2022 openssl library, nix can support in mitigating the library by downgrading (or replacing) the SSL library. For this, the [[Overlay|overlay]] facility of nixpkgs can be used:

Line 19:

Line 20:

The nginx module for NixOS has native support for Let's encrypt certificates; {{nixos:option|services.nginx.+acme}}. The {{manual:nixos|sec=#module-security-acme-nginx|chapter=Chapter 20. SSL/TLS Certificates with ACME}} explains it in detail.

=== Minimal Example ===

Assuming that <code>myhost.org</code> resolves to the ip address of your host and port 80 and 443 has been opened.

Line 30:

Line 33:

</syntaxHighlight>

This will set up nginx to serve files for <code>myhost.org</code>, automatically request an ACME SSL Certificate and will configure systemd timers to renew the certificate if required.

=== Troubleshooting ===

==== Read-only Filesystem for nginx upgrade to 20.09 ====

With the upgrade to nixos-20.09 the nginx comes with extra hardening parameters, most prominently the restriction of write access to the Operating System Disk.

When you see errors like <code>[emerg] open() "/var/spool/nginx/logs/binaergewitter.access.log" failed (30: Read-only file system)</code> you can add extra paths to nginx service like this:

Line 57:

Line 63:

</pre>

And it should fix nginx so systemd won't go killing your nginx anymore.

==== General ====

Line 120:

Line 125:

==== HTTP Authentication ====

===== Basic Authentication =====

Nginx can require users to login using HTTP Basic Authentication. In NixOS, this is set using the `basicAuth` option:

Line 131:

Line 138:

};

</syntaxhighlight>

===== Authentication via PAM =====

Line 266:

Line 272:

</syntaxhighlight>

==== Using realIP when behind CloudFlare or other CDN ====

~~==== Using realIP when behind CloudFlare or other CDN ====~~

When Nginx is behind another proxy it won't know the true IP address of clients hitting it. It will then pass down those the proxy's IP address instead of the client IP address. By using the nginx realip module, we can ensure nginx knows the real client IP, and we can further inform nginx to only trust the HTTP header from valid upstream proxies.

Line 293:

Line 299:

</syntaxhighlight>

== See more ==

~~<hr />~~

~~== See more ==~~

* [http://nginx.org/en/docs/ Official Documentation]

[[Category:Applications]]

[[Category:Servers]]

@@ Line 1: / Line 1: @@
-Nginx is a lightweight webserver. Configuration is handled using the {{nixos:option|services.nginx.}} options.
+[https://nginx.org/ {{PAGENAME}}] ([[wikipedia:en:{{PAGENAME}}]]) is a lightweight webserver. Configuration is handled using the {{nixos:option|services.nginx.}} options.
 == Replace dependencies like openssl ==
 In wake of the 2022 openssl library, nix can support in mitigating the library by downgrading (or replacing) the SSL library. For this, the [[Overlay|overlay]] facility of nixpkgs can be used:
 <syntaxHighlight lang=nix>
@@ Line 19: / Line 20: @@
 The nginx module for NixOS has native support for Let's encrypt certificates;  {{nixos:option|services.nginx.+acme}}. The {{manual:nixos|sec=#module-security-acme-nginx|chapter=Chapter 20. SSL/TLS Certificates with ACME}} explains it in detail.
 === Minimal Example ===
 Assuming that <code>myhost.org</code> resolves to the ip address of your host and port 80 and 443 has been opened.
 <syntaxHighlight lang=nix>
@@ Line 30: / Line 33: @@
 </syntaxHighlight>
 This will set up nginx to serve files for <code>myhost.org</code>, automatically request an ACME SSL Certificate and will configure systemd timers to renew the certificate if required.
 === Troubleshooting ===
 ==== Read-only Filesystem for nginx upgrade to 20.09 ====
 With the upgrade to nixos-20.09 the nginx comes with extra hardening parameters, most prominently the restriction of write access to the Operating System Disk.
 When you see errors like <code>[emerg] open() "/var/spool/nginx/logs/binaergewitter.access.log" failed (30: Read-only file system)</code> you can add extra paths to nginx service like this:
@@ Line 57: / Line 63: @@
 </pre>
 And it should fix nginx so systemd won't go killing your nginx anymore.
 ==== General ====
@@ Line 120: / Line 125: @@
 ==== HTTP Authentication ====
 ===== Basic Authentication =====
 Nginx can require users to login using HTTP Basic Authentication. In NixOS, this is set using the `basicAuth` option:
@@ Line 131: / Line 138: @@
 };
 </syntaxhighlight>
 ===== Authentication via PAM =====
@@ Line 266: / Line 272: @@
 </syntaxhighlight>
+==== Using realIP when behind CloudFlare or other CDN ====
-==== Using realIP when behind CloudFlare or other CDN ====
 When Nginx is behind another proxy it won't know the true IP address of clients hitting it. It will then pass down those the proxy's IP address instead of the client IP address. By using the nginx realip module, we can ensure nginx knows the real client IP, and we can further inform nginx to only trust the HTTP header from valid upstream proxies.
@@ Line 293: / Line 299: @@
 </syntaxhighlight>
+== See more ==
-<hr />
-== See more ==
 * [http://nginx.org/en/docs/ Official Documentation]
 [[Category:Applications]]
 [[Category:Servers]]