Nginx: Difference between revisions

imported>Iterprise
No edit summary
imported>Exyi
Added basic proxy and HTTP auth examples
Line 40: Line 40:


See {{issue|38144}} for the current status.
See {{issue|38144}} for the current status.
==== General ====
Nginx is run as SystemD service nginx, so <code>systemctl status nginx</code> may say something useful. If you have a problem with configuration, you can find the configuration location in the <code>systemctl status</code>, it should be at <code>/nix/store/*-nginx.conf</code>.


== Sample setups ==
== Sample setups ==


Static blog with ssl enforced in <code>configuration.nix</code>
==== Static blog with ssl enforced in <code>configuration.nix</code> ====


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
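Review bot: In the added General section, "SystemD" should be written "systemd", and the second sentence is a comma splice that leaves it unclear what "it" refers to. Suggested wording: "Nginx runs as the systemd service nginx, so <code>systemctl status nginx</code> is the first place to look. The path of the generated configuration file appears in that output and has the form <code>/nix/store/*-nginx.conf</code>." For a configuration that fails to load, <code>journalctl -u nginx</code> is worth mentioning next to <code>systemctl status</code>, since the status output only shows the last few log lines.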
Line 61: Line 65:
</syntaxhighlight>
</syntaxhighlight>


LEMP stack (Nginx/MySQL/PHP) in <code>configuration.nix</code>
==== LEMP stack ====
 
(Nginx/MySQL/PHP) in <code>configuration.nix</code>


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
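Review bot: Splitting the LEMP line into a heading leaves an orphaned fragment, "(Nginx/MySQL/PHP) in <code>configuration.nix</code>", preceded by a line that contains only a space, which MediaWiki renders as an empty preformatted box. Either fold the expansion into the heading, as was done for the static blog entry in the previous hunk, or keep it as a full sentence under the heading, and drop the whitespace-only line.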
Line 95: Line 101:
</syntaxhighlight>
</syntaxhighlight>


==== HTTP Authentication ====
Nginx can require users to login using HTTP Basic Authentication. In NixOS, this is set using the `basicAuth` option:
<syntaxhighlight lang="nix">
services.nginx = {
    virtualHosts."example.com" =  {
      basicAuth = { user = "password"; anotherUser = "..."; };
      ...
    };
};
</syntaxhighlight>
==== TLS reverse proxy ====


Hardened setup with TLS and HSTS preloading:
This is a "minimal" example in terms of security, see below for more tips.
 
<syntaxhighlight lang="nix">
services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # other Nginx options
    virtualHosts."example.com" =  {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "https://127.0.0.1:12345";
        proxyWebsockets = true; # needed if you need to use WebSocket
        extraConfig =
          # required when the target is also TLS server with multiple hosts
          "proxy_ssl_server_name on;" +
          # required when the server wants to use HTTP Authentication
          "proxy_pass_header Authorization;"
          ;
      };
    };
};
</syntaxhighlight>
 
==== Hardened setup with TLS and HSTS preloading ====


For testing your TLS configuration, you might want to visit [https://www.ssllabs.com/ssltest/index.html].
For testing your TLS configuration, you might want to visit [https://www.ssllabs.com/ssltest/index.html].
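Review bot: The <code>basicAuth = { user = "password"; ... }</code> example in the new HTTP Authentication section puts the password in plain text in configuration.nix, and everything evaluated from there ends up in the world-readable Nix store. The section should say so and point to the <code>basicAuthFile</code> option with an htpasswd file kept outside the store. It should also note that Basic credentials are only base64-encoded on the wire, so the virtual host needs <code>forceSSL</code> as in the reverse proxy example. The option name is wrapped in Markdown backticks, which MediaWiki prints literally; use <code>&lt;code&gt;</code> tags as the rest of the page does. In the TLS reverse proxy block, the comment on <code>proxy_pass_header Authorization;</code> is misleading: that directive controls which response headers from the upstream are passed to the client, while the client's Authorization request header is forwarded to the upstream by default. Finally, the two whitespace-only lines around the block render as empty preformatted boxes and should be removed.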
Line 178: Line 223:
   }
   }
</syntaxhighlight>
</syntaxhighlight>
== See more ==