Nginx SSL – Generate chained.crt

 

To generate the chained.crt file you need the following 2 files:

  • server.crt (also named your_domain_name.crt)
  • IntermediateCA.crt

Concatenate the above 2 files in the same order to generate the chained.crt file.

$ cat server.crt IntermediateCA.crt > chained.crt

Add these 2 lines to the Nginx config:

ssl_certificate    /etc/nginx/ssl/chained.crt;
ssl_certificate_key    /etc/nginx/ssl/your_domain_name.key;

Once that is done, restart Nginx.

Nginx – Host/serve an Android apk file

 

To host/serve an Android apk file with Nginx, the following changes are required:

  • Adding the mime type in /etc/nginx/mime.types
  • Explicitly adding a header for *.apk in the site conf

Adding the mime type in /etc/nginx/mime.types:

Add the following line to the mime.types file:

application/vnd.android.package-archive apk;

Explicitly adding a header for *.apk in the site conf:

Update the following configuration in your site conf file:

location ~* \.(apk)$ {
  ......
  add_header Content-Type application/vnd.android.package-archive;
  ......
}

Finally restart Nginx.

sudo service nginx restart

 

Nginx – Deploy SSL certificate

 

These steps are used to deploy an SSL certificate issued by DigiCert.

Before starting, make sure that you have downloaded the SSL certificate issued by DigiCert.

Now create a single file by concatenating your_domain_com.crt and DigiCertCA.crt, and name it chained.crt.

You can use the following command to generate chained.crt:

$ cat your_domain_com.crt DigiCertCA.crt > chained.crt

The chained.crt file is used as ssl_certificate in nginx in this case.

Now configure the nginx virtual hosts file for the website you want to secure, as shown below:

server {

  listen 443 ssl default_server;
  ssl_certificate    /etc/nginx/ssl/chained.crt;
  ssl_certificate_key    /etc/nginx/ssl/your_domain_name.key;

  server_name your.domain.com;

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  location / {
    root   /home/www/public_html/your.domain.com/public/;
    index  index.html;
  }

}

Finally restart nginx.

 

$ service nginx restart

After restarting, your website can be accessed over https.
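
A check for the concatenation order used in both chained.crt sections above, as an added example that is not from the original post: nginx pairs the private key with the first certificate in the file, so a reversed bundle makes it fail at start-up with a "key values mismatch" error. The function names and the throwaway certificates are constructed for illustration, and the openssl command-line tool is assumed to be installed.

```sh
#!/bin/sh
# Added example, not from the original post. Certificates and subjects are constructed.
# Usage on a real host: check_chain /etc/nginx/ssl/chained.crt /etc/nginx/ssl/your_domain_name.key

# make_demo_certs DIR: create a throwaway CA (standing in for IntermediateCA.crt)
# and a server certificate signed by it, so the check can be tried offline.
make_demo_certs() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Intermediate CA" \
    -keyout "$dir/ca.key" -out "$dir/IntermediateCA.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=your.domain.com" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/IntermediateCA.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# check_chain CHAIN KEY: print "ok", "key-mismatch" or "broken-link".
check_chain() {
  chain=$1; key=$2
  parts=$(mktemp -d) || return 1
  # Split the bundle into cert1.pem, cert2.pem, ... in file order.
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$chain"
  result=ok
  # The key is paired with the FIRST certificate, so that must be the server cert.
  cert_pub=$(openssl x509 -in "$parts/cert1.pem" -noout -pubkey 2>/dev/null) || true
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || result=key-mismatch
  # Each certificate must name the next one as its issuer. This compares
  # names only; it does not verify signatures.
  i=1
  while [ "$result" = ok ] && [ -f "$parts/cert$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -in "$parts/cert$i.pem" -noout -issuer_hash)
    subject=$(openssl x509 -in "$parts/cert$((i + 1)).pem" -noout -subject_hash)
    [ "$issuer" = "$subject" ] || result=broken-link
    i=$((i + 1))
  done
  rm -rf "$parts"
  echo "$result"
  [ "$result" = ok ]
}
```

Running nginx -t after the check confirms that nginx itself accepts the certificate and key pair.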

Nginx disable logging

 

To disable logging in nginx we need to change the values of access_log and error_log to off.

Let's say you have a config file for the website example.com in sites-enabled and you want to disable logging for it.

Just open the configuration file for your website, look for access_log and error_log in the server block, and change their values to off.

server {
  listen 80 default;
  server_name *.example.com;

  root /var/www/;
  index index.php;
  access_log off;
  # nginx reads "off" here as a file name; error_log /dev/null crit; discards errors
  error_log off;
  ....
  ....
  ....
}

We can also disable logging for specific patterns, let's say for images or for a particular path.

To disable logging for images, add the following code in the server block:

location ~* \.(gif|jpg|png) {
access_log off;
...
}

To disable logging for a particular path (here I am blocking /images/):

location ^~ /images/ {
access_log off;
...
}

After making any changes to your site's nginx conf, just restart nginx and test.
After restarting nginx, logging should be disabled.

Nginx ssl_error_rx_record_too_long

 

While trying to configure Nginx with SSL, I got an error saying “ssl_error_rx_record_too_long”.

After debugging the issue, the following change in the configuration file resolved it:

In my nginx.conf file I had written:

listen 443;

I changed the above configuration to the following:

listen 443 ssl;

After changing configuration I restarted Nginx and it worked without any issue.
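
One way to catch this before a browser does, as an added example that is not from the original post: without the ssl parameter nginx answers in plain HTTP on port 443, which the browser then reports as ssl_error_rx_record_too_long. The function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. The configuration below is constructed.
sample_conf() {
  cat <<'EOF'
server {
    listen 443;                  # no "ssl" parameter: plain HTTP on port 443
    server_name your.domain.com;
}
server {
    listen [::]:443 ssl;
    listen 8443;
}
EOF
}

# find_plain_443 [FILE...]: print "LINE: directive" for every listen directive on
# port 443 that lacks the ssl parameter. Reads stdin when no file is given.
# Limitation: the legacy "ssl on;" directive is not taken into account.
find_plain_443() {
  awk '
    { sub(/#.*/, "") }                        # drop comments
    $1 == "listen" {
      line = $0
      sub(/;.*/, "", line)                    # keep the text before the semicolon
      sub(/^[ \t]+/, "", line)
      n = split(line, tok)                    # tok[2] is the address/port
      has_ssl = 0
      for (i = 3; i <= n; i++) if (tok[i] == "ssl") has_ssl = 1
      if (tok[2] ~ /(^|:)443$/ && !has_ssl) printf "%d: %s\n", NR, line
    }
  ' "$@"
}

sample_conf | find_plain_443
```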

 

Nginx redirect www to domain

 

To redirect all www requests to the bare domain name in Nginx, use the following rule:

server {
    server_name  www.domain.com;
    rewrite ^(.*) http://domain.com$1 permanent;
}

server {
    server_name  domain.com;
    #The rest of your configuration goes here#
}

The above rule will redirect all requests coming to http://www.domain.com to domain.com.

In other words, the above rule will strip www from the URL.

After adding the above rule, restart nginx to make the rule take effect.

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)

Recently, while playing with nginx, I got stuck with the following error:

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)

Whenever this kind of error occurs, I used to get the port details with netstat and kill that process using its process ID.

This time I was unable to get the port usage details with netstat and was stuck with this error for some time.

After exploring a little bit on the web, the following command helped me to resolve the above issue:

$ sudo fuser -k 80/tcp

Output:

80/tcp:              28461

The fuser command identifies processes using files or sockets.

Here I am using the socket to identify the process, and killed the process with the -k argument.

After running the above command the issue was resolved and I was able to start nginx.

 

How to view nginx status

 

To view nginx status, a configuration change is required in nginx.conf.

I used the following configuration to get nginx status:

location = /nginx_status {
  stub_status on;
  allow 192.168.2.20;
  deny all;
}

Since it's not a good idea to give access to the nginx_status URL, I am allowing only one IP and denying all.

After changing the configuration, restart nginx and view the status at the URL http://yourhostname/nginx_status

The output of the URL looks something like this:

Active connections: 1 
server accepts handled requests
 10 10 55 
Reading: 0 Writing: 1 Waiting: 0

Nginx allow only one ip

 

To allow only one IP to access the site, add the following lines to the nginx.conf file:

server {
    listen 80;
    server_name www.example.com;

    location / {
      root /var/www/;

      allow   add.your.ip.here;
      deny    all;
    }
  }

The allow and deny lines in the above configuration are the two that are important to achieve this functionality.

After adding the above configuration, restart nginx and test. Except for your IP, it should not allow access from any other IP.

Nginx password protect website

 

Whenever there was a requirement to protect a website, or a particular folder in a website, with a username and password, we used to do it with Apache2/Apache HTTP.

This time I thought to try it with Nginx.

Here I am proxy passing all requests with upstream, and I wanted to protect it with a username and password.

Again I used the apache2-utils module to protect the website.

Install apache2-utils:

$ apt-get install apache2-utils

Now create a user with some password:

$ htpasswd -c /etc/nginx/conf.d/.htpasswd/passwd username

where username is any username you wish; it will ask for a password, so just enter one.

After creating the username and password, add the following configuration to nginx.conf’s http module.

upstream appcluster {
  server 192.168.2.20:8080;
}

server {
  listen *;
  location / {
    proxy_pass http://appcluster;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/conf.d/.htpasswd/passwd;
    proxy_set_header X-Real-IP $remote_addr;
  }
}

The upstream module will proxy pass all requests that are coming to your hostname to port 8080 of IP 192.168.2.20.

After adding the above configuration, restart nginx and try to access your hostname; it should ask for a username and password.

In the above configuration, the following 2 lines are responsible for protecting your website:

auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/.htpasswd/passwd;

After adding all configurations in nginx.conf, the following is my http module:

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;

default_type application/octet-stream;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

upstream appcluster {

server 192.168.2.20:8080;
}

server {
listen *;
location / {
proxy_pass http://appcluster;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/.htpasswd/passwd;
proxy_set_header X-Real-IP $remote_addr;

}
}
}