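====== Fichier de configuration ======

# CoreModule #
user _nginx _nginx;
worker_processes 2;
#worker_cpu_affinity 0001 0010 0100 1000;
pid /var/run/nginx.pid;

# EventsModule #
events {
    #use epoll;
    worker_connections 1024;
}

http {
    # HttpCoreModule #
    include mime.types;
    default_type application/octet-stream;
    keepalive_timeout 65 65;
    sendfile on;

    # cache configuration
    open_file_cache off;
    open_file_cache_errors off;
    open_file_cache_min_uses 1;
    open_file_cache_valid 60;

    # HttpCharsetModule #
    charset utf-8;

    # LogModule #
    # Caution: these are the global nginx logs, *not* the virtual hosts logs.
    # The default format for the access log is "combined".
    access_log off;
    error_log /var/log/nginx/error.log crit;
    # HttpMainModule
    open_log_file_cache off;

    # GzipModule #
    gzip on;
    gzip_buffers 256 4k;
    gzip_comp_level 1;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_min_length 0;
    gzip_proxied off;
    gzip_types text/plain text/xml text/javascript application/x-javascript text/css application/atom+xml application/rss+xml;
    gzip_vary off;

    # HttpHeadersModule #
    expires 4h;

    # AutoIndex
    # NOTE: set at http level, so *every* vhost below lists the content of any
    # directory that has no index file. Keep that in mind when adding content.
    autoindex on;
    autoindex_exact_size on;
    autoindex_localtime on;

    include default_vhost;
    include machine.name;
    include sites/virtual_host;
}

# virtual_host
# HTTP
server {
    listen 80;
    server_name virtual_host;

    access_log /var/log/nginx/directory/virtual_host/access_log combined;
    error_log /var/log/nginx/directory/virtual_host/error_log warn;

    # root/index are declared at server level rather than inside "location /"
    # so that $document_root and try_files resolve correctly in every location,
    # in particular in the PHP one below.
    root /var/nginx/directory/virtual_host;
    index index.php index.html index.htm;

    # Dokuwiki internal directories.
    # These regex locations are declared BEFORE the "\.php$" one on purpose:
    # nginx uses the first matching regex location in declaration order, so
    # declared after it, a request for a .php file under inc/ or bin/ would be
    # handed to the PHP backend instead of being denied.
    location ~ /wiki/(data|conf|bin|inc)/ { deny all; }
    location ~ /random/wiki/(data|conf|bin|inc)/ { deny all; }
    location ~ /load/wiki/(data|conf|bin|inc)/ { deny all; }

    location ~ /\.ht { deny all; }

    # PHP fastcgi
    # managed by spawn-fcgi on localhost:9003
    location ~ \.php$ {
        # Only hand over scripts that actually exist on disk. Without this,
        # a request naming a non-PHP file followed by "/anything.php" can be
        # interpreted as PHP by the backend (PHP cgi.fix_pathinfo behaviour).
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9003;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fastcgi_param HTTPS on;
        include fastcgi_params;
    }

    # Mailman
    # proxy to CGI managed by thttpd on localhost:8000
    location /listes/ {
        rewrite ^/listes/$ /listes/listinfo last;
        proxy_pass http://127.0.0.1:8000/;
        proxy_set_header Host $host;
        # forward the client address, otherwise the backend only ever logs 127.0.0.1
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_intercept_errors on;
    }
    # NOTE: the Mailman admin pages carry passwords; served over plain HTTP here.
    # Consider redirecting this location (or the whole vhost) to the HTTPS
    # server, e.g. "return 301 https://$host$request_uri;".
    location /admin {
        proxy_pass http://127.0.0.1:8000/admin;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_intercept_errors on;
    }
    location /listes/images/mailman/ {
        alias /usr/local/lib/mailman/icons/;
    }
    location /pipermail/ {
        alias /usr/local/lib/mailman/archives/public/;
    }
}

# virtual_host
# HTTPS
server {
    # "ssl on;" is deprecated since nginx 1.15.0; the listen parameter is the
    # supported form on every current release.
    listen 443 ssl;
    server_name virtual_host;

    access_log /var/log/nginx/directory/virtual_host/access_log combined;
    error_log /var/log/nginx/directory/virtual_host/error_log warn;

    ssl_certificate /etc/ssl/virtual_host.crt;
    ssl_certificate_key /etc/ssl/private/virtual_host.key;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSLcachevhost:1m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped here.
    # Add TLSv1.3 once nginx >= 1.13.0 is built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;
    # "HIGH" still admits non-forward-secret RSA key exchange; the Mozilla
    # server-side TLS guide referenced below gives a curated list to replace it.
    ssl_ciphers HIGH:!ADH:!AECDH:!PSK:!3DES:!MD5;
    ssl_prefer_server_ciphers on;
    # Enable HSTS once HTTP -> HTTPS redirection is in place on the port 80 vhost:
    #add_header Strict-Transport-Security "max-age=31536000";

    # see the HTTP vhost: server-level root/index so $document_root and
    # try_files work in every location.
    root /var/nginx/directory/virtual_host;
    index index.php index.html index.htm;

    # Dokuwiki internal directories -- same set as the HTTP vhost (the
    # /load/wiki/ rule was missing here although both vhosts share one root),
    # and declared before the "\.php$" regex location for the reason given there.
    location ~ /wiki/(data|conf|bin|inc)/ { deny all; }
    location ~ /random/wiki/(data|conf|bin|inc)/ { deny all; }
    location ~ /load/wiki/(data|conf|bin|inc)/ { deny all; }

    location ~ /\.ht { deny all; }

    # PHP fastcgi
    # managed by spawn-fcgi on localhost:9003
    location ~ \.php$ {
        # refuse requests whose target script does not exist (see HTTP vhost)
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9003;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }

    # Mailman
    # proxy to CGI managed by thttpd on localhost:8000
    location /listes/ {
        rewrite ^/listes/$ /listes/listinfo last;
        proxy_pass http://127.0.0.1:8000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_intercept_errors on;
    }
    location /admin {
        proxy_pass http://127.0.0.1:8000/admin;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_intercept_errors on;
    }
    location /listes/images/mailman/ {
        alias /usr/local/lib/mailman/icons/;
    }
    location /pipermail/ {
        alias /usr/local/lib/mailman/archives/public/;
    }
}

====== Configuration ======

blah

===== HTTPS =====

  * [[http://wiki.nginx.org/HttpSslModule]] ;
  * [[http://nginx.org/en/docs/http/configuring_https_servers.html]] ;
  * [[https://wiki.mozilla.org/Security/Server_Side_TLS]] ;
  * [[http://www.hybridforge.com/blog/nginx-ssl-ciphers-and-pci-compliance]] ;
  * [[https://www.ssllabs.com/ssltest/analyze.html?d=www.mouet-mouet.net]] ;
  * [[https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy]] ;
  * [[http://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/]] ;
  * [[https://jve.linuxwall.info/blog/index.php?post/2013/10/12/A-grade-SSL/TLS-with-Nginx-and-StartSSL]] ;
  * [[https://bettercrypto.org/static/applied-crypto-hardening.pdf]] ;
  * [[http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using]] ;
  * [[http://en.wikipedia.org/wiki/Transport_Layer_Security]] ;
  * [[http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/]] ;
  * [[https://www.imperialviolet.org/2010/12/04/ecc.html]] ;
  * etc.

====== journaux d'activité ======

Rotation des logs :

# After the rename nginx still writes to the old, now unlinked, inode until it
# reopens its log files: the trailing USR1 (pid file from the CoreModule
# section above) makes it switch to the new access_log / error_log.
# "rm -f" is enough here: the targets are regular files, "-r" only adds risk.
grep "/2013:" access_log > access_log_2013 && \
grep "/2014:" access_log > access_log_2014 && \
rm -f access_log && \
mv access_log_2014 access_log && \
gzip access_log_2013 && \
grep "^2013/" error_log > error_log_2013 && \
grep "^2014/" error_log > error_log_2014 && \
rm -f error_log && \
mv error_log_2014 error_log && \
gzip error_log_2013 && \
kill -USR1 "$(cat /var/run/nginx.pid)"

====== Bibliographie ======

  * site web officiel :
  * Wikipedia :
  * etc.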