5.5. Nginx
Note
This section needs checking
Note
Set up DNS to point to the correct server. Set up Nginx to listen for the name first, otherwise requests for it fall through to the default server block, which is a pain to clear.
Note
On Debian-based systems, fill /etc/hostname with the FQDN.
If there are other websites on the server, do not set this up until you have configured it and got Nginx to listen for it. When I put SG up initially, TC was the default website, so it picked up all SG traffic and, due to my config, set a 301 permanent redirect which was awkward to clear.
In the past I had an error about names being too long for nginx, so I had to increase server_names_hash_bucket_size:
sudo nano /etc/nginx/nginx.conf
# inside the http { } block
server_names_hash_bucket_size 64;
### On this new server, it just needed uncommenting
sudo reboot
At this point, due to the issues faced regarding HTTPS, I’m setting up a static ‘being upgraded’ page and getting Nginx to serve it before pointing the DNS at it. No 301s though!
Nginx needs a couple of redirect blocks:
# plain HTTP for both names: send everything to the canonical HTTPS host
server {
    listen 80;
    server_name www.secretgifter.co.uk secretgifter.co.uk;
    return 302 https://www.secretgifter.co.uk$request_uri;
}
# HTTPS on the bare domain: the certificate is needed here so the TLS
# handshake completes before the redirect is sent
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/sg/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/sg/www.secretgifter.co.uk.key;
    server_name secretgifter.co.uk;
    return 301 https://www.secretgifter.co.uk$request_uri;
}
I put 302 for testing but then switched it to 301s when I knew it was working. I think one of the original problems I had was because the ssl_certificate information was not in the initial redirect block and it did not like it.
I need to add the accepted protocols to the server block that is needed for Django and for serving the files.
5.5.1. Example from Michal’s Blog
upstream hello_app_server {
    # fail_timeout=0 means we always retry an upstream even if it failed
    # to return a good HTTP response (in case the Unicorn master nukes a
    # single worker for timing out).
    server unix:/webapps/hello_django/run/gunicorn.sock fail_timeout=0;
}

server {
    listen 80;
    server_name example.com;
    client_max_body_size 4G;
    access_log /webapps/hello_django/logs/nginx-access.log;
    error_log /webapps/hello_django/logs/nginx-error.log;

    location /static/ {
        alias /webapps/hello_django/static/;
    }

    location /media/ {
        alias /webapps/hello_django/media/;
    }

    location / {
        # an HTTP header important enough to have its own Wikipedia entry:
        # http://en.wikipedia.org/wiki/X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # enable this if and only if you use HTTPS, this helps Rack
        # set the proper protocol for doing redirects:
        # proxy_set_header X-Forwarded-Proto https;
        # pass the Host: header from the client right along so redirects
        # can be set properly within the Rack application
        proxy_set_header Host $http_host;
        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;
        # set "proxy_buffering off" *only* for Rainbows! when doing
        # Comet/long-poll stuff. It's also safe to set if you're
        # using only serving fast clients with Unicorn + nginx.
        # Otherwise you _want_ nginx to buffer responses to slow
        # clients, really.
        # proxy_buffering off;
        # Try to serve static files from nginx, no point in making an
        # *application* server like Unicorn/Rainbows! serve static files.
        if (!-f $request_filename) {
            proxy_pass http://hello_app_server;
            break;
        }
    }

    # Error pages
    error_page 500 502 503 504 /500.html;
    location = /500.html {
        root /webapps/hello_django/static/;
    }
}
I used <https://bjornjohansen.no/optimizing-https-nginx> for configuring the security settings, though I only got to stage 3. Near the bottom there is a link to SSL Labs for analysing the security of my site.
The site only gave me a C rating and said I had SSL3 enabled. The guide said I had to add three accepted TLS protocols and that would sort it, but I had that and kept getting the error. In the end I ran the command below, which led me to find SSL enabled in the default config I’d used for testing but hadn’t actually symlinked into sites-enabled, so it shouldn’t have been an issue.
grep -slir "ssl_ciphers" /etc/nginx/
The test has just run again and it still tells me I’ve got SSL3 enabled. I’d also put in a bigger list of ciphers, more of which it is now listing as weak.
<http://disablessl3.com/#test>
Turns out the TLS protocol and cipher settings need to go in the initial redirect block to get picked up. This pushes my rating to B.
<https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html>
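A small config check, added here as an example and not code from these notes, that parses nginx server blocks and flags what this section ran into: a 443 block with no ssl_protocols (especially the first, default, block for an address) and any block that still enables SSLv3 or old TLS versions. The sample config is constructed; example.test and app_server are placeholders.

```python
import re
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
SAMPLE = """server {
    listen 443 ssl;   # first 443 block on this address = nginx's default server
    server_name example.test;
    return 301 https://www.example.test$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass http://app_server; }
}"""  # constructed sample, not the author's real files

def server_bodies(text):
    """Body of every server { ... } block, comments dropped, braces balanced."""
    text = re.sub(r"#[^\n]*", "", text)
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, j = 1, m.end()
        while depth and j < len(text):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        bodies.append(text[m.end():j - 1])
    return bodies

def directives(body):
    """Map directive name -> list of argument lists (listen, ssl_protocols, ...)."""
    found = {}
    for m in re.finditer(r"(\w+)\s+([^;{]*);", body):
        found.setdefault(m.group(1), []).append(m.group(2).split())
    return found

def audit(conf):
    """One finding per TLS problem, in the order the server blocks appear."""
    findings, seen = [], set()
    for n, body in enumerate(server_bodies(conf), 1):
        d = directives(body)
        who = f"server #{n} ({' '.join(d.get('server_name', [['?']])[0])})"
        protos = {p for args in d.get("ssl_protocols", []) for p in args}
        for listen in d.get("listen", []):
            if "ssl" not in listen and not listen[0].endswith("443"):
                continue
            # first block per address is nginx's default server, where this section found the TLS settings had to live
            if not protos:
                role = "first (default)" if listen[0] not in seen else "later"
                findings.append(f"{who}: {role} TLS block on {listen[0]} has no ssl_protocols")
            seen.add(listen[0])
            if protos & WEAK:
                findings.append(f"{who}: enables {sorted(protos & WEAK)}")
    return findings
```

Run it over the real files with `audit(open("/etc/nginx/sites-enabled/<site>").read())`; the grep command above finds the files, this tells you which block each setting actually lives in.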
Added some settings for Django <https://docs.djangoproject.com/en/1.8/topics/security/>:
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
Note
Check about changing the Nginx config for longer names (server_names_hash_bucket_size, above).