Nginx

Name: Nginx is named after engine X. Utility:

Common Backend Architecture. Nginx belongs to API Gateway Service

Common Gateway Includes

Web Architecture

request -> web server -> application server -> web application

Examples:

This video explains the common web architecture really well

Nginx Install

sudo apt install nginx should install and activate nginx for you.

Configuration files (paths are relative to /etc/nginx/):

Path                   Purpose                                                   Ref.
./conf.d/*.conf        Extra configuration files.                                #conf.d, #appincludes
./fastcgi.conf         Commonly configured directives (nginx packaging team)     #params
./fastcgi_params       Commonly configured directives (upstream version)         #params
./koi-utf              Nginx character set                                       #charset
./koi-win              Nginx character set                                       #charset
./mime.types           Maps file name extensions to MIME types of responses      #mimetypes
./nginx.conf           The primary configuration file.                           #nginx.conf
./proxy_params         Commonly configured directives                            #params
./scgi_params          Commonly configured directives                            #params
./sites-available/*    Extra virtual host configuration files                    -
./sites-enabled/*      Symlinks to sites-available/ that enable a vhost          -
./snippets/*.conf      Configuration snippets that can be included in configs    -
./apps.d/*.conf        Files included by /etc/nginx/sites-available/default      #appincludes
./uwsgi_params         Commonly configured directives                            #params
./win-utf              Nginx character set                                       #charset

There are a few files you need to pay attention to:

Nginx Commands

nginx version: nginx/1.18.0 (Ubuntu)
Usage: nginx [-?hvVtTq] [-s signal] [-c filename] [-p prefix] [-g directives]

Options:
  -?,-h         : this help
  -v            : show version and exit
  -V            : show version and configure options then exit
  -t            : test configuration and exit
  -T            : test configuration, dump it and exit
  -q            : suppress non-error messages during configuration testing
  -s signal     : send signal to a master process: stop, quit, reopen, reload
  -p prefix     : set prefix path (default: /usr/share/nginx/)
  -c filename   : set configuration file (default: /etc/nginx/nginx.conf)
  -g directives : set global directives out of configuration file

Some highlights:

Nginx Server Config File

Here is an example of my config file:

We can initialize the site config file by copying the default one: sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/xxx.conf

Put your xxx.conf inside /etc/nginx/sites-available/ and symlink it into /etc/nginx/sites-enabled/: sudo ln -s /etc/nginx/sites-available/kokecacao.conf /etc/nginx/sites-enabled/

After you have successfully added and reloaded the configuration for your new site, it is safe to run sudo certbot --nginx.

/etc/nginx/sites-available/kokecacao.conf

# handle the Upgrade request header that is typically present when
# implementing the ws and wss (WebSocket) protocols;
# this sets the variable `$connection_upgrade` that we use later
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # we are listening for these two names
    server_name kokecacao.me www.kokecacao.me;

    # write logs
    access_log /var/log/nginx/kokecacao.access.log;
    error_log /var/log/nginx/kokecacao.error.log;

    # speed up TLS handshakes by caching sessions
    # ssl_session_timeout 1d;
    # ssl_session_tickets off;
    ssl_session_cache shared:MozSSL:10m;

    # for the socket.io endpoint, we add extra settings to
    # pass the upgrade request to the application
    location /socket.io {
        if ($http_upgrade != "websocket") {
            return 404;
        }
        include proxy_params;
        # `off` cancels proxy_redirect directives inherited from the previous
        # configuration level, so we do not rewrite Location headers
        proxy_redirect off;
        proxy_cache_bypass $http_upgrade; # another way to turn off caching
        proxy_http_version 1.1; # socket.io protocol upgrade
        proxy_buffering off; # disable buffering for the socket.io connection
        proxy_set_header Upgrade $http_upgrade; # socket.io protocol upgrade
        proxy_set_header Connection $connection_upgrade; # socket.io protocol upgrade
        # We could pass the request to a Unix domain socket file
        # or instead write `proxy_pass http://127.0.0.1:12222;` to use a port
        proxy_pass http://unix:/home/ubuntu/ops/kokecacao.me/kokecacao.sock;
    }

    # if not `/socket.io`, then we pass the request on to the application
    location / {
        # points to `/etc/nginx/proxy_params`
        include proxy_params;
        # no URI after the socket path, so the request URI is passed unchanged
        proxy_pass http://unix:/home/ubuntu/ops/kokecacao.me/kokecacao.sock;
    }

    # ssl certificate managed by letsencrypt.
    # These should be generated automatically.
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/kokecacao.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/kokecacao.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Handle http redirection to https for security
server {
    if ($host = www.kokecacao.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = kokecacao.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name kokecacao.me www.kokecacao.me;
    return 404; # managed by Certbot
}

Note that include proxy_params adds whatever is in the file /etc/nginx/proxy_params to the current configuration. The default proxy_params is the following:

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

$http_host always equals the HTTP_HOST request header. $host equals $http_host, lowercased and without the port number (if present), except when HTTP_HOST is absent or is an empty value. In that case, $host equals the value of the server_name directive of the server which processed the request. (from Stackoverflow)
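As an added example (not from the page and not nginx's own code), the following Python models the four headers that proxy_params sets and the $host rules quoted above, and shows how a backend behind this proxy should read the client address from X-Forwarded-For. The function names and all addresses and header values are constructed for illustration.

```python
def nginx_host_var(http_host: str, server_name: str) -> str:
    """$host: the Host header lowercased with any port removed; when the
    header is absent or empty ("" here) nginx substitutes the server_name."""
    if not http_host:
        return server_name
    host = http_host.strip().lower()
    if host.startswith("["):  # IPv6 literal keeps its brackets; port follows ']'
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.split(":", 1)[0]


def _header(headers: dict, name: str) -> str:
    """Case-insensitive lookup; a missing header is "" like an unset $http_* var."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def proxy_params_headers(client_headers: dict, remote_addr: str, scheme: str) -> dict:
    """Headers the upstream sees after `include proxy_params` (remote_addr = nginx's TCP peer)."""
    overridden = ("host", "x-real-ip", "x-forwarded-for", "x-forwarded-proto")
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in overridden}
    host = _header(client_headers, "Host")           # $http_host
    if host:  # proxy_set_header with an empty value drops the header entirely
        upstream["Host"] = host
    upstream["X-Real-IP"] = remote_addr              # $remote_addr
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
    # the client sent, so the client-supplied prefix survives untouched.
    incoming = _header(client_headers, "X-Forwarded-For")
    upstream["X-Forwarded-For"] = f"{incoming}, {remote_addr}" if incoming else remote_addr
    upstream["X-Forwarded-Proto"] = scheme           # $scheme
    return upstream


def client_ip_from_xff(xff: str, trusted_proxies: int = 1) -> str:
    """Backend side: only the right-most `trusted_proxies` hops were appended by
    proxies we control (1 for nginx alone, 2 with Cloudflare in front of it);
    everything left of those is attacker-controlled and must not be trusted."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        raise ValueError("X-Forwarded-For has fewer hops than trusted proxies")
    return hops[-trusted_proxies]


if __name__ == "__main__":
    # constructed request: client 203.0.113.5 tries to plant a fake first hop
    sent = {"Host": "WWW.KokeCacao.me:443", "X-Forwarded-For": "198.51.100.9"}
    seen = proxy_params_headers(sent, "203.0.113.5", "https")
    print(seen["X-Forwarded-For"])                       # 198.51.100.9, 203.0.113.5
    print(client_ip_from_xff(seen["X-Forwarded-For"]))   # 203.0.113.5
    print(nginx_host_var(sent["Host"], "kokecacao.me"))  # www.kokecacao.me
```

Note that with Cloudflare in front of nginx, $remote_addr is Cloudflare's address, so the backend must count two trusted hops unless nginx is configured to restore the client address itself.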

It is good practice to generate the SSL certificate automatically. To do so, we first write a simpler config:

server {
  listen 80;
  server_name kokecacao.me www.kokecacao.me;

  access_log /var/log/nginx/kokecacao.access.log;
  error_log /var/log/nginx/kokecacao.error.log;

  location / {
    include proxy_params;
    proxy_pass http://unix:/home/ubuntu/ops/kokecacao.me/kokecacao.sock;
  }
}

Then install and activate certbot:

# remove any apt-installed certbot and old Let's Encrypt state before installing the snap
echo "Removing certbot if it exists. This will automatically stop the service..." && \
sudo snap install core && sudo snap refresh core && \
sudo apt-get remove certbot ; \
echo "Removing letsencrypt directories..." && \
sudo rm -rf /etc/letsencrypt/ ; \
sudo rm -rf /var/lib/letsencrypt/ ; \
sudo rm -rf /var/log/letsencrypt/

# install the snap, expose it on PATH, and let it obtain the certificate and edit the nginx config
echo "Installing certbot..." && \
sudo snap install --classic certbot && \
sudo ln -s /snap/bin/certbot /usr/bin/certbot && \
echo "Registering SSL certificate. Please enter some info below:" && \
sudo certbot --nginx && \
echo "Installation complete. Now replace the nginx config."

When you run sudo systemctl list-timers, you should see a snap.certbot.renew.timer unit that runs snap.certbot.renew.service. This timer renews the certificate periodically.

Achieve A+ with SSL Labs

When done, configure Cloudflare and test your settings with SSL Labs to see which devices are compatible and how strong the encryption is. Adjust your TLS configuration according to its suggestions.

Certbot

Adding New Domain to Certbot

To see all current certificates: sudo certbot certificates

You should see the following structure:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: deepvocab.kokecacao.me
    Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key Type: RSA
    Domains: deepvocab.kokecacao.me
    Expiry Date: 2022-11-15 19:06:56+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/deepvocab.kokecacao.me/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/deepvocab.kokecacao.me/privkey.pem
  Certificate Name: kokecacao.me
    Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key Type: RSA
    Domains: kokecacao.me www.kokecacao.me
    Expiry Date: 2022-10-26 03:34:51+00:00 (VALID: 58 days)
    Certificate Path: /etc/letsencrypt/live/kokecacao.me/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kokecacao.me/privkey.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

A certificate can contain multiple domains. In the output above, the certificate deepvocab.kokecacao.me contains only one domain (deepvocab.kokecacao.me), whereas the certificate kokecacao.me contains two domains (kokecacao.me and www.kokecacao.me).

To modify (add or remove) the domains a certificate contains, use the command: certbot certonly --cert-name example.com -d example.org,www.example.org
