Friday, 15 March 2019

Nginx08-Location-Block-Syntax

Location Block Syntax

Before we cover how Nginx decides which location block to use to handle requests, let's go over some of the syntax you might see in location block definitions. Location blocks live within server blocks (or other location blocks) and are used to decide how to process the request URI (the part of the request that comes after the domain name or IP address/port).
  • Location blocks generally take the following form:
location optional_modifier location_match {
    ....
}
The location_match in the above defines what Nginx should check the request URI against. The existence or nonexistence of the modifier in the above example affects the way that the Nginx attempts to match the location block. The modifiers below will cause the associated location block to be interpreted as follows:
  • (none): If no modifiers are present, the location is interpreted as a prefix match. This means that the location given will be matched against the beginning of the request URI to determine a match.
     location /site {
         ....
     }
    
  • =: If an equal sign is used, this block will be considered a match if the request URI exactly matches the location given.
     location = /page1 {
         ....
     }
    
  • ~: If a tilde modifier is present, this location will be interpreted as a case-sensitive regular expression match.
     location ~ \.(jpe?g|png|gif|ico)$ {
         ....
     }
    
  • ~:* If a tilde and asterisk modifier is used, the location block will be interpreted as a case-insensitive regular expression match.
     location ~* \.(jpe?g|png|gif|ico)$ {
         ....
     }
    
  • ^~: If a carat and tilde modifier is present, and if this block is selected as the best non-regular expression match, regular expression matching will not take place.
     location ^~ /costumes {
         ....
     }
    
  • Nginx evaluates the possible location contexts by comparing the request URI to each of the locations. It does this using the following algorithm:
    • Nginx begins by checking all prefix-based location matches (all location types not involving a regular expression). It checks each location against the complete request URI.
    • First, Nginx looks for an exact match. If a location block using the = modifier is found to match the request URI exactly, this location block is immediately selected to serve the request.
    • If no exact (with the = modifier) location block matches are found, Nginx then moves on to evaluating non-exact prefixes. It discovers the longest matching prefix location for the given request URI, which it then evaluates as follows:
      • If the longest matching prefix location has the ^~ modifier, then Nginx will immediately end its search and select this location to serve the request.
      • If the longest matching prefix location does not use the ^~ modifier, the match is stored by Nginx for the moment so that the focus of the search can be shifted.
    • After the longest matching prefix location is determined and stored, Nginx moves on to evaluating the regular expression locations (both case sensitive and insensitive). If there are any regular expression locations within the longest matching prefix location, Nginx will move those to the top of its list of regex locations to check. Nginx then tries to match against the regular expression locations sequentially. The first regular expression location that matches the request URI is immediately selected to serve the request.
    • If no regular expression locations are found that match the request URI, the previously stored prefix location is selected to serve the request.
It is important to understand that, by default, Nginx will serve regular expression matches in preference to prefix matches. However, it evaluates prefix locations first, allowing for the administer to override this tendency by specifying locations using the = and ^~ modifiers.
It is also important to note that, while prefix locations generally select based on the longest, most specific match, regular expression evaluation is stopped when the first matching location is found. This means that positioning within the configuration has vast implications for regular expression locations.

Thursday, 7 March 2019

Nginx07-SSL-Certificate-Management

SSL Certificate Management

  • Create a directory for SSL certificates in /etc/nginx
# mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
  • Generate a certificate
# openssl genrsa -des3 -out server.key 1024
NOTE : You need to give a pass phrase to generate your key between 4 to 8191 characters
  • Now let us use this key to create a signin certificate request
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:AP
Locality Name (eg, city) [Default City]:Hyderabad
Organization Name (eg, company) [Default Company Ltd]:Linux-Library
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:dev02
Email Address []:vmsnivas@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
NOTE: Leave the extra attributes blank
  • Now we need to remove the pass phrase for the server.key or else NGINX will prompt for the pass phrase every time you restart it.
  • Backup your server.key file
# cp -prv server.key server.key.`date +"%Y%m%d"`.bak
  • Now we can use the backup key file as input and the main file as the output with the pass phrase to remove the pass phrase.
# openssl rsa -in server.key.`date +"%Y%m%d"`.bak -out server.key
NOTE: We need to give the passphrase here but it will rewrite the server.key file without a pass phrase
  • Now we need to sign and create our certificate
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  • We have our certificate ready and all we need to do now is to prepare our server to answer the requests over https on 443 port
  • For this we need to add a new server section to serve the requests to listen on 443 in our custom config file in /etc/nginx/vhost.d
# vi www.lltest1.ll.conf

server {
        listen 443;

        root /var/www/html/lltest1;
        index index.html index.htm index.php;

        server_name www.lltest1.ll lltest1;

        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key
}
  • Here we are saying NGINX to turn on SSL function for this site and use the certificate and the key provided below.
  • Verify the configuration
# nginx -t
  • Reload the NGINX service
# nginx -s reload
  • Now you can verify your website from any browser. It will shows an error as you are not registered your certificate with neither of the third party certificate providers. But there is no issue as yours is a self signed certificate. You can use proceed unsafe option to go ahead and use your site.