Linux.nginx

Aus OrgaMon Wiki
Zur Navigation springen Zur Suche springen

Überblick

  • Ich verwendet nginx als HTTP/2 Server auf einem Raspberry Pi
  • PHP soll in allen Stufen möglich sein

Auslieferung von Android-Apps

  • Hinzufügen zu /etc/nginx/mime.types
   application/vnd.android.package-archive     apk;


Authentifizierung

  • System-Voraussetzung
apt-get install apache2-utils
  • in der Host.conf
   auth_basic           "Administrator’s Area";
   auth_basic_user_file /etc/apache2/.htpasswd;
  • in der Kommandozeile
htpasswd -bc /srv/ngx/orgamon-2.dyndns.org/.htpasswd username ***pwd***

Stufe 1, :80 HTTP-Server

apt-get install nginx
apt-get install php-fpm php-mbstring php-xml php-mysql
  • orgamon-2.dyndns.org
server {
       listen 80 default_server;
       listen [::]:80 default_server;

       root /srv/ngx/orgamon-2.dyndns.org;

       index index.html index.htm index.nginx-debian.html;

       server_name orgamon-2.dyndns.org;

       location / {
               # First attempt to serve request as file, then
               # as directory, then fall back to displaying a 404.
               try_files $uri $uri/ =404;
       }

       location ~ \.php$ {
               include snippets/fastcgi-php.conf;
               fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
       }

}

Stufe 2, :443 HTTPS-Server (TLS 1.2)

  • Port 80 + 443 auf den Server lenken
apt-get install certbot
certbot certonly --rsa-key-size 4096
  • /etc/nginx/sites-enabled/orgamon-2.dyndns.org
server {

       listen 443 ssl default_server;
       ssl_protocols TLSv1.2;

       root /srv/ngx/orgamon-2.dyndns.org;

       index index.html index.htm index.nginx-debian.html;

       server_name orgamon-2.dyndns.org;

       ssl_certificate /etc/letsencrypt/live/orgamon-2.dyndns.org/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/orgamon-2.dyndns.org/privkey.pem;

       location / {
               # First attempt to serve request as file, then
               # as directory, then fall back to displaying a 404.
               try_files $uri $uri/ =404;
       }

       location ~ \.php$ {
               include snippets/fastcgi-php.conf;
               fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
       }
}

Stufe 3, :443 HTTP/2 Server mit TLS 1.2

server {

      listen 443 ssl http2;
...

Stufe 4, :443 HTTP/2 Server mit TLS 1.3 (only!)


wget https://github.com/MatthewVance/nginx-build/raw/master/build-nginx.sh
# ich versuche den Debug-Mode mit hineinzukompilieren: http://nginx.org/en/docs/debugging_log.html
# und habe beim Build-Skript --with-debug hinzugemacht


chmod 777 build-nginx.sh
./build-nginx.sh
  • Probier aus, ob wirklich openssl-1-1-1 verwendet wird
nginx -V

dhparam

openssl dhparam -out /etc/nginx/dhparam-4096.pem 4096


  • Das dauerte bei mir von 14:58 h bis 23:03 h, also ca. 8 Stunden

nginx.conf

  • LÖSUNG: einfach einen aktuellen Browser verwenden, TLS 1.3 "final" war einfach für die Browser zu aktuell, die hätten einen "Draft xx" erwartet.
   server {

      # Content
      #
      server_name orgamon.com;
      root /srv/ngx/orgamon.com;
      index index.php;
      #
      location / {
              index index.php index.html;
              try_files $uri $uri/ =404;
      }
      #
      location ~ \.php$ {
              include fastcgi-php.conf;
              fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
      }

      # Transport
      #
      listen 443 ssl http2;
      ssl_protocols TLSv1.3;
      ssl_prefer_server_ciphers on;
      ssl_ecdh_curve auto;
      ssl_dhparam /etc/nginx/dhparam-4096.pem;
      ssl_certificate /etc/letsencrypt/live/orgamon.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/orgamon.com/privkey.pem;

      # Session
      #
      ssl_session_cache shared:SSL:20m;
      ssl_session_timeout 15m;
      ssl_session_tickets off;

      # Logging
      #
      error_log /srv/ngx/orgamon.com/error.log debug;
   }

todo

CAA 1 issue “letsencrypt.org”
         ssl_stapling on;
         resolver 192.0.2.1;
         ssl_trusted_certificate chain_path;
         ssl_stapling_verify on;
TLS1.2 ECDHE-RSA-AES256-GCM-SHA384


openssl s_client -connect orgamon.com:https -alpn h2 -debug
https://scotthelme.co.uk/ecdsa-certificates/
  • ECDSA
https://community.letsencrypt.org/t/howto-obtain-ecdsa-cert-in-addition-to-rsa-with-certbot/61687

Script zur Erstellung von Servern

program massConf;

{$mode objfpc}{$H+}

uses
 Classes, SysUtils, Unix;


function split(s:string; Delimiter:string=';'):TStringList;
var
 n : Integer;
begin
 result := TStringList.create;
 repeat
  n := pos(Delimiter,s);
  if (n>0) then
  begin
   result.add( copy(s,1,pred(n)));
   s := copy(s,succ(n),MaxInt);
  end else
  begin
   result.add(s);
   break;
  end;
 until false;
end;

var
 sHeaders : TStringList;
 sValues : TStringList;

const
 Param = 'ablagen';


function eval(s:string):string;
var
 n,m : Integer;
begin
 if (pos('~',s)>0) then
 begin
  for n := 0 to pred(sHeaders.count) do
  begin
   m := pos('~'+sHeaders[n]+'~',s);
   if (m>0) then
   begin
    s :=
     copy(s,1,pred(m)) +
     sValues[n] +
     copy(s,m+length(sHeaders[n])+2,MaxInt);
    if (pos('~',s)=0) then
     break;
   end;
  end;
 end;
 result := s;
end;

var
 sConf : TStringList;
 sParameter : TStringList;
 sTemplate : TStringList;
 sOutPut : TStringList;
 sData : TStringList;
 sCopy : TStringList;
 n,m : Integer;
 StartDataFlag : boolean;

 // Parameter
 pOutput : string;

begin
 sConf := TStringList.create;
 sConf.loadfromFile(Param+'.conf');

 StartDataFlag := false;
 sTemplate := TStringList.create;
 sParameter := TStringList.create;
 for n := 0 to pred(sConf.count) do
 begin
  if StartDataFlag then
  begin
   sTemplate.add(sConf[n]);
  end else
  begin
   if (pos('#',sConf[n])<>1) then
     sParameter.add(sConf[n]);
  end;
  if not(StartDataFlag) then
   if (sConf[n]=':') then
    StartDataFlag := true;
 end;
 sConf.free;

 // Load the parameter, more to come
 pOutPut := sParameter.values['Output'];

 sData := TStringList.create;
 sData.loadfromFile(Param+'.csv');

 sHeaders := split(sData[0]);

 for n := 1 to pred(sData.count) do
 begin

  // prepare Data
  sValues := split(sData[n]);

  // assume [0] is speakfull
  write( sValues[0] + ' ... ' );

  // Dateien sicherstellen?
  for m := 0 to pred(sParameter.count) do
   if (pos('cp ',sParameter[m])=1) then
   begin
    sCopy := split(eval(sParameter[m]),' ');
    if not(FileExists(sCopy[2])) then
     fpsystem('cp '+sCopy[1]+' '+sCopy[2]);
    sCopy.free;
   end;

  // Template ausbelichten
  sOutPut := TStringList.create;
  for m := 0 to pred(sTemplate.count) do
   sOutPut.add( eval(sTemplate[m]));
  sOutPut.saveToFile(eval(pOutPut));
  sOutPut.free;

  // unprepare
  sValues.free;

  writeln('OK');

 end;

 sData.free;
 sHeaders.free;
 sTemplate.free;
 sParameter.free;

end.


Meilensteine

13.09.2018

  • kein Erfolg, der firefix Client sagt Protokoll-Error

06.10.2018

  • Es gibt neue SSL Debug Strings
  • Ich will es nochmal mit TLS 1.3 versuchen
  • OpenSSL 1.1.1
  • nginx 1.15.5
  • geht wieder nicht (TLS 1.2 geht jedoch)!
  • FireFox meldet
 SSL_ERROR_PROTOCOL_VERSION_ALERT
  • Nginx-Debug
2018/10/05 20:18:47 [debug] 3021#3021: epoll add event: fd:9 op:1 ev:00002001
2018/10/05 20:19:05 [debug] 3021#3021: accept on 0.0.0.0:443, ready: 0
2018/10/05 20:19:05 [debug] 3021#3021: posix_memalign: 01F3F810:256 @16
2018/10/05 20:19:05 [debug] 3021#3021: *1 accept: 79.246.106.81:52415 fd:3
2018/10/05 20:19:05 [debug] 3021#3021: *1 event timer add: 3: 60000:78931291
2018/10/05 20:19:05 [debug] 3021#3021: *1 reusable connection: 1
2018/10/05 20:19:05 [debug] 3021#3021: *1 epoll add event: fd:3 op:1 ev:80002001
2018/10/05 20:19:05 [debug] 3021#3021: *1 http check ssl handshake
2018/10/05 20:19:05 [debug] 3021#3021: *1 http recv(): 1
2018/10/05 20:19:05 [debug] 3021#3021: *1 https ssl handshake: 0x16
2018/10/05 20:19:05 [debug] 3021#3021: *1 tcp_nodelay
2018/10/05 20:19:05 [debug] 3021#3021: *1 SSL_do_handshake: -1
2018/10/05 20:19:05 [debug] 3021#3021: *1 SSL_get_error: 1
2018/10/05 20:19:05 [info] 3021#3021: *1 
 SSL_do_handshake() failed 
 (SSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol) while SSL handshaking, 
 client: 79.246.106.81, server: .0.0.0:443
2018/10/05 20:19:05 [debug] 3021#3021: *1 close http connection: 3
2018/10/05 20:19:05 [debug] 3021#3021: *1 event timer del: 3: 78931291
2018/10/05 20:19:05 [debug] 3021#3021: *1 reusable connection: 0
2018/10/05 20:19:05 [debug] 3021#3021: *1 free: 01F3F810, unused: 36
root@pi3x02:~/build/openssl-1.1.1/apps# ./openssl s_client -servername orgamon.com -connect orgamon.com:443 -tls1_3 -debug
openssl s_client -connect orgamon.com:https -tls1_3 -servername orgamon.com -tlsextdebug -debug -msg -state

26.02.2019