Nginx

Nginx can proxy not only HTTP but also raw TCP and UDP traffic (SSH included) through the stream module, which is configured in a separate stream {} context rather than inside http {}.

Настройка ΠΏΠΎ ΠΊΠ½ΠΎΠΏΠΎΡ‡ΠΊΠ°ΠΌ: ΠΏΡ€ΠΎΠ΅ΠΊΡ‚ NginxConfig β€” https://do.nginxconfig.io/

Path traversal via a misconfigured alias: https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/ The trap is a location prefix without a trailing slash (location /static) combined with an alias that ends in one (alias /var/www/static/;): a request for /static../ still matches the prefix, and nginx does not normalise the ".." inside the "static.." segment, so the remainder is appended to the alias path and walks up into the parent directory. An nginx config linter such as gixy flags this pattern (alias_traversal).
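As an added example (not code from the original page or from the linked advisory), the misconfiguration beside its fix; the /static prefix, the /var/www paths and the file names are assumptions:

```nginx
# VULNERABLE: the location has no trailing slash but the alias has one.
# nginx replaces the matched prefix "/static" with the alias and appends
# the rest of the URI, so "/static../nginx.conf" (still a prefix match,
# and "static.." is not normalised as a ".." segment) becomes
# "/var/www/static/" + "../nginx.conf" = "/var/www/nginx.conf".
location /static {
    alias /var/www/static/;
}

# FIXED: trailing slash on both sides. "/static../nginx.conf" no longer
# matches this location at all, and only files under /var/www/static/
# are reachable through it.
location /static/ {
    alias /var/www/static/;
}

# ALTERNATIVE to the fixed block above (do not load both): use root when
# the URI path mirrors the filesystem layout. root appends the full URI,
# so even a "/static../x" request would map to "/var/www/static../x",
# which does not exist.
location /static/ {
    root /var/www;
}
```

To verify a fix, request a file that lives one level above the alias directory with curl --path-as-is (so curl does not collapse the ".." itself) and expect a 404 instead of the file's contents.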

Compression

  • gzip (built in) + brotli (needs the third-party ngx_brotli module)
  • caveat: compressing a TLS response that contains both a secret (CSRF token, session id) and attacker-controlled reflected input leaks the secret byte by byte (BREACH); disable compression for such responses or keep secrets out of them

HTTP/2 support

Lets the browser fetch many resources in parallel as multiplexed streams over a single connection (with HTTP/1.1 the browser caps concurrent connections per host, typically at 6, so requests queue behind each other). Enabled with http2 on; in the server block (nginx 1.25.1+) or the http2 parameter of listen on older versions; browsers only negotiate it over TLS via ALPN.

Preload and HTTP/2 Push

Preload: the response carries a Link: </static/app.css>; rel=preload; as=style header (nginx emits it with add_header), so the browser starts fetching the asset as soon as it sees the headers, before it has parsed the HTML that references it.

HTTP/2 Push: deprecated; Chrome removed support and nginx dropped server push (the http2_push directives) in 1.25.1, so do not build on it. Preload headers plus HTTP/2 multiplexing cover the same need.

Proxying traffic to another service or container

somedir/
    nginx/
        certs/  (the certificate and key nginx presents for TLS; any self-signed pair works for a lab, but clients verify the name, so it has to cover the server_name values below or clients must skip verification, e.g. curl -k)
            cert.crt
            cert.key
            domain.csr
        nginx.conf
    stunnel/  (the backend that builds the tunnel; it can be any service, e.g. a flask app)
        certs/
            ...
        Dockerfile
        stunnel.txt
    docker-compose.yml

nginx.conf: in effect it says that, depending on which name the client asked for, traffic is forwarded either to a plain-HTTP backend or to the stunnel container (in this example). For TLS nginx selects the server block by SNI during the handshake and then by the Host header for the request. Note that the first block is also the default for names that match nothing, so a catch-all default_server is worth adding.

# One server block per name. For TLS nginx picks the block by SNI during
# the handshake and by the Host header for the request. No block is marked
# default_server, so the first one (example.com) also answers any name
# that matches nothing.
server {
    listen 443 ssl;
    server_name  example.com;
    # The same certificate is reused by every block below, so it must
    # cover all three names (SAN) or clients must skip verification
    # (curl -k), which is acceptable only in a lab.
    ssl_certificate /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    location / {
        # TLS termination only: forward to the plain-HTTP origin. nginx
        # resolves the name once when it loads the config; Host is set
        # to $proxy_host (example.com) by default.
        proxy_pass http://example.com:80/;
        error_log /var/log/front_end_errors.log;
    }
}

server {
    listen 443 ssl;
    server_name  evil.com;
    ssl_certificate /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    location / {
        proxy_pass http://evil.com:80/;
        error_log /var/log/front_end_errors.log;
    }
}

server {
    listen 443 ssl;
    server_name  somesite.com;
    ssl_certificate /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    location / {
        # "stunnel" is the compose service name, resolved through Docker's
        # embedded DNS on the compose network; the container publishes no
        # ports on the host, so it is reachable only from here.
        proxy_pass http://stunnel:5555/;
        # Without this the backend would see "Host: stunnel:5555".
        proxy_set_header Host somesite.com;
        error_log /var/log/front_end_errors.log;
    }
}
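The three vhosts above share one certificate and have no explicit default, so a request whose SNI or Host matches none of them (a bare IP address, a scanner, a stale DNS name) lands in the first block and is proxied to example.com. The following is an added example, not code from the original page, of a catch-all that rejects unknown names plus a hardened version of the somesite.com block with HTTP/2 enabled; the cert paths, log path and backend name follow the page, while the timeouts, forwarded headers and version requirements are assumptions about a current nginx:

```nginx
# Catch-all for SNI / Host values that match no vhost. Without it nginx
# uses the first server block (example.com) for them and proxies the
# request to that backend.
server {
    listen 443 ssl default_server;
    server_name _;
    # Fail the TLS handshake for unknown names (nginx >= 1.19.4); no
    # certificate is needed in this block. On older versions load the
    # shared cert here and use "return 444;" to drop the connection
    # after the handshake instead.
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    http2 on;                      # nginx >= 1.25.1; older: "listen 443 ssl http2;"
    server_name somesite.com;
    ssl_certificate     /etc/nginx/certs/cert.crt;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://stunnel:5555/;
        proxy_http_version 1.1;
        # Keep the name the client asked for instead of the default
        # $proxy_host ("stunnel:5555"); $host is the Host header with the
        # port stripped, or the server_name when the header is absent.
        proxy_set_header Host $host;
        # Client address chain. The backend may trust these only because
        # it is reachable solely from this proxy; anything that can reach
        # it directly could forge them.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Bound how long a dead backend can hold a worker connection.
        proxy_connect_timeout 5s;
        proxy_read_timeout 30s;
        error_log /var/log/front_end_errors.log;
    }
}
```

With this in place, openssl s_client -connect host:443 -servername unknown.test fails during the handshake, while -servername somesite.com completes it and nginx -t still passes because the catch-all block carries no certificate directives.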

docker-compose.yml:

version: "3"
services:
  nginx:
    image: nginx
    ports:
      - "443:443"          # only TLS is published on the host
    volumes:
      # replaces the stock default vhost that ships in the image
      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf
      - ./nginx/certs:/etc/nginx/certs
    depends_on:
      - stunnel            # nginx resolves "stunnel" when it loads the config and fails to start if the name does not exist yet

  stunnel:
    build: stunnel         # directory containing the Dockerfile; no ports:, so reachable only from nginx on the compose network
    dns:
      - 8.8.8.8            # resolver for the public names the tunnel connects out to
