Nginx

Nginx

Assume you have a website with higher load, higher availability requirements, or both. You can do the following:

- Duplicate your web server (and the content, of course) as many times as you need.
- Put a load balancer in front of the web servers, ideally in combination with a firewall ruleset.
- Terminate TLS once on the load balancer, or on each web server directly, whichever you prefer.

You can also double the load balancer with two boxes to get redundancy at this level.

Proxy

### Network Diagram

```
                   +----------------+
                   |                |
                   |                |
                   |      www       |
                   |                |
                   |                |
                   +--------+-------+
                            |
                   +--------+-------+
                   |                |
                   |  Loadbalancer  |
                   |                |
                   +--------+-------+
                            |
        +---------------------------------------+
        |                   |                   |
        |                   |                   |
+-------+-------+  +--------+-------+  +--------+-------+
|               |  |                |  |                |
|     www1      |  |      www2      |  |      www3      |
|               |  |                |  |                |
+---------------+  +----------------+  +----------------+
```

OpenBSD & PHP Stuff 7.4

### Install NGINX & PHP

```
pkg_add nginx php--%7.4
rcctl enable nginx php74_fpm
```

### Edit php.ini

```
sed -i s'/date.timezone = UTC.*/date.timezone = Europe\/Zurich/' /etc/php-7.4.ini
sed -i s'/short_open_tag = Off.*/short_open_tag = On/' /etc/php-7.4.ini
```

### Stop 7.3 & Start 7.4

```
rcctl stop php73_fpm
rcctl restart nginx php74_fpm
```

### Uninstall PHP 7.3

```
pkg_del php--%7.3
pkg_del -a
```

OpenBSD nginx cgi

… and you thought that cgi is dead …

### nginx.conf

```
cat << 'EOF' > /etc/nginx/nginx.conf
worker_processes 1;
worker_rlimit_nofile 1024;
events {
    worker_connections 800;
}

http {
    include mime.types;
    default_type application/octet-stream;
    index index.html index.htm;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log logs/access.log main;
    access_log syslog:server=unix:/dev/log,severity=notice main;

    keepalive_timeout 65;
    server_tokens off;

    server {
        listen 80;
        listen [::]:80;
        server_name localhost;
        root /var/www/htdocs;

        # FastCGI to CGI wrapper server
        #
        location /cgi-bin/ {
            #error_log /var/log/slowcgi/errors;
            fastcgi_pass unix:run/slowcgi.
```

Tweak Nginx Webserver with limited Client Certificate

### Install NGINX & PHP

```
pkg_add nginx php--%7.3
rcctl enable nginx php73_fpm
```

### Edit php.ini

```
sed -i s'/date.timezone = UTC.*/date.timezone = Europe\/Zurich/' /etc/php-7.3.ini
sed -i s'/short_open_tag = Off.*/short_open_tag = On/' /etc/php-7.3.ini
```

### nginx.conf

```
mkdir /var/log/nginx

cat << 'EOF' > /etc/nginx/nginx.conf
worker_processes 1;
worker_rlimit_nofile 1024;
events {
    worker_connections 800;
}

http {
    include mime.types;
    default_type application/octet-stream;
    index index.php index.html index.htm;
    keepalive_timeout 65;
    server_tokens off;
    proxy_cache_valid any 0s;

    log_format main '$remote_addr - $ssl_client_serial - [$time_local] - "$request" - $status - $body_bytes_sent';

    map $ssl_client_serial $ssl_access {
        default 0;
        WFuDgzQBZXV740D3 1; # Hans Muster
        EDugUslEX1Et90WX 0; # Beat Breu
        2DF3C663741296F5 1; # Ruedi Ruessel
    }

    #
    # HTTP -> Redirect to HTTPS
    #
    server {
        listen 80;
        server_name localhost;
        access_log logs/host.
```

Openbsd Nginx with Client Authentication

### Requirement

- Webserver http
- Webserver https
- Protected Folder https://egal.com/protected with Client Certificate

### /etc/httpd.conf

```
# $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $

server "*" {
    listen on * port 8080
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
```

### /etc/nginx/nginx.conf

```
# Take note of http://wiki.nginx.org/Pitfalls

#user www;
worker_processes 1;

#load_module "modules/ngx_stream_module.so";

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#error_log syslog:server=unix:/dev/log,severity=notice;

#pid logs/nginx.pid;

worker_rlimit_nofile 1024;
events {
    worker_connections 800;
}

http {
    include mime.
```

Nginx with Client Certificate

### NGINX with Client Certificates

root@debian:/etc/nginx/sites-available#

```
server {
    listen 80;
    listen [::]:80;
    server_name host198.planet;
    root /var/www/host198.planet;
    access_log /var/log/nginx/host198.planet;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name host198.planet;
    root /var/www/host198.planet;

    ssl_certificate /etc/ssl/private/fullchain.crt;
    ssl_certificate_key /etc/ssl/private/host198.planet.key;
    # TLSv1.1 is deprecated (RFC 8996); current setups use TLSv1.2 and TLSv1.3
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # CA used to verify client certificates; "optional" requests a certificate
    # but does not reject the handshake when none is presented
    ssl_client_certificate /etc/ssl/private/ca.crt;
    ssl_verify_client optional;

    access_log /var/log/nginx/host198.planet;
    index index.html;

    #location / {
    #    try_files $uri $uri/ =404;
    #}

    location / {
        # if the client-side certificate failed to authenticate, show a 403
        # message to the client
        if ($ssl_client_verify !
```

BasicAuthentication with Nginx

NOT YET WORKING …

### Install NGINX

```
pkg_add -v nginx
rcctl enable nginx
rcctl restart nginx
```

### Enable BasicAuth

```
server {
    ...
    auth_basic "Administrator’s Area";
    auth_basic_user_file conf/htpasswd;

    location /public/ {
        auth_basic off;
    }
}
```

### Create File and User

```
htpasswd -c /etc/apache2/.htpasswd user1
```

### Restart Service

```
rcctl restart nginx
```

### Source

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/

Netbox

How to Install Netbox on Debian 10.1

URL: https://github.com/netbox-community/netbox

### install postgresql

```
apt-get install -y postgresql libpq-dev
sudo pg_ctlcluster 11 main start
```

### create database

```
# sudo -u postgres psql
psql (9.4.5)
Type "help" for help.

postgres=# CREATE DATABASE netbox;
CREATE DATABASE
postgres=# CREATE USER netbox WITH PASSWORD 'streng-geheim-und-so';
CREATE ROLE
postgres=# GRANT ALL PRIVILEGES ON DATABASE netbox TO netbox;
GRANT
postgres=# \q
```

```
psql -U netbox -W -h localhost netbox
streng-geheim-und-so
netbox=> quit
```

### install application

```
apt-get install -y python3 python3-pip python3-dev build-essential libxml2-dev libxslt1-dev libffi-dev graphviz libpq-dev libssl-dev redis-server zlib1g-dev git
```

### install a release (we skip that)

```
# wget https://github.
```