Line 16: |
Line 16: |
| ==Configure== | | ==Configure== |
| | | |
− | link in rc7.d | + | Create a link in rc7.d This enables nginx to start on boot. |
| | | |
− | This enables nginx to start on boot.
| + | ln -s /etc/rc.d/init.d/nginx /etc/rc.d/rc7.d/S87nginx |
| | | |
| Create /var/log/nginx and set permissions if required | | Create /var/log/nginx and set permissions if required |
Line 24: |
Line 24: |
| mkdir -p /var/log/nginx | | mkdir -p /var/log/nginx |
| | | |
| + | {{Warning box| The following may NOT be best practice and may need another approach, but works for testing}} |
| + | |
| + | Adding this MAY open your server up to compromise. You have been warned. |
| + | |
| + | Add user to group so nginx can access files/directories |
| + | |
| + | usermod -a -G shared nginx |
| | | |
| ===Configs=== | | ===Configs=== |
Line 49: |
Line 56: |
| | | |
| signal-event remoteaccess-update | | signal-event remoteaccess-update |
| + | |
| + | Now engine if correctly configured in the conf files will listen on 4483 |
| + | |
| + | Alternatively we can set apache to private so it only listens to local/internal connectins ,and nginx to external ones. |
| + | |
| + | config setprop httpd-e-smith access private |
| + | |
| + | config setprop nginx TCPPort 443 |
| + | |
| + | signal-event remoteaccess-update |
| + | |
| + | Or if you want port 80 as well |
| + | |
| + | config setprop nginx TCPPorts 80,443 |
| + | |
| + | signal-event remoteaccess-update |
| + | |
| + | |
| + | ===Sample configurations=== |
| + | |
| + | These are JUST samples. You will need to work out your own. |
| + | |
| + | |
| + | default.conf |
| + | |
| + | server { |
| + | # Listen on 80 |
| + | listen your.external.ip.address:80; |
| + | # Disable IPv6 |
| + | # listen [::]:80; |
| + | server_name domain.com host.domain.com; |
| + | # Passthru letsencrypt |
| + | location '/.well-known/acme-challenge' { |
| + | default_type "text/plain"; |
| + | #root /tmp/letsencrypt-auto; |
| + | root /home/e-smith/files/ibays/Primary/html; |
| + | } |
| + | |
| + | # Upgrade everything else to https |
| + | location / { |
| + | return 301 https://$server_name$request_uri; |
| + | } |
| + | } |
| + | |
| + | |
| + | |
| + | This is my rocket chat reverse proxy with websockets as an example: |
| + | |
| + | # Upstreams |
| + | upstream backend { |
| + | server 127.0.0.1:3000; |
| + | } |
| + | |
| + | # HTTPS Server |
| + | server { |
| + | listen your.external.ip.address:443; |
| + | server_name domain.com host.domain.com; |
| + | |
| + | # You can increase the limit if your need to. |
| + | client_max_body_size 200M; |
| + | |
| + | error_log /var/log/nginx/rocketchat.access.log; |
| + | |
| + | ssl on; |
| + | #ssl_certificate /etc/nginx/certificate.crt; |
| + | #ssl_certificate_key /etc/nginx/certificate.key; |
| + | ssl_certificate /etc/dehydrated/certs/reetspetit.info/fullchain.pem; |
| + | ssl_certificate_key /etc/dehydrated/certs/reetspetit.info/privkey.pem; |
| + | |
| + | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE |
| + | |
| + | location / { |
| + | proxy_pass http://backend/; |
| + | proxy_http_version 1.1; |
| + | proxy_set_header Upgrade $http_upgrade; |
| + | proxy_set_header Connection "upgrade"; |
| + | proxy_set_header Host $http_host; |
| + | |
| + | proxy_set_header X-Real-IP $remote_addr; |
| + | proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; |
| + | proxy_set_header X-Forward-Proto http; |
| + | proxy_set_header X-Nginx-Proxy true; |
| + | |
| + | proxy_redirect off; |
| + | } |
| + | } |
| | | |
| ==Start== | | ==Start== |
| | | |
| /etc/rc.d/init.d/nginx start | | /etc/rc.d/init.d/nginx start |
| + | |
| + | /etc/rc.d/init.d/nginx stop |
| + | |
| + | /etc/rc.d/init.d/nginx restart |
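Review bot: In the sample HTTPS server block, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables the deprecated TLS 1.0 and 1.1; the sample should offer only `ssl_protocols TLSv1.2 TLSv1.3;`, or `TLSv1.2` alone if the installed nginx/OpenSSL build lacks 1.3. In the same block's `location /`, the forwarding headers are misnamed, and the protocol is hard-coded to `http` on a TLS listener. They should read `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;`. As written, a backend that reads the standard header names gets neither the client address chain nor the fact that the request arrived over HTTPS, which can affect logging, rate limiting and secure-cookie or redirect decisions. Separately, `error_log` writes to a file named `rocketchat.access.log`; naming it `rocketchat.error.log` would avoid confusion when reviewing logs.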