...

If PhixFlow users encounter problems loading files into PhixFlow, you may need to further increase this setting. Only authenticated users are able to trigger a file upload, and even then only certain users will have access to functions that cause a file upload. Even in an instance of PhixFlow that is available through the public internet, general users who are not authenticated on PhixFlow are not able to upload arbitrary files into PhixFlow.

Upload size

150MB for NGINX file upload size? This is now needed on ops live; have raised this as it seems very large to me. However, only authenticated users can use this function. Is there a way to have user-specific limits in NGINX? Don't see how.

Installing with apt

The instructions below are based on installation on a Debian-based distribution of Linux, and use the apt command. If you are installing on a Red Hat-based distribution of Linux, the equivalent yum commands for NGINX installation are well documented on the web.

...

  • An email address (for urgent renewal and security notices): e.g. security.notifications@mycompany.com

  • Terms of service: you must agree to these (press Y)

  • Agreement to share your email address with EFF: you can choose either option, i.e. Y or N

  • The domain name assigned to this service: e.g. phixflow.mycompany.com

Configure NGINX

...

Info

You can run sudo certbot certificates to list the installed certificates and confirm that the certificate has been successfully requested.

Configure NGINX

Most distributions of NGINX no longer include sites-enabled and sites-available directories. This example installation is based on a distribution that does not include these directories, and places the configuration file in the /etc/nginx/conf.d directory. If your installed version of NGINX includes sites-enabled and sites-available directories, consult the NGINX documentation for further guidance.

...

Code Block
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

Edit the ssl_protocols parameter to be:

Code Block
ssl_protocols TLSv1.3;

...

openssl-1.1.1 and later

At version 1.1.1 OpenSSL changed the method of configuring ciphersuites for TLS1.3. This has an impact on configuration of ciphersuites in NGINX (https://trac.nginx.org/nginx/ticket/1529).

To determine if you are using OpenSSL at version 1.1.1 or later, take note of the version of libssl on your Linux distribution rather than openssl itself. On Debian-based distributions of Linux, you can find these packages with the command dpkg --list | grep ssl (this will probably show other SSL-related packages, but you can ignore them for this assessment).

E.g. from Ubuntu 18.04:

...

In practice on Ubuntu, for example, on 22.04 the newer version of OpenSSL is used; on 18.04, the older version.

If you aren't sure, try the configuration in this section; if you get an error when trying to start NGINX, try the other configuration below.

Edit the ssl_protocols parameter to be:

Code Block
ssl_protocols TLSv1.3;

Update the file to replace the current line that starts ssl_ciphers to be:

Code Block
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;

Save and close the file.

Before openssl-1.1.1

Edit the ssl_protocols parameter to be:

Code Block
ssl_protocols TLSv1.3;

Edit the ssl_ciphers parameter to be:

Code Block
ssl_ciphers "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";

Save and close the file.
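A check covering both variants above (OpenSSL 1.1.1 and later, and before), added here as an example and not part of the PhixFlow guide: it parses an NGINX TLS snippet and reports settings that deviate from what the guide asks for, including the OpenSSL 1.1.1 change that makes TLS 1.3 suites in ssl_ciphers ineffective. The sample snippets are constructed from the guide's fragments, and the OpenSSL version is supplied as a (major, minor, patch) tuple rather than detected from the system.

```python
import re

# Constructed sample: the starting point shown earlier in the guide.
BEFORE = """
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";
"""

# Constructed sample: the guide's result for OpenSSL 1.1.1 and later.
AFTER = """
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384;
ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
"""

# One 'name args;' directive per line; nested blocks are not handled.
DIRECTIVE = re.compile(r'^\s*(\S+)\s+(.*?);\s*$', re.M)

def parse(snippet):
    """Return {directive: [args...]} with surrounding quotes stripped (last occurrence wins)."""
    conf = {}
    for name, args in DIRECTIVE.findall(snippet):
        conf[name] = args.replace('"', '').split()
    return conf

def findings(snippet, openssl_version):
    """List deviations from the guide's TLS 1.3-only policy for the given OpenSSL version."""
    conf = parse(snippet)
    out = []
    protos = conf.get('ssl_protocols', [])
    if protos != ['TLSv1.3']:
        out.append('ssl_protocols must be exactly TLSv1.3, got ' + ' '.join(protos))
    if conf.get('ssl_session_tickets') != ['off']:
        out.append('ssl_session_tickets should be off')
    ciphers = conf.get('ssl_ciphers', [''])[0].split(':')
    tls13_in_ciphers = any(c.startswith('TLS_') for c in ciphers)
    if openssl_version >= (1, 1, 1):
        # Since OpenSSL 1.1.1, TLS 1.3 suites are set via ssl_conf_command, not ssl_ciphers.
        if tls13_in_ciphers:
            out.append('TLS 1.3 suites in ssl_ciphers are ignored on OpenSSL 1.1.1+; use ssl_conf_command Ciphersuites')
        cmd = conf.get('ssl_conf_command', [])
        if not cmd or cmd[0] != 'Ciphersuites':
            out.append('missing ssl_conf_command Ciphersuites for TLS 1.3')
    elif not tls13_in_ciphers:
        out.append('before OpenSSL 1.1.1, TLS 1.3 suites go in ssl_ciphers')
    return out
```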

Restart NGINX

Run the following to reload the NGINX configuration:

...