
Installing NGINX mainline

Install NGINX from the repository

  1. Run sudo apt install curl gnupg2 ca-certificates lsb-release to install the prerequisites.

  2. Run the following to set up the repository for mainline packages:

    echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list

  3. Run curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add - to import an official NGINX signing key so apt can verify the package's authenticity.

  4. Run sudo apt-key fingerprint ABF5BD827BD9BF62 to verify you have the proper key - the output should contain the full fingerprint: 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62.

  5. Run sudo apt update and sudo apt install nginx.
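Steps 3 and 4 rely on reading the fingerprint by eye. The script below is an added example (it is not part of this page or of NGINX's own instructions) that performs the same comparison mechanically, so a mismatch aborts before apt install is run. It also shows that the key ID passed to apt-key fingerprint is just the last 16 hex digits of the full fingerprint. The script name verify_nginx_key.sh is hypothetical and the gpg output it parses offline is a constructed sample, not a captured transcript. The same check applies to the retained "Switching NGINX from stable branch to mainline" section further down.

```shell
#!/bin/sh
# Added example (not from the original page): script the fingerprint check from
# the install steps so a mismatch aborts instead of relying on an eyeball comparison.
set -eu

# Expected fingerprint of the NGINX signing key, as stated in the steps above.
EXPECTED_FPR="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"

# Constructed sample of `apt-key fingerprint` / `gpg --fingerprint` output for
# offline testing; it is not a captured transcript.
SAMPLE_GPG_OUTPUT="pub   rsa2048 2011-08-19 [SC]
      573B FD6B 3D8F BC64 1079  A6AB ABF5 BD82 7BD9 BF62
uid           [ unknown] nginx signing key"

# The long key ID used in `apt-key fingerprint <id>` is simply the last 16 hex
# digits of the full fingerprint.
key_id_from_fingerprint() {
    printf '%s' "$1" | tr -d ' ' | tail -c 16
}

# Return 0 when the text in $1 contains the expected 40-hex-digit fingerprint.
# Spaces are stripped first because gpg prints fingerprints in 4-digit groups
# on some versions and unspaced on others.
fingerprint_matches() {
    printf '%s\n' "$1" | tr -d ' ' | grep -o '[0-9A-Fa-f]\{40\}' | grep -qix "$EXPECTED_FPR"
}

# Live mode: query the key actually imported into apt on this host.
# Usage: sh verify_nginx_key.sh --live
if [ "${1:-}" = "--live" ]; then
    key_id=$(key_id_from_fingerprint "$EXPECTED_FPR")
    if fingerprint_matches "$(sudo apt-key fingerprint "$key_id" 2>/dev/null)"; then
        echo "OK: NGINX signing key $key_id matches the expected fingerprint"
    else
        echo "FAIL: imported key does not match the expected fingerprint; do not run apt install nginx" >&2
        exit 1
    fi
fi
```

Without --live the script only defines the functions, so it can be sourced by a larger provisioning script; with --live it exits non-zero on a mismatch, which makes it usable as a gate in automation.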

Install Certbot

These steps are a work in progress

Open the server to port 80 (HTTP), both in GCP firewalls and ufw on the server.

Follow the instructions here up to Step 7: https://certbot.eff.org/instructions?ws=nginx&os=ubuntubionic. In Step 7, run the first command: sudo certbot --nginx - the final step of this (installing the certificate into NGINX) will fail. Continuing with the instructions here will install the certificate manually.

Configure NGINX

  1. Run sudo rm /etc/nginx/conf.d/default.conf to remove the default configuration.

  2. Run sudo vim /etc/nginx/conf.d/phixflow.conf and paste in the following, replacing [subdomain] with the appropriate subdomain of the server:

    server {
        listen 443 ssl;
        listen [::]:443 ssl ipv6only=on;
    
        server_name [subdomain].phixflow.com;
    
        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    
        ssl_certificate /etc/letsencrypt/live/[subdomain].phixflow.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/[subdomain].phixflow.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        client_max_body_size 40M;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    }

  3. Restart NGINX:

    sudo nginx -s reload
    sudo service nginx stop
    sudo service nginx start

    You may need to reboot the server as well in order for NGINX to restart successfully.

  4. Run netstat -tln to check the server is listening on port 443 rather than 80.

  5. Check the PhixFlow application loads in the browser. Check the security settings in the browser console.

  6. Run nginx -V to check the version.

Configure SSL cipher restriction

This is based on recommendations given at: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations. Note that there is a scheduled audit to review these on a regular basis and update our build instructions to continue to comply with the recommendations.

Open the file at /etc/letsencrypt/options-ssl-nginx.conf. It should look similar to the following:

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

Edit the ssl_protocols parameter to be:

ssl_protocols TLSv1.3;

Edit the ssl_ciphers parameter to be:

ssl_ciphers "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";

Close and save the file.

Run the following to reload the NGINX configuration:

sudo nginx -s reload

Restart the NGINX service:

sudo service nginx restart
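After the reload, the checks in the "Configure NGINX" steps (listening on 443, security settings in the browser) and the cipher restriction above are best confirmed from outside the server. One reason not to trust the file alone: with NGINX built against OpenSSL, ssl_ciphers governs only TLS 1.2 and earlier suites, while the TLS 1.3 suites are selected by OpenSSL's separate ciphersuites setting. The script below is an added example, not code from this page or from NGINX; it probes a host with openssl s_client and curl, expecting TLS 1.0 to 1.2 to be refused, TLS 1.3 to succeed with one of the three listed suites, and the Strict-Transport-Security header from the server block to be served. The script name check_tls.sh is hypothetical and the s_client and header samples it parses offline are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the original page): verify from the outside that the
# cipher restriction took effect and that the HSTS header is being served.
set -eu

# The three suites the page restricts ssl_ciphers to.
ALLOWED_CIPHERS="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256"

# Constructed sample of the session summary `openssl s_client` prints; not a
# transcript from a real host.
SAMPLE_S_CLIENT="New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0000"

# Constructed sample of response headers, as `curl -sI` would print them.
SAMPLE_HEADERS="HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains; preload"

# Pull the negotiated protocol / cipher out of an s_client transcript.
negotiated_protocol() {
    printf '%s\n' "$1" | awk -F': *' '/^ *Protocol *:/ { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}
negotiated_cipher() {
    printf '%s\n' "$1" | awk -F': *' '/^ *Cipher *:/ { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# Return 0 only if the session is TLS 1.3 with one of the allowed AEAD suites.
session_compliant() {
    proto=$(negotiated_protocol "$1")
    cipher=$(negotiated_cipher "$1")
    [ "$proto" = "TLSv1.3" ] || return 1
    [ -n "$cipher" ] || return 1
    case " $ALLOWED_CIPHERS " in
        *" $cipher "*) return 0 ;;
    esac
    return 1
}

# Return 0 if a Strict-Transport-Security header is present (header names are
# case-insensitive, and HTTP/2 prints them in lowercase).
has_hsts() {
    printf '%s\n' "$1" | grep -qi '^strict-transport-security:'
}

# Live probe: older protocol versions must be refused, TLS 1.3 must succeed
# with an allowed suite, and HSTS must be served.
# Usage: sh check_tls.sh [subdomain].phixflow.com
probe_host() {
    host=$1
    for v in -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -connect "$host:443" -servername "$host" "$v" </dev/null >/dev/null 2>&1; then
            echo "FAIL: $host still accepts $v" >&2
            return 1
        fi
    done
    out=$(openssl s_client -connect "$host:443" -servername "$host" -tls1_3 </dev/null 2>/dev/null) || out=""
    if ! session_compliant "$out"; then
        echo "FAIL: $host negotiated '$(negotiated_protocol "$out")' / '$(negotiated_cipher "$out")'" >&2
        return 1
    fi
    if ! has_hsts "$(curl -sI "https://$host/")"; then
        echo "FAIL: $host does not send Strict-Transport-Security" >&2
        return 1
    fi
    echo "OK: $host is TLS 1.3 only ($(negotiated_cipher "$out")) and sends HSTS"
}

if [ -n "${1:-}" ]; then
    probe_host "$1"
fi
```

A legacy-protocol handshake that is refused makes openssl s_client exit non-zero, which the loop treats as the expected outcome; an OpenSSL build that lacks a given -tls1* option also exits non-zero and is counted the same way. Run the script after every certbot renewal or NGINX upgrade, since either can rewrite options-ssl-nginx.conf.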

Switching NGINX from stable branch to mainline

This section should no longer be used, but has been retained for reference

  1. Run sudo apt remove nginx to remove the current installation of NGINX while preserving the configuration files.

  2. Run sudo apt install curl gnupg2 ca-certificates lsb-release to install the prerequisites.

  3. Run the following to set up the repository for mainline packages:

    echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list

  4. Run curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add - to import an official NGINX signing key so apt can verify the package's authenticity.

  5. Run sudo apt-key fingerprint ABF5BD827BD9BF62 to verify you have the proper key.

  6. The output should contain the full fingerprint 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62.

  7. Run sudo apt update and sudo apt install nginx.

  8. Run sudo rm /etc/nginx/conf.d/default.conf to remove the default configuration.

  9. Run sudo vim /etc/nginx/nginx.conf and add include /etc/nginx/sites-enabled/*; below the line include /etc/nginx/conf.d/*.conf;.

  10. Run sudo nginx -s reload.

  11. Run sudo service nginx stop.

  12. Run sudo service nginx start.

  13. Run netstat -tln to check the server is listening on port 443 rather than 80.

  14. Check the PhixFlow application loads in the browser. Check the security settings in the browser console.

  15. Run nginx -V to check the version.
