Wiki/Guides/Docker/01Nginx.md
2025-04-10 04:10:54 +02:00

title: 01 Nginx
description:
published: true
date: 2023-05-03T03:18:59.950Z
tags:
editor: markdown
dateCreated: 2023-05-03T01:58:59.345Z

Install and Configure Nginx

eNGINe X is a very powerful web server. It can do many things and is highly configurable.

We will use it as a reverse proxy to forward requests to the correct container.

Create some folders in your home directory

mkdir -p ~/docker/nginx

Now create a docker compose file in that directory

vim ~/docker/nginx/docker-compose.yml

Add in the following text

version: '3'

services:
  nginx:
    image: nginx:latest
    container_name: nginx
    restart: always
    volumes:
      - /data/nginx/config:/etc/nginx
      - /data/nginx/log/error.log:/var/log/error.log
      - /data/nginx/log/access.log:/var/log/access.log
      - /etc/letsencrypt/:/etc/letsencrypt/
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 80:80
      - 443:443

First we need to create a folder for the configuration

sudo mkdir -p /data/nginx/config

We need to add the nginx configuration file

sudo vim /data/nginx/config/nginx.conf

Add in the following text

# Global Settings
user                 nginx;
pid                  /var/run/nginx.pid;
worker_processes     auto;
worker_rlimit_nofile 65535;

events {
    multi_accept       on;
    worker_connections 1024;
}


# Web Traffic
http {
  charset utf-8;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  server_tokens off;
  error_log /var/log/error.log warn;
  access_log /var/log/access.log;
  proxy_cache_path /etc/nginx/cache keys_zone=one:500m max_size=1000m;
  types_hash_max_size 2048;
  types_hash_bucket_size 64;
  client_max_body_size 16M;
  client_body_buffer_size 16M;
  client_header_buffer_size 16M;
  large_client_header_buffers 2 16M;

  # MIME
  default_type           application/octet-stream;

  # Limits
  limit_req_log_level    warn;
  limit_req_zone         $binary_remote_addr zone=login:10m rate=10r/m;

  # SSL
  ssl_session_timeout    1d;
  ssl_session_cache      shared:SSL:10m;
  ssl_session_tickets    off;
  ssl_protocols          TLSv1.2 TLSv1.3;
  ssl_stapling           on;
  ssl_stapling_verify    on;

  # Services
  include /etc/nginx/services/*.active;
}

Nginx should be good now, so let's start the container

sudo docker-compose -f ~/docker/nginx/docker-compose.yml up -d

We will create 2 folders for future use: auth is for password-protected services, and services is where nginx will look for server configuration

sudo mkdir -p /data/nginx/config/services && sudo mkdir -p /data/nginx/config/auth

Now we only need to set up fail2ban for Nginx, so create the following file

sudo vim /etc/fail2ban/filter.d/nginxx.local

Add in the following content

[INCLUDES]
before = common.conf

[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (400|401|403|404|405|406|407|423|429) .*$

This will ban every client whose GET or POST requests get any of the error codes in the failregex line.

Now we need to activate the filter in our main fail2ban configuration file

sudo vim /etc/fail2ban/jail.local

Add the following to the bottom

## Nginx
[nginxx]
enabled = true
logpath = /data/nginx/log/access.log

Restart fail2ban to make the changes take effect

sudo systemctl restart fail2ban
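
To see what the failregex above does and does not count, the following added example (not part of the original guide) applies it to constructed access-log lines in nginx's default combined format. The `<HOST>` expansion is a simplified IPv4-only stand-in for fail2ban's own, `count_failures` and `would_ban` are hypothetical helper names, and the `maxretry` value is assumed; fail2ban's date handling and findtime window are not modelled.

```python
import re
from collections import Counter

# failregex copied from the nginxx filter above.
FAILREGEX = r'^<HOST>.*"(GET|POST).*" (400|401|403|404|405|406|407|423|429) .*$'

# Assumption: simplified IPv4-only replacement for fail2ban's <HOST> tag.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST))

# Constructed sample lines (documentation IP ranges), nginx "combined" format.
SAMPLE_LOG = '''\
198.51.100.7 - - [03/May/2023:03:20:01 +0200] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.7 - - [03/May/2023:03:20:02 +0200] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.7 - - [03/May/2023:03:20:03 +0200] "GET /.env HTTP/1.1" 403 153 "-" "curl/8.0"
203.0.113.20 - - [03/May/2023:03:21:10 +0200] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.20 - - [03/May/2023:03:21:11 +0200] "GET /favicon.ico HTTP/1.1" 404 153 "https://example.org/" "Mozilla/5.0"
192.0.2.44 - - [03/May/2023:03:22:00 +0200] "HEAD /admin HTTP/1.1" 404 0 "-" "scanner"
192.0.2.44 - - [03/May/2023:03:22:01 +0200] "GET /api HTTP/1.1" 502 157 "-" "scanner"
'''


def count_failures(log_text):
    """Return {ip: number of log lines the failregex matches}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if m:
            hits[m.group('host')] += 1
    return dict(hits)


def would_ban(log_text, maxretry):
    """IPs whose match count reaches maxretry (time window ignored)."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == '__main__':
    print(count_failures(SAMPLE_LOG))
    print(would_ban(SAMPLE_LOG, maxretry=3))  # assumed maxretry value
```

HEAD requests and 5xx responses are not counted by this filter, while an ordinary visitor's missing favicon is. Running `fail2ban-regex /data/nginx/log/access.log /etc/fail2ban/filter.d/nginxx.local` performs the same check with fail2ban's own matcher on the real log.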