
04 ~ Nginx + HTTP2 + SSL

Door | 22 Januari 2019

BRON en informatie : https://www.pcre.org PCRE - Perl Compatible Regular Expressions
 
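# pcre installatie
# Build PCRE 8.42 under /usr/local/src. The unpacked tree is what nginx is
# later pointed at with --with-pcre=/usr/local/src/pcre-8.42, so keep it after
# the build. Stop at the first failure instead of running the later steps in
# whatever directory the shell happens to be in.
set -e
cd /usr/local/src
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz
# The archive comes over plain FTP with no integrity check; compare it with the
# checksum/signature published by the PCRE project before unpacking:
#   sha256sum pcre-8.42.tar.gz   # expect <SHA256 from the PCRE release page>
tar xzf pcre-8.42.tar.gz
cd pcre-8.42
./configure --enable-utf8 --enable-unicode-properties
make CPPFLAGS=-I/usr/kerberos/include
make test
# Installs a second libpcre under /usr/local and registers it with ldconfig;
# other dynamically linked programs may pick it up — nginx itself compiles
# PCRE in from the source tree and does not need this step.
make install
ldconfig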

BRON en informatie : https://github.com/google/ngx_brotli  
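# ngx_brotli installatie 
# if brotli error execute : yum -y install git python python-devel gcc zlib perl libxml2 libxslt
# Fetch the ngx_brotli module source (and its brotli submodule) into
# /usr/local/src/ngx_brotli, the path given to --add-module in configure.nginx.
set -e
cd /usr/local/src
git clone https://github.com/google/ngx_brotli
cd ngx_brotli
# A bare clone builds whatever the default branch points at today, so the
# result is not reproducible; pin a reviewed release first:
#   git checkout <ngx_brotli tag or commit>
git submodule update --init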

BRON en informatie : https://www.zlib.net  
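# zlib installatie
# Build zlib 1.2.11 under /usr/local/src; nginx is pointed at this tree with
# --with-zlib=/usr/local/src/zlib-1.2.11 in configure.nginx.
set -e
cd /usr/local/src
wget https://zlib.net/zlib-1.2.11.tar.gz
# Verify the download before unpacking (checksum published on zlib.net):
#   sha256sum zlib-1.2.11.tar.gz   # expect <SHA256 from zlib.net>
tar -zxf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
make
# The rest of this page runs as root without sudo; keep this step consistent.
# nginx compiles zlib in from the source tree, so this system-wide copy under
# /usr/local is presumably for other consumers — confirm it is wanted.
make install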

Installeer benodigdheden  
# Build and runtime dependencies for the nginx/custombuild steps that follow.
packages=(
  autoconf automake bind-utils wget curl unzip
  gcc-c++ pcre-devel zlib-devel libtool make
  nmap-netcat ntp pam-devel
)
yum -y install "${packages[@]}"

 
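# custombuild some config files
# Create the custombuild override tree (custom/nginx/conf) and start an empty
# custom configure.nginx there; its content is the script shown below.
set -e
custom_nginx=/usr/local/directadmin/custombuild/custom/nginx
cd /usr/local/directadmin/custombuild/
# -p creates the whole chain and does nothing for directories that already
# exist, so re-running this block no longer fails on the first mkdir.
mkdir -p "$custom_nginx/conf"

cp /usr/local/directadmin/custombuild/configure/nginx/configure.nginx "$custom_nginx/configure.nginx"
# The copy is emptied straight away (presumably to keep the stock file's
# permissions); the real content is typed in with nano.
> "$custom_nginx/configure.nginx"
nano "$custom_nginx/configure.nginx"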

 
#!/bin/sh
# custombuild override for nginx's ./configure (custom/nginx/configure.nginx).
# custombuild runs it from the unpacked nginx source tree, so the relative
# ./configure at the bottom resolves there.
#
# pcre, zlib and ngx_brotli are the source trees unpacked under /usr/local/src
# by the earlier steps. An openssl-1.1.1 tree is expected there as well, but
# this page does not show it being fetched — verify it exists before building.
#
# The options are collected with `set --` so each group can carry a comment;
# the argument list handed to ./configure is the same, in the same order.

# Install layout
set -- \
  "--prefix=/usr" \
  "--sbin-path=/usr/sbin" \
  "--conf-path=/etc/nginx/nginx.conf" \
  "--error-log-path=/var/log/nginx/error_log" \
  "--http-log-path=/var/log/nginx/access_log" \
  "--pid-path=/var/run/nginx.pid" \
  "--user=nginx" \
  "--group=nginx"

# Mail proxy: IMAP and SMTP left out (--with-mail itself is enabled below)
set -- "$@" \
  "--without-mail_imap_module" \
  "--without-mail_smtp_module"

# Core HTTP features (nginx has reported --with-ipv6 as deprecated since 1.11.5)
set -- "$@" \
  "--with-ipv6" \
  "--with-http_ssl_module" \
  "--with-http_realip_module" \
  "--with-http_stub_status_module" \
  "--with-http_gzip_static_module" \
  "--with-http_dav_module" \
  "--with-http_v2_module"

# Compiler / linker options; the inner single quotes are part of the value
# passed to configure
set -- "$@" \
  "--with-cc-opt='-D FD_SETSIZE=32768'" \
  "--with-pcre-jit" \
  "--with-ld-opt=-lrt"

# Libraries and modules compiled in from source trees under /usr/local/src
set -- "$@" \
  "--with-pcre=/usr/local/src/pcre-8.42" \
  "--with-zlib=/usr/local/src/zlib-1.2.11" \
  "--with-openssl=/usr/local/src/openssl-1.1.1" \
  "--with-openssl-opt='enable-tls1_3'" \
  "--add-module=/usr/local/src/ngx_brotli"

# Remaining optional modules
set -- "$@" \
  "--with-compat" \
  "--with-file-aio" \
  "--with-threads" \
  "--with-http_addition_module" \
  "--with-http_auth_request_module" \
  "--with-http_flv_module" \
  "--with-http_gunzip_module" \
  "--with-http_mp4_module" \
  "--with-http_random_index_module" \
  "--with-http_secure_link_module" \
  "--with-http_slice_module" \
  "--with-http_degradation_module" \
  "--with-http_sub_module" \
  "--with-mail" \
  "--with-mail_ssl_module" \
  "--with-stream" \
  "--with-stream_realip_module" \
  "--with-stream_ssl_module" \
  "--with-stream_ssl_preread_module"

./configure "$@"

 
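# generate dhparam 4096 Bit
# Creates the DH group referenced by `ssl_dhparam /etc/nginx/dhparam.pem;` in
# nginx-defaults.conf; it only matters for the DHE suites (EDH / AES256+EDH)
# in that file's ssl_ciphers list.
#
# The original ran `openssl ... & bg`: the generation (minutes for 4096 bits)
# was backgrounded and chown ran immediately, racing the file's creation,
# while `bg` itself did nothing useful. Run it in the foreground and only
# chown once it has finished.
openssl dhparam -out /etc/nginx/dhparam.pem 4096 \
  && chown root:nginx /etc/nginx/dhparam.pem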

 
# Copy the stock nginx-vhosts.conf into the custombuild override directory and
# open that copy for the edits shown below.
vhosts_conf=/usr/local/directadmin/custombuild/custom/nginx/conf/nginx-vhosts.conf
cp /usr/local/directadmin/custombuild/configure/nginx/conf/nginx-vhosts.conf "$vhosts_conf"
nano "$vhosts_conf"

# remove ssl on; # After server_name $hostname |IP|;  
# Presumably the plain-HTTP server block of the host's own vhost: everything is
# sent on to HTTPS. The regex is unanchored, so any Host header that contains a
# dotted quad (not only a bare IP) is redirected to |DOMAIN| instead of
# $server_name.
	if ($host  ~ "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" ) {
                return 301 https://|DOMAIN|$request_uri;
        }
        return 301 https://$server_name$request_uri;
# Browsers only honour Strict-Transport-Security on a TLS response (RFC 6797),
# so this copy is inert; the one in the ssl server block is the effective policy.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

# After ssl_certificate_key /etc/nginx/ssl.key/server.key;  
# OCSP stapling for the host certificate. ssl_stapling_verify validates the
# OCSP response against ssl_trusted_certificate, so the "combined" file must
# hold the issuer chain and not only the leaf — confirm how it is assembled.
	ssl_trusted_certificate /etc/nginx/ssl.crt/server.crt.combined;
	ssl_stapling on;
	ssl_stapling_verify on;

# ALLOW-FROM takes a single origin (no wildcard) and Chrome/Safari ignore it;
# the Content-Security-Policy frame-ancestors line below is the control that
# works across browsers.
	add_header X-Frame-Options "ALLOW-FROM https://*.|DOMAIN|" always;
# Only X-Frame-Options carries `always`; the other headers are added to
# 2xx/3xx responses only, so 4xx/5xx pages go out without them (HSTS included).
	add_header X-Content-Type-Options "nosniff";
	add_header X-XSS-Protection "1; mode=block";
	add_header Referrer-Policy "strict-origin";
# Both report-uri values point at /reporting_issues on the domain itself;
# nothing on this page sets that endpoint up.
	add_header Expect-CT "enforce; max-age=86400; report-uri=https://|DOMAIN|/reporting_issues";
	add_header Expect-Staple "max-age=31536000; report-uri=https://|DOMAIN|/reporting_issues; includeSubDomains; preload";
	add_header Content-Security-Policy "frame-ancestors https://*.|DOMAIN| https://|DOMAIN|";

# Two years, all subdomains, preload-eligible: every subdomain must serve valid
# HTTPS, and a preload submission is slow to undo. Also note that a location{}
# with its own add_header replaces this whole set instead of adding to it.
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

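# ---------------------------------------------------------------------------
# Remainder of the walkthrough, reflowed from one collapsed paste. It
# alternates root shell commands with the text to be typed into the file named
# by the preceding `nano`; file contents are marked with "--- ... ---" banners.
# The addresses, hostnames and paths are this server's own values.
# ---------------------------------------------------------------------------

nano /usr/local/directadmin/conf/directadmin.conf
# add :: SPACE_HTTP2= http2   (the leading space in the value is intentional:
#                              the token is appended right after "ssl" in
#                              the listen lines of the templates below)
# add :: SSL_TEMPLATE=1

cp /usr/local/directadmin/custombuild/configure/nginx/conf/nginx-defaults.conf /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-defaults.conf
> /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-defaults.conf
nano /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-defaults.conf

# --- contents of custom/nginx/conf/nginx-defaults.conf ---
default_type application/octet-stream;
tcp_nopush on;
tcp_nodelay on;
sendfile on;
log_format bytes '$bytes_sent $request_length';
keepalive_timeout 15;
types_hash_max_size 2048;
# Refuse to serve a file through a symlink whose owner differs from the
# target's owner (shared-hosting guard against cross-account symlinks).
disable_symlinks if_not_owner from=$document_root;
server_tokens off;
client_max_body_size 1024m;
client_body_buffer_size 128k;
server_names_hash_bucket_size 128;
server_names_hash_max_size 10240;
# openssl dhparam -out /etc/nginx/dhparam.pem 4096   (generated earlier on this page)
# chown root:nginx /etc/nginx/dhparam.pem
# Only used by the DHE suites (EDH / AES256+EDH) in ssl_ciphers below.
ssl_dhparam /etc/nginx/dhparam.pem;
# Session resumption through the shared cache only; tickets are switched off.
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_session_tickets off;
proxy_read_timeout 1800s;
# https://mozilla.github.io/server-side-tls/ssl-config-generator/ intermediate configuration.
ssl_protocols TLSv1.3 TLSv1.2;
# NOTE(review): the TLS13-* names are the OpenSSL 1.1.1 pre-release spellings.
# The released 1.1.1 configures TLS 1.3 suites separately (TLS_AES_256_GCM_SHA384
# etc.) and ignores unknown names in this list, so these entries are most
# likely inert and the TLS 1.3 defaults apply — verify with `openssl ciphers -v`.
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
# Pins a single curve, which excludes X25519; a list such as
# `ssl_ecdh_curve X25519:secp384r1;` keeps secp384r1 available — check the
# client mix before changing it.
ssl_ecdh_curve secp384r1;
brotli on;
brotli_static on;
brotli_types *;
# Resolver for the OCSP stapling lookups. 4.4.4.4 is not a public resolver
# (Google's secondary is 8.8.4.4), so the original pair effectively had one
# working server. These lookups leave the host in clear text; the local
# resolver is an alternative if one is configured.
resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off;
resolver_timeout 10s;
# END +++++++++++

# http://help.directadmin.com/item.php?id=2
# --- DirectAdmin per-domain templates: copies under custom/ override the stock ones ---
cd /usr/local/directadmin/data/templates
mkdir /usr/local/directadmin/data/templates/custom
cp /usr/local/directadmin/data/templates/nginx_server_secure.conf /usr/local/directadmin/data/templates/custom/nginx_server_secure.conf
cp /usr/local/directadmin/data/templates/nginx_server_secure_sub.conf /usr/local/directadmin/data/templates/custom/nginx_server_secure_sub.conf
nano /usr/local/directadmin/data/templates/custom/nginx_server_secure.conf /usr/local/directadmin/data/templates/custom/nginx_server_secure_sub.conf

# --- edits to custom/nginx_server_secure.conf and nginx_server_secure_sub.conf ---
# remove ssl on;
# NOTE(review): the listen lines below go into the template every domain is
# generated from, so each vhost will presumably bind all three customer
# addresses in addition to its own |IP| — confirm that is intended.
# Lodewijkhosting
# After listen |IP|:|PORT_443| ssl|SPACE_HTTP2|;
listen 93.158.222.141:443 ssl|SPACE_HTTP2|;
|MULTI_IP|
listen [2a00:1ca8:5f:b0b0:0:0:0:141]:443 ssl|SPACE_HTTP2|;
# Lodewijk ict
# After listen |IP|:|PORT_443| ssl|SPACE_HTTP2|;
listen 93.158.222.142:443 ssl|SPACE_HTTP2|;
|MULTI_IP|
listen [2a00:1ca8:5f:5a9a:0:0:0:142]:443 ssl|SPACE_HTTP2|;
# Torrenttop100
# After listen |IP|:|PORT_443| ssl|SPACE_HTTP2|;
listen 93.158.222.143:443 ssl|SPACE_HTTP2|;
|MULTI_IP|
listen [2a00:1ca8:5f:5a9a:0:0:0:143]:443 ssl|SPACE_HTTP2|;
# After ssl_certificate_key |KEY|;
# ssl_stapling_verify checks the OCSP response against this file, so |CERT|
# must carry the issuer chain and not only the leaf — verify what DirectAdmin
# writes there.
ssl_trusted_certificate |CERT|;
ssl_stapling on;
ssl_stapling_verify on;
# ALLOW-FROM takes a single origin (no wildcard) and Chrome/Safari ignore it;
# the CSP frame-ancestors line (commented out further down) is the control
# that works across browsers.
add_header X-Frame-Options "ALLOW-FROM https://*.|DOMAIN|" always;
# Only X-Frame-Options carries `always`; the other headers are added to
# 2xx/3xx responses only, so 4xx/5xx pages go out without them (HSTS included).
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin";
# Both report-uri values point at /reporting_issues on the domain itself;
# nothing on this page sets that endpoint up.
add_header Expect-CT "enforce; max-age=86400; report-uri=https://|DOMAIN|/reporting_issues";
add_header Expect-Staple "max-age=31536000; report-uri=https://|DOMAIN|/reporting_issues; includeSubDomains; preload";
#add_header Content-Security-Policy "frame-ancestors https://*.|DOMAIN| https://|DOMAIN|";
#add_header X-Robots-Tag none; # do not use, 26-11-2016
# Two years, all subdomains, preload-eligible: every subdomain must serve valid
# HTTPS, and a preload submission is slow to undo.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
#add_header X-Frame-Options DENY;
#add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block";
#add_header X-Robots-Tag none;
#add_header Referrer-Policy "strict-origin";
#add_header Expect-CT "enforce; max-age=86400; report-uri=https://|DOMAIN|/reporting_issues";
#add_header Expect-Staple "max-age=30; report-uri=https://|DOMAIN|/reporting_issues; includeSubDomains; preload";
#add_header Content-Security-Policy "frame-ancestors 'none'";
# END

cp /usr/local/directadmin/data/templates/nginx_server.conf /usr/local/directadmin/data/templates/custom/nginx_server.conf
cp /usr/local/directadmin/data/templates/nginx_server_sub.conf /usr/local/directadmin/data/templates/custom/nginx_server_sub.conf
nano /usr/local/directadmin/data/templates/custom/nginx_server.conf /usr/local/directadmin/data/templates/custom/nginx_server_sub.conf

# --- edits to custom/nginx_server.conf and nginx_server_sub.conf (port 80) ---
# NOTE(review): "Remove :: |CUSTOM|" drops the hook through which per-domain
# custom nginx config is inserted, so any such customisation is presumably
# ignored for every domain afterwards — confirm before removing it.
# Lodewijkhosting
# Remove :: |CUSTOM|
# After listen |IP|:|PORT_80|;
listen 93.158.222.141:80;
|MULTI_IP|
listen [2a00:1ca8:5f:b0b0:0:0:0:141]:80;
# END
# Lodewijk ict
# Remove :: |CUSTOM|
# After listen |IP|:|PORT_80|;
listen 93.158.222.142:80;
|MULTI_IP|
listen [2a00:1ca8:5f:5a9a:0:0:0:142]:80;
# After server_name |DOMAIN| www.|DOMAIN| |SERVER_ALLASES|;
# (the stock template likely spells this token |SERVER_ALIASES| — check the line in your copy)
# Only the SSL_TEMPLATE="0" branch redirects to HTTPS. directadmin.conf was
# given SSL_TEMPLATE=1 above, so this server presumably takes the |*else|
# branch, which sends an HSTS header but no redirect. Browsers ignore HSTS
# received over plain HTTP (RFC 6797), so that branch only has an effect if
# DirectAdmin's SSL_TEMPLATE=1 template also answers on 443 from this block —
# verify against the stock template. The regex is unanchored, so any host
# name containing a dotted quad, not just a bare IP, is sent to |DOMAIN|.
|*if SSL_TEMPLATE="0"|
if ($host ~ "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" ) {
    return 301 https://|DOMAIN|$request_uri;
}
return 301 https://$server_name$request_uri;
|*else|
# Differs from the value in the secure template (no includeSubDomains/preload);
# a browser keeps whichever policy it received last, so align the two if this
# block is also served over TLS.
add_header Strict-Transport-Security max-age=63072000;
|*endif|
# END
# Torrenttop100
# Remove :: |CUSTOM|
# After listen |IP|:|PORT_80|;
listen 93.158.222.143:80;
|MULTI_IP|
listen [2a00:1ca8:5f:5a9a:0:0:0:143]:80;
# After server_name |DOMAIN| www.|DOMAIN| |SERVER_ALLASES|;
|*if SSL_TEMPLATE="0"|
if ($host ~ "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" ) {
    return 301 https://|DOMAIN|$request_uri;
}
return 301 https://$server_name$request_uri;
|*else|
add_header Strict-Transport-Security max-age=63072000;
|*endif|
# END

cp /usr/local/directadmin/data/templates/nginx_ips.conf /usr/local/directadmin/data/templates/custom/nginx_ips.conf
cp /usr/local/directadmin/data/templates/nginx_server_redirect.conf /usr/local/directadmin/data/templates/custom/nginx_server_redirect.conf
nano /usr/local/directadmin/data/templates/custom/nginx_ips.conf /usr/local/directadmin/data/templates/custom/nginx_server_redirect.conf
# remove ssl on;

## SSL (http://www.directadmin.com/features.php?id=1828)
# --- certificates for the three mail hostnames via DirectAdmin's letsencrypt.sh ---
cd /usr/local/directadmin/scripts
# Lodewijk Hosting
./letsencrypt.sh request_single mail.lodewijkhosting.nl 4096
# Lodewijk ICT
./letsencrypt.sh request_single mail.lodewijkict.nl 4096
# Torrenttop100
./letsencrypt.sh request_single mail.torrenttop100.com 4096

# --- DirectAdmin's own TLS settings (directadmin.conf) ---
cd /usr/local/directadmin/conf
echo 'letsencrypt=1' >> /usr/local/directadmin/conf/directadmin.conf
# Anchored to the start of the line so only the real keys are touched: the
# original unanchored patterns also hit any other key containing the same
# substring and turn an already commented "#cacert" into "##cacert" on a
# second run.
perl -pi -e 's/^SSL=0/SSL=1/' directadmin.conf
perl -pi -e 's/^cacert=/#cacert=/' directadmin.conf
perl -pi -e 's/^cakey=/#cakey=/' directadmin.conf
# NOTE(review): the panel's own certificate and private key now live under a
# customer account's domains directory. Whoever controls that account (or can
# replace the domain's certificate from the panel) controls the certificate
# the control panel itself presents — check ownership and permissions of these
# files, or keep a root-owned copy for DirectAdmin.
echo "cacert=/usr/local/directadmin/data/users/lodewijkict/domains/lodewijkict.nl.cert" >> directadmin.conf
echo "cakey=/usr/local/directadmin/data/users/lodewijkict/domains/lodewijkict.nl.key" >> directadmin.conf
echo "carootcert=/usr/local/directadmin/data/users/lodewijkict/domains/lodewijkict.nl.cacert" >> directadmin.conf
echo "force_hostname=lodewijkict.nl" >> directadmin.conf
echo "ssl_redirect_host=lodewijkict.nl" >> directadmin.conf
echo "enable_ssl_sni=1" >> directadmin.conf
echo "dns_ttl=1" >> directadmin.conf
# These are plain appends: an existing line with the same key is not replaced,
# so check the file for duplicates if it already carried one.
cd /usr/local/directadmin/custombuild
./build set redirect_host lodewijkict.nl
./build set redirect_host_https yes
# Finished?

# --- rewrite configs and rebuild ---
# dataskq processes the task queue immediately (d2000 = verbose debug output).
echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d2000
echo "action=rewrite&value=nginx" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d2000
cd /usr/local/directadmin/custombuild/
./build clean
./build update
./build used_configs
./build nginx
./build php d
./build exim
./build dovecot
./build rewrite_confs
service directadmin restart
# Validate the generated config before restarting nginx; a typo in one of the
# hand-edited templates would otherwise take every site down. The original ran
# `nginx -t` only after the restart.
nginx -t && service nginx restart
service exim restart
service dovecot restart
# Test :: https://tools.keycdn.com/http2-test
# Test :: https://hstspreload.org

# * * *
echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d2000
echo "action=rewrite&value=nginx" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d2000
echo "action=directadmin&value=restart" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d2000
cd /usr/local/directadmin/custombuild/
./build update
./build nginx
./build rewrite_confs
service directadmin restart
nginx -t && service nginx restart

# * * *
nginx -t && nginx -s reload
nano /usr/local/directadmin/custombuild/configure/nginx/conf/nginx-vhosts.conf
nano /usr/local/directadmin/custombuild/configure/nginx_reverse/conf/nginx-vhosts.conf
nano /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-vhosts.conf

# Bronnen (sources):
# https://forum.directadmin.com/archive/index.php/t-51344.html
# http://nginx.org/en/docs/http/ngx_http_v2_module.html
# https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033
# https://www.cloudinsidr.com/content/how-to-activate-http2-with-ssltls-encryption-in-nginx-for-secure-connections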