Verbeter de prestaties en beveiliging van uw webserver
BRON en informatie : https://www.pcre.org PCRE - Perl Compatible Regular Expressions
BRON en informatie : https://github.com/google/ngx_brotli

# pcre installatie
cd /usr/local/src
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz
tar xzf pcre-8.42.tar.gz
cd pcre-8.42
./configure --enable-utf8 --enable-unicode-properties
make CPPFLAGS=-I/usr/kerberos/include
make test
make install
ldconfig
BRON en informatie : https://www.zlib.net

# ngx_brotli installatie
# if brotli error execute : yum -y install git python python-devel gcc zlib perl libxml2 libxslt
cd /usr/local/src
git clone https://github.com/google/ngx_brotli
cd ngx_brotli
git submodule update --init
Installeer benodigdheden

# zlib installatie
cd /usr/local/src
wget https://zlib.net/zlib-1.2.11.tar.gz
tar -zxf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
make
sudo make install
yum -y install autoconf automake bind-utils wget curl unzip gcc-c++ pcre-devel zlib-devel libtool make nmap-netcat ntp pam-devel
# custombuild some config files
cd /usr/local/directadmin/custombuild/
mkdir /usr/local/directadmin/custombuild/custom
mkdir /usr/local/directadmin/custombuild/custom/nginx
mkdir /usr/local/directadmin/custombuild/custom/nginx/conf
cp /usr/local/directadmin/custombuild/configure/nginx/configure.nginx /usr/local/directadmin/custombuild/custom/nginx/configure.nginx > /usr/local/directadmin/custombuild/custom/nginx/configure.nginx
nano /usr/local/directadmin/custombuild/custom/nginx/configure.nginx
#!/bin/sh
# Custom nginx configure script for DirectAdmin custombuild
# (/usr/local/directadmin/custombuild/custom/nginx/configure.nginx).
#
# Notes on the options below (comments cannot sit between the
# backslash-continued lines, so they are collected here):
#  - --with-pcre, --with-zlib and --with-openssl point at source trees, so
#    those libraries are compiled into the nginx binary. A security update
#    to any of them (OpenSSL above all) needs an updated tree and a rebuild;
#    distro package updates do not reach this binary.
#  - The openssl-1.1.1 tree is not fetched anywhere else on this page; it
#    must already exist under /usr/local/src before running this script.
#  - --with-ipv6 is reported as deprecated by newer nginx releases (IPv6
#    support is always built); it is harmless but no longer needed.
#  - --with-http_dav_module only adds WebDAV methods in locations that set
#    dav_methods; leave it out if no site needs them.
#  - --with-mail / --with-stream build the mail and stream (TCP/UDP) proxy
#    cores; they stay inactive unless a mail {} / stream {} block exists.
#  - --with-cc-opt raises FD_SETSIZE; the nested quoting (single quotes
#    inside double quotes) is kept as copied from the DirectAdmin template.
./configure \
    "--prefix=/usr" \
    "--sbin-path=/usr/sbin" \
    "--conf-path=/etc/nginx/nginx.conf" \
    "--error-log-path=/var/log/nginx/error_log" \
    "--http-log-path=/var/log/nginx/access_log" \
    "--pid-path=/var/run/nginx.pid" \
    "--user=nginx" \
    "--group=nginx" \
    "--without-mail_imap_module" \
    "--without-mail_smtp_module" \
    "--with-ipv6" \
    "--with-http_ssl_module" \
    "--with-http_realip_module" \
    "--with-http_stub_status_module" \
    "--with-http_gzip_static_module" \
    "--with-http_dav_module" \
    "--with-http_v2_module" \
    "--with-cc-opt='-D FD_SETSIZE=32768'" \
    "--with-pcre-jit" \
    "--with-ld-opt=-lrt" \
    "--with-pcre=/usr/local/src/pcre-8.42" \
    "--with-zlib=/usr/local/src/zlib-1.2.11" \
    "--with-openssl=/usr/local/src/openssl-1.1.1" \
    "--with-openssl-opt='enable-tls1_3'" \
    "--add-module=/usr/local/src/ngx_brotli" \
    "--with-compat" \
    "--with-file-aio" \
    "--with-threads" \
    "--with-http_addition_module" \
    "--with-http_auth_request_module" \
    "--with-http_flv_module" \
    "--with-http_gunzip_module" \
    "--with-http_mp4_module" \
    "--with-http_random_index_module" \
    "--with-http_secure_link_module" \
    "--with-http_slice_module" \
    "--with-http_degradation_module" \
    "--with-http_sub_module" \
    "--with-mail" \
    "--with-mail_ssl_module" \
    "--with-stream" \
    "--with-stream_realip_module" \
    "--with-stream_ssl_module" \
    "--with-stream_ssl_preread_module"
# generate dhparam 4096 Bit
openssl dhparam -out /etc/nginx/dhparam.pem 4096 & bg
chown root:nginx /etc/nginx/dhparam.pem
# remove ssl on;
# After server_name $hostname |IP|;
cp /usr/local/directadmin/custombuild/configure/nginx/conf/nginx-vhosts.conf /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-vhosts.conf
nano /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-vhosts.conf
# After ssl_certificate_key /etc/nginx/ssl.key/server.key;
if ($host ~ "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" ) {
    return 301 https://|DOMAIN|$request_uri;
}
return 301 https://$server_name$request_uri;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
nano /usr/local/directadmin/conf/directadmin.conf
add :: SPACE_HTTP2= http2
add :: SSL_TEMPLATE=1

cp /usr/local/directadmin/custombuild/configure/nginx/conf/nginx-defaults.conf /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-defaults.conf > /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-defaults.conf
nano /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-defaults.conf

default_type application/octet-stream;
tcp_nopush on;
tcp_nodelay on;
sendfile on;
log_format bytes '$bytes_sent $request_length';
keepalive_timeout 15;
types_hash_max_size 2048;
disable_symlinks if_not_owner from=$document_root;
server_tokens off;
client_max_body_size 1024m;
client_body_buffer_size 128k;
server_names_hash_bucket_size 128;
server_names_hash_max_size 10240;
# openssl dhparam -out /etc/nginx/dhparam.pem 4096 & bg
# chown root:nginx /etc/nginx/dhparam.pem
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_session_tickets off;
proxy_read_timeout 1800s;
# https://mozilla.github.io/server-side-tls/ssl-config-generator/ intermediate configuration.
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# Note: OpenSSL 1.1.1 does not recognise the TLS13-* names above (TLS 1.3 suites are selected separately), so this list only governs TLS 1.2.
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
brotli on;
brotli_static on;
brotli_types *;
resolver 8.8.8.8 4.4.4.4 valid=300s ipv6=off;
resolver_timeout 10s;
# END

+++++++++++ http://help.directadmin.com/item.php?id=2

cd /usr/local/directadmin/data/templates
mkdir /usr/local/directadmin/data/templates/custom
cp /usr/local/directadmin/data/templates/nginx_server_secure.conf /usr/local/directadmin/data/templates/custom/nginx_server_secure.conf
cp /usr/local/directadmin/data/templates/nginx_server_secure_sub.conf /usr/local/directadmin/data/templates/custom/nginx_server_secure_sub.conf
nano /usr/local/directadmin/data/templates/custom/nginx_server_secure.conf /usr/local/directadmin/data/templates/custom/nginx_server_secure_sub.conf

# remove ssl on;

# Lodewijkhosting
# After listen |IP|:|PORT_443| ssl|SPACE_HTTP2|;
listen 93.158.222.141:443 ssl|SPACE_HTTP2|;
|MULTI_IP|
listen [2a00:1ca8:5f:b0b0:0:0:0:141]:443 ssl|SPACE_HTTP2|;

# Lodewijk ict
# After listen |IP|:|PORT_443| ssl|SPACE_HTTP2|;
listen 93.158.222.142:443 ssl|SPACE_HTTP2|;
|MULTI_IP|
listen [2a00:1ca8:5f:5a9a:0:0:0:142]:443 ssl|SPACE_HTTP2|;

# Torrenttop100
# After listen |IP|:|PORT_443| ssl|SPACE_HTTP2|;
listen 93.158.222.143:443 ssl|SPACE_HTTP2|;
|MULTI_IP|
listen [2a00:1ca8:5f:5a9a:0:0:0:143]:443 ssl|SPACE_HTTP2|;

# After ssl_certificate_key |KEY|;
ssl_trusted_certificate |CERT|;
ssl_stapling on;
ssl_stapling_verify on;
add_header X-Frame-Options "ALLOW-FROM https://*.|DOMAIN|" always;
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin";
add_header Expect-CT "enforce; max-age=86400; report-uri=https://|DOMAIN|/reporting_issues";
add_header Expect-Staple "max-age=31536000; report-uri=https://|DOMAIN|/reporting_issues; includeSubDomains; preload";
#add_header Content-Security-Policy "frame-ancestors https://*.|DOMAIN| https://|DOMAIN|";
#add_header X-Robots-Tag none;

# niet gebruiken 26-11-2016
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
#add_header X-Frame-Options DENY;
#add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block";
#add_header X-Robots-Tag none;
#add_header Referrer-Policy "strict-origin";
#add_header Expect-CT "enforce; max-age=86400; report-uri=https://|DOMAIN|/reporting_issues";
#add_header Expect-Staple "max-age=30; report-uri=https://|DOMAIN|/reporting_issues; includeSubDomains; preload";
#add_header Content-Security-Policy "frame-ancestors 'none'";
# END

cp /usr/local/directadmin/data/templates/nginx_server.conf /usr/local/directadmin/data/templates/custom/nginx_server.conf
cp /usr/local/directadmin/data/templates/nginx_server_sub.conf /usr/local/directadmin/data/templates/custom/nginx_server_sub.conf
nano /usr/local/directadmin/data/templates/custom/nginx_server.conf /usr/local/directadmin/data/templates/custom/nginx_server_sub.conf

# Lodewijkhosting
# Remove :: |CUSTOM|
# After listen |IP|:|PORT_80|;
listen 93.158.222.141:80;
|MULTI_IP|
listen [2a00:1ca8:5f:b0b0:0:0:0:141]:80;
# END

# Lodewijk ict
# Remove :: |CUSTOM|
# After listen |IP|:|PORT_80|;
listen 93.158.222.142:80;
|MULTI_IP|
listen [2a00:1ca8:5f:5a9a:0:0:0:142]:80;
# After server_name |DOMAIN| www.|DOMAIN| |SERVER_ALIASES|;
|*if SSL_TEMPLATE="0"|
if ($host ~ "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" ) {
    return 301 https://|DOMAIN|$request_uri;
}
return 301 https://$server_name$request_uri;
|*else|
add_header Strict-Transport-Security max-age=63072000;
|*endif|
# END

# Torrenttop100
# Remove :: |CUSTOM|
# After listen |IP|:|PORT_80|;
listen 93.158.222.143:80;
|MULTI_IP|
listen [2a00:1ca8:5f:5a9a:0:0:0:143]:80;
# After server_name |DOMAIN| www.|DOMAIN| |SERVER_ALIASES|;
|*if SSL_TEMPLATE="0"|
if ($host ~ "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" ) {
    return 301 https://|DOMAIN|$request_uri;
}
return 301 https://$server_name$request_uri;
|*else|
add_header Strict-Transport-Security max-age=63072000;
|*endif|
# END

cp /usr/local/directadmin/data/templates/nginx_ips.conf /usr/local/directadmin/data/templates/custom/nginx_ips.conf
cp /usr/local/directadmin/data/templates/nginx_server_redirect.conf /usr/local/directadmin/data/templates/custom/nginx_server_redirect.conf
nano /usr/local/directadmin/data/templates/custom/nginx_ips.conf /usr/local/directadmin/data/templates/custom/nginx_server_redirect.conf
# remove ssl on;

## SSL (http://www.directadmin.com/features.php?id=1828)
# Lodewijk Hosting
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single mail.lodewijkhosting.nl 4096
# Lodewijk ICT
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single mail.lodewijkict.nl 4096
# Torrenttop100
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single mail.torrenttop100.com 4096

cd /usr/local/directadmin/conf
echo 'letsencrypt=1' >> /usr/local/directadmin/conf/directadmin.conf
perl -pi -e 's/SSL=0/SSL=1/' directadmin.conf
perl -pi -e 's/cacert/#cacert/' directadmin.conf
perl -pi -e 's/cakey/#cakey/' directadmin.conf
# Note: the three substitutions above are unanchored; run them only once, a second run turns "#cacert" into "##cacert".
echo "cacert=/usr/local/directadmin/data/users/lodewijkict/domains/lodewijkict.nl.cert" >> directadmin.conf
echo "cakey=/usr/local/directadmin/data/users/lodewijkict/domains/lodewijkict.nl.key" >> directadmin.conf
echo "carootcert=/usr/local/directadmin/data/users/lodewijkict/domains/lodewijkict.nl.cacert" >> directadmin.conf
echo "force_hostname=lodewijkict.nl" >> directadmin.conf
echo "ssl_redirect_host=lodewijkict.nl" >> directadmin.conf
echo "enable_ssl_sni=1" >> directadmin.conf
echo "dns_ttl=1" >> directadmin.conf
cd /usr/local/directadmin/custombuild
./build set redirect_host lodewijkict.nl
./build set redirect_host_https yes

// Finished?
echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d2000
echo "action=rewrite&value=nginx" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d2000
cd /usr/local/directadmin/custombuild/
./build clean
./build update
./build used_configs
./build nginx
./build php d
./build exim
./build dovecot
./build rewrite_confs
service directadmin restart
service nginx restart
service exim restart
service dovecot restart
nginx -t

Test :: https://tools.keycdn.com/http2-test
Test :: https://hstspreload.org

// * * * //
echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d2000
echo "action=rewrite&value=nginx" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d2000
echo "action=directadmin&value=restart" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d2000
cd /usr/local/directadmin/custombuild/
./build update
./build nginx
./build rewrite_confs
service directadmin restart
service nginx restart
nginx -t
// * * * //
nginx -t
nginx -s reload
nano /usr/local/directadmin/custombuild/configure/nginx/conf/nginx-vhosts.conf
nano /usr/local/directadmin/custombuild/configure/nginx_reverse/conf/nginx-vhosts.conf
nano /usr/local/directadmin/custombuild/custom/nginx/conf/nginx-vhosts.conf

Bronnen :
https://forum.directadmin.com/archive/index.php/t-51344.html
http://nginx.org/en/docs/http/ngx_http_v2_module.html
https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033
https://www.cloudinsidr.com/content/how-to-activate-http2-with-ssltls-encryption-in-nginx-for-secure-connections

ssl_trusted_certificate /etc/nginx/ssl.crt/server.crt.combined;
ssl_stapling on;
ssl_stapling_verify on;
add_header X-Frame-Options "ALLOW-FROM https://*.|DOMAIN|" always;
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin";
add_header Expect-CT "enforce; max-age=86400; report-uri=https://|DOMAIN|/reporting_issues";
add_header Expect-Staple "max-age=31536000; report-uri=https://|DOMAIN|/reporting_issues; includeSubDomains; preload";
add_header Content-Security-Policy "frame-ancestors https://*.|DOMAIN| https://|DOMAIN|";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

Note: nginx inherits add_header lines from the enclosing level only when the current level defines none of its own, so a server or location block that sets even one add_header drops all of the above for that scope; verify the response headers after the rewrite. X-Frame-Options ALLOW-FROM takes a single origin (no wildcard) and is not honoured by current browsers; the Content-Security-Policy frame-ancestors line is the supported equivalent.