Differences

This shows you the differences between two versions of the page.

playground:playground [2020/05/11 20:28] – [Nginx webserver] bittwiddlers
playground:playground [2024/08/06 19:36] – testing mguima
Line 1: Line 1:
 ====== PlayGround ====== ====== PlayGround ======
-~~NOTOC~~ 
  
-<WRAP info> +====== Bootlogs ====== 
-The playground is for experimenting. Play around as you like!\\ +==== OEM bootlog ==== 
-This page is for playing around and experimenting only, and can be deleted any time, therefore don't put anything here that shall last long time.\\ +<WRAP bootlog
-Use the [[inbox:start|Inbox]] to create new pages that are WIP, but shall find a permanent place in the wiki once they are considered finished. +<nowiki
- +... TBD ... 
-Add your content below the line and **leave this note in place.** +</nowiki
-</WRAP> +</WRAP>\\
- +
----- +
- +
- +
-====== Nginx webserver====== +
- +
-[[http://wiki.nginx.org/|Nginx]] is a high-performance http-server with other functions as well. +
-It is a perfect candidate to run on OpenWRT due to the performance and memory handling. +
- +
-====== test section====== +
- +
-test section +
-====== Install ====== +
-We can install Nginx with SSL (using libopenssl) by: +
-<code> opkg update && opkg install nginx-ssl </code> +
-If we omit the "-ssl" suffix, we get Nginx without SSL support. +
- +
-Of course there will be port issues if you installed LuCI before or after Nginx, since LuCI package installs uhttpd, which also wants to claim port 80. So configuring and/or portforwarding may be neccessary. There are ways to run LuCI with another http daemon but that is not coverd here. For a quick fix, just change the uhttpd port to something else in /etc/config/uhttpd.  +
- +
-====== Configuration ====== +
- +
-===== Basic ===== +
- +
-We modify the configuration by creating configuration files in the /etc/nginx/conf.d/ directory. The configuration files use the file extensions .locations and .conf (for Nginx with SSL also .crt and .key). For the new configuration to take effect, we must reload it by: +
- +
-<code>service nginx reload</code+
- +
-For OpenWrt we use a special configuration, so that we can make a site available at a specific location in the LAN by creating a .locations file in the /etc/nginx/conf.d/ directory like: +
- +
-''' +
-# /etc/nginx/conf.d/example.locations +
-location /ex/am/ple { +
-    # access_log /var/log/nginx/access.log;  +
-    error_log /dev/null; #disables logging after config file is read. +
-    index index.html; +
-+
-# location /eg/static ... +
-''' +
- +
-This file consists just of some [[https://nginx.org/en/docs/http/ngx_http_core_module.html#location|location blocks]]. +
-Under the latter link, you can find also the official documentation for all available directives of the HTTP core of Nginx. Look for "location" in the Context: list. +
-See other packages using a [[https://github.com/search?utf8=%E2%9C%93&q=repo%3Aopenwrt%2Fpackages+extension%3Alocations&type=Code&ref=advsearch&l=&l=|.locations]] file, too. +
- +
-It is important that all location blocks in all .locations files are different since they are all included in the LAN server part: +
- +
-<code># /etc/nginx/conf.d/_lan.conf: +
-# default_server for the LAN addresses got by: ifstatus lan | grep '"address"' +
-server { +
-    include '/var/nginx_lan.listen'; +
-    server_name _; +
-    include conf.d/*.locations; +
-}</code> +
- +
-Luci can use the root location / to make it available under, e.g. [[https://192.168.1.1|192.168.1.1/]], but, therefore all other location blocks cannot use the location / without suffix. +
- +
-In order to make another site available on a root URI, e.g. on [[https://example.lan|example.lan/]], we need to use a [[#new_server_parts|new server part]] optionally [[ssl_server_parts|with SSL]]. +
- +
-===== New Server Parts ===== +
- +
- +
-[[https://nginx.org/en/docs/http/request_processing.html|processes requests]] +
- +
-<code># example.com.conf: +
-server { +
-    listen 80; +
-    listen [::]:80; +
-    include '/var/nginx_lan.listen'; +
-    server_name example.com; +
-    include 'conf.d/example.com.locations'; +
-+
-</code +
- +
-The file /var/nginx_lan.listen contains the listen directives with the LAN address(es) +
- +
- +
-See other packages providing such [[https://github.com/search?q=repo%3Aopenwrt%2Fpackages+nginx_lan+extension%3Aconf&type=Code|servers]]. +
- +
- +
- +
-===== SSL Server Parts ===== +
- +
- +
- +
-Redirect to ssl by the default server installed at /etc/nginx/conf.d/_redirect2ssl.conf automatically: +
-<code># /etc/nginx/conf.d/_redirect2ssl.conf: +
-# acts as default server if there is no other. +
-server { +
-    listen 80; +
-    listen [::]:80; +
-    server_name _; +
-    return 302 https://$host$request_uri; +
-}</code> +
- +
-<code># example.com.conf: +
-server { +
-    listen 443 ssl; +
-    listen [::]:443 ssl; +
-    include '/var/nginx_lan_ssl.listen'; +
-    server_name example.com; +
-    ssl_certificate 'conf.d/example.com.crt'; +
-    ssl_certificate_key 'conf.d/example.com.key'; +
-    ssl_session_cache shared:SSL:32k; +
-    ssl_session_timeout 64m; +
-    include 'conf.d/example.com.locations'; +
-+
-</code> +
- +
- +
-[[https://nginx.org/en/docs/http/configuring_https_servers.html|HTTPS intro]] +
- +
- +
- +
-[[link "https://nginx.org/en/docs/http/ngx_http_ssl_module.html|all HTTPS directives]] +
- +
- +
-We have the TLS Server Name Indication (SNI) support enabled, you can see it by the command: +
-<code>nginx -V</code>   +
- +
- +
- +
-===== Special Cases ===== +
- +
- +
- +
-[[https://github.com/nginx/nginx/tree/master/conf|Nginx conf]] +
- +
- +
-[[playground:test_new|playground:test_new]] +
-===== Openwrt Internals ===== +
- +
-The main configuration is: +
-<code># /etc/nginx/nginx.conf: +
-# Please create *.conf files in /etc/nginx/conf.d/ without editing this file. +
-# For details see https://openwrt.org.docs/guide-user/services/webserver/nginx +
- +
-user nobody nogroup; +
-worker_processes auto; +
- +
-events {} +
- +
-http { +
-    access_log off; +
- +
-    include mime.types; +
-    default_type application/octet-stream; +
-    sendfile on; +
- +
-    client_max_body_size 17M; +
-    large_client_header_buffers 2 1k; +
- +
-    gzip on; +
-    gzip_vary on; +
-    gzip_proxied any; +
- +
-    root /www; +
- +
-    include conf.d/*.conf; +
-}</code> +
- +
- +
-It pulls in the  +
- +
-More details  +
- +
- +
- +
- +
- +
- +
-The file /var/nginx_lan.listen keeps the IP addresses of the LAN. +
- +
-The server part /etc/nginx/conf.d/_lan.conf pulls in this file and all location parts in /etc/nginx/conf.d/*.locations. So, different sites can install their location parts there and they will be available on LAN. +
- +
-The locations can also be used in other /etc/nginx/conf.d/*.conf. server parts for making selected sites available on WAN under different domains, i.e. server_name. +
- +
-The /var/nginx_listen_lan.conf file is (re-)created if nginx starts or the LAN interface changes. +
- +
- +
-    Everytime nginx-ssl starts, we check if the LAN has already a valid ssl certificate in +
-    /etc/nginx/conf.d/_lan.{crt,key} +
-     +
-    If there is no valid certificate, we try to create a self-signed one (that needs px5g or openssl-util to be installed, too) +
-     +
-    When there exists a certificate, we add corresponding ssl_certificate* directives to the configuration file +
-    /etc/nginx/conf.d/_lan.conf +
-    if needed and if it looks “normal”, i.e., it has a server_name _; part. +
-     +
-    When there is a valid certificate for the LAN, we activate ssl by listen :443 ssl; directives in +
-    /var/nginx_lan.listen +
-    and it becomes available by the default redirect from listen *:80; in +
-    /etc/nginx/conf.d/_redirect2ssl.conf +
-     +
-    If cron is available (not inactive), we use it to check the certificate for validity once a year and renew it if there are only 13 months of the more than 3 years life time left. +
- +
-The prime points 2, 3 and 5 can be used for other domains, too: Create a +
-/etc/nginx/conf.d/www.example.com.conf +
-with a corresponding server_name www.example.com; part and call +
-service nginx create_selfsigned_certificate_if_needed www.example.com +
-I did not test it for other domains, though.+
  
 +====== Bootlogs ======
 +=== OpenWRT bootlog ===
 +== System bootlog ==
 +<WRAP bootlog>
 +<nowiki>
 +... TBD ...
 +</nowiki>
 +</WRAP>\\
  
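Review bot: the removed lines at the top of this hunk delete the "<WRAP info>" playground notice even though its own text says "leave this note in place"; restore that block and the "----" rule under it, and put the Bootlogs test content below the rule. The added side also introduces "====== Bootlogs ======" twice, both at the same heading level as the page title "====== PlayGround ======", and the "<nowiki>" blocks hold only "... TBD ...", so keep a single copy under a lower-level heading until there is a real bootlog to paste. Since the same revision drops the whole Nginx section, including the SSL server examples and the self-signed certificate notes, confirm that text has a permanent page elsewhere before it disappears from this one.
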
  • Last modified: 2024/11/11 21:03
  • by signoretnt