Differences
This shows you the differences between two versions of the page.
| playground:playground [2020/05/11 20:28] – [Nginx webserver] bittwiddlers | playground:playground [2024/08/06 19:36] – testing mguima | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== PlayGround ====== | ====== PlayGround ====== | ||
| - | ~~NOTOC~~ | ||
| - | <WRAP info> | + | ====== |
| - | The playground is for experimenting. Play around as you like!\\ | + | ==== OEM bootlog |
| - | This page is for playing around and experimenting only, and can be deleted any time, therefore don't put anything here that shall last long time.\\ | + | <WRAP bootlog> |
| - | Use the [[inbox: | + | <nowiki> |
| - | + | ... TBD ... | |
| - | Add your content below the line and **leave this note in place.** | + | </nowiki> |
| - | </ | + | </WRAP>\\ |
| - | + | ||
| - | ---- | + | |
| - | + | ||
| - | + | ||
| - | ====== | + | |
| - | + | ||
| - | [[http:// | + | |
| - | It is a perfect candidate to run on OpenWRT due to the performance and memory handling. | + | |
| - | + | ||
| - | ====== | + | |
| - | + | ||
| - | test section | + | |
| - | ====== Install ====== | + | |
| - | We can install Nginx with SSL (using libopenssl) by: | + | |
| - | <code> opkg update && opkg install nginx-ssl </code> | + | |
| - | If we omit the " | + | |
| - | + | ||
| - | Of course there will be port issues if you installed LuCI before or after Nginx, since LuCI package installs uhttpd, which also wants to claim port 80. So configuring and/or portforwarding may be neccessary. There are ways to run LuCI with another http daemon but that is not coverd here. For a quick fix, just change the uhttpd port to something else in / | + | |
| - | + | ||
| - | ====== Configuration ====== | + | |
| - | + | ||
| - | ===== Basic ===== | + | |
| - | + | ||
| - | We modify the configuration by creating configuration files in the / | + | |
| - | + | ||
| - | <code> | + | |
| - | + | ||
| - | For OpenWrt we use a special configuration, | + | |
| - | + | ||
| - | ''' | + | |
| - | # / | + | |
| - | location /ex/am/ple { | + | |
| - | # access_log / | + | |
| - | error_log /dev/null; #disables logging after config file is read. | + | |
| - | index index.html; | + | |
| - | } | + | |
| - | # location /eg/static ... | + | |
| - | ''' | + | |
| - | + | ||
| - | This file consists just of some [[https:// | + | |
| - | Under the latter link, you can find also the official documentation for all available directives of the HTTP core of Nginx. Look for " | + | |
| - | See other packages using a [[https:// | + | |
| - | + | ||
| - | It is important that all location blocks in all .locations files are different since they are all included in the LAN server part: | + | |
| - | + | ||
| - | <code># | + | |
| - | # default_server for the LAN addresses got by: ifstatus lan | grep '" | + | |
| - | server { | + | |
| - | include '/ | + | |
| - | server_name _; | + | |
| - | include conf.d/ | + | |
| - | }</code> | + | |
| - | + | ||
| - | Luci can use the root location / to make it available under, e.g. [[https:// | + | |
| - | + | ||
| - | In order to make another site available on a root URI, e.g. on [[https:// | + | |
| - | + | ||
| - | ===== New Server Parts ===== | + | |
| - | + | ||
| - | + | ||
| - | [[https:// | + | |
| - | + | ||
| - | <code># example.com.conf: | + | |
| - | server { | + | |
| - | listen 80; | + | |
| - | listen [::]:80; | + | |
| - | include '/var/ | + | |
| - | server_name example.com; | + | |
| - | include ' | + | |
| - | } | + | |
| - | </code> | + | |
| - | + | ||
| - | The file / | + | |
| - | + | ||
| - | + | ||
| - | See other packages providing such [[https:// | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ===== SSL Server Parts ===== | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | Redirect to ssl by the default server installed at / | + | |
| - | < | + | |
| - | # acts as default server if there is no other. | + | |
| - | server { | + | |
| - | listen 80; | + | |
| - | listen [::]:80; | + | |
| - | server_name _; | + | |
| - | return 302 https:// | + | |
| - | }</ | + | |
| - | + | ||
| - | < | + | |
| - | server { | + | |
| - | listen 443 ssl; | + | |
| - | listen [::]:443 ssl; | + | |
| - | include '/ | + | |
| - | server_name example.com; | + | |
| - | ssl_certificate ' | + | |
| - | ssl_certificate_key ' | + | |
| - | ssl_session_cache shared: | + | |
| - | ssl_session_timeout 64m; | + | |
| - | include ' | + | |
| - | } | + | |
| - | </ | + | |
| - | + | ||
| - | + | ||
| - | [[https:// | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | [[link " | + | |
| - | + | ||
| - | + | ||
| - | We have the TLS Server Name Indication (SNI) support enabled, you can see it by the command: | + | |
| - | < | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ===== Special Cases ===== | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | [[https:// | + | |
| - | + | ||
| - | + | ||
| - | [[playground: | + | |
| - | ===== Openwrt Internals ===== | + | |
| - | + | ||
| - | The main configuration is: | + | |
| - | < | + | |
| - | # Please create *.conf files in / | + | |
| - | # For details see https:// | + | |
| - | + | ||
| - | user nobody nogroup; | + | |
| - | worker_processes auto; | + | |
| - | + | ||
| - | events {} | + | |
| - | + | ||
| - | http { | + | |
| - | access_log off; | + | |
| - | + | ||
| - | include mime.types; | + | |
| - | default_type application/ | + | |
| - | sendfile on; | + | |
| - | + | ||
| - | client_max_body_size 17M; | + | |
| - | large_client_header_buffers 2 1k; | + | |
| - | + | ||
| - | gzip on; | + | |
| - | gzip_vary on; | + | |
| - | gzip_proxied any; | + | |
| - | + | ||
| - | root /www; | + | |
| - | + | ||
| - | include conf.d/ | + | |
| - | }</ | + | |
| - | + | ||
| - | + | ||
| - | It pulls in the | + | |
| - | + | ||
| - | More details | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | The file / | + | |
| - | + | ||
| - | The server part / | + | |
| - | + | ||
| - | The locations can also be used in other / | + | |
| - | + | ||
| - | The / | + | |
| - | + | ||
| - | + | ||
| - | Everytime nginx-ssl starts, we check if the LAN has already a valid ssl certificate in | + | |
| - | / | + | |
| - | + | ||
| - | If there is no valid certificate, | + | |
| - | + | ||
| - | When there exists a certificate, | + | |
| - | / | + | |
| - | if needed and if it looks “normal”, | + | |
| - | + | ||
| - | When there is a valid certificate for the LAN, we activate ssl by listen :443 ssl; directives in | + | |
| - | / | + | |
| - | and it becomes available by the default redirect from listen *:80; in | + | |
| - | / | + | |
| - | + | ||
| - | If cron is available (not inactive), we use it to check the certificate for validity once a year and renew it if there are only 13 months of the more than 3 years life time left. | + | |
| - | + | ||
| - | The prime points 2, 3 and 5 can be used for other domains, too: Create a | + | |
| - | / | + | |
| - | with a corresponding server_name www.example.com; | + | |
| - | service nginx create_selfsigned_certificate_if_needed www.example.com | + | |
| - | I did not test it for other domains, though. | + | |
| + | ====== Bootlogs ====== | ||
| + | === OpenWRT bootlog === | ||
| + | == System bootlog == | ||
| + | <WRAP bootlog> | ||
| + | < | ||
| + | ... TBD ... | ||
| + | </ | ||
| + | </ | ||
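Review bot: on the `+` side the heading ladder is inconsistent: `====== Bootlogs ======` drops straight to `=== OpenWRT bootlog ===` and then `== System bootlog ==` (skipping the `=====` and `====` levels), while the earlier `==== OEM bootlog` block sits under a bare `======` heading with no title; settle on one consistent hierarchy before the `... TBD ...` placeholders inside the `<WRAP bootlog>` / `<nowiki>` blocks get filled in. The bigger review point is that the same revision removes the whole Nginx write-up from the `-` side (the `opkg update && opkg install nginx-ssl` install step, the `conf.d/*.locations` include scheme, the port-80 `server { ... return 302 https:// ... }` redirect that acts as default server, the `listen 443 ssl;` server part with `ssl_certificate`, `ssl_certificate_key` and `ssl_session_cache`, the SNI support check, and the notes on self-signed certificate creation and yearly cron renewal via `service nginx create_selfsigned_certificate_if_needed`) and replaces it with nothing but placeholders, without a pointer to where that material now lives; if it was moved, link the destination from this page, and if it was intentionally discarded, the `error_log /dev/null;` example at least deserves preserving somewhere, since it documents how a location block silently discards its own errors after the config is read.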