Differences
This shows you the differences between two versions of the page.
| playground:playground [2020/08/03 17:17] – old w/o ssl peter-stadler | playground:playground [2024/08/06 19:36] – testing mguima | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== PlayGround ====== | ====== PlayGround ====== | ||
| - | ~~NOTOC~~ | ||
| - | <WRAP info> | + | ====== |
| - | The playground is for experimenting. Play around as you like!\\ | + | ==== OEM bootlog |
| - | This page is for playing around and experimenting only, and can be deleted any time, therefore don't put anything here that shall last long time.\\ | + | <WRAP bootlog> |
| - | Use the [[inbox: | + | <nowiki> |
| - | + | ... TBD ... | |
| - | Add your content below the line and **leave this note in place.** | + | </nowiki> |
| - | </ | + | </WRAP>\\ |
| - | + | ||
| - | ---- | + | |
| - | + | ||
| - | ====== | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | [[http:// | + | |
| - | is a high-performance HTTP/S server with other functions as well. | + | |
| - | It is a perfect candidate to run on OpenWrt due to the performance and memory | + | |
| - | handling. | + | |
| - | **NB:** At this time (2020-07-21), | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | ===== Install | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | We can install Nginx with SSL (using libopenssl) by: | + | |
| - | <code> opkg update && opkg install nginx-ssl </code> | + | |
| - | + | ||
| - | Of course there will be port issues if we installed | + | |
| - | [[docs: | + | |
| - | before or after Nginx, since the standard LuCI package installs | + | |
| - | [[docs: | + | |
| - | which also wants to claim port 80 (and port 443 for HTTPS). | + | |
| - | So configuring and/or portforwarding may be neccessary. | + | |
| - | There are ways to run | + | |
| - | [[docs: | + | |
| - | but that is not coverd here. | + | |
| - | For a quick fix, just change the uhttpd port to something else in | + | |
| - | ''/ | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | ===== Configuration ===== | + | |
| - | /* Created by the following bash script that includes the source of some files: | + | |
| - | * https:// | + | |
| - | */ | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | The official Documentation contains a | + | |
| - | [[https:// | + | |
| - | Here we will look at some often used configuration parts and how we handle them | + | |
| - | at OpenWrt. | + | |
| - | At different places there are references to the official | + | |
| - | [[https:// | + | |
| - | for further reading. | + | |
| - | + | ||
| - | **tl;dr:** The main configuration is a minimal configuration enabling the | + | |
| - | ''/ | + | |
| - | * There is a '' | + | |
| - | * We can disable parts of the configuration by renaming them. | + | |
| - | * If we want to install other HTTPS servers that are also reachable locally, | + | |
| - | * We have a server in '' | + | |
| - | * We can create a self-signed certificate and add corresponding directives to e.g. '' | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ==== Basic ==== | + | |
| - | /* Created by the following bash script that includes the source of some files: | + | |
| - | * https:// | + | |
| - | */ | + | |
| - | + | ||
| - | + | ||
| - | We modify the configuration by creating different configuration files in the | + | |
| - | ''/ | + | |
| - | The configuration files use the file extensions '' | + | |
| - | '' | + | |
| - | We can disable single configuration parts by giving them another extension, | + | |
| - | e.g., by adding '' | + | |
| - | For the new configuration to take effect, we must reload it by: | + | |
| - | < | + | |
| - | + | ||
| - | For OpenWrt we use a special initial configuration, | + | |
| - | the section [[# | + | |
| - | So, we can make a site available at a specific URL in the **LAN** by creating a | + | |
| - | '' | + | |
| - | Such a file consists just of some | + | |
| - | [[https:// | + | |
| - | location blocks]]. | + | |
| - | Under the latter link, you can find also the official documentation for all | + | |
| - | available directives of the HTTP core of Nginx. | + | |
| - | Look for // | + | |
| - | + | ||
| - | The following example provides a simple template, see at the end for | + | |
| - | different [[# | + | |
| - | [[https:// | + | |
| - | +extension%3Alocations& | + | |
| - | other packages using a .locations file]], too: | + | |
| - | <code nginx /etc/ | + | |
| - | location /ex/am/ple { | + | |
| - | access_log off; # default: not logging accesses. | + | |
| - | # access_log / | + | |
| - | # error_log stderr; # default: logging to logd (init forwards stderr). | + | |
| - | error_log /dev/null; # disable error logging after config file is read. | + | |
| - | # (state path of a file for access_log/ | + | |
| - | index index.html; | + | |
| - | } | + | |
| - | # location /eg/static { … } | + | |
| - | </ | + | |
| - | + | ||
| - | All location blocks in all '' | + | |
| - | since they are all included in the '' | + | |
| - | [[# | + | |
| - | We reserve the '' | + | |
| - | e.g. [[https:// | + | |
| - | All other sites shouldn’t use the root '' | + | |
| - | We can make other sites available on the root URL of other domain names, e.g. | + | |
| - | on www.example.com/ | + | |
| - | In order to do that, we create a '' | + | |
| - | see the next section [[# | + | |
| - | We can also activate SSL there, as described below in the section | + | |
| - | [[# | + | |
| - | We use such server parts also for publishing sites to the internet (WAN) | + | |
| - | instead of making them available just in the LAN. | + | |
| - | + | ||
| - | Via '' | + | |
| - | configuration. The difference to editing the main ''/ | + | |
| - | file instead is the following: If the package’s '' | + | |
| - | it will only be installed if the old file has not been changed. | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ==== New Server Parts ==== | + | |
| - | /* Created by the following bash script that includes the source of some files: | + | |
| - | * https:// | + | |
| - | */ | + | |
| - | + | ||
| - | + | ||
| - | For making the router reachable from the WAN at a registered domain name, | + | |
| - | it is not enough to give the name server the internet IP address of the router | + | |
| - | (maybe updated automatically by a | + | |
| - | [[docs: | + | |
| - | We also need to set up virtual hosting for this domain name by creating an | + | |
| - | appropriate server part in a ''/ | + | |
| - | All such files are included at the start of Nginx by the default main | + | |
| - | configuration of OpenWrt ''/ | + | |
| - | [[# | + | |
| - | + | ||
| - | In the server part, we state the domain as | + | |
| - | [[https:// | + | |
| - | server_name]]. | + | |
| - | The link points to the same document as for the location blocks in the | + | |
| - | [[# | + | |
| - | directives of the HTTP core of Nginx. | + | |
| - | This time look for //server// in the Context list, too. | + | |
| - | The server part should also contain similar location blocks as before. | + | |
| - | We can re-include a '' | + | |
| - | the LAN by default. | + | |
| - | Then the site is reachable under the same path at both domains, e.g., by | + | |
| - | http:// | + | |
| - | + | ||
| - | The following example is a simple template: | + | |
| - | <code nginx / | + | |
| - | server { | + | |
| - | listen 80; | + | |
| - | listen [::]:80; | + | |
| - | server_name example.com; | + | |
| - | # location / { … } # root location for this server. | + | |
| - | include '/ | + | |
| - | } | + | |
| - | </ | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ==== SSL Server Parts ==== | + | |
| - | /* Created by the following bash script that includes the source of some files: | + | |
| - | * https:// | + | |
| - | */ | + | |
| - | + | ||
| - | + | ||
| - | We can enable HTTPS for a domain if Nginx is installed with SSL support. | + | |
| - | We need a SSL certificate as well as its key and add them by the directives | + | |
| - | // | + | |
| - | domain. | + | |
| - | The rest of the configuration is similar as described in the previous section | + | |
| - | [[# | + | |
| - | we only have to adjust the listen directives by adding the //ssl// parameter, | + | |
| - | see the official documentation for | + | |
| - | [[https:// | + | |
| - | configuring HTTPS servers]], too. | + | |
| - | + | ||
| - | The [[# | + | |
| - | file containing a server part that listens on the LAN address(es) and acts as | + | |
| - | // | + | |
| - | For making the domain name accessible in the LAN, too, the corresponding | + | |
| - | server part must listen **explicitly** on the local IP address(es), | + | |
| - | official documentation on | + | |
| - | [[https:// | + | |
| - | We can include the file ''/ | + | |
| - | directives with ssl parameter for all LAN addresses on the HTTP port 443 and is | + | |
| - | updated automatically. | + | |
| - | + | ||
| - | The official documentation of the SSL module contains an | + | |
| - | [[https:// | + | |
| - | example]], | + | |
| - | which includes some optimizations. | + | |
| - | The following template is extended similarly: | + | |
| - | <code nginx / | + | |
| - | server { | + | |
| - | listen 443 ssl; | + | |
| - | listen [::]:443 ssl; | + | |
| - | include '/ | + | |
| - | server_name example.com; | + | |
| - | ssl_certificate '/ | + | |
| - | ssl_certificate_key '/ | + | |
| - | ssl_session_cache shared: | + | |
| - | ssl_session_timeout 64m; | + | |
| - | # location / { … } # root location for this server. | + | |
| - | include '/ | + | |
| - | } | + | |
| - | </ | + | |
| - | + | ||
| - | For creating a certificate (and its key) we can use Let’s Encrypt by installing | + | |
| - | [[https:// | + | |
| - | < | + | |
| - | + | ||
| - | For the LAN server in the '' | + | |
| - | ''/ | + | |
| - | We can use this mechanism also for other sites by issuing, e.g.: | + | |
| - | < | + | |
| - | - It adds SSL directives to the server part of ''/ | + | |
| - | - Then, it checks if there is a certificate and key for the given domain name that is valid for at least 13 months or tries to create a self-signed one. | + | |
| - | - When cron is activated, it installs a cron job for renewing the self-signed | + | |
| - | + | ||
| - | Beside the '' | + | |
| - | [[# | + | |
| - | '' | + | |
| - | request for inexistent URIs to HTTPS. | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ==== OpenWrt’s Defaults ==== | + | |
| - | /* Created by the following bash script that includes the source of some files: | + | |
| - | * https:// | + | |
| - | */ | + | |
| - | + | ||
| - | + | ||
| - | The default main configuration file is: | + | |
| - | <file nginx / | + | |
| - | # Please consider creating files in / | + | |
| - | # For details see https:// | + | |
| - | + | ||
| - | worker_processes auto; | + | |
| - | + | ||
| - | user root; | + | |
| - | + | ||
| - | events {} | + | |
| - | + | ||
| - | http { | + | |
| - | access_log off; | + | |
| - | log_format openwrt | + | |
| - | ' | + | |
| - | ' (${body_bytes_sent}B in ${request_time}s) <- $http_referer'; | + | |
| - | + | ||
| - | include mime.types; | + | |
| - | default_type application/ | + | |
| - | sendfile on; | + | |
| - | + | ||
| - | client_max_body_size 128M; | + | |
| - | large_client_header_buffers 2 1k; | + | |
| - | + | ||
| - | gzip on; | + | |
| - | gzip_vary on; | + | |
| - | gzip_proxied any; | + | |
| - | + | ||
| - | root /www; | + | |
| - | + | ||
| - | include conf.d/ | + | |
| - | }</ | + | |
| - | + | ||
| - | We can pretend the main configuration contains also the following presets, | + | |
| - | since Nginx is configured with them: | + | |
| - | <code nginx> | + | |
| - | pid "/ | + | |
| - | lock_file "/ | + | |
| - | error_log " | + | |
| - | proxy_temp_path "/ | + | |
| - | client_body_temp_path "/ | + | |
| - | fastcgi_temp_path "/ | + | |
| - | + | ||
| - | So, the access log is turned off by default and we can look at the error log | + | |
| - | by '' | + | |
| - | [[docs: | + | |
| - | We can set the // | + | |
| - | messages are forwarded to instead (after the configuration is read). | + | |
| - | And for redirecting the access log of a //server// or // | + | |
| - | too, we insert the following directive in the corresponding block: | + | |
| - | <code nginx> | + | |
| - | access_log / | + | |
| - | </ | + | |
| - | + | ||
| - | At the end, the main configuration pulls in all '' | + | |
| - | directory ''/ | + | |
| - | server part for the LAN: | + | |
| - | <file nginx / | + | |
| - | # default_server for the LAN addresses getting the IPs by: | + | |
| - | # ifstatus lan | jsonfilter -e ' | + | |
| - | server { | + | |
| - | server_name _lan; | + | |
| - | include '/ | + | |
| - | ssl_certificate '/ | + | |
| - | ssl_certificate_key '/ | + | |
| - | ssl_session_cache ' | + | |
| - | ssl_session_timeout ' | + | |
| - | # access_log / | + | |
| - | include conf.d/ | + | |
| - | }</ | + | |
| - | + | ||
| - | It pulls in all '' | + | |
| - | We can install the location parts of different sites there (see above in the | + | |
| - | [[# | + | |
| - | ''/ | + | |
| - | This is needed especially for making them available to the WAN as described | + | |
| - | above in the section [[# | + | |
| - | All '' | + | |
| - | '' | + | |
| - | directives for every local IP address: | + | |
| - | <code nginx> | + | |
| - | listen IPv4:443 ssl default_server; | + | |
| - | listen [IPv6]:443 ssl default_server; | + | |
| - | </ | + | |
| - | The ''/ | + | |
| - | parameter '' | + | |
| - | We can include this file in other server parts that should be reachable in the | + | |
| - | LAN through their // | + | |
| - | Both files ''/ | + | |
| - | through its init for OpenWrt or the LAN interface changes. | + | |
| - | + | ||
| - | There is also the following server part that redirects requests for an | + | |
| - | inexistent '' | + | |
| - | the official documentation on | + | |
| - | [[https:// | + | |
| - | <file nginx / | + | |
| - | # acts as default server if there is no other. | + | |
| - | server { | + | |
| - | listen 80; | + | |
| - | listen [::]:80; | + | |
| - | server_name _redirect2ssl; | + | |
| - | return 302 https:// | + | |
| - | }</ | + | |
| - | + | ||
| - | Nginx’s init file for OpenWrt installs automatically a self-signed certificate | + | |
| - | for the LAN server part if needed and possible: | + | |
| - | - Everytime Nginx starts, we check if the LAN is set up for SSL. | + | |
| - | - We add //ssl*// directives (like in the example of the previous section | + | |
| - | - If there is no corresponding certificate that is valid for more than 13 | + | |
| - | - We activate SSL by including the ssl listen directives from ''/ | + | |
| - | - If cron is available, i.e., its status is not '' | + | |
| - | + | ||
| - | The points 2, 3 and 5 can be used for other domains, too: | + | |
| - | As described in the section [[# | + | |
| - | create a server part in ''/ | + | |
| - | a corresponding '' | + | |
| - | < | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | ===== Locations for Apps ===== | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | For an overview see the official Admin Guide of Nginx on | + | |
| - | [[https:// | + | |
| - | Reverse Proxy]]. | + | |
| - | For logging look at the example in the [[# | + | |
| - | Remember to restart Nginx after changing its configuration by: | + | |
| - | < | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ==== PHP with FastCGI ==== | + | |
| - | + | ||
| - | + | ||
| - | Install [[https:// | + | |
| - | using FastCGI: | + | |
| - | < | + | |
| - | + | ||
| - | In the Nginx configuration we can include the file | + | |
| - | [[https:// | + | |
| - | fastcgi_params]], | + | |
| - | We create a '' | + | |
| - | [[https:// | + | |
| - | +extension%3Alocations+extension%3Aconf& | + | |
| - | other packages using fastcgi_pass]] | + | |
| - | and Nginx' | + | |
| - | [[https:// | + | |
| - | PHP FastCGI Example]], too: | + | |
| - | <code nginx / | + | |
| - | location ~ [^/]\.php$ { | + | |
| - | #error_log / | + | |
| - | fastcgi_connect_timeout 300s; | + | |
| - | fastcgi_read_timeout 300s; | + | |
| - | fastcgi_send_timeout 300s; | + | |
| - | fastcgi_buffer_size 32k; | + | |
| - | fastcgi_buffers 4 32k; | + | |
| - | fastcgi_busy_buffers_size 32k; | + | |
| - | fastcgi_temp_file_write_size 32k; | + | |
| - | client_header_timeout 10s; | + | |
| - | client_body_timeout 10s; | + | |
| - | send_timeout 60s; # default, increase if experiencing a lot of timeouts. | + | |
| - | output_buffers 1 32k; | + | |
| - | fastcgi_index index.php; | + | |
| - | include fastcgi_params; | + | |
| - | fastcgi_param HTTP_PROXY ""; | + | |
| - | if (-f ) { | + | |
| - | # Only throw it at PHP-FPM if file exists (prevents PHP exploits). | + | |
| - | fastcgi_pass | + | |
| - | } | + | |
| - | } | + | |
| - | </ | + | |
| - | + | ||
| - | <code ini / | + | |
| - | doc_root = " | + | |
| - | cgi.force_redirect = 1 | + | |
| - | cgi.redirect_status_env = " | + | |
| - | </ | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ==== uWSGI ==== | + | |
| - | + | ||
| - | + | ||
| - | Install [[https:// | + | |
| - | < | + | |
| - | + | ||
| - | In the Nginx configuration we can include the file | + | |
| - | [[https:// | + | |
| - | uwsgi_params]], | + | |
| - | We create a '' | + | |
| - | [[https:// | + | |
| - | +extension%3Alocations+extension%3Aconf& | + | |
| - | other packages using uwsgi_pass]] | + | |
| - | and the | + | |
| - | [[https:// | + | |
| - | uWSGI documentation for Nginx]], too: | + | |
| - | <code nginx / | + | |
| - | location /mysite { | + | |
| - | # error_log / | + | |
| - | include | + | |
| - | uwsgi_pass unix:/// | + | |
| - | # for CGI (like in LuCI): | + | |
| - | # uwsgi_param SERVER_ADDR $server_addr; | + | |
| - | # uwsgi_modifier1 9; | + | |
| - | } | + | |
| - | </ | + | |
| - | + | ||
| - | For uWSGI, we create a configuration handling the application like the following, see | + | |
| - | [[https:// | + | |
| - | +extension%3Aini& | + | |
| - | other packages using uWSGI]], too: | + | |
| - | <code ini / | + | |
| - | [uwsgi] | + | |
| - | strict = true | + | |
| - | ; adjust the needed plugins, path, name, user and socket for the application: | + | |
| - | plugin = | + | |
| - | chdir = / | + | |
| - | mount = / | + | |
| - | ; or use cgi = / | + | |
| - | uid = user | + | |
| - | gid = nogroup | + | |
| - | chmod-socket = 660 | + | |
| - | chown-socket = user: | + | |
| - | ; Nginx runs as nouser: | + | |
| - | if-not-env = UWSGI_EMPEROR_FD | + | |
| - | socket = / | + | |
| - | vacuum = true | + | |
| - | ; cheap = true | + | |
| - | end-if = | + | |
| - | disable-logging = true | + | |
| - | log-format=%(method) %(uri) => return %(status) (%(rsize) bytes in %(msecs) ms) | + | |
| - | manage-script-name = true | + | |
| - | thunder-lock = true | + | |
| - | enable-threads = true | + | |
| - | threads = 3 | + | |
| - | master = true | + | |
| - | ; processes = 3 | + | |
| - | ; cheaper-algo = spare | + | |
| - | ; cheaper = 1 | + | |
| - | ; cheaper-initial = 1 | + | |
| - | ; cheaper-step = 1 | + | |
| - | ; lazy-apps = true | + | |
| - | ; harakiri = 60 | + | |
| - | ; idle = 360 | + | |
| - | </ | + | |
| + | ====== Bootlogs ====== | ||
| + | === OpenWRT bootlog === | ||
| + | == System bootlog == | ||
| + | <WRAP bootlog> | ||
| + | < | ||
| + | ... TBD ... | ||
| + | </ | ||
| + | </ | ||
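Review bot: `user root;` in the default `/etc/nginx/nginx.conf` listing (under "OpenWrt's Defaults") runs every Nginx worker as root, yet the uWSGI template at the end of the removed text comments `; Nginx runs as nouser:` right next to `chmod-socket = 660` and `chown-socket = user:`; both cannot be true, and the group that uWSGI grants mode 660 on its socket has to be the account Nginx actually runs as, so the guide should name one user consistently (the non-root one, given that the same workers serve `root /www;` and hand requests to PHP and uWSGI). In the "PHP with FastCGI" block, `if (-f ) {` has lost its operand and `fastcgi_pass` its upstream in this rendering, so the location cannot be applied as shown; the file-existence guard it intends ("Only throw it at PHP-FPM if file exists") is usually written as `try_files $uri =404;` placed before `fastcgi_pass`, which also keeps `fastcgi_pass` out of an `if` block, while `fastcgi_param HTTP_PROXY "";` should stay as it is. The revision itself replaces the entire Nginx guide with `... TBD ...` bootlog placeholders without saying where that material went; the old text states that playground content may be deleted at any time, so there is no objection to the removal, but the `/* Created by the following bash script ... */` comments indicate the guide is generated elsewhere, and a one-line pointer to its new home would help anyone reading this history.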