Nginx, did I miss something in the config file?

Hi,
I have struggled with this for 8h now and finally I have my server up and running with SSL on my Windows Server.
So just to make sure, have I missed something in my config file for Nginx that you can recommend me to put in?
I have added the proxy buffer off so I can upload bigg files.

I did find some security notice in the manual, but I could not find out where I should type it in in the config file, maybe someone can help me with that?
I’m assuming that it should go in to the config file for Nginx as it states: “Additional security settings for nginx (optional)” in the manual.
It was the following lines:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
and
server_tokens off;

Here is my config:

  nobody;
worker_processes  1;

  logs/error.log;
  logs/error.log  notice;
  logs/error.log  info;

       logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

      '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

     logs/access.log  main;

    sendfile        on;
       

    
    keepalive_timeout  65;

    
    server {
        listen       80;
        server_name  mydomain;
        rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
    }
    server {
        listen 443;
        ssl on;
        ssl_certificate C:/cert/cacert.pem;        # path to your cacert.pem
        ssl_certificate_key C:/cert/privkey.pem;    # path to your privkey.pem
        server_name mydomain;
        proxy_set_header X-Forwarded-For $remote_addr;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        server_tokens off;

        location / {
            fastcgi_pass    127.0.0.1:8008;
            fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
            fastcgi_param   PATH_INFO           $fastcgi_script_name;

            fastcgi_param   SERVER_PROTOCOL        $server_protocol;
            fastcgi_param   QUERY_STRING        $query_string;
            fastcgi_param   REQUEST_METHOD      $request_method;
            fastcgi_param   CONTENT_TYPE        $content_type;
            fastcgi_param   CONTENT_LENGTH      $content_length;
            fastcgi_param   SERVER_ADDR         $server_addr;
            fastcgi_param   SERVER_PORT         $server_port;
            fastcgi_param   SERVER_NAME         $server_name;
            fastcgi_param   REMOTE_ADDR         $remote_addr;
            fastcgi_param   HTTPS               on;
            fastcgi_param   HTTP_SCHEME         https;

            access_log      logs/seahub.access.log;
            error_log       logs/seahub.error.log;
            fastcgi_read_timeout 36000;
            client_max_body_size 0;
        }
        location /seafhttp {
            rewrite ^/seafhttp(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8082;
            client_max_body_size 0;
            proxy_connect_timeout  36000s;
            proxy_read_timeout  36000s;
            proxy_send_timeout  36000s;
            send_timeout  36000s;
       	    proxy_request_buffering off;
        }
        location /media {
            root C:/SeafileProgram/seafile-server-6.0.7/seahub;
        }
    }
}

That tells nginx to send a header “Strict-Transport-Security” which is a promise to the browsers that you will use TLS all the time from now on at least one year. I think you need a domain validated certificate do use it. I would turn it off at least until everything is working well and then optionally turn it on.

“server_tokens off” tells nginx not to send its version number. You should set it.

That is not seafile standard. It’s perfectly OK to use port 8008 if you told seahub to use that port.

1 Like

Thanks for your replay,
Yes I have change the port so that one is ok.

Ok, so then I should write in server_tokens off to the config file, but where in the config file should I write it?

It’s set correct where it is, good job.
If you can you should setup Let’s Encrypt so you have a valid Certificate, I have never done it in Windows. :smiley:

There is tons out there for Linux, but Windows…

Maybe it’s easier if you run a Linux Reverse Proxy and issue the certs there. :slight_smile:

As DerDanilo said the position in the server block for ssl (listen 443) is ok. As “server_tokens off” is used for security reasons - it shall obfuscate the version of nginx - it should be used in every server block. Put it a second time into the first server block (listen 80) behind
“rewrite ^ https://$http_host$request_uri? permanent;”

If you don’t do so, an attacker could read the response from http://mydomain et voila: the version information is in there.

1 Like

I added this to the server manual, @daniel.pan please approve.

Thanks, it was not easy with windows but I did make it - now I’ll update nginx to x64 version on my server and see if that works.

I did my cert with OpenSSL :slight_smile:

Now I’ll start trying to run the db with MySQL.

I have been bumping in some errors that I needed to fix during the road, I’ll do notes about the issues later and then upload it