Virtual Web Servers

Websites are defined as “Servers” in Nginx and stored as configuration files in the directory /etc/nginx/servers-available.

They are not loaded automatically. To activate a server, a symbolic link to its configuration file is created in the directory /etc/nginx/servers-enabled (see the main configuration file nginx.conf).

The only notable exception is the default server defined in /etc/nginx/http-conf.d/99_default-server.conf, which is always loaded.
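The enable/disable step above, as an added shell example (not the project's own tooling). It assumes the /etc/nginx/servers-available and /etc/nginx/servers-enabled layout just described and an nginx binary on $PATH; the NGINX_DIR override and the script name are assumptions for illustration.

```shell
#!/bin/sh
# Enable, disable and inspect nginx server definitions by managing the
# symbolic links in servers-enabled. Added example, not the project's own
# tooling; assumes the servers-available/servers-enabled layout described above.
set -eu

NGINX_DIR="${NGINX_DIR:-/etc/nginx}"

# enable_server FILE: link servers-available/FILE into servers-enabled.
# Refuses to link a definition that does not exist, so a typo cannot leave a
# dangling link that nginx -t would later reject.
enable_server() {
    src="$NGINX_DIR/servers-available/$1"
    dst="$NGINX_DIR/servers-enabled/$1"
    [ -f "$src" ] || { echo "no such server definition: $src" >&2; return 1; }
    # A relative link target keeps the tree relocatable (backups, chroots, staging copies).
    rm -f "$dst"
    ln -s "../servers-available/$1" "$dst"
}

# disable_server FILE: remove the link; the definition itself stays in servers-available.
disable_server() {
    dst="$NGINX_DIR/servers-enabled/$1"
    if [ -e "$dst" ] && [ ! -L "$dst" ]; then
        echo "refusing to delete a regular file: $dst" >&2
        return 1
    fi
    rm -f "$dst"
}

# server_enabled FILE: succeed only if the link exists and resolves to a file.
server_enabled() {
    dst="$NGINX_DIR/servers-enabled/$1"
    if [ -L "$dst" ] && [ -f "$dst" ]; then return 0; fi
    return 1
}

# apply_config: test the full configuration before asking the running nginx to
# reload, so an error in a newly enabled server never takes the other sites down.
apply_config() {
    nginx -t && nginx -s reload
}

# Usage: ./servers.sh enable example.net.conf && ./servers.sh apply
if [ $# -gt 0 ]; then
    name="${2:-}"
    case "$1" in
        enable)  enable_server "$name" ;;
        disable) disable_server "$name" ;;
        status)  if server_enabled "$name"; then echo "$name: enabled"; else echo "$name: disabled"; fi ;;
        apply)   apply_config ;;
        *)       echo "usage: $0 enable|disable|status NAME | apply" >&2; exit 2 ;;
    esac
fi
```

The relative link target and the refusal to delete a regular file are the two checks worth keeping in whatever tooling you actually use: the first keeps a restored or copied /etc/nginx tree consistent, the second stops a mis-typed disable from deleting the only copy of a definition that was dropped directly into servers-enabled.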

Example Static Website

Along the way through this documentation we will define many more websites for different purposes, with a varying degree of complexity.

For the sake of a clear example, let's show a simple static website that just serves HTML documents from the directory /var/www/example.net/public_html/.

    #
    # example.net Basic Static Website Example
    #

    # Unsecured HTTP Site and Aliases - Redirect to proper HTTPS Site
    server {

        server_name example.net www.example.net;

        # IPv6 public global address
        listen      [2001:db8::11]:80 deferred;

        # IPv4 private local address
        listen      192.0.2.11:80 deferred;

        # IPv4 private address (Port-forwarded from NAT firewall/router)
        listen      192.0.2.10:80;

        # Redirect Tor Clients to our Tor Hidden Service
        if ($isTorExitNode = "true") {
            return  301 http://1234567890abcdef.onion$request_uri;
        }

        # Redirect to HTTPS on proper hostname
        return      301 https://$server_name$request_uri;
    }

    # Secured HTTPS Alias Servers - Redirect to proper HTTPS Server
    server {

        server_name www.example.net;

        # IPv6 public global address
        listen      [2001:db8::11]:443 ssl http2;

        # IPv4 private local address
        listen      192.0.2.11:443 ssl http2;

        # IPv4 private address (Port-forwarded from NAT firewall/router)
        listen      192.0.2.10:443 ssl http2;

        # TLS certificate (chained) and private key
        ssl_certificate         /etc/dehydrated/certs/example.net/fullchain.pem;
        ssl_certificate_key     /etc/dehydrated/certs/example.net/privkey.pem;

        # Enable stapling of online certificate status protocol (OCSP) response
        include                 ocsp-stapling.conf;

        # TLS certificate of signing CA (to validate OCSP response when stapling)
        ssl_trusted_certificate /etc/dehydrated/certs/example.net/chain.pem;

        # OCSP stapling response file (pre-generated)
        ssl_stapling_file       /etc/dehydrated/certs/example.net/ocsp_response.der;

        # TLS session cache (type:name:size)
        ssl_session_cache       shared:www.example.net:10m;

        # TLS session ticket keys (rotated every 8 hours, for 24 hours max.)
        # The first key encrypts new tickets; the others only decrypt older ones.
        ssl_session_ticket_key  tls_session_keys/www.example.net.1.key;
        ssl_session_ticket_key  tls_session_keys/www.example.net.2.key;
        ssl_session_ticket_key  tls_session_keys/www.example.net.3.key;

        # Strict Transport Security (HSTS)
        include     hsts.conf;

        # Redirect Tor Clients to our Tor Hidden Service
        if ($isTorExitNode = "true") {
            return  301 http://1234567890abcdef.onion$request_uri;
        }

        # Redirect to HTTPS on proper hostname
        return      301 https://example.net$request_uri;

    }

    # Secured HTTPS Server
    server {

        server_name example.net;

        # IPv6 public global address
        listen      [2001:db8::11]:443 ssl http2 deferred;

        # IPv4 private local address
        listen      192.0.2.11:443 ssl http2 deferred;

        # IPv4 private address (Port-forwarded from NAT firewall/router)
        listen      192.0.2.10:443 ssl http2;

        # TLS certificate (chained) and private key
        ssl_certificate         /etc/dehydrated/certs/example.net/fullchain.pem;
        ssl_certificate_key     /etc/dehydrated/certs/example.net/privkey.pem;

        # Enable stapling of online certificate status protocol (OCSP) response
        include                 ocsp-stapling.conf;

        # TLS certificate of signing CA (to validate OCSP response when stapling)
        ssl_trusted_certificate /etc/dehydrated/certs/example.net/chain.pem;

        # OCSP stapling response file (pre-generated)
        ssl_stapling_file       /etc/dehydrated/certs/example.net/ocsp_response.der;

        # TLS session cache (type:name:size)
        ssl_session_cache       shared:example.net:10m;

        # TLS session ticket keys (rotated every 8 hours, for 24 hours max.)
        ssl_session_ticket_key  tls_session_keys/example.net.1.key;
        ssl_session_ticket_key  tls_session_keys/example.net.2.key;
        ssl_session_ticket_key  tls_session_keys/example.net.3.key;

        # Strict Transport Security (HSTS)
        include     hsts.conf;

        # Content Security Policy (CSP) (line-breaks for readability, don't include them)
        # Note: reflected-xss and referrer never made it into the final CSP
        # specification and are ignored by current browsers; block-all-mixed-content
        # is deprecated in favour of upgrade-insecure-requests. Set a separate
        # Referrer-Policy header if the no-referrer behaviour is wanted.
        add_header  Content-Security-Policy
            "default-src 'none';
             script-src 'none';
             style-src 'none';
             img-src 'none';
             font-src 'none';
             connect-src 'none';
             media-src 'none';
             object-src 'none';
             child-src 'none';
             worker-src 'none';
             frame-ancestors 'none';
             form-action 'none';
             upgrade-insecure-requests;
             block-all-mixed-content;
             reflected-xss block;
             base-uri https://example.net/;
             manifest-src 'none';
             referrer no-referrer; "
            always;

        # Redirect Tor Clients to our Tor Hidden Service
        if ($isTorExitNode = "true") {
            return  301 http://1234567890abcdef.onion$request_uri;
        }

        # Common Server Settings
        include     server-conf.d/*.conf;

        # Server's Public Documents Root
        root        /var/www/example.net/public_html;
    }

    # Tor Hidden Service
    server {

        server_name 1234567890abcdef.onion;

        # IPv4 local address (forwarded from Tor hidden service)
        listen      127.0.0.11:80 deferred;

        # Common Server Settings
        include     server-conf.d/*.conf;

        # Content Security Policy (CSP) (line-breaks for readability, don't include them)
        add_header  Content-Security-Policy
            "default-src 'none';
             script-src 'none';
             style-src 'none';
             img-src 'none';
             font-src 'none';
             connect-src 'none';
             media-src 'none';
             object-src 'none';
             child-src 'none';
             worker-src 'none';
             frame-ancestors 'none';
             form-action 'none';
             reflected-xss block;
             base-uri http://1234567890abcdef.onion/;
             manifest-src 'none';
             referrer no-referrer; "
            always;

        # Server's Public Documents Root
        root        /var/www/example.net/public_html;
    }

TLS Session Ticket Keys

Every server needs its own set of TLS session ticket keys. The keys are to be rotated every 12 hours, but remain valid for 36 hours.

As one might guess, we need a cron job.

tbd;
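One way to implement the rotation described above, as an added shell example (not the project's own cron job). It assumes the key files live in /etc/nginx/tls_session_keys/ (the relative tls_session_keys/ path in the server blocks, resolved against the nginx prefix) and that nginx is on $PATH; the KEY_DIR override and the script name are assumptions. With three key files per server, running it every 12 hours leaves each key decryptable for 36 hours, which is the schedule this section states.

```shell
#!/bin/sh
# Rotate the nginx TLS session ticket keys referenced by ssl_session_ticket_key.
# Added example, not the project's own script; assumes the key files live in
# /etc/nginx/tls_session_keys/ and that nginx is reachable via $PATH.
set -eu

KEY_DIR="${KEY_DIR:-/etc/nginx/tls_session_keys}"
KEY_BYTES=80       # 80-byte files select AES-256 ticket encryption in nginx (48 bytes: AES-128)
KEY_GENERATIONS=3  # NAME.1 encrypts new tickets, NAME.2 and NAME.3 still decrypt older ones

# new_key FILE: write KEY_BYTES of random data to FILE, readable only by its owner.
new_key() {
    umask 077
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -out "$1" "$KEY_BYTES"
    else
        head -c "$KEY_BYTES" /dev/urandom > "$1"
    fi
}

# rotate_keys NAME: shift NAME.2.key -> NAME.3.key, NAME.1.key -> NAME.2.key, then
# create a fresh NAME.1.key. Missing generations are filled with fresh keys, so the
# first run after deployment also yields a complete set instead of failing.
rotate_keys() {
    name="$1"
    n=$KEY_GENERATIONS
    while [ "$n" -gt 1 ]; do
        prev=$((n - 1))
        if [ -f "$KEY_DIR/$name.$prev.key" ]; then
            mv -f "$KEY_DIR/$name.$prev.key" "$KEY_DIR/$name.$n.key"
        else
            new_key "$KEY_DIR/$name.$n.key"
        fi
        n=$prev
    done
    new_key "$KEY_DIR/$name.1.key"
}

# check_keys NAME: succeed only if every generation exists with exactly KEY_BYTES bytes;
# nginx rejects a file of the wrong size at reload time, so catch it here first.
check_keys() {
    n=1
    while [ "$n" -le "$KEY_GENERATIONS" ]; do
        f="$KEY_DIR/$1.$n.key"
        [ -f "$f" ] || return 1
        [ "$(wc -c < "$f" | tr -d ' ')" -eq "$KEY_BYTES" ] || return 1
        n=$((n + 1))
    done
}

# reload_nginx: validate the configuration before reloading, so a broken key file
# never takes the server down.
reload_nginx() {
    nginx -t && nginx -s reload
}

# Cron usage (every 12 hours, matching the rotation interval stated in this section):
#   0 */12 * * * /usr/local/sbin/rotate-ticket-keys.sh example.net www.example.net
if [ $# -gt 0 ]; then
    for server in "$@"; do
        rotate_keys "$server"
        check_keys "$server"
    done
    reload_nginx
fi
```

Only a reload (not a restart) is needed: nginx reads the key files when it loads the configuration, and existing connections keep running on the old workers while new connections get the rotated set. Because the old keys are shifted down rather than deleted, a ticket issued just before the rotation is still accepted until it falls off the end of the list.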