NGINX (Optional)
Nginx is used as a reverse proxy in front of the Tomcat server hosting DigDash (localhost:8080 in the configuration below).
Installation
Enabling automatic service start on startup
Configuration
Create the configuration file, named after your machine or environment. In this example we use 001-digdash, in the /etc/nginx folder:
sudo vi /etc/nginx/sites-available/001-digdash.conf
# Replace .mondomaine.com with your server name, and the certificate and private key paths with your own.
upstream backend_tomcat {
    least_conn;
    server localhost:8080 fail_timeout=0;
}

server {
    listen [::]:80;
    listen 80;
    server_name *.mondomaine.com;
    # Redirect all non-HTTPS requests
    rewrite ^ https://$host$request_uri? permanent;
    error_log /var/log/nginx/digdash.com.error_log warn;
    access_log /var/log/nginx/digdash.com.access.log;
}

server {
    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2 default_server;
    server_name *.mondomaine.com;
    client_max_body_size 4G;
    proxy_read_timeout 300;
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    error_log /var/log/nginx/digdash.com.error_log warn;
    access_log /var/log/nginx/digdash.com.access.log;
    # Certificate(s) and private key
    ssl_certificate_key /emplacement/de/la/clé/macle.key;
    ssl_certificate /emplacement/du/certificat/moncertif.crt;
    # DigDash TLS settings (file created below)
    include digdash_ssl_params;
    # Security headers
    add_header X-Frame-Options "SAMEORIGIN"; ## !Warning! if the DigDash portal is embedded in another site, do not use!
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "connect-src 'self' https://www.overpass-api.de;";
    add_header Strict-Transport-Security "max-age=31536000"; # also set in digdash_ssl_params: keep only one of the two
    location / {
        include proxy_params;
        rewrite ^(/digdash_dashboard.*)/index.html(.*)$ $1/index.jsp permanent;
        rewrite ^(/digdash_dashboard.*)/index-editor.jsp(.*)$ $1/index-editor.html permanent;
        proxy_intercept_errors on;
        proxy_pass http://backend_tomcat;
        # Add the HttpOnly, Secure and SameSite attributes to cookies set by Tomcat
        proxy_cookie_path ~^/(.+)$ "/$1; HTTPOnly; Secure;samesite=none;";
    }
    location ~* ddenterpriseapi.*(/api/v1/|/v2/) {
        include proxy_params;
        proxy_intercept_errors off;
        proxy_pass http://backend_tomcat;
        proxy_cookie_path ~^/(.+)$ "/$1; HTTPOnly; Secure;samesite=none;";
    }
}
Security Headers
X-Frame-Options
The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to display a page within a <frame>, <iframe>, <embed>, or <object> element. Sites can use this header to prevent clickjacking attacks and ensure their content is not embedded in other sites.
Be careful: if the DigDash portal is embedded in another site, this header must not be included.
X-Content-Type-Options
The X-Content-Type-Options header is a flag used by the server to indicate that the MIME types advertised in the Content-Type headers must be followed and not changed. This prevents the browser from performing MIME type sniffing.
Content-Security-Policy
The Content-Security-Policy HTTP response header allows website administrators to control which resources the user agent is allowed to load for a given page. With a few exceptions, these rules mostly consist of specifying server origins and script endpoints. This header helps protect against cross-site scripting (XSS) attacks.
Strict-Transport-Security
The Strict-Transport-Security (often abbreviated as HSTS) HTTP response header informs browsers that the site should only be accessed using HTTPS and that any future attempts to access it using HTTP should be automatically upgraded to HTTPS.
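To verify that the proxy really sends these headers once deployed, the following Python script, added here as an example and not part of the DigDash documentation, parses a captured response header block and reports missing or weak values for the four headers above, cookies that lack the HttpOnly/Secure/SameSite attributes the proxy_cookie_path directive is meant to add, and any header sent more than once. The sample response is constructed, not a real capture; it deliberately carries Strict-Transport-Security twice, which is what you get when the add_header in the server block and the one in digdash_ssl_params are both kept.

```python
"""Offline checker for the security headers the NGINX reverse proxy should send.
Added example; not part of the DigDash documentation or product."""
import re
from collections import defaultdict

ONE_YEAR = 31536000  # seconds, the max-age used in the configuration

# Constructed sample of what `curl -sI https://portal.mondomaine.com/` might return
# once the configuration above is active (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/2 200\r\n"
    "server: nginx\r\n"
    "content-type: text/html;charset=UTF-8\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "x-content-type-options: nosniff\r\n"
    "content-security-policy: connect-src 'self' https://www.overpass-api.de;\r\n"
    "strict-transport-security: max-age=31536000\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains; preload\r\n"
    "set-cookie: JSESSIONID=abc123; Path=/digdash_dashboard; HTTPOnly; Secure;samesite=none;\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Map lower-cased header names to the list of values received, in order.
    The status line is skipped; parsing stops at the first blank line."""
    headers = defaultdict(list)
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers


def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or None."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def check_headers(headers):
    """Return a list of findings (an empty list means every check passed)."""
    findings = []

    # Fixed-value headers: must be present and carry an expected value.
    expected = {"x-frame-options": ("DENY", "SAMEORIGIN"),
                "x-content-type-options": ("nosniff",)}
    for name, allowed in expected.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif values[0].upper() not in {a.upper() for a in allowed}:
            findings.append(f"{name}: unexpected value {values[0]!r}")

    if "content-security-policy" not in headers:
        findings.append("content-security-policy: missing")

    # HSTS: present and at least one year, as in the configuration.
    hsts = headers.get("strict-transport-security", [])
    if not hsts:
        findings.append("strict-transport-security: missing")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < ONE_YEAR:
            findings.append(f"strict-transport-security: max-age {age} is below one year")

    # A header emitted twice usually means two add_header directives for it;
    # for HSTS, browsers process only the first value they receive.
    for name, values in headers.items():
        if name != "set-cookie" and len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times ({' | '.join(values)})")

    # Cookies: the attributes proxy_cookie_path is meant to add.
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:] if a.strip()}
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        samesite = next((a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")), None)
        if samesite is None:
            missing.append("samesite")
        if missing:
            findings.append(f"set-cookie {cookie_name}: missing {', '.join(missing)}")
        if samesite == "none" and "secure" not in attrs:
            findings.append(f"set-cookie {cookie_name}: SameSite=None requires Secure")

    return findings


if __name__ == "__main__":
    for finding in check_headers(parse_headers(SAMPLE_RESPONSE)) or ["all checks passed"]:
        print(finding)
```

Against a live deployment, save the output of `curl -sI https://your.host/` to a file and pass its contents to parse_headers; run it once per location (the portal and the ddenterpriseapi paths), since each location block rewrites cookies separately.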
Then create a symbolic link to this file in sites-enabled.
Create the digdash_ssl_params file in /etc/nginx (it is pulled in by the include directive of the server block above) containing the TLS security policy:
# Generate the DH parameters first, then uncomment ssl_dhparam:
# openssl dhparam -out /etc/ssl/dhparam.pem 4096
#ssl_dhparam /etc/ssl/dhparam.pem;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ecdh_curve secp521r1:secp384r1;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# Let the client choose among the ciphers above. The directive must appear only once:
# nginx rejects a second ssl_prefer_server_ciphers in the same context as a duplicate.
ssl_prefer_server_ciphers off;
ssl_session_cache shared:TLS:2m;
ssl_buffer_size 4k;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
# Set HSTS to 365 days
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;