Tag Archives: nginx

SELinux policy for nginx and GitLab unix socket in Fedora 19

The installation of GitLab in Fedora 19 went fine. I followed the official installation guide with some deviations where necessary, mostly taken from the CentOS guide in gitlab-recipes. I set up nginx using the SSL config and poked some holes in iptables. For systemd services I used these files.

Source: SELinux policy for nginx and GitLab unix socket in Fedora 19

Configuring NGINX to accept the PROXY Protocol – NGINX

This article explains how to configure NGINX and NGINX Plus to accept the PROXY protocol.

Table of Contents: Introduction; Using the PROXY protocol with SSL, HTTP/2, SPDY, and WebSocket; Using the PROXY protocol with a TCP Stream; Complete Example

Introduction: The PROXY protocol enables NGINX and NGINX Plus to receive client connection information passed through […]

Source: Configuring NGINX to accept the PROXY Protocol – NGINX

How to Generate SSL Certificate Chain for Nginx

I’m using a Comodo certificate; you will get these files in their email:

  • Root CA Certificate – AddTrustExternalCARoot.crt
  • Intermediate CA Certificate – UTNAddTrustSGCCA.crt
  • Intermediate CA Certificate – ComodoUTNSGCCA.crt
  • Intermediate CA Certificate – EssentialSSLCA_2.crt
  • Your EssentialSSL Certificate – www_example_com.crt

Correct order:

  1. Your EssentialSSL Certificate – www_example_com.crt
  2. Intermediate CA Certificate – EssentialSSLCA_2.crt
  3. Intermediate CA Certificate – ComodoUTNSGCCA.crt
  4. Intermediate CA Certificate – UTNAddTrustSGCCA.crt
  5. Root CA Certificate – AddTrustExternalCARoot.crt

You can create a chained certificate required by Nginx:

cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > example.com.chained.crt

In fact, you only need the first three certificates: most systems already have the root CA.

cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt > example.com.chained.crt

Update Mar 21, 2015:

Comodo updated their certificate filenames, so the correct order now is:

  1. Your EssentialSSL Certificate – www_example_com.crt
  2. Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
  3. Intermediate CA Certificate – COMODORSAAddTrustCA.crt
  4. Root CA Certificate – AddTrustExternalCARoot.crt

cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > example.com.chained.crt
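
A check for the ordering described above, as an added example that is not part of the original post: it confirms that each certificate in the chained file was issued by the one that follows it. It assumes the openssl command-line tool is installed; check_chain_order and the script name in the usage comment are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# check_chain_order is a hypothetical helper name chosen for this example.
# It compares issuer/subject names only; it does not verify signatures.

check_chain_order() (
    bundle=$1
    tmp=$(mktemp -d) || exit 2

    # Split the bundle into cert1.pem, cert2.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        n { print > out }
    ' "$bundle"

    if [ ! -f "$tmp/cert1.pem" ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"; exit 2
    fi

    i=1
    while [ -f "$tmp/cert$((i + 1)).pem" ]; do
        # The issuer of certificate i must be the subject of certificate i+1.
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/cert$i.pem")
        next=$(openssl x509 -noout -subject_hash -in "$tmp/cert$((i + 1)).pem")
        if [ "$issuer" != "$next" ]; then
            echo "out of order: certificate $i is not issued by certificate $((i + 1))" >&2
            rm -rf "$tmp"; exit 1
        fi
        i=$((i + 1))
    done

    rm -rf "$tmp"
    echo "ok: $i certificate(s), each issued by the next"
)

# Usage: sh check_chain.sh example.com.chained.crt
if [ "$#" -gt 0 ]; then
    check_chain_order "$1"
fi
```

The function returns 0 for a correctly ordered file, 1 when a certificate is out of place, and 2 when no certificate could be read.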

logrotate for nginx

vi /etc/logrotate.d/nginx
/srv/www/*/logs/*log {
        daily
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 640 nginx adm
}
# debug: dry run, no logs are rotated
logrotate -d /etc/logrotate.conf
# force logrotate with verbose info
logrotate -f -v /etc/logrotate.conf