```{index} nginx; default.conf
```

# default.conf

---

Configuration for servers that are accessed by IP address

First generate a self-signed host certificate that carries the host's IP address (as a subjectAltName; the CN stays `sitefactory.local`, while clients connecting by IP match against the SAN):

```bash
# The first address from `hostname -I` goes into the SAN (it may list several);
# -addext needs OpenSSL 1.1.1 or newer.
mkdir -p /etc/nginx/ssl/ && \
export myip=$(hostname -I | awk '{print $1}') && \
openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
  -nodes -keyout /etc/nginx/ssl/nginx.key \
  -out /etc/nginx/ssl/nginx.crt \
  -subj "/C=RU/ST=Msk/L=Msk/O=AppWorks/OU=IT/CN=sitefactory.local" \
  -addext "subjectAltName=IP:${myip}"
```

``````{hint}
The same as a single line:

```bash
mkdir -p /etc/nginx/ssl/ && export myip=$(hostname -I | awk '{print $1}') && openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/C=RU/ST=Msk/L=Msk/O=AppWorks/OU=IT/CN=sitefactory.local" -addext "subjectAltName=IP:${myip}"
```
``````

Add the SSL connection configuration for nginx:

```bash
mkdir -p /etc/nginx/conf.d/generic/ && \
vim /etc/nginx/conf.d/generic/ssl.cfg
```

```nginx
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
# Only TLS 1.2 and 1.3; the client's preference is honoured because every
# suite below is forward-secret (ECDHE/DHE) and AEAD (GCM or CHACHA20-POLY1305).
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
```

Then put the following settings into `conf.d/default.conf`:

```nginx
# Catch-all server for requests that arrive by IP address or with an unknown host name.
server {
    server_name _;
    listen 80;
    listen 443 ssl;
    include /etc/nginx/conf.d/generic/ssl.cfg;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    charset utf-8;

    # Anything not explicitly served below gets 418 rather than a real site.
    location / {
        return 418;
    }

    location /6phY9_healthcheck {
        return 200;
    }

    # Status page is reachable from the local host only.
    location /21QSv6cP_nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
}
```

After that, don't forget to restart nginx.
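As a defender's sanity check on the configuration above (an added example, not part of this page or of nginx), the Python below lints the `ssl.cfg` directives and the `stub_status` location: it flags legacy protocol versions, cipher suites without forward secrecy or AEAD, and status endpoints not restricted to loopback. The config strings are constructed copies of the page's snippets plus deliberately weakened variants for comparison.

```python
import re

# Constructed copy of the TLS-relevant lines of the page's ssl.cfg.
SSL_CFG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
"""
# Constructed weakened variants: legacy protocols, non-PFS / non-AEAD suites, a status page open to a whole subnet.
WEAK_CFG = 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers "AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384";\n'
STATUS_CFG = "location /21QSv6cP_nginx_status {\n    stub_status on;\n    access_log off;\n    allow 127.0.0.1;\n    deny all;\n}\n"
OPEN_STATUS_CFG = "location /nginx_status {\n    stub_status on;\n    allow 10.0.0.0/8;\n}\n"
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
LOOPBACK = {"127.0.0.1", "::1"}

def directives(text):
    """Map simple 'name value;' lines to {name: value}; surrounding quotes are stripped."""
    found = re.findall(r"^\s*([a-z_]+)\s+([^;]+);", text, re.M)
    return {name: value.strip().strip('"') for name, value in found}

def weak_protocols(cfg):
    """Protocol versions enabled beyond TLS 1.2/1.3 (e.g. TLSv1, TLSv1.1, SSLv3), sorted."""
    return sorted(set(directives(cfg).get("ssl_protocols", "").split()) - ALLOWED_PROTOCOLS)

def weak_ciphers(cfg):
    """Suites lacking forward secrecy (no ECDHE/DHE) or not AEAD (no GCM / CHACHA20-POLY1305)."""
    bad = []
    for suite in directives(cfg).get("ssl_ciphers", "").split(":"):
        forward_secret = suite.startswith(("ECDHE-", "DHE-"))
        aead = "-GCM-" in suite or suite.endswith("CHACHA20-POLY1305")
        if suite and not (forward_secret and aead):
            bad.append(suite)
    return bad

def exposed_status_locations(cfg):
    """Paths where stub_status is on but access is not limited to loopback with a 'deny all'."""
    exposed = []
    for path, body in re.findall(r"location\s+(\S+)\s*\{([^}]*)\}", cfg):
        if "stub_status" not in body:
            continue
        allows = re.findall(r"\ballow\s+([^;]+);", body)
        denies = re.findall(r"\bdeny\s+([^;]+);", body)
        if "all" not in denies or not set(allows) <= LOOPBACK:
            exposed.append(path)
    return exposed
```

Run the three checks against the real files after editing them; an empty list from each means the settings match the policy described on this page.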
```{index} external links
```

```{seealso}
- [nginx.org: Configuring HTTPS servers](https://nginx.org/en/docs/http/configuring_https_servers.html)
- [nginx.org: ngx_http_ssl_module - ssl_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers)
- [mozilla wiki: Security/Server Side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS)
- [mozilla.org: SSL Configuration Generator](https://ssl-config.mozilla.org/#server=nginx)
- [Ubiq: How to Harden NGINX Server](https://ubiq.co/tech-blog/harden-nginx-server/)
```