Tag Archives: Nginx

Allow WordPress Embedded Posts with Global X-Frame-Options for Nginx Servers

The problem: when you enables X-Frame-Options globally. You won’t be able to embed your posts with latest WordPress embed posts method.

The solution: you can simply exclude it in your Nginx configuration. I’ll use Nginx map for better performance:

map $request_uri $x_frame_options_headers {
  default                 SAMEORIGIN;
  # Matching WordPress embed page, ie. https://example.com/my-post/embed#?secret=vLi4CQcWkH
  ~/embed                 "";
}

# Don't allow the browser to render the page inside an frame or iframe
add_header X-Frame-Options $x_frame_options_headers;
HTTPS on UniFi Cloud Key, with Remote Access Support, the Easy Way
Embedding Demo

SELinux policy for nginx and GitLab unix socket in Fedora 19

The installation of GitLab in Fedora 19 went fine. I followed the official installation guide with some deviations where necessary, mostly taken from the CentOS guide in gitlab-recipes. I setup nginx using the ssl config, and poked some holes in iptables. For systemd services I used these files.

Source: SELinux policy for nginx and GitLab unix socket in Fedora 19

Configuring NGINX to accept the PROXY Protocol – NGINX

This article explains how to configure NGINX and NGINX Plus to accept the PROXY protocol. Table of Contents Introduction Using the PROXY protocol with SSL, HTTP/2, SPDY, and WebSocket Using the PROXY protocol with a TCP Stream Complete Example Introduction The PROXY protocol enables NGINX and NGINX Plus to receive client connection information passed through […]

Source: Configuring NGINX to accept the PROXY Protocol – NGINX

How to Generate SSL Certificate Chain for Nginx

I’m using Comodo Certificate, you will get these files from their email:

  • Root CA Certificate – AddTrustExternalCARoot.crt
  • Intermediate CA Certificate – UTNAddTrustSGCCA.crt
  • Intermediate CA Certificate – ComodoUTNSGCCA.crt
  • Intermediate CA Certificate – EssentialSSLCA_2.crt
  • Your EssentialSSL Certificate – www_example_com.crt

Correct order:

  1. Your EssentialSSL Certificate – www_example_com.crt
  2. Intermediate CA Certificate – EssentialSSLCA_2.crt
  3. Intermediate CA Certificate – ComodoUTNSGCCA.crt
  4. Intermediate CA Certificate – UTNAddTrustSGCCA.crt
  5. Root CA Certificate – AddTrustExternalCARoot.crt

You can create a chained certificate required by Nginx:

cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > example.com.chained.crt

In fact, you can only need the first three certificates: most systems have their root CA.

cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt  > example.com.chained.crt

Update Mar 21, 2015:

Comodo updated their certificates filename, so the correct order now is:

  1. Your EssentialSSL Certificate – www_example_com.crt
  2. Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
  3. Intermediate CA Certificate – COMODORSAAddTrustCA.crt
  4. Root CA Certificate – AddTrustExternalCARoot.crt
cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > example.com.chained.crt

logrotate for nginx

vi /etc/logrotate.d/nginx
/srv/www/*/logs/*log {
        daily
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 640 nginx adm
}

# debug
logrotate -d /etc/logrotate.conf

# focus logrotate with verbose info
logrotate -f -v /etc/logrotate.conf