1. 2017-12-19 - No keep alive in Nginx; Tags: No keep alive in Nginx

    No keep alive in Nginx

    Providing an HTTP health check service with Nginx is straightforward. If you do, ensure that Nginx closes the HTTP connection instead of keeping it alive. The basic option for this is:

    Syntax: keepalive_timeout timeout [header_timeout];
    Default: keepalive_timeout 75s;
    Context: http, server, location

    The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field.

    To disable keep-alive, set keepalive_timeout 0;.

    server {
        listen 445;
        location / {
            keepalive_timeout 0;
            root /usr/share/nginx/html;
        }
        access_log off;
    }
  2. 2017-10-25 - Setup AWS Elasticsearch Service; Tags: Setup AWS Elasticsearch Service

    Setup AWS Elasticsearch Service

    Running Elasticsearch Service on AWS (Amazon Web Services)

    • Elasticsearch Service runs inside a VPC (Virtual Private Cloud)
    • The service is exposed through an EC2 instance running nginx

    Security is an onion, and good strategies have multiple layers.

    Networking

    Open http and https

    • inbound
    • outbound

    Elastic IP

    DNS: ec2-.eu-central-1.compute.amazonaws.com IP:

    HTTPS everywhere

    Let’s Encrypt rejects ephemeral AWS instances, so create a self-signed certificate. For detailed instructions.

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
    

    Secure it

    chmod 0400 /etc/ssl/private/nginx-selfsigned.key
    

    Certificate config

    sudo vim /etc/nginx/snippets/self-signed.conf
    

    Add this content

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    

    TLS parameters

    Create a strong Diffie-Hellman group, which is used in negotiating Perfect Forward Secrecy with clients.

    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    
    sudo vim /etc/nginx/snippets/ssl-params.conf
    

    Add this content

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    

    Copy the default site to a new config file named elasticsearch

    root@aws:/etc/nginx/sites-available# cp default elasticsearch
    

    The elasticsearch file contains rules to redirect all plain HTTP traffic to HTTPS

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
    
        # redirect to https
        # setup aws dns name of elastic ip
        server_name ec2-elastic-ip.eu-central-1.compute.amazonaws.com;
        return 301 https://$server_name$request_uri;
    
        root /var/www/html;
    
        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;
    
        server_name _;
    
        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
    
    }
    
    server {
            # SSL configuration
            listen 443 ssl http2 default_server;
            listen [::]:443 ssl http2 default_server;
            include snippets/self-signed.conf;
            include snippets/ssl-params.conf;
    }
    

    Test the config (the ssl_stapling warning below is expected with a self-signed certificate: there is no issuer, so nginx has no OCSP response to staple)

    root@aws:~# nginx -t
    nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    

    rm symlink of default

    root@aws:/etc/nginx/sites-available# rm ../sites-enabled/default
    

    create symlink for elasticsearch

    root@aws:/etc/nginx# cd ../sites-enabled/
    root@aws:/etc/nginx/sites-enabled# ln -s /etc/nginx/sites-available/elasticsearch elasticsearch
    

    restart nginx

    Add the Elasticsearch upstream (only one server for now, but this may change over time)

    upstream elasticsearch_servers {
        server vpc-elasticsearch.eu-central-1.es.amazonaws.com;
        keepalive 15;
    }
    
    server {
            # SSL configuration
            listen 443 ssl http2 default_server;
            listen [::]:443 ssl http2 default_server;
    
            auth_basic "Jojo's Memory - Notes and Memos";
            auth_basic_user_file /etc/nginx/.htpasswd;
    
            location / {
                    proxy_pass http://elasticsearch_servers;
                    proxy_pass_request_headers off;
                    proxy_redirect off;
                    proxy_http_version 1.1;
                    proxy_set_header Connection "Keep-Alive";
                    proxy_set_header Proxy-Connection "Keep-Alive";
                    proxy_set_header X-Real-IP  $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $http_host;
                    proxy_connect_timeout 5s;
                    proxy_read_timeout 10s;
            }
    
            include snippets/self-signed.conf;
            include snippets/ssl-params.conf;
    }
    

    add basic auth file

    sudo sh -c "echo -n 'cinhtau:' >> /etc/nginx/.htpasswd"
    sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"
    

    proxy_pass_request_headers off; is important: without it the client's request headers, including the Authorization header from basic auth, would be passed through and used for auth against the VPC Elasticsearch endpoint.

    Expose Kibana on port 5601

    server {
        # SSL configuration
        listen 5601 ssl http2 default_server;
        listen [::]:5601 ssl http2 default_server;
    
        auth_basic "Jojo's Memory - Notes and Memos";
        auth_basic_user_file /etc/nginx/.htpasswd;
    
        location / {
            proxy_set_header Host ec2-elastic-ip.eu-central-1.compute.amazonaws.com;
            proxy_set_header X-Real-IP <your elastic ip>;
    
            proxy_http_version 1.1;
            proxy_set_header Connection "Keep-Alive";
            proxy_set_header Proxy-Connection "Keep-Alive";
            proxy_set_header Authorization "";
    
            proxy_pass http://vpc-elasticsearch.eu-central-1.es.amazonaws.com/_plugin/kibana/;
            proxy_redirect http://vpc-elasticsearch.eu-central-1.es.amazonaws.com/_plugin/kibana/ http://<your elastic ip>/kibana/;
        }
    
        location ~ (/app/kibana|/app/timelion|/bundles|/es_admin|/plugins|/api|/ui|/elasticsearch) {
            proxy_pass              http://vpc-elasticsearch.eu-central-1.es.amazonaws.com;
            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
            proxy_set_header        X-Forwarded-Host $http_host;
            proxy_set_header Authorization "";
        }
    
        include snippets/self-signed.conf;
        include snippets/ssl-params.conf;
    }
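    To check the two points these notes make, the TLSv1/TLSv1.1 entries in ssl-params.conf and basic-auth credentials not being forwarded through the proxy (proxy_pass_request_headers off in the Elasticsearch block, proxy_set_header Authorization "" in the Kibana block), here is an added example that is not part of the original notes: a small Python linter run over a constructed nginx fragment. parse_nginx is a simplified parser written for this example, and the upstream host es.invalid is a placeholder.

```python
import re

# Added example (not from the notes): a small linter for two points on this page.
# parse_nginx is a deliberately simplified nginx config parser (comments, quoted
# args, nested {} blocks); audit flags legacy versions in ssl_protocols and any
# proxied location behind auth_basic that still forwards the Authorization header.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def parse_nginx(text):
    # Returns a list of (name, args, body); body is None for plain directives.
    tokens = iter(TOKEN.findall(re.sub(r'#[^\n]*', '', text)))
    def block():
        items, args = [], []
        for tok in tokens:
            if tok == '}':
                break
            if tok in ';{':
                items.append((args[0], args[1:], block() if tok == '{' else None))
                args = []
            else:
                args.append(tok.strip('"\''))
        return items
    return block()

def audit(text):
    findings = []
    def walk(items, path, auth):
        auth = auth or any(n == 'auth_basic' and a != ['off'] for n, a, _ in items)
        for name, args, body in items:
            here = f'{path}/{" ".join([name, *args])}'
            if name == 'ssl_protocols':
                legacy = [a for a in args if a in ('SSLv3', 'TLSv1', 'TLSv1.1')]
                if legacy:
                    findings.append(f'{path}: ssl_protocols enables legacy {" ".join(legacy)}')
            elif name == 'location' and auth and body and any(n == 'proxy_pass' for n, _, _ in body):
                # Either directive keeps the basic-auth credentials off the upstream request.
                if not any((n == 'proxy_pass_request_headers' and a == ['off']) or
                           (n == 'proxy_set_header' and a == ['Authorization', ''])
                           for n, a, _ in body):
                    findings.append(f'{here}: Authorization header forwarded to upstream')
            if body is not None:
                walk(body, here, auth)
    walk(parse_nginx(text), '', False)
    return findings

# Constructed sample condensed from the page's ssl-params.conf and Kibana server block.
SAMPLE = """server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    auth_basic "Jojo's Memory";
    location / { proxy_set_header Authorization ""; proxy_pass http://es.invalid/_plugin/kibana/; }
    location /elasticsearch { proxy_pass http://es.invalid; }
}"""
```

Running audit(SAMPLE) reports the legacy protocol versions and the /elasticsearch location, which is exactly the block in the Kibana config above that clears Authorization for a reason.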