NGINX

Aug 9, 2016
2 min read
May 31, 2023 18:15 EEST

NGINX as a Service on Windows

Download nginx for windows and extract the zip file (tested with version 1.9.5). Download Winsw and place the file into the nginx folder. Rename the Winsw file to e.g. nginxservice.exe. Create a configuration file:

nginxservice.xml
<service>
  <id>nginx</id>
  <name>nginx</name>
  <description>nginx</description>
  <executable>D:\nginx-1.9.5\nginx</executable>
  <logpath>D:\nginx-1.9.5</logpath>
  <logmode>roll</logmode>
  <depend></depend>
  <startargument>-p D:\nginx-1.9.5</startargument>
  <stopargument>-p D:\nginx-1.9.5 -s stop</stopargument>
</service>

Open a windows console:

d:
cd nginx-1.9.5
nginxservice install

Now you can start nginx as usual as service directly with normal windows tools.

To remove the service again:

d:
cd nginx-1.9.5
nginxservice uninstall

Attach to Tomcat/Jetty

http {
  ...
  server {
    ...
    location / {
        location / {
            proxy_set_header X-Forwarded-Host $host;
	    proxy_set_header X-Forwarded-Server $host;
	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	    proxy_pass http://127.0.0.1:8080/;
        }      
    }
  }
}

Enable IE Compatibility Mode

http {
  ...
  server {
    ...
    location / {
        location / {
            ...
	    add_header X-UA-Compatible "IE=5;charset=iso-8859-1";
        }      
    }
  }
}

Disable Access Logging

http {
  ...
  access_log off;
  ...
}

GEO Logging

Download the GEO database:

mkdir -p /usr/local/etc/geo
cd !$
echo #\!/bin/sh >updategeo.sh
echo curl -O "http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz" >>updategeo.sh
echo curl -O "http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" >> updategeo.sh
echo gunzip -f GeoLiteCity.dat.gz >> updategeo.sh
echo gunzip -f GeoIP.dat.gz >> updategeo.sh
chmod +x updategeo.sh
./updategeo.sh

Add on http level:

/usr/local/etc/nginx/nginx.conf
http {
...
        geoip_country /usr/local/etc/geo/GeoIP.dat;
        geoip_city /usr/local/etc/geo/GeoLiteCity.dat;
        geoip_proxy 127.0.0.1;

Make sure you pass the options to fastcgi:

/usr/local/etc/nginx/fastcgi_params
...
### SET GEOIP Variables ###
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;

fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;

And for proxy:

/usr/local/etc/nginx/snipets/proxy.conf
### SET GEOIP Variables ###
proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
proxy_set_header GEOIP_COUNTRY_CODE3 $geoip_country_code3;
proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;

proxy_set_header GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
proxy_set_header GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
proxy_set_header GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
proxy_set_header GEOIP_REGION $geoip_region;
proxy_set_header GEOIP_CITY $geoip_city;
proxy_set_header GEOIP_POSTAL_CODE $geoip_postal_code;
proxy_set_header GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
proxy_set_header GEOIP_LATITUDE $geoip_latitude;
proxy_set_header GEOIP_LONGITUDE $geoip_longitude;

Make sure you include the fastcgi_params or proxy.conf as required.

As the IP database is updated every first Tuesday of each month edit your crontab:

# update GeoIP database on every first Wednesday in a month
03  3   *   *   3   root    [ $(date +\%d) -le 07] && cd /usr/local/etc/geo && ./updategeo.sh

Enable ModSecurity

cd /usr/local/etc
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs.git
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf