Sunday, February 8, 2015

Truncate and rotate Linux server log files using copy, truncate and a graceful log reopen

If you are not using automatic rotation (logrotate, for instance) for certain daemons on your Linux server, you may be looking for a simple way to rotate their log files yourself.

Rotating a log file is necessary so that it does not grow without bound.

Oversized log files have bitten me in the a** before: the server runs out of disk space and the server process fails. Yes, it is an embarrassing situation for any server admin, and it is an outage you inflicted on yourself. Save yourself the embarrassment and spend five minutes implementing this simple rotation command:


cp /var/log/nginx/error.log /data/log/tmp_nginx_log/nginx_error_$(date +"%Y_%m_%d").log && truncate -s0 /var/log/nginx/error.log && kill -USR1 "$(cat /var/run/nginx.pid)"


The command above does the following:

  1. copies the current log file from /var/log/nginx/error.log to /data/log/tmp_nginx_log/,
    renaming it on the way by appending the current date.
  2. next, truncates the live log file to zero size. nginx opens its logs in append mode, so it simply continues writing at the new, empty end of the same file.
  3. finally, sends SIGUSR1 to the nginx master process. That signal tells nginx to reopen its log files (it is not a configuration reload, which would be SIGHUP), and logging carries on into the now empty file.

The three steps are chained with && rather than ; so that a failed copy (missing target directory, full disk) never truncates the only copy of the log. One caveat remains: whatever nginx writes between the copy and the truncate is lost. If that matters, for example on a busy access log you may later need for an investigation, rename the file instead of copying it and then send SIGUSR1; nginx keeps writing to the renamed file until it reopens, so nothing is dropped.

So now that we have copied the log file to another directory, what do we do with it there?

Since every archived file is named with its date, we can easily review an individual day's log when we need to.

Another reason to split the log into per-date files is that old ones we no longer want can be cleaned up. For example, to keep only the last 30 days, run the following command or schedule it in your crontab:


find /data/log/tmp_nginx_log -type f -name 'nginx_error_*.log' -mtime +30 -delete


The command above removes files older than 30 days from the /data/log/tmp_nginx_log directory. Using -delete instead of piping to xargs rm copes with any file name and with an empty result, and the -name filter means the job can never remove anything other than the rotated logs.

For more options you can do to clean up files, read my blog about how to Remove Files in Directory Recursively.
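The rotation and cleanup commands above, written out as shell functions with the checks the one-liners lack. This is an added example, not a script from the original post. It assumes GNU coreutils (truncate, date, find -delete) and takes the nginx pidfile path as an optional argument; when no live process is behind it, the signal is skipped, which also makes the functions safe to try on a scratch log file. The rename variant goes beyond the post: it is the lossless way of doing the same job.

```shell
#!/bin/sh
# Added example, not the post's own script: the copy/truncate/reopen rotation
# and the age-based cleanup as shell functions. Assumptions: POSIX sh with
# GNU coreutils (truncate, date, find -delete); an nginx master whose pidfile
# path is passed in (the signal is skipped when no such process is alive);
# the caller supplies the log file, e.g. a constructed one for a dry run.
set -eu

# signal_reopen PIDFILE: send SIGUSR1 (reopen log files; SIGHUP would reload
# the configuration instead) to the process named in PIDFILE, if it is alive.
signal_reopen() {
    pidfile=${1:-}
    [ -n "$pidfile" ] && [ -r "$pidfile" ] || return 0
    pid=$(cat "$pidfile")
    kill -0 "$pid" 2>/dev/null && kill -USR1 "$pid"
    return 0
}

# rotate_copy_truncate LOGFILE ARCHIVE_DIR [PIDFILE]
# The post's method: copy, truncate in place, reopen. The truncate only runs
# if the copy succeeded, so a missing archive directory or a full disk never
# empties the only copy of the log. Lines written between the copy and the
# truncate are lost; that is the price of this method.
rotate_copy_truncate() {
    logfile=$1; archive_dir=$2
    [ -f "$logfile" ] || { echo "no such log: $logfile" >&2; return 1; }
    mkdir -p "$archive_dir"
    # time of day in the name, so running twice in one day does not overwrite
    dest="$archive_dir/$(basename "$logfile" .log)_$(date +"%Y_%m_%d_%H%M%S").log"
    if ! cp -p "$logfile" "$dest"; then
        echo "copy to $dest failed, live log left untouched" >&2
        return 1
    fi
    truncate -s0 "$logfile"
    signal_reopen "${3:-}"
    printf '%s\n' "$dest"
}

# rotate_rename LOGFILE ARCHIVE_DIR [PIDFILE]
# Lossless variant: rename first, then reopen. nginx keeps appending to the
# renamed file until it handles SIGUSR1, so nothing written in between is
# lost. Until the signal is handled, the original path does not exist.
rotate_rename() {
    logfile=$1; archive_dir=$2
    [ -f "$logfile" ] || { echo "no such log: $logfile" >&2; return 1; }
    mkdir -p "$archive_dir"
    dest="$archive_dir/$(basename "$logfile" .log)_$(date +"%Y_%m_%d_%H%M%S").log"
    mv "$logfile" "$dest"
    signal_reopen "${3:-}"
    printf '%s\n' "$dest"
}

# prune_archive ARCHIVE_DIR DAYS: delete rotated copies older than DAYS.
# -name limits the job to the rotated files so nothing else in the directory
# is touched; -delete avoids the quoting and empty-input problems of xargs rm.
prune_archive() {
    find "$1" -type f -name '*_[0-9][0-9][0-9][0-9]_[0-9][0-9]_[0-9][0-9]*.log' -mtime +"$2" -delete
}
```

From cron, call rotate_copy_truncate (or rotate_rename) with /var/log/nginx/error.log, the archive directory and /var/run/nginx.pid, then prune_archive with the retention in days; the printed path is the archive file, handy for a follow-up gzip.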


Sunday, February 1, 2015

Compiling and installing Nginx 1.4.4 from scratch

Fetch the tarball over HTTPS and check its detached PGP signature against the nginx signing keys (published at https://nginx.org/en/pgp_keys.html) before building. A build from an unverified tarball is the easiest way for a tampered source tree to end up on your server.

wget https://nginx.org/download/nginx-1.4.4.tar.gz
wget https://nginx.org/download/nginx-1.4.4.tar.gz.asc
gpg --verify nginx-1.4.4.tar.gz.asc nginx-1.4.4.tar.gz

tar -zvxf nginx-1.4.4.tar.gz

cd nginx-1.4.4

./configure \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-mail \
--with-mail_ssl_module \
--with-file-aio \
--with-ipv6


make
make install

make install has to run as root (or through sudo); with no --prefix given to configure, everything lands under /usr/local/nginx.

Gzip settings for nginx that I recommend

One caveat before enabling this globally: compressing a TLS response that carries both a secret (a session identifier or CSRF token) and attacker-influenced input makes the secret recoverable through the BREACH side channel. Keep gzip for static assets and consider turning it off for such dynamic pages.

 ##
 # Gzip Settings
 ##

 gzip on;
 gzip_disable "msie6";
 gzip_comp_level 6;
 gzip_buffers 16 8k;
 gzip_vary on;
 gzip_proxied any;
 gzip_types text/plain text/

Generate a self-signed certificate

Step 1 : Generate a passphrase-protected key


openssl genrsa -des3 -out <your_domain_name>.key 2048

Step 2 : Remove the passphrase so the server can start unattended

A key without a passphrase is only as safe as the permissions on the file, so restrict it to root before nginx ever reads it.


openssl rsa -in <your_domain_name>.key -out <your_domain_name>.key.insecure
mv <your_domain_name>.key <your_domain_name>.key.secure
mv <your_domain_name>.key.insecure <your_domain_name>.key
chmod 600 <your_domain_name>.key

Step 3 : Generate CSR (certificate request)


openssl req -new -key <your_domain_name>.key -out <your_domain_name>.csr

Step 4 : Generate Certificate


openssl x509 -req -days 365 -in <your_domain_name>.csr -signkey <your_domain_name>.key -out <your_domain_name>.crt


Tip:


It is good practice to store your keys (.key and .key.secure) in a directory separate from your certificate files, readable by root only. For example, if you are using Debian I recommend /etc/ssl/private, which exists for exactly this purpose.
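Steps 1 to 4 as one non-interactive function, plus a check that the certificate actually belongs to the key nginx will load. This is an added example, not from the original post. It assumes OpenSSL 1.0 or later on the PATH and caller-supplied domain, output directory and passphrase; the subjectAltName it adds is not in the post's commands but is required by current browsers.

```shell
#!/bin/sh
# Added example, not from the original post: the four openssl steps as one
# function, plus the check worth running afterwards. Assumptions: OpenSSL
# 1.0+ on the PATH; domain, output directory and passphrase come from the
# caller (the test uses constructed values). The SAN extension goes beyond
# the post: browsers now require it in addition to the CN.
set -eu

# make_self_signed OUTDIR DOMAIN PASSPHRASE
# Writes DOMAIN.key.secure (passphrase-protected), DOMAIN.key (no passphrase,
# mode 0600 so nginx can start unattended without the key being readable by
# other users), DOMAIN.csr and a one-year self-signed DOMAIN.crt.
make_self_signed() {
    outdir=$1; domain=$2; pass=$3
    mkdir -p "$outdir"
    saved_umask=$(umask)
    umask 077   # every file below starts out owner-readable only

    # Step 1: passphrase-protected 2048-bit RSA key (the post's "secure key")
    openssl genrsa -des3 -passout "pass:$pass" -out "$outdir/$domain.key.secure" 2048 2>/dev/null

    # Step 2: strip the passphrase (the post's "insecure key") and lock it down
    openssl rsa -in "$outdir/$domain.key.secure" -passin "pass:$pass" \
        -out "$outdir/$domain.key" 2>/dev/null
    chmod 600 "$outdir/$domain.key"

    # Step 3: certificate request; -subj replaces the interactive prompts
    openssl req -new -key "$outdir/$domain.key" -subj "/CN=$domain" -out "$outdir/$domain.csr"

    # Step 4: self-sign for 365 days; the SAN comes from a one-line extension file
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$outdir/$domain.ext"
    openssl x509 -req -days 365 -in "$outdir/$domain.csr" -signkey "$outdir/$domain.key" \
        -extfile "$outdir/$domain.ext" -out "$outdir/$domain.crt" 2>/dev/null

    umask "$saved_umask"
}

# cert_matches_key CERT KEY: exit 0 when the certificate carries the public
# key derived from KEY. A mismatch is what nginx reports as
# "key values mismatch" when key and certificate files get mixed up.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# san_dns_names CERT: print the DNS names from the subjectAltName extension
san_dns_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}
```

Run make_self_signed with the target directory (for example /etc/ssl/private), the host name and a passphrase, then cert_matches_key on the resulting .crt and .key before pointing nginx at them.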

Combining SSL certificates from Comodo Positive SSL for NGINX

Here is a quick and easy way to combine the files Comodo sends with a PositiveSSL certificate into the single chain file nginx expects.

I bought my certificate from NameCheap for about $9.95 / year.

This post only describes the process of combining the certificate. I assume you have already:

1. Generated a CSR and .key file
2. Submitted the CSR to Comodo / Namecheap
3. Received an email from Comodo containing the .crt files

If you have not done any of the task above, please do them first before following this guide.


[STEP 1]  Confirm and extract all files received from Comodo:

Attached to this email you should find a .zip file containing:

  • Root CA Certificate - AddTrustExternalCARoot.crt
  • Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  • Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  • Your PositiveSSL Certificate - <YOUR_DOMAIN_NAME>_com.crt 

[STEP 2]  Make sure all files are inside one directory.

Copy / move all files into one directory.



[STEP 3]  Combine them!

From your Linux server command line, execute:

cat <YOUR_DOMAIN_NAME>_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > <YOUR_DOMAIN_NAME>_combined.crt

The order matters: nginx expects your own certificate first, followed by the intermediates, each one being the issuer of the certificate before it. nginx pairs the private key with the first certificate in the file, so a chain in the wrong order stops it from starting with a "key values mismatch" error. The root at the end is optional: clients must already trust it, so sending it only adds bytes to every handshake.
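Assembling and checking the chain file, as an added example that is not part of the original post. The Comodo certificates are not included here, so the block generates a throwaway root, intermediate and server certificate locally (the demo-* names and www.example.test are constructed) to stand in for AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt and your own certificate; the build and verification functions work unchanged on the real files. It assumes OpenSSL, awk and sed on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: build the combined file in the
# order nginx expects and verify it before editing the nginx config.
# Assumptions: OpenSSL, awk and sed on the PATH. The demo hierarchy below
# (demo-root, demo-intermediate, www.example.test) is constructed in place
# of the Comodo files, which are not shipped here.
set -eu

# issue_cert DIR NAME ISSUER EXTFILE: create DIR/NAME.key and DIR/NAME.crt
# signed by DIR/ISSUER.key, or self-signed when ISSUER equals NAME.
issue_cert() {
    dir=$1; name=$2; issuer=$3; ext=$4
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr"
    if [ "$issuer" = "$name" ]; then
        openssl x509 -req -days 30 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
    else
        openssl x509 -req -days 30 -in "$dir/$name.csr" -CA "$dir/$issuer.crt" \
            -CAkey "$dir/$issuer.key" -CAcreateserial -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
    fi
}

# mk_demo_hierarchy DIR: root CA, intermediate CA signed by it, server cert
# signed by the intermediate. The CA extension file is what makes the
# intermediate acceptable as an issuer during verification.
mk_demo_hierarchy() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"
    issue_cert "$dir" demo-root demo-root "$dir/ca.ext"
    issue_cert "$dir" demo-intermediate demo-root "$dir/ca.ext"
    issue_cert "$dir" www.example.test demo-intermediate "$dir/leaf.ext"
}

# build_chain OUT LEAF INTERMEDIATE...: the cat from STEP 3, leaf first.
# The root is left out on purpose: clients must already trust it, so
# sending it only adds bytes to every handshake.
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# chain_verifies CHAIN ROOT: exit 0 when the first certificate in CHAIN
# chains up to ROOT via the certificates that follow it. openssl verify
# only verifies the first certificate of a file, so CHAIN is also given as
# the -untrusted pool from which intermediates may be taken.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# chain_order_ok CHAIN: exit 0 when every certificate's issuer is the
# subject of the certificate that follows it, i.e. the file is in the
# leaf-to-root order nginx expects. verify alone does not catch a swapped
# order, because it happily verifies whichever certificate comes first.
chain_order_ok() {
    rm -f "$1".part.*
    awk -v base="$1.part." '/-----BEGIN CERTIFICATE-----/{n++} {print > (base n)}' "$1"
    i=1
    while [ -f "$1.part.$((i + 1))" ]; do
        issuer=$(openssl x509 -in "$1.part.$i" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$1.part.$((i + 1))" -noout -subject | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
    return 0
}
```

On the real files: build_chain with your _com.crt followed by the two COMODORSA intermediates, then chain_verifies against AddTrustExternalCARoot.crt and chain_order_ok on the result.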



[STEP 4]  Edit your nginx site configuration (on Debian, /etc/nginx/sites-available/<your_file>)


The following configuration is what I use to enable SSL in nginx. I have tweaked it over time and this is my latest version. It enables TLS and prevents SSLv2 and SSLv3 from being used, because they are weak and vulnerable, and it restricts the cipher list. Practice has moved on since this was written: TLS 1.0 and 1.1 are now deprecated as well (RFC 8996), the "ssl on;" directive has been replaced by "listen 443 ssl;", and the 3DES and non-forward-secret suites in the list below should be dropped unless you must support very old clients.

ssl on;
ssl_certificate /etc/ssl/<YOUR_DOMAIN_NAME>/<YOUR_DOMAIN_NAME>_combined.crt;
ssl_certificate_key /etc/ssl/private/<YOUR_DOMAIN_NAME>.key;

ssl_session_timeout 5m;

#TLS 1.0 to 1.2 only; SSLv2 and SSLv3 are weak and deprecated. TLS 1.0 and 1.1 have since been deprecated too (RFC 8996); on a current nginx use TLSv1.2 and TLSv1.3.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

#Excludes NULL, EXPORT, DES, MD5, PSK and RC4 suites. Note that !DES does not remove the explicitly listed 3DES suites (DES-CBC3-SHA), and the plain AES suites without (EC)DHE offer no forward secrecy; drop both groups if old clients are not a concern, and set ssl_dhparam (2048 bits or more) when keeping DHE suites, since nginx before 1.11.0 fell back to built-in 1024-bit parameters.
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

ssl_prefer_server_ciphers on;



[STEP 5]  Test the configuration and restart nginx

Check the syntax, and that the certificate and key load, before restarting; otherwise a typo takes the site down:

nginx -t
service nginx restart

A "service nginx reload" is enough to pick up a new certificate and does not drop in-flight connections.
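A small audit of the ssl_* directives above, run over the post's fragment and over a hardened rewrite of it. This is an added example, not from the original post; both configuration fragments are constructed here as sample input. The rules encode what has changed since 2015 (RFC 8996 deprecating TLS 1.0 and 1.1, 3DES and static-RSA suites counting as weak, "ssl on;" superseded by "listen 443 ssl;") and assume one directive per line; TLSv1.3 in the hardened fragment needs nginx 1.13 or later built against OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original post: audit the ssl_* directives of
# an nginx server block. Both sample fragments are constructed here.
# Assumptions: one directive per line; TLSv1.3 needs nginx 1.13+ with
# OpenSSL 1.1.1+.
set -eu

# audit_ssl_config FILE: print one finding per line; exit 1 if there were
# any, 0 for a clean file.
audit_ssl_config() {
    f=$1; findings=0

    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p' "$f")
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "deprecated protocol enabled: $p"; findings=1 ;;
        esac
    done

    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*$/\1/p' "$f")
    has_dhe=0
    for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case $c in
            !*)                     ;;   # exclusions such as !RC4 are fine
            *DES-CBC3*|*RC4*|*MD5*) echo "weak cipher suite listed: $c"; findings=1 ;;
            ECDHE-*)                ;;
            DHE-*|EDH-*)            has_dhe=1 ;;
            *-*)                    echo "no forward secrecy (static RSA key exchange): $c"; findings=1 ;;
            *)                      echo "broad alias, list suites explicitly instead: $c"; findings=1 ;;
        esac
    done
    if [ "$has_dhe" -eq 1 ] && ! grep -q '^[[:space:]]*ssl_dhparam' "$f"; then
        echo "DHE suites without ssl_dhparam (nginx before 1.11.0 fell back to 1024-bit DH)"; findings=1
    fi
    if grep -q '^[[:space:]]*ssl on;' "$f"; then
        echo "legacy 'ssl on;' directive; use 'listen 443 ssl;' instead"; findings=1
    fi
    return "$findings"
}

# write_samples DIR: the post's fragment and a hardened version (constructed)
write_samples() {
    cat > "$1/post.conf" <<'EOF'
ssl on;
ssl_certificate /etc/ssl/<YOUR_DOMAIN_NAME>/<YOUR_DOMAIN_NAME>_combined.crt;
ssl_certificate_key /etc/ssl/private/<YOUR_DOMAIN_NAME>.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
EOF
    cat > "$1/hardened.conf" <<'EOF'
listen 443 ssl;
ssl_certificate /etc/ssl/<YOUR_DOMAIN_NAME>/<YOUR_DOMAIN_NAME>_combined.crt;
ssl_certificate_key /etc/ssl/private/<YOUR_DOMAIN_NAME>.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
ssl_prefer_server_ciphers on;
EOF
}
```

On the post's fragment the audit reports the two deprecated protocol versions, the three 3DES suites, the six suites without forward secrecy, the HIGH alias, the missing ssl_dhparam and the legacy "ssl on;"; the hardened fragment comes back clean. Point audit_ssl_config at your own site file to see which of these still apply.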