linux_wiki:nginx_http_server: diff between revision 2018/03/23 16:08 by billdozor (edit summary: Main Config: nginx.conf) and revision 2019/05/25 23:50. The content below is the earlier revision, all of which the later revision removes.

====== Nginx HTTP Server ======
**General Information**

Installation and configuration of the Nginx web server.

**Checklist**
  * Distro(s): Enterprise Linux 6/7

----

====== Installation ======

Installation of Nginx can be completed via a repo (Official Nginx, EPEL, or Software Collections) or by compiling from source.

===== Repo: Official Nginx =====

[[http://

Versions as of 04/13/2016:
  * Mainline: 1.9.14
  * Stable: 1.8.1
  * Legacy: 1.6.3 and below

  - Add a nginx repo file
    * Stable Repo:<code>
[nginx]
name=nginx repo
baseurl=http://
gpgcheck=0
enabled=1</code>
    * Mainline Repo:<code>
[nginx]
name=nginx repo
baseurl=http://
gpgcheck=0
enabled=1</code>
    * Note: gpgcheck=0 turns off RPM signature verification for this repo; once the repo's signing key has been imported, gpgcheck=1 makes yum verify every package before it is installed.
  - Install<

===== Repo: EPEL =====

Versions as of 04/13/2016:
  * CentOS 7.2: Nginx 1.6.3

Procedure
  * Install the [[linux_wiki:
  * Install Nginx<

===== Repo: Software Collections =====

Versions as of 04/13/2016:
  * nginx 1.4 (legacy)
  * nginx 1.6 (legacy)
  * nginx 1.8 (stable)

  - Add the [[linux_wiki:
  - Install<
  - Enable the software collection<
  - Run signal commands (nginx -s signal) as normal, following the Operation section below
===== Compile and Install =====

Building from source is usually done when specific functionality is required; it is more time consuming than a repo install.

  - Install pre-reqs<
  - [[http://
  - Unarchive/
  - Change into directory<
  - Configure nginx<
    - Available configuration options: http://
  - Compile<
  - Install<

----

====== Configuration ======

  * Main Config: /
  * Alt Main (Compiled): /
  * Alt Main (Software Collections):
  * Additional Config: /
  * Alt Additional Config (Compiled): No default
  * Alt Additional Config (Software Collections):

----

===== Main Config: nginx.conf =====

  * Default repo installed file location: /

Main nginx.conf config file, in the http context:
<code bash># Context: HTTP - HTTP Server Directives
http {
    ...
    ##-- Security --##
    # server_tokens off - Disable the nginx version on error pages and in the Server response header
    # (the header still reads "Server: nginx"; only the version number is removed)
    server_tokens off;

    ## Headers - Add additional headers ##
    # Note: add_header directives set here are inherited by a server or location block
    # only if that block defines no add_header of its own
    # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on the same origin
    add_header X-Frame-Options SAMEORIGIN;

    # X-Content-Type-Options nosniff -> Prevent MIME type sniffing attacks
    add_header X-Content-Type-Options nosniff;

    # X-XSS-Protection "1; mode=block"
    #
    add_header X-XSS-Protection "1; mode=block";

    # Content-Security-Policy -> Prevent XSS, clickjacking,
    add_header Content-Security-Policy "
    ##-- End of Security Settings --##
    ...
}</code>

----

===== SSL: Enforce Strong Encryption =====

  * Default file location: /
  * Typical compiled location: /

==== SSL: All in One ====

All-in-one copy/paste of the most secure SSL settings.<code>
ssl_ciphers "
ssl_prefer_server_ciphers on;</code>

----

==== SSL: Protocols ====

**Protocols** - Use only TLS (1.2 only if possible)
  * TLSv1.2 only (**Preferred**)<
  * TLS<code bash>

----

==== SSL: Ciphers ====

**Ciphers** - Config
<code bash>
ssl_ciphers "
</code>

\\
**Ciphers** - The server chooses the cipher from its own preference order rather than the client's
<code bash>
ssl_prefer_server_ciphers on;
</code>

----


===== Other Settings =====

Other secure settings.

==== Redirect HTTP to HTTPS ====

Redirect all HTTP to HTTPS<code>
server {
    listen 80 default_server;
    server_name

    # Redirect everything to HTTPS
    return 301 https://
}</code>

----

==== HSTS ====

Enabling HTTP Strict Transport Security (HSTS).

Add the Strict-Transport-Security header to the listening HTTPS server section:
<code bash>
listen 443 ssl;
listen [::]:443 ssl;
server_name HOSTNAME-HERE;

# HSTS (HTTP Strict Transport Security)
# 63072000 seconds = 2 years
add_header Strict-Transport-Security "
....
}</code>
  * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. The countdown is reset each time the site is visited.
- | |||
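A small lint for the settings in the main-config, SSL and HSTS sections above, added here as an example and not part of the wiki page: it flags directives missing their terminating semicolon, pre-1.2 TLS protocols, an HSTS max-age shorter than the two years set above, and the add_header inheritance rule, under which headers set in the http context are dropped in any server or location block that sets an add_header of its own. The sample configuration is constructed, and the parser assumes one directive per line.

```python
import re
# Constructed sample config (not from the wiki page): http-level settings, an unterminated
# X-XSS-Protection line, pre-1.2 protocols, and a server block with its own add_header.
SAMPLE_CONF = """http {
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    server {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    }
}
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
def audit(conf):
    """Lint nginx config text (one directive per line assumed); return a list of findings."""
    findings, headers, settings, depth = [], {}, {}, 0   # headers: block depth -> header names
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()             # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{") or line == "}":           # enter or leave a block
            depth += 1 if line.endswith("{") else -1
            continue
        if not line.endswith(";"):                      # nginx rejects this at config load
            findings.append(f"line {n}: directive not terminated with ';'")
        name, *args = line.rstrip(";").split()
        if name == "add_header" and args:
            headers.setdefault(depth, set()).add(args[0])
            if args[0] == "Strict-Transport-Security":
                m = re.search(r"max-age=(\d+)", " ".join(args[1:]))
                if not m or int(m.group(1)) < 63072000:
                    findings.append(f"line {n}: HSTS max-age is under two years")
        elif name == "ssl_protocols":
            for p in sorted(WEAK_PROTOCOLS & set(args)):
                findings.append(f"line {n}: weak protocol {p} enabled")
        else:
            settings[name] = " ".join(args)
    for key, want in (("server_tokens", "off"), ("ssl_prefer_server_ciphers", "on")):
        if settings.get(key) != want:
            findings.append(f"{key} is not {want}")
    # nginx inherits add_header from the enclosing level only when the current level sets
    # none of its own, so a server-level add_header silently drops the http-level headers.
    top = min(headers, default=0)
    for d in sorted(headers):
        if d > top:
            lost = ", ".join(sorted(headers[top] - headers[d]))
            findings.append(f"add_header at depth {d} hides depth-{top} headers: {lost}")
    return findings
```

Running audit(SAMPLE_CONF) reports the unterminated line, the two weak protocols, the short max-age, and the three http-level headers that the server block's own add_header hides.
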
----

====== Operation ======

Controlling the nginx web server.

Nginx can be controlled via the system'

  * Main nginx executable: /
  * Alt main nginx executable (Compiled): /
  * Alt main nginx executable (Software Collections):

**Note**: If using the software collections method, that environment must be enabled before you attempt to operate the web server.<
  * This could be put in a user's .bashrc for easier use if needed.

----

==== Enable on Boot ====

  * Autostart the nginx web server upon system startup
<code bash>

----

==== Start ====

  * Evaluate config files; if the syntax is ok, start
<code bash>
or
<code bash>

----

==== Stop ====

  * Stop the nginx processes now
    * Kills current sessions
<code bash>
or
<code bash>

----

==== Reload Config ====

  * Equivalent to Apache httpd'
    * Check syntax
    * If ok, spawn new workers with the new config and signal the old workers to shut down once their current requests are complete
    * If NOT ok, continue using the old configuration
<code bash>
or
<code bash>

----

==== Restart ====

  * Kill worker processes immediately
<code bash>
or
<code bash>

----

==== Graceful Stop ====

  * Equivalent to Apache httpd'
    * Wait for worker processes to finish serving current requests, then stop.
    * Do not accept new requests
<code bash>

----