Nginx HTTP Server
General Information
Installation and configuration of Nginx web server.
Checklist
- Distro(s): Enterprise Linux 6/7
Installation
Nginx can be installed from a package repository (official nginx.org, EPEL, or Software Collections) or by compiling from source.
Repo: Official Nginx
Nginx.org has pre-built packages. You can select mainline (newer) or stable.
Versions as of 04/13/2016:
- Mainline: 1.9.14
- Stable: 1.8.1
- Legacy: 1.6.3 and below
- Add a nginx repo file
- Stable Repo:
vim /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
- Mainline Repo:
vim /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1
- Install
yum install nginx
Repo: EPEL
Versions as of 04/13/2016
- CentOS 7.2: Nginx 1.6.3
Procedure
- Install the EPEL repo
- Install Nginx
yum install nginx
Repo: Software Collections
Versions as of 04/13/2016:
- nginx 1.4 (legacy)
- nginx 1.6 (legacy)
- nginx 1.8 (stable)
- Add the software collections repo.
- Install
yum install rh-nginx18
- Enable the software collection
scl enable rh-nginx18 bash
- Signal commands (nginx -s <signal>) then work as described in the Operation section below
Compile and Install
Building from source is usually done to enable specific modules or functionality, and takes more time than a package install.
- Install pre-reqs
yum install gcc pcre-devel zlib-devel
- Download a tarball (Example: Stable)
wget http://nginx.org/download/nginx-1.8.1.tar.gz
- Unarchive/unpack
tar -zxvf nginx-1.8.1.tar.gz
- Change into directory
cd nginx-1.8.1/
- Configure nginx
./configure --prefix=/usr/local/nginx
- Available configuration options: http://nginx.org/en/docs/configure.html
- Compile
make
- Install
make install
Configuration
- Main Config: /etc/nginx/nginx.conf
- Alt Main (Compiled): /usr/local/nginx/conf/nginx.conf
- Alt Main (Software Collections): /etc/opt/rh/rh-nginx18/nginx/nginx.conf
- Additional Config: /etc/nginx/conf.d/
- Alt Additional Config (Compiled): No default
- Alt Additional Config (Software Collections): /etc/opt/rh/rh-nginx18/nginx/conf.d/
Main Config: nginx.conf
- Default repo installed file location: /etc/nginx/nginx.conf
Main nginx.conf config file, in the http context
# Context: HTTP - HTTP Server Directives
http {
    ...
    ##-- Security --##
    # server_tokens off - Disable nginx version on error pages and response headers
    server_tokens off;

    ## Headers - Add additional headers ##
    # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin
    add_header X-Frame-Options SAMEORIGIN;
    # X-Content-Type-Options nosniff -> Prevent MIME Type Attacks
    add_header X-Content-Type-Options nosniff;
    # X-XSS-Protection "1; mode=block" -> Prevent Some Cross Site Scripting
    # 1;mode=block -> XSS filter enabled, prevent rendering the page if attack detected
    add_header X-XSS-Protection "1; mode=block" always;
    # Content-Security-Policy -> Prevent XSS, clickjacking, code injection
    add_header Content-Security-Policy "default-src 'self';" always;
    ##-- End of Security Settings --##
    ...
}
SSL: Enforce Strong Encryption
- Default file location: /etc/nginx/nginx.conf OR an included file
- Typical compiled location: /opt/cots/nginx/conf/nginx.conf OR an included file
SSL: All in One
All of the SSL hardening settings from the sections below, combined into a single copy-and-paste block.
ssl_protocols TLSv1.2;
ssl_ciphers "HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4";
ssl_prefer_server_ciphers on;
SSL: Protocols
Protocols - Use only TLS; restrict to TLS 1.2 alone wherever clients allow it.
- TLSv1.2 only (Preferred)
ssl_protocols TLSv1.2;
- TLS
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
SSL: Ciphers
Ciphers - Config
ssl_ciphers "HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4";
Ciphers - Server picks compatible cipher
ssl_prefer_server_ciphers on;
Other Settings
Other secure settings.
Redirect HTTP to HTTPS
Redirect all HTTP to HTTPS
server {
    listen 80 default_server;
    server_name _;
    # Redirect everything to HTTPS
    return 301 https://$http_host$request_uri;
}
HSTS
Enabling HTTP Strict Transport Security (HSTS).
Add the Strict-Transport-Security header to the server section that listens for HTTPS:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name HOSTNAME-HERE;
    # HSTS (HTTP Strict Transport Security)
    # 63072000 seconds = 2 years
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    ...
}
- max-age=63072000 → Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited.
Operation
Controlling the nginx web server.
Nginx can be controlled via the system's service commands or nginx executable signals.
- Main nginx executable: /usr/sbin/nginx
- Alt main nginx executable (Compiled): /usr/local/nginx/sbin/nginx
- Alt main nginx executable (Software Collections): /opt/rh/rh-nginx18/root/sbin/nginx
Note: If using the software collections method, that environment must be enabled before you attempt to operate the web server.
scl enable rh-nginx18 bash
- This could be put in a user's .bashrc for easier use if needed.
Enable on Boot
- Autostart the nginx web server upon system startup
systemctl enable nginx
Start
- Evaluate config files; if syntax is ok, start
systemctl start nginx
or
nginx
Stop
- Stop the nginx processes now (fast shutdown)
- Terminates in-flight connections immediately
systemctl stop nginx
or
nginx -s stop
Reload Config
- Equivalent to Apache httpd's “graceful” restart
- Check syntax
- If OK, spawn new workers with the new config and signal the old workers to shut down once their current requests complete
- If NOT OK, keep running with the old configuration
systemctl reload nginx
or
nginx -s reload
Restart
- Kill worker processes immediately
systemctl restart nginx
or
nginx -s stop && nginx
Graceful Stop
- Equivalent to Apache httpd's “graceful-stop”
- Wait for worker processes to finish serving current requests, then stop.
- Do not accept new requests
nginx -s quit