This is an old revision of the document!
Nginx HTTP Server
General Information
Installation and configuration of Nginx web server.
Checklist
- Distro(s): Enterprise Linux 6/7
Installation
Installation of Nginx can be completed via repo (Official Nginx, EPEL, or Software Collections) or compiling.
Repo: Official Nginx
Nginx.org has pre-built packages. You can select mainline (newer) or stable.
Versions as of 04/13/2016:
- Mainline: 1.9.14
- Stable: 1.8.1
- Legacy: 1.6.3 and below
- Import nginx gpg signing key
rpm --import http://nginx.org/keys/nginx_signing.key
- Add a nginx repo file
- Stable Repo:
vim /etc/yum.repos.d/nginx.repo [nginx] name=nginx repo baseurl=http://nginx.org/packages/centos/7/$basearch/ gpgcheck=0 enabled=1
- Mainline Repo:
vim /etc/yum.repos.d/nginx.repo [nginx] name=nginx repo baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/ gpgcheck=0 enabled=1
- Install
yum install nginx
Repo: EPEL
Versions as of 04/13/2016
- CentOS 7.2: Nginx 1.6.3
Procedure
- Install the EPEL repo
- Install Nginx
yum install nginx
Repo: Software Collections
Versions as of 04/13/2016:
- nginx 1.4 (legacy)
- nginx 1.6 (legacy)
- nginx 1.8 (stable)
- Add the software collections repo.
- Install
yum install rh-nginx18
- Enable the software collection
scl enable rh-nginx18 bash
- Run signal commands (nginx -s signal) as normal from the Operation section below
Compile and Install
Building from source is usually done for specific functionality and is more time consuming.
- Install pre-reqs
yum install gcc pcre-devel zlib-devel
- Download a tarball (Example: Stable)
wget http://nginx.org/download/nginx-1.8.1.tar.gz
- Unarchive/unpack
tar -zxvf nginx-1.8.1.tar.gz
- Change into directory
cd nginx-1.8.1/
- Configure nginx
./configure --prefix=/usr/local/nginx
- Available configuration options: http://nginx.org/en/docs/configure.html
- Compile
make
- Install
make install
Configuration
- Main Config: /etc/nginx/nginx.conf
- Alt Main (Compiled): /usr/local/nginx/conf/nginx.conf
- Alt Main (Software Collections): /etc/opt/rh/rh-nginx18/nginx/nginx.conf
- Additional Config: /etc/nginx/conf.d/
- Alt Additional Config (Compiled): No default
- Alt Additional Config (Software Collections): /etc/opt/rh/rh-nginx18/nginx/conf.d/
Main Config: nginx.conf
- Default repo installed file location: /etc/nginx/nginx.conf
Main nginx.conf config file, in the http context
## NGINX - Main Configuration ## # Context: Main - General Server Configuration # User that worker processes run as user nginx; # Number of worker processes (auto = set to number of CPUs) worker_processes auto; # Error Log and PID of main process error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; # Context: Events - Connection Processing events { # Max number of connections per worker process worker_connections 1024; } # Context: HTTP - HTTP Server Directives http { # MIME - Include file and default type include /etc/nginx/mime.types; default_type application/octet-stream; # Logging: Format and Main Access Log log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; # server_tokens off - Disable nginx version on error pages and response headers server_tokens off; ## Headers - Add additional headers ## # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin add_header X-Frame-Options SAMEORIGIN; # X-Content-Type-Options nosniff -> Prevent MIME Type Attacks add_header X-Content-Type-Options nosniff; # X-XSS-Protection "1; mode=block" -> Prevent Some Cross Site Scripting # 1;mode=block -> XSS filter enabled, prevent rendering the page if attack detected add_header X-XSS-Protection "1; mode=block" always; # Content-Security-Policy -> Prevent XSS, clickjacking, code injection add_header Content-Security-Policy "default-src 'self';" always; # Combined directives: sendfile, tcp_nopush, tcp_nodelay all on # sendfile+tcp_nopush = use kernel dma to fill packets up to MSS, then send # tcp_nodelay = once the last packet is reached, tcp_nopush auto turned off, # then tcp_nodelay forces the fast sending of the last data # Sendfile - Send files directly in kernel space # on -> keep on for locally stored files # off -> turn off for files served over network mounted storage sendfile on; # tcp_nopush - Do not send data until packet reaches MSS # Dependency: sendfile MUST be on for this to work #tcp_nopush on; # tcp_nodelay - Send packets in buffer as soon as they are available #tcp_nodelay on; # Server side keepalive timeout in seconds (default: 75) keepalive_timeout 65; # Gzip - Compress responses using gzip #gzip on; # Include enabled configurations include /etc/nginx/conf.d/enabled/*.conf; }
Default Config: default.conf
- Create the available/enabled directories
mkdir /etc/nginx/conf.d/{available,enabled}
- Remove default installed config
rm /etc/nginx/conf.d/default.conf
- Create new default site/catch all config file
vim /etc/nginx/conf.d/available/default.conf ## Default Config - Catch All Matches ## # HTTP (Port 80) server { listen 80 default_server; server_name _; # Redirect everything to HTTPS return 301 https://$http_host$request_uri; } # HTTPS (Port 443) server { listen 443 ssl default_server; listen [::]:443 ssl default_server; server_name _; # HSTS (HTTPS Strict Transport Security) # 63072000 seconds = 2 years add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always; # SSL - Certificate Config ssl on; ssl_certificate /etc/pki/tls/mycert.crt; ssl_certificate_key /etc/pki/tls/mykey.key; ssl_client_certificate /etc/pki/tls/myca.crt; # SSL - Session Config ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; # SSL - Protocols and Ciphers ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "HIGH:!AECDH:!DHE:!EDH:!RC4:!ADH:!3DES:!MEDIUM"; # Location: Webserver root location / { # autoindex off - Disable directory listing output autoindex off; root /usr/share/nginx/html; index index.html index.htm; } }
- Create symlink in enabled directory to default config
ln -s /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/enabled/default.conf
- Deploy your SSL certificates.
SSL: Enforce Strong Encryption
- Default file location: /etc/nginx/nginx.conf OR an included file
SSL: All in One
All in one copy/paste most secure SSL settings.
ssl_protocols TLSv1.2;
ssl_ciphers "HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4";
ssl_prefer_server_ciphers on;
SSL: Protocols
Protocols - Use only TLS (1.2 only if possible)
- TLSv1.2 only (Preferred)
ssl_protocols TLSv1.2;
- TLS
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
SSL: Ciphers
Ciphers - Config
ssl_ciphers "HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4";
Ciphers - Server picks compatible cipher
ssl_prefer_server_ciphers on;
Other Settings
Other secure settings.
Redirect HTTP to HTTPS
Redirect all HTTP to HTTPS
server { listen 80 default_server; server_name _; # Redirect everything to HTTPS return 301 https://$http_host$request_uri; }
HSTS
Enabling HTTPS Strict Transport Security (HSTS).
Add the strict transport security header to the listening HTTPS server section
server { listen 443 ssl; listen [::]:443 ssl; server_name HOSTNAME-HERE; # HSTS (HTTPS Strict Transport Security) # 63072000 seconds = 2 years add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always; .... }
- max-age=63072000 → Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited.
Operation
Controlling the nginx web server.
Nginx can be controlled via the system's service commands or nginx executable signals.
- Main nginx executable: /usr/sbin/nginx
- Alt main nginx executable (Compiled): /usr/local/nginx/sbin/nginx
- Alt main nginx executable (Software Collections): /opt/rh/rh-nginx18/root/sbin/nginx
Note: If using the software collections method, that environment must be enabled before you attempt to operate the web server.
scl enable rh-nginx18 bash
- This could be put in a user's .bashrc for easier use if needed.
Enable on Boot
- Autostart the nginx web server upon system startup
systemctl enable nginx
Start
- Evaluate config files; if syntax is ok, start
systemctl start nginx
or
nginx
Stop
- Stop the nginx processes now
- Kills current sessions
systemctl stop nginx
or
nginx -s stop
Reload Config
- Equivalent to Apache httpd's “graceful” restart
- Check syntax
- if ok, then spawn new workers with new config and signal old workers to shutdown after current requests are complete
- if NOT ok, continue using old configuration
systemctl reload nginx
or
nginx -s reload
Restart
- Kill worker processes immediately
systemctl restart nginx
or
nginx -s stop && nginx -s start
Graceful Stop
- Equivalent to Apache httpd's “graceful-stop”
- Wait for worker processes to finish serving current requests, then stop.
- Do not accept new requests
nginx -s quit