General Information
Installation and configuration of Nginx web server.
Checklist
Nginx can be installed from a package repository (the official nginx.org repo, EPEL, or Red Hat Software Collections) or built from source. Repository packages receive security updates through yum; a source build does not, so you must track nginx releases and rebuild yourself.
Official nginx.org repo
Nginx.org has pre-built packages in two branches: mainline (newer; receives new features and all bug fixes) and stable (no new features, only critical fixes backported). Pick one branch and create only that repo definition.
Versions as of 04/13/2016:
Procedure: import the package signing key, create the repo file for the chosen branch, then install. The key is imported so that yum can verify package signatures, so leave gpgcheck=1; with gpgcheck=0 yum installs unsigned or tampered packages without complaint and the key import achieves nothing. The key itself is fetched over plain HTTP here, so compare its fingerprint with the one published on nginx.org before trusting it.
rpm --import http://nginx.org/keys/nginx_signing.key
Stable branch, vim /etc/yum.repos.d/nginx.repo:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
enabled=1
Mainline branch, vim /etc/yum.repos.d/nginx.repo:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=1
enabled=1
yum install nginx
EPEL repo
Versions as of 04/13/2016
Procedure (the EPEL repository must already be enabled on the system):
yum install nginx
Software Collections
Versions as of 04/13/2016:
yum install rh-nginx18
scl enable rh-nginx18 bash
Building from source is usually done for specific functionality and is more time consuming. Two caveats: a source build is not covered by yum updates, so every nginx security release means a rebuild on your side, and the minimal build below has no SSL support at all. The HTTPS configuration later on this page requires openssl-devel to be installed and --with-http_ssl_module to be passed to ./configure. nginx.org publishes a detached GPG signature (.asc) next to each tarball; verify it against the nginx signing key before building.
yum install gcc pcre-devel zlib-devel
wget http://nginx.org/download/nginx-1.8.1.tar.gz
tar -zxvf nginx-1.8.1.tar.gz
cd nginx-1.8.1/
./configure --prefix=/usr/local/nginx
make
make install
Main nginx.conf config file. The security-relevant directives (logging, server_tokens, response headers) live in the http context and apply to every site included from conf.d, subject to the add_header inheritance rule noted below.
## NGINX - Main Configuration ##

# Context: Main - General Server Configuration
# User that worker processes run as
user nginx;
# Number of worker processes (auto = one per CPU)
worker_processes auto;
# Error log and PID of main process
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

# Context: Events - Connection Processing
events {
    # Max number of connections per worker process
    worker_connections 1024;
}

# Context: HTTP - HTTP Server Directives
http {
    # MIME - Include file and default type
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Logging: Format and Main Access Log
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # server_tokens off - Hide the nginx version in error pages and the Server header
    server_tokens off;

    ## Headers - Add additional headers ##
    # NOTE: add_header is inherited from this level ONLY by server/location blocks that
    # define no add_header of their own. A server block that adds even one header of its
    # own (for example HSTS) loses every header set here unless they are repeated there.
    # "always" makes nginx send the header on error responses (4xx/5xx) as well.
    # X-Frame-Options SAMEORIGIN -> Page may only be framed by the same origin (clickjacking)
    add_header X-Frame-Options SAMEORIGIN always;
    # X-Content-Type-Options nosniff -> Browser must not guess MIME types
    add_header X-Content-Type-Options nosniff always;
    # X-XSS-Protection "1; mode=block" -> Legacy browser XSS filter; do not render the page
    # if an attack is detected. Current browsers have removed this filter, so treat it as
    # harmless legacy; the Content-Security-Policy below is the effective control.
    add_header X-XSS-Protection "1; mode=block" always;
    # Content-Security-Policy -> Mitigate XSS, clickjacking, code injection.
    # default-src 'self' blocks inline scripts/styles and all third-party resources;
    # test the site with it before deploying.
    add_header Content-Security-Policy "default-src 'self';" always;

    # Combined directives: sendfile, tcp_nopush, tcp_nodelay all on
    # sendfile+tcp_nopush = fill packets up to MSS in the kernel, then send
    # tcp_nodelay = once the last packet is reached, tcp_nopush is turned off automatically,
    # then tcp_nodelay forces the fast sending of the last data
    # sendfile - Copy files directly in kernel space
    # on -> keep on for locally stored files
    # off -> turn off for files served from network mounted storage
    sendfile on;
    # tcp_nopush - Do not send data until the packet reaches MSS
    # Dependency: sendfile MUST be on for this to work
    #tcp_nopush on;
    # tcp_nodelay - Send packets in buffer as soon as they are available
    #tcp_nodelay on;

    # Server side keepalive timeout in seconds (default: 75)
    keepalive_timeout 65;

    # Gzip - Compress responses using gzip
    # (compressing responses that mix secrets with attacker-controlled input enables
    # BREACH-style attacks; leave it off for such responses)
    #gzip on;

    # Include enabled configurations
    include /etc/nginx/conf.d/enabled/*.conf;
}
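The main log_format above is what detection tooling ends up parsing. The following is an added example, not code from the original page: a Python parser for exactly that format, run over constructed sample lines (the addresses, paths and user agents are made up), which flags clients probing for non-existent admin paths and shows why X-Forwarded-For may only be trusted when the direct peer is a proxy you operate. The trusted_proxies set and the 404 threshold are assumptions of the example.

```python
"""Parse nginx access logs in the "main" log_format and flag probing clients (added example)."""
import re
from collections import defaultdict

# One named group per field of the "main" log_format defined in nginx.conf above.
# nginx escapes a literal '"' inside a variable as \x22, so a quoted field never
# contains a raw double quote and [^"]* is safe.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$'
)

# Constructed sample log (addresses, paths and user agents are made up for this example).
# 10.0.0.5 plays a load balancer in front of nginx; the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2016:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [13/Apr/2016:10:00:02 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0" "-"
198.51.100.23 - - [13/Apr/2016:10:00:05 -0400] "GET /wp-login.php HTTP/1.1" 404 169 "-" "python-requests/2.9.1" "-"
198.51.100.23 - - [13/Apr/2016:10:00:05 -0400] "GET /phpmyadmin/?lang=en HTTP/1.1" 404 169 "-" "python-requests/2.9.1" "-"
198.51.100.23 - - [13/Apr/2016:10:00:06 -0400] "GET /.git/config HTTP/1.1" 404 169 "-" "python-requests/2.9.1" "-"
198.51.100.23 - - [13/Apr/2016:10:00:06 -0400] "GET /.env HTTP/1.1" 404 169 "-" "python-requests/2.9.1" "-"
10.0.0.5 - alice [13/Apr/2016:10:01:00 -0400] "POST /myapp/login HTTP/1.1" 302 0 "https://mysite.org/myapp/" "Mozilla/5.0" "203.0.113.99, 192.0.2.44"
this is not a log line
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['body_bytes_sent'] = int(rec['body_bytes_sent'])
    return rec


def parse_log(text):
    """Parse a whole log. Returns (records, unparsed_count); unparsable lines are counted
    rather than silently dropped, since a sudden rise in them is itself a signal."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    return records, unparsed


def request_path(rec):
    """Path of the request line without the query string; None for a malformed request line."""
    parts = rec['request'].split(' ')
    if len(parts) != 3:
        return None
    return parts[1].split('?', 1)[0]


def client_ip(rec, trusted_proxies=frozenset()):
    """Pick the client address. X-Forwarded-For is client-controlled: only honour it when the
    direct peer ($remote_addr) is a proxy we operate, and then use the rightmost entry, which
    is the one that proxy appended; anything left of it was supplied by the client."""
    xff = rec['http_x_forwarded_for']
    if rec['remote_addr'] in trusted_proxies and xff != '-':
        return xff.split(',')[-1].strip()
    return rec['remote_addr']


def probing_clients(records, min_404=3, trusted_proxies=frozenset()):
    """Clients that requested at least min_404 distinct non-existent paths, the usual footprint
    of scanners hunting for admin panels, dotfiles and credential files.
    Returns {client_ip: sorted list of missing paths}."""
    misses = defaultdict(set)
    for rec in records:
        path = request_path(rec)
        if rec['status'] == 404 and path:
            misses[client_ip(rec, trusted_proxies)].add(path)
    return {ip: sorted(paths) for ip, paths in misses.items() if len(paths) >= min_404}


if __name__ == '__main__':
    recs, bad = parse_log(SAMPLE_LOG)
    print('parsed %d records, %d unparsable lines' % (len(recs), bad))
    for ip, paths in probing_clients(recs).items():
        print('%s probed %d missing paths: %s' % (ip, len(paths), ', '.join(paths)))
```

On the sample, 198.51.100.23 is reported with four missing paths while 203.0.113.7's single favicon miss stays below the threshold; the POST line resolves to 10.0.0.5 by default and to 192.0.2.44 only when 10.0.0.5 is passed as a trusted proxy.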
mkdir /etc/nginx/conf.d/{available,enabled}
rm /etc/nginx/conf.d/default.conf
vim /etc/nginx/conf.d/available/default.conf

## Default Config - Catch All Matches ##
# HTTP (Port 80)
server {
    listen 80 default_server;
    server_name _;
    # Redirect everything to HTTPS.
    # $http_host is copied from the client's Host header, acceptable for a catch-all;
    # in a per-site config use the site's own name so the target is not client-controlled.
    return 301 https://$http_host$request_uri;
}
# HTTPS (Port 443)
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # HSTS (HTTP Strict Transport Security)
    # 63072000 seconds = 2 years. Only use includeSubDomains once every subdomain is served over HTTPS.
    # NOTE: because this block defines its own add_header, the headers from nginx.conf
    # (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy)
    # are NOT inherited here; repeat them in this block or move all add_header directives
    # down to the server level.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    # SSL - Certificate Config
    # "ssl on" is redundant with "listen ... ssl" and deprecated in later nginx versions
    ssl on;
    ssl_certificate /etc/pki/tls/mycert.crt;
    # Keep the key mode 0600 and root-owned; the master process reads it before dropping to user nginx
    ssl_certificate_key /etc/pki/tls/mykey.key;
    # CA used to verify client certificates; has no effect unless ssl_verify_client is enabled
    ssl_client_certificate /etc/pki/tls/myca.crt;
    # SSL - Session Config
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    # SSL - Protocols and Ciphers
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # HIGH minus anonymous suites (ADH/AECDH), DHE/EDH, RC4, 3DES and MEDIUM. This still
    # permits plain RSA key exchange (no forward secrecy); prefer ECDHE-only suites if
    # your clients support them.
    ssl_ciphers "HIGH:!AECDH:!DHE:!EDH:!RC4:!ADH:!3DES:!MEDIUM";
    # Location: Webserver root
    location / {
        # autoindex off - Disable directory listing output
        autoindex off;
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}

ln -s /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/enabled/default.conf
Once the base config is in place, site specific config can be added. Copy the default config and adjust it for the site: set server_name in both server blocks, drop the default_server flag (only one server block per port may carry it, and the catch-all keeps it), and point the certificate paths and root at the site's own files.
cp /etc/nginx/conf.d/available/default.conf /etc/nginx/conf.d/available/mysite.org.conf
vim /etc/nginx/conf.d/available/mysite.org.conf
server_name mysite.org;
listen 80;
listen 443 ssl;
ln -s /etc/nginx/conf.d/available/mysite.org.conf /etc/nginx/conf.d/enabled/mysite.org.conf
The catch-all can be disabled by removing its link, but keeping it is the safer choice: without a default_server, nginx serves requests whose Host header matches no site from the first server block it loaded for that port, i.e. from one of the real sites.
unlink /etc/nginx/conf.d/enabled/default.conf
Test the configuration (nginx -t) and restart; use the init script on SysV systems and systemctl on systemd (CentOS 7):
/etc/init.d/nginx restart
systemctl restart nginx
Nginx can function as a reverse proxy. This is particularly useful for:
This example accepts connections on the standard port 443/tcp and forwards requests for /myapp/ to a Java application listening on localhost, port 8080/tcp. Bind the application to 127.0.0.1 only: nginx sets X-Real-IP and X-Forwarded-For from the connection it sees, and the application should trust those headers only when they come from this proxy, which is only guaranteed when nobody can reach port 8080 directly. Note that $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client sent, so the application must take the rightmost entry, not the first. If the application builds absolute URLs it also needs to be told the original scheme (X-Forwarded-Proto), since from nginx it only ever sees plain HTTP.
server {
    ....
    # Location: Reverse Proxy to Java App
    location /myapp/ {
        # Forward /myapp/ requests to the backend port
        proxy_pass http://127.0.0.1:8080/myapp/;
        # Additional headers to pass
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
All in one copy/paste of the SSL settings used on this page ("most secure" is relative to the client base of the time; re-check against current guidance before reuse):
ssl_protocols TLSv1.2;
ssl_ciphers "HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4";
ssl_prefer_server_ciphers on;
Protocols - Use only TLS, and only 1.2 if your clients allow it. The second line is the fallback for legacy clients; TLS 1.0 and 1.1 are deprecated and should be dropped as soon as those clients are gone.
ssl_protocols TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
Ciphers - Config. HIGH minus anonymous suites (ADH/AECDH), DHE/EDH, RC4, 3DES and MEDIUM. What HIGH expands to depends on the OpenSSL nginx is linked against, and it still includes suites with plain RSA key exchange (no forward secrecy). Inspect the real list with openssl ciphers -v '<string>' on the server and prefer ECDHE-only suites where client support allows.
ssl_ciphers "HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4";
Ciphers - Server picks the cipher. With this on, the server's preference order (the order of the expanded list) wins over the client's, so the order of the string matters.
ssl_prefer_server_ciphers on;
Other secure settings.
Redirect all HTTP to HTTPS
server {
    listen 80 default_server;
    server_name _;
    # Redirect everything to HTTPS
    return 301 https://$http_host$request_uri;
}
Enabling HTTP Strict Transport Security (HSTS).
Add the Strict-Transport-Security header to the HTTPS server block. Browsers ignore the header on plain HTTP responses, so it belongs in the 443 block, not in the redirecting 80 block. "always" makes nginx send it on error responses too. Because this is an add_header, it stops the http-level headers from nginx.conf being inherited into this block; repeat them here.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name HOSTNAME-HERE;
    # HSTS (HTTP Strict Transport Security)
    # 63072000 seconds = 2 years
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    ....
}
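To check that a deployed configuration actually carries the settings from these sections (server_tokens, protocols, ciphers, prefer_server_ciphers, autoindex, HSTS) and to catch the add_header inheritance gotcha, here is an added example, not code from the original page: a Python audit script with a minimal nginx directive parser, run over two constructed configs, one condensed from this page's nginx.conf and default.conf and one deliberately weak. The weak-token lists and the 180-day HSTS floor are the example's own assumptions, not nginx or page values.

```python
"""Audit an nginx config for the hardening settings on this page (added example)."""
import re
from collections import namedtuple

Directive = namedtuple('Directive', 'ctx name args')  # ctx = tuple of enclosing block labels

WEAK_PROTOCOLS = {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'}
# Cipher-string tokens that should only appear negated ("!RC4"); assumed list for this example.
WEAK_CIPHER_TOKENS = {'LOW', 'MEDIUM', 'RC4', '3DES', 'DES', 'MD5', 'NULL', 'EXPORT',
                      'ANULL', 'ENULL', 'ADH', 'AECDH'}
MIN_HSTS_AGE = 15552000  # 180 days; an assumed floor for this example


def parse_directives(text):
    """Flatten a config into Directive records. Comments are stripped naively (a '#' inside a
    quoted value would break this; no value on this page has one). Each block gets a unique
    label so two server{} blocks are kept apart."""
    text = re.sub(r'#[^\n]*', '', text)
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', text)
    out, stack, stmt, block_id = [], [], [], 0
    for tok in tokens:
        if tok == '{':
            block_id += 1
            stack.append('%s#%d' % (' '.join(stmt) or '?', block_id))
            stmt = []
        elif tok == '}':
            stack.pop()
            stmt = []
        elif tok == ';':
            if stmt:
                out.append(Directive(tuple(stack), stmt[0], [t.strip('"\'') for t in stmt[1:]]))
            stmt = []
        else:
            stmt.append(tok)
    return out


def where(ctx):
    return ' > '.join(c.rsplit('#', 1)[0] for c in ctx) or 'main'


def effective_add_headers(directives, ctx):
    """add_header directives in force at ctx: nginx inherits them from the parent level only if
    the current level defines no add_header at all, so a single local header discards the rest."""
    own = [d for d in directives if d.ctx == ctx and d.name == 'add_header' and d.args]
    return own if own or not ctx else effective_add_headers(directives, ctx[:-1])


def audit(config_text):
    """Return human-readable findings; an empty list means no check fired."""
    d = parse_directives(config_text)
    findings = []
    if not any(x.name == 'server_tokens' and x.args == ['off'] for x in d):
        findings.append('main: server_tokens is not off (version shown in Server header and error pages)')
    for x in d:
        loc = where(x.ctx)
        if x.name == 'ssl_protocols':
            weak = sorted(set(x.args) & WEAK_PROTOCOLS)
            if weak:
                findings.append('%s: ssl_protocols enables %s' % (loc, ' '.join(weak)))
        elif x.name == 'ssl_ciphers':
            enabled = [t for t in ':'.join(x.args).split(':') if t and t[0] not in '!-']
            weak = [t for t in enabled if t.upper() in WEAK_CIPHER_TOKENS]
            if weak:
                findings.append('%s: ssl_ciphers enables %s' % (loc, ' '.join(weak)))
        elif x.name == 'ssl_prefer_server_ciphers' and x.args != ['on']:
            findings.append('%s: ssl_prefer_server_ciphers is not on' % loc)
        elif x.name == 'autoindex' and x.args == ['on']:
            findings.append('%s: autoindex on exposes directory listings' % loc)
    for ctx in sorted({x.ctx for x in d if x.ctx}):
        here = [x for x in d if x.ctx == ctx]
        own = {x.args[0].lower() for x in here if x.name == 'add_header' and x.args}
        if own:  # this level defines headers, so the parent's are no longer inherited
            lost = sorted({x.args[0].lower() for x in effective_add_headers(d, ctx[:-1])} - own)
            if lost:
                findings.append('%s: add_header here stops inheritance; lost from parent: %s'
                                % (where(ctx), ' '.join(lost)))
        if ctx[-1].startswith('server#') and any(x.name == 'listen' and 'ssl' in x.args for x in here):
            hsts = [x for x in effective_add_headers(d, ctx)
                    if x.args[0].lower() == 'strict-transport-security']
            if not hsts:
                findings.append('%s: TLS server sends no Strict-Transport-Security header' % where(ctx))
            else:
                args = hsts[0].args
                m = re.search(r'max-age=(\d+)', args[1] if len(args) > 1 else '')
                if not m or int(m.group(1)) < MIN_HSTS_AGE:
                    findings.append('%s: HSTS max-age missing or below %d' % (where(ctx), MIN_HSTS_AGE))
                if 'always' not in args:
                    findings.append('%s: HSTS header lacks "always" (not sent on 4xx/5xx)' % where(ctx))
    return findings


# Constructed configs: one condensed from this page's nginx.conf/default.conf, one deliberately weak.
PAGE_LIKE_CONF = """
http {
    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    server { listen 80 default_server; return 301 https://$http_host$request_uri; }
    server {
        listen 443 ssl default_server;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
        ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on;
        ssl_ciphers "HIGH:!AECDH:!DHE:!EDH:!RC4:!ADH:!3DES:!MEDIUM";
        location / { autoindex off; root /usr/share/nginx/html; }
    }
}
"""
WEAK_CONF = """
http { server {
    listen 443 ssl; ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers "HIGH:MEDIUM:!aNULL"; ssl_prefer_server_ciphers off;
    location /files/ { autoindex on; }
} }
"""

if __name__ == '__main__':
    print(audit(PAGE_LIKE_CONF), audit(WEAK_CONF), sep='\n')
```

On the page-like config the only finding is the inheritance one: the HTTPS server block sets HSTS and thereby drops X-Frame-Options and X-Content-Type-Options from the http level, which is exactly what the notes in the config above warn about. The weak config produces six findings, one per weakened setting plus the missing HSTS header.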
Controlling the nginx web server.
Nginx can be controlled via the system's service commands or by sending signals to the running master process with the nginx executable (nginx -s stop|quit|reload|reopen). Validate the configuration with nginx -t before a reload or restart: on a reload the master process rejects a broken configuration and the old workers keep serving, whereas a restart stops the old process first and leaves the site down if the new configuration fails to load.
Note: If using the software collections method, that environment must be enabled before you attempt to operate the web server.
scl enable rh-nginx18 bash
Enable at boot:
systemctl enable nginx
Start:
systemctl start nginx
or
nginx
Stop (immediate, drops in-flight requests):
systemctl stop nginx
or
nginx -s stop
Reload configuration (new workers start, old ones finish their requests, no downtime):
systemctl reload nginx
or
nginx -s reload
Restart:
systemctl restart nginx
or
nginx -s stop && nginx
(there is no "-s start" signal; running nginx with no arguments starts a new master process)
Graceful stop (finish in-flight requests, then exit):
nginx -s quit