linux_wiki:nginx_http_server [2018/04/09 00:39] billdozor [Example: Reverse Proxy]
linux_wiki:nginx_http_server [2019/05/25 23:50]
Line 1: | Line 1: | ||
- | ====== Nginx HTTP Server ====== | ||
- | **General Information** | ||
- | |||
- | Installation and configuration of Nginx web server. | ||
- | |||
- | **Checklist** | ||
- | * Distro(s): Enterprise Linux 6/7 | ||
- | |||
- | ---- | ||
- | |||
- | ====== Installation ====== | ||
- | |||
- | Installation of Nginx can be completed via repo (Official Nginx, EPEL, or Software Collections) or compiling. | ||
- | |||
- | ===== Repo: Official Nginx ===== | ||
- | |||
- | [[http:// | ||
- | |||
- | Versions as of 04/13/2016: | ||
- | * Mainline: 1.9.14 | ||
- | * Stable: 1.8.1 | ||
- | * Legacy: 1.6.3 and below | ||
- | |||
- | - Import nginx gpg signing key<code bash>rpm --import http:// | ||
- | - Add a nginx repo file | ||
- | * Stable Repo:< | ||
- | [nginx] | ||
- | name=nginx repo | ||
- | baseurl=http:// | ||
- | gpgcheck=0 | ||
- | enabled=1</ | ||
- | * Mainline Repo:< | ||
- | [nginx] | ||
- | name=nginx repo | ||
- | baseurl=http:// | ||
- | gpgcheck=0 | ||
- | enabled=1</ | ||
- | - Install< | ||
- | |||
- | ===== Repo: EPEL ===== | ||
- | |||
- | Versions as of 04/13/2016 | ||
- | * CentOS 7.2: Nginx 1.6.3 | ||
- | |||
- | Procedure | ||
- | * Install the [[linux_wiki: | ||
- | * Install Nginx< | ||
- | |||
- | ===== Repo: Software Collections ===== | ||
- | |||
- | Versions as of 04/13/2016: | ||
- | * nginx 1.4 (legacy) | ||
- | * nginx 1.6 (legacy) | ||
- | * nginx 1.8 (stable) | ||
- | |||
- | - Add the [[linux_wiki: | ||
- | - Install< | ||
- | - Enable the software collection< | ||
- | - Run signal commands (nginx -s signal) as normal from the Operation section below | ||
- | ===== Compile and Install ===== | ||
- | |||
- | Building from source is usually done for specific functionality and is more time consuming. | ||
- | |||
- | - Install pre-reqs< | ||
- | - [[http:// | ||
- | - Unarchive/ | ||
- | - Change into directory< | ||
- | - Configure nginx< | ||
- | - Available configuration options: http:// | ||
- | - Compile< | ||
- | - Install< | ||
- | |||
- | ---- | ||
- | |||
- | ====== Configuration ====== | ||
- | |||
- | * Main Config: / | ||
- | * Alt Main (Compiled): / | ||
- | * Alt Main (Software Collections): | ||
- | * Additional Config: / | ||
- | * Alt Additional Config (Compiled): No default | ||
- | * Alt Additional Config (Software Collections): | ||
- | |||
- | ---- | ||
- | |||
- | ===== Main Config: nginx.conf ==== | ||
- | |||
- | * Default repo installed file location: / | ||
- | |||
- | Main nginx.conf config file, in the http context | ||
- | <code bash>## NGINX - Main Configuration ## | ||
- | |||
- | # Context: Main - General Server Configuration | ||
- | |||
- | # User that worker processes run as | ||
- | user nginx; | ||
- | |||
- | # Number of worker processes (auto = set to number of CPUs) | ||
- | worker_processes | ||
- | |||
- | # Error Log and PID of main process | ||
- | error_log | ||
- | pid / | ||
- | |||
- | |||
- | # Context: Events - Connection Processing | ||
- | events { | ||
- | # Max number of connections per worker process | ||
- | worker_connections | ||
- | } | ||
- | |||
- | # Context: HTTP - HTTP Server Directives | ||
- | http { | ||
- | # MIME - Include file and default type | ||
- | include | ||
- | default_type | ||
- | |||
- | # Logging: Format and Main Access Log | ||
- | log_format | ||
- | ' | ||
- | '" | ||
- | access_log | ||
- | |||
- | # server_tokens off - Disable nginx version on error pages and response headers | ||
- | server_tokens off; | ||
- | |||
- | ## Headers - Add additional headers ## | ||
- | # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin | ||
- | add_header X-Frame-Options SAMEORIGIN; | ||
- | |||
- | # X-Content-Type-Options nosniff -> Prevent MIME Type Attacks | ||
- | add_header X-Content-Type-Options nosniff; | ||
- | |||
- | # X-XSS-Protection "1; mode=block" | ||
- | # | ||
- | add_header X-XSS-Protection "1; mode=block" | ||
- | | ||
- | # Content-Security-Policy -> Prevent XSS, clickjacking, | ||
- | add_header Content-Security-Policy " | ||
- | | ||
- | # Combined directives: sendfile, tcp_nopush, tcp_nodelay all on | ||
- | # sendfile+tcp_nopush = use kernel dma to fill packets up to MSS, then send | ||
- | # tcp_nodelay = once the last packet is reached, tcp_nopush auto turned off, | ||
- | # then tcp_nodelay forces the fast sending of the last data | ||
- | |||
- | # Sendfile - Send files directly in kernel space | ||
- | # on -> keep on for locally stored files | ||
- | # off -> turn off for files served over network mounted storage | ||
- | sendfile | ||
- | |||
- | # tcp_nopush - Do not send data until packet reaches MSS | ||
- | # Dependency: sendfile MUST be on for this to work | ||
- | # | ||
- | |||
- | # tcp_nodelay - Send packets in buffer as soon as they are available | ||
- | # | ||
- | |||
- | # Server side keepalive timeout in seconds (default: 75) | ||
- | keepalive_timeout | ||
- | |||
- | # Gzip - Compress responses using gzip | ||
- | #gzip on; | ||
- | |||
- | # Include enabled configurations | ||
- | include / | ||
- | }</ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Default Config: default.conf ==== | ||
- | |||
- | * Create the available/ | ||
- | * Remove default installed config< | ||
- | * Create new default site/catch all config file< | ||
- | |||
- | ## Default Config - Catch All Matches ## | ||
- | |||
- | # HTTP (Port 80) | ||
- | server { | ||
- | listen 80 default_server; | ||
- | server_name | ||
- | |||
- | # Redirect everything to HTTPS | ||
- | return 301 https:// | ||
- | } | ||
- | |||
- | # HTTPS (Port 443) | ||
- | server { | ||
- | listen 443 ssl default_server; | ||
- | listen [::]:443 ssl default_server; | ||
- | server_name _; | ||
- | |||
- | # HSTS (HTTPS Strict Transport Security) | ||
- | # 63072000 seconds = 2 years | ||
- | add_header Strict-Transport-Security " | ||
- | |||
- | # SSL - Certificate Config | ||
- | ssl on; | ||
- | ssl_certificate / | ||
- | ssl_certificate_key / | ||
- | ssl_client_certificate / | ||
- | |||
- | # SSL - Session Config | ||
- | ssl_session_timeout 5m; | ||
- | ssl_session_cache shared: | ||
- | |||
- | # SSL - Protocols and Ciphers | ||
- | ssl_protocols TLSv1.2; | ||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_ciphers " | ||
- | |||
- | # Location: Webserver root | ||
- | location / { | ||
- | # autoindex off - Disable directory listing output | ||
- | autoindex off; | ||
- | root / | ||
- | index index.html index.htm; | ||
- | } | ||
- | }</ | ||
- | * Create symlink in enabled directory to default config< | ||
- | * Deploy your SSL certificates. | ||
- | |||
- | ---- | ||
- | |||
- | ===== Site Specific Config ==== | ||
- | |||
- | Once the base config is in place, site specific config can be added. | ||
- | * Copy the default config to a new file< | ||
- | * Edit the new file< | ||
- | * Replace server_name directives with system' | ||
- | * Remove " | ||
- | listen 443 ssl;</ | ||
- | * Make any other additional site specific config changes. | ||
- | |||
- | * Create symlink to enable the new site< | ||
- | * Disable the default.conf catch all config if you don't want it to function on a non-match to your site specific config< | ||
- | * Restart nginx for changes to take affect | ||
- | * CentOS 6<code bash>/ | ||
- | * CentOS 7<code bash> | ||
- | |||
- | ---- | ||
- | |||
- | ===== Example: Reverse Proxy ===== | ||
- | |||
- | Nginx can function as a reverse proxy. This is particularly useful for: | ||
- | * Accepting connections on secure standard ports and forwarding them to non-secure/ | ||
- | * Sitting in front of an application server (that might be listening on localhost) | ||
- | * Load balancing | ||
- | |||
- | ===== Forward to Non Standard Port ===== | ||
- | |||
- | This example accepts connections on standard port 443/tcp and forwards the request to a Java application listening on localhost, port 8080/tcp. | ||
- | <code bash> | ||
- | server { | ||
- | .... | ||
- | # Location: Reverse Proxy to Java App | ||
- | location /myapp/ { | ||
- | # Forward /myapp/ requests to correct port | ||
- | proxy_pass http:// | ||
- | |||
- | # Additional headers to pass | ||
- | proxy_set_header | ||
- | proxy_set_header | ||
- | proxy_set_header | ||
- | } | ||
- | } | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== SSL: Enforce Strong Encryption ===== | ||
- | |||
- | * Default file location: / | ||
- | |||
- | ==== SSL: All in One ==== | ||
- | |||
- | All in one copy/paste most secure SSL settings.< | ||
- | ssl_ciphers " | ||
- | ssl_prefer_server_ciphers on;</ | ||
- | |||
- | ---- | ||
- | |||
- | ==== SSL: Protocols ==== | ||
- | |||
- | **Protocols** - Use only TLS (1.2 only if possible) | ||
- | * TLSv1.2 only (**Preferred**)< | ||
- | * TLS<code bash> | ||
- | |||
- | ---- | ||
- | |||
- | ==== SSL: Ciphers ==== | ||
- | |||
- | **Ciphers** - Config | ||
- | <code bash> | ||
- | ssl_ciphers " | ||
- | </ | ||
- | |||
- | \\ | ||
- | **Ciphers** - Server picks compatible cipher | ||
- | <code bash> | ||
- | ssl_prefer_server_ciphers on; | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Other Settings ===== | ||
- | |||
- | Other secure settings. | ||
- | |||
- | ==== Redirect HTTP to HTTPS ==== | ||
- | |||
- | Redirect all HTTP to HTTPS< | ||
- | server { | ||
- | listen 80 default_server; | ||
- | server_name | ||
- | |||
- | # Redirect everything to HTTPS | ||
- | return 301 https:// | ||
- | }</ | ||
- | |||
- | ---- | ||
- | |||
- | ==== HSTS ==== | ||
- | |||
- | Enabling HTTPS Strict Transport Security (HSTS). | ||
- | |||
- | Add the strict transport security header to the listening HTTPS server section | ||
- | <code bash> | ||
- | listen 443 ssl; | ||
- | listen [::]:443 ssl; | ||
- | server_name HOSTNAME-HERE; | ||
- | |||
- | # HSTS (HTTPS Strict Transport Security) | ||
- | # 63072000 seconds = 2 years | ||
- | add_header Strict-Transport-Security " | ||
- | .... | ||
- | }</ | ||
- | * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited. | ||
- | |||
- | ---- | ||
- | |||
- | ====== Operation ====== | ||
- | |||
- | Controlling the nginx web server. | ||
- | |||
- | Nginx can be controlled via the system' | ||
- | |||
- | * Main nginx executable: / | ||
- | * Alt main nginx executable (Compiled): / | ||
- | * Alt main nginx executable (Software Collections): | ||
- | |||
- | **Note**: If using the software collections method, that environment must be enabled before you attempt to operate the web server.< | ||
- | * This could be put in a user's .bashrc for easier use if needed. | ||
- | |||
- | ---- | ||
- | |||
- | ==== Enable on Boot ==== | ||
- | |||
- | * Autostart the nginx web server upon system startup | ||
- | <code bash> | ||
- | |||
- | ---- | ||
- | |||
- | ==== Start ==== | ||
- | |||
- | * Evaluate config files; if syntax is ok, start | ||
- | <code bash> | ||
- | or | ||
- | <code bash> | ||
- | |||
- | ---- | ||
- | |||
- | ==== Stop ==== | ||
- | |||
- | * Stop the nginx processes now | ||
- | * Kills current sessions | ||
- | <code bash> | ||
- | or | ||
- | <code bash> | ||
- | |||
- | ---- | ||
- | |||
- | ==== Reload Config ==== | ||
- | |||
- | * Equivalent to Apache httpd' | ||
- | * Check syntax | ||
- | * if ok, then spawn new workers with new config and signal old workers to shutdown after current requests are complete | ||
- | * if NOT ok, continue using old configuration | ||
- | <code bash> | ||
- | or | ||
- | <code bash> | ||
- | |||
- | ---- | ||
- | |||
- | ==== Restart ==== | ||
- | |||
- | * Kill worker processes immediately | ||
- | <code bash> | ||
- | or | ||
- | <code bash> | ||
- | |||
- | ---- | ||
- | |||
- | ==== Graceful Stop ==== | ||
- | |||
- | * Equivalent to Apache httpd' | ||
- | * Wait for worker processes to finish serving current requests, then stop. | ||
- | * Do not accept new requests | ||
- | <code bash> | ||
- | |||
- | ---- |
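Review bot: the four security headers added in the http context (`add_header X-Frame-Options SAMEORIGIN;`, `add_header X-Content-Type-Options nosniff;`, the X-XSS-Protection header and the Content-Security-Policy header) will not be emitted by the HTTPS default server in default.conf, because that server block declares its own `add_header Strict-Transport-Security ...` and nginx inherits add_header directives from the enclosing level only when the current level defines none of its own. Repeat those headers inside every server block that sets HSTS, or set the HSTS header at the http level next to them, and confirm with a HEAD request against the deployed site that all five headers come back. Two smaller points in the same hunk: both the stable and the mainline repo files set `gpgcheck=0` directly after the step that imports the nginx GPG signing key, so yum never verifies package signatures against that key and the import buys nothing; `gpgcheck=1` is the setting that makes it worthwhile. And `ssl on;` in the HTTPS server block duplicates the ssl parameter already given on `listen 443 ssl default_server;`; the standalone ssl directive has been deprecated since nginx 1.15.0, so the listen parameter alone is the form to keep.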