-
Notifications
You must be signed in to change notification settings - Fork 0
Nginx
nginx (pronounced "engine X"), is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server, written by Igor Sysoev in 2005. Nginx is the only supported web server for GitLab.
Nginx uses server blocks to accomplish the functionality found in Apache's virtual hosts. Think of server blocks as specifications for individual web sites that your server can host.
Most Linux distro will use /etc/nginx/sites-availables directory to store hosts. Fedora will instead use /etc/nginx/conf.d. All additional web services .conf files shall be placed in this directory.
These files are included in alphabetical order, you need to keep that in mind if you don't specify any server as default_server, because first one would be the default.
nginx root, called webroot as well, has been moved to /db/www/nginx/html
WARNING: most http services installed by Fedora have by default permissions set to apache:apache. This has to be changed to nginx:nginx. Please check permissions on directory content /var/lib.
The main configuration file is located at /etc/nginx/nginx.conf. Edit it to change basic settings.
/etc/nginx/nginx.conf
------------------------
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx nginx;
worker_processes 8;
error_log /storage/log/nginx/error.log info;
pid /run/nginx.pid;
worker_rlimit_nofile 8192;
events {
worker_connections 4096;
}
http {
include /etc/nginx/mime.types;
include /etc/nginx/fastcgi.conf;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/ssl/ssl.conf;
types_hash_max_size 2048;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /storage/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
server {
listen 80;
server_name thetradinghall.com www.thetradinghall.com;
root /db/nginx/data/www;
index index.html index.php;
include php-fpm.conf;
location /images/ {
root /db/nginx/data/images;
open_file_cache_errors off;
error_page 404 = /fetch$uri;
}
location /50x.html {
error_page 500 502 503 504 /50x.html;
}
location = /40x.html {
error_page 404 /404.html;
}
# prevent acces to dot files
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
}
}
The error_log directive can be configured to log more or less information as required. The level of logging can be any one of the following:
- emerg: Emergency situations where the system is in an unusable state.
- alert: Severe situation where action is needed promptly.
- crit: Important problems that need to be addressed.
- error: An Error has occurred. Something was unsuccessful.
- warn: Something out of the ordinary happened, but not a cause for concern.
- notice: Something normal, but worth noting has happened.
- info: An informational message that might be nice to know.
- debug: Debugging information that can be useful to pinpoint where a problem is occurring.
Test configuration file ~/mynginx.conf with global directives for PID and quantity of worker processes:
$ nginx -t -c ~/mynginx.conf -g "pid /var/run/mynginx.pid; worker_processes 2;"
To configure an HTTPS server, the ssl parameter must be enabled on listening sockets in the server block, and the locations of the server certificate and private key files should be specified.
It is largely recommended to disable SSL3, but Nginx by default do not use SSL3.
1- check Nginx has been built with SSL support:
# /usr/sbin/nginx -V
nginx version: nginx/1.8.0
built by gcc 5.1.1 20150422 (Red Hat 5.1.1-1) (GCC)
built with OpenSSL 1.0.1k-fips 8 Jan 2015
.................
2- Create a private key and self-signed certificate. Openssl provides TLS/SSL support.
# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl req -new -x509 -nodes -newkey rsa:2048 -keyout enl.global.key -out enl.global.crt -days 1095
# ls
# chmod 400 nginx.key
# chmod 444 nginx.crt
-r--r--r-- 1 root root 1.4K Jun 29 20:49 enl.global.crt
-r-------- 1 root root 1.7K Jun 29 20:49 enl.global.key
3- modify /etc/nginx/nginx.conf with adding these lines:
....
http {
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
.........
server {
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/pki/tls/certs/dhparams.pem;
ssl_certificate /etc/nginx/ssl/tth.com.crt;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate_key /etc/nginx/ssl/tth.com.key;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s; # here we use GOOGLE DNS
resolver_timeout 5s;
4- test your configuration
Visit SSLabs test page, enter your URL and wait for the test to complete.
Getting a free certificate is now possible with letsencrypt. After the installation, the letsencrypt command is avalaible in ~/.local/share/letsencrypt/bin directory.
Running the command with the certonly subcommands will install certificates and keys in /etc/letsencrypt directory.
Start and enable nginx
% sudo systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2015-05-08 16:00:03 CEST; 5s ago
Process: 13222 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 13221 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Main PID: 13223 (nginx)
CGroup: /system.slice/system-systemd\x2dnspawn.slice/[email protected]/system.slice/nginx.service
├─13223 nginx: master process /usr/sbin/nginx
└─13224 nginx: worker process
May 08 16:00:03 poppy systemd[1]: Starting The nginx HTTP and reverse proxy server...
May 08 16:00:03 poppy nginx[13221]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
May 08 16:00:03 poppy nginx[13221]: nginx: configuration file /etc/nginx/nginx.conf test is successful
May 08 16:00:03 poppy systemd[1]: Started The nginx HTTP and reverse proxy server.