-
Notifications
You must be signed in to change notification settings - Fork 0
Nginx
nginx (pronounced "engine X"), is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server, written by Igor Sysoev in 2005. Nginx is the only supported web server for GitLab.
Nginx uses server blocks to accomplish the functionality found in Apache's virtual hosts. Think of server blocks as specifications for individual web sites that your server can host.
Most Linux distro will use /etc/nginx/sites-availables directory to store hosts. Fedora will instead use /etc/nginx/conf.d. All additional web services .conf files shall be placed in this directory.
These files are included in alphabetical order, you need to keep that in mind if you don't specify any server as default_server, because first one would be the default.
nginx root, called webroot as well, has been moved to /db/www/nginx/html
WARNING: most http services installed by Fedora have by default permissions set to apache:apache. This has to be changed to nginx:nginx. Please check permissions on directory content /var/lib.
The main configuration file is located at /etc/nginx/nginx.conf. Edit it to change basic settings.
NOTE: best practice is to keep this main configuration file as simple as possible. All added settings and subdomains will be placed in /etc/include.d/ and /etc/conf.d directories.
/etc/nginx/nginx.conf
------------------------
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx nginx;
worker_processes 8;
error_log /storage/log/nginx/error.log info;
pid /run/nginx.pid;
worker_rlimit_nofile 8192;
events {
worker_connections 4096;
}
http {
include /etc/nginx/mime.types;
include /etc/nginx/fastcgi.conf;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/ssl/ssl.conf;
types_hash_max_size 2048;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /storage/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
server {
listen 80;
server_name thetradinghall.com www.thetradinghall.com;
root /db/nginx/data/www;
index index.html index.php;
include php-fpm.conf;
location /images/ {
root /db/nginx/data/images;
open_file_cache_errors off;
error_page 404 = /fetch$uri;
}
location /50x.html {
error_page 500 502 503 504 /50x.html;
}
location = /40x.html {
error_page 404 /404.html;
}
location ~ /\. {# prevent acces to dot files
access_log off;
log_not_found off;
deny all;
}
location ~* \.(jpg|jpeg|png|gif|ico)$ {# cache static files
expires 365d;
}
location ~* \.(jpg|jpeg|png|gif|ico)$ {# disable logging for static files
log_not_found off;
access_log off;
}
}
}
The error_log directive can be configured to log more or less information as required. The level of logging can be any one of the following:
- emerg: Emergency situations where the system is in an unusable state.
- alert: Severe situation where action is needed promptly.
- crit: Important problems that need to be addressed.
- error: An Error has occurred. Something was unsuccessful.
- warn: Something out of the ordinary happened, but not a cause for concern.
- notice: Something normal, but worth noting has happened.
- info: An informational message that might be nice to know.
- debug: Debugging information that can be useful to pinpoint where a problem is occurring.
Test configuration file ~/mynginx.conf with global directives for PID and quantity of worker processes:
$ nginx -t -c ~/mynginx.conf -g "pid /var/run/mynginx.pid; worker_processes 2;"
To configure an HTTPS server, the ssl parameter must be enabled on listening sockets in the server block, and the locations of the server certificate and private key files should be specified.
It is largely recommended to disable SSL3, but Nginx by default do not use SSL3.
1- check Nginx has been built with SSL support:
# /usr/sbin/nginx -V
nginx version: nginx/1.8.0
built by gcc 5.1.1 20150422 (Red Hat 5.1.1-1) (GCC)
built with OpenSSL 1.0.1k-fips 8 Jan 2015
.................
2- Create a private key and self-signed certificate. Openssl provides TLS/SSL support.
# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl req -new -x509 -nodes -newkey rsa:2048 -keyout enl.global.key -out enl.global.crt -days 1095
# ls
# chmod 400 nginx.key
# chmod 444 nginx.crt
-r--r--r-- 1 root root 1.4K Jun 29 20:49 enl.global.crt
-r-------- 1 root root 1.7K Jun 29 20:49 enl.global.key
Getting a free certificate is now possible with letsencrypt. Fedora has an available package.
Running the command with the certonly subcommands will install certificates and keys in /etc/letsencrypt directory. The needed keys are stored in /etc/letsencrypt/live/. Then, they have to be added in /etc/nginx/ssl/ssl.conf.
1- create the etc/letsencrypt/cli.ini. This enable to store some settings.
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
logs-dir = /storage/log/letsencrypt
email = [email protected]
#domains = thetradinghall.com, www.thetradinghall.com, wiki.thetradinghall.com, phppgadmin.thetradinghall.com
text = True
debug = True
#authenticator = webroot
#authenticator = manual
#webroot-path = /db/nginx/data/www
agree-tos = True
installer = nginx
2- create needed directories
On all server root paths, a .well-known/acme-challenge sub-directory has to be created. Verify it is owned by root:root.
3- nginx configuration file modifications
The below lines have to be added in all server configuration files to allow ACME to access automatically the previously created directory.
location ~ /.well-known/acme-challenge/(.*) {
add_header Content-Type application/jose+json;
}
4- run the below command for every server. Example for mediawiki:
# letsencrypt --renew-by-default certonly --webroot --webroot-path /usr/share/mediawiki -d wiki.thetradinghall.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/wiki.thetradinghall.com/fullchain.pem. Your
cert will expire on 2016-03-15. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
5- write the /etc/nginx/ssl/ssl.conf
# /etc/nginx/ssl/ssl.conf @ poppy
# This file contains all needed parameters for HTTPS
# Please add an include in the server configuration file to enable
# Last edited 2015-12-13
server_tokens off;
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/pki/tls/certs/dhparams.pem;
ssl_protocols TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
ssl_session_tickets on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_certificate /etc/letsencrypt/live/thetradinghall.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/thetradinghall.com/privkey.pem;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
6- add ssl settings for each server. Create a /etc/nginx/ssl/MyServer.conf,
add the two lines regarding the path of the ssl certificate, then add an include /etc/nginx/ssl/MyServer.conf in each of server nginx configuration file.
7- test your configuration
Visit SSLabs test page, enter your URL and wait for the test to complete.
8- display content of pem certificate:
$ openssl x509 -in /path/to/cert -text -noout
We use systemd service and timer files for each server. Below is the one for psqlstat.thetradinghll.com
/etc/systemd/system/letsencrypt.psql.service
-------------------------------------------
[Unit]
Description=install let's encrypt certificate for psqlstat
Requires=nginx.service
After=nginx.service
[Service]
ExecStart=/usr/bin/letsencrypt --renew-by-default certonly --webroot --webroot-path /storage/psqlReport -d psql.thetradinghall.com
/etc/systemd/system/letsencrypt.psql.timer
----------------------------------------
[Unit]
Description=Run letsencrypt.psql.service periodically
[Timer]
#
OnCalendar=*-1,3,5,7,9,11-01 02:00:00
Persistent=true
Start and enable nginx
% sudo systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2015-05-08 16:00:03 CEST; 5s ago
Process: 13222 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 13221 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Main PID: 13223 (nginx)
CGroup: /system.slice/system-systemd\x2dnspawn.slice/[email protected]/system.slice/nginx.service
├─13223 nginx: master process /usr/sbin/nginx
└─13224 nginx: worker process
May 08 16:00:03 poppy systemd[1]: Starting The nginx HTTP and reverse proxy server...
May 08 16:00:03 poppy nginx[13221]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
May 08 16:00:03 poppy nginx[13221]: nginx: configuration file /etc/nginx/nginx.conf test is successful
May 08 16:00:03 poppy systemd[1]: Started The nginx HTTP and reverse proxy server.
It allows nginx to compress files and deliver them to clients (e.g. browsers) that can handle compressed content which most modern browsers do.
/etc/nginx/conf.d/00-gzip.conf
--------------------------------
gzip on;
gzip_static on;
gzip_disable "msie6";
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 6;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
gzip_buffers 16 8k;
Install Live http header plugin for Firefox and verify the Accept-Encoding: gzip,deflate header is here.
A web cache sits in between a client and an “origin server”, and saves copies of all the content it sees.
/etc/nginx/conf.d/00-cache.conf
----------------------------------
open_file_cache max=5000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;