-
Notifications
You must be signed in to change notification settings - Fork 0
Nginx
nginx (pronounced "engine X"), is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server, written by Igor Sysoev in 2005. Nginx is the only supported web server for GitLab.
Nginx uses server blocks to accomplish the functionality found in Apache's virtual hosts. Think of server blocks as specifications for individual web sites that your server can host.
Most Linux distro will use /etc/nginx/sites-availables directory to store hosts. Fedora will instead use /etc/nginx/conf.d. All additional web services .conf files shall be placed in this directory.
These files are included in alphabetical order, you need to keep that in mind if you don't specify any server as default_server, because first one would be the default.
nginx root, called webroot as well, has been moved to /db/www/nginx/html
WARNING: most http services installed by Fedora have by default permissions set to apache:apache. This has to be changed to nginx:nginx. Please check permissions on directory content /var/lib.
The below scheme is the directory tree, which tends to group related things in one only place
$ tree -a /etc/nginx
/etc/nginx
├── conf.d
│ ├── 00-gzip.conf
│ ├── 04-ssl.conf
│ ├── 10-thetradinghall.conf
│ ├── 20-psqlstat.conf
│ ├── 30-wiki.conf
│ ├── 40-phppgadmin.conf
│ └── php-fpm
├── default.d
│ ├── fastcgi.conf.default
│ ├── fastcgi_params.default
│ ├── mime.types.default
│ ├── nginx.conf.default
│ ├── php.conf
│ ├── php.default
│ ├── scgi_params.default
│ └── uwsgi_params.default
├── fastcgi.conf
├── fastcgi_params
├── .htaccess
├── koi-utf
├── koi-win
├── mime.types
├── nginx.conf
├── scgi_params
├── ssl
│ ├── phppgadmin.ssl.conf
│ ├── psql.ssl.conf
│ ├── rstudio.ssl.conf
│ ├── thetradinghall.ssl.conf
│ └── wiki.ssl.conf
├── uwsgi_params
└── win-utf
The main configuration file is located at /etc/nginx/nginx.conf.
NOTE: best practice is to keep this main configuration file as simple as possible. All added settings and subdomains will be placed in /etc/conf.d directory. This file is common to all server blocks.
/etc/nginx/nginx.conf
------------------------
user nginx;
worker_processes 8;
error_log /storage/log/nginx/error.log;
pid /run/nginx.pid;
worker_rlimit_nofile 8192;
events {
worker_connections 2048;
}
http {# every lines below and before server section are common to all blocks
# Configuration specific to HTTP and affecting all virtual servers
include /etc/nginx/mime.types;
include /etc/nginx/fastcgi.conf;
include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/ssl/ssl.conf;
index index.html index.htm index.php;
types_hash_max_size 2048;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /storage/log/nginx/access.log;
server_names_hash_bucket_size 128;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 70;
#gzip on;
}
The php location is writen in /etc/nginx/conf.d/php-fpm. To add the location in any block needing PHP, just write an include. Must be an absolute path
location ~ \.php$ {# pass the PHP scripts to FastCGI server listening on the php-fpm socket
fastcgi_pass unix:/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_param HTTPS on;
}
Below is an example of the phppgadmin server.
/etc/nginx/conf.d/40-phppgadmin.conf
-------------------------------------
server{
listen 80;
listen 443 ssl;
server_name phppgadmin.thetradinghall.com;
root /usr/share/phpPgAdmin;
include /etc/nginx/ssl/phppgadmin.ssl.conf;
error_log /storage/log/phppgadmin/error.log;
access_log /storage/log/phppgadmin/access.log;
include /etc/nginx/conf.d/php-fpm;
location /.well-known/acme-challenge/(.*) {# needed by letsencrypt --webroot
add_header Content-Type application/jose+json;
}
}
The error_log directive can be configured to log more or less information as required. The level of logging can be any one of the following:
- emerg: Emergency situations where the system is in an unusable state.
- alert: Severe situation where action is needed promptly.
- crit: Important problems that need to be addressed.
- error: An Error has occurred. Something was unsuccessful.
- warn: Something out of the ordinary happened, but not a cause for concern.
- notice: Something normal, but worth noting has happened.
- info: An informational message that might be nice to know.
- debug: Debugging information that can be useful to pinpoint where a problem is occurring.
Test configuration file /etc/nginx/nginx.conf with global directives for PID and quantity of worker processes:
$ nginx -t -c /etc/nginx/nginx.conf -g "pid /var/run/mynginx.pid; worker_processes 2;"
To configure an HTTPS server, the ssl parameter must be enabled on listening sockets in the server block, and the locations of the server certificate and private key files should be specified.
It is largely recommended to disable SSL3, but Nginx by default do not use SSL3.
1- check Nginx has been built with SSL support:
# /usr/sbin/nginx -V
nginx version: nginx/1.8.0
built by gcc 5.1.1 20150422 (Red Hat 5.1.1-1) (GCC)
built with OpenSSL 1.0.1k-fips 8 Jan 2015
.................
2- Create a private key and self-signed certificate. Openssl provides TLS/SSL support.
# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl req -new -x509 -nodes -newkey rsa:2048 -keyout enl.global.key -out enl.global.crt -days 1095
# ls
# chmod 400 nginx.key
# chmod 444 nginx.crt
-r--r--r-- 1 root root 1.4K Jun 29 20:49 enl.global.crt
-r-------- 1 root root 1.7K Jun 29 20:49 enl.global.key
Getting a free certificate is now possible with letsencrypt. Fedora has an available package.
Running the command with the certonly subcommands will install certificates and keys in /etc/letsencrypt directory. The needed keys are stored in /etc/letsencrypt/live/. Then, they have to be added in /etc/nginx/ssl/ssl.conf.
1- create the etc/letsencrypt/cli.ini. This enable to store some settings.
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
logs-dir = /storage/log/letsencrypt
email = [email protected]
text = True
debug = True
agree-tos = True
installer = nginx
2- create needed directories
On all server root paths, a .well-known/acme-challenge sub-directory has to be created. Verify it is owned by root:root.
3- nginx configuration file modifications
The below lines have to be added in all server configuration files to allow ACME to access automatically the previously created directory.
location /.well-known/acme-challenge/(.*) {
add_header Content-Type application/jose+json;
}
4- run the below command for every server. Example for mediawiki:
# letsencrypt --renew-by-default certonly --webroot --webroot-path /usr/share/mediawiki -d wiki.thetradinghall.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/wiki.thetradinghall.com/fullchain.pem. Your
cert will expire on 2016-03-15. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
5- write the /etc/nginx/ssl/ssl.conf
server_tokens off;
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/pki/tls/certs/dhparams.pem;
ssl_protocols TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
ssl_session_tickets on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_certificate /etc/letsencrypt/live/thetradinghall.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/thetradinghall.com/privkey.pem;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
6- add ssl settings for each server. Create a /etc/nginx/ssl/MyServer.conf,
add the two lines regarding the path of the ssl certificate, then add an include /etc/nginx/ssl/MyServer.conf in each of server nginx configuration file.
7- test your configuration
Visit SSLabs test page, enter your URL and wait for the test to complete.
8- display content of pem certificate:
$ openssl x509 -in /path/to/cert -text -noout
We use systemd service and timer files for each server. Below is the one for psqlstat.thetradinghll.com
/etc/systemd/system/letsencrypt.psql.service
-------------------------------------------
[Unit]
Description=install let's encrypt certificate for psqlstat
Requires=nginx.service
After=nginx.service
[Service]
ExecStart=/usr/bin/letsencrypt --renew-by-default certonly --webroot --webroot-path /storage/psqlReport -d psql.thetradinghall.com
/etc/systemd/system/letsencrypt.psql.timer
----------------------------------------
[Unit]
Description=Run letsencrypt.psql.service periodically
[Timer]
#
OnCalendar=*-1,3,5,7,9,11-01 02:00:00
Persistent=true
Start and enable nginx
% sudo systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2015-05-08 16:00:03 CEST; 5s ago
Process: 13222 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 13221 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Main PID: 13223 (nginx)
CGroup: /system.slice/system-systemd\x2dnspawn.slice/[email protected]/system.slice/nginx.service
├─13223 nginx: master process /usr/sbin/nginx
└─13224 nginx: worker process
May 08 16:00:03 poppy systemd[1]: Starting The nginx HTTP and reverse proxy server...
May 08 16:00:03 poppy nginx[13221]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
May 08 16:00:03 poppy nginx[13221]: nginx: configuration file /etc/nginx/nginx.conf test is successful
May 08 16:00:03 poppy systemd[1]: Started The nginx HTTP and reverse proxy server.
It allows nginx to compress files and deliver them to clients (e.g. browsers) that can handle compressed content which most modern browsers do.
/etc/nginx/conf.d/00-gzip.conf
--------------------------------
gzip on;
gzip_static on;
gzip_disable "msie6";
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 6;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
gzip_buffers 16 8k;
Install Live http header plugin for Firefox and verify the Accept-Encoding: gzip,deflate header is here.
A web cache sits in between a client and an “origin server”, and saves copies of all the content it sees.
/etc/nginx/conf.d/00-cache.conf
----------------------------------
open_file_cache max=5000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;