From Fedora Project Wiki


Revision as of 23:45, 18 November 2024

Nginx (pronounced "engine-x") is a fast and lightweight web server, http load balancer, reverse proxy and http cache server. The main characteristics are efficiency and scalability which makes Nginx suited for both the small and the busiest servers on the Internet.

Find more documentation at http://nginx.org.

Installation

For Fedora 22 and later versions use DNF:

$ su
# dnf install nginx

Or for older releases use YUM:

$ su
# yum install nginx

To start the server at each boot:

# systemctl enable nginx.service

To start the server now:

# systemctl start nginx.service

Configuration

The main configuration file is located in /etc/nginx/nginx.conf and is structured in the following way. First, there are some very general configuration options about nginx itself and an events block. Notice you should use a semicolon (;) after each option, except for the blocks themselves.

user              nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

pid        /var/run/nginx.pid;

events {
   worker_connections  1024;
}

The advised number of worker processes is the number of cores/threads your CPU has.

Second, there is one big http block that contains the general configuration related to this protocol. Notice that inside this block there is the following line:

include /etc/nginx/conf.d/*.conf;

which tells us that the rest of the configuration files are going to be in the configuration directory /etc/nginx/conf.d/ and are going to have a .conf extension.

Inside this http block, either in the nginx.conf file itself or included from the configuration directory /etc/nginx/conf.d/, there is one server block per virtual host. The http block provides the server_name and document root.

Note that the default document root from nginx.conf is /usr/share/nginx/html. If you are unsure which file permissions, directory permissions or SELinux contexts to use, examine the ones on that default document root and use them as a reference.

Best practice is to provide one configuration file for each site. For example, if you are serving for example.com, then you would create /etc/nginx/conf.d/example.com.conf for the site.

Webserver

Nginx was designed to be a webserver. All you need to create a virtual host is to create a new file in the /etc/nginx/conf.d/ directory with a .conf extension and a server block in it. The server block will be automatically included in the http block.

For example, /etc/nginx/conf.d/example.com.conf

server {
	listen 80;
	server_name example.com;
	root /var/www/example.com/public_html;
	index index.php index.html;
}

You can also specify multiple server names in the server_name option:

server {
	listen 80;
	server_name example.com www.example.com;
	root /var/www/example.com/public_html;
	index index.php index.html;
}

And you can listen for IPv6 using multiple listen options:

server {
	listen 80;
	listen [::]:80;
	server_name example.com www.example.com;
	root /var/www/example.com/public_html;
	index index.php index.html;
}

TLS/SSL Configuration

Nginx uses ngx_http_ssl_module to provide secure sockets. You can modify SSL/TLS parameters, like protocol versions and cipher suites.

ngx_http_ssl_module relies on OpenSSL; at the moment there are no alternatives to OpenSSL.

Install an existing certificate

If you already have a certificate generated on another computer, move the certificate and the key file to the correct folder, and ensure their SELinux contexts, ownerships and permissions are correct:

# mv key_file.key /etc/pki/tls/private/example.com.key
# restorecon /etc/pki/tls/private/example.com.key
# chown root:root /etc/pki/tls/private/example.com.key
# chmod 0600 /etc/pki/tls/private/example.com.key
# mv certificate.crt /etc/pki/tls/certs/example.com.crt
# restorecon /etc/pki/tls/certs/example.com.crt
# chown root:root /etc/pki/tls/certs/example.com.crt
# chmod 0600 /etc/pki/tls/certs/example.com.crt

After this, set it up as described under Configuring TLS/SSL keys below.

Generate a new certificate

How to generate a new certificate: see https://fedoraproject.org/wiki/Https#openssl

Configuring TLS/SSL keys

Modify inside the server block of a particular virtual host the following lines or add them, so it looks like this:

	listen 443 ssl;
	ssl_certificate /etc/pki/tls/certs/example.com.crt;
	ssl_certificate_key /etc/pki/tls/private/example.com.key;

Strict Transport Security

The http Strict-Transport-Security response header (HSTS) tells user agents the site should only be accessed using https. You can add the header using the following option.

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";

Permanent HTTPS Redirect

A 301 redirect is a permanent server-side redirect that automatically sends users to a new URL when they request an old one. You can provide a permanent redirect from http to https using the following option.

if ($scheme = "http") {
    return 301 https://$server_name$request_uri;
}
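A complete per-site file that ties together the TLS keys, Strict Transport Security and permanent redirect sections above. This is an added example, not the wiki's own configuration: example.com, the certificate paths and the document root are the ones used on this page, while the protocol, cipher and session settings and the dedicated port-80 server block for the redirect are assumptions of this example.

```nginx
# /etc/nginx/conf.d/example.com.conf (added example; example.com, the
# certificate paths and the document root follow this page, everything
# else is an assumption of this example)

# Plain-HTTP listener: its only job is the permanent redirect to HTTPS.
# $server_name (not $host) keeps the redirect target fixed to the name
# configured here instead of echoing whatever Host header the client sent.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    root /var/www/example.com/public_html;
    index index.php index.html;

    ssl_certificate     /etc/pki/tls/certs/example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/example.com.key;

    # Protocol versions: SSLv3, TLSv1.0 and TLSv1.1 are not offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites come from the system-wide crypto policy
    # (update-crypto-policies), the same setting Fedora's packaged
    # nginx.conf ships with, so they follow the distribution's policy.
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Session resumption: one cache shared across all worker processes.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS belongs only in the HTTPS server block: a browser ignores the
    # header on plain http, so sending it there serves no purpose.
    # "always" also attaches it to error responses (4xx/5xx).
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
```

Run `nginx -t` after saving the file and `systemctl reload nginx.service` to apply it; the redirect server block replaces the `if ($scheme = "http")` check, since the two listeners are now separate.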