From Fedora Project Wiki

Revision as of 23:48, 18 November 2024

Nginx (pronounced "engine-x") is a fast and lightweight web server, HTTP load balancer, reverse proxy and HTTP cache server. Its main characteristics are efficiency and scalability, which make Nginx suited both to small servers and to the busiest servers on the Internet.

Find more documentation at [[1]].

Installation

For Fedora 22 and later versions use DNF:

$ su
# dnf install nginx

Or for older releases use YUM:

$ su
# yum install nginx

To start the server at each boot:

# systemctl enable nginx.service

To start the server now:

# systemctl start nginx.service

Configuration

The main configuration file is located in /etc/nginx/nginx.conf and is structured in the following way. First, there are some very general configuration options about nginx itself and an events block. Notice that every directive must end with a semicolon (;); only the blocks themselves (the lines ending in { and }) are written without one.

user              nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

pid        /var/run/nginx.pid;

events {
   worker_connections  1024;
}

The advised number of worker processes is the number of cores/threads your CPU has.

Second, there is one big http block that contains the general configuration related to this protocol. Notice that inside this block there is the following line:

include /etc/nginx/conf.d/*.conf;

which tells us that the rest of the configuration files are going to be in the configuration directory /etc/nginx/conf.d/ and are going to have a .conf extension.

Inside this http block, either directly in the nginx.conf file or included from the configuration directory /etc/nginx/conf.d/, there is one server block per virtual host. Each server block sets the server_name and the document root for that host.

Note that the default document root from nginx.conf is /usr/share/nginx/html. If you are unsure which file permissions, directory permissions or SELinux contexts a document root needs, examine the default one and use it as a reference.

Best practice is to provide one configuration file for each site. For example, if you are serving example.com, you would create /etc/nginx/conf.d/example.com.conf for that site.

Webserver

Nginx was designed to be a webserver. All you need to create a virtual host is to create a new file in the /etc/nginx/conf.d/ directory with a .conf extension and a server block in it. The server block will be automatically included in the http block.

For example, /etc/nginx/conf.d/example.com.conf

server {
	listen 80;
	server_name example.com;
	root /var/www/example.com/public_html;
	index index.php index.html;
}

You can also specify multiple server names in the server_name option:

server {
	listen 80;
	server_name example.com www.example.com;
	root /var/www/example.com/public_html;
	index index.php index.html;
}

And you can listen for IPv6 using multiple listen options:

server {
	listen 80;
	listen [::]:80;
	server_name example.com www.example.com;
	root /var/www/example.com/public_html;
	index index.php index.html;
}

SSL/TLS Configuration

Nginx uses ngx_http_ssl_module to provide secure sockets. You can modify SSL/TLS parameters, like protocol versions and cipher suites.

ngx_http_ssl_module relies on OpenSSL. At the moment there are no alternatives to OpenSSL.

Install an existing certificate

If you already have a certificate generated on another computer, move the certificate and the key file to the correct folder, and ensure their SELinux contexts, ownerships and permissions are correct:

# mv key_file.key /etc/pki/tls/private/example.com.key
# restorecon /etc/pki/tls/private/example.com.key
# chown root:root /etc/pki/tls/private/example.com.key
# chmod 0600 /etc/pki/tls/private/example.com.key
# mv certificate.crt /etc/pki/tls/certs/example.com.crt
# restorecon /etc/pki/tls/certs/example.com.crt
# chown root:root /etc/pki/tls/certs/example.com.crt
# chmod 0600 /etc/pki/tls/certs/example.com.crt

After this, set the certificate up in the virtual host as described under Configuring TLS/SSL keys below.

Generate a new certificate

How to generate a new certificate

Configuring TLS/SSL keys

Modify inside the server block of a particular virtual host the following lines or add them, so it looks like this:

listen 443 ssl;
ssl_certificate /etc/pki/tls/certs/example.com.crt;
ssl_certificate_key /etc/pki/tls/private/example.com.key;

Strict Transport Security

The HTTP Strict-Transport-Security (HSTS) response header tells user agents that the site should only be accessed over HTTPS. You can add the header using the following option. Put it in the HTTPS server block only: browsers ignore an HSTS header received over plain HTTP.

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

Permanent HTTPS Redirect

A 301 redirect is a permanent server-side redirect that automatically sends users to a new URL when they request an old one. You can provide a permanent redirect from HTTP to HTTPS using the following option inside the server block.

if ($scheme = "http") {
    return 301 https://$server_name$request_uri;
}
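The three TLS-related pieces above (certificate paths, HSTS, and the HTTPS redirect) belong in one site file. The following /etc/nginx/conf.d/example.com.conf is an added example, not configuration from the wiki page or the Fedora nginx package. It assumes the key and certificate were installed under /etc/pki/tls as in the "Install an existing certificate" section and reuses the example.com document root from the Webserver section. Instead of the `if ($scheme = "http")` check shown above, it uses a separate server block for port 80, which is the form the nginx documentation recommends; both achieve the same redirect.

```nginx
# /etc/nginx/conf.d/example.com.conf  (added example, not from the wiki page)
# Assumed paths: key and certificate under /etc/pki/tls as installed above,
# document root as in the Webserver section.

# Plain-HTTP listener: its only job is to send every request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # $host keeps whichever name the client used; $server_name (as in the
    # snippet above) would always redirect to the first name, example.com.
    return 301 https://$host$request_uri;
}

# HTTPS listener: terminates TLS and serves the site.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    root  /var/www/example.com/public_html;
    index index.php index.html;

    ssl_certificate     /etc/pki/tls/certs/example.com.crt;
    ssl_certificate_key /etc/pki/tls/private/example.com.key;

    # Protocol versions: assumed baseline of TLS 1.2 and 1.3 only, so that
    # clients cannot negotiate the deprecated TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS for two years, including subdomains. Sent only from this HTTPS
    # block, because browsers ignore the header over plain HTTP. "always"
    # makes nginx add it on error responses (4xx/5xx) as well.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
```

Before activating it, check the syntax and the certificate/key pair with `nginx -t` (it fails if the key does not match the certificate or the files are unreadable), then apply it with `systemctl reload nginx.service`.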