From Fedora Project Wiki

Revision as of 23:48, 18 November 2024 by Noloader (talk | contribs) (Fix grammar in section "SSL/TLS Configuration.")

Nginx (pronounced "engine-x") is a fast and lightweight web server, http load balancer, reverse proxy and http cache server. The main characteristics are efficiency and scalability which makes Nginx suited for both the small and the busiest servers on the Internet.

Find more documentation at [[1]].

Installation

For Fedora 22 and later versions use DNF:

$ su
# dnf install nginx

Or for older releases use YUM:

$ su
# yum install nginx

To start the server at each boot:

# systemctl enable nginx.service

To start the server now:

# systemctl start nginx.service

Configuration

The main configuration file is located in /etc/nginx/nginx.conf and is structured in the following way. First, there are some very general configuration options about nginx itself and an events block. Notice you should use a semicolon (;) after each option, except for the blocks themselves.

user              nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

pid        /var/run/nginx.pid;

events {
   worker_connections  1024;
}

The advised number of processes is the number of cores/threads your cpu has.

Second, there is one big http block that contains the general configuration related to this protocol. Notice that inside this block there is the following line:

include /etc/nginx/conf.d/*.conf;

which tells us that the rest of the configuration files are going to be in the configuration directory /etc/nginx/conf.d/ and are going to have a .conf extension.

And inside this http block, either in nginx.conf file or included from the configuration directory /etc/nginx/conf.d/ there is one server block per virtual host. The http block provides the server_name and document root.

Note that the default document root from nginx.conf is /usr/share/nginx/html. If you have questions regarding file permissions, directory permissions or SELinux contexts, you can examine them using the default.

Best practice is to provide one configuration file for each site. For example, if you are serving for example.com, then you would create /etc/nginx/conf.d/example.com.conf for the site.

Webserver

Nginx was designed to be a webserver. All you need to create a virtual host is to create a new file in the /etc/nginx/conf.d/ directory with a .conf extension and a server block in it. The server block will be automatically included in the http block.

For example, /etc/nginx/conf.d/example.com.conf

server {
	listen 80;
	server_name example.com;
	root /var/www/example.com/public_html;
	index index.php index.html;
}

You can also specify multiple server names in the server_name option:

server {
	listen 80;
	server_name example.com www.example.com;
	root /var/www/example.com/public_html;
	index index.php index.html;
}

And you can listen for IPv6 using multiple listen options:

server {
	listen 80;
	listen [::]:80;
	server_name example.com www.example.com;
	root /var/www/example.com/public_html;
	index index.php index.html;
}

SSL/TLS Configuration

Nginx uses ngx_http_ssl_module to provide secure sockets. You can modify SSL/TLS parameters, like protocol versions and cipher suites.

ngx_http_ssl_module relies on OpenSSL. At the moment there are no alternatives to OpenSSL.

Install an existing certificate

If you already have a certificate generated on another computer, move the certificate and the key file to the correct folder, and ensure their SELinux contexts, ownerships and permissions are correct:

# mv key_file.key /etc/pki/tls/private/example.com.key
# restorecon /etc/pki/tls/private/example.com.key
# chown root.root /etc/pki/tls/private/example.com.key
# chmod 0600 /etc/pki/tls/private/example.com.key
# mv certificate.crt /etc/pki/tls/certs/example.com.crt
# restorecon /etc/pki/tls/private/example.com.crt
# chown root.root /etc/pki/tls/private/example.com.crt
# chmod 0600 /etc/pki/tls/private/example.com.crt

After this set it up

Generate a new certificate

How to generate a new certificate

Configuring TLS/SSL keys

Modify inside the server block of a particular virtual host the following lines or add them, so it looks like this:

listen 443 ssl;
ssl_certificate /etc/pki/tls/certs/example.com.crt
ssl_certificate_key /etc/pki/tls/private/example.com.key

Strict Transport Security

The http Strict-Transport-Security response header (HSTS) tells user agents the site should only be accessed using https. You can add the header using the following option.

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";

Permanent HTTPS Redirect

A 301 redirect is a permanent server-side redirect that automatically sends users to a new URL when they request an old one. You can provide a permanent redirect from http to https using the following option.

if ($scheme = "http") {
    return 301 https://$server_name$request_uri;
}