Install EPEL to get Nginx, which is not in the standard repos. For RHEL7/CentOS 7:
cd /tmp
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum localinstall epel-release-latest-7.noarch.rpm
Then, install Nginx:
sudo yum install nginx
You will need to start Nginx before you can use it:
sudo systemctl start nginx
Allow Nginx through the firewall
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
For UFW (used because firewalld has issues with Docker): allow HTTP (port 80) and HTTPS (port 443):
sudo ufw allow http
sudo ufw allow https
Enable Nginx at Boot
If you can reach http://localhost:80, it works. Then enable Nginx to start at every boot:
sudo systemctl enable nginx
Create a folder for HTTP Hosting
should probably use www-data group
By convention, we usually use /var/www/ to host any static data for our websites. This way, we can give the nginx group full access over this directory.
sudo mkdir -p /var/www/
sudo chown -R nginx:nginx /var/www/
Note: The following only applies if you are using RHEL or if SELinux is set to enforcing on CentOS.
Creating a specific folder where websites are served from also helps because SELinux restricts what directories Nginx can read, for safety (no reason why Nginx should be allowed to read home or system directories).
But first we have to tell SELinux what typical usage looks like. You'll also need to allow Nginx to access your folder (otherwise you'll get a 403 Forbidden error).
# chcon -Rt httpd_sys_content_t /var/www/
Some apps run their own HTTP servers, which are meant to be proxied into Nginx.
We'll also have to provide an SELinux policy exception for Nginx so that proxy_pass will work (otherwise it will be blocked):
# setsebool -P httpd_can_network_connect true
I find it useful to use Debian-style server blocks instead of conf.d, since server blocks can be dedicated to a single domain and disabled by removing the sites-enabled link.
But that’s just me, and it can get tedious for other people who find linking to be extra work.
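The sites-available/sites-enabled layout described above, as an added example that is not part of the original page. The `NGINX_ROOT` variable, the function names and the `include` line are assumptions made for this sketch.

```sh
# Added example: Debian-style server blocks on a RHEL/CentOS Nginx install.
# NGINX_ROOT and the function names are assumptions made for this sketch;
# point NGINX_ROOT at a scratch directory to try it without touching /etc.
NGINX_ROOT="${NGINX_ROOT:-/etc/nginx}"

# Accept only plain host names: no '/', no leading dot, no config syntax.
valid_name() {
    case "$1" in ""|.*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# Create both directories. nginx.conf must also load the enabled links, e.g.
#   include /etc/nginx/sites-enabled/*.conf;   (inside the http block)
init_sites() {
    mkdir -p "$NGINX_ROOT/sites-available" "$NGINX_ROOT/sites-enabled"
}

# Write a static server block for one domain, served from /var/www/<domain>.
add_site() {
    if ! valid_name "$1"; then echo "invalid domain: $1" >&2; return 1; fi
    cat > "$NGINX_ROOT/sites-available/$1.conf" <<EOF
server {
    listen 80;
    server_name $1;
    root /var/www/$1;
    index index.html;
}
EOF
}

# Enable a site: a relative symlink in sites-enabled pointing at its block.
enable_site() {
    if ! valid_name "$1" || [ ! -f "$NGINX_ROOT/sites-available/$1.conf" ]; then
        echo "no such site: $1" >&2; return 1
    fi
    ln -sfn "../sites-available/$1.conf" "$NGINX_ROOT/sites-enabled/$1.conf"
}

# Disable a site: remove only the symlink; the block stays in sites-available.
disable_site() {
    link="$NGINX_ROOT/sites-enabled/$1.conf"
    if [ -L "$link" ]; then rm -- "$link"; fi
}
```

After enabling or disabling a site, run `sudo nginx -t` and then `sudo systemctl reload nginx` to apply the change.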
Server Info Pages
I find it useful to have Server Info Pages that give basic info about the server, stuff that an nmap on the IP could tell anyone in the first place.
The server info page is also on a subdomain with the true name of the server, and not shown by default.
More Info: Server Info Pages