Nginx

From Bibliotheca Anonoma
Revision as of 18:41, 28 January 2017 by Antonizoon

Installation

Install EPEL

Install EPEL to get Nginx, which is not in the standard repos. For RHEL7/CentOS 7:

cd /tmp
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum localinstall epel-release-latest-7.noarch.rpm

Install Nginx

Then, install Nginx:

sudo yum install nginx

Start Nginx

You will need to start Nginx before you can use it:

sudo systemctl start nginx

Allow Nginx through the firewall

For Firewalld:

sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

For UFW (used because firewalld has issues with Docker): allow HTTP (port 80) and HTTPS (port 443):

sudo ufw allow http
sudo ufw allow https

Enable Nginx at Boot

If you can reach http://localhost:80 in a browser, Nginx is working. Then enable Nginx to start at every boot:

sudo systemctl enable nginx

Configuration

Create a folder for HTTP Hosting

Note: this should probably use the www-data group.

By convention, we usually use /var/www/ to host any static data for our websites. This way, we can give the nginx user and group full access over this directory.

sudo mkdir -p /var/www/
sudo chown -R nginx:nginx /var/www/

Note: The following only applies if you are using RHEL or if SELinux is set to enforcing on CentOS.

Creating a specific folder where websites are served from also helps because SELinux restricts which directories Nginx can read, for safety (there is no reason why Nginx should be allowed to read home or system directories).

But first we have to explain to SELinux what typical usage looks like. You'll also need to allow Nginx to access your folder (otherwise you'll get a 403 Forbidden error).

# chcon -Rt httpd_sys_content_t /var/www/

Proxy Pass

Some apps run their own HTTP servers, which are meant to be proxied into Nginx.

We’ll also have to provide an SELinux policy exception for Nginx so proxy pass will work (otherwise it will be blocked):

# setsebool -P httpd_can_network_connect true

Server Blocks

I find it useful to use Debian-style server blocks instead of conf.d, since server blocks can be dedicated to a single domain and disabled by removing the sites-enabled link.

But that’s just me, and it can get tedious for other people who find linking to be extra work.

https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-server-blocks-on-centos-7
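
The Debian-style layout described above, combined with a proxied app from the Proxy Pass section, as an added example that is not part of the original page or the linked tutorial. The function names, the NGINX_DIR override, the /app/ path and the domain and port passed in are assumptions for illustration; the proxied location still needs the httpd_can_network_connect boolean set earlier.

```shell
#!/bin/sh
# Added example, not from the original page: Debian-style server blocks.
# NGINX_DIR is a hypothetical override for rehearsing in a scratch directory.
NGINX_DIR="${NGINX_DIR:-/etc/nginx}"

# Accept only plain hostnames so a name can never escape the sites-* dirs.
valid_domain() {
    case "$1" in
        ''|.*|*..*|*[!a-z0-9.-]*) return 1 ;;
    esac
}

init_layout() {
    mkdir -p "$NGINX_DIR/sites-available" "$NGINX_DIR/sites-enabled"
}

# write_site DOMAIN PORT: static files from /var/www/DOMAIN, and /app/
# proxied to an app on 127.0.0.1:PORT (path and port are assumptions).
write_site() {
    valid_domain "$1" || return 1
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    cat > "$NGINX_DIR/sites-available/$1.conf" <<EOF
server {
    listen 80;
    server_name $1;
    root /var/www/$1;

    location /app/ {
        proxy_pass http://127.0.0.1:$2/;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Enabling is a symlink; disabling removes only the link, not the config.
enable_site() {
    valid_domain "$1" && [ -f "$NGINX_DIR/sites-available/$1.conf" ] &&
        ln -sfn "../sites-available/$1.conf" "$NGINX_DIR/sites-enabled/$1.conf"
}
disable_site() {
    valid_domain "$1" && rm -f "$NGINX_DIR/sites-enabled/$1.conf"
}

# Nginx ignores sites-enabled/ unless nginx.conf includes it inside http {}.
has_include() {
    grep -Eq '^[[:space:]]*include[[:space:]]+[^#;]*sites-enabled/\*\.conf;' "$NGINX_DIR/nginx.conf"
}
```

After enabling or disabling a site on the real /etc/nginx, check the configuration with sudo nginx -t and apply it with sudo systemctl reload nginx.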

Server Info Pages

I find it useful to have Server Info Pages that give basic info about the server, stuff that an nmap on the IP could tell anyone in the first place.

The server info page is also on a subdomain with the true name of the server, and not shown by default.

More Info: Server Info Pages
