Nginx

Docs

Install Docs

(1) Install for CentOS/RHEL

  • The package from the official repository is the one the Brotli-from-source steps further down build against (same version, --with-compat), so module compilation works with it.

Package from the Official NGINX Repository

  • Create the file nginx.repo in /etc/yum.repos.d

    sudo vim /etc/yum.repos.d/nginx.repo
  • Add the following lines to nginx.repo. Keep gpgcheck=1: yum then verifies every package against the nginx signing key before installing it; with gpgcheck=0 an unsigned or tampered package from a spoofed mirror would be installed without complaint.

    [nginx]
    name=nginx repo
    baseurl=https://nginx.org/packages/centos/7/$basearch/
    gpgcheck=1
    gpgkey=https://nginx.org/keys/nginx_signing.key
    enabled=1

    Note : In baseurl, 'centos/7' stands for OS/OSRELEASE: OS is either rhel or centos, OSRELEASE is the release number (6, 6.x, 7, 7.x and so on)

  • Update the repository:

    sudo yum update
  • Install the NGINX Open Source package

    sudo yum install nginx
  • If you are running a firewall, run the following commands to allow HTTP and HTTPS traffic:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

Note : Do not disable SELinux or switch it to permissive just to let nginx serve content from a new location; that drops the confinement for every service on the host. Instead give the new directory the web-content label so the confined nginx process may read it: semanage fcontext -a -t httpd_sys_content_t "/some/root/location(/.*)?" followed by restorecon -Rv /some/root/location (semanage is in the policycoreutils-python package on CentOS 7). If nginx proxies to a backend on the same host, also run setsebool -P httpd_can_network_connect 1; without it proxy_pass fails with "permission denied" in the error log. Check /var/log/audit/audit.log (audit2why) to see which rule denied a request before changing anything.

(1) Install for Ubuntu

Ref Link

  • Create a new file '/etc/apt/sources.list.d/nginx.list'

  • Syntax content

# Replace $release with your corresponding Ubuntu release codename (e.g. focal).
deb https://nginx.org/packages/ubuntu/ $release nginx
deb-src https://nginx.org/packages/ubuntu/ $release nginx
  • Add the content below for Ubuntu 20.04
deb https://nginx.org/packages/ubuntu/ focal nginx
deb-src https://nginx.org/packages/ubuntu/ focal nginx
  • Update the repo & install nginx
sudo apt-get update
sudo apt-get install nginx
  • If we get the error 'Err:5 https://nginx.org/packages/ubuntu focal InRelease
    The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ABF5BD827BD9BF62'
    apt has no copy of the nginx signing key and therefore (correctly) refuses the repository. Import the key:

# syntax
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $key
# example
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ABF5BD827BD9BF62
  • Caveat: the key ID in the error message comes from the not-yet-verified repository metadata, and the keyserver returns whatever key carries that ID. After importing, compare the full fingerprint (apt-key fingerprint ABF5BD827BD9BF62) with the one nginx.org publishes for https://nginx.org/keys/nginx_signing.key, 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, before trusting the repository. apt-key is deprecated on current Ubuntu releases; the replacement is a keyring file referenced with [signed-by=...] in nginx.list.
  • Retry the nginx installation
sudo apt-get update
sudo apt-get install nginx
  • Allow the http & https ports
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
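The keyring-based variant of the key import above, as an added example that is not part of the original notes or of nginx's own documentation: it downloads the signing key, refuses to proceed unless the full fingerprint matches the one published by nginx.org, and pins the repository to that key with [signed-by=...] instead of the deprecated apt-key. The keyring path, the helper names and the sample gpg output in the comments are assumptions for illustration; the fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 is the one nginx.org publishes.

```shell
# Added example (not from the page or from nginx.org): verify the nginx
# signing key by full fingerprint and install it as a pinned apt keyring.
# The short ID ABF5BD827BD9BF62 from the NO_PUBKEY error is only the last
# 16 hex digits of the fingerprint and is not a substitute for it.
set -eu

NGINX_KEY_URL="https://nginx.org/keys/nginx_signing.key"
NGINX_KEYRING="/usr/share/keyrings/nginx-archive-keyring.gpg"   # assumed path
NGINX_FPR="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62"

# Normalize a fingerprint for comparison: drop spaces/newlines, upper-case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --show-keys` output on stdin and print one
# fingerprint per "fpr" record (field 10); the primary key comes first.
key_fingerprints() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# $1 = expected fingerprint, stdin = gpg --with-colons output.
# Returns 0 only if the primary key's fingerprint matches exactly.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    primary=$(key_fingerprints | head -n 1)
    [ -n "$primary" ] && [ "$(normalize_fpr "$primary")" = "$expected" ]
}

# Download the key, check it, install keyring + pinned source, then install nginx.
install_nginx_repo() {
    tmp=$(mktemp)
    curl -fsSL "$NGINX_KEY_URL" -o "$tmp"
    if ! gpg --with-colons --show-keys "$tmp" | fpr_matches "$NGINX_FPR"; then
        echo "nginx signing key fingerprint mismatch, refusing to install" >&2
        rm -f "$tmp"
        return 1
    fi
    gpg --dearmor < "$tmp" | sudo tee "$NGINX_KEYRING" > /dev/null
    rm -f "$tmp"
    release=$(. /etc/os-release && echo "$VERSION_CODENAME")
    echo "deb [signed-by=$NGINX_KEYRING] https://nginx.org/packages/ubuntu/ $release nginx" \
        | sudo tee /etc/apt/sources.list.d/nginx.list > /dev/null
    sudo apt-get update
    sudo apt-get install -y nginx
}

# Only touches the system when run as:  sh this_script.sh install
if [ "${1:-}" = "install" ]; then
    install_nginx_repo
fi
```

The check runs before anything is written under /etc, so a key that does not match simply aborts the installation; the comparison normalizes spacing and case so the fingerprint can be pasted in either the spaced or the compact form.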

(2) Start & Verify

  • Start NGINX Open Source:

    sudo nginx
    (this starts a master process outside systemd; once the service is enabled in step (3), prefer 'sudo systemctl start nginx', otherwise a later systemctl start fails because port 80 is already held by the hand-started instance)
  • If you get a "port 80 in use" error, first check what owns the port ('sudo fuser -v 80/tcp' lists the process); 'fuser -k' kills whatever holds the port, which may be another service rather than a stale nginx:

sudo fuser -k 80/tcp
  • Verify that NGINX Open Source is up and running:

    curl -I 127.0.0.1
  • OR open a browser and type the ip address

output
"Welcome to nginx ..." - the default page is served; curl -I shows 'HTTP/1.1 200 OK' with a 'Server: nginx' header

(3) Application on system reboot

Enable Nginx to start when your system boots

sudo systemctl enable nginx

Commands

Default Server Root : /usr/share/nginx/html
(Files that are placed in there will be served on your web server)
With the nginx.org packages this root is set in the default server in /etc/nginx/conf.d/default.conf, which /etc/nginx/nginx.conf pulls in through 'include /etc/nginx/conf.d/*.conf;'

Start Nginx

sudo systemctl start nginx

Stop Nginx

sudo systemctl stop nginx

Restart Nginx

sudo systemctl restart nginx

Reload Nginx configurations.

sudo systemctl reload nginx

To verify the config file (run as root: the check opens the log, pid and certificate/key paths the config names)

sudo nginx -t

Serving static content

Docs

  • Open file '/etc/nginx/nginx.conf'

    user nginx;
    worker_processes 1;
    # the error log path can be changed here (the directory must exist)
    error_log /customLocation/nginx/logs/error.log warn;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
    }
    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        #tcp_nopush on;
        keepalive_timeout 65;
        # do not advertise the nginx version in the Server header and on error pages
        server_tokens off;
        include /etc/nginx/conf.d/*.conf;
    }
  • Because of the "include /etc/nginx/conf.d/*.conf;" line, every *.conf file placed in that folder becomes part of the http block; per-site configuration goes there rather than into nginx.conf

  • Create a file named after the domain/ip address (eg: 10...*.conf) in the '/etc/nginx/conf.d' folder

    server {
        # --- listen on port 80 (backlog must not exceed net.core.somaxconn, see "Optimizing the Backlog Queue")
        listen 80 backlog=4096;
        # --- private & public ip, domain name. A wildcard is only valid at the start or
        #     end of a host name (*.domain.com); an ip address has to be written out in full
        server_name 192.*.*.* 10.*.*.* www.domain.com;
        # --- root folder (all static applications can reside in it)
        root /some/root/location/to/browse;
        location / {
            # --- landing page: index.html here hands over to default-pages/index.html
            index index.html readme.html master.html;
        }
        # --- deny requests for some file types. ~* makes the match case-insensitive
        #     (README.MD would otherwise be served from a case-sensitive filesystem) and
        #     the $ anchors the extension to the end of the URI: an unanchored \.(md|sh)
        #     also denies /files.sha256
        location ~* \.(md|sh)$ {
            deny all;
        }
        # ---- custom error pages --------------------------------
        error_page 404 /404.html;
        location = /404.html {
            root /some/root/location/to/browse/default-pages;
        }
        error_page 403 /403.html;
        location = /403.html {
            root /some/root/location/to/browse/default-pages;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /some/root/location/to/browse/default-pages;
        }
        # --- css and images of the error pages: their relative links resolve to
        #     http://ipAddr/css/some.css, so /css/ and /images/ are served from default-pages
        location /css/ {
            root /some/root/location/to/browse/default-pages;
        }
        location /images/ {
            root /some/root/location/to/browse/default-pages;
        }
        # ---------------------------error pages --------------------------------
        # --- Java tomcat or Node server reverse proxy
        location /product-x/ {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # --- url of the backend application with its port
            proxy_pass http://localhost:****/;
        }
    }
Note : default-pages is the folder containing the landing page, the error pages and their resources (css/, images/).
1. A request for "http://ipAddress/" is mapped to "root path + /" and served from the index file there,
eg: /some/root/location/to/browse/index.html
Some properties of location (check the docs for more)

location /someProject {
    # specific root for this location (the URI is appended: /someProject/x -> /data/someProject/x)
    root /data;
    # allow directory browsing: this lists every file in the directory, so only
    # enable it for content that is meant to be public in full
    autoindex on;
    # define a specific landing page ($geo is set by the geo module)
    index index.$geo.html index.htm index.html readme.html master.html;
    # check whether the file exists, else serve the fallback
    try_files $uri /images/default.gif;
    # send the file from the kernel instead of copying it into a user-space buffer first
    sendfile on;
}

location /somePath {
    # deny access
    deny all;
}
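Before pointing `root` at a directory it pays to look at what is in it: the regex location above denies only .md and .sh, and anything else that was copied along (a .git checkout, .env files, editor backups, keys) is served like any other static file. The following audit script is an added example, not code from the original notes or from nginx; it goes beyond the two extensions in the config to a broader list of deployment leftovers, and the pattern list, the helper names and the sample tree are assumptions for illustration.

```shell
# Added example (not from the page): audit a document root for files that a
# browser could fetch but that should never be served, and emit a matching
# deny location.  Patterns are illustrative; extend them for your stack.
set -eu

# Print, one per line and relative to the root ($1), the files and
# directories that should not be served.  Matched directories (.git, .svn,
# node_modules) are printed once and not descended into.
find_unsafe_files() {
    ( cd "$1" && find . \
        \( -type d \( -name .git -o -name .svn -o -name node_modules \) -prune -print \) -o \
        \( -type f \( -name '*.md' -o -name '*.sh' -o -name '*.bak' -o -name '*~' \
                   -o -name '.env' -o -name '.htpasswd' -o -name '*.sql' \
                   -o -name '*.key' -o -name '*.pem' \) -print \) \
      | sed 's#^\./#/#' | LC_ALL=C sort )
}

# Number of findings; 0 means the root is clean with respect to the list.
count_unsafe_files() {
    find_unsafe_files "$1" | wc -l | tr -d ' '
}

# A `location` block that denies the same set by URI, as a second line of
# defence for files that slip in later.  Anchored with $ and case-insensitive
# (~*): on a case-sensitive filesystem `location ~ \.sh$` would still serve
# DEPLOY.SH, and an unanchored \.sh would also block /files.sha256.
deny_location() {
    cat <<'EOF'
location ~* (/\.(git|svn|env|htpasswd)|\.(md|sh|bak|sql|key|pem)$|~$) {
    deny all;
}
EOF
}

# Constructed sample tree (not a real deployment) so the functions can be
# exercised without a server; prints the temp directory it created.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/css" "$d/docs" "$d/.git/objects" "$d/node_modules/x"
    for f in index.html css/site.css docs/README.md deploy.sh .env \
             .git/objects/aa index.html~ node_modules/x/pkg.json; do
        : > "$d/$f"
    done
    printf '%s\n' "$d"
}

# Demo run:  sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    R=$(make_sample_root)
    find_unsafe_files "$R"
    deny_location
    rm -rf "$R"
fi
```

On the sample tree the audit reports /.env, /.git, /deploy.sh, /docs/README.md, /index.html~ and /node_modules; the right fix for each finding is to remove it from the web root, with the deny location as a backstop rather than the primary control.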

## Optimizing the Backlog Queue
Displaying the Listen Queue

On Linux, 'ss -ltn' lists every listening socket with the connections currently waiting to be accepted (Recv-Q) and the backlog the socket was opened with (Send-Q); 'netstat -s | grep -i listen' shows how often the queue overflowed and SYNs were dropped. On BSD the equivalent is 'netstat -Lan'.

Tuning the Operating System

sudo sysctl -w net.core.somaxconn=4096

Add the following line to /etc/sysctl.conf so the value survives a reboot

net.core.somaxconn = 4096

Tuning NGINX
- If you set the somaxconn kernel parameter to a value greater than 512, change the backlog parameter of the NGINX listen directive to match. The kernel silently clamps a backlog larger than somaxconn, so raising only one of the two has no effect:

server {
    listen 80 backlog=4096;

    # ...

}

# restart nginx afterwards
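To see whether the backlog setting actually took effect, and whether the queue is close to overflowing under load, the `ss -ltn` columns can be read by a small script. This is an added example, not part of the original notes or of nginx; the threshold, the helper names and the sample `ss` output are assumptions for illustration.

```shell
# Added example (not from the page): read the accept-queue state of the
# listeners from `ss -ltn`.  For a LISTEN socket ss reports
#   Recv-Q = connections currently waiting in the accept queue
#   Send-Q = the backlog the socket was opened with (capped by somaxconn)
# A Send-Q below the `backlog=` in nginx.conf means the kernel clamped it;
# Recv-Q close to Send-Q means the queue is about to overflow.
set -eu

# Constructed `ss -ltn` output (not captured from a real host) for the demo.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:80          0.0.0.0:*
LISTEN 3900   4096   0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*'

# Parse `ss -ltn` output on stdin; print "local_addr backlog used pct" for
# every LISTEN socket, skipping the header line.
listen_queues() {
    awk 'NR > 1 && $1 == "LISTEN" {
            used = $2; max = $3
            pct = (max > 0) ? int(100 * used / max) : 0
            print $4, max, used, pct
         }'
}

# Print listeners whose effective backlog is below $1 (the backlog= value
# you configured): those were clamped by net.core.somaxconn.
clamped_listeners() {
    listen_queues | awk -v want="$1" '$2 < want { print $1, $2 }'
}

# Exit 0 if every listener is below $1 percent of its backlog; otherwise
# print the offenders and exit 1 (suitable for a monitoring check).
check_listen_queues() {
    threshold=$1
    bad=$(listen_queues | awk -v t="$threshold" '$4 >= t')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Live use (iproute2):   ss -ltn | check_listen_queues 80
#                        ss -ltn | clamped_listeners 4096
# Kernel-wide overflow counters: netstat -s | grep -i listen
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | listen_queues
    printf '%s\n' "$SAMPLE_SS" | clamped_listeners 4096
fi
```

In the sample the 127.0.0.1:8080 listener shows a backlog of 128, the value a service gets when it asks for more than somaxconn allowed at the time it started, and the :443 listener is at 95 % of its queue.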
## Install Brotli from source
[link](https://serverdiary.com/linux/how-to-install-and-configure-nginx-brotli/)
```shell
# use --skip-broken if shown in error
yum groupinstall 'Development Tools' -y
# the package list is split into two commands because of a space issue.
# Most of these (flex, bison, yajl, lmdb, ssdeep, lua, libxml2, GeoIP, doxygen)
# are what the linked guide installs for ModSecurity; ngx_brotli itself only
# needs the toolchain plus pcre-devel, zlib-devel and openssl-devel
yum install gcc-c++ flex bison yajl yajl-devel
yum install curl-devel curl GeoIP-devel doxygen zlib-devel
yum install lmdb lmdb-devel libxml2
yum install libxml2-devel ssdeep ssdeep-devel lua lua-devel
cd /usr/src
# the module ends up inside the nginx process, so treat it like any other
# dependency: check out a reviewed commit instead of building whatever HEAD is
git clone https://github.com/google/ngx_brotli.git
cd ngx_brotli
# fetches the bundled brotli library (deps/brotli) the module links against
git submodule update --init
```

Check your Nginx version with the command:

nginx -V
sample output:
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
--modules-path=/usr/lib64/nginx/modules
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock
...so on
  • Now download the Nginx source for the exact version that is installed. A dynamic module is only accepted if it was built from the same version with --with-compat; otherwise nginx refuses to start with "module ... is not binary compatible". The tarball's signature (nginx-1.16.1.tar.gz.asc next to it) can be checked with the nginx signing key.
  • In this example it is Nginx 1.16.1; the module is compiled and the result lands in objs.
```shell
cd /usr/src
wget https://nginx.org/download/nginx-1.16.1.tar.gz
tar zxvf nginx-1.16.1.tar.gz
cd nginx-1.16.1
# pcre-devel is required, otherwise the ./configure below fails
yum install pcre pcre-devel
./configure --with-compat --add-dynamic-module=../ngx_brotli
make modules
cp objs/ngx_http_brotli_static_module.so /etc/nginx/modules/
cp objs/ngx_http_brotli_filter_module.so /etc/nginx/modules/
chmod 644 /etc/nginx/modules/ngx_http_brotli_static_module.so
chmod 644 /etc/nginx/modules/ngx_http_brotli_filter_module.so
```

Enable GZIP & Brotli Compression

Edit the nginx configuration file – /etc/nginx/nginx.conf – and add these lines near the top (load_module belongs in the main context, before the http block)

load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;

Now in the global nginx.conf (under the http section) or in specific.conf add the following

# gzip
gzip on;
gzip_static on;       # serve a pre-compressed .gz file if one exists next to the original
gzip_vary on;         # add "Vary: Accept-Encoding" so caches keep compressed and plain variants apart
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
# brotli
brotli on;
brotli_static on;     # serve a pre-compressed .br file if one exists next to the original
brotli_comp_level 6;
brotli_types text/xml image/svg+xml application/x-font-ttf image/vnd.microsoft.icon application/x-font-opentype application/json font/eot application/vnd.ms-fontobject application/javascript font/otf application/xml application/xhtml+xml text/javascript application/x-javascript text/plain application/x-font-truetype application/xml+rss image/x-icon font/opentype text/css image/x-win-bitmap;
  • Browsers advertise brotli ('Accept-Encoding: br') only on https connections, so over plain http nginx falls back to gzip; test with curl -H 'Accept-Encoding: br' against the https site.
  • Caveat: compressing a response that contains both a secret (session or CSRF token) and attacker-controlled input leaks the secret through the response size (the BREACH attack). Keep compression for static assets and for responses without per-user secrets; the proxied application paths are where this matters.

Note : Restart Nginx
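After the restart, the way to know what nginx actually negotiated is to read the response headers for a given Accept-Encoding. The script below is an added example, not part of the original notes or of the ngx_brotli project; it checks two things, that the Content-Encoding matches what the client offered and that `Vary: Accept-Encoding` is present (without it a shared cache can hand a brotli body to a client that never asked for one). The helper names and the sample responses are assumptions for illustration.

```shell
# Added example (not from the page): inspect `curl -sI`-style response
# headers for the negotiated encoding and the Vary header.
set -eu

# Constructed responses (not captured from a real server) for the demo.
SAMPLE_BR='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/css
Content-Encoding: br
Vary: Accept-Encoding'
SAMPLE_GZIP='HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Encoding: gzip
Vary: Origin'
SAMPLE_PLAIN='HTTP/1.1 200 OK
Content-Type: image/png'

# $1 = header name (case-insensitive, as HTTP requires); stdin = raw
# response headers.  Prints the value lower-cased and trimmed, or nothing.
header_value() {
    awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/\r$/, "", line) }
        index(line, ":") > 0 {
            h = substr(line, 1, index(line, ":") - 1)
            if (tolower(h) == name) {
                v = substr(line, index(line, ":") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print tolower(v)
                exit
            }
        }'
}

# Prints the encoding the server used: br, gzip, ... or identity.
response_encoding() {
    enc=$(header_value Content-Encoding)
    if [ -n "$enc" ]; then echo "$enc"; else echo identity; fi
}

# 0 if Vary lists Accept-Encoding (required for correct caching), else 1.
vary_on_accept_encoding() {
    vary=$(header_value Vary | tr -d ' ')
    case ",$vary," in
        *,accept-encoding,*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# $1 = encoding offered in the request; stdin = response headers.
# ok       -> got what was offered
# none     -> uncompressed: type not in brotli_types/gzip_types, or off
# fallback -> got a different encoding, e.g. offered br, got gzip
negotiation_verdict() {
    hdrs=$(cat)
    enc=$(printf '%s\n' "$hdrs" | response_encoding)
    if [ "$enc" = "$1" ]; then
        echo ok
    elif [ "$enc" = identity ]; then
        echo none
    else
        echo "fallback:$enc"
    fi
}

# Live use (URL assumed):
#   curl -sI -H 'Accept-Encoding: br'   https://www.domain.com/ | negotiation_verdict br
#   curl -sI -H 'Accept-Encoding: br'   https://www.domain.com/ | vary_on_accept_encoding || echo 'missing Vary'
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_BR"   | negotiation_verdict br
    printf '%s\n' "$SAMPLE_GZIP" | negotiation_verdict br
fi
```

A `fallback:gzip` verdict after offering `br` usually means the brotli modules are not loaded or the content type is missing from brotli_types; `none` on a type that should compress points at the *_types lists.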

Set up SSL on Nginx

  • First copy your DigiCertCA.crt (intermediate certificate), domain.crt (primary certificate) and domain.key to the server
  • Make the private key readable by root only (owner root, mode 0600). The certificates are public, but keeping them root-owned prevents tampering.
  • Since no .pem file was provided, concatenate the primary and intermediate certificates, primary first: nginx sends them in file order and the key must match the first one. Use '>' rather than '>>', because appending on a re-run produces a bundle with duplicate certificates.
cat your_domain_name.crt DigiCertCA.crt > bundle.crt
  • Edit the Nginx virtual hosts file
server {
    # redirect http to https
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ipAddress www.domain.com;
    # return 301 https://$host$request_uri;
    return 301 https://www.domain.com$request_uri;
}
server {
    listen 443 ssl;
    server_name ipAddress www.domain.com;
    # ssl on;   (obsolete; ssl is given on the listen line instead)
    ssl_certificate /etc/ssl/your_domain_name.pem;       # or bundle.crt from above
    ssl_certificate_key /etc/ssl/your_domain_name.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail compliance scans; offer only 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
  • 443 is the https default port (it must be opened in the local and the perimeter firewall)
    • check remotely with 'telnet publicIp port' (a TCP connect only; 'openssl s_client -connect publicIp:443 -servername www.domain.com' additionally shows the certificate chain the server presents)
  • Verify the nginx config with 'sudo nginx -t'
  • Restart Nginx
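The checks worth running on the files before the restart, as an added example that is not part of the original notes or of nginx: certificate count and order in the bundle, that the key really belongs to the first certificate, that the leaf chains through the intermediate, and that the key file is not group- or world-readable. File names follow the page (bundle.crt, your_domain_name.key) but every path is a parameter, so they are assumptions only; the openssl command-line tool is required.

```shell
# Added example (not from the page): pre-flight checks for the files named in
# ssl_certificate / ssl_certificate_key.
set -eu

# Number of PEM certificates in a bundle.  nginx reads them in file order:
# the server certificate must come first, intermediates after it.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject of the first certificate in the file; for a bundle this must be
# the site, not the intermediate CA.
first_cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# 0 if the private key ($2) belongs to the first certificate in $1.  Both
# public keys are hashed in DER form so PEM formatting does not matter.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# 0 if the leaf ($1) chains through the intermediate(s) in $2 to a trusted
# root.  $3 (optional) is an extra trust-anchor file, used below for a
# private test CA; in production omit it so the system store is used, which
# is what clients will do.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" > /dev/null
    else
        openssl verify -untrusted "$2" "$1" > /dev/null
    fi
}

# 0 if the key file is not readable by group or others (mode ?00).
key_is_private() {
    perm=$(stat -c '%a' "$1" 2> /dev/null || stat -f '%Lp' "$1")
    case "$perm" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage on the page's files (paths assumed):
#   pem_cert_count   /etc/ssl/bundle.crt                       # expect 2
#   key_matches_cert /etc/ssl/bundle.crt /etc/ssl/your_domain_name.key
#   chain_verifies   your_domain_name.crt DigiCertCA.crt
#   key_is_private   /etc/ssl/your_domain_name.key
# Remote check after the restart (shows the chain the server presents):
#   openssl s_client -connect www.domain.com:443 -servername www.domain.com < /dev/null
```

If key_matches_cert fails against the bundle but succeeds against your_domain_name.crt alone, the bundle was concatenated in the wrong order; if chain_verifies fails without a trust-anchor argument, the intermediate in DigiCertCA.crt is not the one that issued the leaf.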

Reference links

Load balancer