Nginx Configuration
Summary
This is a fully developed Nginx configuration ready for deployment in production environments. It is pre-configured to be scalable, efficient, secure, and reliable.
Author's Notes
@carlbennett wanted an Nginx configuration that was both secure and modular enough that it could be put on any server, with minor tuning to just a few settings to make it work anywhere. And thus, this configuration was created.
It is based on the Fedora 29 x86_64 Nginx packages and is maintained at carlbennett/nginx-conf. It is compatible with most Nginx installations, and works well on CentOS 7 when using nginx.org's repos instead of the default centos repos.
Recommended Nginx version: 1.13.0 or newer.
Features
- Global caching
- If included, tunes nginx to have browsers cache static resources.
- Global Gzip compression
- If included, common types of static resources will be compressed by nginx.
- Global URL filtering
- If included, nginx will disconnect common types of attacks based on the URL, instead of responding with an error page or content which could alert the bad actor about your server, which would send an invite to come back later.
- Can be extended upon very easily to block even more types of URLs.
- PHP support
- If included, you can and should define php error reporting and short tags in your server block.
- You can pass other php options via the PHP_VALUE parameter too.
Installation
These steps have been tested on Fedora 29 x86_64, and may require minor changes to work on non-RHEL systems.
The following commands assume you are logged in as root or are sudoing as
root before every command.
Install nginx
dnf with yum in the command
below.
dnf install nginxSetup the user and group
If you wish to replace apache:
userdel -r apache
usermod -u 48 nginx
groupmod -g 48 nginxAdd permission group for web content:
groupadd -r www-data
usermod -aG www-data nginx
usermod -aG www-data `whoami`
Clone this repository
cd ~
git clone [email protected]:carlbennett/nginx-conf.git && cd ./nginx-confCopy files to system
cp -r ./etc/nginx/ /etc/nginx
mkdir -p /var/www && cp -r ./var/www/* /var/wwwFile and directory permissions
chown -R root:root /etc/nginx
chown -R nginx:www-data /var/www
find /var/www -type f -print0 | sudo xargs -0 chmod 664
find /var/www -type d -print0 | sudo xargs -0 chmod 775SELinux booleans
If using nginx on a RHEL-like system with a backend like php-fpm, the following booleans become useful to enable network connectivity as the nginx/php-fpm user.
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_network_memcache 1SELinux file context
If using nginx on a RHEL-like system with an alternate webroot, the following
configures proper SELinux fcontext, which is necessary if not using /var/www.
dnf install policycoreutils-python-utils # provides semanage
semanage fcontext -a -t httpd_sys_content_t '/opt/other-www(/.*)?'
restorecon -r /opt/other-wwwIf there are directories which a backend needs write access to, be sure to use
the fcontext httpd_rw_sys_content_t instead for such directories. The fcontext
httpd_sys_content_t (as printed earlier) is for read-only content.
In addition, there is also httpd_sys_script_exec_t for CGI/executable files,
but this fcontext is less common and is already set for /var/www/cgi-bin.
The following command lists all file contexts currently configured:
semanage fcontext -l | grep httpd
Configure nginx
You should now configure everything under /etc/nginx to your liking.
Run nginx
systemctl enable nginx
systemctl start nginx