Nginx Configuration
Summary
This is a fully developed Nginx configuration ready for deployment in production environments. It is pre-configured to be scalable, efficient, secure, and reliable.
Author's Notes
@carlbennett wanted an Nginx configuration that was both secure and modular enough that it could be put on any server, with minor tuning to just a few settings to make it work anywhere. And thus, this configuration was created.
It is based on the Fedora 29 x86_64 Nginx packages and is maintained at carlbennett/nginx-conf. It is compatible with most Nginx installations and works well on CentOS 7 when nginx.org's repos are used instead of the default CentOS repos.
Recommended Nginx version: 1.13.0 or newer.
Features
- Global caching
- If included, nginx sends caching headers so that browsers cache static resources instead of re-requesting them.
- Global Gzip compression
- If included, common types of static resources will be compressed by nginx.
- Global URL filtering
- If included, nginx drops the connection for requests whose URL matches common attack patterns (closing the connection without sending a response, the behaviour of nginx's special status code 444). Responding with an error page or other content would tell the bad actor that a live server is there and invite them to come back later; a silent disconnect gives them nothing to work with.
- Can easily be extended to block further URL patterns.
- PHP support
- If included, you can and should set PHP's error reporting and short_open_tag settings in your server block rather than relying on the php.ini defaults.
- Other php.ini directives can be passed to php-fpm the same way, via the PHP_VALUE FastCGI parameter.
Installation
These steps have been tested on Fedora 29 x86_64, and may require minor changes to work on non-RHEL systems.
The following commands assume you are logged in as root, or that you prefix every command with sudo.
Install nginx
On systems that use yum rather than dnf (such as CentOS 7), replace dnf with yum in the command below.
dnf install nginx
Setup the user and group
If you wish to replace apache (on RHEL-like systems the apache user and group have UID/GID 48; the commands below remove apache and give nginx those IDs):
userdel -r apache
usermod -u 48 nginx
groupmod -g 48 nginx
Note that usermod -u only re-owns files under the user's home directory. Anything else that was owned by nginx's old numeric UID/GID keeps the stale IDs, so re-chown such paths afterwards (the chown steps below cover /etc/nginx and /var/www).
Add a permission group for web content:
groupadd -r www-data
usermod -aG www-data nginx
usermod -aG www-data `whoami`
The last command is meant to add the account you deploy content from. If you are running these commands through sudo, `whoami` expands to root, so substitute your own user name (or $SUDO_USER) instead. New group memberships take effect at the next login.
Clone this repository
cd ~
git clone git@github.com:carlbennett/nginx-conf.git && cd ./nginx-conf
Copy files to system
The nginx package has already created /etc/nginx, so copy the contents of the repository's etc/nginx directory into it (copying the directory itself would nest it as /etc/nginx/nginx). This overwrites the packaged nginx.conf; back it up first if you want to compare.
cp -r ./etc/nginx/. /etc/nginx
mkdir -p /var/www && cp -r ./var/www/* /var/www
File and directory permissions
Configuration stays root-owned. Web content is owned by nginx with group www-data, with files 664 and directories 775: nginx and members of www-data can read and write it, while other local users can only read it.
chown -R root:root /etc/nginx
chown -R nginx:www-data /var/www
find /var/www -type f -print0 | xargs -0 chmod 664
find /var/www -type d -print0 | xargs -0 chmod 775
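As an added example (not part of carlbennett/nginx-conf), the permission step above as reusable shell functions, plus the check a practitioner wants after every deploy: list anything under the webroot whose mode deviates from the 664/775 scheme. The function names and the /var/www default are this example's own; ownership (chown -R nginx:www-data) is left to the root-only steps above so that the check can run unprivileged.

```sh
#!/bin/sh
# Added example, not from carlbennett/nginx-conf: the README's webroot
# permission scheme (files 664, directories 775) as reusable functions,
# plus a check that reports anything deviating from it. Function names and
# the /var/www default are this example's own. Ownership (chown -R
# nginx:www-data) is deliberately left to the root-only steps above so the
# check can run unprivileged, e.g. right after a git pull or scp deploy.

# Apply the scheme to DIR (default /var/www). Same find/xargs pattern as
# the install steps: -print0/-0 keeps paths with spaces intact, and
# xargs -r (GNU/busybox) avoids running chmod with no arguments on an
# empty tree.
apply_webroot_modes() {
    dir=${1:-/var/www}
    find "$dir" -type f -print0 | xargs -0 -r chmod 664
    find "$dir" -type d -print0 | xargs -0 -r chmod 775
}

# Print every path under DIR whose mode is not exactly 664 (files) or
# 775 (directories) to stderr and return 1; return 0 if the tree is clean.
# "-perm 664" without a leading - or / is an exact-mode match, so this also
# flags a world-writable 666 file or a 700 directory nginx could not enter.
check_webroot_modes() {
    dir=${1:-/var/www}
    offenders=$(find "$dir" \( -type f ! -perm 664 \) -o \( -type d ! -perm 775 \))
    if [ -n "$offenders" ]; then
        printf 'mode deviates from 664/775:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Usage (as root, after chown -R nginx:www-data /var/www):
#   apply_webroot_modes /var/www && check_webroot_modes /var/www
```

Run check_webroot_modes on its own from a cron job or deploy hook; a non-zero exit means a file landed with the deploying user's umask (or world-writable) rather than the scheme above.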
SELinux booleans
If using nginx on a RHEL-like system with a backend such as php-fpm, the following booleans allow the confined httpd domain (which covers both nginx and php-fpm on these systems) to open outbound network connections. Enable only the ones your backend needs: httpd_can_network_connect_db and httpd_can_network_memcache are limited to database and memcache ports, whereas httpd_can_network_connect permits connections to any port.
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_network_memcache 1
SELinux file context
If using nginx on a RHEL-like system with an alternate webroot, the following configures the proper SELinux fcontext, which is necessary if not using /var/www.
dnf install policycoreutils-python-utils # provides semanage
semanage fcontext -a -t httpd_sys_content_t '/opt/other-www(/.*)?'
restorecon -r /opt/other-www
If there are directories which a backend needs write access to, use the fcontext httpd_rw_sys_content_t for those directories instead. The fcontext httpd_sys_content_t (as used above) is for read-only content.
In addition, there is httpd_sys_script_exec_t for CGI/executable files, but this fcontext is less common and is already set for /var/www/cgi-bin.
The following command lists all file contexts currently configured:
semanage fcontext -l | grep httpd
Configure nginx
You should now configure everything under /etc/nginx to your liking. Run nginx -t afterwards to check the configuration for syntax errors before starting the service.
Run nginx
systemctl enable nginx
systemctl start nginx