Installing Nginx on CentOS 6.5 Minimal x86_64 - rharmonson/richtech GitHub Wiki

# Installing Nginx on CentOS 6.5 Minimal x86_64

## CentOS 6.5 Minimal x86_64

Complete a base operating system build to your preference, or follow my guide found here:

https://github.com/rharmonson/richtech/wiki/CentOS-6.5-Minimal-x86_64-Base-Installation-Guide

## EPEL Repository

As a standard, I use the Extra Packages for Enterprise Linux (EPEL) repository, e.g. for open-vm-tools and ntfs-3g. For this specific build, EPEL is not a requirement but is advisable.

https://github.com/rharmonson/richtech/wiki/EPEL-Repository-on-CentOS-6.5

## Nginx Repository

Reference:

http://wiki.nginx.org/Install#Official_Red_Hat.2FCentOS_packages

To add the Nginx repository, create a file named /etc/yum.repos.d/nginx.repo and paste the configuration below:

```
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
```

Alternatively, you can use this one-liner:

```
echo -e "[nginx]\nname=nginx repo\nbaseurl=http://nginx.org/packages/centos/\$releasever/\$basearch\nenabled=1\ngpgcheck=0" > /etc/yum.repos.d/nginx.repo
```
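With `gpgcheck=0`, yum installs packages from this repository without verifying their signatures, and the `baseurl` is plain HTTP. The following is an added example, not part of the original guide: a small audit function run over a constructed copy of that repo file and a signed variant. The names `audit_repo`, `weak.repo` and `signed.repo` are illustrative; the `gpgkey` URL is nginx's published package signing key.

```shell
#!/bin/sh
# audit_repo FILE: list [sections] of a yum .repo file that disable package
# signature checks. Prints findings; exit status is 1 if any were found.
audit_repo() {
    awk '
        function report() {
            if (sec == "" || gpgcheck != "0") return
            bad = 1
            print sec ": gpgcheck=0, package signatures are not verified"
            if (baseurl ~ /^http:/)
                print sec ": unsigned packages are fetched over plain http"
        }
        /^[ \t]*\[/ {                               # new [section]
            report()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            gpgcheck = baseurl = ""
            next
        }
        /^[ \t]*[#;]/ || !index($0, "=") { next }   # comments, blank lines
        {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            if (key == "baseurl")  baseurl = val
        }
        END { report(); exit bad + 0 }
    ' "$1"
}

# Constructed samples: the repo file from this guide and a signed variant.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.repo" <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
EOF
cat > "$tmp/signed.repo" <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
audit_repo "$tmp/weak.repo"   || echo "weak.repo: fix before use"
audit_repo "$tmp/signed.repo" && echo "signed.repo: ok"
```

The same function can be pointed at each file under /etc/yum.repos.d/ on a host.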

## Install Nginx

Once the Nginx repo is set up, use yum to install the nginx package.

```
# yum install nginx
```

This installs the current stable binaries for CentOS.

```
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nginx.x86_64 0:1.6.0-2.el6.ngx will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch            Version                    Repository      Size
================================================================================
Installing:
 nginx          x86_64          1.6.0-2.el6.ngx            nginx          336 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 336 k
Installed size: 826 k
Is this ok [y/N]:
```

Set Nginx to start and shut down automatically with host reboots.

```
# chkconfig nginx on
```

## SELinux

By default SELinux is enforcing. Initially, let's change it to permissive.

```
# vi /etc/selinux/config
```

Update the value of SELINUX to permissive, then save.

Next, log off and back on, or execute the following to set SELinux to permissive mode for the current session.

```
# setenforce 0
```

See my guide given below for an example of how to create an SELinux module.

https://github.com/rharmonson/richtech/wiki/Installing-Tracks-2.2.2-on-CentOS-6.5-Minimal-x86_64#selinux-passenger-module
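While SELinux is permissive, denials are still recorded in the audit log (/var/log/audit/audit.log when auditd is running), and those records are the input for a policy module. The following is an added example, not part of the original guide: it summarises the AVC denials logged for nginx. The function names and the audit records are constructed for illustration and assume nginx runs in the `httpd_t` domain.

```shell
#!/bin/sh
# summarise_avc COMM: read audit log lines on stdin and count the AVC denials
# recorded for processes named COMM, grouped by permission, target type, class.
summarise_avc() {
    awk -v comm="$1" '
        /type=AVC/ && /denied/ && index($0, "comm=\"" comm "\"") {
            perm = $0
            sub(/^.*[{] /, "", perm); sub(/ [}].*$/, "", perm)
            ttype = tclass = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tcontext=/) { split($i, ctx, ":"); ttype = ctx[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            seen[perm " " ttype " " tclass]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed audit records (not taken from a real host).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1400000001.101:201): avc:  denied  { name_connect } for  pid=2345 comm="nginx" dest=443 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000002.202:202): avc:  denied  { name_connect } for  pid=2345 comm="nginx" dest=80 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000003.303:203): avc:  denied  { read } for  pid=2345 comm="nginx" name="www_mydomain_com.key" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1400000004.404:204): avc:  denied  { getattr } for  pid=3001 comm="sshd" path="/etc/motd" dev=dm-0 ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1400000004.404:204): arch=c000003e syscall=4 success=yes exit=0 comm="sshd"
EOF
}

sample_audit_log | summarise_avc nginx
```

On a real host, pipe /var/log/audit/audit.log into `summarise_avc nginx` and review each group before allowing it in a module and returning to enforcing mode.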

## Firewall

Execute the iptables text user interface to permit http and https, or your custom ports, to Nginx.

```
# system-config-firewall-tui
```

## Done

At this point, nginx is installed but not configured. Under /etc/nginx/conf.d you will find default.conf and example_ssl.conf as references for building an nginx.conf that uses nginx as a web server. Alternatively, nginx can be used as a reverse proxy, and I provide a sample of a revised and working nginx.conf. Also, under the section titled "Other Considerations" you will find references that may be helpful.

### Reverse Proxy nginx.conf example

The /etc/nginx/nginx.conf below is intended as an example only.

```
# worker processes = cpu cores
worker_processes        4;
worker_priority         15;

events {
        worker_connections 2048;
        multi_accept off;
        use epoll;
}

http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        server_names_hash_max_size 1024;
        server_tokens off;

### Redirect root to https:www
server {
        listen 80;
        server_name mydomain.com;
        return 301 https://www.mydomain.com$request_uri;
}

### Redirect www to https:www
server {
        listen 80;
        server_name www.mydomain.com;
        return 301 https://www.mydomain.com$request_uri;
}

### Primary Server
server {
        listen          443 ssl;
        # Port 80 for both names is answered by the redirect servers above,
        # so it is not listened on here (a second "listen 80" for the same
        # names only produces "conflicting server name" warnings).
        server_name     www.mydomain.com mydomain.com;

        ssl_certificate         /etc/nginx/ssl-bundle.crt;
        ssl_certificate_key     /etc/nginx/www_mydomain_com.key;

        ### Static webpage
        location /staticpage/ {
                proxy_pass http://192.168.1.112/staticpage/;
        }

        ### Deny Administrator Backend
        location /webadmin/ {
                deny all;
        }

        ### CMS on Apache2
        location / {
                index index.php;
                client_max_body_size 30M;

        ## Set Headers
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;

        ## CMS Backend
                proxy_pass https://192.168.1.111/;
                proxy_redirect off;
        }

        ### Explicitly deny and log for .htaccess & .htpasswd
        # Request URIs always begin with "/", so the pattern matches "/." and
        # is not anchored with "^" directly before the dot.
        location ~ /\.(htaccess|htpasswd)$ {
                deny all;
                # access_log takes a path, not "on"; "access_log on;" would
                # write to a file named "on".
                access_log /var/log/nginx/access.log;
        }

}
}
```

## Other Considerations

Nginx Beginner's guide

http://nginx.org/en/docs/beginners_guide.html

Book: Nginx HTTP Server

https://www.packtpub.com/nginx-http-server-for-web-applications/book

Top 20 Nginx WebServer Best Security Practices

http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html

NGINX HTTP(S) Reverse Proxy with ModSecurity Protection

http://www.stan.gr/2014/02/nginx-reverse-proxy-with-modsecurity.html

Nginx Pitfalls

http://wiki.nginx.org/Pitfalls