nginx

Nginx is another application server, like Apache HTTP and Apache Tomcat. Unlike Tomcat, Nginx cannot be used for artifacts. At the same time, Nginx is very stable and is compatible with other plugins and applications.

Installation of nginx is the same as for Apache and Tomcat; you can use the yum repository as follows:

Required Libraries

[root@dokuwiki .ssh]# rpm -qa | grep nginx
nginx-mod-http-geoip-1.10.2-1.el6.x86_64
nginx-mod-http-xslt-filter-1.10.2-1.el6.x86_64
nginx-filesystem-1.10.2-1.el6.noarch
nginx-mod-stream-1.10.2-1.el6.x86_64
nginx-mod-http-image-filter-1.10.2-1.el6.x86_64
nginx-1.10.2-1.el6.x86_64
nginx-all-modules-1.10.2-1.el6.noarch
nginx-mod-http-perl-1.10.2-1.el6.x86_64
nginx-mod-mail-1.10.2-1.el6.x86_64

After that, we can start with the configuration. The configuration files for nginx are located in: /etc/nginx

-rw-r--r--.  1 root root 3610 Oct 31  2016 win-utf
-rw-r--r--.  1 root root  664 Oct 31  2016 uwsgi_params.default
-rw-r--r--.  1 root root  664 Oct 31  2016 uwsgi_params
-rw-r--r--.  1 root root  636 Oct 31  2016 scgi_params.default
-rw-r--r--.  1 root root  636 Oct 31  2016 scgi_params
-rw-r--r--.  1 root root 2656 Oct 31  2016 nginx.conf.default
-rw-r--r--.  1 root root 3957 Oct 31  2016 mime.types.default
-rw-r--r--.  1 root root 3957 Oct 31  2016 mime.types
-rw-r--r--.  1 root root 2223 Oct 31  2016 koi-win
-rw-r--r--.  1 root root 2837 Oct 31  2016 koi-utf
-rw-r--r--.  1 root root 1007 Oct 31  2016 fastcgi_params.default
-rw-r--r--.  1 root root 1007 Oct 31  2016 fastcgi_params
-rw-r--r--.  1 root root 1077 Oct 31  2016 fastcgi.conf.default
-rw-r--r--.  1 root root 1077 Oct 31  2016 fastcgi.conf
drwxr-xr-x.  2 root root 4096 Oct 31  2016 default.d
-rw-r--r--.  1 root root  683 Jul 24 15:19 nginx.conf
drwxr-xr-x.  5 root root 4096 Jul 24 15:20 .
drwxr-xr-x.  2 root root 4096 Jul 25 07:06 sites-enabled
drwxr-xr-x.  2 root root 4096 Jul 25 07:30 conf.d
drwxr-xr-x. 97 root root 4096 Aug 17 06:44 ..

The configuration files fall into a few categories:

  • Nginx configuration
  • Site Configuration
  • Security Configuration

The Nginx configuration covers how nginx itself works: how many connections it handles, the format in which the log is generated, where the access log is located and so on. Additionally, it has to reference the location of the other configuration files:

Nginx Configuration

/etc/nginx
[root@dokuwiki nginx]# cat nginx.conf
user  nginx;
worker_processes  8;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

The site configuration includes the port on which the site listens, the site name and other settings. Optionally you can include the security configuration as well, although it isn't good practice to do so.

Site Configuration

server {
    listen 80;
    server_name www.jdbwiki.tech;
    root /etc/dokuwiki;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php;
    }

    # A server-level return runs before a location is selected, so every
    # plain-HTTP request is redirected to HTTPS and the location blocks
    # in this server are not reached.
    return 301 https://www.jdbwiki.tech$request_uri;

    location ~ \.php$ {
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
    }
}

Although the security configuration and the site configuration can both be part of the nginx configuration, it is good to keep them separate. The security configuration covers the port on which SSL is enabled (443 by default) and which ciphers are used:

Security Configuration

#
# HTTPS server configuration
#

server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl;
    server_name  www.jdbwiki.tech;
    root /etc/dokuwiki;
    location / {
        # The fallback (last) argument must be a URI with a leading slash
        try_files $uri /index.html /index.php;
    }

    location ~ \.php$ {
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
    }

    ssl_certificate /root/SSLCert/cert.pem;
    ssl_certificate_key /root/SSLCert/key.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
}
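
The ssl_protocols line above still enables TLSv1 and TLSv1.1, which are formally deprecated (RFC 8996). The check below is an added example, not part of the original page: it lists deprecated protocol tokens in a configuration file. The helper name weak_tls_protocols and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag deprecated protocol
# versions in nginx ssl_protocols directives.

# weak_tls_protocols FILE  (hypothetical helper name)
# Prints "<line>:<protocol>" per deprecated token; returns 1 if any was found.
weak_tls_protocols() {
    awk '
        BEGIN { bad = 0 }
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i
                sub(/;$/, "", p)                # drop the closing semicolon
                # exact token match, so TLSv1 does not also hit TLSv1.2
                if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1") {
                    print NR ":" p
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample input: the protocol line used on this page, and a
# TLS 1.2-only variant.
sample_dir=$(mktemp -d)
cat > "$sample_dir/page.conf" <<'EOF'
server {
    listen 443 ssl;
    # ssl_protocols SSLv3;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
}
EOF
cat > "$sample_dir/fixed.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
EOF

for conf in page.conf fixed.conf; do
    if weak_tls_protocols "$sample_dir/$conf"; then
        echo "$conf: ok"
    else
        echo "$conf: deprecated protocols listed above"
    fi
done
```

Run it against each file under /etc/nginx/conf.d and /etc/nginx/sites-enabled before reloading nginx; a non-zero return means at least one server block still offers a deprecated protocol.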

Once all has been set up, we can start the nginx server:

Check status

[root@dokuwiki conf.d]# service nginx status
nginx (pid  2551) is running...
[root@dokuwiki conf.d]# 

We can configure automatic certificate renewal, using 3-month certificates, with an ACME client:

Install ACME


# Curl
curl https://get.acme.sh | sh

# OR wget
wget -O - https://get.acme.sh | sh

# OR git
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install

Then we can install the certificate as follows:

Automatic Certificate

v5x8sroe2bb3@n3plcpnl0011 [~/.acme.sh]$ ./acme.sh --issue -d jdbwiki.com -w /home/v5x8sroe2bb3/public_html
Using CA: https://acme-v02.api.letsencrypt.org/directory
Single domain='jdbwiki.com'
Getting domain auth token for each domain
Getting webroot for domain='jdbwiki.com'
Verifying: jdbwiki.com
Success
Verify finished, start to sign.
Lets finalize the order.
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/103638882/6417907782'
Downloading cert.
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04a3aaa6dd9b6d788fabed9e3e7fc7529685'
Cert success.
Your cert is in  /home/v5x8sroe2bb3/.acme.sh/jdbwiki.com/jdbwiki.com.cer
Your cert key is in  /home/v5x8sroe2bb3/.acme.sh/jdbwiki.com/jdbwiki.com.key
The intermediate CA cert is in  /home/v5x8sroe2bb3/.acme.sh/jdbwiki.com/ca.cer
And the full chain certs is there:  /home/v5x8sroe2bb3/.acme.sh/jdbwiki.com/fullchain.cer
v5x8sroe2bb3@n3plcpnl0011 [~/.acme.sh]$

You can change the location with a parameter; refer to the help options:

ACME help options

v5x8sroe2bb3@n3plcpnl0011 [~/.acme.sh]$ ./acme.sh --help
https://github.com/acmesh-official/acme.sh
v2.8.8
Usage: acme.sh <command> ... [parameters ...]
Commands:
  -h, --help               Show this help message.
  -v, --version            Show version info.
  --install                Install acme.sh to your system.
  --uninstall              Uninstall acme.sh, and uninstall the cron job.
  --upgrade                Upgrade acme.sh to the latest code from https://github.com/acmesh-official/acme.sh.
  --issue                  Issue a cert.
  --deploy                 Deploy the cert to your server.
  -i, --install-cert       Install the issued cert to apache/nginx or any other server.
  -r, --renew              Renew a cert.
  --renew-all              Renew all the certs.
  --revoke                 Revoke a cert.
  --remove                 Remove the cert from list of certs known to acme.sh.
  --list                   List all the certs.
  --to-pkcs12              Export the certificate and key to a pfx file.
  --to-pkcs8               Convert to pkcs8 format.
  --sign-csr               Issue a cert from an existing csr.
  --show-csr               Show the content of a csr.
  -ccr, --create-csr       Create CSR, professional use.
  --create-domain-key      Create an domain private key, professional use.
  --update-account         Update account info.
  --register-account       Register account key.
  --deactivate-account     Deactivate the account.
  --create-account-key     Create an account private key, professional use.
  --install-cronjob        Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  --uninstall-cronjob      Uninstall the cron job. The 'uninstall' command can do this automatically.
  --cron                   Run cron job to renew all the certs.
  --set-notify             Set the cron notification hook, level or mode.
  --deactivate             Deactivate the domain authz, professional use.
  --set-default-ca         Used with '--server', Set the default CA to use.
  • Last modified: 2020/11/26 11:11
  • by andonovj