Overview
Nginx is another application server, like Apache HTTP Server and Apache Tomcat. Unlike Tomcat, Nginx cannot be used to deploy artifacts; at the same time, Nginx is very stable and is compatible with many other plugins and applications.
Installation
Installing nginx works the same way as for Apache and Tomcat: you can use the yum repository, which pulls in the following packages:
Required Libraries
[root@dokuwiki .ssh]# rpm -qa | grep nginx
nginx-mod-http-geoip-1.10.2-1.el6.x86_64
nginx-mod-http-xslt-filter-1.10.2-1.el6.x86_64
nginx-filesystem-1.10.2-1.el6.noarch
nginx-mod-stream-1.10.2-1.el6.x86_64
nginx-mod-http-image-filter-1.10.2-1.el6.x86_64
nginx-1.10.2-1.el6.x86_64
nginx-all-modules-1.10.2-1.el6.noarch
nginx-mod-http-perl-1.10.2-1.el6.x86_64
nginx-mod-mail-1.10.2-1.el6.x86_64
After that, we can start with the configuration. The configuration files for nginx are located in /etc/nginx:
-rw-r--r--.  1 root root 3610 Oct 31  2016 win-utf
-rw-r--r--.  1 root root  664 Oct 31  2016 uwsgi_params.default
-rw-r--r--.  1 root root  664 Oct 31  2016 uwsgi_params
-rw-r--r--.  1 root root  636 Oct 31  2016 scgi_params.default
-rw-r--r--.  1 root root  636 Oct 31  2016 scgi_params
-rw-r--r--.  1 root root 2656 Oct 31  2016 nginx.conf.default
-rw-r--r--.  1 root root 3957 Oct 31  2016 mime.types.default
-rw-r--r--.  1 root root 3957 Oct 31  2016 mime.types
-rw-r--r--.  1 root root 2223 Oct 31  2016 koi-win
-rw-r--r--.  1 root root 2837 Oct 31  2016 koi-utf
-rw-r--r--.  1 root root 1007 Oct 31  2016 fastcgi_params.default
-rw-r--r--.  1 root root 1007 Oct 31  2016 fastcgi_params
-rw-r--r--.  1 root root 1077 Oct 31  2016 fastcgi.conf.default
-rw-r--r--.  1 root root 1077 Oct 31  2016 fastcgi.conf
drwxr-xr-x.  2 root root 4096 Oct 31  2016 default.d
-rw-r--r--.  1 root root  683 Jul 24 15:19 nginx.conf
drwxr-xr-x.  5 root root 4096 Jul 24 15:20 .
drwxr-xr-x.  2 root root 4096 Jul 25 07:06 sites-enabled
drwxr-xr-x.  2 root root 4096 Jul 25 07:30 conf.d
drwxr-xr-x. 97 root root 4096 Aug 17 06:44 ..
Configuration
The configuration files fall into a couple of categories:
- Nginx configuration
- Site Configuration
- Security Configuration
Nginx Configuration
The Nginx configuration describes how nginx itself works: how many connections it handles, in what format the log should be generated, where the access log should be located, and so on. Additionally, we have to include the locations of the other configuration files here:
Nginx Configuration
[root@dokuwiki nginx]# cat nginx.conf
user nginx;
worker_processes 8;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
Site Configuration
The site configuration includes on which port the site should listen, the site name and so on. Optionally you can include the security configuration here as well; however, it isn't good practice to do so.
Site Configuration
server {
    listen 80;
    server_name www.jdbwiki.tech;
    root /etc/dokuwiki;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php;
    }

    # A server-level "return" is evaluated before any location is matched,
    # so every plain-HTTP request is redirected to HTTPS and the location
    # blocks in this server are never reached on port 80.
    return 301 https://www.jdbwiki.tech$request_uri;

    location ~ \.php$ {
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
    }
}
Security Configuration
Although the security configuration and the site configuration can both be part of the nginx configuration, it is good to keep them separated. The security configuration again includes on which port SSL is enabled (by default 443) and which ciphers are to be used:
Security Configuration
#
# HTTPS server configuration
#
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl;
    server_name www.jdbwiki.tech;
    root /etc/dokuwiki;
    # Without an index directive nginx only looks for index.html, so a request
    # for / would return 403 on a DokuWiki root; aligned with the port-80 site.
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
    }

    ssl_certificate /root/SSLCert/cert.pem;
    ssl_certificate_key /root/SSLCert/key.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;

    ssl_prefer_server_ciphers on;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy
    # clients still need them, otherwise use "ssl_protocols TLSv1.2;".
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
}
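As an added check (example code written for this page, not taken from it or from nginx), the POSIX shell lint below reads a constructed copy of the ssl_* directives above, reports the deprecated TLSv1 and TLSv1.1 that the block enables, and verifies that the private key file is readable by its owner only. The config and key paths are constructed for the example.

```shell
#!/bin/sh
# Writes a constructed sample mirroring the page's ssl_* settings to the file $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2 default_server;
    ssl_certificate /root/SSLCert/cert.pem;
    ssl_certificate_key /root/SSLCert/key.pem;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
}
EOF
}

# Prints the protocols enabled by ssl_protocols that RFC 8996 deprecates
# (SSLv2, SSLv3, TLSv1, TLSv1.1), space separated; prints nothing if clean.
deprecated_protocols() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p' "$1" \
        | tr ' ' '\n' \
        | grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Returns 0 if the key file is readable by its owner only (mode ?00),
# 1 if group or others can read it, 2 if the file is missing.
key_is_private() {
    [ -f "$1" ] || return 2
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined check over a config file ($1) and its key file ($2): returns 0
# when no deprecated protocol is enabled and the key is private, else 1.
lint_tls_conf() {
    rc=0
    bad=$(deprecated_protocols "$1")
    if [ -n "$bad" ]; then
        echo "deprecated ssl_protocols enabled: $bad (use: ssl_protocols TLSv1.2;)"
        rc=1
    fi
    key_is_private "$2" || { echo "key $2 is missing or not owner-only"; rc=1; }
    return $rc
}
```

Run it against each file in /etc/nginx/sites-enabled before reloading; the `ssl_protocols` finding is exactly what the block above would trigger.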
Once everything has been set up, we can start the nginx server:
Check status
[root@dokuwiki conf.d]# service nginx status
nginx (pid 2551) is running...
[root@dokuwiki conf.d]#
Automatic certificates
We can configure automatic certificate renewal using 3-month certificates with an ACME client:
Install ACME
-- Curl
curl https://get.acme.sh | sh
OR
-- Wget
wget -O - https://get.acme.sh | sh
OR
-- Git
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install
Then we can issue the certificate as follows:
Automatic Certificate
v5x8sroe2bb3@n3plcpnl0011 [~/.acme.sh]$ ./acme.sh --issue -d jdbwiki.com -w /home/v5x8sroe2bb3/public_html
Using CA: https://acme-v02.api.letsencrypt.org/directory
Single domain='jdbwiki.com'
Getting domain auth token for each domain
Getting webroot for domain='jdbwiki.com'
Verifying: jdbwiki.com
Success
Verify finished, start to sign.
Lets finalize the order.
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/103638882/6417907782'
Downloading cert.
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04a3aaa6dd9b6d788fabed9e3e7fc7529685'
Cert success.
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
Your cert is in /home/v5x8sroe2bb3/.acme.sh/jdbwiki.com/jdbwiki.com.cer
Your cert key is in /home/v5x8sroe2bb3/.acme.sh/jdbwiki.com/jdbwiki.com.key
The intermediate CA cert is in /home/v5x8sroe2bb3/.acme.sh/jdbwiki.com/ca.cer
And the full chain certs is there: /home/v5x8sroe2bb3/.acme.sh/jdbwiki.com/fullchain.cer
v5x8sroe2bb3@n3plcpnl0011 [~/.acme.sh]$
You can change the output location with a parameter; refer to the help options:
ACME help options
v5x8sroe2bb3@n3plcpnl0011 [~/.acme.sh]$ ./acme.sh --help
https://github.com/acmesh-official/acme.sh
v2.8.8
Usage: acme.sh <command> ... [parameters ...]
Commands:
  -h, --help               Show this help message.
  -v, --version            Show version info.
  --install                Install acme.sh to your system.
  --uninstall              Uninstall acme.sh, and uninstall the cron job.
  --upgrade                Upgrade acme.sh to the latest code from https://github.com/acmesh-official/acme.sh.
  --issue                  Issue a cert.
  --deploy                 Deploy the cert to your server.
  -i, --install-cert       Install the issued cert to apache/nginx or any other server.
  -r, --renew              Renew a cert.
  --renew-all              Renew all the certs.
  --revoke                 Revoke a cert.
  --remove                 Remove the cert from list of certs known to acme.sh.
  --list                   List all the certs.
  --to-pkcs12              Export the certificate and key to a pfx file.
  --to-pkcs8               Convert to pkcs8 format.
  --sign-csr               Issue a cert from an existing csr.
  --show-csr               Show the content of a csr.
  -ccr, --create-csr       Create CSR, professional use.
  --create-domain-key      Create an domain private key, professional use.
  --update-account         Update account info.
  --register-account       Register account key.
  --deactivate-account     Deactivate the account.
  --create-account-key     Create an account private key, professional use.
  --install-cronjob        Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  --uninstall-cronjob      Uninstall the cron job. The 'uninstall' command can do this automatically.
  --cron                   Run cron job to renew all the certs.
  --set-notify             Set the cron notification hook, level or mode.
  --deactivate             Deactivate the domain authz, professional use.
  --set-default-ca         Used with '--server', Set the default CA to use.
************************************************************************************