<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>Nginx</title>
</head>
<body>
<a href="index.html">Tools Index</a>
<h1>1. Nginx</h1>
<h2 id="install">1.1. Install Nginx</h2>
<pre>
$ prt-get depinst nginx
</pre>
<p>Restrict privileges on /srv/www with mount options in /etc/fstab;</p>
<pre>
UUID=xxxxx-xxx-xxx-xxx-xxxxxxxx /srv/www ext4 defaults,nosuid,noexec,nodev,noatime 1 2
</pre>
<p>Remove the nginx user and group, since the system already defines a www user and group;</p>
<pre>
# userdel nginx
# groupdel nginx
</pre>
<p>Change the home directory of the www user;</p>
<pre>
# usermod -m -d /srv/www www
</pre>
<p>Create configuration directories for better organization;</p>
<pre>
$ sudo mkdir /etc/nginx/conf.d
$ sudo mkdir /etc/nginx/sites-enabled
$ sudo mkdir /etc/nginx/sites
</pre>
<h2 id="logs">1.2. Logs</h2>
<pre>
$ sudo grep "login" /var/log/nginx/access.log
$ sudo grep "etc/passwd" /var/log/nginx/access.log
$ sudo grep -Ei "denied|error|warn" /var/log/nginx/error.log
</pre>
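<p>The greps above match anywhere in the line, including the referer and
user-agent fields. As an added example (not part of the original manual), the
function below matches only the request line of the combined log format,
normalizes percent-encoded slashes and dots first, and counts hits per client
address and status; the function names are hypothetical and the log lines are
constructed samples using documentation addresses.</p>

```shell
#!/bin/sh
# hits_by_client PATTERN [FILE...]: count requests per client and status whose
# request line matches PATTERN (extended regex, case-insensitive).
# Reads standard input when no FILE is given.
hits_by_client() {
    pattern=$1; shift
    awk -F'"' -v pat="$pattern" '
        {
            req = tolower($2)          # field 2 is the request line
            gsub(/%2f/, "/", req)      # normalize encoded slashes
            gsub(/%2e/, ".", req)      # normalize encoded dots
        }
        req ~ tolower(pat) {
            split($1, pre, " ");  ip = pre[1]
            split($3, post, " "); status = post[1]
            n[ip " " status]++
        }
        END { for (k in n) print n[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample lines in nginx "combined" format (not real traffic).
sample_log() {
    printf '%s\n' \
        '192.0.2.10 - - [10/Oct/2016:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"' \
        '198.51.100.7 - - [10/Oct/2016:13:55:40 +0000] "GET /../../etc/passwd HTTP/1.1" 400 173 "-" "curl/7.50"' \
        '198.51.100.7 - - [10/Oct/2016:13:55:41 +0000] "GET /static/..%2f..%2fetc%2fpasswd HTTP/1.1" 404 169 "-" "curl/7.50"' \
        '203.0.113.5 - - [10/Oct/2016:13:56:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"' \
        '203.0.113.5 - - [10/Oct/2016:13:56:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"' \
        '192.0.2.10 - - [10/Oct/2016:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://c13.nark.biz.tm/login" "Mozilla/5.0"'
}

# Each output line is: count, client address, status.
sample_log | hits_by_client 'etc/passwd'
sample_log | hits_by_client 'login'
```

<p>Against the real log, run it as: sudo sh -c '. ./hits.sh; hits_by_client
"etc/passwd" /var/log/nginx/access.log', where hits.sh is an assumed file name
for the block above.</p>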
<h2 id="userdir">1.3. User Directory</h2>
<p><a href="http://wiki.nginx.org/UserDir">Nginx Wiki UserDir</a></p>
<pre>
location ~ ^/~(.+?)(/.*)?$ {
    alias /home/$1/public_html$2;
    index index.html index.htm;
    autoindex on;
}
</pre>
<p>Files should have mode 644 or 664 and
directories 755 or 775;</p>
<pre>
$ sudo find . -type f -print0 | sudo xargs -0 chmod 644
$ sudo find . -type d -print0 | sudo xargs -0 chmod 755
</pre>
<h2 id="certs">1.4. Certificates</h2>
<p>Certificates allow a more secure connection. Let's create a
self-signed certificate;</p>
<pre>
$ sudo mkdir /etc/nginx/ssl
$ cd /etc/nginx/ssl
</pre>
<p>Create the private key;</p>
<pre>
$ sudo openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048
Password:
Generating RSA private key, 2048 bit long modulus
..............................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for /etc/ssl/keys/nginx.key:
Verifying - Enter pass phrase for /etc/ssl/keys/nginx.key:
</pre>
<p>Create the certificate signing request. For "Common Name"
provide the domain name or IP address; leave the challenge password
and optional company name blank;</p>
<pre>
$ sudo openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr
Enter pass phrase for /etc/ssl/keys/nginx.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PT
State or Province Name (full name) [Some-State]:Porto
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:c13.nark.biz.tm
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
</pre>
<p>Sign the SSL certificate;</p>
<pre>
$ sudo openssl x509 -req -days 365 -in /etc/ssl/certs/nginx.csr -signkey /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.crt
Signature ok
subject=/C=PT/ST=Porto/O=Internet Widgits Pty Ltd/CN=c13.nark.biz.tm
Getting Private key
Enter pass phrase for /etc/ssl/keys/nginx.key:
$
</pre>
<h3>Remove Password</h3>
<p>Having a password on the key is a good idea, but nginx then asks for it
every time it is restarted. To remove it;</p>
<pre>
$ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.org
$ sudo openssl rsa -in /etc/ssl/keys/nginx.key.org -out /etc/ssl/keys/nginx.key
Enter pass phrase for /etc/ssl/keys/nginx.key.org:
writing RSA key
$
</pre>
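<p>Once the passphrase is removed, file permissions are what protects
/etc/ssl/keys/nginx.key. The added example below (not part of the original
manual) classifies a PEM key as encrypted or plain from its header and reports
whether group or other have any permission bits on it; the function names are
hypothetical and the demo files are constructed, header-only stand-ins.</p>

```shell
#!/bin/sh
# key_status FILE: print "encrypted" or "plain" (from the PEM header) followed
# by "owner-only" or "group-or-other" (from the file mode).
key_status() {
    f=$1
    # Traditional encrypted keys carry a Proc-Type line; PKCS#8 ones say so
    # in the BEGIN line.
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$f"; then
        enc=encrypted
    else
        enc=plain
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]; then
        acc=owner-only
    else
        acc=group-or-other
    fi
    echo "$enc $acc"
}

# Constructed stand-ins for the two files above: PEM headers only, no key data.
make_demo_keys() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        > "$1/nginx.key.org"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$1/nginx.key"
    chmod 644 "$1/nginx.key.org" "$1/nginx.key"
}

demo=$(mktemp -d)
make_demo_keys "$demo"
key_status "$demo/nginx.key.org"
key_status "$demo/nginx.key"
chmod 600 "$demo/nginx.key"      # restrict the plain key to its owner
key_status "$demo/nginx.key"
rm -r "$demo"
```

<p>Run key_status as root against /etc/ssl/keys/nginx.key and
/etc/ssl/keys/nginx.key.org after the step above; a plain key should report
owner-only.</p>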
<h2 id="nginxconf">1.5. Nginx Configuration</h2>
<p><a href="http://wiki.nginx.org/Pitfalls">READ NGINX PITFALLS</a>;
for more information about optimization see
<a href="https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration">digitalocean</a>.</p>
<p>The number of worker_processes must be equal to or less than
the number of available CPU cores;</p>
<pre>
$ nproc
2
</pre>
<p>The number of worker_connections must be equal to or less than
the limit on open file descriptors, which you can get with;</p>
<pre>
$ ulimit -n
1024
</pre>
<p>Example of an http block with SSL configured;</p>
<pre>
#
# /etc/nginx/nginx.conf
#
user www;
worker_processes 2;
error_log /var/log/nginx/error.log info;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 620;
    keepalive_timeout 65;
    client_body_timeout 12;
    client_header_timeout 12;
    # send_timeout 620;
    send_timeout 65;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    # ssl on;
    ssl_certificate /etc/ssl/certs/nginx.crt;
    ssl_certificate_key /etc/ssl/keys/nginx.key;

    ##
    # Logging Settings
    ##
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log combined;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}
# End of file
</pre>
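<p>A check for the rules in this section, as an added example that is not part
of the original manual: it compares worker_processes and worker_connections
with the core count and open-file limit, and flags protocol versions in
ssl_protocols that are deprecated (SSLv2, SSLv3, and TLSv1 and TLSv1.1 per
RFC 8996). The function names are hypothetical and the sample is constructed
from the directives shown above.</p>

```shell
#!/bin/sh
# audit_nginx_conf FILE [CORES] [NOFILE]
# CORES and NOFILE default to `nproc` and `ulimit -n` of the current shell.
# Expects one directive per line, as in the nginx.conf above; FILE may be "-".
audit_nginx_conf() {
    conf=$1
    cores=${2:-$(nproc)}
    nofile=${3:-$(ulimit -n)}
    awk -v cores="$cores" -v nofile="$nofile" '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "worker_processes" {
            v = $2; sub(/;$/, "", v)
            if (v != "auto" && v + 0 > cores + 0)
                print "worker_processes " v " exceeds " cores " CPU cores"
        }
        $1 == "worker_connections" {
            v = $2; sub(/;$/, "", v)
            if (nofile != "unlimited" && v + 0 > nofile + 0)
                print "worker_connections " v " exceeds open-file limit " nofile
        }
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    print "ssl_protocols enables deprecated " p
            }
        }
    ' "$conf"
}

# Constructed sample that repeats the relevant directives from the file above.
sample_conf() {
    printf '%s\n' \
        'worker_processes 2;' \
        'events {' \
        '    worker_connections 1024;' \
        '}' \
        'http {' \
        '    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE' \
        '}'
}

# Audit the sample for a host with 2 cores and a 1024 open-file limit.
sample_conf | audit_nginx_conf - 2 1024
```

<p>The default NOFILE is the limit of the shell running the audit, which can
differ from the limit the nginx master process starts with; pass the value
explicitly when they differ.</p>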
<h2 id="server">1.6. Laravel Server</h2>
<p>Check the <a href="../conf/etc/nginx/">configuration directory</a>
for more examples. Install PHP and Composer, which are required
by Laravel;</p>
<h3>1.6.1. Setup PHP</h3>
<pre>
$ prt-get depinst php php-fpm php-gd php-pdo-pgsql composer
</pre>
<p>Set up php.ini in development mode;</p>
<pre>
$ sudo cp /etc/php/php.ini-development /etc/php/php.ini
$ php --ini
Configuration File (php.ini) Path: /etc/php
Loaded Configuration File: /etc/php/php.ini
Scan for additional .ini files in: /etc/php/conf.d
Additional .ini files parsed: /etc/php/conf.d/extensions.ini,
/etc/php/conf.d/pdo_pgsql.ini
$
</pre>
<h3>1.6.2. Setup Virtual Host</h3>
<p>Server (virtual host) with Laravel,
/etc/nginx/sites/<a href="../conf/etc/nginx/sites/laravel.conf">laravel.conf</a>;</p>
<pre>
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    root /srv/www/atom/public;
    server_name c13.nark.biz.tm;
    index index.html index.htm index.php;
    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    access_log off;
    error_log /var/log/nginx/c13-nark-biz-tm-error.log error;
    sendfile off;
    client_max_body_size 100m;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors off;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }

    location ~ /\.ht {
        deny all;
    }
}
</pre>
<p>This is part of the c9-doc Manual.
Copyright (C) 2016
Silvino Silva.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>