$ prt-get depinst nginx
Allow minimal privileges via mount options, view /etc/fstab;
UID=xxxxx-xxx-xxx-xxx-xxxxxxxx /srv/www ext4 defaults,nosuid,noexec,nodev,noatime 1 2
Add user nginx to www group;
# usermod -a -G www nginx
Change default home directory of nginx user;
# usermod -m -d /srv/www nginx
Create configuration directory's for better organization;
$ sudo mkdir /etc/nginx/conf.d $ sudo mkdir /etc/nginx/sites-enable $ sudo mkdir /etc/nginx/sites
Certificates allow a more secure connection. Lets create self-signed certificate;
Create private key;
$ sudo openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048 Password: Generating RSA private key, 2048 bit long modulus ..............................+++ ............+++ e is 65537 (0x10001) Enter pass phrase for /etc/ssl/keys/nginx.key: Verifying - Enter pass phrase for /etc/ssl/keys/nginx.key:
Create ceritificate signing request. For "Common Name" provide domain name or ip address, leave challange password and optional company name blank;
$ sudo openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr Enter pass phrase for /etc/ssl/keys/nginx.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:PT State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:core.privat-network.net Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: $
Having password is a good idea, but requires it every time nginx is restarted. To remove;
$ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
Enter pass phrase for /etc/ssl/keys/nginx.key.pass: writing RSA key
$ sudo chown nginx /etc/ssl/keys/nginx.key* $ sudo chmod 0600 /etc/ssl/keys/nginx.key* # chmod 644 /etc/ssl/certs/exim.cert
Sign SSL cetificate;
$ sudo openssl x509 -req -days 365 \ -in /etc/ssl/certs/nginx.csr \ -signkey /etc/ssl/keys/nginx.key \ -out /etc/ssl/certs/nginx.crtSignature ok subject=/C=PT/ST=Some-State/O=Internet Widgits Pty Ltd/CN=core.privat-network.net Getting Private key Enter pass phrase for /etc/ssl/keys/nginx.key:
$ sudo chown nginx:nginx /etc/ssl/keys/nginx.key* $ sudo chmod 0600 /etc/ssl/keys/nginx.key* $ sudo chmod 644 /etc/ssl/certs/nginx.cert
Read nginx pitfalls, for more information about optimization digitalocean,
Number of worker_processes must be equal or less than the number of available cpu cores. This is set to auto.
$ nproc 2
Number of worker_connections must be equal or less than the number file-size writing limit, you can get it by;
$ nlimit -n 1024
Example of http block with ssl configured;
# # /etc/nginx/nginx.conf - nginx server configuration # user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; ## # SSL Settings ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; # ssl on; ssl_certificate /etc/ssl/certs/nginx.crt; ssl_certificate_key /etc/ssl/keys/nginx.key; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; sendfile on; #tcp_nopush on; keepalive_timeout 65; client_body_timeout 12; client_header_timeout 12; send_timeout 65; gzip on; gzip_vary on; #gzip_proxied any; gzip_comp_level 9; # gzip_buffers 16 8k; # gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ## # Virtual Host Configs ## server { listen 80 default_server; server_name _; return 301 https://$host$request_uri; } include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*.conf; } # End of file
Check /etc/nginx/sites for more examples.
To debug configurations check logs and;
Install php and setup php.ini as development mode;
$ sudo prt-get depinst php php-fpm php-gd php-pdo-pgsql php-postgresql
Setup php ini in development mode;
$ sudo cp /etc/php/php.ini-development /etc/php/php.ini
$ php --ini Configuration File (php.ini) Path: /etc/php Loaded Configuration File: /etc/php/php.ini Scan for additional .ini files in: /etc/php/conf.d Additional .ini files parsed: /etc/php/conf.d/extensions.ini, /etc/php/conf.d/pdo_pgsql.ini
Server (virtual host) with Laravel, /etc/nginx/sites/laravel.conf;
server { listen 443 ssl; listen [::]:443 ssl; root /srv/www/atom/public; server_name core.privat-network.net; index index.html index.htm index.php; charset utf-8; location / { try_files $uri $uri/ /index.php$is_args$args; } location = /favicon.ico { access_log off; log_not_found off; } location = /robots.txt { access_log off; log_not_found off; } access_log off; error_log /var/log/nginx/core.privat-network.net-error.log error; sendfile off; client_max_body_size 100m; location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_intercept_errors off; fastcgi_buffer_size 16k; fastcgi_buffers 4 16k; } location ~ /\.ht { deny all; } }
location ~ ^/~(.+?)(/.*)?$ { alias /home/$1/public_html$2; index index.html index.htm; autoindex on; }
Directories should have 644 or 664 and files chmod 755 or 775;
$ sudo find . -type f -print0 | xargs -0 chmod 644 $ sudo find . -type d -print0 | xargs -0 chmod 755
$ sudo grep "login" /var/log/nginx/access.log $ sudo grep "etc/passwd" /var/log/nginx/access.log $ sudo egrep -i "denied|error|warn" /var/log/nginx/error.logTools Index
This is part of the c9-doc Manual. Copyright (C) 2016 c9 team. See the file Gnu Free Documentation License for copying conditions.