Nginx Configuration

Summary

This is a fully developed Nginx configuration ready for deployment in production environments. It is pre-configured to be scalable, efficient, secure, and reliable.

Author's Notes

@carlbennett wanted an Nginx configuration that was both secure and modular enough that it could be put on any server, with minor tuning to just a few settings to make it work anywhere. And thus, this configuration was created.

It is based on the Fedora 29 x86_64 Nginx packages and is maintained at carlbennett/nginx-conf. It is compatible with most Nginx installations, and works well on CentOS 7 when using nginx.org's repos instead of the default centos repos.

Recommended Nginx version: 1.13.0 or newer.

Features

• Global caching
  • If included, tunes nginx to have browsers cache static resources.
• Global Gzip compression
  • If included, common types of static resources will be compressed by nginx.
• Global URL filtering
  • If included, nginx will disconnect common types of attacks based on the URL, instead of responding with an error page or content which could alert the bad actor about your server, which would send an invite to come back later.
  • Can be extended upon very easily to block even more types of URLs.
• PHP support
  • If included, you can and should define php error reporting and short tags in your server block.
  • You can pass other php options via the PHP_VALUE parameter too.

Installation

These steps have been tested on Fedora 29 x86_64, and may require minor changes to work on non-RHEL systems.

The following commands assume you are logged in as root or are sudoing as root before every command.

Install nginx

⚠️ If you are using CentOS, substitute dnf with yum in the command below.

dnf install nginx

Setup the user and group

If you wish to replace apache:

userdel -r apache
usermod -u 48 nginx
groupmod -g 48 nginx

Add permission group for web content:

groupadd -r www-data
usermod -aG www-data nginx
usermod -aG www-data `whoami`

Clone this repository

cd ~
git clone git@github.com:carlbennett/nginx-conf.git && cd ./nginx-conf

Copy files to system

cp -r ./etc/nginx/ /etc/nginx
mkdir -p /var/www && cp -r ./var/www/* /var/www

File and directory permissions

chown -R root:root /etc/nginx
chown -R nginx:www-data /var/www
find /var/www -type f -print0 | sudo xargs -0 chmod 664
find /var/www -type d -print0 | sudo xargs -0 chmod 775

SELinux booleans

If using nginx on a RHEL-like system with a backend like php-fpm, the following booleans become useful to enable network connectivity as the nginx/php-fpm user.

setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_network_memcache 1

SELinux file context

If using nginx on a RHEL-like system with an alternate webroot, the following configures proper SELinux fcontext, which is necessary if not using /var/www.

dnf install policycoreutils-python-utils # provides semanage
semanage fcontext -a -t httpd_sys_content_t '/opt/other-www(/.*)?'
restorecon -r /opt/other-www

If there are directories which a backend needs write access to, be sure to use the fcontext httpd_rw_sys_content_t instead for such directories. The fcontext httpd_sys_content_t (as printed earlier) is for read-only content.

In addition, there is also httpd_sys_script_exec_t for CGI/executable files, but this fcontext is less common and is already set for /var/www/cgi-bin.

The following command lists all file contexts currently configured: semanage fcontext -l | grep httpd

Configure nginx

You should now configure everything under /etc/nginx to your liking.

Run nginx

systemctl enable nginx
systemctl start nginx