Difference between revisions of "Nginx"
Unnilennium (talk | contribs) (new contrib) |
(4 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
+ | {{Languages}} | ||
+ | <!-- here we define the contrib name variable --> | ||
+ | <!-- we get the page title, remove suffix for translated version; if needed you can define there with the value you want--> | ||
+ | {{#vardefine:contribname| {{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }} | ||
+ | {{#vardefine:smecontribname| smeserver-{{lc: {{#titleparts: {{BASEPAGENAME}} |1}} }} }} | ||
+ | <!-- we define the language --> | ||
+ | {{#vardefine:lang| {{lc: {{#titleparts: {{PAGENAME}} | | -1}} }} |en }} | ||
+ | {{Infobox contribs | ||
+ | |name={{#var:contribname}} | ||
+ | |image=Nginx.png | ||
+ | |description_image= {{#var:contribname}} logo | ||
+ | |maintainer= Unnilennium | ||
+ | |licence= BSD-2-Clause | ||
+ | |url= https://www.nginx.com | ||
+ | |category= http server | ||
+ | |tags=http server, proxy, reverse proxy | ||
+ | }} | ||
+ | |||
+ | ===Maintainer=== | ||
+ | <!-- here you need to file your username and name --> | ||
+ | [[User:Unnilennium|Jean-Philippe Pialasse]] | ||
+ | |||
+ | === Version === | ||
+ | <!-- keep this first element as is, you can add some if needed --> | ||
+ | {{#smeversion: {{#var:smecontribname}} }} | ||
+ | |||
+ | === Description === | ||
+ | Nginx, stylized as NGIИX, is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and publicly released in 2004. Nginx is free and open-source software, released under the terms of the 2-clause BSD license. | ||
+ | The Koozali SME Server implementation is meant to be run behind the original httpd apache server using reverse proxy for your needs. It might be possible to reverse the order, but was not designed this way originally. | ||
+ | |||
+ | === Installation === | ||
+ | <tabs container><tab name="For SME 10"> | ||
+ | yum --enablerepo=smecontribs install {{#var:smecontribname}} | ||
+ | </tab> | ||
+ | </tabs> | ||
+ | |||
+ | === Configuration === | ||
+ | you can list the available configuration with the following command : | ||
+ | config show {{#var:contribname}} | ||
+ | |||
+ | Some of the properties are not shown, but are defaulted in a template or a script. Here a more comprehensive list with default and expected values : | ||
+ | {| class="wikitable" | ||
+ | !property | ||
+ | !default | ||
+ | !values | ||
+ | ! | ||
+ | |- | ||
+ | |access | ||
+ | |local | ||
+ | |local,private, public | ||
+ | | | ||
+ | |- | ||
+ | |status | ||
+ | |enabled | ||
+ | |enabled,disabled | ||
+ | |} | ||
+ | |||
+ | ===Internal Configuration === | ||
+ | Default templating makes nginx use the content of /etc/nginx/conf.d/*.conf to define server content. You can put your appropriate config files tgere | ||
+ | |||
+ | === Uninstall === | ||
+ | yum remove {{#var:smecontribname}} {{#var:contribname}} | ||
+ | |||
+ | |||
+ | === Bugs === | ||
+ | Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title= bugzilla}} | ||
+ | and select the {{#var:smecontribname}} component or use {{BugzillaFileBug|product=SME%20Contribs|component={{#var:smecontribname}}|title=this link}} | ||
+ | |||
+ | Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{#var:smecontribname}} |noresultsmessage=No open bugs found.}} | ||
+ | |||
+ | ===Changelog=== | ||
+ | Only released version in smecontrib are listed here. | ||
+ | |||
+ | {{ #smechangelog: {{#var:smecontribname}} }} | ||
+ | |||
+ | |||
+ | |||
+ | ===Previous manual instruction left there === | ||
{{Warning box| Work in progress. Do NOT try this on a production server}} | {{Warning box| Work in progress. Do NOT try this on a production server}} | ||
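Review bot: The property table under Configuration documents only access and status, yet the manual section kept further down sets TCPPort and TCPPorts on the same nginx key. Add rows for those properties with their defaults, or state that the contrib does not read them. The table's fourth header cell is empty and can be dropped, and "tgere" in the Internal Configuration sentence should read "there".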
Line 9: | Line 87: | ||
In this example we will use port 4483 | In this example we will use port 4483 | ||
− | ==Install== | + | =====Install===== |
yum --enablerepo=epel install nginx | yum --enablerepo=epel install nginx | ||
− | ==Configure== | + | =====Configure===== |
− | link in rc7.d | + | Create a link in rc7.d This enables nginx to start on boot. |
− | + | ln -s /etc/rc.d/init.d/nginx /etc/rc.d/rc7.d/S87nginx | |
Create /var/log/nginx and set permissions if required | Create /var/log/nginx and set permissions if required | ||
Line 24: | Line 102: | ||
mkdir -p /var/log/nginx | mkdir -p /var/log/nginx | ||
+ | {{Warning box| The following may NOT be best practice and may need another approach, but works for testing}} | ||
− | ===Configs=== | + | Adding this MAY open your server up to compromise. You have been warned. |
+ | |||
+ | Add user to group so nginx can access files/directories | ||
+ | |||
+ | usermod -a -G shared nginx | ||
+ | |||
+ | ======Configs====== | ||
{{Note box|rename existing configs to config_con_ or move them completely to avoid issues}} | {{Note box|rename existing configs to config_con_ or move them completely to avoid issues}} | ||
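Review bot: The sentence "Adding this MAY open your server up to compromise" sits outside the Warning box and before the step it refers to, and neither it nor the `usermod -a -G shared nginx` line says what membership of group shared lets the nginx account read or write. Move the sentence inside the box, place it directly with the usermod step, and name the directories nginx actually needs so that readers can grant access to those alone.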
Line 42: | Line 127: | ||
Check the port. You can use dehydrated/letsencrypt certificates | Check the port. You can use dehydrated/letsencrypt certificates | ||
− | ===Ports=== | + | ======Ports====== |
Open a port on your firewall | Open a port on your firewall | ||
Line 50: | Line 135: | ||
signal-event remoteaccess-update | signal-event remoteaccess-update | ||
− | == | + | Now engine if correctly configured in the conf files will listen on 4483 |
+ | |||
+ | Alternatively we can set apache to private so it only listens to local/internal connectins ,and nginx to external ones. | ||
+ | |||
+ | config setprop httpd-e-smith access private | ||
+ | |||
+ | config setprop nginx TCPPort 443 | ||
+ | |||
+ | signal-event remoteaccess-update | ||
+ | |||
+ | Or if you want port 80 as well | ||
+ | |||
+ | config setprop nginx TCPPorts 80,443 | ||
+ | |||
+ | signal-event remoteaccess-update | ||
+ | |||
+ | |||
+ | ======Sample configurations====== | ||
+ | |||
+ | These are JUST samples. You will need to work out your own. | ||
+ | |||
+ | |||
+ | default.conf | ||
+ | |||
+ | server { | ||
+ | # Listen on 80 | ||
+ | listen your.external.ip.address:80; | ||
+ | # Disable IPv6 | ||
+ | # listen [::]:80; | ||
+ | server_name domain.com host.domain.com; | ||
+ | # Passthru letsencrypt | ||
+ | location '/.well-known/acme-challenge' { | ||
+ | default_type "text/plain"; | ||
+ | #root /tmp/letsencrypt-auto; | ||
+ | root /home/e-smith/files/ibays/Primary/html; | ||
+ | } | ||
+ | |||
+ | # Upgrade everything else to https | ||
+ | location / { | ||
+ | return 301 https://$server_name$request_uri; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | |||
+ | |||
+ | This is my rocket chat reverse proxy with websockets as an example: | ||
+ | |||
+ | # Upstreams | ||
+ | upstream backend { | ||
+ | server 127.0.0.1:3000; | ||
+ | } | ||
+ | |||
+ | # HTTPS Server | ||
+ | server { | ||
+ | listen your.external.ip.address:443; | ||
+ | server_name domain.com host.domain.com; | ||
+ | |||
+ | # You can increase the limit if your need to. | ||
+ | client_max_body_size 200M; | ||
+ | |||
+ | error_log /var/log/nginx/rocketchat.access.log; | ||
+ | |||
+ | ssl on; | ||
+ | #ssl_certificate /etc/nginx/certificate.crt; | ||
+ | #ssl_certificate_key /etc/nginx/certificate.key; | ||
+ | ssl_certificate /etc/dehydrated/certs/reetspetit.info/fullchain.pem; | ||
+ | ssl_certificate_key /etc/dehydrated/certs/reetspetit.info/privkey.pem; | ||
+ | |||
+ | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE | ||
+ | |||
+ | location / { | ||
+ | proxy_pass http://backend/; | ||
+ | proxy_http_version 1.1; | ||
+ | proxy_set_header Upgrade $http_upgrade; | ||
+ | proxy_set_header Connection "upgrade"; | ||
+ | proxy_set_header Host $http_host; | ||
+ | |||
+ | proxy_set_header X-Real-IP $remote_addr; | ||
+ | proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; | ||
+ | proxy_set_header X-Forward-Proto http; | ||
+ | proxy_set_header X-Nginx-Proxy true; | ||
+ | |||
+ | proxy_redirect off; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | |||
+ | <!-- list of category you want to see this page in --> | ||
+ | [[Category: Contrib]] | ||
− | + | <!-- Please keep there the template revision number as is --> | |
+ | [[contribtemplate::2| ]] | ||
+ | [[contriblang:: {{#var:lang}} | ]] |
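Review bot: In the Rocket.Chat sample, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` still enables TLS 1.0 and 1.1 although its comment only rules out SSLv3; restrict the list to TLSv1.2 and newer. In the same server block the forwarding headers are spelled X-Forward-For and X-Forward-Proto, and the proto is set to http on the 443 listener: the conventional names are X-Forwarded-For and X-Forwarded-Proto, and the value here should be https. `ssl on;` is deprecated in favour of `listen ... ssl`. In the prose, "Now engine" should read "Now nginx", "connectins" is a typo, and the two alternatives use TCPPort and TCPPorts inconsistently.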
Latest revision as of 22:08, 23 June 2022
Maintainer | Unnilennium |
---|---|
Url | https://www.nginx.com |
Licence | BSD-2-Clause |
Category | |
Tags | http server, proxy, reverse proxy |
Maintainer
Version
Description
Nginx, stylized as NGIИX, is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and publicly released in 2004. Nginx is free and open-source software, released under the terms of the 2-clause BSD license. The Koozali SME Server implementation is meant to run behind the original Apache httpd server, using a reverse proxy for your needs. It might be possible to reverse the order, but the contrib was not originally designed that way.
Installation
yum --enablerepo=smecontribs install smeserver-nginx
Configuration
You can list the available configuration with the following command:
config show nginx
Some of the properties are not shown, but are defaulted in a template or a script. Here is a more comprehensive list with default and expected values:
property | default | values | |
---|---|---|---|
access | local | local, private, public | |
status | enabled | enabled,disabled |
Internal Configuration
Default templating makes nginx use the content of /etc/nginx/conf.d/*.conf to define server content. You can put your appropriate config files there.
Uninstall
yum remove smeserver-nginx nginx
Bugs
Please raise bugs under the SME-Contribs section in bugzilla
and select the smeserver-nginx component or use this link
Below is an overview of the current issues for this contrib:
Changelog
Only versions released in smecontribs are listed here.
- remove nginx restart from post-upgrade [SME: 12397]
- fix fragment order
- Initial import to Koozali SME 10
- First release
Previous manual instructions left here
It is possible to install nginx on SME. However, careful consideration must be given to the existing apache installation.
This is how to install on a specific port to avoid apache.
In this example we will use port 4483
Install
yum --enablerepo=epel install nginx
Configure
Create a link in rc7.d. This enables nginx to start on boot.
ln -s /etc/rc.d/init.d/nginx /etc/rc.d/rc7.d/S87nginx
Create /var/log/nginx and set permissions if required
mkdir -p /var/log/nginx
Adding this MAY open your server up to compromise. You have been warned.
Add the nginx user to the shared group so nginx can access files/directories
usermod -a -G shared nginx
Configs
e.g.
cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.con_
Now add your own configuration
e.g.
/etc/nginx/conf.d/myconf.conf
Check the port. You can use dehydrated/letsencrypt certificates
Ports
Open a port on your firewall
config set nginx service TCPPort 4483 status enabled access public
signal-event remoteaccess-update
Now nginx, if correctly configured in the conf files, will listen on 4483.
Alternatively, we can set apache to private so it only listens to local/internal connections, and nginx to external ones.
config setprop httpd-e-smith access private
config setprop nginx TCPPort 443
signal-event remoteaccess-update
Or if you want port 80 as well
config setprop nginx TCPPorts 80,443
signal-event remoteaccess-update
Sample configurations
These are JUST samples. You will need to work out your own.
default.conf
    server {
        # Listen on 80
        listen your.external.ip.address:80;
        # Disable IPv6
        # listen [::]:80;
        server_name domain.com host.domain.com;
        # Passthru letsencrypt
        location '/.well-known/acme-challenge' {
            default_type "text/plain";
            #root /tmp/letsencrypt-auto;
            root /home/e-smith/files/ibays/Primary/html;
        }

        # Upgrade everything else to https
        location / {
            return 301 https://$server_name$request_uri;
        }
    }
This is my rocket chat reverse proxy with websockets as an example:
    # Upstreams
    upstream backend {
        server 127.0.0.1:3000;
    }

    # HTTPS Server
    server {
        # "ssl" on the listen directive replaces the deprecated "ssl on;"
        listen your.external.ip.address:443 ssl;
        server_name domain.com host.domain.com;

        # You can increase the limit if you need to.
        client_max_body_size 200M;

        error_log /var/log/nginx/rocketchat.access.log;

        #ssl_certificate /etc/nginx/certificate.crt;
        #ssl_certificate_key /etc/nginx/certificate.key;
        ssl_certificate /etc/dehydrated/certs/reetspetit.info/fullchain.pem;
        ssl_certificate_key /etc/dehydrated/certs/reetspetit.info/privkey.pem;

        # don't use SSLv3 (ref: POODLE); TLSv1 and TLSv1.1 are deprecated (RFC 8996)
        ssl_protocols TLSv1.2;

        location / {
            proxy_pass http://backend/;
            proxy_http_version 1.1;
            # WebSocket upgrade headers
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;

            proxy_set_header X-Real-IP $remote_addr;
            # Conventional names are X-Forwarded-*; TLS ends here, so the scheme is https
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Nginx-Proxy true;

            proxy_redirect off;
        }
    }
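A small lint for files dropped into /etc/nginx/conf.d/, flagging settings that tend to ride along in copied TLS reverse-proxy samples: `ssl on;`, TLS 1.0/1.1 or SSLv2/3 in `ssl_protocols`, forwarding headers spelled `X-Forward-*`, and a proto header of `http` in a file that terminates TLS. This is an added example, not part of the wiki page or the Koozali contrib; the function names and finding labels are made up here, and the sample config is constructed.

```sh
#!/bin/sh
# Added example (not from the wiki page). Finding labels are assumptions.

# lint_nginx_conf FILE: print "FILE:LINE: finding" per problem; status 1 if any.
lint_nginx_conf() {
    awk '
    function report(code) { printf "%s:%d: %s\n", FILENAME, FNR, code; n++ }
    { line = $0; sub(/#.*/, "", line) }   # naive comment strip, ignores quoting
    # Remember whether this file terminates TLS at all.
    line ~ /ssl_certificate[ \t]/ || line ~ /listen[^;]*[ \t]ssl[ \t;]/ { tls = 1 }
    line ~ /^[ \t]*ssl[ \t]+on[ \t]*;/ { tls = 1; report("deprecated-ssl-on") }
    line ~ /ssl_protocols[ \t]/ && line ~ /(SSLv[23]|TLSv1|TLSv1\.1)[ \t;]/ {
        report("weak-tls-protocol")
    }
    line ~ /proxy_set_header[ \t]+X-Forward-(For|Proto)[ \t]/ {
        report("misspelled-forwarded-header")
    }
    line ~ /proxy_set_header[ \t]+X-Forward(ed)?-Proto[ \t]+http[ \t]*;/ { proto = FNR }
    END {
        # Telling the backend "http" only matters when clients arrive over TLS.
        if (tls && proto) {
            printf "%s:%d: proto-http-behind-tls\n", FILENAME, proto; n++
        }
        exit (n > 0)
    }' "$1"
}

# Constructed sample input (192.0.2.10 and example.test are placeholders).
write_sample() {
    cat > "$1" <<'EOF'
server {
    listen 192.0.2.10:443;
    ssl on;
    ssl_certificate /etc/dehydrated/certs/example.test/fullchain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # no SSLv3
    location / {
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
    }
}
EOF
}

# Lint any files named on the command line.
for conf in "$@"; do lint_nginx_conf "$conf" || true; done
```

Run it as `sh lint.sh /etc/nginx/conf.d/*.conf` before `signal-event remoteaccess-update` opens the port; `nginx -t` still has to pass separately, since the lint does not parse the configuration.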