Nginx

From SME Server
Revision as of 00:45, 12 December 2018 by ReetP (talk | contribs)
Warning:
Work in progress. Do NOT try this on a production server.


It is possible to install nginx on SME. However, careful consideration must be given to the existing apache installation.


Warning:
Before starting nginx you MUST decide what port to run it on and configure it accordingly.


This is how to install on a specific port to avoid apache.

In this example we will use port 4483

Install

yum --enablerepo=epel install nginx


Configure

Create a link in rc7.d. This enables nginx to start on boot.

ln -s /etc/rc.d/init.d/nginx /etc/rc.d/rc7.d/S87nginx

Create /var/log/nginx and set permissions if required

mkdir -p /var/log/nginx


  Warning:
The following may NOT be best practice and may need another approach, but works for testing


Adding this MAY open your server up to compromise. You have been warned.

Add user to group so nginx can access files/directories

usermod -a -G shared nginx

Configs

  Note:
Rename existing configs so they no longer end in .conf (e.g. to .con_), or move them away completely, to avoid issues.


e.g.

mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.con_


Now add your own configuration

e.g.

/etc/nginx/conf.d/myconf.conf

Check the port in your configuration. You can use dehydrated/letsencrypt certificates.

Ports

Open a port on your firewall

config set nginx service TCPPort 4483 status enabled access public
signal-event remoteaccess-update

Now nginx, if correctly configured in the conf files, will listen on 4483.

Alternatively we can set apache to private so it only listens to local/internal connections, and nginx to external ones.

config setprop httpd-e-smith access private
config setprop nginx TCPPort 443
signal-event remoteaccess-update

Or if you want port 80 as well

config setprop nginx TCPPorts 80,443
signal-event remoteaccess-update


Sample configurations

These are JUST samples. You will need to work out your own.


default.conf

 server {
     # Listen on 80
     listen              your.external.ip.address:80;
     # Disable IPv6
     # listen            [::]:80;
     server_name         domain.com host.domain.com;
 
     # Passthru letsencrypt
     location '/.well-known/acme-challenge' {
         default_type "text/plain";
         #root        /tmp/letsencrypt-auto;
         root        /home/e-smith/files/ibays/Primary/html;
     }
 
     # Upgrade everything else to https
     location / {
         return              301 https://$server_name$request_uri;
     }
 }


This is my rocket chat reverse proxy with websockets as an example:

 # Upstreams
 upstream backend {
     server 127.0.0.1:3000;
 }
 
 # HTTPS Server
 server {
     # "ssl" on the listen directive replaces the deprecated "ssl on;"
     listen your.external.ip.address:443 ssl;
     server_name domain.com host.domain.com;
 
     # You can increase the limit if you need to.
     client_max_body_size 200M;
 
     error_log /var/log/nginx/rocketchat.access.log;
 
     #ssl_certificate /etc/nginx/certificate.crt;
     #ssl_certificate_key /etc/nginx/certificate.key;
     ssl_certificate /etc/dehydrated/certs/reetspetit.info/fullchain.pem;
     ssl_certificate_key /etc/dehydrated/certs/reetspetit.info/privkey.pem;
 
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
 
     location / {
         proxy_pass http://backend/;
         # HTTP/1.1 plus the Upgrade/Connection headers are needed for websockets
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
         proxy_set_header Host $http_host;
 
         # Pass the real client address and scheme to the backend
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme; # https on this server block
         proxy_set_header X-Nginx-Proxy true;
 
         proxy_redirect off;
     }
 }
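
A pre-start check for the port decision described above, as an added example that is not part of the original wiki page: it reports every `listen` port in an nginx conf directory that Apache already holds and, going slightly beyond the port check, flags `ssl_protocols` entries older than TLSv1.2 (TLS 1.0 and 1.1 were deprecated by RFC 8996). The function names, the sample file and the 192.0.2.10 address are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the wiki page: audit nginx conf files before starting nginx.
# Usage: nginx_preflight CONF_DIR "PORTS_HELD_BY_APACHE"
# Output, one finding per line:
#   CONFLICT <file> <port>      a listen port that Apache already holds
#   LEGACY_TLS <file> <proto>   an ssl_protocols entry older than TLSv1.2
nginx_preflight() {
    dir=$1
    held_ports=$2
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue   # empty dir; disabled *.con_ files never match
        sed -e 's/#.*//' "$f" | awk -v f="$f" -v held_ports="$held_ports" '
            BEGIN { n = split(held_ports, h, " "); for (i = 1; i <= n; i++) held[h[i]] = 1 }
            $1 == "listen" {
                a = $2; sub(/;$/, "", a)
                if (a ~ /^unix:/) next              # UNIX socket, no TCP port
                k = split(a, part, ":")             # addr:port, [::]:port or bare port
                port = part[k]
                if (port !~ /^[0-9]+$/) port = "80" # address only: nginx defaults to 80
                if (port in held) print "CONFLICT", f, port
            }
            $1 == "ssl_protocols" {
                for (i = 2; i <= NF; i++) {
                    p = $i; sub(/;$/, "", p)
                    if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print "LEGACY_TLS", f, p
                }
            }'
    done
}

# Constructed sample input modelled on the samples on this page (192.0.2.10 is a placeholder).
write_sample_conf() {
    cat > "$1/myconf.conf" <<'EOF'
server {
    listen 192.0.2.10:443;
    # listen [::]:80;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 4483;
}
EOF
}

# Demo: Apache still public on 80 and 443, so the 443 listener is reported.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir"
nginx_preflight "$demo_dir" "80 443"
rm -rf "$demo_dir"
```

On the server, run `nginx_preflight /etc/nginx/conf.d "80 443"`, listing whichever ports Apache still holds.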

Start

/etc/rc.d/init.d/nginx start
/etc/rc.d/init.d/nginx stop
/etc/rc.d/init.d/nginx restart