Nginx is a complex and robust piece of software. This guide only covers how to set it up as a web server (layer 7) and as a load balancer (layer 4); it is based on CentOS Stream 8, and performance tuning is not covered.
What’s nginx?
Nginx is a widely used web server; it can also act as a reverse proxy, load balancer, mail proxy and HTTP cache. For a fuller introduction, see here.
Nginx installation on CentOS Stream 8/9
To install the version from the default module stream, run
yum install -y nginx
The default stream installs nginx 1.14. This guide uses a newer release for the layer-4 (stream) setup later on, so enable a newer stream first. On CentOS Stream 8 the following streams are available:
# dnf module list nginx
Last metadata expiration check: 1:49:01 ago on Sun 08 Jan 2023 01:07:29 PM CST.
CentOS Stream 8 - AppStream
Name      Stream    Profiles      Summary
nginx     1.14 [d]  common [d]    nginx webserver
nginx     1.16      common [d]    nginx webserver
nginx     1.18      common [d]    nginx webserver
nginx     1.20      common [d]    nginx webserver

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
To install a newer version, first reset the nginx module with dnf,
# dnf module reset nginx
Last metadata expiration check: 1:50:50 ago on Sun 08 Jan 2023 01:07:29 PM CST.
Dependencies resolved.
Nothing to do.
Complete!
then enable the 1.20 stream,
# dnf module enable nginx:1.20
Last metadata expiration check: 1:51:44 ago on Sun 08 Jan 2023 01:07:29 PM CST.
Dependencies resolved.
=====================================================================================
Package Architecture Version Repository Size
=====================================================================================
Enabling module streams:
nginx 1.20
Transaction Summary
=====================================================================================
Is this ok [y/N]: y
Complete!
Once the stream is enabled, install nginx; the package now resolves to the 1.20 release:
# yum install nginx
Last metadata expiration check: 1:53:39 ago on Sun 08 Jan 2023 01:07:29 PM CST.
Dependencies resolved.
=====================================================================================
Package Arch Version Repo Size
=====================================================================================
Installing:
nginx x86_64 1:1.20.1-1.module_el8.6.0+1081+cd387e03 appstream 593 k
Installing dependencies:
centos-logos-httpd noarch 85.8-2.el8 appstream 75 k
nginx-filesystem noarch 1:1.20.1-1.module_el8.6.0+1081+cd387e03 appstream 26 k
Transaction Summary
=====================================================================================
Install 3 Packages
Total download size: 693 k
Installed size: 1.9 M
Is this ok [y/N]:y
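Before moving on to configuration it is worth checking what actually got installed. The script below is an added check, not part of the original guide. It assumes the CentOS package layout (the stream module built as a dynamic module in the nginx-mod-stream package, with its .so under /usr/lib64/nginx/modules and loaded through the include /usr/share/nginx/modules/*.conf line in nginx.conf) and that nginx -v and nginx -V print in their usual format; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: checks to run after
# `yum install nginx`, before writing any configuration. The layer-4 part of
# this guide needs the stream module; CentOS builds it as a dynamic module
# (assumed: package nginx-mod-stream, .so under /usr/lib64/nginx/modules,
# loaded by `include /usr/share/nginx/modules/*.conf;` in nginx.conf), so its
# presence is checked explicitly instead of being inferred from the version.
set -u

# version_ge A B: true when dotted version A is at least B (1.20.1 >= 1.20)
version_ge() {
  local -a a b
  local i x y
  IFS=. read -r -a a <<< "$1"
  IFS=. read -r -a b <<< "$2"
  for ((i = 0; i < ${#b[@]}; i++)); do
    x=${a[i]:-0}; y=${b[i]:-0}
    (( x > y )) && return 0
    (( x < y )) && return 1
  done
  return 0
}

# nginx_version_from "nginx version: nginx/1.20.1" -> 1.20.1
nginx_version_from() {
  sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p' <<< "$1"
}

# has_stream_module "<output of nginx -V>": true if the build has stream
# support, either static (--with-stream) or dynamic (--with-stream=dynamic)
has_stream_module() {
  grep -q -- '--with-stream' <<< "$1"
}

if command -v nginx >/dev/null 2>&1; then
  build_info="$(nginx -V 2>&1)"
  v="$(nginx_version_from "$(nginx -v 2>&1)")"
  if version_ge "$v" 1.20; then echo "nginx $v: ok"; else echo "nginx $v: older than 1.20"; fi
  if has_stream_module "$build_info"; then
    echo "stream support: present in this build"
    if grep -q -- '--with-stream=dynamic' <<< "$build_info" &&
       [ ! -f /usr/lib64/nginx/modules/ngx_stream_module.so ]; then
      echo "dynamic stream module not installed: yum install nginx-mod-stream"
    fi
  else
    echo "no stream support in this build; the layer-4 section will not work"
  fi
  nginx -t   # read-only syntax check of the configuration currently on disk
  # Then, as root, start the service and open the firewall:
  #   systemctl enable --now nginx
  #   firewall-cmd --permanent --add-service=http --add-service=https && firewall-cmd --reload
else
  echo "nginx is not installed"
fi
```

Run it as root once after the install and again after each package upgrade; a module stream change can swap the build and silently drop a dynamic module you relied on.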
Configure as a web server
To configure nginx as a web server we use certbot to obtain certificates (see here for how to install certbot on CentOS) and set it up for several domains. First, add a server block in /etc/nginx/conf.d/mydomain.conf; nginx.conf already includes every *.conf file in /etc/nginx/conf.d, so nothing else needs to be wired up:
# vi /etc/nginx/conf.d/mydomain.conf
server {
    listen 80;
    server_name mydomain.com;
    root /usr/share/nginx/html/mydomain;
    index index.html;
}
Then use certbot to obtain a certificate from Let's Encrypt and deploy it into this server block automatically. Before running the command, confirm that public DNS resolves mydomain.com to this server's IP, and that port 80 is reachable from the internet: Let's Encrypt validates ownership by connecting to the domain over HTTP.
# certbot -d mydomain.com --nginx
Afterwards the configuration file for mydomain looks like the one below: certbot has moved the site to port 443 and turned the port-80 block into a redirect. It also installs a systemd timer that renews the certificate before it expires. Repeat the same steps with each additional domain name for a multi-site install.
server {
    server_name mydomain.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    root /usr/share/nginx/html/mydomain;
    index index.html;
}
server {
    if ($host = www.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name mydomain.com;
    return 404; # managed by Certbot
}
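For a multi-site host the pre-certbot HTTP block is the same for every domain, so it is worth generating it rather than copying by hand. The bash script below is an added example, not part of the original guide; gen_vhost_conf and valid_domain are its own names, the conf.d and html paths are the ones the guide uses, and the demo run writes into a scratch directory so it can be executed anywhere. The hostname check matters because a domain name that reaches this script from a ticket, a form or an environment variable is untrusted input: a value such as "evil.com; return 301 http://x/" would otherwise become nginx directives.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: write the pre-certbot HTTP
# server block for each site of a multi-site host, with the domain name
# validated before it is interpolated into nginx configuration.
set -eu

# valid_domain NAME: accept only a plausible DNS hostname (lowercase labels,
# digits and hyphens, at least one dot); anything else is rejected so that
# no nginx directive can be injected through the domain argument.
valid_domain() {
  local re='^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
  [[ "$1" =~ $re ]]
}

# gen_vhost_conf CONF_DIR DOCROOT_BASE DOMAIN: write CONF_DIR/DOMAIN.conf,
# create DOCROOT_BASE/DOMAIN, and print the path of the file written.
gen_vhost_conf() {
  local conf_dir="$1" docroot_base="$2" domain="${3,,}"
  valid_domain "$domain" || { echo "refusing invalid domain: $3" >&2; return 1; }
  local conf="$conf_dir/$domain.conf"
  mkdir -p "$conf_dir" "$docroot_base/$domain"
  cat > "$conf" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain;
    root $docroot_base/$domain;
    index index.html;
}
EOF
  echo "$conf"
}

# Demo run against a scratch directory (paths assumed for this example).
demo_dir="$(mktemp -d)"
for d in mydomain.com anotherdomain.com; do
  gen_vhost_conf "$demo_dir/conf.d" "$demo_dir/html" "$d"
done
cat "$demo_dir/conf.d/mydomain.com.conf"

# On the real host, with the CentOS paths from this guide, the sequence is:
#   for d in mydomain.com anotherdomain.com; do
#     gen_vhost_conf /etc/nginx/conf.d /usr/share/nginx/html "$d"
#   done
#   nginx -t && systemctl reload nginx
#   certbot --nginx -d mydomain.com -d anotherdomain.com
#   certbot renew --dry-run      # prove the renewal timer will succeed
```

Run nginx -t before every reload: a syntax error in one generated file takes every site on the host down together.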
Configure as a reverse proxy
To configure nginx as a reverse proxy, add a configuration file like the following. The backend only ever sees connections coming from nginx, so forward the original Host header and the client address along with each request. The backend should trust these headers only when they arrive from this proxy: a client can set X-Forwarded-For itself, and nginx's $proxy_add_x_forwarded_for appends to whatever the client sent rather than replacing it.
server {
    listen 80;
    server_name mydomain.com;
    location / {
        proxy_pass http://1.2.3.4:80;
        proxy_set_header Host $host;                                  # original Host, so the backend picks the right vhost
        proxy_set_header X-Real-IP $remote_addr;                      # the client's address rather than nginx's
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # client appended to any existing chain
        proxy_set_header X-Forwarded-Proto $scheme;                   # http or https, as spoken to nginx
    }
}
On CentOS with SELinux in enforcing mode, nginx is not permitted to open outbound network connections by default, so proxying fails with a permission denied error in /var/log/nginx/error.log until the httpd_can_network_connect boolean is switched on.
Configure as a load balancer
To use nginx as a TCP/UDP load balancer that dispatches connections arriving on port 443 by hostname, we use the stream module. A TLS client sends the hostname it wants in clear text in the SNI extension of its ClientHello; ssl_preread reads that field without terminating TLS, so the connection is forwarded still encrypted and each backend keeps its own certificate and private key. Create a stream.conf file and include it from nginx.conf. The include line must sit outside the http block, because stream is a top-level context of its own:
include /etc/nginx/tcpconf.d/*.conf;
Then create the tcpconf.d directory and add stream.conf with the configuration below:
# mkdir /etc/nginx/tcpconf.d
# vi /etc/nginx/tcpconf.d/stream.conf
stream {
    # hostnames: an entry with a leading dot matches the domain itself and
    # every subdomain; matching is case-insensitive
    map $ssl_preread_server_name $domain {
        hostnames;
        mydomain.com mydomain;
        .anotherdomain.com anotherdomain;
        default localhost;
    }
    upstream mydomain {
        server 1.2.3.4:443;
    }
    upstream anotherdomain {
        server 1.2.3.5:443;
    }
    server {
        ssl_preread on;       # parse the ClientHello, do not terminate TLS
        listen 443;
        listen [::]:443;
        proxy_pass $domain;   # upstream group chosen by the map above
    }
    # plain port forwarding for another service
    server {
        listen 3389;
        proxy_pass 1.2.3.6:3389;
    }
}
Two things to keep in mind. Connections that carry no SNI (a client connecting by IP address, or an internet scanner) and unknown names fall through to the default entry, so make the default a deliberate upstream rather than whatever happens to answer on localhost. The port-3389 block exposes RDP on 1.2.3.6 to anyone who can reach this host; if it has to stay, restrict the source addresses with allow and deny from the stream access module, because nothing at this layer authenticates the client.
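What ssl_preread and the hostnames map actually do, as an added example that is not part of the original guide: the bash script below pulls the SNI host_name out of a hex-encoded TLS ClientHello and then applies the same matching rules as the map above (exact name, leading-dot suffix covering the domain and its subdomains, default otherwise). The ClientHello bytes are constructed for this example rather than captured, and sni_from_hex, route_sni and the route table are this example's own names mirroring the stream.conf above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: what `ssl_preread` plus
# `map $ssl_preread_server_name` do, done by hand on a TLS ClientHello.
# The ClientHello below is constructed for this example (TLS 1.2 record,
# one cipher suite, an ec_point_formats extension, then server_name).
set -u

# hex_to_ascii 7777772e -> www.
hex_to_ascii() {
  local x="$1" i
  for ((i = 0; i < ${#x}; i += 2)); do printf "\\x${x:i:2}"; done
  echo
}

# sni_from_hex HEX: print the SNI host_name from a hex-encoded TLS record
# carrying a ClientHello; prints an empty line if the ClientHello has no SNI.
# Returns 1 if the bytes are not a handshake record holding a ClientHello.
sni_from_hex() {
  local h="$1" p
  [ "${h:0:2}" = "16" ] || return 1         # record type 22 = handshake
  p=10                                       # skip type(1) version(2) length(2)
  [ "${h:p:2}" = "01" ] || return 1          # handshake type 1 = ClientHello
  p=$((p + 8))                               # skip type(1) length(3)
  p=$((p + 4 + 64))                          # client_version(2) + random(32)
  local sid_len=$((16#${h:p:2})); p=$((p + 2 + sid_len * 2))   # session_id
  local cs_len=$((16#${h:p:4}));  p=$((p + 4 + cs_len * 2))    # cipher_suites
  local cm_len=$((16#${h:p:2}));  p=$((p + 2 + cm_len * 2))    # compression_methods
  [ "$p" -lt "${#h}" ] || { echo; return 0; }                  # no extensions at all
  local ext_total=$((16#${h:p:4})); p=$((p + 4))
  local end=$((p + ext_total * 2))
  while [ "$p" -lt "$end" ]; do
    local etype=$((16#${h:p:4})) elen=$((16#${h:p+4:4}))
    p=$((p + 8))
    if [ "$etype" -eq 0 ]; then              # extension type 0 = server_name
      # server_name_list length(2), name_type(1)=0 host_name, name length(2), name
      local nlen=$((16#${h:p+6:4}))
      hex_to_ascii "${h:p+10:nlen*2}"
      return 0
    fi
    p=$((p + elen * 2))                      # skip any other extension
  done
  echo                                       # extensions present, but no SNI
}

# route_sni NAME: the same rules as the map block in stream.conf. Matching is
# case-insensitive like nginx's map, and the leading-dot entry covers the
# domain itself and every subdomain; anything else goes to the map's default.
route_sni() {
  case "${1,,}" in
    mydomain.com)                           echo mydomain ;;
    anotherdomain.com|*.anotherdomain.com)  echo anotherdomain ;;
    *)                                      echo localhost ;;
  esac
}

# Constructed ClientHello for "www.anotherdomain.com" (not a real capture).
SAMPLE_HELLO="1603010053"     # record: handshake, TLS 1.0 legacy version, 83 bytes
SAMPLE_HELLO+="0100004f"      # handshake: ClientHello, 79 bytes
SAMPLE_HELLO+="0303"          # client_version TLS 1.2
SAMPLE_HELLO+="0000000000000000000000000000000000000000000000000000000000000000"  # random
SAMPLE_HELLO+="00"            # session_id length 0
SAMPLE_HELLO+="00021301"      # cipher_suites: one entry, TLS_AES_128_GCM_SHA256
SAMPLE_HELLO+="0100"          # compression_methods: null only
SAMPLE_HELLO+="0024"          # extensions length 36
SAMPLE_HELLO+="000b00020100"  # ec_point_formats, skipped by the loop
SAMPLE_HELLO+="0000001a0018000015"                            # server_name header
SAMPLE_HELLO+="7777772e616e6f74686572646f6d61696e2e636f6d"    # "www.anotherdomain.com"

name="$(sni_from_hex "$SAMPLE_HELLO")"
echo "SNI: $name -> upstream: $(route_sni "$name")"
echo "no SNI or unknown name -> upstream: $(route_sni '')"
```

The script reads exactly the bytes nginx reads, and nothing more: the name is attacker-chosen plain text that arrives before any authentication, so it is safe to route on but never to trust for anything else, and a client that omits SNI lands on the default entry.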
Others
Enable gzip for text assets such as CSS and JavaScript by adding the following to the server block (the gzip directives are also valid in the http and location contexts). PNG, JPEG and WebP are already compressed formats, so listing them in gzip_types costs CPU for no gain. Compression also leaks information about a response through its size: a page that mixes a secret (session token, CSRF token) with text an attacker can influence becomes exposed to BREACH-style attacks, so keep gzip to static assets and set gzip off in locations that serve such dynamic pages. Note that text/html is always compressed when gzip is on, whatever gzip_types says.
gzip on;
gzip_proxied any;                 # compress proxied responses too
gzip_min_length 1k;               # tiny responses gain nothing from compression
gzip_vary on;                     # add Vary: Accept-Encoding so caches keep both forms
gzip_http_version 1.1;
gzip_types application/javascript application/json text/css text/xml text/plain font/woff2 image/svg+xml image/png image/jpeg image/webp;
gzip_comp_level 4;                # moderate level; higher levels cost CPU for little extra saving
gzip_buffers 4 16k;
gzip_disable "MSIE [1-6]\.";      # old Internet Explorer mishandles gzip