Nginx setup and configuration guide

Nginx is a complex and robust piece of software. In this guide we only care about how to set it up for layer 7 and layer 4 use: it introduces the configuration for a web server (layer 7) and a load balancer (layer 4), and is based on CentOS Stream 8. Performance tuning is not covered here.

What’s nginx?

Nginx is a widely used web server. It can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. For more introduction of it, visit here.

Nginx installation on centos stream 8/9

For the default CentOS installation, run

yum install -y nginx

The default version installed is 1.14. For layer 4 to work, a higher version should be installed. For CentOS Stream 8, the following versions are available:

# dnf module list nginx
Last metadata expiration check: 1:49:01 ago on Sun 08 Jan 2023 01:07:29 PM CST.
CentOS Stream 8 - AppStream
Name             Stream              Profiles              Summary                   
nginx            1.14 [d]            common [d]            nginx webserver           
nginx            1.16                common [d]            nginx webserver           
nginx            1.18                common [d]            nginx webserver           
nginx            1.20                common [d]            nginx webserver           

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

To install a higher version, enable the 1.20 version stream with the dnf command. Reset the module first,

# dnf module reset nginx
Last metadata expiration check: 1:50:50 ago on Sun 08 Jan 2023 01:07:29 PM CST.
Dependencies resolved.
Nothing to do.
Complete!

and then enable the 1.20 stream with dnf module enable,

# dnf module enable nginx:1.20
Last metadata expiration check: 1:51:44 ago on Sun 08 Jan 2023 01:07:29 PM CST.
Dependencies resolved.
=====================================================================================
 Package            Architecture      Version               Repository          Size
=====================================================================================
Enabling module streams:
 nginx                                1.20                                          

Transaction Summary
=====================================================================================

Is this ok [y/N]: y
Complete!

After the stream is enabled, run yum install -y nginx to install the desired version.

# yum install  nginx
Last metadata expiration check: 1:53:39 ago on Sun 08 Jan 2023 01:07:29 PM CST.
Dependencies resolved.
=====================================================================================
 Package            Arch   Version                                   Repo       Size
=====================================================================================
Installing:
 nginx              x86_64 1:1.20.1-1.module_el8.6.0+1081+cd387e03   appstream 593 k
Installing dependencies:
 centos-logos-httpd noarch 85.8-2.el8                                appstream  75 k
 nginx-filesystem   noarch 1:1.20.1-1.module_el8.6.0+1081+cd387e03   appstream  26 k

Transaction Summary
=====================================================================================
Install  3 Packages

Total download size: 693 k
Installed size: 1.9 M
Is this ok [y/N]:y

Configure for webserver

To configure it as a web server, we use certbot for certificate allocation (read here for how to install certbot on CentOS). We configure it for multiple domains. First, add a server block configuration file at /etc/nginx/conf.d/mydomain.conf,

# vi /etc/nginx/conf.d/mydomain.conf
server {
    listen 80;
    server_name mydomain.com;
    root /usr/share/nginx/html/mydomain;
    index index.html;
}

Then we use certbot to obtain a certificate from Let's Encrypt and deploy it automatically. Before running this command, confirm that your DNS server has the right entry resolving mydomain.com to your web server's IP.

# certbot -d mydomain.com --nginx

After that, the configuration file for mydomain looks like below. Change mydomain to your own or other domains for a multi-site installation.

server {
    server_name mydomain.com;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    root /usr/share/nginx/html/mydomain;
    index index.html;
}
server {
    if ($host = www.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name mydomain.com;
    return 404; # managed by Certbot
}

Configure for reverse proxy

To configure it as a proxy, add the following configuration file:

server {
    listen       80;
    server_name  mydomain.com;

    location / {
        proxy_pass http://1.2.3.4:80;
        proxy_set_header host $host;
    }
}

Configure for load balancer

To configure it as a TCP/UDP load balancer that dispatches traffic arriving on port 443 according to the requested hostname, we use the nginx stream module. Create a stream.conf file and include it from nginx.conf, placing the include outside of the http block,

include  /etc/nginx/tcpconf.d/*.conf;

Create the tcpconf.d directory and add a stream.conf file. The configuration looks like below,

# mkdir /etc/nginx/tcpconf.d
# vi /etc/nginx/tcpconf.d/stream.conf

stream {
    map $ssl_preread_server_name $domain {
        hostnames;
        mydomain.com mydomain;
        .anotherdomain.com   anotherdomain;
        default  localhost;
    }
    upstream mydomain {
        server 1.2.3.4:443;
    }
    upstream anotherdomain {
        server 1.2.3.5:443;
    }
    server {
        ssl_preread on;
        listen 443;
        listen [::]:443;
        proxy_pass $domain;
    }

    # load balancer for other ports
    server {
        listen 3389;
        proxy_pass 1.2.3.6:3389;
    }
}
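
How ssl_preread and the hostnames map above pick an upstream, as an added Python model (not part of the original guide and not nginx's own code): it reads the SNI name from a ClientHello without decrypting anything and applies exact, leading-dot and default matching. The function names and the sample ClientHello are constructed for this example; the routing table copies the guide's placeholder names.

```python
import struct

# Constructed table mirroring the guide's map block (placeholder names from the guide).
ROUTES = {"mydomain.com": "mydomain", ".anotherdomain.com": "anotherdomain"}
DEFAULT = "localhost"

def build_client_hello(sni):
    """Build a minimal ClientHello with one server_name entry (constructed sample input)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"                    # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # TLS record header

def preread_sni(data):
    """Return the lowercased SNI name from a ClientHello, or "" if absent or not TLS."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return ""
    try:
        pos = 9 + 2 + 32                                         # headers, version, random
        pos += 1 + data[pos]                                     # skip session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]        # skip cipher_suites
        pos += 1 + data[pos]                                     # skip compression_methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            if ext_type == 0:                                    # server_name extension
                name_len = struct.unpack_from("!H", data, pos + 7)[0]
                name = data[pos + 9:pos + 9 + name_len]
                return name.decode("ascii").lower() if len(name) == name_len else ""
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                     # truncated or malformed input
    return ""

def route(sni):
    """Model of the map with `hostnames`: exact name, then leading-dot entry, else default."""
    if sni in ROUTES:
        return ROUTES[sni]
    for key, upstream in ROUTES.items():
        if key.startswith(".") and (sni == key[1:] or sni.endswith(key)):
            return upstream
    return DEFAULT
```

With this table, www.mydomain.com falls through to default because mydomain.com is an exact entry, while .anotherdomain.com covers both the bare domain and its subdomains. Connections that carry no SNI name, or that are not TLS at all, also land on default.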

Others

To enable gzip compression for images, CSS and JavaScript, add the following configuration in the server block:

    gzip on;
    gzip_proxied any;
    gzip_min_length  1k;
    gzip_vary on;
    gzip_http_version 1.1;
    gzip_types application/javascript application/json text/css text/xml text/plain font/woff2 image/svg+xml image/png image/jpeg image/webp;
    gzip_comp_level 4;
    gzip_buffers     4 16k;
    gzip_disable "MSIE [1-6]\.";
