
How to install Nginx web server on CentOS 7 Linux
In today's tutorial, we show how to install the Nginx web server on CentOS 7 Linux.
As stated on the official Nginx website, Nginx accelerates content and application delivery, improves security, facilitates availability and scalability for the busiest web sites on the Internet.
Here is our environment:
OS: CentOS 7 on VMware
Firewall: firewalld
SELinux: enforcing
IP Address: 192.168.3.128
1- Install prerequisites
Nginx is available in the EPEL repository, so first we must enable EPEL:
# yum install epel-release
2- Install Nginx
Now we install nginx by running the following command:
# yum install nginx
This will install nginx and its dependencies.
3- Configure Nginx
The main Nginx configuration file is “/etc/nginx/nginx.conf”.
For example, if you want to change the listening port, find the “server” block and change the “listen” parameter.
Here we have decided to enable TLS on Nginx.
First we create a directory for the private key, the certificate and the Diffie-Hellman (DH) parameters:
# mkdir /etc/pki/nginx/
# chmod 700 /etc/pki/nginx/
Then generate a self-signed certificate:
# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/nginx/private.key -out /etc/pki/nginx/certificate.crt
The command prompts for the certificate fields, for example:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@your_domain.com
Then generate the DH parameters:
# openssl dhparam -out /etc/pki/nginx/dhparam.pem 2048
Now create a config file for SSL and put the following content in it:
# vim /etc/nginx/conf.d/ssl.conf
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name server_IP_address;

    ssl_certificate /etc/pki/nginx/certificate.crt;
    ssl_certificate_key /etc/pki/nginx/private.key;
    ssl_dhparam /etc/pki/nginx/dhparam.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is enabled
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling needs a CA-issued certificate; with the self-signed
    # certificate generated above nginx logs a warning and ignores it
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    root /usr/share/nginx/html;

    location / {
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
Note: Remember to replace server_IP_address with your own.
(Optional) You can redirect HTTP traffic to HTTPS. First create a file:
# vim /etc/nginx/default.d/ssl-redirect.conf
and put this line in it ($request_uri already begins with "/", so nothing is appended after it):
return 301 https://$host$request_uri;
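Before starting the service, a quick check of the TLS config file can catch common mistakes. The script below is an added example, not part of the original tutorial: it flags protocol versions older than TLSv1.2 in ssl_protocols, a TLS listener with no active Strict-Transport-Security header, and a redirect that appends "/" after $request_uri. The function name audit_nginx_tls and the sample config are made up for illustration.

```bash
#!/usr/bin/env bash
# audit_nginx_tls FILE
# Prints one finding per line; exit status is 0 when nothing is flagged, 1 otherwise.
# The body runs in a subshell "( ... )" so its variables stay local.
audit_nginx_tls() (
    found=0
    # Drop comments so commented-out directives do not count as active.
    # Simplification: a '#' inside a quoted value would also be cut.
    active=$(sed 's/#.*//' "$1")

    # 1. Protocol versions below TLSv1.2 (TLSv1 and TLSv1.1 are deprecated by RFC 8996).
    protos=$(printf '%s\n' "$active" |
        awk '$1 == "ssl_protocols" { sub(/;.*/, ""); $1 = ""; print }')
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "deprecated protocol enabled: $p"; found=1 ;;
        esac
    done

    # 2. A TLS listener with no active Strict-Transport-Security header.
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*listen[[:space:]].*ssl' &&
       ! printf '%s\n' "$active" | grep -q 'Strict-Transport-Security'; then
        echo "TLS listener without Strict-Transport-Security header"; found=1
    fi

    # 3. A redirect that appends "/" after $request_uri (/a.html becomes /a.html/).
    if printf '%s\n' "$active" |
       grep -Eq 'return[[:space:]]+30[1278][[:space:]].*\$request_uri/'; then
        echo 'redirect appends "/" after $request_uri'; found=1
    fi

    [ "$found" -eq 0 ]
)

# Constructed sample input, written to a temporary file for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 http2 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #add_header Strict-Transport-Security "max-age=63072000";
    return 301 https://$host$request_uri/;
}
EOF
audit_nginx_tls "$sample" || echo "=> findings above need review"
rm -f "$sample"
```

Run it against /etc/nginx/conf.d/ssl.conf and /etc/nginx/default.d/ssl-redirect.conf, then use "nginx -t" to confirm the syntax is valid.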
4- Configure firewall
Now we must open ports 80 and 443 in the firewall:
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=https
# firewall-cmd --reload
5- Start service
Finally, start the nginx service and enable it at boot:
# systemctl start nginx
# systemctl enable nginx
Then open your favorite browser and go to: https://server_IP_address
