How to install Nginx web server on CentOS 7 Linux
In today's tutorial, we show how to install the Nginx web server on CentOS 7 Linux.
As stated on the official Nginx website, Nginx accelerates content and application delivery, improves security, and facilitates availability and scalability for the busiest web sites on the Internet.
Here is our environment:
OS: CentOS 7 on VMware
Firewall: firewalld
SELinux: enforcing
IP Address: 192.168.3.128
1- Install prerequisites
Nginx is available in the EPEL repository, so first we must enable the EPEL repo:
# yum install epel-release
2- Install Nginx
Now we install Nginx by running the following command:
# yum install nginx
This will install Nginx and its dependencies.
3- Configure Nginx
The main Nginx configuration file is located at “/etc/nginx/nginx.conf”.
For example, if you want to change the listening port, find the “server” block and change the “listen” parameter.
Here we have decided to enable TLS on Nginx.
First we create a directory for the private key, certificate and Diffie-Hellman (DH) key:
# mkdir /etc/pki/nginx/
# chmod 700 /etc/pki/nginx/
Then generate a self-signed certificate:
# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/nginx/private.key -out /etc/pki/nginx/certificate.crt
openssl prompts for the certificate fields, for example:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@your_domain.com
Then generate the DH key:
# openssl dhparam -out /etc/pki/nginx/dhparam.pem 2048
Now create a config file for SSL and put the following content in it:
# vim /etc/nginx/conf.d/ssl.conf
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name server_IP_address;

    ssl_certificate /etc/pki/nginx/certificate.crt;
    ssl_certificate_key /etc/pki/nginx/private.key;
    ssl_dhparam /etc/pki/nginx/dhparam.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is enabled
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # nginx ignores stapling (with a warning) for the self-signed certificate
    # generated above; it takes effect once a CA-issued certificate is installed
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    root /usr/share/nginx/html;

    location / {
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
Note: Remember to replace server_IP_address with your own.
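A quick lint for an ssl.conf like the one above, as an added example that is not part of the original tutorial. The function name audit_tls_conf and the sample config are constructed for illustration. It flags deprecated protocol versions, an HSTS header that exists only as a comment, and DHE ciphers listed without ssl_dhparam:

```shell
#!/bin/sh
# Added example (not from the original tutorial): lint an nginx TLS config.
# Prints one line per finding; returns 1 if anything was found, else 0.
audit_tls_conf() {
    # Drop comments first so a commented-out directive never counts as active
    # (assumes no literal '#' inside quoted values).
    active=$(sed 's/#.*//' "$1")
    rc=0

    # 1. Deprecated protocols. Compare whole tokens so TLSv1.2 never matches TLSv1.
    for p in $(printf '%s\n' "$active" |
               awk '$1 == "ssl_protocols" { gsub(/;/, ""); for (i = 2; i <= NF; i++) print $i }'); do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "WEAK: ssl_protocols enables $p"; rc=1 ;;
        esac
    done

    # 2. HSTS must be an active add_header, not the commented-out variant.
    if ! printf '%s\n' "$active" |
         grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security'; then
        echo "MISSING: Strict-Transport-Security header"; rc=1
    fi

    # 3. DHE suites need ssl_dhparam. Split the cipher string into tokens so
    #    ECDHE/EECDH are not mistaken for DHE/EDH.
    if printf '%s\n' "$active" | awk '$1 == "ssl_ciphers"' | tr ':+";' '\n\n\n\n' |
       grep -Eq '^(k?EDH|k?DHE|DHE-.*)$' &&
       ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]'; then
        echo "MISSING: ssl_dhparam (DHE ciphers listed but no DH parameters file)"; rc=1
    fi
    return $rc
}

# Constructed sample input: old protocols on, HSTS only present as a comment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 http2 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM";
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
}
EOF
audit_tls_conf "$sample" || echo "=> fix the findings above before reloading nginx"
rm -f "$sample"
```

Run it against /etc/nginx/conf.d/ssl.conf after editing, alongside "nginx -t", which only checks syntax and not the strength of the settings.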
(Optional) You can redirect HTTP traffic to HTTPS. First create a file:
# vim /etc/nginx/default.d/ssl-redirect.conf
and put this line in it:
return 301 https://$host$request_uri;
4- Configure firewall
Now we must open ports 80 and 443 on our firewall:
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=https
# firewall-cmd --reload
5- Start service
Finally, start the nginx service and enable it at boot:
# systemctl start nginx
# systemctl enable nginx
Then open your favorite browser and point it to: https://server_IP_address