Nginx
Updated 14 April 2021
Installing and setting up Nginx
First install Nginx:
emerge -a www-servers/nginx
Nginx configuration
Все настройки как самого Nginx прописываются в файле /etc/nginx/nginx.conf. Параметры для сайтов хранятся в каталоге /etc/nginx/sites-enabled.
При установке пакета www-servers/nginx, самоподписной сертификат создаётся автоматически сроком на 10 лет. Для перегенерации его выполните:
openssl req -x509 -subj "/CN=_" -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
Запустите Nginx:
/etc/init.d/nginx start
Add Nginx to autostart:
rc-update add nginx
Выполните настройку, чтобы Nginx на неописанные сайты закрывал соединение без ответа.
/etc/nginx/sites-enabled/_noname.conf
server {
listen 80 default_server;
server_name _;
access_log /var/log/nginx/noname_80.access_log main;
return 444;
}
server {
listen 443 ssl default_server;
ssl_ciphers aNULL;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_tickets off;
server_name _;
access_log /var/log/nginx/noname_443.access_log main;
return 444;
}
Перезагрузите настройки Nginx:
/etc/init.d/nginx reload
Examples of Nginx configuration
Create a config file for localhost:
server { # Порт, на котором работает ресурс listen 80; # Название ресурса, по которому будет осуществляться доступ server_name localhost; # Пути, по которым будут записываться логи access_log /var/log/nginx/localhost.access_log main; error_log /var/log/nginx/localhost.error_log info; # Корневая папка ресурса root /var/calculate/www/localhost/htdocs; }
Create an index file to check the health of the server:
mkdir -p /var/calculate/www/localhost/htdocs
echo 'Hello!' > /var/calculate/www/localhost/htdocs/index.html
Перед тем, как перезапускать службу Nginx, всегда выполняйте проверку правильности сделанных изменений командой nginx -t
Если всё верно, то будет выведено следующее:
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
If this was successful, reread the Nginx configuration:
/etc/init.d/nginx reload
Чтобы проверить, что Nginx работает и есть доступ, воспользуйтесь консольным веб-клиентом curl:
curl http://localhost
Hello!
Configuring reverse proxy on Nginx
A reverse proxy is usually understood as a server that receives a request from a client but does not process it independently, but sends it in whole or in part to other (upstream) servers for processing. In other words, it does not redirect the client, but sends a request on its own and then sends back the answer to the client.
Configure a reverse proxy ~~example.org~ that communicates with the internal HTTP service running on port 8080:
server {
listen 80;
server_name www.example.org example.org;
access_log /var/log/nginx/proxy.log;
location / {
proxy_pass http://127.0.0.1:8080;
}
}
Configuring HTTPS for Nginx
Create a DH key:
Generating DH parameters, 4096 bit long safe prime, generator 2 This is going to take a long time
Create a file describing the general SSL parameters:
# This file contains important security parameters. If you modify this file # manually, Certbot will be unable to automatically provide future security # updates. Instead, Certbot will print and log an error message with a path to # the up-to-date file that you will need to refer to when manually updating # this file. ssl_session_cache shared:le_nginx_SSL:1m; ssl_session_timeout 1440m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; ssl_dhparam /etc/nginx/ssl-dhparams.pem;
Getting a Let's Encrypt certificate
Get the www.example.org and example.org~ domain certificates for Nginx, as described in the manual.
Example of HTTPS configuration
Add HTTPS settings for example.org:
server {
listen 80;
listen 443 ssl;
server_name www.example.org example.org;
include ssl.conf;
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
access_log /var/log/nginx/example.org.access_log main;
error_log /var/log/nginx/example.org.error_log info;
include acme.conf;
root /var/calculate/www/example.org/htdocs;
}
Installing and configuring PHP-FPM
PHP-FPM (FastCGI Process Manager) is a high-performance and scalable interface for interaction between a web server and a web application, a further development of the CGI technology.
The main advantage of FastCGI is the separation between the dynamic language and the web server. This technology allows you to run Web servers and CGI processes on multiple hosts, thus improving scalability and security without noticeable loss of performance.
To install PHP-FPM, run:
emerge -a dev-lang/php
Once all the relevant information is displayed for installation, you must accept the default version of PHP. You can cancel the installation and specify the required version of PHP at the next installation try. Use php -m to display all available and running extensions.
Использование UNIX-сокета для взаимодействия Nginx c PHP является предпочтительным и рекомендуемым вариантом!
Edit the pool for handling the sites for which this socket will be specified in the configuration:
[www] ... ; Unix user/group of processes ; Note: The user is mandatory. If the group is not set, the default user's group ; will be used. user = nginx group = nginx ; The address on which to accept FastCGI requests. ; Valid syntaxes are: ; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on ; a specific port; ; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on ; a specific port; ; 'port' - to listen on a TCP socket to all addresses ; (IPv6 and IPv4-mapped) on a specific port; ; '/path/to/unix/socket' - to listen on a unix socket. ; Note: This value is mandatory. listen = /run/php-fpm.socket ; Set permissions for unix socket, if one is used. In Linux, read/write ; permissions must be set in order to allow connections from a web server. Many ; BSD-derived systems allow connections regardless of permissions. ; Default Values: user and group are set as the running user ; mode is set to 0660 listen.owner = nginx listen.group = nginx ;listen.mode = 0660 ; The number of child processes to be created when pm is set to 'static' and the ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. ; This value sets the limit on the number of simultaneous requests that will be ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP ; CGI. The below defaults are based on a server without much resources. Don't ; forget to tweak pm.* to fit your needs. ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' ; Note: This value is mandatory. pm.max_children = 20
Make the necessary changes to the configuration file: deny execution of any code on the server under the PHP process when loading the file and specify the time zone.
[PHP] ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting ; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting ; of zero causes PHP to behave as before. Default is 1. You should fix your scripts ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. ; http://php.net/cgi.fix-pathinfo cgi.fix_pathinfo=0 [Date] ; Defines the default timezone used by the date functions ; http://php.net/date.timezone date.timezone = "Europe/Moscow"
Note
In this example, the path is for PHP 7.4. Edit the path if you use a different version of PHP.
Start the PHP-FPM service:
/etc/init.d/php-fpm start
Add PHP-FPM to autostart:
rc-update add php-fpm
Example of Nginx configuration with PHP code
To provide PHP support, add the following to the configuration of the site running under Nginx. In the example below, Nginx exchanges information with the PHP process via a UNIX socket. In the server block, add the location block, which will contain the rules for working with PHP.
Apply the settings:
# localhost server { listen 80; server_name lempcss.example.org; access_log /var/log/nginx/lempcss.example.org.access_log main; error_log /var/log/nginx/lempcss.example.org.error_log info; root /var/calculate/www/localhost/htdocs; location ~ \.php$ { # Check for non existing scripts or for error 404 # Without this line, nginx will immediately send any requests ending with .php to php-fpm try_files $uri =404; include /etc/nginx/fastcgi.conf; fastcgi_pass unix:/run/php-fpm.socket; } }
Create a file and put the code for outputting information about PHP in it:
echo '<?php phpinfo(); ?>' > /var/calculate/www/localhost/htdocs/info.php
Edit access rights for all files in the root folder of the site:
chown -R nginx:nginx /var/calculate/www/localhost/htdocs
Add the corresponding entry to DNS. In the absence of DNS, you can add the entry to the static table of names of the computer from which the site will be accessed.
For Linux based systems, edit the list of domain names:
192.168.0.1 lempcss.example.org
Check that Nginx has been configured correctly and re-read the file:
nginx -t && /etc/init.d/nginx reload
Run PHP-FPM:
/etc/init.d/php-fpm start
Type http://lempcss.example.org/info.php in your browser. If everything is OK, you will see a page with complete info on PHP.