Real Time Concepts

NginX installation and support

Installation

  • yum install epel-release
  • yum install nginx
  • chkconfig nginx on
  • service nginx start

Edit /etc/nginx/nginx.conf and change this to the number of physical CPU cores:

  • worker_processes 1;

Configuration

Apache vs NginX

 

Virtual Host configuration

Virtual hosts go in /etc/nginx/conf.d/*.conf. nginx doesn’t have an equivalent of httpd -S, so it is best to name each file after its domain, e.g. /etc/nginx/conf.d/example.com.conf.

/etc/nginx/conf.d contains a sample virtual.conf and ssl.conf. They don’t include logging, so please add that.

HTTP example

# A virtual host using mix of IP-, name-, and port-based configuration
#
server {
    listen 80;
    # listen hostname:80;
    # listen ip_address:80;
    server_name example.com www.example.com;
    root /var/www/vhosts/example.com;
    index index.html;
    location /admin {
        allow 94.236.7.190;
        deny all;
    }
    access_log /var/log/nginx/example.com_access.log main;
    error_log /var/log/nginx/example.com_error.log;
}

HTTPS/SSL example

# A virtual host using mix of IP-, name-, and port-based configuration
#
server {
    # The "ssl" parameter on listen enables TLS for this socket
    # (it replaces the older standalone "ssl on;" directive).
    listen 443 ssl;
    # listen hostname:443 ssl;
    # listen ip_address:443 ssl;

    server_name example.com www.example.com;
    root /var/www/vhosts/example.com;
    index index.html;

    ssl_certificate /etc/nginx/ssl/2011-example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/2011-example.com.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

    # PCI compliant version
    # ssl_protocols SSLv3 TLSv1;
    # ssl_ciphers HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH;

    ssl_prefer_server_ciphers on;
    location /admin {
        allow 94.236.7.190;
        deny all;
    }
    access_log /var/log/nginx/example.com_ssl_access.log main;
    error_log /var/log/nginx/example.com_ssl_error.log;
}
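
The protocol and cipher lines in the HTTPS example above predate current TLS guidance: SSLv2 and SSLv3 are broken, and the ALL-based cipher string keeps RC4, low-strength and export suites enabled. The following is an added example, not part of the original page, that shows the same vhost with the weak lines beside corrected ones; the protocol and cipher lists are this example's choices.

```nginx
# Added example, not the original page's config. Paths and names are the
# page's; the protocol and cipher choices are this example's assumptions.
server {
    # The "ssl" listen parameter enables TLS on this socket; the standalone
    # "ssl on;" directive was removed in nginx 1.25.1.
    listen 443 ssl;
    server_name example.com www.example.com;
    root /var/www/vhosts/example.com;
    index index.html;

    ssl_certificate     /etc/nginx/ssl/2011-example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/2011-example.com.key;

    # Weak: SSLv2 and SSLv3 are broken, TLSv1 is deprecated.
    #   ssl_protocols SSLv2 SSLv3 TLSv1;
    # Corrected (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+;
    # drop it from the list on older builds):
    ssl_protocols TLSv1.2 TLSv1.3;

    # Weak: ALL keeps RC4, low-strength and export suites enabled; the
    # trailing +LOW:+SSLv2:+EXP only moves them to the end of the list.
    #   ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # Corrected: forward-secret AEAD suites for TLS 1.2 (TLS 1.3 suites are
    # not controlled by this directive).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;   # share the session cache across workers

    location /admin {
        allow 94.236.7.190;
        deny all;
    }

    access_log /var/log/nginx/example.com_ssl_access.log main;
    error_log /var/log/nginx/example.com_ssl_error.log;
}
```

Run nginx -t after editing to validate the configuration before reloading.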

PHP configuration

There are a few ways of doing this, and it depends on which distribution of PHP (RHN channels or IUS) you want to use. So the first step is to choose and install your PHP.

Install PHP

Choose one of the usual ways (RHEL/RHN channels/IUS). You need at least the following.

From RHN:
  • yum install php php-cli spawn-fcgi
  • yum install php53 php53-cli spawn-fcgi
From IUS:
  • yum install php52u php52u-cli spawn-fcgi
  • yum install php53u php53u-cli php53u-fpm

Depending on the version of PHP, you need to use either php-fpm or spawn-fcgi. PHP-FPM is available in PHP 5.3 and newer. If the PHP version is 5.2, and you can’t upgrade for some reason, spawn-fcgi is one of the more elegant ways of doing it.

Configure PHP (53-IUS) with fpm

FPM can create multiple pools, running as different users, on different ports. This is useful for per-domain configuration. The configuration is stored in /etc/php-fpm.d/*.conf.

There is a default pool in /etc/php-fpm.d/www.conf. Simply copy it to a file named after your domain, e.g. /etc/php-fpm.d/example.com.conf, then modify the following:

;[www]
[example.com]

;listen = 127.0.0.1:9000
;listen = 127.0.0.1:9001
listen = /var/run/php5-fpm.sock

;user = apache
user = example

;group = apache
group = example

You can, optionally, chroot the pool to the particular domain:

  • chroot = /var/www/vhosts/example.com

Be aware that, if you do this, all paths become relative, including the “root” in nginx or the DocumentRoot in Apache.

Enable and start the php-fpm daemon:

  • chkconfig php-fpm on
  • service php-fpm start

Configure PHP (5.2 and earlier) with spawn-fcgi

spawn-fcgi is available in EPEL. It starts up the fcgi processes, just like php-fpm, but without multiple pools and the associated configuration.
Uncomment the last two lines in /etc/sysconfig/spawn-fcgi and change ‘apache’ to ‘nginx’ for -u and -g:

  • SOCKET=/var/run/php-fcgi.sock
  • #OPTIONS="-u apache -g apache -s $SOCKET -S -M 0600 -C 32 -F 1 -P /var/run/spawn-fcgi.pid -- /usr/bin/php-cgi"
  • OPTIONS="-u nginx -g nginx -s $SOCKET -S -M 0600 -C 32 -F 1 -P /var/run/spawn-fcgi.pid -- /usr/bin/php-cgi"

To use TCP rather than a UNIX socket, do the following:

  • #SOCKET=/var/run/php-fcgi.sock
  • #OPTIONS="-u nginx -g nginx -s $SOCKET -S -M 0600 -C 32 -F 1 -P /var/run/spawn-fcgi.pid -- /usr/bin/php-cgi"
  • OPTIONS="-u nginx -g nginx -a 127.0.0.1 -p 9000 -M 0600 -C 32 -F 1 -P /var/run/spawn-fcgi.pid -- /usr/bin/php-cgi"

Enable and start the spawn-fcgi daemon:

  • chkconfig spawn-fcgi on
  • service spawn-fcgi start

PHP Vhost configuration

Add the following section inside the “location /” section to enable PHP for the entire site. Pick the appropriate fastcgi_pass line for your configuration:

# A virtual host using mix of IP-, name-, and port-based configuration
#
upstream php5_fpm {
    # server 127.0.0.1:9001;
    server unix:/var/run/php5-fpm.sock;
}
server {
    listen 80;
    # listen somename:8080;
    server_name example.com www.example.com;

    root /var/www/vhosts/example.com;
    index index.php;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass php5_fpm;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
    access_log /var/log/nginx/example.com_access.log main;
    error_log /var/log/nginx/example.com_error.log;
}

rewrite support

nginx does not read Apache mod_rewrite syntax, but has something similar. Here are a few examples:

example.com to www.example.com

server_name example.com www.example.com;
if ($http_host != "www.example.com") {
    rewrite ^ http://www.example.com$request_uri permanent;
}

Or, in a more elegant (according to the nginx docs) fashion, use two vhosts:

server {
    listen 80;
    server_name example.com;
    return 301 http://www.example.com$request_uri;
}
server {
    listen 80;
    server_name www.example.com;

}

http to https

For the entire domain:

server {
    listen 80 default;
    rewrite ^ https://$host$request_uri permanent;
}

For a specific path:

location /webmail {
    rewrite ^ https://$host$request_uri permanent;
}

Configuration

These are directives that go into the main nginx.conf, unless otherwise specified.

Security

Server Tokens

Turn off server tokens:

  • server_tokens off;

Server Side Includes

Turn off server side includes:

  • ssi off;

Auto index

Turn auto indexing off:

  • autoindex off;

try_files

This is already in my configuration, but it’s worth pointing out. The location block will match anything with .php in the URL – not necessarily a file that ends in .php. So try_files checks whether a file by that name exists, and if it doesn’t, it returns a 404 rather than sending the request off to the fastcgi handler.

  • try_files $uri =404;
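
How the try_files check fits together with the optional chroot from the PHP-FPM section, as an added example that is not part of the original page. It assumes the example.com pool with chroot = /var/www/vhosts/example.com; nginx itself is not chrooted, so it keeps the full root for the existence check, and only the script path passed to PHP-FPM is made relative to the chroot.

```nginx
# Added example (not the original page's config). Assumes the example.com
# PHP-FPM pool from above with "chroot = /var/www/vhosts/example.com" set.
upstream php5_fpm {
    server unix:/var/run/php5-fpm.sock;
}

server {
    listen 80;
    server_name example.com www.example.com;

    # nginx resolves static files and the try_files check below against
    # this directory on the real filesystem.
    root /var/www/vhosts/example.com;
    index index.php;

    location ~ \.php$ {
        # Return 404 for any URI that does not map to an existing file,
        # before the request can reach the FastCGI handler.
        try_files $uri =404;

        include /etc/nginx/fastcgi_params;

        # Inside the chroot the script is /index.php, not
        # /var/www/vhosts/example.com/index.php, so $document_root is
        # left out of the path handed to PHP-FPM.
        fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        fastcgi_pass php5_fpm;
    }

    access_log /var/log/nginx/example.com_access.log main;
    error_log /var/log/nginx/example.com_error.log;
}
```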

Caveats

$uri vs $request_uri

$uri = the original request, as received by the server
$request_uri = the request that may have been modified by preceding rules
