Installing Nginx 1.6.2 on CentOS, with a security configuration
Note: all of the following steps were performed on CentOS 6.5 x86_64.
# Preparations #
Before installing Nginx, make sure the development packages it builds against (pcre-devel, zlib-devel and openssl-devel, plus the compiler toolchain) have been installed with yum. For details, see the article on installing the basic components of an LNMP environment on CentOS.
Create the www group and user that the worker processes will run as, and give the user no login shell:

    # id www
    id: www: No such user
    # groupadd www
    # useradd -g www -s /sbin/nologin www
    # id www
    uid=501(www) gid=501(www) groups=501(www)
# Nginx installation #
Download, configure, compile and install Nginx. Fetch the tarball over https and check it against the PGP signature nginx.org publishes next to each release (nginx-1.6.2.tar.gz.asc) before building it:

    # cd /usr/local/src
    # wget https://nginx.org/download/nginx-1.6.2.tar.gz
    # tar zxf nginx-1.6.2.tar.gz
    # cd nginx-1.6.2
    # ./configure --prefix=/usr/local/nginx-1.6.2 --group=www --user=www --with-http_ssl_module --with-pcre --with-http_stub_status_module --with-http_gzip_static_module
    Configuration summary
      + using system PCRE library
      + using system OpenSSL library
      + md5: using OpenSSL library
      + sha1: using OpenSSL library
      + using system zlib library

      nginx path prefix: "/usr/local/nginx-1.6.2"
      nginx binary file: "/usr/local/nginx-1.6.2/sbin/nginx"
      nginx configuration prefix: "/usr/local/nginx-1.6.2/conf"
      nginx configuration file: "/usr/local/nginx-1.6.2/conf/nginx.conf"
      nginx pid file: "/usr/local/nginx-1.6.2/logs/nginx.pid"
      nginx error log file: "/usr/local/nginx-1.6.2/logs/error.log"
      nginx http access log file: "/usr/local/nginx-1.6.2/logs/access.log"
      nginx http client request body temporary files: "client_body_temp"
      nginx http proxy temporary files: "proxy_temp"
      nginx http fastcgi temporary files: "fastcgi_temp"
      nginx http uwsgi temporary files: "uwsgi_temp"
      nginx http scgi temporary files: "scgi_temp"
    # make && make install
    # ln -s /usr/local/nginx-1.6.2/ /usr/local/nginx

Leave the installation tree owned by root, as make install created it; do not chown -R www:www it. The master process runs as root, opens the log files itself and creates the *_temp directories with the worker user as owner at startup, so the workers need no ownership of anything else. Handing www ownership of sbin/nginx and conf/ would let a compromised worker replace the binary or rewrite the configuration that root reloads, which defeats the directory rules in the security section below.
Add the Nginx sbin directory to PATH (the mysql and Java entries shown are from the author's environment):

    # vim /etc/profile
    export PATH=$PATH:/usr/local/mysql/bin:$JAVA_HOME/bin:/usr/local/nginx/sbin
    # source /etc/profile
Print the Nginx version information to check that the previous steps worked. The configure arguments line must list every module you passed to ./configure; if one is missing, the binary on PATH was built from a different configure run:

    # nginx -V
    nginx version: nginx/1.6.2
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx-1.6.2 --group=www --user=www --with-http_ssl_module --with-pcre --with-http_stub_status_module
So far, Nginx has been installed.
# Nginx start/reload/stop #
Create the directory that will hold the web applications (keeping every site under one path makes operations easier):

    # mkdir -p /data/www
Edit the configuration file:

    # vim /usr/local/nginx/conf/nginx.conf
    user www;
    worker_processes 1;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        gzip on;

        server {
            listen 80;
            server_name localhost;
            location / {
                root html;
                index index.html index.htm;
            }
        }
    }
Start Nginx:
# nginx
Now open http://youripaddress in a browser. The default "Welcome to nginx!" page confirms that Nginx is up.
After changing nginx.conf you normally only need to reload the configuration, not restart the server. Check that the configuration is valid before reloading:

    # nginx -t
    nginx: the configuration file /usr/local/nginx-1.6.2/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx-1.6.2/conf/nginx.conf test is successful
    # nginx -s reload
Equivalently, send SIGHUP to the master process (its pid is in logs/nginx.pid). The master parses the new configuration first and, if it is invalid, logs the error and keeps running with the old one; otherwise it starts new workers and shuts the old ones down gracefully:

    # kill -HUP ${master_pid}
The commands to stop Nginx are:

    # nginx -s quit
    # nginx -s stop

Note: quit is a graceful shutdown, the workers finish the requests they are serving and then exit; stop is a fast shutdown, connections are dropped immediately.
The same can be done by signalling the master process:

    # kill -QUIT ${nginx_master}
    # kill -TERM ${nginx_master}
    # kill -9 ${nginx_master}

Note: QUIT is the graceful shutdown (the same as nginx -s quit), the process exits after all requests have completed; TERM is the fast shutdown (the same as nginx -s stop). -9 is SIGKILL, which the process cannot catch, so nothing is cleaned up: the pid file is left behind and the workers are not told to exit. Use it only as a last resort.
For convenience, write an init script so that Nginx can be managed with the service command:

    # vim /etc/init.d/nginxd
    #!/bin/sh
    # chkconfig: 2345 85 15
    # description: Nginx Server

    NGINX_HOME=/usr/local/nginx-1.6.2
    NGINX_SBIN=$NGINX_HOME/sbin/nginx
    NGINX_CONF=$NGINX_HOME/conf/nginx.conf
    NGINX_PID=$NGINX_HOME/logs/nginx.pid
    NGINX_NAME="Nginx"

    . /etc/rc.d/init.d/functions

    if [ ! -f $NGINX_SBIN ]
    then
        echo "$NGINX_NAME startup: $NGINX_SBIN not exists!"
        exit 1
    fi

    start() {
        $NGINX_SBIN -c $NGINX_CONF
        ret=$?
        if [ $ret -eq 0 ]; then
            action $"Starting $NGINX_NAME: " /bin/true
        else
            action $"Starting $NGINX_NAME: " /bin/false
        fi
    }

    stop() {
        # TERM: fast shutdown, the same as "nginx -s stop"
        kill `cat $NGINX_PID`
        ret=$?
        if [ $ret -eq 0 ]; then
            action $"Stopping $NGINX_NAME: " /bin/true
        else
            action $"Stopping $NGINX_NAME: " /bin/false
        fi
    }

    restart() {
        stop
        # the old master removes its pid file on exit; wait for that
        # before starting, or the new master fails to bind the port
        for i in 1 2 3 4 5; do
            [ -f $NGINX_PID ] || break
            sleep 1
        done
        start
    }

    check() {
        $NGINX_SBIN -c $NGINX_CONF -t
    }

    reload() {
        # HUP: re-read the configuration, the same as "nginx -s reload"
        kill -HUP `cat $NGINX_PID` && echo "reload success!"
    }

    relog() {
        # USR1: reopen the log files, used after log rotation
        kill -USR1 `cat $NGINX_PID` && echo "relog success!"
    }

    case "$1" in
        start)
            start
            ;;
        stop)
            stop
            ;;
        restart)
            restart
            ;;
        check|chk)
            check
            ;;
        status)
            status -p $NGINX_PID nginx
            ;;
        reload)
            reload
            ;;
        relog)
            relog
            ;;
        *)
            echo $"Usage: $0 {start|stop|restart|reload|status|check|relog}"
            exit 1
    esac

    # chmod +x /etc/init.d/nginxd
    # chkconfig nginxd on
In this way, you can start it through the service:
# service nginxd start
# Nginx Security Configuration #
1. Disable directory listing. It is off by default, so the point is to make sure nothing later in the configuration turns it on:

    autoindex off;
2. Keep access logging on (it is on by default) and store the logs under /data, where operations staff expect them. Create the directory first; nginx does not create it for you. Note that the path used here sits inside the /data/www document root, which is why item 3 below denies web requests for that directory; keeping the logs outside the root altogether (item 6 uses /data/logs/nginx) avoids the problem:

    access_log /data/www/logs/localhost.access.log;
3. Protect the directory tree. The Nginx workers run as www, so an attacker who breaks in through the web application ends up with that user's permissions. Make sure the owner of the site's directories and files is a different user from the one the workers run as, so that a compromised worker cannot tamper with or delete the site. A good choice is root as owner, 755 on directories and 644 on files. Only directories the application must write to, such as an upload directory, need to be writable by www; give those to www as owner (755), or to the www group (775), rather than making them 777, which is never required and lets every local account write into them. To stop an attacker from running a web shell dropped into such a writable directory, nginx must also refuse to execute or serve scripts from it. There are two ways to do that:
1) For sites that run PHP, deny requests for PHP files inside the writable directory. A location regex is matched against the request URI, not the filesystem path: with root /data/www, the directory /data/www/logs is reached as /logs/, so the pattern is written against that prefix. The block must also appear before the general \.php$ location that hands requests to PHP, because nginx uses the first regular-expression location that matches:

    location ~* ^/logs/.*\.(php|php5)$ {
        deny all;
    }

Note: the safest option is a whitelist, allowing PHP execution only in the directories that need it. This is detailed in the PHP installation section.
2) For non-PHP services (Python, CGI and so on), block outside access to the writable directory altogether. The ^~ modifier is a prefix match that also stops nginx from going on to check regex locations, so no other location can pick the request up:

    location ^~ /logs/ {
        deny all;
    }
4. Restrict which client addresses may reach management locations, for example the nginx status page:

    server {
        location /nginx-admin {
            stub_status on;
            access_log logs/nginx-admin.log;
            allow 11.12.23.0/24;
            deny all;
        }
        location /admin {
            ...
        }
    }

Note: 11.12.23.0/24 above stands for the address range of the operations team's clients. allow and deny are evaluated against the TCP peer address, so if Nginx sits behind a load balancer or reverse proxy every request arrives from the proxy's address; in that case restore the real client address with ngx_http_realip_module, or enforce the restriction on the proxy instead.

From a client inside the allowed range, a request for /nginx-admin returns the stub_status counters; from any other address, nginx answers 403 Forbidden.
5. Delete the default pages shipped in html/ (index.html and 50x.html) and replace them with your own, so that a scan cannot recognise a stock installation.
6. Do not serve the site to requests that address the server by IP or under a Host name you do not own. If the address leaks, anyone can point another domain at it; with a catch-all default server, such requests get an error (this example returns 500; nginx's non-standard code 444, which closes the connection without a response, is the other common choice) while the real domain names are served normally:

    server {
        listen 80 default_server;
        server_name _;
        return 500;
    }
    server {
        listen 80;
        server_name www.tencent.com tencent.com;
        root /data/www/tencent;
        access_log /data/logs/nginx/tencent.access.log;
        error_log /data/logs/nginx/tencent.error.log;
    }

Note: default_server is the current spelling; older configurations write listen 80 default. With this configuration, direct access by IP address gets an error, while access by domain name (for example a request for tencent.com) works normally. Without an explicit default server, nginx treats the first server block defined for that port as the default, so bare-IP requests would be served by your site. The catch-all has to be declared for every listening port, including 443 when TLS is enabled.
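The following script is added here as an example and is not code from the original article. It turns items 1, 3 and 6 above into checks that can be run on the host after deployment: it walks the web root looking for content owned by the worker user, world-writable entries and script files inside writable directories, and greps nginx.conf for autoindex on and for a catch-all default server. The paths it assumes (/data/www, worker user www, /usr/local/nginx/conf/nginx.conf, an upload directory under the root) follow the article; the script name and function names are this example's own.

```shell
#!/bin/sh
# nginx-audit.sh: an added example for this article, not code from the
# original post. It turns three of the hardening items into checks:
#   item 1: nginx.conf must not switch autoindex on
#   item 3: nothing under the web root may be owned by the worker user
#           (except an explicitly allowed writable directory), nothing may
#           be world-writable, and no script file may sit inside a directory
#           the worker can write to
#   item 6: nginx.conf must declare a catch-all default server
# Assumed paths follow the article: web root /data/www, worker user www,
# config /usr/local/nginx/conf/nginx.conf. audit_conf reads a single file
# and does not follow include directives.

set -u

# audit_webroot DIR WORKER_USER [WRITABLE_DIR]
# WRITABLE_DIR (for example DIR/upload) may be owned by the worker; its
# contents are still checked for scripts. Prints one finding per line and
# returns 0 when clean, 1 when something was found, 2 if the user is unknown.
audit_webroot() {
    local dir="$1" worker="$2" skip="${3:-/nonexistent}" findings=0 out

    id "$worker" >/dev/null 2>&1 || { echo "no such user: $worker"; return 2; }

    # Item 3: a compromised worker must not be able to rewrite the site.
    out=$(find "$dir" -path "$skip" -prune -o -user "$worker" -print 2>/dev/null \
          | sed 's/^/owned-by-worker: /')
    [ -n "$out" ] && { echo "$out"; findings=1; }

    # 777 is never required: give the upload directory to the worker instead.
    out=$(find "$dir" -perm -0002 2>/dev/null | sed 's/^/world-writable: /')
    [ -n "$out" ] && { echo "$out"; findings=1; }

    # Scripts inside a directory the worker can write to are exactly what an
    # attacker uploads; nginx must also be configured to refuse them.
    out=$(find "$dir" -type d \( -perm -0002 -o -user "$worker" \) -exec find {} -type f \
              \( -name '*.php' -o -name '*.php5' -o -name '*.cgi' -o -name '*.py' \) \; 2>/dev/null \
          | sort -u | sed 's/^/script-in-writable-dir: /')
    [ -n "$out" ] && { echo "$out"; findings=1; }

    return $findings
}

# audit_conf NGINX_CONF
# Returns 1 when autoindex is on anywhere (item 1) or no listen directive
# carries default_server / default (item 6); without one, nginx serves
# bare-IP and unknown-Host requests from the first server block.
audit_conf() {
    local conf="$1" findings=0
    if grep -Eq '^[[:space:]]*autoindex[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "autoindex enabled: $conf"; findings=1
    fi
    if ! grep -Eq '^[[:space:]]*listen[[:space:]]+[^;]*[[:space:]](default_server|default)([[:space:]]|;)' "$conf"; then
        echo "no catch-all default server: $conf"; findings=1
    fi
    return $findings
}

# Usage: nginx-audit.sh WEBROOT WORKER_USER NGINX_CONF [WRITABLE_DIR]
# e.g.   nginx-audit.sh /data/www www /usr/local/nginx/conf/nginx.conf /data/www/upload
main() {
    local rc=0
    audit_webroot "$1" "$2" "${4:-}" || rc=1
    audit_conf "$3" || rc=1
    [ "$rc" -eq 0 ] && echo "no findings"
    return "$rc"
}

# Run only when invoked with arguments so the functions can also be sourced.
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Run it as root after the site is deployed and again after every release; a non-zero exit with an owned-by-worker or script-in-writable-dir line means the tree no longer matches item 3, and a missing default server means item 6 was lost in a configuration change. Because it only reads one file, point audit_conf at each included server configuration as well when the sites are split across files.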