Nginx on CentOS 7 with Modern Security Settings and as a Reverse Proxy

To install Nginx on CentOS 7

First add the EPEL repository that hosts Nginx
sudo yum install epel-release

Then install Nginx
sudo yum install nginx

To start Nginx, run
sudo systemctl start nginx

To enable Nginx to start automatically when the system starts:
sudo systemctl enable nginx

For more information on installing Nginx, check out DigitalOcean’s walkthrough

Here are some other useful commands that you’ll probably be wanting as you learn how to use Nginx.

To view live error logs:
sudo tail -f /var/log/nginx/error.log

To restart Nginx (after every config change at least):
sudo systemctl restart nginx

To look at system logs:
journalctl -xe

To set up Nginx

First, you’ll need to set up some basic configuration in the nginx.conf file. On CentOS 7 this file is located at /etc/nginx/nginx.conf. Because I am used to Apache’s configuration, I split up the various server configs into separate files and included them in nginx.conf with include /etc/nginx/conf.d/*.conf;

I also wanted my Nginx server to be able to run PHP, so I could use WordPress. To be able to do this, you need to use a FastCGI instance and send PHP files to it.

More information on FastCGI with Nginx

This is the full nginx.conf file, with other basic settings

DigitalOcean has a great guide on Understanding the Nginx Configuration

Now, for each website you want to host, create a .conf file in the /etc/nginx/conf.d folder. This is what a simple reverse proxy server configuration file would look like if your other server was running on port 4000. At the end of this article I will include my full configuration file with all of these features and the modern security settings that I will address next.

For my websites, I generally use HTTP2 with HTTPS and IPv6. This is really easy to implement with Nginx. Simply replace listen 80; with listen [::]:443 ssl http2;

There are some great benefits to using HTTP2, and it is becoming more and more widely accepted. Learn more about HTTP2

To send all .php files to your FastCGI process, include this location block in whatever server block you will be using with PHP.

To redirect www requests to your non-www server block, add this server block:

To redirect non-HTTPS requests to your HTTPS server block, add this server block:

Modern Security Settings

I always make sure to be up to date on the current security best practices. This usually results in receiving an A+ rating from Qualys SSL Labs – something that I’d recommend to everyone. I’ll go over a few of the features that I added to my site in order to receive this A+ security rating.

I assume you already have an SSL certificate and key, but if you don’t, there are a couple of ways you can obtain one for free. Let’s Encrypt and Cloudflare both offer free SSL certificates, and I would recommend that you take advantage of them. Every website should use SSL, regardless of the purpose of the website.

To learn more about these settings, I would recommend you check out a Gist by Diego Plentz. He fully explains these different settings, and you can decide from there whether or not you would like to implement them.

My full default.conf file:

As you can see, this includes all the modern security settings that I showed before, as well as how I implemented my various server blocks. It also includes my reverse proxy, as I redirect some incoming traffic to a Node.js server I have running on port 4000. I also include 5 other location blocks for specific control of those endpoints or file types. This allows me to serve static files as well as .php files from Nginx (this includes all of WordPress on the /notes route), but still allow for other routes to be forwarded to my Node.js server.
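
The redirects, the HTTP2 and IPv6 listeners, the reverse proxy to port 4000 and a baseline of TLS hardening described above fit in one conf.d file. The following is an added example, not the author's default.conf; example.com, the certificate paths, the cipher list and the header values are assumptions to adapt.

```nginx
# Added example: example.com, certificate paths, ciphers and header values are placeholders.
# Plain HTTP (www and non-www) is redirected to the HTTPS non-www host.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

# HTTPS www is redirected to non-www; it needs the certificate to complete the handshake.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    return 301 https://example.com$request_uri;
}

server {
    # "listen [::]:443" alone binds IPv6 only (ipv6only=on is the default), so keep both lines.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    server_tokens off;

    location / {
        proxy_pass http://127.0.0.1:4000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the syntax with sudo nginx -t before restarting. On CentOS 7 with SELinux enforcing, Nginx cannot connect to the backend on port 4000 until the httpd_can_network_connect boolean is enabled.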

To host multiple websites on the same server with Nginx, simply add more server blocks to your configuration file, or add a new configuration file to the conf.d folder for each website that you host.
