Install Nginx¶
Step 1. Install the binary¶
Nginx is available in Debian’s default software repositories, making it possible to install it from conventional package management tools.
sudo apt update
sudo apt install nginx
Step 2. Adjusting the firewall¶
Before testing Nginx, it’s necessary to modify the firewall settings to allow outside access to the default web ports. Assuming that you followed the instructions in the prerequisites, you should have a UFW firewall configured to restrict access to your server.
During installation, Nginx registers itself with UFW to provide a few application profiles that can be used to enable or disable access to Nginx through the firewall.
List the ufw application profiles by typing:
sudo ufw app list
# Output
Available applications:
...
Nginx Full
Nginx HTTP
Nginx HTTPs
OpenSSH
From the output, there are three profiles available for Nginx:
- Nginx Full: This profile opens both port 80 (normal, unencrypted web traffic) and port 443 (TLS/SSL encrypted traffic)
- Nginx HTTP: This profile opens only port 80 (normal, unencrypted web traffic)
- Nginx HTTPS: This profile opens only port 443 (TLS/SSL encrypted traffic)
Base on your requirements, allow the traffic. In our case, it will be
sudo ufw allow 'Nginx Full'
Step 3. Check nginx status¶
systemctl status nginx
You can access the default Nginx landing page to confirm that the software is running properly by navigating to your server’s IP address. If you do not know your server’s IP address, you can type this at your server’s command prompt:
# get server ip
ip addr show eth0 | grep inet | awk '{ print $2; }' | sed 's/\/.*$//'
# check the default nginx welcome page
http://your_server_ip
Step4. Nginx useful commands¶
#
sudo systemctl stop/start/restart/reload nginx
# start automatically when the server boots
sudo systemctl disable/enable nginx
Step 5. Setting Up Server Blocks (Incomplete)¶
When using the Nginx web server, server blocks (similar to virtual hosts in Apache) can be used to encapsulate configuration details and host more than one domain on a single server.
https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-debian-11
Step 6. Important Nginx Files and Directories¶
6.1 Content¶
/var/www/html: The actual web content, which by default only consists of the default Nginx page you saw earlier, is served out of the /var/www/html directory. This can be changed by altering Nginx configuration files.
6.2 Server Configuration¶
- /etc/nginx: The Nginx configuration directory. All of the Nginx configuration files reside here.
- /etc/nginx/nginx.conf: The main Nginx configuration file. This can be modified to make changes to the Nginx global configuration.
- /etc/nginx/sites-available/: The directory where per-site server blocks can be stored. Nginx will not use the configuration files found in this directory unless they are linked to the
sites-enableddirectory. Typically, all server block configuration is done in this directory, and then enabled by linking to the other directory. - /etc/nginx/sites-enabled/: The directory where enabled per-site server blocks are stored. Typically, these are created by linking to configuration files found in the
sites-availabledirectory. - /etc/nginx/snippets: This directory contains configuration fragments that can be included elsewhere in the Nginx configuration. Potentially repeatable configuration segments are good candidates for refactoring into snippets.
6.3 Server Logs¶
- /var/log/nginx/access.log: Every request to your web server is recorded in this log file unless Nginx is configured to do otherwise.
- /var/log/nginx/error.log: Any Nginx errors will be recorded in this log.
Step 7. Set Nginx as a Reverse proxy¶
We suppose we already have a service which runs on http://127.0.0.1:8080/. We will set Nginx as the Reverse proxy of this service.
7.1 Create a new server block¶
We suppose this service is called my-app.casd.local, we need to create a new server block for this domain.
sudo vim /etc/nginx/sites-availabe/my-app
Add below config to the my-app file (i.e. similar to the virtual hosts in apache)
# set a backend upstream
upstream my-app {
server 127.0.0.1:8080 fail_timeout=0;
}
# a server listen to port 80, which will redirect request to port 443
server {
listen 80;
server_name my-app.casd.local;
# redirect http request to https
return 301 https://$host$request_uri;
}
# a server listen to port 443, which will ensure https resolution
server {
listen 443 ssl;
ssl_certificate /etc/ssl/certs/certificate.pem;
ssl_certificate_key /etc/ssl/private/private_key.pem;
# all request will be redirected to the backend_chart upstream
location / {
include proxy_params;
proxy_pass http://my-app;
}
}
8. Set up firewall to block remote access of the backend service¶
To avoid users access the backend service directly, we can set port 8080 can be only accessed via 127.0.0.1.
9. Some best practices¶
9.1 Set the nginx server in production¶
We can notice in /etc/nginx, there are two folders
- sites-available
- sites-enabled
The best solution is to write the configuration file in sites-available then create a symbolic link in sites-enabled
All the server conf in sites-enabled will be activated automatically by the nginx server.
For example
cd /etc/nginx
# create the origin conf file
touch sites-available/test_site.conf
# create the soft link to activate the conf
ln -s sites-available/test_site.conf sites-enabled/test_site.conf
server {
listen 80;
server_name deb.casd.local;
# redirect http request to https
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
ssl_certificate /etc/ssl/certs/casd_wildcard.pem;
ssl_certificate_key /etc/ssl/private/casd_wildcard_key.pem;
server_name deb.casd.local;
location / {
root /package-repo/aptly/.aptly/public;
autoindex on;
charset utf-8;
autoindex_exact_size off;
try_files $uri $uri/ =404;
}
}