
NGINX Best Practices on Initial Setup

by Lakindu Jayasena

Nginx is a lightweight, high-performance, feature-rich open source web server and proxy server, as well as a load balancer. Most people have heard of Apache, but Nginx is also rising in popularity, serving over 50% of the traffic on the internet. The major reason for the fast adoption of Nginx is its speed and its ability to handle hundreds of thousands of concurrent connections. Since the original release of NGINX, websites have expanded from basic HTML pages to dynamic, multi-layered content, and NGINX now supports all the components of the modern Web, including WebSocket, HTTP/2, and streaming of multiple video formats. It runs on UNIX, GNU/Linux, BSD variants, Mac OS X, Solaris, and Microsoft Windows.

Though NGINX became recognized as the fastest web server, the scalable underlying architecture has proved ideal for many web tasks beyond serving content. Because it can handle a high number of connections, NGINX is commonly used as a reverse proxy and load balancer to manage incoming traffic and distribute it to upstream servers – anything from database servers to microservices.

This article will help you install Nginx and apply a basic configuration with best practices on Linux or UNIX-like operating systems.

Installing Nginx Server

Before proceeding with the installation of Nginx, update all the system packages:

 apt-get update 

Install and start Nginx service:

 apt-get install nginx
 systemctl start nginx
 systemctl enable nginx   # Automatically start the service on bootup

After the installation, you can check the Nginx version with the following command:

 nginx -v 

First of all, here are the default Nginx configuration files and locations:

  • /etc/nginx/ – The Nginx server configuration directory; nginx.conf is the main configuration file.
  • /etc/nginx/sites-available – The location for all custom virtual host configurations.
  • /etc/nginx/sites-enabled – The location for enabled virtual host configurations (these are symbolic links to the sites-available configurations).
  • /var/www/html – The default document root location.
  • /var/log/nginx – The default log files location.

Configuring the Nginx server blocks (Virtual Hosts)

This is similar to the virtual hosts concept in Apache and can be used to encapsulate configuration details and host more than one domain off of a single server.

The default Nginx configuration files are kept inside the /etc/nginx/sites-available directory and are symbolically linked from the /etc/nginx/sites-enabled/ directory. You usually need to create a separate file in the sites-available directory for each domain/subdomain (in this post I am using mytechnix.com) and set up a symlink in the sites-enabled directory.

Remove the symlink in /etc/nginx/sites-enabled/default to disable the default configuration file.

 unlink /etc/nginx/sites-enabled/default 

Create a new directory for the document root and a basic index file in /var/www/mytechnix.com. Then create the configuration file for the website, add the configuration below, and save it.

 mkdir -p /var/www/mytechnix.com/
 vim /var/www/mytechnix.com/index.html
 echo "Welcome to MyTechnix" > /var/www/mytechnix.com/index.html

 vi /etc/nginx/sites-available/mytechnix.com

 server {
     listen 80;
     listen [::]:80;

     server_name mytechnix.com www.mytechnix.com;

     # Document root and default index file
     root /var/www/mytechnix.com;
     index index.html;

     location / {
         # Serve the file or directory if it exists, otherwise return 404
         try_files $uri $uri/ =404;
     }
 }

Configure Nginx to use your SSL/TLS Certificate

Transport Layer Security (TLS) is the successor to Secure Socket Layer (SSL). It provides stronger security and more efficiency, and contains enhancements not found in SSL such as Forward Secrecy, compatibility with modern OpenSSL cipher suites, and HSTS.

Create a folder to store the SSL certificates inside the Nginx configuration directory using the following command.

 mkdir /etc/nginx/ssl 

Then copy the certificate and the private key file to the created location. Rename the files to show which domain they are associated with.

 cp /path/to/your/certificate.crt /etc/nginx/ssl/mytechnix.com.crt
 cp /path/to/your/private.key /etc/nginx/ssl/mytechnix.com.key

Add the SSL configuration details inside the HTTPS server block, define the location of your certificates, then save the file and exit.

 server {
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;

     ssl_certificate /etc/nginx/ssl/mytechnix.com.crt;
     ssl_certificate_key /etc/nginx/ssl/mytechnix.com.key;
     ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1.2 TLSv1.3;

     server_name mytechnix.com www.mytechnix.com;
     root /var/www/mytechnix.com;
     index index.html;
 }
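The copy steps above leave the private key with whatever mode the source file had, and nothing confirms that the certificate and key belong together. The following shell functions are an added example, not part of the original article; the function names are illustrative, the paths are the ones used above, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: sanity checks for the files copied into /etc/nginx/ssl.
# Function names are illustrative, not part of nginx or OpenSSL.

# Succeeds only if the file grants no permissions to group or others.
key_is_private() {
    perms=$(ls -ldL -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Succeeds only if the certificate and the key carry the same public key.
# Each public key is extracted on its own so a parse failure is detected
# instead of comparing two empty strings.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints one line per problem and returns the number of problems found.
check_tls_files() {
    cert=$1 key=$2 problems=0
    if ! key_is_private "$key"; then
        echo "FAIL: $key is accessible to group/others (fix: chmod 600)"
        problems=$((problems + 1))
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $cert does not match $key"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: $cert / $key"
    return "$problems"
}

# Usage:
# check_tls_files /etc/nginx/ssl/mytechnix.com.crt /etc/nginx/ssl/mytechnix.com.key
```

Run the check before `nginx -t`; a mismatched pair is otherwise only reported when the configuration is tested or reloaded.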

Redirect HTTP Traffic to HTTPS

When end users type your website’s domain, the site is normally loaded over HTTP, which means unencrypted. By configuring HTTP redirection, NGINX will redirect their browser to your site over an HTTPS connection. This is also useful for improving your page rank in search engine results. The only change is to add a redirection inside the HTTP server block.

 server {
     listen 80;
     server_name mytechnix.com www.mytechnix.com;

     # Permanent redirect to the HTTPS site, keeping the requested path and query
     return 301 https://mytechnix.com$request_uri;
 }

Configure Custom Access and Error Log

Nginx has an exceptional logging facility which is highly customizable. All client requests to the server are recorded in the access log in a specified format using the ngx_http_log_module module. The default log file is located at /var/log/nginx/access.log on Linux systems, and the default format for logging is normally the combined or main format.

You can specify multiple logs using access_log directives on the same level; here we are using more than one log file in the http or server block.

 # log_format is only valid in the http context (for example in /etc/nginx/nginx.conf)
 http {
     #Default log format (skip this definition if nginx.conf already defines "main")
     log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';

     #request tracing using custom format
     #($geoip_* variables require ngx_http_geoip_module with its databases configured)
     log_format custom '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $body_bytes_sent '
                       '"$http_referer" "$http_user_agent" '
                       '"$http_x_forwarded_for" $request_id '
                       '$geoip_country_name $geoip_country_code '
                       '$geoip_region_name $geoip_city ';

     server {
         #Default log format
         access_log /var/log/nginx/mytechnix.com_access.log;

         #Custom log format
         access_log /var/log/nginx/mytechnix.com_custom_access.log custom;

         #Error Log
         #Severity Levels: debug, info, notice, warn, error, crit, alert, emerg
         error_log /var/log/nginx/mytechnix.com_error.log warn;
     }
 }
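To show what the custom format gives you when reviewing traffic, here is an added example (not from the original article) that summarises 4xx/5xx responses per client from a log written with the custom log_format above and reports the last $request_id for each. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client error summary for the "custom" log_format above.
# Function names and sample data are constructed, not from the article.

# Prints "client error_count last_request_id" for every client that received
# at least $2 responses with a 4xx/5xx status in log file $1.
# Splitting on the double quote is safe because nginx writes a literal quote
# inside a logged variable as \x22 by default.
error_clients() {
    awk -F'"' -v min="$2" '
        NF < 9 { next }                  # line is not in the custom format
        {
            split($1, head, " ")         # head[1] = $remote_addr
            split($3, resp, " ")         # resp[1] = $status
            split($9, tail, " ")         # tail[1] = $request_id
            if (resp[1] ~ /^[45][0-9][0-9]$/) {
                count[head[1]]++
                last[head[1]] = tail[1]
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print ip, count[ip], last[ip]
        }' "$1" | sort
}

# Writes a constructed sample log (documentation-range addresses) to file $1.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [07/Dec/2020:18:25:01 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "curl/7.68.0" "-" 0a1b2c3d4e5f60718293a4b5c6d7e8f9 - - - -
203.0.113.7 - - [07/Dec/2020:18:25:02 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/7.68.0" "-" 0a1b2c3d4e5f60718293a4b5c6d7e8fa - - - -
198.51.100.20 - - [07/Dec/2020:18:25:03 +0000] "GET / HTTP/1.1" 200 21 "-" "Mozilla/5.0" "-" 1a1b2c3d4e5f60718293a4b5c6d7e8f0 - - - -
203.0.113.7 - - [07/Dec/2020:18:25:04 +0000] "POST /login HTTP/1.1" 403 153 "-" "curl/7.68.0" "-" 0a1b2c3d4e5f60718293a4b5c6d7e8fb - - - -
198.51.100.20 - - [07/Dec/2020:18:25:05 +0000] "GET /missing.css HTTP/1.1" 404 153 "https://mytechnix.com/" "Mozilla/5.0" "-" 1a1b2c3d4e5f60718293a4b5c6d7e8f1 - - - -
EOF
}

# Usage: error_clients /var/log/nginx/mytechnix.com_custom_access.log 20
```

The reported request ID can then be searched for in upstream or application logs that record the same value.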

Full Configuration Sample

 server {
     listen 80;
     listen [::]:80;
     server_name mytechnix.com www.mytechnix.com;
     return 301 https://mytechnix.com$request_uri;
 }

 server {
     listen 443 ssl http2 default_server;
     listen [::]:443 ssl http2 default_server;

     server_name mytechnix.com www.mytechnix.com;
     root /var/www/mytechnix.com;
     index index.html;

     ssl_certificate /etc/nginx/ssl/mytechnix.com.crt;
     ssl_certificate_key /etc/nginx/ssl/mytechnix.com.key;
     ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
     ssl_prefer_server_ciphers on;
     ssl_protocols TLSv1.2 TLSv1.3;

     access_log /var/log/nginx/mytechnix.com_access.log;
     error_log /var/log/nginx/mytechnix.com_error.log warn;

     location / {
         try_files $uri $uri/ =404;
     }
 }

Enable & Verify Configuration

Finally, create a new symlink in the /etc/nginx/sites-enabled/ directory to enable the configuration.

 ln -s /etc/nginx/sites-available/mytechnix.com /etc/nginx/sites-enabled/ 

Once the changes have been made in the Nginx configuration files, check the configuration for syntax errors using the following command.

 nginx -t 

Reload your NGINX configuration:

 nginx -s reload 
