Install Nginx on AlmaLinux
Prerequisites
You have received a valid SSL certificate and certificate key from your SSL provider (Certificate Authority, CA). If you want to use OCSP stapling you should also have a file for the certificate chain.
Copy these files to the server on which you’re going to set up nginx (e.g. through SSH). Move these files to appropriate directories and secure them as needed.
Move the certificate file to its default location:
sudo mv server.pem /etc/pki/tls/certs
sudo chown root:root /etc/pki/tls/certs/server.pem
sudo chmod 644 /etc/pki/tls/certs/server.pem
The certificate is public: it is sent to every client that connects to your site, so it is fine for this file to be readable by anyone.
Move the certificate key to its default location:
sudo mv server.key /etc/pki/tls/private
sudo chown root:root /etc/pki/tls/private/server.key
sudo chmod 600 /etc/pki/tls/private/server.key
If SELinux is in enforcing mode (the default), the files keep the security context of the directory they were moved from, because mv preserves labels. Run the commands below to relabel them; otherwise SELinux will prevent nginx from reading them.
sudo restorecon -v /etc/pki/tls/certs/server.pem
sudo restorecon -v /etc/pki/tls/private/server.key
Make sure the permissions are set exactly as described above: the certificate may be world-readable, but the private key must be readable by root only (nginx's master process runs as root and loads the key, so the nginx user itself does not need access). Keep this file secure. Anyone who obtains the key can impersonate your server and, for cipher suites without forward secrecy, decrypt recorded traffic to it.
If you use Let's Encrypt, its Certbot should take care of storing and securing your SSL certificate, key and chain.
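As an added example (not part of the original page and not one of Relution's setup scripts), the following POSIX shell function checks the properties the steps above establish before nginx is pointed at the files: that the key is readable only by its owner, that the certificate and key actually belong together, and that the certificate is not about to expire. The 30-day expiry window and the paths in the usage line are assumptions; run it against /etc/pki/tls/certs/server.pem and /etc/pki/tls/private/server.key after the moves above.

```sh
#!/bin/sh
# check_tls_files CERT KEY
# Return codes: 0 ok, 1 file missing or unreadable, 2 key permissions too open,
# 3 certificate and key do not match. Ownership and expiry are only warnings.
check_tls_files() {
  cert=$1
  key=$2
  [ -r "$cert" ] || { echo "cannot read certificate $cert" >&2; return 1; }
  [ -r "$key" ] || { echo "cannot read key $key" >&2; return 1; }

  # 1. The key must not be readable by group or others (mode 600 or 400).
  #    GNU stat first, BSD stat as a fallback.
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    600|400) ;;
    *) echo "key $key has mode $mode, expected 600" >&2; return 2 ;;
  esac
  owner=$(stat -c '%U' "$key" 2>/dev/null || stat -f '%Su' "$key")
  [ "$owner" = root ] || echo "warning: $key is owned by $owner, expected root" >&2

  # 2. The certificate must carry the public half of this key: compare the
  #    SHA-256 of the public key extracted from each file.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "certificate $cert does not match key $key" >&2; return 3; }

  # 3. Warn if the certificate expires within 30 days (2592000 seconds);
  #    an assumed threshold, adjust to your renewal process.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || echo "warning: $cert expires within 30 days" >&2
  return 0
}

# Usage (paths as set up above):
#   sh check_tls.sh /etc/pki/tls/certs/server.pem /etc/pki/tls/private/server.key
if [ $# -eq 2 ]; then
  check_tls_files "$1" "$2" && echo "ok: $1 and $2 are consistent"
fi
```

The public-key comparison is the check that catches the most common mistake at this step, a key file that belongs to an older CSR than the certificate the CA returned; nginx would only report that at start-up, after the configuration has been written.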
Preparation
Make sure your system is up-to-date and wget is installed. The instructions use wget to download scripts from our GitHub repository. Alternatively, if you are familiar with curl, you can replace wget with curl.
sudo yum -y update
sudo yum -y install wget
During this installation some files will need to be edited manually. If you are familiar with vim, set it as the default editor with the commands below. If you are not familiar with vim, skip this and keep using the default editor.
sudo yum -y install vim
sudo update-alternatives --install /usr/bin/editor editor /usr/bin/vim 100
Install nginx
Install the required packages.
sudo yum -y install epel-release
sudo yum -y install nginx
Configure nginx for Relution
Generate secure Diffie-Hellman parameters:
sudo openssl dhparam -out /etc/nginx/dhparams.pem 4096
This may take a very long time, depending on your server's CPU.
Create the cache directory for nginx. This is used to cache downloaded files, which reduces the load on Relution and the database when a lot of large files are downloaded at once.
sudo mkdir /usr/share/nginx/cache
sudo chown nginx:nginx /usr/share/nginx/cache
Download the nginx configuration files:
sudo wget https://raw.githubusercontent.com/relution-io/relution-setup/master/native/Linux/etc/nginx/conf.d/relution-ssl.conf.template
sudo wget https://raw.githubusercontent.com/relution-io/relution-setup/master/native/Linux/etc/nginx/conf.d/relution-location.include.template
Edit relution-ssl.conf.template and adjust it to your environment. All values that must be replaced have placeholders in the form %VALUE%, for example %EXT_HOSTNAME%. You must at least replace the following values:
Placeholder | Description
---|---
%EXT_HOSTNAME% | The external hostname for your Relution server. This must match the Common Name (
%SSL_CERT_PATH% | The path to your SSL certificate
%SSL_CERT_KEY_PATH% | The path to your SSL certificate's key file
%SSL_CERT_CHAIN_PATH% | The path to your SSL certificate's chain
If your Relution server is on a separate machine, change the IP address in the proxy_pass parameter(s) to the Relution server's IP address. Be aware that this option exists in both relution-ssl.conf.template and relution-location.include.template. Note that nginx talks plain HTTP to Relution on port 8080, so with Relution on another machine this hop is unencrypted: keep it on a trusted network segment and restrict port 8080 on the Relution host to the nginx server's address.

from:
proxy_pass http://127.0.0.1:8080;
to:
proxy_pass http://<relution-ip>:8080;
If you do not want to use OCSP stapling, comment out the following options:
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_trusted_certificate %SSL_CERT_CHAIN_PATH%;
Move the files to the nginx directories:
sudo mv relution-ssl.conf.template /etc/nginx/conf.d/relution-ssl.conf
sudo mv relution-location.include.template /etc/nginx/conf.d/relution-location.include
If SELinux is in enforcing mode (the default), the files keep the security context of the directory they were moved from, because mv preserves labels. Run the commands below to relabel them; otherwise SELinux will prevent nginx from reading them.
sudo restorecon -v /etc/nginx/conf.d/relution-ssl.conf
sudo restorecon -v /etc/nginx/conf.d/relution-location.include
Validate your nginx configuration with the following command:
sudo nginx -t
You should receive "syntax is ok" and "test is successful" messages. If you receive errors, check your nginx configuration for typos etc. as indicated in the error message.
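Because every placeholder in the template has to be replaced by hand, it is easy to leave one behind and only notice when nginx -t fails, or worse, when it passes because the leftover sits in a comment. The following added example (not the project's own tooling) performs the steps above as a script: it fills the %NAME% placeholders, refuses to produce the output file while any placeholder remains, and repoints proxy_pass at a remote Relution host. The hostname, paths and IP in the usage comment are assumptions; after writing the files into /etc/nginx/conf.d, continue with restorecon and nginx -t as described above.

```sh
#!/bin/sh
# fill_template TEMPLATE OUTPUT NAME=VALUE ...
# Copies TEMPLATE to OUTPUT, replacing every %NAME% with VALUE. If any
# %PLACEHOLDER% is still present afterwards, the output is removed and the
# function returns 1, so an incomplete config never reaches /etc/nginx/conf.d.
fill_template() {
  template=$1
  output=$2
  shift 2
  cp "$template" "$output" || return 1
  for pair in "$@"; do
    name=${pair%%=*}
    value=${pair#*=}
    case "$name" in
      *[!A-Z0-9_]*|'') echo "bad placeholder name: $name" >&2; rm -f "$output"; return 2 ;;
    esac
    # Escape the characters sed treats specially in a replacement: \ / &
    esc=$(printf '%s' "$value" | sed 's|[\\/&]|\\&|g')
    sed "s/%$name%/$esc/g" "$output" > "$output.tmp" && mv "$output.tmp" "$output"
  done
  if ! leftover_placeholders "$output"; then
    rm -f "$output"
    return 1
  fi
}

# leftover_placeholders FILE: lists unreplaced %NAME% tokens; returns 1 if any.
leftover_placeholders() {
  left=$(grep -o '%[A-Z0-9_]*%' "$1" | sort -u)
  if [ -n "$left" ]; then
    echo "unreplaced placeholders in $1:" >&2
    echo "$left" >&2
    return 1
  fi
  return 0
}

# set_upstream FILE IP: point every proxy_pass at the Relution host instead of
# localhost and print how many occurrences were changed. The option appears in
# both configuration files, so run it on each.
set_upstream() {
  file=$1
  ip=$2
  before=$(grep -c 'proxy_pass http://127\.0\.0\.1:8080;' "$file") || true
  sed "s#proxy_pass http://127\.0\.0\.1:8080;#proxy_pass http://$ip:8080;#g" "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
  echo "$before"
}

# Usage (values are assumptions for illustration):
#   fill_template relution-ssl.conf.template /etc/nginx/conf.d/relution-ssl.conf \
#     EXT_HOSTNAME=mdm.example.com \
#     SSL_CERT_PATH=/etc/pki/tls/certs/server.pem \
#     SSL_CERT_KEY_PATH=/etc/pki/tls/private/server.key \
#     SSL_CERT_CHAIN_PATH=/etc/pki/tls/certs/chain.pem
#   set_upstream /etc/nginx/conf.d/relution-ssl.conf 10.0.0.5
```

Running leftover_placeholders on the include file as well is worthwhile even if you edit it by hand, since nginx -t does not complain about a literal %VALUE% inside a string such as a proxy_set_header.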
Default server
The default nginx configuration configures a site for its placeholder web page. If Relution's web app is the only site hosted on this server, you can disable this default server and make Relution the default. If you're hosting multiple sites ("virtual hosts"), skip this step.
Open the global nginx configuration:
sudo editor /etc/nginx/nginx.conf
Comment out the server { … } section so that it looks similar to this:
# server {
# listen 80 default_server;
# listen [::]:80 default_server;
[...]
# }
There may be another server { … } section for SSL (i.e. HTTPS). If this is the case, comment it out as well.
# server {
# listen 443 ssl default_server;
# listen [::]:443 ssl;
[...]
# }
Modify the nginx configuration for Relution
sudo editor /etc/nginx/conf.d/relution-ssl.conf
Append default_server to each server's first listen option. It should look similar to this:
server {
listen 0.0.0.0:80 default_server;
listen [::]:80;
[...]
server {
listen 0.0.0.0:443 ssl default_server;
listen [::]:443 ssl;
[...]
Validate your nginx configuration to ensure everything is still correct:
sudo nginx -t
You should receive "syntax is ok" and "test is successful" messages. If you receive errors, check your nginx configuration for typos etc. as indicated in the error message.
Enable nginx service
If everything is ok, start and enable nginx:
sudo systemctl start nginx
sudo systemctl enable nginx
If you receive errors or the service does not start, check the log files for errors (/var/log/nginx/error.log).
Firewall
Open ports 80 and 443 in the firewall to allow access to HTTP and HTTPS from the outside world.
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload
SELinux configuration
You may not be able to connect to https://<your-fqdn-hostname> right away. If this is the case, check the error logs of nginx.
sudo grep "13: Permission denied" /var/log/nginx/relution_error.log
You may see error messages similar to this:
2018/04/27 18:12:41 [crit] 11111#0: *2 connect() to <relution-ip>:8080 failed (13: Permission denied) while connecting to upstream, client: <client-ip>, server: <your-fqdn-hostname>, request: "GET / HTTP/1.1", upstream: "http://<relution-ip>:8080/", host: "<nginx-ip>"
Verify that this is indeed a SELinux issue:
sudo grep nginx /var/log/audit/audit.log | grep denied
You should see one or more denied
messages similar to this:
type=AVC msg=audit(1524845545.644:365): avc: denied { name_connect } for pid=11111 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
Allow nginx to connect to the other machine:
sudo setsebool -P httpd_can_network_connect 1
This boolean lets nginx (running as httpd_t) open TCP connections to any port on any host. Relution's port 8080 is labelled http_cache_port_t, as the tcontext in the denial above shows, and connections from httpd_t to HTTP and proxy-cache ports are already covered by the narrower httpd_can_network_relay boolean; if you want to grant nginx only what a reverse proxy needs, set that one instead of httpd_can_network_connect.
You should now be able to connect to your Relution instance via HTTPS.
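Because the fix is a one-liner it is tempting to reach for the broadest boolean every time an AVC shows up. The following added example (not from the page or from Relution) reads audit.log lines such as the one shown above and prints, for each denial involving nginx, the narrowest remedy: the relay boolean for connections to HTTP and proxy-cache ports, the general connect boolean for any other port, and a relabel for denials on files or directories (the case the restorecon steps above prevent). The port-type-to-boolean mapping reflects the targeted policy on RHEL-family systems and is stated here as an assumption; the sample lines in the test are constructed, except for the one taken from the page.

```sh
#!/bin/sh
# avc_suggest: read audit log lines on stdin and print one remedy per AVC
# denial whose comm is "nginx". Assumed mapping (targeted policy):
#   httpd_t name_connect -> http_port_t / http_cache_port_t : httpd_can_network_relay
#   httpd_t name_connect -> any other TCP port              : httpd_can_network_connect
#   denial on a file or directory                           : wrong label, restorecon
#   anything else                                           : inspect with audit2allow

# field NAME LINE: value of NAME=value or NAME="value" in LINE (empty if absent)
field() {
  printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

avc_suggest() {
  grep 'avc: *denied' | grep 'comm="nginx"' | while IFS= read -r line; do
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p')
    tclass=$(field tclass "$line")
    ttype=$(field tcontext "$line" | cut -d: -f3)   # type part of user:role:type:level
    dest=$(field dest "$line")
    name=$(field name "$line")
    case "$tclass:$perm:$ttype" in
      tcp_socket:name_connect:http_port_t|tcp_socket:name_connect:http_cache_port_t)
        echo "$perm to port ${dest:-?} ($ttype): setsebool -P httpd_can_network_relay 1" ;;
      tcp_socket:name_connect:*)
        echo "$perm to port ${dest:-?} ($ttype): setsebool -P httpd_can_network_connect 1" ;;
      file:*|dir:*|lnk_file:*)
        echo "$perm on $tclass ${name:-?} labelled $ttype: check with ls -Z and run restorecon -v on it" ;;
      *)
        echo "$perm on $tclass ($ttype): no boolean known, inspect with ausearch -m avc -c nginx | audit2allow" ;;
    esac
  done
}

# Usage on a live system:
#   sudo grep 'comm="nginx"' /var/log/audit/audit.log | avc_suggest
```

The script only prints suggestions; apply a boolean with setsebool -P once you have read the denial it came from, since a connect denial to an unexpected port is just as likely to be a typo in proxy_pass as a missing permission.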