Install Nginx on Red Hat Enterprise Linux

Prerequisites

You have received a valid SSL certificate and certificate key from your SSL provider (Certificate Authority, CA). If you want to use OCSP stapling you should also have a file for the certificate chain.

Copy these files to the server on which you’re going to set up nginx (e.g. through SSH). Move these files to appropriate directories and secure them as needed.

Move the certificate file to its default location:

mv server.pem /etc/pki/tls/certs
chown root:root /etc/pki/tls/certs/server.pem
chmod 644 /etc/pki/tls/certs/server.pem

The certificate is public: it is sent to anyone connecting to your site. It’s OK to make this file readable by anyone.

Move the certificate key to its default location:

mv server.key /etc/pki/tls/private
chown root:root /etc/pki/tls/private/server.key
chmod 600 /etc/pki/tls/private/server.key

If SELinux is in enforcing mode (the default), the files’ security context will be wrong after the move. Run the commands below to fix it. Otherwise SELinux will prevent services from accessing these files for security reasons.

sudo restorecon -v /etc/pki/tls/certs/server.pem
sudo restorecon -v /etc/pki/tls/private/server.key

For security reasons these files will be ignored unless their permissions are set correctly. Make sure you set the permissions as described above. The private key must only be readable by root. Make sure to keep this file secure. Anyone with access to this key can sign data in your name and decrypt private information sent to you.

If you use Let’s Encrypt its Certbot should take care of storing and securing your SSL certificate, key and chain.
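
The file placement described above, as an added example that is not part of the Relution guide: a small POSIX shell script that copies the certificate and key into the guide’s directories with the required permissions, relabels them when SELinux tooling is present, and refuses to finish if the key ended up readable by group or others. It assumes `install` and either GNU or BSD `stat` are available; the directory defaults are the ones from the guide and can be overridden for testing.

```shell
#!/bin/sh
# Added example, not part of the Relution guide: copy a certificate and its private key into
# the directories the guide uses with the permissions it requires, then verify the result.
# Assumptions: POSIX sh with 'install' and either GNU or BSD 'stat'; restorecon is run only
# when SELinux tooling is present, so the script is also usable on hosts without SELinux.
set -u

# Copy a public certificate as mode 644. World-readable is fine: the certificate is sent to
# every client anyway.
install_cert() {
    install -m 644 "$1" "$2/$(basename "$1")"
}

# Copy a private key as mode 600 so that only its owner (root, once chowned) can read it.
install_key() {
    install -m 600 "$1" "$2/$(basename "$1")"
}

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 when the file has exactly the expected octal mode, 1 otherwise.
check_mode() {
    [ "$(file_mode "$1")" = "$2" ]
}

# Return 0 when a private key is unreadable by group and others (mode 600 or 400).
key_is_private() {
    mode=$(file_mode "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Relabel a file for SELinux when restorecon exists; no-op otherwise.
restore_label() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -v "$1"
    fi
}

# Usage as root: sh install-tls.sh server.pem server.key [certs-dir] [private-dir]
main() {
    cert=$1 key=$2
    certs_dir=${3:-/etc/pki/tls/certs}
    private_dir=${4:-/etc/pki/tls/private}
    install_cert "$cert" "$certs_dir"
    install_key "$key" "$private_dir"
    cert_dst="$certs_dir/$(basename "$cert")"
    key_dst="$private_dir/$(basename "$key")"
    chown root:root "$cert_dst" "$key_dst"
    restore_label "$cert_dst"
    restore_label "$key_dst"
    key_is_private "$key_dst" || { echo "refusing to continue: $key_dst is readable by others" >&2; return 1; }
    echo "installed $cert_dst (644) and $key_dst (600)"
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

The `install -m` calls set the mode explicitly, so the result does not depend on the umask of the shell you run this from; `key_is_private` is the final check that matters, since a key readable by other accounts on the host is the failure the guide warns about.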

Preparation

Make sure your system is up-to-date and wget is installed. The instructions use wget to download scripts from our GitHub repository. Alternatively, if you are familiar with curl you can replace wget with curl.

sudo yum -y update
sudo yum -y install wget

During this installation some files will need to be edited manually. If you are familiar with vim, set it as the default editor with the commands below. If you are not familiar with vim, skip this and keep using the default editor.

sudo yum -y install vim
sudo update-alternatives --install /usr/bin/editor editor /usr/bin/vim 100

Install nginx

Install the required packages.

sudo subscription-manager repos --enable "rhel-*-optional-rpms" --enable "rhel-*-extras-rpms"
sudo rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum -y update
sudo yum -y install nginx

Configure nginx for Relution

Generate secure Diffie-Hellman parameters:

sudo openssl dhparam -out /etc/nginx/dhparams.pem 4096

This may take a very long time, depending on your server’s CPU.

Create the cache directory for nginx. This is used to cache downloaded files, which reduces the load on Relution and the database when a lot of large files are downloaded at once.

sudo mkdir /usr/share/nginx/cache
sudo chown nginx:nginx /usr/share/nginx/cache

Download the nginx configuration files:

wget https://raw.githubusercontent.com/relution-io/relution-setup/master/native/Linux/etc/nginx/conf.d/relution-ssl.conf.template
wget https://raw.githubusercontent.com/relution-io/relution-setup/master/native/Linux/etc/nginx/conf.d/relution-location.include.template

Edit relution-ssl.conf.template and adjust it to your environment. All values that must be replaced have placeholders of the form %VALUE%, for example %EXT_HOSTNAME%. You must at least replace the following values:

Placeholder              Description
%EXT_HOSTNAME%           The external hostname of your Relution server. It must match the Common Name (CN) of your SSL certificate.
%SSL_CERT_PATH%          The path to your SSL certificate.
%SSL_CERT_KEY_PATH%      The path to your SSL certificate’s key file.
%SSL_CERT_CHAIN_PATH%    The path to your SSL certificate’s chain file.

If your Relution server is on a separate machine, change the IP address in the proxy_pass parameter(s) to the Relution server’s IP address. Be aware that this option exists in both relution-ssl.conf.template and relution-location.include.template.

If you do not want to use OCSP stapling, comment out the following options:

#    ssl_stapling on;
#    ssl_stapling_verify on;
#    ssl_trusted_certificate %SSL_CERT_CHAIN_PATH%;
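
The template editing described above, done without a text editor, as an added example that is not from the relution-setup repository: a POSIX shell script that substitutes the four placeholders the guide lists, comments out the three stapling directives when no chain file is given, and refuses to produce a configuration that still contains a placeholder (a leftover %VALUE% is a common reason for `nginx -t` to fail). The sample template written by `write_sample_template` is a constructed, cut-down stand-in for the real file; the hostname and paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the relution-setup repository: fill in the %PLACEHOLDER% values of
# relution-ssl.conf.template without editing by hand, refuse to install a file that still
# contains a placeholder, and comment out the OCSP stapling directives when no chain file
# is available. The sample template written by write_sample_template is constructed for
# this example; the real template is the one downloaded above.

# Render a template into a new file. '|' is used as the sed delimiter so that paths with '/'
# need no escaping; the values therefore must not contain '|' or '&'.
render_template() {
    template=$1 out=$2 host=$3 cert=$4 key=$5 chain=$6
    sed -e "s|%EXT_HOSTNAME%|$host|g" \
        -e "s|%SSL_CERT_PATH%|$cert|g" \
        -e "s|%SSL_CERT_KEY_PATH%|$key|g" \
        -e "s|%SSL_CERT_CHAIN_PATH%|$chain|g" \
        "$template" > "$out"
}

# Print every placeholder left in a file (one per line) and return 1; return 0 when none remain.
unresolved_placeholders() {
    left=$(grep -o '%[A-Z_][A-Z_]*%' "$1" | sort -u)
    [ -z "$left" ] && return 0
    printf '%s\n' "$left"
    return 1
}

# Comment out the three stapling directives, producing the lines shown in the guide.
disable_stapling() {
    sed -i.bak -e '/^[[:space:]]*ssl_stapling/s|^|#|' \
               -e '/^[[:space:]]*ssl_trusted_certificate/s|^|#|' "$1" && rm -f "$1.bak"
}

# Write a constructed, cut-down template with the same placeholders as the real one.
write_sample_template() {
    cat > "$1" <<'EOF'
server {
    listen 0.0.0.0:443 ssl;
    server_name %EXT_HOSTNAME%;
    ssl_certificate %SSL_CERT_PATH%;
    ssl_certificate_key %SSL_CERT_KEY_PATH%;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate %SSL_CERT_CHAIN_PATH%;
}
EOF
}

# Usage: sh render.sh relution-ssl.conf.template relution-ssl.conf HOST CERT KEY [CHAIN]
# e.g.   sh render.sh relution-ssl.conf.template relution-ssl.conf relution.example.com \
#            /etc/pki/tls/certs/server.pem /etc/pki/tls/private/server.key /etc/pki/tls/certs/chain.pem
if [ $# -ge 5 ]; then
    render_template "$1" "$2" "$3" "$4" "$5" "${6:-}"
    if [ -z "${6:-}" ]; then
        disable_stapling "$2"
    fi
    if ! unresolved_placeholders "$2"; then
        echo "unresolved placeholders remain in $2, not installing" >&2
        exit 1
    fi
fi
```

Rendering into a separate output file keeps the downloaded template untouched, so a wrong value can be corrected by re-running the script rather than by re-downloading; run `nginx -t` on the result as the guide describes before moving it into /etc/nginx/conf.d.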

Move the files to the nginx directories:

sudo mv relution-ssl.conf.template /etc/nginx/conf.d/relution-ssl.conf
sudo mv relution-location.include.template /etc/nginx/conf.d/relution-location.include

If SELinux is in enforcing mode (the default), the files’ security context will be wrong after the move. Run the commands below to fix it. Otherwise SELinux will prevent services from accessing these files for security reasons.

sudo restorecon -v /etc/nginx/conf.d/relution-ssl.conf
sudo restorecon -v /etc/nginx/conf.d/relution-location.include

Validate your nginx configuration with the following command:

sudo nginx -t

You should see messages saying that the syntax is okay and the test is successful. If you receive errors, check your nginx configuration for typos and similar mistakes at the location indicated in the error message.

Default server

The default nginx configuration configures a site for its placeholder web page. If Relution’s web app is the only site hosted on this server, you can disable this default server and make Relution the default. If you’re hosting multiple sites (“virtual hosts”), skip this step.

Open the global nginx configuration:

sudo editor /etc/nginx/nginx.conf

Comment out the server { … } section so that it looks similar to this:

#    server {
#        listen       80 default_server;
#        listen       [::]:80 default_server;
        [...]
#    }

There may be another server { … } section for SSL (i.e. HTTPS). If so, comment it out as well.

#    server {
#        listen       443 ssl default_server;
#        listen       [::]:443 ssl;
        [...]
#    }

Modify the nginx configuration for Relution

sudo editor /etc/nginx/conf.d/relution-ssl.conf

Append default_server to each server’s first listen option. It should look similar to this:

server {
    listen 0.0.0.0:80 default_server;
    listen [::]:80;
[...]

server {
    listen 0.0.0.0:443 ssl default_server;
    listen [::]:443 ssl;
[...]

Validate your nginx configuration to ensure everything is still correct:

sudo nginx -t

You should see messages saying that the syntax is okay and the test is successful. If you receive errors, check your nginx configuration for typos and similar mistakes at the location indicated in the error message.

Enable nginx service

If everything is ok, start and enable nginx:

sudo systemctl start nginx
sudo systemctl enable nginx

If you receive errors or the service does not start, check the log files for errors (/var/log/nginx/error.log).

Firewall

Open ports 80 and 443 in the firewall to allow access to HTTP and HTTPS from the outside world.

sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload

SELinux configuration

You may not be able to connect to https://<your-fqdn-hostname> right away. If this is the case, check the error logs of nginx.

grep "13: Permission denied" /var/log/nginx/relution_error.log

You may see error messages similar to this:

2018/04/27 18:12:41 [crit] 11111#0: *2 connect() to <relution-ip>:8080 failed (13: Permission denied) while connecting to upstream, client: <client-ip>, server: <your-fqdn-hostname>, request: "GET / HTTP/1.1", upstream: "http://<relution-ip>:8080/", host: "<nginx-ip>"

Verify that this is indeed a SELinux issue:

sudo grep nginx /var/log/audit/audit.log | grep denied

You should see one or more denied messages similar to this:

type=AVC msg=audit(1524845545.644:365): avc:  denied  { name_connect } for  pid=11111 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Allow nginx to make outbound network connections, which covers its connection to the Relution server:

sudo setsebool -P httpd_can_network_connect 1

You should now be able to connect to your Relution instance via HTTPS.
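
The audit-log check above, as an added example that is not part of the guide: a POSIX shell script that pulls the AVC denials raised by nginx out of audit.log, reduces each to the permission, target label and object class, and prints the fix the guide gives for the case it covers (name_connect on a tcp_socket, fixed with the httpd_can_network_connect boolean). File-class denials are pointed at restorecon, as in the guide’s note on moved files; anything else is left to audit2why. The record in `sample_denial` is a copy of the one quoted above so the script can be run without a real audit log; `<path>` in the restorecon suggestion is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the guide: extract the SELinux denials that concern nginx from
# audit.log and map the denial the guide describes (name_connect on a tcp_socket) to the
# boolean the guide sets. Input is read from the file names given as arguments, or from
# stdin when none are given; the record in sample_denial is the one quoted in the guide.

# Print "comm permission target_type tclass" for each AVC denial raised by nginx.
nginx_avc_denials() {
    grep 'avc:[[:space:]]*denied' "$@" | grep 'comm="nginx"' |
    sed -n 's/.*denied[[:space:]]*{ \([a-z_]*\) }.*comm="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([A-Za-z0-9_]*\):.*tclass=\([a-z_]*\).*/\2 \1 \3 \4/p'
}

# Read the summarised denials and print the fix the guide gives for each one it covers.
suggested_fix() {
    while read -r comm perm ttype tclass; do
        case "$perm/$tclass" in
            name_connect/tcp_socket)
                echo "setsebool -P httpd_can_network_connect 1" ;;
            */file|*/dir|*/lnk_file)
                echo "restorecon -v <path>   # $comm may not $perm an object labelled $ttype; relabel it if it was moved into place" ;;
            *)
                echo "no fix in this guide for $perm on $tclass; run audit2why on the record" ;;
        esac
    done
}

# Constructed copy of the record shown in the guide, for running this script without a real audit log.
sample_denial() {
    printf '%s\n' 'type=AVC msg=audit(1524845545.644:365): avc:  denied  { name_connect } for  pid=11111 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket'
}

# Usage: sudo sh nginx-avc.sh /var/log/audit/audit.log
#   or:  sample_denial | nginx_avc_denials | suggested_fix
if [ $# -ge 1 ]; then
    nginx_avc_denials "$@" | suggested_fix | sort -u
fi
```

Summarising the denials before acting on them is the point: the boolean in the guide is only the right fix for a name_connect denial on a network socket, and a file-class denial on the certificate or configuration files is the relabelling problem described earlier in the guide, not a reason to loosen network policy.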