@Dracovian Dracovian/nginx.conf Secret
Last active Sep 9, 2019

Nginx configurator and rough steps for RHEL 8
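# Main nginx configuration: one plain-HTTP static site with response
# compression and browser security headers.

# Unprivileged account the worker processes run as.
# NOTE(review): "nobody" is commonly shared with other daemons; the build
# script on this page passes --user=nginx/--group=nginx, so a dedicated
# account may be what was intended - confirm before deploying.
user nobody;
worker_processes auto;       # One worker process per detected CPU core.
worker_rlimit_nofile 1024;   # RLIMIT_NOFILE (max open files) for each worker process.

events {
    worker_connections 512;  # Maximum simultaneous connections per worker process.
    use epoll;               # Use epoll for connection processing (Linux 2.6+ only).
    multi_accept on;         # A worker accepts all pending new connections at once.
}

http {
    include mime.types;      # File-extension to MIME-type map shipped with nginx.
    include fastcgi.conf;    # Stock FastCGI parameters, for use with php-fpm.

    open_file_cache max=2048 inactive=20s; # Cache descriptors/metadata of opened files; drop entries unused for 20s.
    open_file_cache_valid 30s;             # Re-validate cached entries after this long.
    open_file_cache_min_uses 3;            # Accesses needed within the inactive window for a descriptor to stay open in the cache.
    open_file_cache_errors on;             # Also cache file lookup errors.

    # Logging is reduced to save disk writes (not recommended for production
    # servers): with access_log off there is no request trail to review after
    # an incident.
    access_log off;
    # error_log takes the FILE first and the level second; a bare "crit" would
    # be read as a file name and the level would stay at the default. The path
    # is the log directory created in the setup steps.
    error_log /var/log/nginx/error.log crit;

    types_hash_max_size 2048;    # The default is 1024 and nginx complains about that default setting.
    types_hash_bucket_size 128;  # The default is 64 and nginx complains about that default setting as well.

    sendfile on;     # Send file contents with sendfile() instead of read()/write() copies.
    tcp_nopush on;   # TCP_CORK on Linux / TCP_NOPUSH on FreeBSD; only used together with sendfile.
    tcp_nodelay on;  # Enable the TCP_NODELAY socket option.

    gzip on;               # Compress responses to save bandwidth at the cost of CPU.
    gzip_min_length 8192;  # Only compress responses of at least 8 KiB.
    gzip_comp_level 4;     # 1 (fastest) to 9 (smallest); higher values cost more CPU.
    gzip_vary on;          # Add "Vary: Accept-Encoding" so caches keep compressed and plain variants apart.
    gzip_disable msie6;    # Skip compression for old Internet Explorer 6-era user agents.
    # Compress for proxied requests when the response carries an "Expires" or
    # "Cache-Control: no-cache/no-store/private" header, or when the request
    # carries an "Authorization" header.
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/css                  # Compress CSS files (stylesheets).
               text/javascript           # Compress JS files (JavaScript).
               text/xml                  # Compress XML files (eXtensible Markup Language).
               text/x-component          # Compress HTC files (HTML Component).
               application/javascript    # Compress JS files (JavaScript).
               application/x-javascript  # Compress JS files (JavaScript).
               application/json          # Compress JSON files (JavaScript Object Notation).
               application/xml           # Compress XML files (eXtensible Markup Language).
               application/rss+xml       # Compress RSS files (RDF Site Summary).
               application/atom+xml      # Compress Atom feeds.
               application/vnd.ms-fontobject # Compress EOT files (Fonts).
               font/truetype             # Compress TTF files (Fonts).
               font/opentype             # Compress OTF files (Fonts).
               image/svg+xml;            # Compress SVG files (Scalable Vector Graphics).

    reset_timedout_connection on;  # Reset (rather than linger on) connections that timed out.
    client_body_timeout 10;        # Seconds allowed between two reads of the request body.
    send_timeout 2;                # Seconds allowed between two writes of the response to the client.
    keepalive_timeout 30s;         # How long an idle keep-alive connection stays open.
    keepalive_requests 4096;       # Maximum requests served over one keep-alive connection.
    server_tokens off;             # Remove the nginx version from the "Server" header and error pages.

    server {
        listen 80;                   # Plain HTTP over IPv4.
        listen [::]:80 ipv6only=on;  # Plain HTTP over IPv6.

        # Security headers. "always" makes nginx attach them to error responses
        # (4xx/5xx) too; without it add_header only covers success and redirect
        # status codes. Any add_header inside a nested location replaces this
        # whole inherited set, so repeat the list there if one is ever added.
        #
        # "Host" and "Origin" are intentionally not set: they are request
        # headers, give no protection when sent in a response, and would only
        # echo the client-supplied host name back. "Expect-CT" is not set
        # either: it is deprecated, is only honoured over HTTPS (this block
        # serves plain HTTP), and with max-age=0 it enforced nothing.

        # NOTE(review): "default-src https:" and "upgrade-insecure-requests"
        # make browsers fetch subresources over HTTPS, but this block only
        # listens on port 80. Presumably TLS is terminated elsewhere - confirm,
        # otherwise page assets will fail to load.
        add_header Content-Security-Policy "default-src https:; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; connect-src 'self'; media-src 'self'; object-src 'self'; child-src 'self'; frame-src 'none'; worker-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self'; manifest-src 'self'" always;
        add_header Referrer-Policy same-origin always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options DENY always;
        # Legacy header for the old in-browser XSS filters; current browsers
        # have removed those filters, so the CSP above is the effective control.
        add_header X-XSS-Protection "1; mode=block" always;
        # NOTE(review): Feature-Policy has been superseded by Permissions-Policy,
        # which uses a different syntax; newer browsers may ignore this header.
        add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'" always;

        root /var/www/html;  # Directory that files are served from.
        index index.html;    # Default file for directory requests.

        location / {
            # Serve the file, then the directory, else fall back to index.html
            # with the original query string.
            try_files $uri $uri/ /index.html?$args;
        }
    }
}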
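# Place this unit file in /etc/systemd/system (written for RHEL 8).
# The log and cache directories have to exist before the first start:
# mkdir -p /var/log/nginx /var/cache/nginx
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target

[Service]
# nginx daemonizes itself, so systemd tracks the master process via the PID file.
Type=forking
PIDFile=/var/run/nginx.pid
# Validate the configuration first so a broken nginx.conf fails the start cleanly.
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
# Graceful shutdown: SIGQUIT lets the workers finish in-flight requests.
# start-stop-daemon is a Debian tool and is not part of RHEL 8, so the signal
# is sent directly to the master process instead. The leading "-" keeps a
# failed stop command from marking the unit as failed.
ExecStop=-/bin/kill -s QUIT $MAINPID
# After 5 seconds systemd stops waiting and kills whatever is still running.
TimeoutStopSec=5
KillMode=mixed
# Basic sandboxing: no privilege gain through setuid/setgid binaries, and a
# private /tmp that is not shared with other services.
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target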
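#!/bin/bash
# Configure an nginx source checkout for a RHEL 8 build.
# Run from the root of the nginx git tree (auto/configure is relative to it).
#
# Review notes:
# - Each module flag is listed once; the repeated http_geoip ... http_perl
#   run was a copy-paste duplicate and changed nothing.
# - Every module compiled in is code that ships in the binary even when it is
#   not configured (dav, perl, mail, stream, stub_status, ...). Drop the flags
#   you do not need to keep the attack surface small.
# - --with-debug only compiles in debug logging support; debug output is
#   produced only when error_log is set to the "debug" level.
# - --with-openssl-opt is handed to an OpenSSL source build (--with-openssl=DIR).
#   No such path is given here, so it presumably has no effect - confirm.
# - --user/--group set the compiled-in default account "nginx", which must
#   exist on the host; a "user" directive in nginx.conf overrides it.

if [ ! -f auto/configure ]; then
    echo "auto/configure not found: run this script from the nginx source root" >&2
    exit 1
fi

auto/configure \
    --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib64/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --user=nginx \
    --group=nginx \
    --build=RHEL8 \
    --builddir=nginx \
    --with-select_module \
    --with-poll_module \
    --with-threads \
    --with-file-aio \
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_xslt_module=dynamic \
    --with-http_image_filter_module=dynamic \
    --with-http_geoip_module=dynamic \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_auth_request_module \
    --with-http_random_index_module \
    --with-http_secure_link_module \
    --with-http_degradation_module \
    --with-http_slice_module \
    --with-http_stub_status_module \
    --with-http_perl_module=dynamic \
    --with-perl_modules_path=/usr/lib64/perl5 \
    --with-perl=/usr/bin/perl \
    --http-log-path=/var/log/nginx/access.log \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --with-mail=dynamic \
    --with-mail_ssl_module \
    --with-stream=dynamic \
    --with-stream_ssl_module \
    --with-stream_realip_module \
    --with-stream_geoip_module=dynamic \
    --with-stream_ssl_preread_module \
    --with-compat \
    --with-pcre \
    --with-pcre-jit \
    --with-openssl-opt=no-nextprotoneg \
    --with-debug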
git clone https://github.com/nginx/nginx.git
cd nginx
vim src/core/nginx.h
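Optional modifications to lines 12, 13, and 14 (cosmetic only: this changes the version the binary reports, including in `nginx -v`, and fixes no vulnerabilities, so keep a record of the real version you built for patch tracking):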
#define nginx_version 1000000
#define NGINX_VERSION "1.0.0"
#define NGINX_VER "None of your business./" NGINX_VERSION
vim src/http/ngx_http_header_filter_module.c
optional modification to line 49:
static u_char ngx_filter_server_string[] = "Server: None of your business." CRLF;
yum -y install <pkgname> for each of these build dependencies:
libxml2-devel
libxslt-devel
gd-devel
GeoIP-devel
pcre-devel
openssl-devel
chmod +x confnginx.sh
./confnginx.sh
make
make install