Configure an NGINX Website with Server Blocks and SSL on RHEL8.

Every day more and more of the world’s websites choose to run on NGINX.

Today there are 300 million, nearly double the number from August 2017. There are a number of reasons that NGINX is still growing. It is a "One for All" type webserver.

The configuration is slightly different from a basic httpd/Apache web setup. Here I will walk you through a basic setup of two websites on the same host (virtual hosts in httpd, server blocks in NGINX). A server block is a section in the configuration file that houses information for a specific website.

Using AppStream and BaseOS in Red Hat Enterprise Linux 8.x

You will need to know how to search for and install the packages you need. For those of you who are new to AppStream, think of it like Python's pip. Details about AppStream and BaseOS can be found in "An introduction to AppStream and BaseOS in Red Hat Enterprise Linux 8". That topic is way beyond the scope of this post, but I will give a quick demo in case you are new to using modules.

I switched to the root user with the sudo -i command. Once you know the name of the package you want, see what options are available to work with.

List AppStream modules

Knowing how to locate the modules that you will find yourself using over time is a necessity.

[root@spohnz-lab ~]# yum module list *nginx*
Last metadata expiration check: 1:22:53 ago on Mon 11 May 2020 12:33:04 PM EDT.
Red Hat Enterprise Linux 8.1 AppStream (dvd)
Name                    Stream                    Profiles                    Summary
nginx                   1.14 [d]                  common [d]                  nginx webserver
nginx                   1.16                      common [d]                  nginx webserver

The 1.14 version is the default at the moment. Notice the [d] after the version number.

Reset the packages

  • Let's reset the stream so that we can switch to the 1.16 version and install it.

[root@spohnz-lab ~]# yum module reset -y nginx
Red Hat Enterprise Linux 8.1 BaseOS (dvd)                           887 kB/s | 2.8 kB     00:00
Red Hat Enterprise Linux 8.1 AppStream (dvd)                        2.9 MB/s | 3.2 kB     00:00
Dependencies resolved.
Nothing to do.

Install the NGINX package.

[root@spohnz-lab ~]# yum module install -y nginx:1.16
...output omitted...

Make directories for your web content.

I realize that most online tutorials suggest you add your content root directories to someplace like /usr/share/. I put this in /srv/nginx rather than in /usr/share. The /usr/share directory is for OS data; /srv is for data used by services provided by this system and managed by the site.

[root@spohnz-lab ~]# mkdir -p /srv/nginx/{webservera,webserverb}/www
[root@spohnz-lab ~]# echo 'This is the landing page for webservera' > /srv/nginx/webservera/www/index.html
[root@spohnz-lab ~]# echo 'This is the landing page for webserverb' > /srv/nginx/webserverb/www/index.html

Use semanage fcontext to ensure that the policy is correctly updated to httpd_sys_content_t

[root@spohnz-lab ~]# semanage fcontext -a -t httpd_sys_content_t '/srv/nginx(/.*)?'

Then restorecon would set the type to httpd_sys_content_t which Nginx can serve.

[root@spohnz-lab ~]# restorecon -vvFR /srv/nginx

Set up configuration files

Create a file in /etc/nginx/conf.d/. Name it something_that_relates_to_your_project.conf. For this example we named it

This file is not your website data; it is a file that directs the flow of your site data. Give it a .conf extension.

   server {
       listen 80;
       server_name _;
       # Use $host here: with "server_name _" the $server_name variable expands to "_"
       return 301 https://$host$request_uri;
   }

   server {
       listen 443 ssl;
       ssl_certificate /etc/pki/nginx/;
       ssl_certificate_key /etc/pki/nginx/private/;

       location / {
           # Content root created and labelled httpd_sys_content_t earlier
           root /srv/nginx/webservera/www;
           index index.html index.htm;
       }
   }

  • listen 80; This is the port that we want the server to listen on. The default is port 80. SSL (https) is port 443.
  • return 301 https://$host$request_uri; This redirects the request to https://.
  • listen 443 ssl; After the redirect, the request arrives on this new port, which uses the SSL protocol.
  • ssl_certificate /etc/pki/nginx/; This is the location of your cert, whether it is self-signed or not.
  • ssl_certificate_key /etc/pki/nginx/private/; This is the location of your key.
  • root /srv/nginx/webservera/www; This is the location of your website's HTML and CSS files.

We are redirecting the http (80) to https (443) in order to verify the crt and key files.

Verify that the configuration looks good with (nginx -t)

[root@spohnz-lab ~]# nginx -t

  • Do the same for the other configuration file. Since we are hosting two virtual servers, rename the site and locations from servera to serverb. Remember to give the file a .conf extension: /etc/nginx/conf.d/

server {
    listen 80;
    # Use $host here: this block has no server_name, so $server_name is empty
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    ssl_certificate /etc/pki/nginx/;
    ssl_certificate_key /etc/pki/nginx/private/;

    location / {
        # Content root created and labelled httpd_sys_content_t earlier
        root /srv/nginx/webserverb/www;
        # alias /usr/share/nginx/html;
        index index.html index.htm;
    }
}

Create the certificate and key directories.

If you are going through this tutorial, you may already have certs and keys for these sites. If not, let's create a self-signed one with openssl.

Create the directories.

The /etc/pki/nginx directory is for the cert and the /etc/pki/nginx/private is for the key. They both have separate permissions.

[root@spohnz-lab ~]# mkdir /etc/pki/nginx/ /etc/pki/nginx/private

Edit permissions for file locations

[root@spohnz-lab ~]# chmod 0755 /etc/pki/nginx
[root@spohnz-lab ~]# chmod 0700 /etc/pki/nginx/private

Install TLS/SSL certs and keys.

[root@spohnz-lab ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/nginx/

  • I posted a variant of what was returned for me, so you can see the steps to go through in the terminal.

Generating a RSA private key
writing new private key to '/etc/pki/nginx/'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:TX
Locality Name (eg, city) [Default City]:Dallas
Organization Name (eg, company) [Default Company Ltd]
Organizational Unit Name (eg, section) []:nginx
Common Name (eg, your name or your server's hostname) []:lab
Email Address []

WARNING: Don’t forget to do the same for the same way.

Enable and start NGINX

[root@spohnz-lab ~]# systemctl enable --now nginx
Created symlink /etc/systemd/system/ → /usr/lib/systemd/system/nginx.service.

Add http and https services to firewall-cmd

[root@spohnz-lab ~]#   firewall-cmd --permanent --add-service=http --add-service=https
[root@spohnz-lab ~]#   firewall-cmd --reload

NGINX has a nice soft reload that doesn’t interrupt other processes. nginx -s reload works great for testing.

That’s it. Hope all goes smoothly for you. If not, then NGINX as well as Red Hat have some great documentation to learn from.


Nginx documentation
