Configure a NGINX Website with Server Blocks and SSL on RHEL8.

Every day more and more of the world’s websites choose to run on NGINX.

Today there are 300 million, nearly double the number from August 2017. There are a number of reasons that NGINX is still growing. It is a "One for All" type webserver.

The configuration is slightly different from a basic httpd/apache web setup. Here I will walk you through a basic setup of two websites on the same host. (Virtual Host = HTTPD, or Server Blocks = NGINX ) A server block is a section in the configuration file that houses information for a specific website.

With RHEL8 using AppStream and BaseOS in RedHat Enterprise Linux 8.x

You will need to know how to search and install what you are needing to work with. For those of you that are new to AppStream think of it like Pythons pip. Detail about AppStream and BaseOS can be found here. An introduction to AppStream and BaseOS in Red Hat Enterprise Linux 8 It is way beyond the scope of this post, but I will give a quick demo if new to using modules.

I switched to root user by sudo -i command. Knowing the name of the package you want. See what options are available to work with.

List AppStream modules

Knowing how to locate the modules that you will find yourself using over time is a necessity.

[root@spohnz-lab ~]# yum module list *nginx*
Last metadata expiration check: 1:22:53 ago on Mon 11 May 2020 12:33:04 PM EDT.
Red Hat Enterprise Linux 8.1 AppStream (dvd)
Name                    Stream                    Profiles                    Summary
nginx                   *1.14 [d]*                  common [d]                  nginx webserver
nginx                   1.16                      common [d]                  nginx webserver

The 1.14 version is the default at the moment. Notice the [d] after the version number.

Reset the packages

  • Lets reset the stream and switch to the 1.16 version to install that.
[root@spohnz-lab ~]# yum module reset -y nginx
Red Hat Enterprise Linux 8.1 BaseOS (dvd)                           887 kB/s | 2.8 kB     00:00
Red Hat Enterprise Linux 8.1 AppStream (dvd)                        2.9 MB/s | 3.2 kB     00:00
Dependencies resolved.
Nothing to do.
Complete!

Install the NGINX package.

[root@spohnz-lab ~]# yum module install -y nginx:1.16
...output omitted...

Make directories for your web content.

I realize that most online tutorials suggest you add your content root directories to someplace like /usr/share/. I put this in /srv/nginx than in /usr/share. The /usr/share directory is for OS data; /srv is for data used by services provided by this system and managed by the site.

[root@spohnz-lab ~]# mkdir -p /srv/nginx/{webservera,webserverb}/www
[root@spohnz-lab ~]# echo 'This is the landing page for webservera' > /srv/nginx/webservera/www/index.html
[root@spohnz-lab ~]# echo 'This is the landing page for webserverb' > /srv/nginx/webserverb/www/index.html

Use semanage fcontext to ensure that the policy is correctly updated to httpd_sys_content_t

[root@spohnz-lab ~]# semanage fcontext -a -t httpd_sys_content_t '/srv/nginx(/.*)?'

Then restorecon would set the type to httpd_sys_content_t which Nginx can serve.

[root@spohnz-lab ~]# restorecon -vvFR /srv/nginx

Set up configuration files

Create a file in /etc/nginx/conf.d/. Name it something_that_relates_to_your_project.conf. For this example we named it webservera.example.com.

This file is not your web site data, it is a file that directs the flow of your site data. Give it a .conf extension.

   server {
       listen 80 ; 
       server_name _;
       return 301 https://$server_name$request_uri; 
   }
   server {
       listen 443 ssl; 
       server_name webservera.example.com;
       ssl_certificate /etc/pki/nginx/webservera.example.com.crt; 
       ssl_certificate_key /etc/pki/nginx/private/webservera.example.com.key; 
       location / {
           root /usr/share/nginx/webservera/www; 
           index index.html index.htm;
       }
   }
  • listen 80 ; This points out the port that we want the server to listen on. Default is port 80. SSL(https) is port 443.
  • return 301 https://$server_name$request_uri; The redirecting to https://
  • listen 443 ssl; After the redirect points to here we now read a new port address with the SSL protocol.
  • ssl_certificate /etc/pki/nginx/webservera.example.com.crt; This is the location of your cert weather it is self signed or not.
  • ssl_certificate_key /etc/pki/nginx/private/webservera.example.com.key; This is the location for your key.
  • root /usr/share/nginx/webservera/www; This is the location of your web sites html and css files.

We are redirecting the http (80) to https (443) in order to verify the crt and key files.

Verify that the configuration looks good with (nginx -t)

[root@spohnz-lab ~]# nginx -t

  • Do the same for the other configuration file. Since we are hosting two virtual servers, rename the site and locations from servera to serverb. Remember to end it with a .conf filename /etc/nginx/conf.d/webserverb.example.com.conf
server {
    listen 80 ;
    server_name webserverb.example.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name webserverb.example.com;
    ssl_certificate /etc/pki/nginx/webserverb.example.com.crt;
    ssl_certificate_key /etc/pki/nginx/private/webserverb.example.com.key;
    location / {
        root /usr/share/nginx/webserverb/www;
        # alias /usr/share/nginx/html;
        index index.html index.htm;
    }
}
EOT

Create the certificate and key directories.

If you are going through this tutorial then you may already have certs and keys for these sites but if not then lets create a self signed one with openssl.

Create the directories.

The /etc/pki/nginx directory is for the cert and the /etc/pki/nginx/private is for the key. They both have separate permissions.

[root@spohnz-lab ~]# mkdir /etc/pki/nginx/ /etc/pki/nginx/private

Edit permissions for file locations

[root@spohnz-lab ~]# chmod 0755 /etc/pki/nginx
[root@spohnz-lab ~]# chmod 0700 /etc/pki/nginx/private

Install TLS/SSL certs and keys.

[root@spohnz-lab ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/nginx/webservera.example.com.crt

  • I posted a variant of what returned for me. So you can see the steps to go through in the terminal.
Generating a RSA private key
......................+++++
.....................................................+++++
writing new private key to '/etc/pki/nginx/webservera.example.com.crt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:TX
Locality Name (eg, city) [Default City]:Dallas
Organization Name (eg, company) [Default Company Ltd]:spohnz.com
Organizational Unit Name (eg, section) []:nginx
Common Name (eg, your name or your server's hostname) []:lab
Email Address []:dallasspohnz@gmail.com
-----BEGIN CERTIFICATE-----
MIID7TCCAtWgAwIBAgIUbeTkQvkmGvwWtzsqGy3WxAwRKLIwDQYJKoZIhvcNAQEL
BQAwgYUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJUWDEPMA0GA1UEBwwGRGFsbGFz
MRMwEQYDVQQKDApzcG9obnouY29tMQ4wDAYDVQQLDAVuZ2lueDEMMAoGA1UEAwwD
bGFiMSUwIwYJKoZIhvcNAQkBFhZkYWxsYXNzcG9obnpAZ21haWwuY29tMB4XDTIw
MDUxMjE3NTkwNVoXDTIxMDUxMjE3NTkwNVowgYUxCzAJBgNVBAYTAlVTMQswCQYD
VQQIDAJUWDEPMA0GA1UEBwwGRGFsbGFzMRMwEQYDVQQKDApzcG9obnouY29tMQ4w
DAYDVQQLDAVuZ2lueDEMMAoGA1UEAwwDbGFiMSUwIwYJKoZIhvcNAQkBFhZkYWxs
YXNzcG9obnpAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEApWkUxboD+CqdEsgOoMltI6WoyeXWJZ1TjxcahPcfp8oiSHTEXd+91BzS5gKB
KSmvw+sQUnKMvr4H39IbrHZQRenobF6PL6358cRSoif7+FcSys0XuZ6z/THZM4yR
WHUzFqP9uvOJYhE6HjRHXVSRysfjMd7TWUCsMUklNR09L5QQlrdDVNELtEkePlJP
GTWI+v4BnSjtCoAK0sjBOJeyXeErkVoMZYTkN4+tYyDVm9fGvvHxKkoy+X6eogMg
IkNkahEJ8Je1EfpreywmgXCNmeLq6LohL0jF6BMgKc61HcKoIBGNUtBFoZmlqNte
8kHe0ZXEZfwaRhYoe9dKHqDzVwIDAQABo1MwUTAdBgNVHQ4EFgQUkodk/rGv0rjr
fsnNFzsU25h9f5gwHwYDVR0jBBgwFoAUkodk/rGv0rjrfsnNFzsU25h9f5gwDwYD
VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAVPbvQk9iyiUHFlxmIjqz
w01cWO/SBlRmxvqicb7YEwiRXa46K0WqIJJd5BWOtUA4tkl8gcCtHARcpt/KyYWt
84bnPjWXorz++BHcdNKXswyVk4g25DhEXZYX4LlMP+E5pR2tgXQw0RG6osBtSlPT
U+d2U3uvCV2GtyicwX1yy0DgxTP9r5je0yKBwgHHn41MdD3HnPnZ7I9ezh3RP1Jj
rCSKbxhmfH9Vm2166idAo24YTmIAhoF2sBKzIdnPZskN4okWFF1kNsDZMOydvvv6
jg==
-----END CERTIFICATE-----

WARNING: Don’t forget to do the same for webserverb.example.com the same way.

Enable and start NGINX

[root@spohnz-lab ~]# systemctl enable --now nginx
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.

Add http and https services to firewall-cmd

[root@spohnz-lab ~]#   firewall-cmd --permanent --add-service=http --add-service=https
[root@spohnz-lab ~]#   firewall-cmd --reload

NGINX has a nice soft reload that doesn’t inturrupt other processes. nginx -s reload works great for testing.

That’s it. Hope all goes smoothly for you. If not then NGINX as well as Red Hat has some great documentation to learn from.

SELINUX USER’S AND ADMINISTRATOR’S GUIDE

Nginx documentation

No Comments Yet