Jump to content

NGINX Issue

Stentorian
 Share
Go to solution Solved by meun5,

What it appears that you want to do is setup virtual hosts. This would allow each site to have their own unique configuration, whilst still be hosted by the same NGINX instance. To do so, I am going to assume you already have NGINX installed. If not, here is a guide for RHEL: https://access.redhat.com/solutions/1211673. The latest NGINX version as of time of writing for RHEL 7 and 8 appears to be 1.14.1.

 

Once NGINX is installed the configuration files will be in either /etc/nginx or /etc/opt/rh/rh-nginx114/nginx/, dependent on the package you install. Older versions may be in a different folder. You will have to consult the manual that came with your NGINX installation. The rest of this post will assume that the configuration directory is /etc/nginx

 

Once you have determined the configuration file location, you can then configure NGINX to load different virtual hosts. Typically, the main configuration file is nginx.conf, however this may be different depending on system configuration. Look for the include directive approximately 3/4 of the way through the file. Usually, it will state something similar to this, 

include /etc/nginx/conf.d/*.conf;

but that may be different dependent on the version of NGINX installed. Older versions may have this instead, 

include /etc/nginx/sites-enabled/*;

That directive refers to path where NGINX will look for additional configuration files. You may add more include directives to nginx.conf if you wish to add additional configuration directories. The rest of this post will assume /etc/nginx/conf.d/ is the directory for additional configuration files. Note: whilst you may add virtualhost configurations directly to the main nginx.conf file, it is best practice to separate each site into its own file. The rest of this post will assume that each site will have its own virtualhost file.

 

Once the additional configuration directory has been determined, we can now setup virtual hosts. Create a new file in the /etc/nginx/conf.d/. With the defaults with this directory, NGINX will only interpret files with the .conf extension, but is dependent on system and service configuration. Best practice is usually have the site address as the file name, for example: sub.domain.ru.conf, for the address: sub.domain.ru. This is up to personal preference though. Once this file has been created, a virtual host block can be added to it.

 

Virtual host blocks typically have the following format: 

server {
    listen       443 ssl http2; # HTTP/2 TLS IPv4 Listen Directive
    listen       [::]:443 ssl http2; # HTTP/2 TLS IPv6 Listen Directive
    server_name  sub.domain.ru; # The Domain for this Virtual Host

    charset utf-8; # Charset to use. Usually UTF-8 is fine. Consult the documentation of the software to determine if a more appriopiate charset is needed.

    ssl_certificate /etc/pki/tls/sub.domain.ru/fullchain.pem; # Path to the TLS Certificate
    ssl_certificate_key /etc/pki/tls/sub.domain.ru/privkey.pem; # Path to the TLS Certificate Key

    ssl_protocols TLSv1.2 TLSv1.1; # TLS Protocols to use.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; # TLS Ciphers to use
    ssl_prefer_server_ciphers on; # Prefer server ciphers to mitigate downgrade attacks.

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # Enable HSTS with preloading

    ssl_stapling on; # Enable OSCP Stapling. This reduces the traffic to OSCP responders.
    ssl_trusted_certificate /etc/pki/tls/sub.domain.ru/chain.pem; # List of Trusted Certificates used to verify client certificates if enabled and OCSP responses if ssl stapling is enabled.
    ssl_stapling_verify on; # Verify OSCP responses.

    root /srv/web; # The root of the application directory.

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }

    location / {
        ...
    }
}

The paths, and the root/location directives will be different depending on how you configure NGINX and what you want to do with NGINX.

 

After you have created all your virtual hosts, it is best to run "nginx -t" as an appropriate user to ensure that there are no mistakes in the configuration. Once this has been done, you can reload NGINX to load the new configs. On RHEL, this is usually accomplished with "systemctl reload nginx", though the name of the service may change dependent on how NGINX was installed and configured. On other systems, it may be different. A reboot of the server would also work.

 

Once all that is done, you can go ahead and test the virtual hosts and make sure they are all operating correctly.

 

Note: The example configuration provided here is to be used as a starting point only, and has not been audited to ensure it meets current security and privacy guidelines or regulations. It is up to you to adjust it to meet all applicable laws and regulations.

vhost.sample.conf

Posted

Hello, 

 

I am HR for a company called KewlHost which are still in development and we are looking for someone to help us with a NGINX issue. We are trying to use NGINX on one of our nodes that we own to host several sites. At the moment, we need one for the main website, one for the gameserver panel and one for the billing website. We also want 3 - 4 dummy sites that we can change in the future.

 

It would be appreciated if someone could help, either by providing a tutorial on how to do it or by sending a message to me on Discord (Stentorian#9524) so you can help us out. Either way would be much appreciated.

 

Many Thanks, 

Stentorian

 

EDIT: All of the sites need to have SSL encryption on them. We have LetsEncrypt keys but we need it to support SSL. 

Current PC: 

Spoiler

Motherboard: MSI Z390-A PRO

CPU: Intel Core i7-9700K @ 3.60GHz

Memory: 32GB (4x8GB) Corsair Vengeance 

Graphics Card: NVIDIA GeForce RTX 3060 Ti

Boot: Crucial P2 500GB (M.2)

SSD: Crucial BX500 1TB

HDD: Seagate ST2000DM001 2TB

HDD: Seagate Barracuda 4TB

PSU: Gigabyte P750GM 750W

Case: IONZ KZ10

Current Laptop:

Spoiler

Name: Lenovo ThinkBook 14 20SL003JUK

CPU: Intel i7-1065G7 @ 3GHz

Graphics: Intel Iris Graphics

RAM: 16GB DDR4 @ 2667MHz

SSD: 480GB Western Digital M.2

Secondary SSD: 240GB Adata SATA

Other Gear:

Spoiler

Phone: Google Pixel 6 (128GB)

Headphones: Steelseries Arctis 3

Microphone: Blue Snowball Ice

Speakers: Creative T100

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

If you are working HR you should do what you do best: Hire somebody.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
  • Solution

What it appears that you want to do is setup virtual hosts. This would allow each site to have their own unique configuration, whilst still be hosted by the same NGINX instance. To do so, I am going to assume you already have NGINX installed. If not, here is a guide for RHEL: https://access.redhat.com/solutions/1211673. The latest NGINX version as of time of writing for RHEL 7 and 8 appears to be 1.14.1.

 

Once NGINX is installed the configuration files will be in either /etc/nginx or /etc/opt/rh/rh-nginx114/nginx/, dependent on the package you install. Older versions may be in a different folder. You will have to consult the manual that came with your NGINX installation. The rest of this post will assume that the configuration directory is /etc/nginx

 

Once you have determined the configuration file location, you can then configure NGINX to load different virtual hosts. Typically, the main configuration file is nginx.conf, however this may be different depending on system configuration. Look for the include directive approximately 3/4 of the way through the file. Usually, it will state something similar to this, 

include /etc/nginx/conf.d/*.conf;

but that may be different dependent on the version of NGINX installed. Older versions may have this instead, 

include /etc/nginx/sites-enabled/*;

That directive refers to path where NGINX will look for additional configuration files. You may add more include directives to nginx.conf if you wish to add additional configuration directories. The rest of this post will assume /etc/nginx/conf.d/ is the directory for additional configuration files. Note: whilst you may add virtualhost configurations directly to the main nginx.conf file, it is best practice to separate each site into its own file. The rest of this post will assume that each site will have its own virtualhost file.

 

Once the additional configuration directory has been determined, we can now setup virtual hosts. Create a new file in the /etc/nginx/conf.d/. With the defaults with this directory, NGINX will only interpret files with the .conf extension, but is dependent on system and service configuration. Best practice is usually have the site address as the file name, for example: sub.domain.ru.conf, for the address: sub.domain.ru. This is up to personal preference though. Once this file has been created, a virtual host block can be added to it.

 

Virtual host blocks typically have the following format: 

server {
    listen       443 ssl http2; # HTTP/2 TLS IPv4 Listen Directive
    listen       [::]:443 ssl http2; # HTTP/2 TLS IPv6 Listen Directive
    server_name  sub.domain.ru; # The Domain for this Virtual Host

    charset utf-8; # Charset to use. Usually UTF-8 is fine. Consult the documentation of the software to determine if a more appriopiate charset is needed.

    ssl_certificate /etc/pki/tls/sub.domain.ru/fullchain.pem; # Path to the TLS Certificate
    ssl_certificate_key /etc/pki/tls/sub.domain.ru/privkey.pem; # Path to the TLS Certificate Key

    ssl_protocols TLSv1.2 TLSv1.1; # TLS Protocols to use.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; # TLS Ciphers to use
    ssl_prefer_server_ciphers on; # Prefer server ciphers to mitigate downgrade attacks.

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # Enable HSTS with preloading

    ssl_stapling on; # Enable OSCP Stapling. This reduces the traffic to OSCP responders.
    ssl_trusted_certificate /etc/pki/tls/sub.domain.ru/chain.pem; # List of Trusted Certificates used to verify client certificates if enabled and OCSP responses if ssl stapling is enabled.
    ssl_stapling_verify on; # Verify OSCP responses.

    root /srv/web; # The root of the application directory.

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }

    location / {
        ...
    }
}

The paths, and the root/location directives will be different depending on how you configure NGINX and what you want to do with NGINX.

 

After you have created all your virtual hosts, it is best to run "nginx -t" as an appropriate user to ensure that there are no mistakes in the configuration. Once this has been done, you can reload NGINX to load the new configs. On RHEL, this is usually accomplished with "systemctl reload nginx", though the name of the service may change dependent on how NGINX was installed and configured. On other systems, it may be different. A reboot of the server would also work.

 

Once all that is done, you can go ahead and test the virtual hosts and make sure they are all operating correctly.

 

Note: The example configuration provided here is to be used as a starting point only, and has not been audited to ensure it meets current security and privacy guidelines or regulations. It is up to you to adjust it to meet all applicable laws and regulations.

vhost.sample.conf

Link to comment
Share on other sites
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Programs, Apps and Websites

×