Nginx


nginx is a robust, small, high performance web server and reverse proxy server. It is a good alternative to popular web servers like Apache and lighttpd.

Installation[edit | edit source]

Before immediately installing the www-servers/nginx package, first take a good look at the USE flags for Nginx.

Expanded USE flags[edit | edit source]

Nginx uses modules to enhance its features. To simplify the maintenance of this modular approach, the nginx ebuild uses expanded USE (USE_EXPAND) flags to denote which modules should be installed.

  • HTTP related modules can be enabled through the NGINX_MODULES_HTTP variable
  • Mail related modules can be enabled through the NGINX_MODULES_MAIL variable
  • Third party modules can be enabled through the NGINX_ADD_MODULES variable

These variables need to be set in /etc/portage/make.conf. Their descriptions can be found in /var/db/repos/gentoo/profiles/desc/nginx_modules_http.desc and /var/db/repos/gentoo/profiles/desc/nginx_modules_mail.desc.

For example, to enable the fastcgi module:

FILE /etc/portage/make.conf
NGINX_MODULES_HTTP="fastcgi"

The above will overwrite the default value of NGINX_MODULES_HTTP and set it to fastcgi. To enable the fastcgi module without overwriting the default NGINX_MODULES_HTTP value, the following USE flag notation can be specified in /etc/portage/package.use:

FILE /etc/portage/package.use
www-servers/nginx NGINX_MODULES_HTTP: fastcgi

USE flags[edit | edit source]

USE flags for www-servers/nginx Robust, small and high performance http and reverse proxy server

aio Enables file AIO support
debug Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
http Enable HTTP core support
http-cache Enable HTTP cache support
http2 Enable HTTP2 module support
ipv6 Add support for IP version 6
libatomic Use libatomic instead of builtin atomic operations
libressl Use dev-libs/libressl instead of dev-libs/openssl when applicable (see also the ssl useflag)
pcre Add support for Perl Compatible Regular Expressions
pcre-jit Enable JIT for pcre
rtmp NGINX-based Media Streaming Server
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
ssl Enable HTTPS module for http. Enable SSL/TLS support for POP3/IMAP/SMTP for mail.
threads Add threads support for various packages. Usually pthreads
vim-syntax Pulls in related vim syntax scripts
Data provided by the Gentoo Package Database · Last update: 2021-03-09 18:45 More information about USE flags

Emerge[edit | edit source]

With the USE flags set, install www-servers/nginx:

root #emerge --ask www-servers/nginx

Installation verification[edit | edit source]

The default nginx configuration defines a virtual server with the root directory set to /var/www/localhost/htdocs. However due to bug #449136, the nginx ebuild will only create the /var/www/localhost directory and without an index file. To have a working default configuration, create the /var/www/localhost/htdocs directory and simple index file:

root #mkdir /var/www/localhost/htdocs
root #echo 'Hello, world!' > /var/www/localhost/htdocs/index.html

The nginx package installs an init service script allowing administrators to stop, start, or restart the service. Run the next command to start the nginx service:

root #/etc/init.d/nginx start

To verify that nginx is properly running, point a web browser to the http://localhost address or use a command-line web tool like curl:

user $curl http://localhost

Configuration[edit | edit source]

The nginx configuration is handled through the /etc/nginx/nginx.conf file.

Single site access[edit | edit source]

The following example shows a single-site access, without dynamic capabilities (such as PHP).

FILE /etc/nginx/nginx.confGentoo's default configuration
user nginx nginx;
worker_processes 1;
 
error_log /var/log/nginx/error_log info;
 
events {
	worker_connections 1024;
	use epoll;
}
 
http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;
 
	log_format main
		'$remote_addr - $remote_user [$time_local] '
		'"$request" $status $bytes_sent '
		'"$http_referer" "$http_user_agent" '
		'"$gzip_ratio"';
 
	client_header_timeout 10m;
	client_body_timeout 10m;
	send_timeout 10m;
 
	connection_pool_size 256;
	client_header_buffer_size 1k;
	large_client_header_buffers 4 2k;
	request_pool_size 4k;
 
	gzip off;
 
	output_buffers 1 32k;
	postpone_output 1460;
 
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
 
	keepalive_timeout 75 20;
 
	ignore_invalid_headers on;
 
	index index.html;
 
	server {
		listen 127.0.0.1;
		server_name localhost;
 
		access_log /var/log/nginx/localhost.access_log main;
		error_log /var/log/nginx/localhost.error_log info;
 
		root /var/www/localhost/htdocs;
	}
}

Multiple site access[edit | edit source]

It is possible to leverage the include directive to split the configuration in multiple files:

FILE /etc/nginx/nginx.confMultisite configuration
user nginx nginx;
worker_processes 1;
 
error_log /var/log/nginx/error_log info;
 
events {
	worker_connections 1024;
	use epoll;
}
 
http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;
 
	log_format main
		'$remote_addr - $remote_user [$time_local] '
		'"$request" $status $bytes_sent '
		'"$http_referer" "$http_user_agent" '
		'"$gzip_ratio"';
 
	client_header_timeout 10m;
	client_body_timeout 10m;
	send_timeout 10m;
 
	connection_pool_size 256;
	client_header_buffer_size 1k;
	large_client_header_buffers 4 2k;
	request_pool_size 4k;
 
	gzip off;
 
	output_buffers 1 32k;
	postpone_output 1460;
 
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
 
	keepalive_timeout 75 20;
 
	ignore_invalid_headers on;
 
	index index.html;
 
	include /etc/nginx/conf.d/*.conf;
}
FILE /etc/nginx/conf.d/local.confSimple host
server {
        listen 127.0.0.1;
        server_name localhost;
  
        access_log /var/log/nginx/localhost.access_log main;
        error_log /var/log/nginx/localhost.error_log info;
  
        root /var/www/localhost/htdocs;
}
FILE /etc/nginx/conf.d/local-ssl.confSimple SSL host
server {
    listen 443 ssl;
    server_name host.tld;
    ssl_certificate /etc/ssl/nginx/host.tld.pem;
    ssl_certificate_key /etc/ssl/nginx/host.tld.key;
}

PHP support[edit | edit source]

Add the following lines to the nginx configuration to enable PHP support. In this example nginx is exchanging information with the PHP process via a UNIX socket.

FILE /etc/nginx/nginx.confEnabling PHP support
...
http {
...
    server { 
    ...
            location ~ \.php$ {
                       # Test for non-existent scripts or throw a 404 error
                       # Without this line, nginx will blindly send any request ending in .php to php-fpm
                       try_files $uri =404;
                       include /etc/nginx/fastcgi.conf;
                       fastcgi_pass unix:/run/php-fpm.socket;
           }
    }
}

To support this setup, PHP needs to be built with FastCGI Process Manager support (dev-lang/php), which is handled through the fpm USE flag:

root #echo "dev-lang/php fpm" >> /etc/portage/package.use

Rebuild PHP with the fpm USE flag enabled:

root #emerge --ask dev-lang/php
Note
Using UNIX socket communication is the preferred and recommended configuration

For PHP 7.0 and newer PHP versions use following configuration:

FILE /etc/php/fpm-php7.1/fpm.d/www.confRunning PHP with UNIX socket support
listen = /run/php-fpm.socket
listen.owner = nginx

Set the timezone in the php-fpm php.ini file. Substitute the <PUT_TIMEZONE_HERE> text in the FileBox below with the appropriate timezone information:

FILE /etc/php/fpm-php5.5/php.iniSetup timezone in php.ini
date.timezone = <PUT_TIMEZONE_HERE>

Start the php-fpm daemon:

root #/etc/init.d/php-fpm start

Add php-fpm to the default runlevel:

root #rc-update add php-fpm default

Reload nginx with changed configuration:

root #/etc/init.d/nginx reload

Alternatively, for systemd:

root #systemctl enable php-fpm@7.1
root #systemctl start php-fpm@7.1

IP address access list[edit | edit source]

The next example shows how to allow access to a particular URL (in this case /nginx_status) only to:

  • certain hosts (e.g. 192.0.2.1 127.0.0.1)
  • and IP networks (e.g. 198.51.100.0/24)
FILE /etc/nginx/nginx.confEnabling and configuring an IP access lists for /nginx_status page
http {
    server { 
            location /nginx_status {
                     stub_status on;
                     allow 127.0.0.1/32;
                     allow 192.0.2.1/32;
                     allow 198.51.100.0/24;
                     deny all;
             }
     }
}

Basic authentication[edit | edit source]

nginx allows limiting access to resources by validating the user name and password:

FILE /etc/nginx/nginx.confEnabling and configuring user authentication for the / location
http {
    server { 
            location / {
                   auth_basic           "Authentication failed";
                   auth_basic_user_file conf/htpasswd;
             }
     }
}

The htpasswd file can be generated using:

user $openssl passwd

Third party modules[edit | edit source]

Download third party module source and move it to /usr/src. Manually compile the selected Nginx module, then add the following line to /etc/portage/make.conf:

FILE /etc/portage/make.confAdding third party module
NGINX_ADD_MODULES="/usr/src/nginxmodule"

Rebuild nginx with the third party module enabled:

root #emerge --ask www-servers/nginx

Usage[edit | edit source]

Service control[edit | edit source]

OpenRC[edit | edit source]

Start nginx web server:

root #rc-service nginx start

Stop nginx web server:

root #rc-service nginx stop

Add nginx to the default runlevel so that the service starts automatically on system reboot:

root #rc-update add nginx default

Reload nginx configuration without dropping connections:

root #rc-service nginx reload

Restart the nginx service:

root #rc-service nginx restart

systemd[edit | edit source]

Start nginx web server:

root #systemctl start nginx

Stop nginx web server:

root #systemctl stop nginx

Check the status of the service:

root #systemctl status nginx

Enable service to start automatically on system reboot:

root #systemctl enable nginx

Reload nginx configuration without dropping connections:

root #systemctl reload nginx

Restart the nginx service:

root #systemctl restart nginx

Troubleshooting[edit | edit source]

In case of problems, the following commands can help troubleshoot the situation.

Validate configuration[edit | edit source]

Verify that the running nginx configuration has no errors:

root #/usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

By running nginx with the -t option, it will validate the configuration file without actually starting the nginx daemon. Use the -c option with the full path to the file to test configuration files in non-default locations.

Verify processes are running[edit | edit source]

Check if nginx processes are running:

user $ps aux | egrep 'nginx|PID'
  PID TTY      STAT   TIME COMMAND
26092 ?        Ss     0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
26093 ?        S      0:00 nginx: worker proces

Verify bound addresses and ports[edit | edit source]

Verify nginx daemon is listening on the right TCP port (such as 80 for HTTP or 443 for HTTPS):

root #netstat -tulpen | grep :80
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      0          12336835   -26092/nginx: master

See also[edit | edit source]

  • Apache — an efficient, extensible web server. It is one of the most popular web servers used the Internet.
  • Lighttpd — a fast and lightweight web server.

External resources[edit | edit source]

This article is issued from Gentoo. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.