Skip to content

Instantly share code, notes, and snippets.

@KishCom

KishCom/setupNGINX.sh

Last active June 28, 2016 20:55
Show Gist options
  • Save KishCom/2347ef5d4dbef308eeded202dc395ef0 to your computer and use it in GitHub Desktop.
Save KishCom/2347ef5d4dbef308eeded202dc395ef0 to your computer and use it in GitHub Desktop.
Download ZIP
NGINX 1.10.1 on Ubuntu 14.04
Raw
setupNGINX.sh
##DIY NGINX for 14.04
sudo apt-get -y install build-essential libpcre3 libpcre3-dev zlib1g-dev checkinstall libgeoip-dev
wget http://nginx.org/download/nginx-1.10.1.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2h.tar.gz
tar zxvf nginx-1.10.1.tar.gz
tar zxvf openssl-1.0.2h.tar.gz
cd nginx-1.10.1
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/etc/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=www-data --group=www-data --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6 --with-openssl=/home/ubuntu/openssl-1.0.2h --with-http_geoip_module=dynamic
make
sudo checkinstall --pkgname=nginx --pkgversion=1.10.1 --nodoc
#Verify
nginx -V
sudo adduser --system --no-create-home --disabled-login --disabled-password --group www-data
sudo mkdir -p /var/cache/nginx
sudo mkdir -p /etc/nginx/sites-enabled
sudo mkdir -p /etc/nginx/sites-available
#NGINX upstart (/etc/init/nginx.conf):
# nginx
description "nginx http daemon"
author "George Shammas <[email protected]>"
start on (filesystem and net-device-up IFACE!=lo)
stop on runlevel [!2345]
env DAEMON=/usr/sbin/nginx
env PID=/var/run/nginx.pid
expect fork
respawn
respawn limit 10 5
#oom never
pre-start script
$DAEMON -t
if [ $? -ne 0 ]
then exit $?
fi
end script
exec $DAEMON
#NGINX conf (/etc/nginx/nginx.conf):
# User and group used by worker processes
user www-data;
load_module "modules/ngx_http_geoip_module.so";
# Ideally # of worker processes = # of CPUs or cores
# Set to auto to autodetect
# max_clients = worker_processes * worker_connections
worker_processes auto;
pid /run/nginx.pid;
# Maximum number of open file descriptors per process
# should be > worker_connections
worker_rlimit_nofile 10240;
events {
# Use epoll on Linux 2.6+
use epoll;
# Max number of simultaneous connections per worker process
worker_connections 2048;
# Accept all new connections at one time
multi_accept on;
}
http {
##
# Basic Settings
##
# Hide nginx version information
server_tokens off;
# Speed up file transfers by using sendfile() to copy directly
# between descriptors rather than using read()/write()
sendfile on;
# Tell Nginx not to send out partial frames; this increases throughput
# since TCP frames are filled up before being sent out (adds TCP_CORK)
# Send the response header and the beginning of a file in one packet
# Send a file in full packets
tcp_nopush on;
# Tell Nginx to enable the Nagle buffering algorithm for TCP packets
# which collates several smaller packets together into one larger packet
# thus saving bandwidth at the cost of a nearly imperceptible increase to latency
tcp_nodelay off;
send_timeout 30;
# How long to allow each connection to stay idle;
# Longer values are better for each individual client, especially SSL
# But means that worker connections are tied up longer.75
keepalive_timeout 60;
keepalive_requests 200;
# client_header_timeout 20;
# client_body_timeout 20;
reset_timedout_connection on;
types_hash_max_size 2048;
server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
# default_type application/octet-stream;
default_type text/html;
charset UTF-8;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
# Enable Gzip compression
gzip on;
# This should be turned on if pre-compressed copies (.gz) of static files exist
# If NOT it should be left off as it will cause extra I/O
# default: off
# gzip_static on;
# Do NOT compress anything smaller than 256 bytes
gzip_min_length 256;
# Fuck IE6
gzip_disable "msie6";
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (rare)
# would display gibberish if their proxy gave them the gzipped version.
# gzip_vary on;
# Compress data even for clients that are connecting via proxies
# Identified by the "Via" header
gzip_proxied any;
# Compression level (1-9)
# 5 is the perfect compromise between size and CPU usage
gzip_comp_level 5;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types
text/plain
text/css
application/json
application/x-javascript
text/xml
application/xml
application/xml+rss
text/javascript;
# Cache open file descriptors, their sizes and mtime
# information on existence of directories
# file lookup error such as "file not found", "no read permission" and so on
#
# Pros: nginx can immediately begin sending data when a popular file is requested
# and will also immediately send a 404 if a file doesn't exist, and so on
#
# Cons: The server will NOT react immediately to changes on file system
# which may be undesirable
#
# Config: inactive files are released from the cache after 20 seconds
# whereas active (recently requested) files are re-validated every 30 seconds
# File descriptors will NOT be cached unless they are used at least twice in 20s (inactive)
#
# A maximum of the 1000 most recently used file descriptors will be cached at any time
#
# Production servers with stable file collections will definitely want to enable the cache
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Uncomment it if you installed maxmind geoip (https://www.howtoforge.com/using-geoip-with-nginx-on-ubuntu-12.04)
##
#geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
#geoip_city /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
#geoip_proxy 192.168.100.0/24;
#geoip_proxy_recursive on;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# NGINX default
# NGINX Good SSL
server {
server_tokens off;
client_max_body_size 30M;
server_name myapp.example.com;
listen 443 ssl;
access_log /var/log/nginx/myapp.example.com.access.log;
error_log /var/log/nginx/myapp.example.com.error.log;
root /usr/share/nginx/html;
index index.html index.htm;
ssl_certificate /etc/nginx/ssl/myapp.example.com.crt;
ssl_certificate_key /etc/nginx/ssl/myapp.example.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# Generate a a stronger Diffie-Hellman ephemeral parameter
#cd /etc/ssl/certs
#openssl dhparam -out dhparam.pem 4096
# And then tell nginx to use it for DHE key-exchange, uncomment:
#ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
gzip on;
gzip_comp_level 6;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/html text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_buffers 16 8k;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
location / {
# Want to use the proxy cache?
# put this into the "http { ... }" context found in /etc/nginx.conf:
# proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=backcache:8m max_size=50m;
# proxy_temp_path /tmp;
# proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args";
#
# Then uncomment these guys:
#proxy_cache backcache;
#proxy_cache_bypass $http_cache_control;
#proxy_cache_valid 200 302 5m;
#proxy_cache_valid 404 1m;
#proxy_ignore_headers Set-Cookie;
#proxy_ignore_headers Cache-Control;
#add_header X-Proxy-Cache $upstream_cache_status;
# Put the IP and Port for the internally addressed VM here:
proxy_pass http://localhost:8888;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_read_timeout 60;
proxy_connect_timeout 60;
proxy_set_header Host $host;
proxy_set_header "X-Forwarded-For" $proxy_add_x_forwarded_for;
# Is this app using websockets? Uncomment:
#proxy_http_version 1.1;
#proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection "upgrade";
# Enable if you setup geoip
proxy_set_header GEOIP_COUNTRY_CODE $geoip_country_code;
proxy_set_header GEOIP_COUNTRY_CODE3 $geoip_country_code3;
proxy_set_header GEOIP_COUNTRY_NAME $geoip_country_name;
proxy_set_header GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
proxy_set_header GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
proxy_set_header GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
proxy_set_header GEOIP_REGION $geoip_region;
proxy_set_header GEOIP_CITY $geoip_city;
proxy_set_header GEOIP_POSTAL_CODE $geoip_postal_code;
proxy_set_header GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
proxy_set_header GEOIP_LATITUDE $geoip_latitude;
proxy_set_header GEOIP_LONGITUDE $geoip_longitude;
}
}
server {
listen 80;
server_name myapp.example.com;
server_name_in_redirect off;
rewrite ^ https://$host$request_uri? permanent;
}
# Start and verify
sudo service nginx start
curl -I localhost
# Optional GeoIP Stuff
sudo mkdir /etc/nginx/geoip
cd /etc/nginx/geoip
sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
sudo gunzip GeoIP.dat.gz
sudo wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
sudo gunzip GeoLiteCity.dat.gz
# uncomment geoip_country and geoip_city in /etc/nginx/nginx.conf
@KishCom
Copy link
Author

KishCom commented Jun 28, 2016

TODO:

  • pcre-jit module
  • without mail modules
  • Options to use LibreSSL OR OpenSSL
  • How to check for latest versions of OpenSSL + NGINX

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment