Install the NGINX Web Server and Proxy on Oracle Linux

6
0
Send lab feedback

Install the NGINX Web Server and Proxy on Oracle Linux

Introduction

NGINX is a lightweight HTTP/S server capable of higher performance and lower memory use than a typical Apache web server deployment. However, this performance gain comes at the cost of some functionality and flexibility. NGINX has also gained in popularity as a powerful proxy service capable of functioning as a direct HTTP proxy, a reverse proxy with caching, an SMTP, POP3, or IMAP proxy, or a generic TCP/UDP proxy. NGINX also provides load-balancing services with fault tolerance.

Objectives

In this tutorial, you'll learn how to:

  • Install and enable the NGINX web server
  • Create a custom site
  • Enable SSL using a self-signed certificate

Prerequisites

  • Minimum of a single Oracle Linux system

  • Each system should have Oracle Linux installed and configured with:

    • A non-root user account with sudo access
    • Access to the Internet

If using Oracle Cloud Infrastructure (OCI), create ingress security rules for destination ports 80, 443, and 8080 from anywhere.

Deploy Oracle Linux

Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.

  1. Open a terminal on the Luna Desktop.

  2. Clone the linux-virt-labs GitHub project.

    git clone https://github.com/oracle-devrel/linux-virt-labs.git

  3. Change into the working directory.

    cd linux-virt-labs/ol

  4. Install the required collections.

    ansible-galaxy collection install -r requirements.yml

  5. Deploy the lab environment.

    ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6" -e use_nginx=true

    The free lab environment requires the extra variable local_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.

    The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add -e instance_shape="VM.Standard3.Flex" or -e os_version="9" to the deployment command.

    Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.

Install and Enable NGINX

Install the NGINX Package

  1. Open a terminal and create an environment variable on the ol-node-01 instance.

    The command creates an environment variable containing the instance's public IP address, which we'll use later in this tutorial.

    ssh oracle@<ip_address_of_instance> "echo export IP=<ip_address_of_instance> | tee -a ~/.bashrc > /dev/null"

    Note: When typing this command, replace both occurrences of <ip_address_of_instance> with the actual IP address.

  2. Connect via SSH to the ol-node-01 instance.

    ssh oracle@<ip_address_of_instance>

  3. Install the NGINX package and all of its dependencies.

    sudo dnf install -y nginx

Enable and Start the NGINX Service

  1. Enable and start the NGINX service for immediate access and make the service start automatically after a reboot.

    sudo systemctl enable --now nginx.service

  2. Check the status of the service.

    The service starts a web server that listens on TCP port 80 by default.

    sudo systemctl status nginx

    The default service listens on port 80 for all server names. Server names are defined using the server_name directive, and NGINX determines which server block to use for a given request by evaluating its configuration files. The configuration may specify a server using any combination of exact names, wildcard names, and regular expressions.

Configure the Firewall Rules

If you use a custom firewall profile or an OCI instance, open the firewall port for the NGINX web service (80).

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload

Depending on your installation, your instance may have a public-facing IP address in OCI and different ingress rules for the virtual cloud network (VCN) applied. Therefore, you may need to configure additional security list rules or update your network security group configuration.

Test the Default Installation

There are several ways to test the deployment, such as a browser or cURL. The method you choose will depend on your network and firewall configuration. In the case of OCI, you must also account for the VCN security list rules.

  1. Test local access using cURL.

    This test tries to access the NGINX test page from a terminal session connected via SSH to the instance where NGINX is running. This connection type verifies the service is working and bypasses any firewall rules or OCI ingress security rules.

    curl http://$(hostname -i)

    The $(hostname -i) grabs the IP address of the instance. If this is an OCI instance, that is the instance's private IP address. You can also replace $(hostname -i) with localhost when testing on the instance where we installed NGINX.

  2. Test remote access using a browser.

    Open a browser and access the NGINX test page using the instance's IP address.

    If this is an OCI instance, you'll need to use the instance's public IP address. The public IP address is the IP address you use when connecting to the instance using SSH.

    The NGINX web server opens the default test page /usr/share/nginx/html/index.html.

  3. Test remote access using a terminal.

    1. Open a new terminal.

    2. Use cURL to access the NGINX test page using the instance's IP address.

    If this is an OCI instance, you'll need to use the instance's public IP address. The public IP address is the IP address you use when connecting to the instance using SSH.

    curl http://<ip_address_of_instance>
    1. Exit the terminal and switch to a terminal connected to ol-node-01.

Create a Custom NGINX Configuration

To change the root path for your web server, do not edit the /etc/nginx/nginx.conf file directly. Instead, create a site-specific configuration in the /etc/nginx/conf.d directory as a preferred method. For example, create the file /etc/nginx/conf.d/default.conf and populate it with a configuration for your site.

  1. Create a directory to host a new site.

    sudo mkdir /srv/website

  2. Create an index.html file to display to visitors to the new site.

    cat << EOF | sudo tee /srv/website/index.html > /dev/null
<html>
<head>
<title>Hello</title>
</head>
<body><p>Hello World!</p></body>
</html>
EOF

  3. Update the permissions to give the nginx process ownership of the directory and set the appropriate SELinux security context.

    sudo chown -R nginx:nginx /srv/website
sudo chcon -Rt httpd_sys_content_t /srv/website

  4. Create a custom NGINX configuration at /etc/nginx/conf.d/default.conf for visitors to the server IP address.

    cat << EOF | sudo tee /etc/nginx/conf.d/default.conf > /dev/null
server {
  server_name   $(hostname -i) $IP;
  root           /srv/website;
  index          index.html;
}
EOF

    The $(hostname -i) inserts the instance's IP address. For OCI instances, this is the private IP address. To access an NGINX site running on an OCI instance from outside of OCI, you must also include the public IP address or a hostname that resolves on the public Internet. The $IP environment variable, which we set at the beginning of this tutorial, represents the public IP address.

  5. Restart the NGINX web service to load the new configuration.

    sudo systemctl restart nginx

  6. Switch to the open browser.

  7. Query the page again to confirm the configuration and page changes.

  8. Switch back to the terminal.

  9. You can debug and view connection details or issues by tailing the log files.

    sudo tail -f /var/log/nginx/access.log -f /var/log/nginx/error.log

    Use Ctrl-C to exit the tail application after watching the log files.

Configure HTTPS to Secure the Service

As a best practice, secure all communications between a web browser and your NGINX server using HTTPS. A secure setup requires a TLS certificate.

Create TLS/SSL Certificates

Oracle strongly recommends using a TLS certificate signed by an external Certificate Authority (CA). See https://docs.oracle.com/en/operating-systems/oracle-linux/certmanage/ for more information.

However, this tutorial will use a self-signed certificate for demonstration purposes.

  1. Create the certificate and key.

    openssl req -new -x509 -days 30 -nodes -newkey rsa:2048 -keyout server.key \
-addext "subjectAltName = DNS:$IP" \
-out server.crt -subj "/C=US/ST=Ca/L=Sunnydale/CN=$(hostname -i)"

    We assign the instance's IP address to the certificate's CN value using $(hostname -i) and the OCI public IP address using the subjectAltName option. You can remove the --addext line if you do not need it for your environment. This option allows adding multiple names to a certificate by including several DNS:<hostname_or_ip_address>, each separated by a comma.

  2. Create a directory to store the keys and certificates for NGINX.

    sudo mkdir -p /etc/pki/nginx/private

  3. Copy the certificate to /etc/pki/nginx/server.crt and the key file to /etc/pki/nginx/private/server.key.

    sudo cp server.crt /etc/pki/nginx/
sudo cp server.key /etc/pki/nginx/private

Update the NGINX Configuration for TLS/SSL

  1. Replace the /etc/nginx/conf.d/default.conf file.

    The updated file includes a configuration for a TLS-enabled website and a 301 redirect for HTTP traffic. The 301 redirect automatically redirects HTTP traffic to the HTTPS site.

    cat << EOF | sudo tee /etc/nginx/conf.d/default.conf > /dev/null
server {
 server_name   $(hostname -i) $IP;
 return 301 https://\$host\$request_uri;
}

server {
 listen       443 ssl http2;
 listen       [::]:443 ssl http2;
 server_name    $(hostname -i) $IP;
 root           /srv/website;
 index          index.html;
 ssl_certificate "/etc/pki/nginx/server.crt";
 ssl_certificate_key "/etc/pki/nginx/private/server.key";
 ssl_session_cache shared:SSL:1m;
 ssl_session_timeout  10m;
 ssl_ciphers PROFILE=SYSTEM;
 ssl_prefer_server_ciphers on;
}
EOF

    Note that if you are hosting for multiple domains, you can specify different ssl_certificate and ssl_certificate_key values for each server_name configuration that you create in the /etc/nginx/conf.d directory.

  2. Restart the NGINX service to load the new configuration.

    sudo systemctl restart nginx

Update the Firewall

Enable the firewall port 443 for the NGINX HTTPS web service and reload the default firewall service.

sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

Confirm a Working HTTPS Configuration

  1. Use cURL to access the site locally using HTTPS.

    curl -k https://$(hostname -i)

    The -k option bypasses the certificate check and is required in this scenario. Otherwise, cURL prevents you from accessing a site using a self-signed certificate.

  2. Test remote access using a browser.

    Open a browser and access the NGINX server using the instance's IP address. If you prefix the request with http://, the browser will redirect you to the HTTPS site.

    Note: Most browsers display a security risk warning when accessing a site using a self-signed certificate. Approve the security warning based on the browser used. For Chrome, click the Advanced button and then the Proceed to localhost (unsafe) link.

Next Steps

Thank you for completing this tutorial. Hopefully, these steps have given you a better understanding of installing, configuring, and using the NGINX web server.

SSR