1. Requirements
- FreeBSD 9.2.1.6+
- Permanent storage (preferably a ZFS volume)
- DNS domain or a static IP
- Internet access
2. References
3. Create Ngnix jail and install Nginx server
Create a new jail (e.g. name www) and add storage to the jail so we can keep our configuration and log files in a secure place. I'll mount my storage in '/mnt/www' inside the jail.
SSH to your FreeBSD, enter the jail (jexec www tcsh) and install Nginx package using pkg manager.
pkg update && pkg upgrade
pkg install nginx
pkg autoremove
pkg install nginx
pkg autoremove
- Note: The first time it will have to upgrade repositories, so don't worry if it downloads a lot of data.
4. Create configuration files
Configuration files are stored in the directory '/usr/local/etc/nginx/'. First we should create main configuration with this content:
file /usr/local/etc/nginx/nginx.conf
#user nobody;
worker_processes 3;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 64;
log_format apache
'$remote_addr - $remote_user [$time_local] '
'"$scheme://$host" '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_cookie"';
access_log /var/log/nginx-access.log apache;
# include SSL configuration
server_tokens off;
include /usr/local/etc/nginx/nginx.conf.ssl;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
# Compression
gzip on;
gzip_buffers 256 8k;
gzip_comp_level 2;
gzip_http_version 1.0;
gzip_min_length 0;
gzip_types text/css text/javascript text/mathml text/plain text/xml application/x-javascript application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml;
gzip_vary on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# include domain server configuration
include /usr/local/etc/nginx/nginx.conf.domain_name;
}
#user nobody;
worker_processes 3;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 64;
log_format apache
'$remote_addr - $remote_user [$time_local] '
'"$scheme://$host" '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_cookie"';
access_log /var/log/nginx-access.log apache;
# include SSL configuration
server_tokens off;
include /usr/local/etc/nginx/nginx.conf.ssl;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
# Compression
gzip on;
gzip_buffers 256 8k;
gzip_comp_level 2;
gzip_http_version 1.0;
gzip_min_length 0;
gzip_types text/css text/javascript text/mathml text/plain text/xml application/x-javascript application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml;
gzip_vary on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# include domain server configuration
include /usr/local/etc/nginx/nginx.conf.domain_name;
}
I recommend to use SSL certificates (e.g. selfsigned) so we can include this common SSL configuration file to the main configuration.
file /usr/local/etc/nginx/nginx.conf.ssl
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#Disables all weak ciphers
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA";
add_header Strict-Transport-Security "max-age=31536000";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#Disables all weak ciphers
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA";
add_header Strict-Transport-Security "max-age=31536000";
When you are using PHP for multiple domain, it is better to exclude this common configuration to separated file. If you are using only static HTML code, don't include this file in the file 'nginx.conf.domain_name'.
file /usr/local/etc/nginx/nginx.conf.php
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \..*/.*\.php {
return 403;
}
location / {
# This is cool because no php is touched for static content
# try_files $uri $uri/ /index.php?q=$uri&$args;
try_files $uri $uri/ @rewrite; expires max;
}
location @rewrite {
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)
rewrite ^/(.*)$ /index.php?q=$1;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php-fpm.sock;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(config|temp|logs)/ {
deny all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \..*/.*\.php {
return 403;
}
location / {
# This is cool because no php is touched for static content
# try_files $uri $uri/ /index.php?q=$uri&$args;
try_files $uri $uri/ @rewrite; expires max;
}
location @rewrite {
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)
rewrite ^/(.*)$ /index.php?q=$1;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php-fpm.sock;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(config|temp|logs)/ {
deny all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
And finally we can create domain server configuration file.
/usr/local/etc/nginx/nginx.conf.domain_name
server {
listen 80;
listen 443;
# catch domain without www prefix and all subdomain names
server_name domain_name *.domain_name;
# and rewrite them with www prefix
return 301 $scheme://www.domain_name$request_uri;
}
server {
listen 80;
server_name www.domain_name;
# comment line below to Roundcube work correctly
add_header X-Frame-Options DENY;
root /usr/local/www/drupal;
index index.php;
include /usr/local/etc/nginx/nginx.conf.php;
}
server {
listen 443 ssl;
server_name www.domain_name;
# comment line below to Roundcube work correctly
add_header X-Frame-Options DENY;
ssl on;
ssl_certificate /usr/local/etc/nginx/ssl/domain_name.crt;
ssl_certificate_key /usr/local/etc/nginx/ssl/domain_name.key;
# where the WWW content is stored.
root /usr/local/www/domain_name;
index index.php;
access_log /var/log/domain_name_access.log;
error_log /var/log/domain_name_error.log;
# include PHP configuration
include /usr/local/etc/nginx/nginx.conf.php;
# for HTML static content comment out lines below
# and comment lines above with "root", "index" and "include"
# in both server section for 80 and 443 listen port
# location / {
# root /usr/local/www/domain_name;
# index index.html index.htm
# }
}
server {
listen 80;
listen 443;
# catch domain without www prefix and all subdomain names
server_name domain_name *.domain_name;
# and rewrite them with www prefix
return 301 $scheme://www.domain_name$request_uri;
}
server {
listen 80;
server_name www.domain_name;
# comment line below to Roundcube work correctly
add_header X-Frame-Options DENY;
root /usr/local/www/drupal;
index index.php;
include /usr/local/etc/nginx/nginx.conf.php;
}
server {
listen 443 ssl;
server_name www.domain_name;
# comment line below to Roundcube work correctly
add_header X-Frame-Options DENY;
ssl on;
ssl_certificate /usr/local/etc/nginx/ssl/domain_name.crt;
ssl_certificate_key /usr/local/etc/nginx/ssl/domain_name.key;
# where the WWW content is stored.
root /usr/local/www/domain_name;
index index.php;
access_log /var/log/domain_name_access.log;
error_log /var/log/domain_name_error.log;
# include PHP configuration
include /usr/local/etc/nginx/nginx.conf.php;
# for HTML static content comment out lines below
# and comment lines above with "root", "index" and "include"
# in both server section for 80 and 443 listen port
# location / {
# root /usr/local/www/domain_name;
# index index.html index.htm
# }
}
- Note: Rewrite 'domain_name' with your own domain name.
5. Final configuration
Finally, let's edit /etc/rc.conf so Nginx starts automatically during start of the jail.
echo "nginx_enable=\"YES\"" >> /etc/rc.conf
- Note: You can start the Ngnix manually with the command 'service nginx start'.
6. Logrotate
Add the following entry in '/etc/newsyslog.conf' for rotating log files at the first day of every month at midnight. See 'man 5 newsyslog.conf' for more informations. Newsyslog is already being called once per hour by cron.
/var/log/domain_name_*.log 664 24 * $M1D0 GJ /var/run/nginx.pid 30
1. Requirements
- FreeBSD 9.2.1.6+
- Permanent storage (preferably a ZFS volume)
- DNS domain or a static IP
- Internet access
2. References
3. Create Ngnix jail and install Nginx server
Create a new jail (e.g. name www) and add storage to the jail so we can keep our configuration and log files in a secure place. I'll mount my storage in '/mnt/www' inside the jail.
SSH to your FreeBSD, enter the jail (jexec www tcsh) and install Nginx package using pkg manager.
pkg update && pkg upgrade
pkg install nginx
pkg autoremove
pkg install nginx
pkg autoremove
- Note: The first time it will have to upgrade repositories, so don't worry if it downloads a lot of data.
4. Create configuration files
Configuration files are stored in the directory '/usr/local/etc/nginx/'. First we should create main configuration with this content:
file /usr/local/etc/nginx/nginx.conf
#user nobody;
worker_processes 3;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 64;
log_format apache
'$remote_addr - $remote_user [$time_local] '
'"$scheme://$host" '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_cookie"';
access_log /var/log/nginx-access.log apache;
# include SSL configuration
server_tokens off;
include /usr/local/etc/nginx/nginx.conf.ssl;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
# Compression
gzip on;
gzip_buffers 256 8k;
gzip_comp_level 2;
gzip_http_version 1.0;
gzip_min_length 0;
gzip_types text/css text/javascript text/mathml text/plain text/xml application/x-javascript application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml;
gzip_vary on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# include domain server configuration
include /usr/local/etc/nginx/nginx.conf.domain_name;
}
#user nobody;
worker_processes 3;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 64;
log_format apache
'$remote_addr - $remote_user [$time_local] '
'"$scheme://$host" '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$http_cookie"';
access_log /var/log/nginx-access.log apache;
# include SSL configuration
server_tokens off;
include /usr/local/etc/nginx/nginx.conf.ssl;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
# Compression
gzip on;
gzip_buffers 256 8k;
gzip_comp_level 2;
gzip_http_version 1.0;
gzip_min_length 0;
gzip_types text/css text/javascript text/mathml text/plain text/xml application/x-javascript application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml;
gzip_vary on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# include domain server configuration
include /usr/local/etc/nginx/nginx.conf.domain_name;
}
I recommend to use SSL certificates (e.g. selfsigned) so we can include this common SSL configuration file to the main configuration.
file /usr/local/etc/nginx/nginx.conf.ssl
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#Disables all weak ciphers
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA";
add_header Strict-Transport-Security "max-age=31536000";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#Disables all weak ciphers
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA";
add_header Strict-Transport-Security "max-age=31536000";
When you are using PHP for multiple domain, it is better to exclude this common configuration to separated file. If you are using only static HTML code, don't include this file in the file 'nginx.conf.domain_name'.
file /usr/local/etc/nginx/nginx.conf.php
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \..*/.*\.php {
return 403;
}
location / {
# This is cool because no php is touched for static content
# try_files $uri $uri/ /index.php?q=$uri&$args;
try_files $uri $uri/ @rewrite; expires max;
}
location @rewrite {
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)
rewrite ^/(.*)$ /index.php?q=$1;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php-fpm.sock;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(config|temp|logs)/ {
deny all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ \..*/.*\.php {
return 403;
}
location / {
# This is cool because no php is touched for static content
# try_files $uri $uri/ /index.php?q=$uri&$args;
try_files $uri $uri/ @rewrite; expires max;
}
location @rewrite {
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)
rewrite ^/(.*)$ /index.php?q=$1;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php-fpm.sock;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
location ~ ^/(README.md|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(config|temp|logs)/ {
deny all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
And finally we can create domain server configuration file.
/usr/local/etc/nginx/nginx.conf.domain_name
server {
listen 80;
listen 443;
# catch domain without www prefix and all subdomain names
server_name domain_name *.domain_name;
# and rewrite them with www prefix
return 301 $scheme://www.domain_name$request_uri;
}
server {
listen 80;
server_name www.domain_name;
# comment line below to Roundcube work correctly
add_header X-Frame-Options DENY;
root /usr/local/www/drupal;
index index.php;
include /usr/local/etc/nginx/nginx.conf.php;
}
server {
listen 443 ssl;
server_name www.domain_name;
# comment line below to Roundcube work correctly
add_header X-Frame-Options DENY;
ssl on;
ssl_certificate /usr/local/etc/nginx/ssl/domain_name.crt;
ssl_certificate_key /usr/local/etc/nginx/ssl/domain_name.key;
# where the WWW content is stored.
root /usr/local/www/domain_name;
index index.php;
access_log /var/log/domain_name_access.log;
error_log /var/log/domain_name_error.log;
# include PHP configuration
include /usr/local/etc/nginx/nginx.conf.php;
# for HTML static content comment out lines below
# and comment lines above with "root", "index" and "include"
# in both server section for 80 and 443 listen port
# location / {
# root /usr/local/www/domain_name;
# index index.html index.htm
# }
}
server {
listen 80;
listen 443;
# catch domain without www prefix and all subdomain names
server_name domain_name *.domain_name;
# and rewrite them with www prefix
return 301 $scheme://www.domain_name$request_uri;
}
server {
listen 80;
server_name www.domain_name;
# comment line below to Roundcube work correctly
add_header X-Frame-Options DENY;
root /usr/local/www/drupal;
index index.php;
include /usr/local/etc/nginx/nginx.conf.php;
}
server {
listen 443 ssl;
server_name www.domain_name;
# comment line below to Roundcube work correctly
add_header X-Frame-Options DENY;
ssl on;
ssl_certificate /usr/local/etc/nginx/ssl/domain_name.crt;
ssl_certificate_key /usr/local/etc/nginx/ssl/domain_name.key;
# where the WWW content is stored.
root /usr/local/www/domain_name;
index index.php;
access_log /var/log/domain_name_access.log;
error_log /var/log/domain_name_error.log;
# include PHP configuration
include /usr/local/etc/nginx/nginx.conf.php;
# for HTML static content comment out lines below
# and comment lines above with "root", "index" and "include"
# in both server section for 80 and 443 listen port
# location / {
# root /usr/local/www/domain_name;
# index index.html index.htm
# }
}
- Note: Rewrite 'domain_name' with your own domain name.
5. Final configuration
Finally, let's edit /etc/rc.conf so Nginx starts automatically during start of the jail.
echo "nginx_enable=\"YES\"" >> /etc/rc.conf
- Note: You can start the Ngnix manually with the command 'service nginx start'.
6. Logrotate
Add the following entry in '/etc/newsyslog.conf' for rotating log files at the first day of every month at midnight. See 'man 5 newsyslog.conf' for more informations. Newsyslog is already being called once per hour by cron.
/var/log/domain_name_*.log 664 24 * $M1D0 GJ /var/run/nginx.pid 30
Comments