Installing NGINX Server

Owned by
Stonebranch
Last updated: Jun 06, 2024
4 min read

NGINX Server for Linux

The following steps require root privilege, so be sure to have the correct access before continuing.

Note

See also the SELinux configuration section.

Installing with Linux Software Packages

  • Install an NGINX Server (Linux packages).

  • Install the UDMG packages (RPM or DEB), see Installing with Linux software packages. In particular, the udmg-admin-ui-nginx package adds the standard NGINX server configuration files (/opt/udmg/etc/udmg/nginx/udmg.conf and /etc/nginx/conf.d/udmg.confto load the UDMG Admin UI assets.

Performing a Manual Installation

  • Run the following command to check the main NGINX configuration file:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If the NGINX configuration file supports include directives, there is a line like this:

include somedir/*.conf

  • Create a configuration file udmg.conf under this directory (normally /etc/nginx/conf.d). This creates 2 locations: ‘/' for the UDMG Admin UI and '/service' for the internal authentication mechanism.

Note

The default upstream port to reach the UDMG Authentication Proxy is set to 5775 in /opt/udmg/etc/udmg/nginx/udmg.conf starting from version 1.5.0.1.

Please review and make sure that the same port (either 5000 or 5775) is also defined in /opt/udmg/etc/udmg/auth-proxy/config.toml .

upstream udmg_auth_proxy {
    # UDMG Auth Proxy Configuration
    server        localhost:5775;
    ip_hash;
    keepalive 10;    
}

server {
    listen        80;
    listen    [::]:80;

    # TLS configuration
#    listen       443 ssl;
#    listen  [::]:443 ssl;
#    ssl_certificate     /etc/nginx/certs/cert.pem;
#    ssl_certificate_key /etc/nginx/certs/key.pem;
#    ssl_session_timeout 5m;
#    ssl_prefer_server_ciphers on;
#    ssl_protocols TLSv1.3 TLSv1.2;
#    ssl_ecdh_curve secp521r1:secp384r1;
# # recommanded cipher list: https://ssl-config.mozilla.org/#server=nginx&version=1.20&config=intermediate&openssl=1.1.1k&ocsp=false&guideline=5.7
#    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

    server_name   localhost;

    access_log    /opt/udmg/var/log/nginx/admin.log;

    # Server Banner
    server_tokens off;

    # DEPRECATED Security Headers
    add_header X-XSS-Protection "0";
    add_header X-Frame-Options "SAMEORIGIN";

    # Security Headers
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "strict-origin";
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header X-Permitted-Cross-Domain-Policies none;

    location /service/ {
      proxy_pass         http://udmg_auth_proxy/;
      proxy_set_header   X-Real-IP       $remote_addr;
      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        try_files $uri $uri/ /index.html;
        root      /opt/udmg/var/www/udmg;
    }
}

Note

Debian/Ubuntu: the main log format is not defined (commented out in /etc/nginx/nginx/conf) when the installation is performed from the Debian package repository. It is necessary to either revert the access_log format to the default by removing the main from the example above or to uncomment it from the nginx.conf file. It is also possible to install the package from the NGINX official repository, which defines the main log format.  

  • Remove any /etc/nginx/conf.d/default.conf file, to disable the NGINX default landing page on port 80.
  • Validate that the configuration is correct with the following command:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

  • Create the Root directory:

# sudo mkdir -p /opt/udmg/var/www/udmg/

  • Enable and start the NGINX service using the Init system.

# sudo systemctl enable nginx

# sudo systemctl start nginx

  • Check that the HTTP server was started and is running, for example with the curl command:

# curl http://localhost:80
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>

This error (403) is expected, since we don't have any assets deployed.

 For configuring HTTPS and HTTP redirection, please refer to the web server documentation (Configuring HTTPS servers).

NGINX Server for Windows

The following steps require Administrator privileges, so be sure that you have the correct access before continuing.

  • Run the following command to check the main NGINX configuration file:

C:\UDMG\nginx> nginx -t
nginx: the configuration file C:\UDMG\nginx/conf/nginx.conf syntax is ok
nginx: configuration file C:\UDMG\nginx/conf/nginx.conf test is successfully

  • Create a directory under the configuration folder called "enabled".

  • Create a configuration file udmg.conf under this directory, C:\UDMG\nginx\conf\enabled:

    upstream udmg_auth_proxy {
    # UDMG Auth Proxy Configuration
    server        localhost:5775;
    ip_hash;
    keepalive 10;    
}

server {
    listen        80;
    listen    [::]:80;

    # TLS configuration
#    listen       443 ssl;
#    listen  [::]:443 ssl;
#    ssl_certificate     /etc/nginx/certs/cert.pem;
#    ssl_certificate_key /etc/nginx/certs/key.pem;
#    ssl_session_timeout 5m;
#    ssl_prefer_server_ciphers on;
#    ssl_protocols TLSv1.3 TLSv1.2;
#    ssl_ecdh_curve secp521r1:secp384r1;
# # recommanded cipher list: https://ssl-config.mozilla.org/#server=nginx&version=1.20&config=intermediate&openssl=1.1.1k&ocsp=false&guideline=5.7
#    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

    server_name   localhost;

    access_log    logs//udmg.access.log;

    # Server Banner
    server_tokens off;

    # DEPRECATED Security Headers
    add_header X-XSS-Protection "0";
    add_header X-Frame-Options "SAMEORIGIN";

    # Security Headers
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "strict-origin";
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header X-Permitted-Cross-Domain-Policies none;

    location /service/ {
      proxy_pass         http://udmg_auth_proxy/;
      proxy_set_header   X-Real-IP       $remote_addr;
      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }

     location / {
        try_files $uri $uri/ /index.html;
        root      udmg;
    }
}
  • By default, the NGINX main configuration file C:\UDMG\nginx\conf\nginx.conf has a section to provide a landing page on port 80.

  • Edit the file to remove the standard server section with the "listen 80" directive.

  • Add an include directive to load the udmg.conf file. For example, the default file is like this:

http {
  include mime.types;
  default_type application/octet-stream;


  # other parameters...


  server {

     listen 80;

     return 404;

  }

}

and must be edited to look like this:

http {
  include mime.types;
  default_type application/octet-stream;


  # other parameters...

  include "C:/UDMG/nginx/conf/enabled/*.conf";

}

  • Validate that the configuration is correct with the following command:

C:\UDMG\nginx> nginx -t
nginx: the configuration file C:\UDMG\nginx/conf/nginx.conf syntax is ok
nginx: configuration file C:\UDMG\nginx/conf/nginx.conf test is successfully

  • Create the Root directory under the NGINX main directory called udmg:

C:\UDMG\nginx> mkdir udmg

  • Start NGINX:

C:\UDMG\nginx> nginx

  • Check that the HTTP server was started and is running, for example with the curl command:

C:\>curl.exe http://localhost:80
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.23.0</center>
</body>
</html>

This error (403) is expected, since no assets have been deployed.

Notes:

  • For configuring HTTPS and HTTP redirection, please refer to the web server documentation (Configuring HTTPS servers).
  • The paths in any NGINX configuration file must be specified in UNIX style, using forward slashes '/'.
  • For running NGINX as a service please refer to the service section in UDMG for Windows Installation.