Installing NGINX Server

NGINX Server for Linux

The following steps require root privilege, so be sure to have the correct access before continuing.

Note

See also the SELinux configuration section.

NGINX is not provided with the UDMG installation packages. It must be installed before the other UDMG components.

After the installation, NGINX must be configured to serve the UDMG Admin UI application. This is done with the udmg.conf file, which can be deployed either with the udmg-admin-ui-nginx package or set up manually. Both options are detailed below.

Upgrading from a pre 2.0 UDMG release

If you are upgrading an installation of UDMG from any release before 2.0.0.0, the following changes in the udmg.conf file must be reviewed carefully.

Note

upstream udmg_auth_proxy

The default upstream port to reach the UDMG Authentication Proxy is set to 5775 in /opt/udmg/etc/udmg/nginx/udmg.conf starting from version 1.5.0.1.

Please review and make sure that the same port (either 5000 or 5775) is also defined in /opt/udmg/etc/udmg/auth-proxy/config.toml.

Note

New security related settings

See New configuration parameter with UDMG 2.0.0.0 

Note

access_log

  • The log format for the access_log directive used to be set to main in UDMG 1.5 and prior releases. This caused an 'unknown log format main' error on Debian/Ubuntu systems when NGINX was installed from the Debian package repository: the Debian NGINX package does not define the main log format by default (it is commented out in /etc/nginx/nginx.conf). The error did not occur when installing from the official NGINX repository, whose package defines the main log format. The log format is now reverted to the default ('combined'), and it is left to the administrator to enable a more detailed log format.
  • The log folder location has moved from /opt/udmg/var/log/nginx/ to /var/opt/udmg/nginx/, and it is accessible to the 'adm' user group.

NGINX installation and configuration

Installing with Linux Software Packages

  • Install an NGINX Server (Linux packages).
  • Install the UDMG packages (RPM or DEB), see Installing with Linux software packages. In particular, the udmg-admin-ui-nginx package adds the standard NGINX server configuration files (/opt/udmg/etc/udmg/nginx/udmg.conf and /etc/nginx/conf.d/udmg.conf) to load the UDMG Admin UI assets.

Performing a Manual Installation

  • Run the following command to check the main NGINX configuration file:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If the NGINX configuration file supports include directives, there is a line like this:

include somedir/*.conf

  • Create a configuration file udmg.conf under this directory (normally /etc/nginx/conf.d). This creates 2 locations: '/' for the UDMG Admin UI and '/service' for the internal authentication mechanism.

upstream udmg_auth_proxy {
    # UDMG Auth Proxy Configuration
    server        localhost:5775;
    ip_hash;
    keepalive 10;    
}

server {
    listen        80;
    listen    [::]:80;

    # TLS configuration
#    listen       443 ssl;
#    listen  [::]:443 ssl;
#    ssl_certificate     /etc/nginx/certs/cert.pem;
#    ssl_certificate_key /etc/nginx/certs/key.pem;
#    ssl_session_timeout 5m;
#    ssl_prefer_server_ciphers on;
#    ssl_protocols TLSv1.3 TLSv1.2;
#    ssl_ecdh_curve secp521r1:secp384r1;
# # recommended cipher list: https://ssl-config.mozilla.org/#server=nginx&version=1.20&config=intermediate&openssl=1.1.1k&ocsp=false&guideline=5.7
#    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

    server_name   localhost;

    access_log    /var/opt/udmg/nginx/admin.log;

    # Server Banner
    server_tokens off;

    # DEPRECATED Security Headers
    add_header X-XSS-Protection "0";
    add_header X-Frame-Options "SAMEORIGIN";

    # Security Headers
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "strict-origin";
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header X-Permitted-Cross-Domain-Policies none;

    location /service/ {
      proxy_pass         http://udmg_auth_proxy/;
      proxy_set_header   X-Real-IP       $remote_addr;
      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        try_files $uri $uri/ /index.html;
        root      /opt/udmg/var/www/udmg;
    }
}
  • Create the log directory (the access_log directive writes the admin.log file inside it, so create the directory only, not a directory named admin.log):

# sudo mkdir -p /var/opt/udmg/nginx


  • Create the Root directory where the UDMG Admin UI will be installed:

# sudo mkdir -p /opt/udmg/var/www/udmg/


Verify and enable NGINX

  • The NGINX default configuration provides an HTTP Server Test Page on port 80. Disable it by removing one of the following files (which one depends on the NGINX version and OS flavor):
    • /etc/nginx/conf.d/default.conf
    • /etc/nginx/sites-enabled/default
  • Validate that the configuration is correct with the following command:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

  • Enable and start the NGINX service using the Init system.

# sudo systemctl enable nginx

# sudo systemctl start nginx

  • Check that the HTTP server was started and is running, for example with the curl command:

# curl http://localhost:80
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.22.0</center>
</body>
</html>

This error (403) is expected, since we don't have any assets deployed.

For configuring HTTPS and HTTP redirection, please refer to the web server documentation (Configuring HTTPS servers).
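As an added check (example script, not part of the UDMG documentation or product): after NGINX is running, save the output of `curl -sI http://localhost/` to a file and run the function below on it to confirm that server_tokens off and the add_header directives from udmg.conf are actually in effect. Keep in mind that NGINX applies add_header only to 2xx/3xx responses unless the directive carries the `always` parameter, so the 403 page shown above will not carry the security headers; check a successful response once the Admin UI assets are deployed. The function and variable names, and the two captures, are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the UDMG documentation: verifies that the headers
# NGINX returns match the hardening directives in udmg.conf (server_tokens off
# plus the add_header lines). Input is a saved `curl -sI` capture, so it runs offline.

# Response headers that udmg.conf's add_header directives must produce.
REQUIRED_HEADERS="X-Frame-Options Content-Security-Policy X-Content-Type-Options \
Referrer-Policy Strict-Transport-Security Permissions-Policy X-Permitted-Cross-Domain-Policies"

# check_udmg_headers FILE: returns 0 when every required header is present and
# the Server header carries no version string, 1 otherwise (reasons on stderr).
check_udmg_headers() {
    file="$1"; rc=0
    for h in $REQUIRED_HEADERS; do
        grep -qi "^$h:" "$file" || { echo "missing header: $h" >&2; rc=1; }
    done
    # With server_tokens off the banner is "Server: nginx"; a '/' means a version leaked.
    if grep -i '^Server:' "$file" | grep -q '/'; then
        echo "Server header leaks the NGINX version (server_tokens is not off)" >&2; rc=1
    fi
    return $rc
}

# Constructed sample captures (CRLF line endings omitted for readability).
GOOD_CAPTURE=$(mktemp); BAD_CAPTURE=$(mktemp)
cat > "$GOOD_CAPTURE" <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Permissions-Policy: geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=()
X-Permitted-Cross-Domain-Policies: none
EOF
# Stock NGINX before udmg.conf is loaded: version banner, no hardening headers.
cat > "$BAD_CAPTURE" <<'EOF'
HTTP/1.1 403 Forbidden
Server: nginx/1.22.0
Content-Type: text/html
EOF

check_udmg_headers "$GOOD_CAPTURE" && echo "hardened response: OK"
check_udmg_headers "$BAD_CAPTURE" || echo "stock response: FAIL (expected)"
```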

NGINX Server for Windows


The following steps require Administrator privileges, so be sure that you have the correct access before continuing.

  • Run the following command to check the main NGINX configuration file:

C:\UDMG\nginx> nginx -t
nginx: the configuration file C:\UDMG\nginx/conf/nginx.conf syntax is ok
nginx: configuration file C:\UDMG\nginx/conf/nginx.conf test is successful

  • Create a directory under the configuration folder called "enabled".
  • Create a configuration file udmg.conf under this directory, C:\UDMG\nginx\conf\enabled:

    upstream udmg_auth_proxy {
        # UDMG Auth Proxy Configuration
        server        localhost:5775;
        ip_hash;
        keepalive 10;    
    }
    
    server {
        listen        80;
        listen    [::]:80;
    
        # TLS configuration
    #    listen       443 ssl;
    #    listen  [::]:443 ssl;
    #    ssl_certificate     /etc/nginx/certs/cert.pem;
    #    ssl_certificate_key /etc/nginx/certs/key.pem;
    #    ssl_session_timeout 5m;
    #    ssl_prefer_server_ciphers on;
    #    ssl_protocols TLSv1.3 TLSv1.2;
    #    ssl_ecdh_curve secp521r1:secp384r1;
    # # recommended cipher list: https://ssl-config.mozilla.org/#server=nginx&version=1.20&config=intermediate&openssl=1.1.1k&ocsp=false&guideline=5.7
    #    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    
        server_name   localhost;
    
        access_log    logs/udmg.access.log;
    
        # Server Banner
        server_tokens off;
    
        # DEPRECATED Security Headers
        add_header X-XSS-Protection "0";
        add_header X-Frame-Options "SAMEORIGIN";
    
        # Security Headers
        add_header Content-Security-Policy "frame-ancestors 'self'";
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy "strict-origin";
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
        add_header X-Permitted-Cross-Domain-Policies none;
    
        location /service/ {
          proxy_pass         http://udmg_auth_proxy/;
          proxy_set_header   X-Real-IP       $remote_addr;
          proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    
        location / {
            try_files $uri $uri/ /index.html;
            root      udmg;
        }
    }
  • By default, the NGINX main configuration file C:\UDMG\nginx\conf\nginx.conf has a section to provide a landing page on port 80.
    • Edit the file to remove the standard server section with the "listen 80" directive.

    • Add an include directive to load the udmg.conf file. For example, the default file is like this:

http {
  include mime.types;
  default_type application/octet-stream;

  # other parameters...

  server {
     listen 80;
     return 404;
  }
}

It must be edited to look like this:

http {
  include mime.types;
  default_type application/octet-stream;


  # other parameters...

  include "C:/UDMG/nginx/conf/enabled/*.conf";

}

  • Validate that the configuration is correct with the following command:

C:\UDMG\nginx> nginx -t
nginx: the configuration file C:\UDMG\nginx/conf/nginx.conf syntax is ok
nginx: configuration file C:\UDMG\nginx/conf/nginx.conf test is successful

  • Create the Root directory under the NGINX main directory called udmg:

C:\UDMG\nginx> mkdir udmg

  • Start NGINX:

C:\UDMG\nginx> nginx

  • Check that the HTTP server was started and is running, for example with the curl command:

C:\>curl.exe http://localhost:80
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.23.0</center>
</body>
</html>

This error (403) is expected, since no assets have been deployed.

Notes:

  • For configuring HTTPS and HTTP redirection, please refer to the web server documentation (Configuring HTTPS servers).
  • The paths in any NGINX configuration file must be specified in UNIX style, using forward slashes '/'.
  • For running NGINX as a service please refer to the service section in UDMG for Windows Installation.