Install Nginx
Install Nginx
install-nginx.sh
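#!/bin/sh
# Build Nginx from source with the headers-more and ModSecurity-nginx modules
# and install it under /usr/local/nginx (binary at /usr/sbin/nginx).
# Must run as root on a dnf-based host. Every command below is fatal on
# failure so a failed download or configure step cannot be followed by a
# half-installed binary.
set -eu

# Interactive input for variables (printf + read -r is POSIX; `read -p` is a
# bash extension and the shebang is /bin/sh).
printf 'Please enter the version of Nginx (e.g., 1.26.2): '
read -r nginx_version
printf 'Please enter the run group name (default: www): '
read -r run_group
run_group=${run_group:-www}
printf 'Please enter the run user name (default: www): '
read -r run_user
run_user=${run_user:-www}

# The version is spliced into a URL and filesystem paths, so accept only
# digits and dots.
case "$nginx_version" in
  ''|*[!0-9.]*)
    echo "Invalid Nginx version: '${nginx_version}'" >&2
    exit 1
    ;;
esac

# Check if the specified group and user exist, create if not.
# (`id -g NAME` looks up a *user* called NAME, so it cannot tell whether the
# group exists; getent group does.)
if ! getent group "$run_group" >/dev/null 2>&1; then
  groupadd "$run_group"
fi
if ! id -u "$run_user" >/dev/null 2>&1; then
  useradd -g "$run_group" -M -s /sbin/nologin "$run_user"
fi

# Install required dependencies (git is needed for the module clone below)
dnf -y install tar wget git gcc gcc-c++ make zlib-devel pcre-devel openssl-devel libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed

# Download headers-more-nginx-module (skipped if already present so the
# script can be re-run).
# NOTE(review): this clones the branch head, so each fresh run may build
# unreviewed upstream changes; pin a release tag or commit for a
# reproducible build.
if [ ! -d /usr/local/headers-more-nginx-module ]; then
  git clone https://github.com/openresty/headers-more-nginx-module /usr/local/headers-more-nginx-module
fi

# ModSecurity-nginx is passed to ./configure below but is not fetched by this
# script; fail now with a clear message rather than at the end of configure.
if [ ! -d /usr/local/ModSecurity-nginx ]; then
  echo "ModSecurity-nginx connector not found at /usr/local/ModSecurity-nginx; install it first." >&2
  exit 1
fi

# Create Nginx cache directory and set permissions (temp paths below live here,
# so the worker user must be able to write to it)
mkdir -p /var/cache/nginx
chown "${run_user}:${run_group}" /var/cache/nginx

# Download and compile Nginx. Fetch over HTTPS; the tarball is only as
# trustworthy as the transport, so verify the signature published on
# nginx.org before building for production hosts.
cd /usr/local/src/
wget "https://nginx.org/download/nginx-${nginx_version}.tar.gz"
tar -xzf "nginx-${nginx_version}.tar.gz"
cd "nginx-${nginx_version}"
# --with-debug only compiles in support for `error_log ... debug`; it is not
# enabled unless a config asks for it.
./configure \
  --prefix=/usr/local/nginx \
  --sbin-path=/usr/sbin/nginx \
  --pid-path=/run/nginx.pid \
  --lock-path=/run/nginx.lock \
  --user="${run_user}" \
  --group="${run_group}" \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --http-client-body-temp-path=/var/cache/nginx/client_body \
  --http-proxy-temp-path=/var/cache/nginx/proxy \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi \
  --http-scgi-temp-path=/var/cache/nginx/scgi \
  --with-compat \
  --with-debug \
  --with-file-aio \
  --with-http_addition_module \
  --with-http_auth_request_module \
  --with-http_dav_module \
  --with-http_degradation_module \
  --with-http_flv_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_image_filter_module=dynamic \
  --with-http_mp4_module \
  --with-http_perl_module=dynamic \
  --with-http_random_index_module \
  --with-http_realip_module \
  --with-http_secure_link_module \
  --with-http_slice_module \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_sub_module \
  --with-http_v2_module \
  --with-http_xslt_module=dynamic \
  --with-mail=dynamic \
  --with-mail_ssl_module \
  --with-pcre \
  --with-pcre-jit \
  --with-stream=dynamic \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --with-threads \
  --add-module=/usr/local/headers-more-nginx-module \
  --add-module=/usr/local/ModSecurity-nginx
make && make install

# Log directory: owned by the run user/group given above (the original
# hard-coded www:www and ignored the values entered interactively).
mkdir -p /var/log/nginx/
touch /var/log/nginx/error.log
touch /var/log/nginx/access.log
chown -R "${run_user}:${run_group}" /var/log/nginx
chmod -R 750 /var/log/nginx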
Create Nginx Service
/etc/systemd/system/nginx.service
# systemd unit for the source-built Nginx: the binary and PID file paths must
# match --sbin-path and --pid-path passed to ./configure.
[Unit]
Description=The NGINX HTTP and reverse proxy server
# syslog.target is a legacy name kept for compatibility; the remaining targets
# delay start until the network and name resolution are usable.
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
# The master process daemonizes, so systemd tracks it through the PID file.
Type=forking
PIDFile=/run/nginx.pid
# Refuse to start with a broken configuration.
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
# QUIT is nginx's graceful-shutdown signal (workers finish in-flight requests).
ExecStop=/bin/kill -s QUIT $MAINPID
# Private /tmp and /var/tmp for the service, invisible to other processes.
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Create Nginx Configuration
/usr/local/nginx/conf/nginx.conf
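# Main Nginx configuration installed by install-nginx.sh. Virtual hosts live in
# /usr/local/nginx/conf/vhosts/*.conf and are included at the end of the
# http block.
user www www;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Hide the version in the Server header and on error pages.
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;

    # Shared-memory zones for per-client rate and connection limits. Defining
    # them here only allocates the zones; apply them in a vhost with
    # limit_req / limit_conn.
    limit_req_zone $binary_remote_addr zone=req_limit_20:10m rate=20r/s;
    limit_req_zone $binary_remote_addr zone=req_limit_10:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

    # $fail2banlog is 0 for 2xx/3xx responses and 1 otherwise. It is not used
    # in this file; presumably intended for an `access_log ... if=$fail2banlog`
    # in a vhost so only failed requests reach a fail2ban-watched log.
    map $status $fail2banlog {
        ~^[23] 0;
        default 1;
    }

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_min_length 1000;
    gzip_static on;

    # Short timeouts and small buffers bound how long a slow client can hold a
    # worker. Bodies larger than client_body_buffer_size are spooled to
    # /var/cache/nginx/client_body (up to client_max_body_size).
    keepalive_timeout 15s;
    client_header_timeout 10s;
    send_timeout 10s;
    client_max_body_size 10m;
    client_body_timeout 10s;
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    # NOTE(review): 2 x 1k is below what browsers commonly send in cookies;
    # requests that exceed it are rejected with 400 — confirm this is intended.
    large_client_header_buffers 2 1k;

    # Response hardening headers via headers-more. more_set_headers takes a
    # 'Name: value' string (not add_header syntax) and applies to every status
    # code by default, so error responses carry the headers too.
    # X-XSS-Protection is a legacy header that current browsers ignore; kept
    # as configured.
    more_set_headers 'X-Frame-Options: SAMEORIGIN';
    more_set_headers 'X-XSS-Protection: 1; mode=block';
    more_set_headers 'X-Content-Type-Options: nosniff';

    include /usr/local/nginx/conf/vhosts/*.conf;
}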
Start Nginx Service
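# Create the directory the main config includes, register the new unit file
# with systemd, then enable and start the service.
mkdir -p /usr/local/nginx/conf/vhosts/
systemctl daemon-reload
systemctl enable --now nginx
# --no-pager so the status check does not block on a pager when this is run
# from a script or a non-interactive session.
systemctl --no-pager status nginx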
nginx.yml
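---
# Compile and install Nginx from source with the headers-more and ModSecurity
# connector modules, then install a systemd unit and the main configuration.
# Prerequisites on the target: a dnf-based OS, root access, and the
# ModSecurity-nginx connector source already unpacked at
# /usr/local/ModSecurity-nginx (it is referenced by ./configure but not
# fetched here).
- name: Compile and install Nginx with ModSecurity
  hosts: all
  remote_user: root
  vars:
    nginx_version: "1.26.2"
    run_group: "www"
    run_user: "www"
    # Expected digest of the source tarball, e.g. "sha256:<hex-digest>"
    # (placeholder — take the value from the signature/digest published on
    # nginx.org). Leave empty to skip verification.
    nginx_tarball_checksum: ""

  tasks:
    - name: Ensure group exists
      ansible.builtin.group:
        name: "{{ run_group }}"
        state: present

    - name: Ensure user exists
      ansible.builtin.user:
        name: "{{ run_user }}"
        group: "{{ run_group }}"
        shell: /sbin/nologin
        create_home: false
        state: present

    # tar is needed by unarchive and git by the git task below; neither was in
    # the original list.
    - name: Install required packages
      ansible.builtin.dnf:
        name:
          - tar
          - git
          - wget
          - gcc
          - gcc-c++
          - make
          - zlib-devel
          - pcre-devel
          - openssl-devel
          - libxml2-devel
          - libxslt-devel
          - gd
          - gd-devel
          - perl-ExtUtils-Embed
        state: present

    - name: Check that the ModSecurity-nginx connector is present
      ansible.builtin.stat:
        path: /usr/local/ModSecurity-nginx
      register: modsec_connector

    - name: Fail early if the ModSecurity-nginx connector is missing
      ansible.builtin.fail:
        msg: "ModSecurity-nginx connector not found at /usr/local/ModSecurity-nginx; it is required by ./configure --add-module."
      when: not modsec_connector.stat.exists

    - name: Clone headers-more-nginx-module
      ansible.builtin.git:
        repo: https://github.com/openresty/headers-more-nginx-module
        dest: /usr/local/headers-more-nginx-module
        # NOTE(review): tracks the branch head with force: true, so every run
        # can pull unreviewed upstream changes into the build; pin a release
        # tag or commit for a reproducible build.
        version: master
        force: true

    # The temp paths passed to ./configure live here, so the worker user must
    # be able to write to it.
    - name: Create Nginx cache directory
      ansible.builtin.file:
        path: /var/cache/nginx
        owner: "{{ run_user }}"
        group: "{{ run_group }}"
        state: directory
        mode: "0755"

    - name: Download Nginx source code
      ansible.builtin.get_url:
        url: "https://nginx.org/download/nginx-{{ nginx_version }}.tar.gz"
        dest: "/usr/local/src/nginx-{{ nginx_version }}.tar.gz"
        # Verified only when a digest is configured above.
        checksum: "{{ nginx_tarball_checksum | default(omit, true) }}"
        mode: "0644"

    - name: Extract Nginx source code
      ansible.builtin.unarchive:
        src: "/usr/local/src/nginx-{{ nginx_version }}.tar.gz"
        dest: "/usr/local/src/"
        remote_src: true
        creates: "/usr/local/src/nginx-{{ nginx_version }}"

    # Skipped once configure has produced a Makefile. The original
    # `changed_when: rc != 0` reported "changed" only when the command had
    # already failed the task, so it hid every real change.
    - name: Configure Nginx with ModSecurity
      ansible.builtin.command: >
        ./configure
        --prefix=/usr/local/nginx
        --sbin-path=/usr/sbin/nginx
        --pid-path=/run/nginx.pid
        --lock-path=/run/nginx.lock
        --user={{ run_user }}
        --group={{ run_group }}
        --error-log-path=/var/log/nginx/error.log
        --http-log-path=/var/log/nginx/access.log
        --http-client-body-temp-path=/var/cache/nginx/client_body
        --http-proxy-temp-path=/var/cache/nginx/proxy
        --http-fastcgi-temp-path=/var/cache/nginx/fastcgi
        --http-uwsgi-temp-path=/var/cache/nginx/uwsgi
        --http-scgi-temp-path=/var/cache/nginx/scgi
        --with-compat
        --with-debug
        --with-file-aio
        --with-http_addition_module
        --with-http_auth_request_module
        --with-http_dav_module
        --with-http_degradation_module
        --with-http_flv_module
        --with-http_gunzip_module
        --with-http_gzip_static_module
        --with-http_image_filter_module=dynamic
        --with-http_mp4_module
        --with-http_perl_module=dynamic
        --with-http_random_index_module
        --with-http_realip_module
        --with-http_secure_link_module
        --with-http_slice_module
        --with-http_ssl_module
        --with-http_stub_status_module
        --with-http_sub_module
        --with-http_v2_module
        --with-http_xslt_module=dynamic
        --with-mail=dynamic
        --with-mail_ssl_module
        --with-pcre
        --with-pcre-jit
        --with-stream=dynamic
        --with-stream_ssl_module
        --with-stream_ssl_preread_module
        --with-threads
        --add-module=/usr/local/headers-more-nginx-module
        --add-module=/usr/local/ModSecurity-nginx
      args:
        chdir: "/usr/local/src/nginx-{{ nginx_version }}"
        creates: "/usr/local/src/nginx-{{ nginx_version }}/Makefile"
      register: configure_output

    # `set -o pipefail` is a bash feature, so the interpreter is made explicit.
    # Skipped once the binary is installed; remove /usr/sbin/nginx to rebuild.
    - name: Compile and install Nginx (/tmp/nginx_build_output.log)
      ansible.builtin.shell: |
        set -o pipefail
        make -j"$(nproc)" | tee /tmp/nginx_build_output.log
        make install
      args:
        chdir: "/usr/local/src/nginx-{{ nginx_version }}"
        creates: /usr/sbin/nginx
        executable: /bin/bash
      register: build_output

    - name: Show build output
      ansible.builtin.debug:
        var: build_output.stdout_lines
      when: build_output is changed

    # Matches the log layout of install-nginx.sh; the playbook previously
    # relied on `make install` to create this directory.
    - name: Create Nginx log directory
      ansible.builtin.file:
        path: /var/log/nginx
        state: directory
        owner: "{{ run_user }}"
        group: "{{ run_group }}"
        mode: "0750"

    - name: Create systemd service for Nginx
      ansible.builtin.copy:
        dest: /etc/systemd/system/nginx.service
        owner: root
        group: root
        mode: "0644"
        content: |
          [Unit]
          Description=The NGINX HTTP and reverse proxy server
          After=syslog.target network-online.target remote-fs.target nss-lookup.target
          Wants=network-online.target
          [Service]
          Type=forking
          PIDFile=/run/nginx.pid
          ExecStartPre=/usr/sbin/nginx -t
          ExecStart=/usr/sbin/nginx
          ExecReload=/usr/sbin/nginx -s reload
          ExecStop=/bin/kill -s QUIT $MAINPID
          PrivateTmp=true
          [Install]
          WantedBy=multi-user.target

    # Configuration is read by the root-owned master process and must not be
    # writable by the unprivileged worker user: an included vhost file owned
    # by that user would let a compromised worker change what root loads on
    # the next reload.
    - name: Ensure required directories exist
      ansible.builtin.file:
        path: /usr/local/nginx/conf/vhosts
        state: directory
        owner: root
        group: root
        mode: "0755"

    # more_set_headers takes 'Name: value' and applies to every status code by
    # default; the add_header-style `"value" always` form is not its syntax.
    - name: Deploy Nginx main configuration file
      ansible.builtin.copy:
        dest: /usr/local/nginx/conf/nginx.conf
        owner: root
        group: root
        mode: "0644"
        content: |
          user {{ run_user }} {{ run_group }};
          worker_processes auto;
          pid /run/nginx.pid;
          events {
              worker_connections 1024;
          }
          http {
              server_tokens off;
              include mime.types;
              default_type application/octet-stream;
              limit_req_zone $binary_remote_addr zone=req_limit_20:10m rate=20r/s;
              limit_req_zone $binary_remote_addr zone=req_limit_10:10m rate=10r/s;
              limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
              map $status $fail2banlog {
                  ~^[23] 0;
                  default 1;
              }
              access_log /var/log/nginx/access.log;
              error_log /var/log/nginx/error.log;
              gzip on;
              gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
              gzip_min_length 1000;
              gzip_static on;
              keepalive_timeout 15s;
              client_header_timeout 10s;
              send_timeout 10s;
              client_max_body_size 10m;
              client_body_timeout 10s;
              client_body_buffer_size 1K;
              client_header_buffer_size 1k;
              large_client_header_buffers 2 1k;
              more_set_headers 'X-Frame-Options: SAMEORIGIN';
              more_set_headers 'X-XSS-Protection: 1; mode=block';
              more_set_headers 'X-Content-Type-Options: nosniff';
              include /usr/local/nginx/conf/vhosts/*.conf;
          }
      notify: Reload Nginx

    - name: Reload systemd
      ansible.builtin.systemd:
        daemon_reload: true

    - name: Enable and start Nginx
      ansible.builtin.systemd:
        name: nginx
        enabled: true
        state: started

  handlers:
    # Runs after the service is started, so a changed nginx.conf takes effect
    # on re-runs instead of waiting for the next restart.
    - name: Reload Nginx
      ansible.builtin.systemd:
        name: nginx
        state: reloaded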