Nethence Newdoc Olddoc Lab Your IP BBDock  

Setting up NGINX


on Ubuntu,

    apt install nginx
    netstat -antupe --inet --inet6 | grep LISTEN | grep 80
service nginx status
#update-rc.d nginx defaults

    cp -pi /etc/nginx/sites-available/default /etc/nginx/sites-available/default.dist
    cp -pi /etc/nginx/nginx.conf /etc/nginx/nginx.conf.dist
    rm -f /var/www/html/index.nginx-debian.html
echo "<p>nothing here" > /var/www/html/index.html

on RHEL/CentOS, make sure the EPEL repo is available and proceed,

    yum install nginx
    netstat -antupe --inet --inet6 | grep LISTEN | grep 80
    service nginx start
    chkconfig nginx on

    cp -pi /etc/nginx/nginx.conf /etc/nginx/nginx.conf.dist
ls -alhF /usr/share/nginx/html/


For starters

define the default index file(s) and eventually enable directory listing nginx-wide into the server or http stanza,

index index.html;
autoindex on;

also eventually define a compression log format into server or http,

    log_format compression '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" "$gzip_ratio"';

apply with service nginx restart or /usr/local/nginx/sbin/nginx -s reload.

Virtual Hosts

setup a virtual host,

    cd /usr/local/nginx/conf.d/

server {
    root /data/www/$server_name;
        access_log logs/ compression;
        error_log  logs/ warn;

    location / {
        try_files $uri $uri/ =404;

note. cannot use $server_name for access_log and error_log unless it’s fine with you to change the log folder perms accordingly (www-data needs to write in it)


e.g. with the ubuntu provided self-signed cert,

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        ssl on;
        ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

Reverse Proxy

setup an http reverse proxy,

cd /etc/nginx/conf.d/

server {
    listen 80;

        location / {
        proxy_pass http://APPLICATION_ADDRESS:PORT;


and apply with service nginx restart or /usr/local/nginx/sbin/nginx -s reload.

Careful, some apps need to know about the vhost and port that are called. So you shall play with those settings.

Here’s some specific conf for GitLab,

    proxy_set_header Host $http_host;

Here’s a working specific conf for Gollum, assuming you’re running SSL only on the nginx side,

            proxy_pass http://localhost:4567;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;

Also jenkins conf.

Some other possible configs,

    #proxy_set_header Host $host; #instead of http_host
            #proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_redirect off;

Here’s another one,

        proxy_set_header X-Real-IP $remote_addr;


in the server or http stanza,

            location ^~ /private/ {
                    auth_basic "Restricted Area";
                    auth_basic_user_file htpasswd;

then create or edit a password file,

cd /usr/local/nginx/conf/
#apt install apache2-utils
#yum install httpd-?
htpasswd -c htpasswd NEW_USER
#DO NOT chmod 600 htpasswd as the www-data user needs to read it

if files exists already,

htpasswd htpasswd EXISTING_USER

and reload the service with service nginx restart or /usr/local/nginx/sbin/nginx -s reload.


Install and run the FastCGI helper,

apt-get install fcgiwrap
systemctl status fcgiwrap.socket
#systemctl status fcgiwrap.service
ls -lhF /var/run/fcgiwrap.socket

Make sure NGINX is ready for that,

ls -lhF /usr/local/nginx/conf/fastcgi_params
ls -lhF /usr/local/nginx/conf/fastcgi.conf

Make sure your script is executable,

chmod +x /data/www/vhost/index.cgi

and setup those parms into the vhost server stanza e.g.,

vi /usr/local/nginx/conf.d/vhost.conf

    index index.cgi;

#root already defined

location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
    gzip off;
    fastcgi_pass unix:/var/run/fcgiwrap.socket;
    include fastcgi_params;
    fastcgi_param DOCUMENT_ROOT /data/www/$server_name;
    fastcgi_param SCRIPT_FILENAME /data/www/$server_name$fastcgi_script_name;

/usr/local/nginx/sbin/nginx -s reload

Note. include fastcgi_params points to conf/fastcgi_params already


Fancy Directory Listing

make sure you got the build essential packages, PCRE, zlib and openssl libs,

apt install build-essential libpcre3-dev zlib1g-dev libssl-dev

fetch latest NGINX source and proceed with custom compilation,

git clone
tar xzf nginx-1.13.0.tar.gz
cd nginx-1.13.0/
./configure --with-http_addition_module --with-http_ssl_module --add-module=../ngx-fancyindex

and install the compiled package,

#make install
apt install checkinstall

then setup the thing with fancy headers & footers into the http or server context,

cd ~/
ln -s /usr/local/nginx

cd ~/nginx/html/
rm -f index.html 50x.html
echo '<p>header' > header.html
echo '<p>footer' > footer.html
touch file

cd ~/nginx/conf/
vi nginx.conf

#ls -lhF ~/nginx/modules/
#(main context) -- using static module, no need
#load_module modules/;

#root already defined

autoindex on;

location / {
    try_files $uri $uri/ =404;
    fancyindex on; # Enable fancy indexes.
    fancyindex_exact_size off; # Output human-readable file sizes.
    fancyindex_header /header.html;
    fancyindex_footer /footer.html;
    fancyindex_ignore favicon.ico robots.txt header.html footer.html css;
    fancyindex_localtime off;

move your configs to the right place (do NOT use existing /etc/nginx/conf.d/ as dpkg –purge might remove those),

mkdir /usr/local/nginx/etc/conf.d/
mv /etc/nginx/conf.d/* /usr/local/nginx/etc/conf.d/
vi /usr/local/nginx/etc/conf/nginx.conf

user www-data;
worker_processes  auto;

events {
    worker_connections  1024;

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    server {
        listen  80;
        listen  [::]:80;
        server_name _;
        return 301;

    include /usr/local/nginx/etc/conf.d/*.conf;

make sure the system vendor NGINX is NOT currently in use,

dpkg -l | grep nginx
ps aux | grep nginx
netstat -antupe --inet --inet6 | grep nginx

and finally run the thing,

cd ~/
/usr/local/nginx/sbin/nginx -V
ls -lhF /usr/local/nginx/logs/

enable it at boot time and on Ubuntu 16+, make sure the System D service for rc-local is enabled at boot time and don’t forget to make the script executable,

vi /etc/rc.local


echo -n starting custom nginx...
/usr/local/nginx/sbin/nginx && echo done
#/usr/local/nginx/sbin/nginx -s reload

systemctl status rc-local.service
chmod +x /etc/rc.local

eventually get rid of the distro package (be careful with purge, assuming /etc/nginx/ is cleaned-up!),

apt purge nginx
apt autoremove
dpkg -l | grep ^rc
dpkg --purge ...

note. to run as Docker container on foreground,

nginx -g 'daemon off;'


Cache Control

into the http stanza and before the Virtual Host Configs server stanzas,

vi nginx.conf

# Expires map
map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;


Home | GitHub | Donate