This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
nginx/es
Warning: Display title "nginx/es" overrides earlier display title "Nginx".
nginx es un pequeño y robusto servidor web de alto rendimiento que puede actuar también como servidor proxy reverso. Es una buena alternativa a servidores populares como Apache y lighttpd.
Instalación
Before immediately installing the www-servers/nginx package, first take a good look at the USE flags for Nginx.
Expanded USE flags
Nginx uses modules to enhance its features. To simplify the maintenance of this modular approach, the nginx ebuild uses expanded USE (USE_EXPAND) flags to denote which modules should be installed.
- HTTP related modules can be enabled through the NGINX_MODULES_HTTP variable
- Mail related modules can be enabled through the NGINX_MODULES_MAIL variable
- Third party modules can be enabled through the NGINX_ADD_MODULES variable
These variables need to be set in /etc/portage/make.conf. Their descriptions can be found in /usr/portage/profiles/desc/nginx_modules_http.desc and /usr/portage/profiles/desc/nginx_modules_mail.desc.
For example, to enable the fastcgi module:
/etc/portage/make.confNGINX_MODULES_HTTP="fastcgi"
The above will overwrite the default value of NGINX_MODULES_HTTP and set it to fastcgi. To enable the fastcgi module without overwriting the default NGINX_MODULES_HTTP value, the following USE flag notation can be specified in /etc/portage/package.use:
/etc/portage/package.usewww-servers/nginx NGINX_MODULES_HTTP: fastcgi
Ajustes USE
USE flags for www-servers/nginx Robust, small and high performance http and reverse proxy server
+http
|
Enable HTTP core support |
+http-cache
|
Enable HTTP cache support |
+http2
|
Enable HTTP2 module support |
+pcre2
|
Enable support for pcre2 |
aio
|
Enables file AIO support |
debug
|
Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces |
http3
|
Enable HTTP3 module support |
ktls
|
Enable Kernel TLS offload (kTLS) |
libatomic
|
Use libatomic instead of builtin atomic operations |
pcre
|
Add support for Perl Compatible Regular Expressions |
pcre-jit
|
Enable JIT for pcre |
rtmp
|
NGINX-based Media Streaming Server |
selinux
|
!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur |
ssl
|
Enable HTTPS module for http. Enable SSL/TLS support for POP3/IMAP/SMTP for mail. |
test
|
Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) |
threads
|
Add threads support for various packages. Usually pthreads |
vim-syntax
|
Pulls in related vim syntax scripts |
Emerge
With the USE flags set, install www-servers/nginx:
root #emerge --ask www-servers/nginxInstallation verification
The default nginx configuration defines a virtual server with the root directory set to /var/www/localhost/htdocs. However due to bug #449136, the nginx ebuild will only create the /var/www/localhost directory and without an index file. To have a working default configuration, create the /var/www/localhost/htdocs directory and simple index file:
root #mkdir /var/www/localhost/htdocs
root #echo '¡Hola mundo!' > /var/www/localhost/htdocs/index.html
The nginx package installs an init service script allowing administrators to stop, start, or restart the service. Run the next command to start the nginx service:
root #/etc/init.d/nginx startTo verify that nginx is properly running, point a web browser to the http://localhost address or use a command-line web tool like curl:
user $curl http://localhostConfiguration
The nginx configuration is handled through the /etc/nginx/nginx.conf file.
Single site access
The following example shows a single-site access, without dynamic capabilities (such as PHP).
/etc/nginx/nginx.confConfiguración por defecto de Gentoouser nginx nginx;
worker_processes 1;
error_log /var/log/nginx/error_log info;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 4 2k;
request_pool_size 4k;
gzip off;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 75 20;
ignore_invalid_headers on;
index index.html;
server {
listen 127.0.0.1;
server_name localhost;
access_log /var/log/nginx/localhost.access_log main;
error_log /var/log/nginx/localhost.error_log info;
root /var/www/localhost/htdocs;
}
}
Multiple site access
It is possible to leverage the include directive to split the configuration in multiple files:
/etc/nginx/nginx.confConfiguración Multisitiouser nginx nginx;
worker_processes 1;
error_log /var/log/nginx/error_log info;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 4 2k;
request_pool_size 4k;
gzip off;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 75 20;
ignore_invalid_headers on;
index index.html;
include /etc/nginx/conf.d/*.conf;
}
/etc/nginx/conf.d/local.confSencillo servidorserver {
listen 127.0.0.1;
server_name localhost;
access_log /var/log/nginx/localhost.access_log main;
error_log /var/log/nginx/localhost.error_log info;
root /var/www/localhost/htdocs;
}
/etc/nginx/conf.d/local-ssl.confSencillo servidor SSLserver {
listen 443 ssl;
server_name host.tld;
ssl_certificate /etc/ssl/nginx/host.tld.pem;
ssl_certificate_key /etc/ssl/nginx/host.tld.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_dhparam /etc/ssl/nginx/host.tld.dh4096.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
}
PHP support
Add the following lines to the nginx configuration to enable PHP support. In this example nginx is exchanging information with the PHP process via a UNIX socket.
/etc/nginx/nginx.confHabilitar soporte PHP...
http {
...
server {
...
location ~ \.php$ {
# Comprobar que hay guiones no existentes o lanzar un error 404r
# Sin esta línea nginx enviará cualquier petición que acabe en .php a php-fpm
try_files $uri =404;
include /etc/nginx/fastcgi.conf;
fastcgi_pass unix:/run/php-fpm.socket;
}
}
}
To support this setup, PHP needs to be built with FastCGI Process Manager support (dev-lang/php), which is handled through the fpm USE flag:
root #echo "dev-lang/php fpm" >> /etc/portage/package.useRebuild PHP with the fpm USE flag enabled:
root #emerge --ask dev-lang/phpUsing UNIX socket communication is the preferred and recommended configuration
Review the /etc/php/fpm-php5.5/php-fpm.conf configuration and add following line:
/etc/php/fpm-php5.5/php-fpm.confCorrer PHP on soporte para sockets de UNIXlisten = /run/php-fpm.socket listen.owner = nginx
Set the timezone in the php-fpm php.ini file. Substitute the <PUT_TIMEZONE_HERE> text in the FileBox below with the appropriate timezone information:
/etc/php/fpm-php5.5/php.iniConfigurar la zona horaria en php.inidate.timezone = <PONER_LA_ZONA_HORARIA_AQUÍ>
Start the php-fpm daemon:
root #/etc/init.d/php-fpm startAdd php-fpm to the default runlevel:
root #rc-update add php-fpm defaultReload nginx with changed configuration:
root #/etc/init.d/nginx reloadIP address access list
The next example shows how to allow access to a particular URL (in this case /nginx_status) only to:
- certain hosts (e.g. 192.0.2.1 127.0.0.1)
- and IP networks (e.g. 198.51.100.0/24)
/etc/nginx/nginx.confHabilitar y configurar las listas de acceso por IP para la página /nginx_statushttp {
server {
location /nginx_status {
stub_status on;
allow 127.0.0.1/32;
allow 192.0.2.1/32;
allow 198.51.100.0/24;
deny all;
}
}
}
Basic authentication
nginx allows limiting access to resources by validating the user name and password:
/etc/nginx/nginx.confHabilitar y configurar la autenticación de usuarios para la localización /http {
server {
location / {
auth_basic "Authentication failed";
auth_basic_user_file conf/htpasswd;
}
}
}
Se puede generar el fichero htpasswd mediante:
user $openssl passwdTLS support
It is warmly suggested to support only TLS and disable known insecure ciphers.
/etc/nginx/nginx.confHabilitar TLS y deshabilitar cifrados insegurosserver {
listen 443;
server_name host.tld;
ssl on;
ssl_certificate /etc/ssl/nginx/host.tld.pem;
ssl_certificate_key /etc/ssl/nginx/host.tld.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_dhparam /etc/ssl/nginx/host.tld.dh4096.pem;
}
The ebuild provides stock self signed certificates in /etc/ssl/nginx/
Forward secrecy
The diffie-hellman certificate can be created using openssl:
user $openssl dhparam -out dh4096.pem 4096Third party modules
Download third party module source and move it to /usr/src. Manually compile the selected Nginx module, then add the following line to /etc/portage/make.conf:
/etc/portage/make.confAdding third party moduleNGINX_ADD_MODULES="/usr/src/nginxmodule"
Rebuild nginx with the third party module enabled:
root #emerge --ask www-servers/nginxUsage
Service control
OpenRC
Start nginx:
root #/etc/init.d/nginx startStop nginx:
root #/etc/init.d/nginx stopAdd nginx to the default runlevel:
root #rc-update add nginx defaultReiniciar el servicio nginx:
root #/etc/init.d/nginx restartResolución de problemas
In case of problems, the following commands can help troubleshoot the situation.
Validate configuration
Verify that the running nginx configuration has no errors:
root #/usr/sbin/nginx -tnginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
By running nginx with the -t option, it will validate the configuration file without actually starting the nginx daemon.
Verify processes are running
Check if nginx processes are running:
user $ps aux | egrep 'nginx|PID'PID TTY STAT TIME COMMAND 26092 ? Ss 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf 26093 ? S 0:00 nginx: worker proces
Verify bound addresses and ports
Verify nginx daemon is listening on the right TCP port (such as 80 for HTTP or 443 for HTTPS):
root #netstat -tulpen | grep :80tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 0 12336835 -26092/nginx: master
Ver también
Recursos externos
- https://nginx.org/en/docs/beginners_guide.html - Una guía de nginx para principiantes. De ayuda para quéllos que no conocen apenas nginx.
- https://nginx.com/resources/admin-guide/ - La guía de administración de ngnix. De ayuda para administradores web que trabajan en este área.
- http://wiki.nginx.org/Main - El wiki de nginx.
- https://github.com/h5bp/server-configs-nginx - Configuración H5BP de nginx.