DEV Community

AnupamMahapatra
AnupamMahapatra

Posted on • Updated on

Just a HelloWorld Nginx webserver !. with SSL

There are many occasions when to test out a system we want a running example webserver at the end of it . An example with no bells and whistles . Just a plain webserver with a self signed cert will do. So Let me dumb it down.

The following script will give you just that:

  • Download and install nginx web server.
  • generate a self signed cert using openssl.
  • generate a couple static webpage to be served through nginx at different paths
  • edit the nginx configuration to point to the webpage and server it with the ssl certificate.
  • install firewalld and open firewall permission for http and https.

Pre-requisite:

  • Running on a CentOS/RedHat Linux with yum installed.
  • openssl installed.

Create the following script (SinglePageNginx.sh) . Give it execute access (chmod 755 SinglePageNginx.sh) and run (./SinglePageNginx.sh)

#!/bin/bash
set -e

# Create self signed cert for HTTPS reverse proxy as Nginx
openssl genrsa -out /tmp/app.key 2048
openssl req -new -key /tmp/app.key -out /tmp/app.csr -subj "/C=CA/ST=ON/L=Toronto/O=Digital/OU=IT/CN=app.local.com"
openssl x509 -req -days 365 -in /tmp/app.csr -signkey /tmp/app.key -out /tmp/app.crt
chmod 644 /tmp/app.crt /tmp/app.key
echo "self signed cert done" >> /tmp/debug.log

# Install and configure nginx for HTTPS
yum -y install nginx
mkdir -p /etc/nginx/ssl
mv -f /tmp/app.key /etc/nginx/ssl/app.key
mv -f /tmp/app.crt /etc/nginx/ssl/app.crt
chmod 755 /etc/nginx/ssl
chmod -R 644 /etc/nginx/ssl/*
mv -f /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
# mv -f /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak

######################
# STATIC WEB PAGE
######################
mkdir -p /etc/nginx/www
cat > /etc/nginx/www/index.html <<'EOF'  
<h1> Hello There</h1>
  <p>
    This webpage is serverd through nginx
  </p>
EOF
chmod 0755  /etc/nginx/www
chmod 644 /etc/nginx/www/index.html
echo "index webpage created "  >> /tmp/debug.log


# set conf in nginx
cat > /etc/nginx/nginx.conf <<'EOF'  
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}

http {
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log  /var/log/nginx/access.log  main;
  sendfile            on;
  tcp_nopush          on;
  tcp_nodelay         on;
  keepalive_timeout   65;
  types_hash_max_size 2048;
  include /etc/nginx/mime.types;
  default_type        application/octet-stream;
  include /etc/nginx/conf.d/*.conf;
}
EOF


# set app conf in nginx
cat > /etc/nginx/conf.d/app.conf <<'EOF'  
server {
    listen 443 ssl;
    server_name localhost;
    root /etc/nginx/www;
    error_log /var/log/nginx/app-server-error.log notice;
    index demo-index.html index.html;
    expires -1;

    ssl_certificate           /etc/nginx/ssl/app.crt;
    ssl_certificate_key       /etc/nginx/ssl/app.key;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log  /var/log/nginx/app.access.log;

    sub_filter_once off;
    sub_filter 'server_hostname' '$hostname';
    sub_filter 'server_address'  '$server_addr:$server_port';
    sub_filter 'server_url'      '$request_uri';
    sub_filter 'remote_addr'     '$remote_addr:$remote_port';
    sub_filter 'server_date'     '$time_local';
    sub_filter 'client_browser'  '$http_user_agent';
    sub_filter 'request_id'      '$request_id';
    sub_filter 'nginx_version'   '$nginx_version';
    sub_filter 'document_root'   '$document_root';
    sub_filter 'proxied_for_ip'  '$http_x_forwarded_for';

    location / {
      index index.html;
    }
}
EOF
chmod -R 644  /etc/nginx/ssl/* /etc/nginx/nginx.conf /etc/nginx/conf.d/app.conf
echo "nginx installation done" >> /tmp/debug.log


yum -y install firewalld
systemctl unmask firewalld
systemctl restart firewalld
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload
systemctl enable firewalld
systemctl restart firewalld


# Start and enable on boot, nginx as a service
systemctl enable nginx
systemctl restart nginx
echo "nginx start done" >> /tmp/debug.log
Enter fullscreen mode Exit fullscreen mode

You should have a nginx running in your local

curl https://localhost:443 --insecure
Enter fullscreen mode Exit fullscreen mode

Making an imporvement on the above script. Making it even simple with a default configuration file and couple of webpages at different paths.
Again:

Create the following script (DoublePageNginx.sh) . Give it execute access (chmod 755 DoublePageNginx.sh) and run (./DoublePageNginx.sh)

#!/bin/bash
set -e

# Create self signed cert for HTTPS reverse proxy as Nginx
openssl genrsa -out /tmp/app.key 2048
openssl req -new -key /tmp/app.key -out /tmp/app.csr -subj "/C=CA/ST=ON/L=Toronto/O=Digital/OU=IT/CN=app.local.com"
openssl x509 -req -days 365 -in /tmp/app.csr -signkey /tmp/app.key -out /tmp/app.crt
chmod 644 /tmp/app.crt /tmp/app.key
echo "self signed cert done" >> /tmp/debug.log

yum -y install nginx
mkdir -p /etc/nginx/ssl
cp -f /tmp/app.key /etc/nginx/ssl/app.key
cp -f /tmp/app.crt /etc/nginx/ssl/app.crt
chmod 755 /etc/nginx/ssl && chmod -R 644 /etc/nginx/ssl/*
mv -f /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
echo "nginx installed" >> /tmp/debug.log

# 
cat > /etc/nginx/nginx.conf <<'EOF'  
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';
  access_log  /var/log/nginx/access.log  main;
  sendfile            on;
  tcp_nopush          on;
  tcp_nodelay         on;
  keepalive_timeout   65;
  types_hash_max_size 2048;
  include /etc/nginx/mime.types;
  default_type        application/octet-stream;
  include /etc/nginx/conf.d/*.conf;
  server 
  {
          listen       443 ssl http2 default_server;
          listen       [::]:443 ssl http2 default_server;
          server_name  _;
          root         /etc/nginx/www;
          index index.html index.htm;
          ssl_certificate "/etc/nginx/ssl/app.crt";
          ssl_certificate_key "/etc/nginx/ssl/app.key";
          ssl_session_cache shared:SSL:1m;
          ssl_session_timeout  10m;
          ssl_ciphers HIGH:!aNULL:!MD5;
          ssl_prefer_server_ciphers on;
          # Load configuration files for the default server block.
          include /etc/nginx/default.d/*.conf;

          location / {
            # it picks up default root and checks for default index.html file at the path
            }

          location /bar {
            # it picks up default root, adds /bar to the root and looks for the default index.html file at the path
           }


          error_page 404 /404.html;
              location = /40x.html {
          }

          error_page 500 502 503 504 /50x.html;
              location = /50x.html {
          }
    }
}
EOF

## Create static webpages to serve
mkdir -p /etc/nginx/www
cat > /etc/nginx/www/index.html <<'EOF'  
<h1> Hello There</h1>
  <p>
    This webpage is serverd through nginx at default root path
  </p>
EOF
chmod 0755  /etc/nginx/www
chmod 644 /etc/nginx/www/index.html
echo "index webpage created "  >> /tmp/debug.log

mkdir -p /etc/nginx/www/bar
cat > /etc/nginx/www/bar/index.html <<'EOF'  
<h1> Hello There</h1>
  <p>
    This webpage is serverd through nginx at path /$root/bar
  </p>
EOF
chmod 0755  /etc/nginx/www/bar
chmod 644 /etc/nginx/www/bar/index.html
echo "index webpage created for /bar"  >> /tmp/debug.log

## firewalld
yum -y install firewalld
systemctl unmask firewalld
systemctl restart firewalld
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload
systemctl enable firewalld
systemctl restart firewalld

systemctl restart nginx
Enter fullscreen mode Exit fullscreen mode

You should have a nginx running in your local

curl https://localhost:443 --insecure
Enter fullscreen mode Exit fullscreen mode

Top comments (1)

Collapse
 
rabi82 profile image
Rabi

great and simple
thanks