CentOS 7.6: install nginx, configure ports to access websites, and switch the root directory

Keywords: Operation & Maintenance Nginx sudo firewall SELinux

20190329 CentOS 7.6 Install nginx and configure ports to access websites

1. Search for nginx

yum search nginx
	Loaded plugins: fastestmirror
	Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
	Determining fastest mirrors
	 * base: mirrors.aliyun.com
	 * extras: mirrors.aliyun.com
	 * updates: mirrors.aliyun.com
	epel                                                                12744/12744
	......

** If you have an old version, you can uninstall and install it again

2. Installing nginx

sudo yum install -y nginx

//Start nginx and enable it at boot
//Basic commands:
	sudo systemctl start nginx.service
	sudo systemctl enable nginx.service
	sudo systemctl status nginx.service
	sudo systemctl restart nginx.service

//View the version and confirm startup
 nginx -v
	nginx version: nginx/1.12.2
ps -ef |grep nginx

//Test site configuration
	sudo nginx -t
	
	curl 127.0.0.1

3. Configure a website served on port 8080

References:

https://m.linuxidc.com/Linux/2019-02/156789.htm
https://blog.csdn.net/yongzhang52545/article/details/51282914

1. Inspect the nginx configuration file
	sudo vim /etc/nginx/nginx.conf
	The contents are summarized as follows:
	    server {
	        listen       80 default_server;
	        listen       [::]:80 default_server;
	        server_name  _;
	        root         /usr/share/nginx/html;
	....
	    # Load modular configuration files from the /etc/nginx/conf.d directory.
	    # See http://nginx.org/en/docs/ngx_core_module.html#include
	    # for more information.
	    include /etc/nginx/conf.d/*.conf;

	Website (server block) configurations are placed under /etc/nginx/conf.d/ as *.conf files
2. Create a new website: chuangke.conf
	sudo touch /etc/nginx/conf.d/chuangke.conf
	sudo vim /etc/nginx/conf.d/chuangke.conf
	Add the following
	    server {
	        listen       8080;
	        server_name  127.0.0.1;
	        root         /usr/share/nginx/chuangke;
	        # root       /var/www/chuangke;
	        index        index.html;

	        location / {
	        }
	    }

Test the configuration
    sudo nginx -t
	nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
	nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart nginx
	sudo systemctl restart nginx

Test the website
	curl 127.0.0.1:8080
Using root /var/www/chuangke always gives a 403 error?!
	<html>
	<head><title>403 Forbidden</title></head>
	<body bgcolor="white">
	<center><h1>403 Forbidden</h1></center>
	<hr><center>nginx/1.12.2</center>
	</body>
	</html>

4. Open port 8080

1. View firewall status
	sudo systemctl status firewalld
	
	sudo firewall-cmd --state
		running
2. Basic firewall commands
	# Start
	sudo service firewalld start
	# Restart
	sudo service firewalld restart
	# Stop
	sudo service firewalld stop
	
	# View firewall rules
	sudo firewall-cmd --list-all 
	sudo firewall-cmd --state
3. Open port 8080
	sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
	
	//service iptables restart
	sudo systemctl restart firewalld.service
	
	sudo firewall-cmd --reload

4. I don't know why, but I shut myself out. No ssh connection!
	sudo firewall-cmd --list-all 
		public (active)
		  target: default
		  icmp-block-inversion: no
		  interfaces: enp0s3
		  sources: 
		  services: ssh dhcpv6-client
		  ports: 
		  protocols: 
		  masquerade: no
		  forward-ports: 
		  source-ports: 
		  icmp-blocks: 
		  rich rules: 
	** As you can see, the ports list is empty!
	** Simply add the ports again; add ports 20, 22 first.
	sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
	sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
	sudo firewall-cmd --zone=public --add-port=21/tcp --permanent
	sudo firewall-cmd --zone=public --add-port=20/tcp --permanent
	sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
	sudo firewall-cmd --zone=public --add-port=4433/tcp --permanent

//service iptables restart
	sudo systemctl restart firewalld.service
//Review the firewall rules
	sudo firewall-cmd --list-all 
		public (active)
		  target: default
		  icmp-block-inversion: no
		  interfaces: enp0s3
		  sources: 
		  services: ssh dhcpv6-client
		  ports: 80/tcp 22/tcp 21/tcp 20/tcp 8080/tcp 4433/tcp
		  protocols: 
		  masquerade: no
		  forward-ports: 
		  source-ports: 
		  icmp-blocks: 
		  rich rules: 
** Now you can safely exit and log back in over ssh!

5. Adding another port (e.g. 4433) produces an error

1. Test: change the port in the chuangke.conf above to 4433, then restart
		sudo systemctl restart nginx
		//An error is returned!
			Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

2. Testing the nginx configuration reports OK!
	sudo nginx -t
		nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
		nginx: configuration file /etc/nginx/nginx.conf test is successful
	
3. View the error messages
	sudo systemctl status nginx.service
		......
		Mar 29 15:07:26 centos7-71 nginx[18289]: nginx: [emerg] bind() to 0.0.0.0:4433 failed (13: Permission denied)
		......
		Mar 29 15:07:26 centos7-71 systemd[1]: Unit nginx.service entered failed state.
		Mar 29 15:07:26 centos7-71 systemd[1]: nginx.service failed.

Port 4433 is not allowed!

6. Using semanage to fix the HTTP port access configuration (SELinux)

References:
https://blog.csdn.net/runsnail2018/article/details/81185138
https://zhb1208.iteye.com/blog/1432957

1. Installing semanage directly reports that there is no semanage package
	sudo yum update
	sudo yum install semanage 
		Loaded plugins: fastestmirror
		Loading mirror speeds from cached hostfile
		 * base: mirrors.aliyun.com
		 * extras: mirrors.aliyun.com
		 * updates: mirrors.aliyun.com
		No package semanage available.
		Error: Nothing to do

2. Follow the reference document and run the lookup and installation commands
	1). yum provides /usr/sbin/semanage
	2). yum -y install policycoreutils-python
	3). Now the semanage command can be run
3. List the ports HTTP is allowed to use
	sudo semanage port -l | grep http_port_t
			http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
		pegasus_http_port_t            tcp      5988
	** No port 4433 was found!	
4. Add 4433 to the ports HTTP is allowed to use
	sudo semanage port -a -t http_port_t  -p tcp 4433
5. List the HTTP ports again
	sudo semanage port -l | grep http_port_t
		http_port_t                    tcp      4433, 80, 81, 443, 488, 8008, 8009, 8443, 9000
		pegasus_http_port_t            tcp      5988
** Now port 4433 can be accessed.
	sudo systemctl restart nginx
	sudo systemctl status nginx.service
	OK!

I hadn't figured out what SELinux is for! Now it's a bit clearer!

It's not just about opening a port in the firewall. You also have to configure which ports specific services (this time HTTP) can use.
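
The two layers described above, checked side by side in an added example (not part of the original post): `fw_allows` reads the `ports:` line of `firewall-cmd --list-all` and `se_allows` reads the `http_port_t` row of `semanage port -l`, both accepting port ranges. The function names and the embedded sample listings are constructed here from the outputs shown on this page.

```shell
# Added example, not from the original post. Sample listings are constructed from
# this page's outputs (step 5: 4433 open in firewalld, not yet in http_port_t).
FW_SAMPLE='public (active)
  services: ssh dhcpv6-client
  ports: 80/tcp 22/tcp 21/tcp 20/tcp 8080/tcp 4433/tcp'
SE_SAMPLE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988'

# fw_allows PORT LISTING: PORT/tcp is on the "ports:" line (single port or lo-hi range).
fw_allows() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) {
                split($i, a, "/")
                if (a[2] != "tcp") continue
                n = split(a[1], r, "-"); lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (p + 0 >= lo + 0 && p + 0 <= hi + 0) ok = 1
            }
        }
        END { exit !ok }'
}

# se_allows PORT LISTING: PORT is in the tcp row of http_port_t. The type name is
# matched exactly, so the pegasus_http_port_t row that grep also prints is ignored.
se_allows() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "http_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                n = split($i, r, "-"); lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (p + 0 >= lo + 0 && p + 0 <= hi + 0) ok = 1
            }
        }
        END { exit !ok }'
}

# diagnose PORT FW_LISTING SE_LISTING
#   selinux=blocked   -> nginx fails at start: bind() ... (13: Permission denied)
#   firewalld=blocked -> nginx starts, but remote clients cannot connect
diagnose() {
    fw=ok; se=ok
    fw_allows "$1" "$2" || fw=blocked
    se_allows "$1" "$3" || se=blocked
    echo "port $1: firewalld=$fw selinux=$se"
}

diagnose 4433 "$FW_SAMPLE" "$SE_SAMPLE"
# Live host: diagnose 4433 "$(sudo firewall-cmd --list-all)" "$(sudo semanage port -l)"
```

Ports that firewalld opens through an entry on the `services:` line (such as `ssh`) are not resolved by `fw_allows`; it only reads explicit `ports:` entries.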

7. Switching the root directory keeps giving 403 errors

Reference: https://blog.csdn.net/a690392431/article/details/85914076

** This blog should be correct! However, I followed its steps and it still doesn't work!

There's no way around it!
I have to disable SELinux first! I'll learn about it later!

sudo vim /etc/selinux/config
		# by wzh 20190329 disable SELINUX
		SELINUX=disabled
		# SELINUX=enforcing

It takes effect after a reboot!

Check the SELinux status
sestatus
	SELinux status:                 disabled
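
A way to narrow down the 403 from this section with SELinux left on, as an added example (not part of the original post): `why_403` walks from the site root up to `/` and reports the first Unix-permission or missing-index cause. The function names are hypothetical, and it assumes the nginx worker is neither owner nor group of the files, so the "other" permission bits decide access.

```shell
# Added example, not from the original post.
# Assumption: the nginx worker is neither owner nor group of the files, so the
# "other" bits (characters 8-10 of `ls -ld`) decide access.
other_bits() { ls -ld "$1" 2>/dev/null | cut -c8-10; }

# why_403 ROOT [INDEX] [STOP]: print the first Unix-level cause found, walking
# from ROOT up to STOP (default /). Prints "unix-ok" when none is found.
why_403() {
    root=$1; index=${2:-index.html}; stop=${3:-/}
    [ -d "$root" ] || { echo "missing-root $root"; return; }
    dir=$root
    while :; do
        case $(other_bits "$dir") in
            ??x|??t) ;;                              # searchable by "other"
            *) echo "not-searchable $dir"; return ;;
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = / ] || [ "$dir" = . ]; then break; fi
        dir=$(dirname "$dir")
    done
    # With no index file and autoindex off, nginx answers 403 for the directory.
    [ -f "$root/$index" ] || { echo "missing-index $root/$index"; return; }
    case $(other_bits "$root/$index") in
        r??) ;;
        *) echo "not-readable $root/$index"; return ;;
    esac
    echo unix-ok
}

why_403 "${1:-/var/www/chuangke}"

# If this prints unix-ok and SELinux is enforcing, the file label is the next
# suspect (standard SELinux tools, not commands from this page):
#   ls -Zd /var/www/chuangke              # expect type httpd_sys_content_t
#   sudo ausearch -m avc -ts recent       # denials logged against nginx
#   sudo restorecon -Rv /var/www/chuangke
```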

Posted by SmokyBarnable on Sat, 30 Mar 2019 11:42:30 -0700