Nginx

nginx is a robust, small and high performance web server and reverse proxy server. It is a good alternative to the popular available web servers like Apache and lighttpd.

Installation
Before immediately installing the package, first take a good look at the USE flags for Nginx.

Nginx uses modules to enhance its features. To simplify the maintenance of this modular approach, the nginx ebuild uses expanded USE flags to denote which modules should be installed. HTTP related modules can be enabled through the  variable whereas mail related modules can be enabled through the   variable.

These variables need to be set in. Their description can be found in /usr/portage/profiles/desc/nginx_modules_http.desc and /usr/portage/profiles/desc/nginx_modules_mail.desc.

Other USE flags are:

With the USE flags set, install :

Do not forget to add nginx to the default runlevel:

Operating
The nginx package installs a service script allowing administrators to stop, start or restart the service:

To verify that nginx is properly running, point your browser to it or use one of the command line web clients (like ):

Configuration
The nginx configuration is handled through the file.

Single site access
The following example shows a single-site access, without dynamic capabilities (such as PHP).

Multiple site access
It is possible to leverage the  directive to split the configuration in multiple files:

Enabling PHP support
Add the following lines to the nginx configuration to enable PHP support. In this example nginx is exchanging information with the PHP process via a UNIX socket.

To support this setup, PHP needs to be build with FastCGI Process Manager support (php-fpm), which is handled through the  USE flag:

Rebuild php with the new USE flag enabled.

Review the configuration and add following line:

Setup your timezone in the php-fpm file.

Start the php-fpm daemon:

Add php-fpm to the default runlevel:

Reload nginx with changed configuration:

Enabling an IP access list
The next example shows how to allow access to a particular URL (in this case /nginx_status) only to
 * certain hosts (e.g. 192.0.2.1 127.0.0.1)
 * and IP networks (e.g. 198.51.100.0/24)

Enabling basic authentication
The nginx allows limiting access to resources by validating the user name and password.

The htpasswd file can be generated using:

Enabling tls support
It is warmly suggested to support only TLS and disable known insecure ciphers.

The ebuild provides stock self signed certificates in /etc/ssl/nginx/

Generating Certificates
TBD

Forward Secrecy
The diffie-hellman certificate can be created using openssl

Troubleshooting
In case of problems, the following commands can help you troubleshoot the situation.

Validate configuration
Verify that the running nginx configuration has no errors.

By running  with the   option, it will validate the configuration file without actually starting an nginx daemon.

Verify processes are running
Check if the nginx processes are running:

Verify bound addresses and ports
Verify nginx daemon is listening on the right TCP port (such as 80 for HTTP or 443 for HTTPS):

External resources

 * nginx Wiki
 * H5BP nginx config