http {
...
server_tokens   off;
...
}

These are the original articles;

http://rubyjudo.com/2006/11/2/nginx-ssl-rails
http://articles.slicehost.com/2007/12/19/ubuntu-gutsy-self-signed-ssl-certificates-and-nginx
http://blog.skateinmars.net/post/2007/11/01/phpMyAdmin-and-HTTPS-on-nginx

The aim is to run phpMyAdmin in secured mode served by nginx.

Create Keys and Certificates

Make a temp directory and remove it later after the setup succeed.

mkdir /home/username/temp
cd /home/username/temp

Create the private key, it will require a passphrase (it will be removed later on)

openssl genrsa -des3 -out pma.key 1024

Create the CSR (Certificate Signing Request), and enter the information required;

openssl req -new -key pma.key -out pma.csr

Then we remove the passphrase entered earlier when we create the key, if not, the box will ask us to enter the passphrase on every reboot.

cp pma.key pma.key.org
openssl rsa -in pma.key.org -out pma.key

Afterward, the digital certificate itself

openssl x509 -req -days 365 -in pma.csr -signkey pma.key -out pma.crt

The last thing is to put the files in the right place, to be called later by nginx, the final directory will depend on your config, in my case I want to put it inside nginx directory.

mkdir /usr/local/nginx/cert
cp pma.crt pma.key /usr/local/nginx/cert

Feel free to delete the temporary directory created for this purpose, or you might want to wait until your setup is done.

Nginx Virtual Host HTTPS

This is my final setup on phpMyAdmin subdomain (only the server part), I really can’t explain anything for now :), I just now it worked.

server {
listen pma.yourdomain.com:443;
client_max_body_size 10M;
index index.php;
server_name pma.yourdomain.com;
root /var/www/pma.yourdomain.com;

ssl on;
ssl_certificate /usr/local/nginx/certs/pma.crt;
ssl_certificate_key /usr/local/nginx/certs/pma.key;

location / {
proxy_set_header X_FORWARDED_PROTO https;
proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect false;
proxy_max_temp_file_size 0;
}

location ~ .php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param HTTPS on;
include /usr/local/nginx/conf/fastcgi_params;

}

}

This article intends to show you a step by step tutorial on how to install (and do basic configuration) for Nginx powered Web Sites with PHP (through php-fpm) and MySQL Enabled in CentOS 5.1 (x86_64) Virtual Box. The Box is from Magnet VPS (Entry with 128MB Dedicated RAM, 256MB SWAP Space and 5GB HDD Space).

Install and Securing (Basic) MySQL

yum install -y mysql-server mysql-devel
service mysqld start
mysql_secure_installation

Enter current password for root (enter for none): Enter
Set root password? [Y/n] Y
New password: rootpasssql
Re-enter new password: rootpasssql
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Install Required Package for Compiling

We need to install a few basic package since this is a very base install of CentOS, some of the package will depend on your wanted php configuration.

yum install -y wget patch gcc libtool libmcrypt-devel libxml2-devel flex bison make pcre-devel zlib-devel openssl-devel gd-devel

Install PHP From Source

We are going to install PHP 5.2.6 along with php-fpm patch (patch for PHP to improve FastCGI SAPI Usage in Production)

cd /usr/local/src
wget http://id2.php.net/get/php-5.2.6.tar.gz/from/id2.php.net/mirror
tar xzvf php-5.2.6.tar.gz
wget http://php-fpm.anight.org/downloads/head/php-5.2.6-fpm-0.5.8.diff.gz
gzip -cd php-5.2.6-fpm-0.5.8.diff.gz | patch -d php-5.2.6 -p1
cd php-5.2.6
./configure --enable-fastcgi --enable-fpm --with-mcrypt --with-zlib --enable-mbstring --with-openssl --with-mysql --with-mysql-sock --with-gd --with-jpeg-dir=/usr/lib --enable-gd-native-ttf --without-sqlite --disable-pdo --disable-reflection --with-libdir=lib64
make all install
strip /usr/local/bin/php-cgi

Adjust php-fpm configuration, remove the comment sign in line 63 and 65, adjust the user in which nginx will run, in this example I am using nobody (default)

vi /usr/local/etc/php-fpm.conf
<value name="user">nobody</value>
<value name="group">nobody</value>

Now we will install X-Cache opcode php cacher

cd /usr/local/src
wget http://xcache.lighttpd.net/pub/Releases/1.2.2/xcache-1.2.2.tar.gz
tar xzvf xcache-1.2.2.tar.gz
cd xcache-1.2.2
phpize
./configure --with-php-config=/usr/local/bin/php-config --enable-xcache
make install

Insert xcache in php.ini

vi /usr/local/lib/php.ini

magic_quotes_gpc=0
[xcache-common]
zend_extension = /usr/local/lib/php/extensions/no-debug-non-zts-20060613/xcache.so
[xcache]
xcache.shm_scheme = "mmap"
xcache.size = 64M

Check your PHP Installation

php -v
PHP 5.2.6 (cli) (built: Jun 28 2008 08:56:02)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with XCache v1.2.2, Copyright (c) 2005-2007, by mOo

Init Script for php-fpm

Put php-fpm init script in your rc.local to auto start during reboot

cd /etc/init.d/
ln -s /usr/local/sbin/php-fpm php-fpm

## add this line to /etc/rc.local ##
/etc/init.d/php-fpm

Install Nginx

Now we will install nginx, the current stable version is 0.6.31, check their site for updates;

export NGINX=0.6.31
cd /usr/local/src
wget http://sysoev.ru/nginx/nginx-${NGINX}.tar.gz
tar xfz nginx-${NGINX}.tar.gz
cd nginx-${NGINX}
./configure --pid-path=/usr/local/nginx/logs/nginx.pid --sbin-path=/usr/local/sbin/nginx --with-md5=/usr/lib --with-sha1=/usr/lib --with-http_ssl_module  --with-http_dav_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module
make
make install

Nginx Daemon for CentOS

Get Nginx daemon for CentOS and add the service to startup so it start automatically during reboot.

wget http://notrocketsurgery.com/files/nginx -O /etc/init.d/nginx
chmod 750 /etc/init.d/nginx
## Install start-stop-daemon ##
cd /usr/local/src
wget http://developer.axis.com/download/distribution/apps-sys-utils-start-stop-daemon-IR1_9_18-1.tar.gz
tar zxvf apps-sys-utils-start-stop-daemon-IR1_9_18-1.tar.gz
cd apps/sys-utils/start-stop-daemon-IR1_9_18-1/
gcc start-stop-daemon.c -o start-stop-daemon
cp start-stop-daemon /usr/sbin
chkconfig --add nginx
chkconfig --level 345 nginx on

Configure Nginx

This is a sample configuration for wordpress running on nginx web sites. Notice that I am disabling logs, the sample is only for basic configuration, you should read more on nginx manual for the configuration directive.

service nginx start
## Edit the main configuration File ##
vi /usr/local/nginx/conf/nginx.conf
## Put only these lines ##
user  nobody;
worker_processes  5;
error_log  /var/log/nginx/error.log;
events {
worker_connections  768;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nodelay on;
keepalive_timeout 10 10;
gzip on;
gzip_comp_level 1; gzip_proxied any;
gzip_types text/plain text/html text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;

server {
listen  80;
server_name your.hostname.tld;
location / {
root   html;
autoindex  off;
index  index.html index.htm;
}
}
include /usr/local/nginx/sites-enabled/*;
}

## Make a sites config ##
cd /usr/local/nginx
mkdir sites-enabled
cd sites-enabled
vi yourwordpressblog.tld

## Put these lines ##

server {
listen yourwordpressblog.tld:80;
server_name yourwordpressblog.tld www.yourwordpressblog.tld;
index index.php;
root /var/www/yourwordpressblog.tld;

location / {
error_page 404 = //index.php?q=$uri;
}

location ~ .php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /usr/local/nginx/conf/fastcgi_params;
}
}

## Add this line to fastcgi_params /usr/local/nginx/fastcgi_params##
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

Make the root www directory for your wordpressblog, this is subject for security notice in the future, I haven’t look further.

mkdir -p /var/www/yourwordpressblog.tld
touch /var/www/yourwordpressblog.tld/index.php
chown -R nobody.nobody /var/www/yourwordpressblog.tld

Restart nginx, but make sure that your domain already resolved to your nginx web server, otherwise it will fail to start.

service nginx restart

Update

It is now CentOS 5.3, PHP and fpm patch 5.2.10, and nginx 0.7.61 stable release. This post is obsolete, unless you can modify the steps.

Required Pack

Install the required package using yum;

yum install gettext httpd mysql mysql-server perl

yum install php php-mysql php-xml php-imap php-mbstring php-mcrypt php-pecl-Fileinfo php-pecl-memcache php-pear-DB php-pear-File php-pear-Log php-pear-Mail-Mime php-pear-Auth-SASL php-pear-Date php-pear-HTTP-Request php-pear-Mail php-pear-Net-Sieve php-pear-Net-Socket php-pear-Net-SMTP

yum install openssl perl-Net-SSLeay

yum install php-devel gcc

Start the Service

Start Apache and MySQL daemon, and add them to startup script so it will survive reboot.

service httpd restart
chkconfig httpd on

service mysqld restart
chkconfig mysqld on

Standard MySQL First Step After Install

Run the mysql_secure script to do basic securing MySQL and give root password to your MySQL databases;

mysql_secure_installation

Apache and Basic Virtual Host Configuration

Edit the apache configuration file to fit your requirement.

vi /etc/httpd/conf/httpd.conf

###Modify

Listen vvv.xxx.yyy.zzz:80  <--Put your IP Address here

###Add

<Directory “/path/to/rootwwwdir/public_html”>
Options Indexes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride None
</Directory>

<Directory “/path/to/rootwwwdir/public_html”>
Options Indexes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride None
</Directory>

Virtual Host Configuration

NameVirtualHost vvv.xxx.yyy.zzz:80

<VirtualHost vvv.xxx.yyy.zzz:80>
ServerAdmin hostmaster@magnet-id.com
DocumentRoot /path/to/rootwwwdir/public_html
ServerName virt1.magnet-id.com
ErrorLog logs/virt1.magnet-id.com-error_log
CustomLog logs/virt1.magnet-id.com-access_log common
</VirtualHost>

<VirtualHost vvv.xxx.yyy.zzz:80>
ServerAdmin hostmaster@magnet-id.com
DocumentRoot /path/to/rootwwwdir/public_html
ServerName virt2.magnet-id.com
ErrorLog logs/virt2.magnet-id.com-error_log
CustomLog logs/virt2.magnet-id.com-access_log common
</VirtualHost>

###Empty the file
/etc/httpd/conf.d/welcome.conf