Nginx Vhost & NSD DNS Setup
- How to add a new Nginx vhost account for new domain/subdomain account?
- How to force redirect from HTTP:// to HTTPS://?
- How to switch self-signed SSL certificate to paid SSL certificate?
- How to migrate existing HTTP site to HTTPS with Letsencrypt SSL certificates?
- Enabling OCSP Stapling for SSL
- Enabling HSTS for SSL
- How to delete Nginx vhost account for existing domain/subdomain?
- How to setup domain / subdomain to use NSD DNS so I can host DNS on my own server instead of using my web host, registrar or DNS service provider's name servers?
- Changing default ns1.newdomain.com and ns2.newdomain.com
How to add a new Nginx vhost account for new domain/subdomain account?
You will need to enable Centmin Mod's free SSL certificate support via its Letsencrypt integration. If you use Cloudflare in front of your domains, pay attention to the section on using the recommended Cloudflare DNS API domain validation method instead of the default Letsencrypt webroot domain validation method.
Centmin Mod 131.00stable and higher has extended the Nginx vhost creation routine to allow two methods of creating a Nginx site domain vhost account:
- New /usr/bin/nv SSH command line method
- Traditional Centmin Mod menu option #2
The new /usr/bin/nv SSH command line method is outlined here. It allows unattended or scripted creation of new Nginx site domain vhost accounts on the Centmin Mod LEMP stack.
To create a new site domain Nginx vhost account for newdomain.com with self-signed SSL enabled and Pure-FTPD virtual FTP username = MYFTPUSERNAME, type the following in the SSH command line:
/usr/bin/nv -d newdomain.com -s y -u MYFTPUSERNAME
Or use the traditional Centmin Mod menu option #2. Centmin Mod 131.00stable and higher also adds self-signed SSL Nginx vhost generation support and Pure-FTPD virtual FTP user support. Below are screenshot examples for setting up newdomain.com, where newdomainipaddress = the domain's IP address (your A record and the IP address of the server the domain is hosted on). The script outputs the path where it creates the domain name's vhost conf file, named newdomain.com.conf:
- Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
- Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
- Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
- Vhost public web root will be at /home/nginx/domains/newdomain.com/public
- Vhost log directory will be at /home/nginx/domains/newdomain.com/log
- A full guide to the Nginx vhost structure can be found on the Centmin Mod configuration files page.
--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 2
--------------------------------------------------------

---------------------------------------------
Enter vhost domain name to add (without www. prefix): newdomain.com
Create a self-signed SSL certificate Nginx vhost? [y/n]: y
Create FTP username for vhost domain (enter username): MYFTPUSERNAME
Auto generate FTP password (recommended) [y/n]: y
FTP username you entered: MYFTPUSERNAME
FTP password auto generated: WpTY9dorKBQz3F@~ew70BQq8a9s76eh1!
Password:
Enter it again:
---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
Generating a 2048 bit RSA private key
.................................................................................................................................+++
..................................................................+++
writing new private key to 'newdomain.com.key'
-----
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=newdomain.com/CN=newdomain.com
Getting Private key
---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................+.........................................................................................................................................................................................................................................................................................+....................................................+..............................................................................................................................................................................................................+.....................................................................................................................................................................+.............................................................................+.............................................................................................................................+....................................................................................................+...........................................................................................+........................................................................................................................................................+.......................................................................................................................................................................++*++*
dhparam file generation time: 12.149109355
-------------------------------------------------------------
service nginx reload
Reloading nginx configuration (via systemctl):  [  OK  ]
systemctl restart pure-ftpd.service
-------------------------------------------------------------
FTP hostname : IPADDRESS
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for newdomain.com : MYFTPUSERNAME
FTP password created for newdomain.com : WpTY9dorKBQz3F@~ew70BQq8a9s76eh1!
-------------------------------------------------------------
vhost for newdomain.com created successfully
domain: http://newdomain.com
vhost conf file for newdomain.com created: /usr/local/nginx/conf/conf.d/newdomain.com.conf
vhost ssl for newdomain.com created successfully
domain: https://newdomain.com
vhost ssl conf file for newdomain.com created: /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.csr
upload files to /home/nginx/domains/newdomain.com/public
vhost log files directory is /home/nginx/domains/newdomain.com/log
-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/
Jul 16 19:04 845 ssl.conf
Jul 16 19:04 1.1K demodomain.com.conf
Jul 16 19:08 1.6K virtual.conf
Jul 20 01:09 1.9K newdomain.com.conf
Jul 24 01:42 1.7K newdomain2.com.conf
Jul 24 01:42 3.4K newdomain2.com.ssl.conf
Jul 24 01:51 1.7K newdomain.com.conf
Jul 24 01:51 3.4K newdomain.com.ssl.conf
-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/newdomain.com
Jul 24 01:50 1.7K newdomain.com.key
Jul 24 01:50 1009 newdomain.com.csr
Jul 24 01:50 1.2K newdomain.com.crt
Jul 24 01:51 424 dhparam.pem
-------------------------------------------------------------
Commands to remove newdomain.com
rm -rf /usr/local/nginx/conf/conf.d/newdomain.com.conf
rm -rf /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt
rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key
rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.csr
rm -rf /home/nginx/domains/newdomain.com
service nginx restart
-------------------------------------------------------------
/usr/local/nginx/conf/conf.d/newdomain.com.conf contents
# Centmin Mod Getting Started Guide
# must read http://centmin.com/getstarted.html
# redirect from non-www to www
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
#server {
#            listen   80;
#            server_name newdomain.com;
#            return 301 $scheme://www.newdomain.com$request_uri;
#       }

server {
  server_name newdomain.com www.newdomain.com;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/newdomain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/newdomain.com/log/error.log;

  root /home/nginx/domains/newdomain.com/public;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #}

  location / {

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centmin.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
/usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf contents
# Centmin Mod Getting Started Guide
# must read http://centmin.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centmin.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#       server_name newdomain.com www.newdomain.com;
#        return 302 https://$server_name$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name newdomain.com www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;

  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-trusted.crt;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/newdomain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/newdomain.com/log/error.log;

  root /home/nginx/domains/newdomain.com/public;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #}

  location / {

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://centmin.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
If you want to enable auto index so you can see a directory listing of files when no index.htm/index.php page exists, you need to uncomment the autoindex on option, save the newdomain.com.conf file and restart the nginx server.
change from
#autoindex on;
change to
autoindex on;
If you want to enable server side includes in Nginx, you need to uncomment the ssi on option, save the newdomain.com.conf file and restart the nginx server.
change from
# ssi on;
change to
ssi on;
To restart the Nginx server after saving conf changes, type one of the following three commands in your SSH session:
/etc/init.d/nginx restart
or
service nginx restart
If you installed commandline shortcuts at Centmin Mod install time:
ngxrestart
How to force redirect from HTTP:// to HTTPS://?
I would first test in an incognito or private web browser session on the local PC that accesses the site, to ensure the HTTP to HTTPS redirect works well before changing the 302 temporary redirect to a 301 permanent redirect.
The easiest way, with the Centmin Mod Nginx auto generated self-signed SSL certificate structure in place (which creates both an HTTP vhost /usr/local/nginx/conf/conf.d/newdomain.com.conf and an HTTPS vhost /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf), is to rename the HTTP vhost /usr/local/nginx/conf/conf.d/newdomain.com.conf to /usr/local/nginx/conf/conf.d/newdomain.com.conf-disabled and use only the HTTPS vhost /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf config file.
To rename the HTTP vhost /usr/local/nginx/conf/conf.d/newdomain.com.conf to /usr/local/nginx/conf/conf.d/newdomain.com.conf-disabled, run this command as the root user in an SSH window. To reverse the change, just swap the two file names to rename it back:
mv /usr/local/nginx/conf/conf.d/newdomain.com.conf /usr/local/nginx/conf/conf.d/newdomain.com.conf-disabled
Edit the top of the /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf config file and add a new server {} context above the HTTP/2 SSL server {} context, changing it from
# Centmin Mod Getting Started Guide
# must read http://centmin.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centmin.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#       server_name newdomain.com www.newdomain.com;
#        return 302 https://$server_name$request_uri;
# }
to (for redirecting http://newdomain.com and http://www.newdomain.com to https://newdomain.com)
# Centmin Mod Getting Started Guide
# must read http://centmin.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centmin.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
  server_name newdomain.com www.newdomain.com;
  return 302 https://newdomain.com$request_uri;
}
If you also want to redirect https://www.newdomain.com to https://newdomain.com, you need to add an additional 3rd server{} context to the HTTP/2 HTTPS SSL part of the /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf config file:
server {
  listen 443 ssl http2;
  server_name www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  return 302 https://newdomain.com$request_uri;
}
so that the top part of the HTTP/2 SSL server {} context within /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf looks like the block directly below. Replace 302 with 301 once you confirm it's working. The 3 server {} contexts are: the 1st redirects the listen port 80 non-HTTPS non-www and www domains to the non-www HTTPS domain, the 2nd redirects the listen port 443 www HTTPS domain to the non-www HTTPS domain, and the final context is the actual main site on the non-www HTTPS domain.
# Centmin Mod Getting Started Guide
# must read http://centmin.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centmin.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
  server_name newdomain.com www.newdomain.com;
  return 302 https://newdomain.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  return 301 https://newdomain.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

< snipped the rest of the nginx settings >
or to (for redirecting http://newdomain.com and http://www.newdomain.com to https://www.newdomain.com)
# Centmin Mod Getting Started Guide
# must read http://centmin.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centmin.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
  server_name newdomain.com www.newdomain.com;
  return 302 https://www.newdomain.com$request_uri;
}
If you prefer the www domain, i.e. https://www.newdomain.com, to be the intended redirect target, you will have to add a 3rd server{} context to your Nginx HTTPS SSL vhost config file.
So the top part changes from:
# Centmin Mod Getting Started Guide
# must read http://centmin.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centmin.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#       server_name newdomain.com www.newdomain.com;
#        return 302 https://$server_name$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name newdomain.com www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

< snipped the rest of the nginx settings >
to
# Centmin Mod Getting Started Guide
# must read http://centmin.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centmin.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
  server_name newdomain.com www.newdomain.com;
  return 302 https://www.newdomain.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name newdomain.com;
  return 302 https://www.newdomain.com$request_uri;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;
}

server {
  listen 443 ssl http2;
  server_name www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

< snipped the rest of the nginx settings >
Notice that the middle server{} context tells Nginx to redirect non-www HTTPS requests to the www HTTPS domain served by the third server{} context, while the first server{} context tells Nginx to redirect both non-www and www non-HTTPS requests to the www HTTPS domain served by that same third server{} context.
The above non-www non-HTTPS to non-www HTTPS redirect vhost examples may differ slightly if you use Centmin Mod 123.09beta01 or higher's integrated Letsencrypt SSL tools, as the SSL certificate paths differ slightly for this part:
  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;
The default HTTPS SSL vhost generated there might look like this instead, where the /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt.key.conf include file contains the ssl_certificate and ssl_certificate_key path definitions:
  include /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;
so the full vhost may look like the following instead:
# Centmin Mod Getting Started Guide
# must read http://centmin.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://centmin.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
server {
  server_name newdomain.com www.newdomain.com;
  return 302 https://www.newdomain.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name newdomain.com;
  return 302 https://www.newdomain.com$request_uri;

  include /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;
}

server {
  listen 443 ssl http2;
  server_name www.newdomain.com;

  include /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

< snipped the rest of the nginx settings >
Then restart Nginx server for changes to take effect.
Once you're happy that the redirects are working properly, you can change from the 302 temporary redirect to a 301 permanent redirect by changing return 302 to return 301 and restarting the Nginx server.
How to switch self-signed SSL certificate to paid SSL certificate?
If you want to swap the self-signed SSL certificate that was auto generated via the centmin.sh menu option 2 or /usr/bin/nv command line Nginx vhost outlined above for a paid SSL certificate, you still need to follow the same steps outlined at Nginx SPDY SSL Configuration for purchasing and obtaining the paid SSL certificate. The most important part is concatenating the files your SSL provider supplies to create the /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt files referenced in your Nginx SSL vhost config file. The actual file names can be anything you want, but the contents of the files need to be concatenated in the proper order from the SSL certificate files your paid SSL provider supplies, which include the Root CA certificate, the Intermediate CA certificate(s), and the actual SSL certificate itself. The concatenated files form the certificate chain that allows web browsers to trust your issued paid SSL certificate. Without it, browsers report your paid SSL certificate as untrusted or as having SSL certificate chain issues.
The paths to those files will specifically be /usr/local/nginx/conf/ssl/newdomain.com/ssl-unified.crt and /usr/local/nginx/conf/ssl/newdomain.com/ssl-trusted.crt. Basically, the only difference compared with the instructions outlined at Nginx SPDY SSL Configuration is that, with the self-signed SSL Nginx vhost structure already auto generated, the SPDY SSL vhost itself already exists at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf, and you do not need to manually create the directory at /usr/local/nginx/conf/ssl/newdomain.com or manually create the self-signed SSL certificate files.
So to switch, the self-signed SSL paths in the Nginx vhost /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf file change, and the settings relevant to paid SSL certificates are enabled by uncommenting them (removing the # hash prefix from the lines), from
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/ssl.key;

  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-trusted.crt;
to
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/ssl-unified.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/ssl-trusted.crt;
where /usr/local/nginx/conf/ssl/newdomain.com/ssl-unified.crt and /usr/local/nginx/conf/ssl/newdomain.com/ssl-trusted.crt are the files created via the concatenation instructions. Then it's just a matter of restarting the Nginx server.
Examples of SSL certificate concatenation are at Compiled list of SSL certificate file name bundles. If you're using a paid SSL certificate, you might want to post in that thread to contribute the file names your SSL provider emailed you, so I can build a database of known paid SSL certificate types and the file names they provide.
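An added example to go with the concatenation described above (it is not part of this guide or of Centmin Mod's tooling): it builds a throwaway root, intermediate and server certificate offline with openssl, writes ssl-unified.crt and ssl-trusted.crt in the order the guide describes, and checks the bundle order, which is the mistake browsers report as a chain issue. The CA names, the scratch directory and newdomain.com are constructed placeholders, and it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example for this guide, not Centmin Mod's own tooling. It builds a
# constructed root -> intermediate -> server certificate chain offline with
# openssl, concatenates the files the way the guide describes (ssl-unified.crt
# for ssl_certificate, ssl-trusted.crt for ssl_trusted_certificate) and checks
# that the bundle is in the right order before nginx is pointed at it.
set -eu

# Build a throwaway three-tier chain in scratch directory $1 (constructed test
# data; the CA names and newdomain.com are placeholders).
make_test_chain() {
  d="$1"
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:newdomain.com\n' > "$d/leaf.ext"
  # root CA: self-signed; it must carry CA:TRUE or openssl rejects it as an issuer
  openssl req -new -newkey rsa:2048 -nodes -sha256 -batch -subj "/CN=Test Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 \
    -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -batch -subj "/CN=Test Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  # server certificate for newdomain.com, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 -batch -subj "/CN=newdomain.com" \
    -keyout "$d/newdomain.com.key" -out "$d/newdomain.com.csr" 2>/dev/null
  openssl x509 -req -in "$d/newdomain.com.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -sha256 -extfile "$d/leaf.ext" -out "$d/newdomain.com.crt" 2>/dev/null
}

# Concatenate in the order nginx needs: ssl-unified.crt starts with the server
# certificate followed by the intermediate(s); ssl-trusted.crt holds the
# intermediate(s) plus the root so ssl_stapling_verify can validate OCSP responses.
build_bundles() {
  d="$1"
  cat "$d/newdomain.com.crt" "$d/inter.crt" > "$d/ssl-unified.crt"
  cat "$d/inter.crt" "$d/root.crt" > "$d/ssl-trusted.crt"
}

# Walk a PEM bundle and confirm every certificate is issued by the one after it
# (server certificate first, then up the chain). Returns 0 when the order is
# right, 1 otherwise, naming the mismatch on stderr.
check_chain_order() {
  bundle="$1"
  tmp=$(mktemp -d)
  # split the bundle into one file per certificate: cert.0, cert.1, ...
  awk -v dir="$tmp" '/BEGIN CERT/ { n++ } { f = dir "/cert." (n - 1); print > f }' "$bundle"
  set -- "$tmp"/cert.*
  count=$#
  i=0
  status=0
  while [ "$i" -lt $((count - 1)) ]; do
    issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/cert.$((i + 1))" -noout -subject)
    # drop the "issuer=" / "subject=" prefixes before comparing the names
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "$bundle: certificate $i was not issued by certificate $((i + 1))" >&2
      status=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$status"
}

# Verify the server certificate the way a client would: only the root is
# trusted, the intermediate has to come from the bundle nginx would send.
verify_bundle() {
  d="$1"
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/ssl-unified.crt" \
    "$d/newdomain.com.crt" >/dev/null 2>&1
}

main() {
  d=$(mktemp -d)
  make_test_chain "$d"
  build_bundles "$d"
  check_chain_order "$d/ssl-unified.crt" && echo "ssl-unified.crt: order OK"
  verify_bundle "$d" && echo "newdomain.com.crt: chain verifies against the root"
  # the same files in the wrong order, which browsers report as a chain problem
  cat "$d/inter.crt" "$d/newdomain.com.crt" > "$d/wrong-order.crt"
  check_chain_order "$d/wrong-order.crt" || echo "wrong-order.crt: rejected as expected"
  rm -rf "$d"
}
main
```

Point check_chain_order at your own ssl-unified.crt before restarting Nginx; a provider that ships the root first will fail the check at certificate 0.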
Enabling OCSP Stapling for SSL
Online Certificate Status Protocol (OCSP) Stapling for Nginx SSL is only used with commercial SSL certificates trusted by web browsers. For self-signed SSL certificates and auto generated Nginx https vhosts, the OCSP stapling settings are disabled and commented out by default:
  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;
Only if you have a commercial SSL certificate that is fully trusted by web browsers should you uncomment these settings and restart Nginx to enable OCSP stapling, where the ssl_trusted_certificate file is created via concatenation of the SSL provider's files as outlined here:
  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;
Some online SSL test sites may incorrectly report whether OCSP is enabled, so you can also do a quick OCSP stapling test from the SSH command line. Type the following, where domain.com is the https://domain.com SSL domain you set up (the -tls1 flag restricts the handshake to TLS 1.0, so drop it if your server no longer offers TLS 1.0):
openssl s_client -connect domain.com:443 -tls1 -tlsextdebug -status
and look for this output:
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
Or run your SSL enabled site through the test at https://certificate.revocationcheck.com/
Enabling HSTS for SSL
Note if you're using Cloudflare you do not need to configure HSTS from Nginx side, instead you can do that via Cloudflare dashboard's Crypto tab. See Understanding HSTS (HTTP Strict Transport Security)
The HTTP Strict Transport Security (HSTS) header for Nginx SSL is only used on HTTPS web sites with SSL certificates, when you want to force all non-HTTPS (HTTP) traffic to the HTTPS version of the site for a specific max-age time in seconds. The HSTS header is disabled and commented out by default, as some folks don't realise that it can break their site for HTTP traffic if they want to be able to use the site on both HTTP and HTTPS.
if SSL certificate covers subdomains
#add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
if SSL certificate DOES NOT cover subdomains
#add_header Strict-Transport-Security "max-age=31536000;";
To enable the HSTS header, uncomment one of the above lines by removing the # hash in front of it.
If only some of your sites use HSTS, make a copy of the staticfiles.conf include file and use that copy in the HSTS enabled vhost's HTTP /usr/local/nginx/conf/conf.d/domain.com.conf and HTTPS /usr/local/nginx/conf/conf.d/domain.com.ssl.conf nginx config includes, with the following alteration to the html location match:
cp -a /usr/local/nginx/conf/staticfiles.conf /usr/local/nginx/conf/staticfiles-hsts.conf
edit /usr/local/nginx/conf/staticfiles-hsts.conf
copy and change html location match to
location ~* \.(html|htm|txt)$ {
  if ($server_https = 'on') {
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  }
  #add_header Pragma public;
  add_header Cache-Control "public, must-revalidate, proxy-revalidate";
  access_log off;
  expires 30m;
  break;
}
Then, for the specific HSTS enabled vhost config files, change the include to use the new copy, commenting out the original:
#include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/staticfiles-hsts.conf;
This should only be done on HSTS enabled vhost sites. HSTS tells browsers to force HTTPS, so if your site isn't HTTPS enabled and you use it, you will get errors that are cached for a long time in your browser and your visitors' browsers, for up to 3153600 seconds.
restart nginx and php-fpm
nprestart
How to delete Nginx vhost account for existing domain/subdomain?
When you create a domain via menu option #2 on centmin.sh you get:
- Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/existingdomain.com.conf
- Nginx SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/existingdomain.com.ssl.conf if you used the new self-signed SSL vhost option
- Domain top level directory at /home/nginx/domains/existingdomain.com/
If you do not have any data, or have already backed up the data for the domain, deleting the domain vhost and directory is a manual process right now, as I want end users to consciously make the decision to delete rather than offer a similar menu option (in case they delete the wrong domain or delete before they back up their data).
Domain deletion steps:
Each Nginx vhost created has a timestamped log entry saved in /root/centminlogs as an nginx_addvhost.log file, which contains the list of commands to fully remove that Nginx vhost. These commands are also output at the end of each Nginx vhost creation so you can save them then.
You can use this command to list all nginx_addvhost.log logs saved in the /root/centminlogs directory:
find /root/centminlogs -type f -name "*nginx_addvhost*"
Step 1. Back up data first via SSH with these 2 commands, replacing existingdomain.com with your existing domain name. If you have a subdomain, replace it with your subdomain.existingdomain.com.
cp -a /usr/local/nginx/conf/conf.d/existingdomain.com.conf /usr/local/nginx/conf/conf.d/existingdomain.com.conf.bak
Ensure you have enough free disk space on /home partition to house your backup.
cp -a /home/nginx/domains/existingdomain.com/ /home/nginx/domains/existingdomain.com.bak/
Step 2. Delete the domain via SSH with these commands:
rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.conf
rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.ssl.conf
rm -rf /home/nginx/domains/existingdomain.com/
Then back up your SSL certificates at /usr/local/nginx/conf/ssl/newdomain.com and remove that directory.
rm -rf /usr/local/nginx/conf/ssl/newdomain.com
If you used the Centmin Mod 131.00stable and higher Nginx vhost add option, you would also have been given commands to delete the site, in the Nginx vhost creation's removal log file saved to the /root/centminlogs log directory:
For Centmin Mod 131.00stable:
-------------------------------------------------------------
Commands to remove existingdomain.com
pure-pw userdel gsfa
rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.conf
rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.crt
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.key
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.csr
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com
rm -rf /home/nginx/domains/existingdomain.com
rm -rf /root/.acme.sh/existingdomain.com
rm -rf /root/.acme.sh/existingdomain.com_ecc
rm -rf /usr/local/nginx/conf/pre-staticfiles-local-existingdomain.com.conf
service nginx restart
-------------------------------------------------------------
For latest beta 140.00beta01:
-------------------------------------------------------------
Commands to remove existingdomain.com
pure-pw userdel gsfa
rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.conf
rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.crt
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.key
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.csr
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com
rm -rf /home/nginx/domains/existingdomain.com
rm -rf /root/.acme.sh/existingdomain.com
rm -rf /root/.acme.sh/existingdomain.com_ecc
rm -rf /usr/local/nginx/conf/pre-staticfiles-local-existingdomain.com.conf
service nginx restart
-------------------------------------------------------------
Step 3. Restart Nginx
service nginx restart
or via command shortcut
ngxrestart
Step 4. Removing backups
Once you are 100% sure the deleted domain is the one you wanted to delete, you can remove the backups too via SSH with these 2 commands.
rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.conf.bak
rm -rf /home/nginx/domains/existingdomain.com.bak/
How to setup domain / subdomain to use NSD DNS so I can host DNS on my own server instead of using my web host, registrar or DNS service provider's name servers ?
Note: If you chose to use DigitalOcean for your VPS, they also offer DNS management for your domain hosted with them. Update your domain registrar's records to point to the DigitalOcean name servers (ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com). Then you can manage DNS from their control panel.
Note: If you're looking for a reliable and free DNS provider, you can use Cloudflare DNS Only hosting.
This is a 2 part process. If you want to use a 3rd party DNS name server provider, such as your domain registrar's or web host's own nameservers, then you only need to follow Part #1 outlined below. If you want to host your own DNS nameservers on the same server as your domain(s), then you will need to follow both Part #1 and Part #2 below.
Part #1: Involves you creating or registering your own private name servers with your domain's registrar. Some tutorials from common domain name registrars are listed below:
Creating own domain name's private nameservers
- Namecheap.com Video tutorial (what Namecheap.com refers to as your 'DNS or Zone Management menu of your hosting control panel' would be the NSD DNS zone file which you set up via menu option #3 'NSD setup domain name DNS')
- Godaddy.com Registering your own Nameservers/Hosts
- DNSMadeEasy.com Vanity Domain Name Server setup (personally I use DNSMadeEasy for AnyCast IP DNS performance and higher uptime. Read my blog review on DNSMadeEasy here).
Using 3rd party web host or domain registrar DNS name servers
- How to setup nameservers at Digitalocean.com
- Namecheap.com Free DNS hosting guide (Great free DNS hosting for starters)
- How do I set my domain to use Namecheap's default DNS servers?
Part #2: Properly setting up your domain's DNS settings within NSD DNS within Centmin Mod script:
You can do this via Centmin Mod menu option #3. Below are screenshot examples for setting up newdomain.com, with newdomainipaddress = the domain's IP address you want to assign, newdomainns1address = the ns1 IP address and newdomainns2address = the ns2 IP address. By default, the vhost script assumes you want to set up ns1.newdomain.com and ns2.newdomain.com with your own IP addresses on your servers.
You can see a full step by step example of setting up a local NSD DNS nameservers for your added domains on the Centmin Mod Community forums.
Note: the IP addresses assigned to ns1/ns2 should usually not be used to host other domain names, so a minimum of 3 IP addresses must be allocated: 1 for domain names and 2 for ns1/ns2. It is possible, however, to use a single IP address for all of them.
Changing default ns1.newdomain.com and ns2.newdomain.com
You can of course change this later on to use your web host's, registrar's or DNS service provider's own name servers by editing the newdomain.com.zone file, which is created at /etc/nsd/master/newdomain.com.zone. But it isn't necessary to make any changes to the server's NSD config, because when you change your domain's name servers to your web host's or domain registrar's own name servers (ns1/ns2), that bypasses anything set on the server within the NSD config file.
The creation script will output the path location where it will create the domain name's zone file.
--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 3
--------------------------------------------------------
---------------------------------------------
New to NSD DNS setup ? Be sure to read NSD setup guide:
http://centmin.com/nginx_domain_dns_setup.html#dns

Enter domain name you want to add to NSD (without www. prefix): newdomain.com
Enter IP address you want to assign to domain name (your A record): newdomainipaddress
---------------------------------------------------------
You entered domain name: newdomain.com
You entered domain IP address (A record): newdomainipaddress
---------------------------------------------------------
Are the domain name and IP address (A record) entered correctly ? [y/n]: y

---------------------------
Nameserver ns1/ns2 setup:
---------------------------
Note #1: nameserver ns1/ns2 IP addresses must already exist and be assigned
to this server by your web host. If unsure, ask your web host the exact
IP addresses assigned to your server.

Note #2: For vanity or custom name servers using your own domain name,
ensure you have created them first with your domain registrar. You can
see tutorial guides for Namecheap and Godaddy domain registrars for
creating domain names' private name servers on web site Part #1 at
http://centmin.com/nginx_domain_dns_setup.html#dns

Want to abort NSD setup to check with web host and/or domain registrar first ? [y/n]: n

* Enter IP address for ns1 nameserver: newdomainns1address
* Enter IP address for ns2 nameserver: newdomainns2address
--------------------------------------------------------------
You entered ns1.newdomain.com IP address: newdomainns1address
You entered ns2.newdomain.com IP address: newdomainns2address
--------------------------------------------------------------
Are the ns1/ns2 name server IP address entered correct ? [y/n]: y

---------------------------------------------
checking to see if entry for newdomain.com already exists in /etc/nsd/nsd.conf
---------------------------------------------
---------------------------------------------
no entry for newdomain.com found in /etc/nsd/nsd.conf
creating entry for newdomain.com ...
---------------------------------------------
#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#

server:
    hide-version: yes

    # Maximum number of concurrent TCP connections per server.
    # This option should have a value below 1000.
    tcp-count: 10

    # Maximum number of queries served on a single TCP connection.
    # By default 0, which means no maximum.
    tcp-query-count: 0

    # Override the default (120 seconds) TCP timeout.
    tcp-timeout: 60

    # zonefile: to store pid for nsd in.
    pidfile: "/var/run/nsd/nsd.pid"

    # The directory for zonefile: files.
    zonesdir: "/etc/nsd"

zone:
    name: "demo.com"
    zonefile: "master/demo.com.zone"

zone:
    name: "newdomain.com"
    zonefile: "master/newdomain.com.zone"
---------------------------------------------
Stopping nsd:
Starting nsd:
---------------------------------------------
Creating zone file at /etc/nsd/master/newdomain.com.zone
---------------------------------------------
$TTL 14400
@ IN SOA ns1.newdomain.com. hostmaster.newdomain.com. (
        2010091500
        14400
        3600
        1209600
        86400 )

; Nameservers
newdomain.com. 14400 IN NS ns1.newdomain.com.
newdomain.com. 14400 IN NS ns2.newdomain.com.

; A Records
newdomain.com. 14400 IN A newdomainipaddress
ftp 14400 IN A newdomainipaddress
localhost 14400 IN A 127.0.0.1
mail 14400 IN A newdomainipaddress
ns1 14400 IN A newdomainns1address
ns2 14400 IN A newdomainns2address
pop 14400 IN A newdomainipaddress
smtp 14400 IN A newdomainipaddress
www 14400 IN A newdomainipaddress

; MX Record
newdomain.com. 14400 IN MX 10 mail

; TXT Record (for SPF)
newdomain.com. 14400 IN TXT "v=spf1 a mx ip4:newdomainipaddress ~all"
---------------------------------------------
Current zone files listing at: /etc/nsd/master/
Jun 28 10:29  883 demo.com.zone
Jun 29 14:20 1.3K newdomain.com.zone
---------------------------------------------

---------------------------------------------
NSD entry for newdomain.com created successfully in /etc/nsd/nsd.conf
NSD zone created at /etc/nsd/master/newdomain.com.zone
---------------------------------------------
Remember to check your domain name's DNS is properly configured at both
your domain registrar & web server end (NSD) by running domain name
through these 3 dns test sites
* https://www.whatsmydns.net/
* http://www.intodns.com/
* http://dnscheck.pingdom.com/
---------------------------------------------
/etc/nsd/master/newdomain.com.zone contents
$TTL 14400
@ IN SOA ns1.newdomain.com. hostmaster.newdomain.com. (
        2010091500
        14400
        3600
        1209600
        86400 )

; Nameservers
newdomain.com. 14400 IN NS ns1.newdomain.com.
newdomain.com. 14400 IN NS ns2.newdomain.com.

; A Records
newdomain.com. 14400 IN A newdomainipaddress
ftp 14400 IN A newdomainipaddress
localhost 14400 IN A 127.0.0.1
mail 14400 IN A newdomainipaddress
ns1 14400 IN A newdomainns1address
ns2 14400 IN A newdomainns2address
pop 14400 IN A newdomainipaddress
smtp 14400 IN A newdomainipaddress
www 14400 IN A newdomainipaddress

; MX Record
newdomain.com. 14400 IN MX 10 mail

; TXT Record (for SPF)
newdomain.com. 14400 IN TXT "v=spf1 a mx ip4:newdomainipaddress ~all"
To restart the NSD DNS server after saving changes to your NSD DNS zone file, type one of these two commands in your SSH session:
/etc/init.d/nsd restart
or
service nsd restart
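Editing the zone file and restarting NSD is the page's procedure; the added example below (not Centmin Mod's own code) also bumps the SOA serial so resolvers and any secondary name server pick up the change, and runs nsd-checkzone first when it is installed. The function names and the NSD_DOMAIN variable are assumptions; the zone path and the service nsd restart command come from the page.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: after editing a zone file created by
# menu option #3, bump the SOA serial so caches and any secondary pick up the
# change, check the zone with nsd-checkzone when it is installed, then restart
# NSD with the "service nsd restart" command from the page. Assumes POSIX awk/sh.

# zone_serial ZONEFILE: print the SOA serial, the first bare number after "SOA"
# (works whether the SOA record sits on one line or is split across lines).
zone_serial() {
  awk '{ for (i = 1; i <= NF; i++) {
           if ($i == "SOA") seen = 1
           else if (seen && $i ~ /^[0-9]+$/) { print $i; exit } } }' "$1"
}

# next_serial OLD TODAY: YYYYMMDDnn scheme as in the generated zone (2010091500):
# restart at TODAY00 on a new day, otherwise add one. Non-date serials just add one.
next_serial() {
  old="$1"; today="$2"
  if [ ${#old} -eq 10 ] && [ "${old%??}" -lt "$today" ]; then echo "${today}00"
  else echo $((old + 1)); fi
}

# bump_zone_serial ZONEFILE TODAY: replace the serial inside its original line
# (indentation kept), write the file back in place and print the new serial.
bump_zone_serial() {
  zone="$1"; old=$(zone_serial "$zone"); [ -n "$old" ] || return 1
  new=$(next_serial "$old" "$2")
  awk -v new="$new" '{ for (i = 1; i <= NF; i++) {
           if ($i == "SOA") seen = 1
           else if (seen && !done && $i ~ /^[0-9]+$/) {
             p = index($0, $i)
             $0 = substr($0, 1, p - 1) new substr($0, p + length($i)); done = 1 } }
         print }' "$zone" > "$zone.tmp" && cat "$zone.tmp" > "$zone" && rm -f "$zone.tmp"
  echo "$new"
}

# reload_zone DOMAIN: bump the serial, refuse to restart NSD if the zone fails
# nsd-checkzone, otherwise restart as the page describes.
reload_zone() {
  zone="/etc/nsd/master/$1.zone"
  bump_zone_serial "$zone" "$(date +%Y%m%d)" >/dev/null || return 1
  if command -v nsd-checkzone >/dev/null 2>&1; then
    nsd-checkzone "$1" "$zone" || return 1
  fi
  service nsd restart
}

# Usage: NSD_DOMAIN=newdomain.com sh nsd-reload.sh
if [ -n "${NSD_DOMAIN:-}" ]; then reload_zone "$NSD_DOMAIN"; fi
```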
Remember to check your domain name's DNS is properly configured at both your domain registrar & web server end (NSD) by running domain name through these 3 dns test sites