CentOS7下配置Nginx

背景

最近倒腾服务器的时候，选择了CentOS7操做系统，在安装配置Nginx的时候遇到了Permission Denied问题。按照chown和chmod进行配置无果，后来定位到SELinux问题。

SELinux是什么？

When you upgrade a running system to Red Hat Enterprise Linux (RHEL) 6.6 or CentOS 6.6, the Security Enhanced Linux (SELinux) security permissions that apply to NGINX are relabelled to a much stricter posture. Although the permissions are adequate for the default configuration of NGINX, configuration for additional features can be blocked and you need to permit them explicitly in SELinux. This article describes the possible issues and recommended ways to resolve them.

Nginx安装

按照以下配置，是能够正常启动nginx，而且访问到nginx的欢迎页面。

# 添加nginx源
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# 安装
sudo yum install -y nginx
# 启动
systemctl start nginx.service

自定义配置

配置文件地址：

/etc/nginx/nginx.conf

自定义配置文件一般放到conf.d目录下：

$nginx_conf/conf.d/default.conf

添加自定义项目配置

server {
    listen       8081;
    server_name  localhost;

    access_log  /var/log/nginx/access.log  main;

    location / {
      root   /home/custom/web;   # 自定义路径
      index  index.html index.htm;
    }
}

此时再启动nginx程序，发现没法正常启动。

systemctl start nginx

因而，使用nginx命令启动，启动正常，可是访问页面出现403权限问题。

nginx # nginx命令启动

403权限问题日志，能够查看到日志信息。

2018/09/18 23:41:37 [error] 1266#1266: *1 "/home/custom/web/index.html" is forbidden (13: Permission denied), client: xxx.xxx.xxx.xxx, server: localhost, request: "GET / HTTP/1.1", xxx.xxx.xxx.xxx:8081"

经过网上查找资料，你们解决方法是使用root用户启动。须要修改nginx.conf文件。

# /etc/nginx/nginx.conf

#user  nginx;
user  root;
worker_processes  1;
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
	......
}

SELinux下如何配置

这样用root用户启动程序，在生产环境下是强烈不建议的，存在很大的安全问题。因此须要继续研究SELinux开启下，如何进行配置。

在默认仓库下，nginx可以正常启动。查看文件路径信息，

ll -Zd /usr/share/nginx/html/

# drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /usr/share/nginx/html/

其中，system_u:object_r:httpd_sys_content_t:s0 是当前路径的安全上下文配置。 经过chcon命令，设置新的目录地址配置

chcon -Ru system_u /home/custom/web
chcon -Rt httpd_sys_content_t /home/custom/web

此时，将user设置回nginx，而且关闭SELinux下，是可以正常访问的。

setenforce 0
systemctl start nginx

可是，当开启SELinux的时候，启动，出现以下错误日志：

[root@localhost mgzy]# systemctl start nginx
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@localhost mgzy]# systemctl status nginx.service
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 三 2018-09-19 03:07:23 CST; 7s ago
     Docs: http://nginx.org/en/docs/
  Process: 12298 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)

9月 19 03:07:23 localhost.localdomain systemd[1]: Starting nginx - high performance web server...
9月 19 03:07:23 localhost.localdomain nginx[12298]: nginx: [emerg] open() "/etc/nginx/none" failed (13: Permission denied)
9月 19 03:07:23 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
9月 19 03:07:23 localhost.localdomain systemd[1]: Failed to start nginx - high performance web server.
9月 19 03:07:23 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.
9月 19 03:07:23 localhost.localdomain systemd[1]: nginx.service failed.

日志中，看到/etc/nginx/none文件，有点懵逼，可是Permission denied说明仍是权限问题。此时经过nginx启动后，可以生成一个none文件。此时，须要执行以下命令：

# make the process type httpd_t permissive
semanage permissive -a httpd_t

至此，在SELinux下，配置nginx可以正常工做。

其余说明

经过以下命令可以查看到nginx依赖的安全信息。

# grep nginx /var/log/audit/audit.log | audit2allow -m nginx

module nginx 1.0;

require {
	type httpd_t;
	type unreserved_port_t;
	type httpd_config_t;
	class tcp_socket name_bind;
	class file { append create };
	class dir { add_name write };
}

#============= httpd_t ==============
allow httpd_t httpd_config_t:dir { add_name write };
allow httpd_t httpd_config_t:file { append create };

参考资料

1. https://blog.csdn.net/aqzwss/article/details/51134591
2. https://linux.die.net/man/8/httpd_selinux
3. http://man.linuxde.net/semanage
4. https://www.getpagespeed.com/server-setup/nginx/nginx-selinux-configuration