CentOS7下配置Nginx

背景

最近倒騰服務器的時候，選擇了CentOS7操做系統，在安裝配置Nginx的時候遇到了Permission Denied問題。按照chown和chmod進行配置無果，後來定位到SELinux問題。

SELinux是什麼？

When you upgrade a running system to Red Hat Enterprise Linux (RHEL) 6.6 or CentOS 6.6, the Security Enhanced Linux (SELinux) security permissions that apply to NGINX are relabelled to a much stricter posture. Although the permissions are adequate for the default configuration of NGINX, configuration for additional features can be blocked and you need to permit them explicitly in SELinux. This article describes the possible issues and recommended ways to resolve them.

Nginx安裝

按照以下配置，是能夠正常啓動nginx，而且訪問到nginx的歡迎頁面。

# 添加nginx源
rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# 安裝
sudo yum install -y nginx
# 啓動
systemctl start nginx.service

自定義配置

配置文件地址：

/etc/nginx/nginx.conf

自定義配置文件一般放到conf.d目錄下：

$nginx_conf/conf.d/default.conf

添加自定義項目配置

server {
    listen       8081;
    server_name  localhost;

    access_log  /var/log/nginx/access.log  main;

    location / {
      root   /home/custom/web;   # 自定義路徑
      index  index.html index.htm;
    }
}

此時再啓動nginx程序，發現沒法正常啓動。

systemctl start nginx

因而，使用nginx命令啓動，啓動正常，可是訪問頁面出現403權限問題。

nginx # nginx命令啓動

403權限問題日誌，能夠查看到日誌信息。

2018/09/18 23:41:37 [error] 1266#1266: *1 "/home/custom/web/index.html" is forbidden (13: Permission denied), client: xxx.xxx.xxx.xxx, server: localhost, request: "GET / HTTP/1.1", xxx.xxx.xxx.xxx:8081"

經過網上查找資料，你們解決方法是使用root用戶啓動。須要修改nginx.conf文件。

# /etc/nginx/nginx.conf

#user  nginx;
user  root;
worker_processes  1;
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
	......
}

SELinux下如何配置

這樣用root用戶啓動程序，在生產環境下是強烈不建議的，存在很大的安全問題。因此須要繼續研究SELinux開啓下，如何進行配置。

在默認倉庫下，nginx可以正常啓動。查看文件路徑信息，

ll -Zd /usr/share/nginx/html/

# drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /usr/share/nginx/html/

其中，system_u:object_r:httpd_sys_content_t:s0 是當前路徑的安全上下文配置。 經過chcon命令，設置新的目錄地址配置

chcon -Ru system_u /home/custom/web
chcon -Rt httpd_sys_content_t /home/custom/web

此時，將user設置回nginx，而且關閉SELinux下，是可以正常訪問的。

setenforce 0
systemctl start nginx

可是，當開啓SELinux的時候，啓動，出現以下錯誤日誌：

[root@localhost mgzy]# systemctl start nginx
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@localhost mgzy]# systemctl status nginx.service
● nginx.service - nginx - high performance web server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 三 2018-09-19 03:07:23 CST; 7s ago
     Docs: http://nginx.org/en/docs/
  Process: 12298 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)

9月 19 03:07:23 localhost.localdomain systemd[1]: Starting nginx - high performance web server...
9月 19 03:07:23 localhost.localdomain nginx[12298]: nginx: [emerg] open() "/etc/nginx/none" failed (13: Permission denied)
9月 19 03:07:23 localhost.localdomain systemd[1]: nginx.service: control process exited, code=exited status=1
9月 19 03:07:23 localhost.localdomain systemd[1]: Failed to start nginx - high performance web server.
9月 19 03:07:23 localhost.localdomain systemd[1]: Unit nginx.service entered failed state.
9月 19 03:07:23 localhost.localdomain systemd[1]: nginx.service failed.

日誌中，看到/etc/nginx/none文件，有點懵逼，可是Permission denied說明仍是權限問題。此時經過nginx啓動後，可以生成一個none文件。此時，須要執行以下命令：

# make the process type httpd_t permissive
semanage permissive -a httpd_t

至此，在SELinux下，配置nginx可以正常工做。

其餘說明

經過以下命令可以查看到nginx依賴的安全信息。

# grep nginx /var/log/audit/audit.log | audit2allow -m nginx

module nginx 1.0;

require {
	type httpd_t;
	type unreserved_port_t;
	type httpd_config_t;
	class tcp_socket name_bind;
	class file { append create };
	class dir { add_name write };
}

#============= httpd_t ==============
allow httpd_t httpd_config_t:dir { add_name write };
allow httpd_t httpd_config_t:file { append create };

參考資料

1. https://blog.csdn.net/aqzwss/article/details/51134591
2. https://linux.die.net/man/8/httpd_selinux
3. http://man.linuxde.net/semanage
4. https://www.getpagespeed.com/server-setup/nginx/nginx-selinux-configuration