How to Build a High‑Performance, Secure Nginx Web Server on CentOS
This guide walks through why Nginx is preferred over Apache for high‑traffic sites, provides step‑by‑step instructions for compiling and installing Nginx on CentOS, and details extensive performance tuning and security hardening techniques to support tens of thousands of concurrent connections.
Abstract: Web services are the most exposed services on the Internet. Choosing the right software to build a Web server that can handle high concurrency and resist attacks is a long‑term challenge. This article shares a practical, efficient, and secure Nginx Web server setup based on real‑world experience.
Why Choose Nginx for a Web Server
Apache and Nginx are the two most popular Web servers. Apache, the world’s most used server, offers an open API and runs on almost any platform, but its process‑based model struggles with high‑traffic sites and memory‑intensive applications like PHP.
Nginx ("engine x") is a high‑performance HTTP and reverse‑proxy server originally developed for the high‑traffic Russian site Rambler.ru. Released under a BSD‑style license, it is known for stability, a rich feature set, simple configuration files, and low resource consumption.
In the early Internet, sites handled only tens of thousands of IPs per day, and Apache was sufficient. As traffic grew exponentially, Apache became a bottleneck, especially for memory‑heavy workloads. Nginx was designed for high concurrency, reverse proxying, and modular extensibility, making it ideal for modern large‑scale deployments.
Key advantages of Nginx as a Web server: low memory use per connection and an event‑driven architecture (epoll on Linux, kqueue on BSD) that lets a handful of worker processes hold tens of thousands of concurrent connections. The practical ceiling is set by worker_connections and the open‑file limit, not by a fixed number.
As a load‑balancing server: Nginx fronts Rails and PHP application servers (it talks to them over HTTP, FastCGI or uwsgi rather than executing application code in‑process) and as a pure HTTP proxy uses far less CPU than Perl‑based solutions.
Nginx is easy to install, has a concise configuration, and runs for months without restarts: configuration reloads and even binary upgrades happen without dropping connections.
Nginx Installation
1. Installation Overview
System: CentOS‑6.6
Software: nginx‑1.8.0.tar.gz
Method: Compile from source
Location: /opt/program/nginx-1.8.0
Download URL: http://nginx.org/en/download.html
2. Required Packages
# yum install gcc-c++
# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel
zlib is needed for gzip, pcre for the regular expressions in location blocks and rewrites, and openssl only if the build later adds --with-http_ssl_module.
Check for an existing copy before building. Running find from /opt/program on a host with an older source build prints something like:
# find -name nginx
./nginx
./nginx/sbin/nginx
./nginx-1.2.6/objs/nginx
Remove any packaged Nginx before proceeding, so that two copies do not compete for port 80, the pid file and the service name:
# yum remove nginx
3. Build and Install
Upload the source package to /opt/software and run:
# cd /opt/program
# mkdir nginx
# tar -zxvf ../software/nginx-1.8.0.tar.gz
# cd nginx-1.8.0
# ./configure --prefix=/opt/program/nginx
Note: the installation prefix can be changed (e.g., /usr/local/nginx); the binary, conf/, logs/ and html/ all end up under it. The default module set does not include SSL, so add --with-http_ssl_module if the server will serve HTTPS, and --user=nginx --group=nginx to run the workers as a dedicated account instead of the default nobody.
# make
# make install
4. Service Configuration
Open port 80 in the host firewall. Put the rule in /etc/sysconfig/iptables above the chain's final REJECT line (a rule placed after it is never reached), then restart:
# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# service iptables restart
5. Start Nginx
Method 1: start with an explicit configuration file. It lives under the prefix in conf/, not under sbin/:
# /opt/program/nginx/sbin/nginx -c /opt/program/nginx/conf/nginx.conf
Method 2: start with the configuration path compiled in at build time:
# /opt/program/nginx/sbin/nginx
Check, reload and stop:
# ps -ef | grep nginx
# /opt/program/nginx/sbin/nginx -s reload
# /opt/program/nginx/sbin/nginx -s quit
The master process runs as root (it binds port 80) and the workers as the configured user. Use -s quit (finish in‑flight requests, then exit) or -s stop rather than pkill -9 nginx: SIGKILL aborts active requests and leaves a stale pid file behind. Confirm the listener:
# netstat -ltn | grep ':80 '
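The build, firewall and start steps above as one script, added here as an example and not part of the original article. It assumes the paths used above, a dedicated nginx system user, and the trimmed module list from the hardening section further down; it fixes the configuration path (conf/ under the prefix, not sbin/), inserts the firewall rule above the catch‑all REJECT, stops Nginx gracefully instead of with pkill -9, and checks the installed binary with nginx -V to confirm the unwanted modules are really gone.

```shell
#!/bin/sh
# Added example (not from the original article): build, firewall, start and
# verify in one script. Paths, the "nginx" system user and the trimmed module
# list are assumptions. Run as root on CentOS 6 with nginx-$NGINX_VER.tar.gz
# already uploaded to $SRC_DIR.
set -eu

NGINX_VER="${NGINX_VER:-1.8.0}"
SRC_DIR="${SRC_DIR:-/opt/software}"
PREFIX="${PREFIX:-/opt/program/nginx}"

# The main configuration file sits under the install prefix, in conf/.
nginx_conf_path() {
    printf '%s/conf/nginx.conf\n' "$1"
}

# configure line: unprivileged worker user, SSL (off by default), and the
# modules from the hardening section left out.
configure_args() {
    printf '%s\n' "--prefix=$1 --user=nginx --group=nginx --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module"
}

# "nginx -V" prints the configure arguments on stderr.
configure_args_of_binary() {
    "$1" -V 2>&1 | sed -n 's/^configure arguments: //p'
}

# Optional modules are built unless explicitly disabled, so a module is
# absent only if --without-<name>_module appears in the arguments.
module_disabled() {  # module_disabled ARGS MODULE   (MODULE e.g. http_autoindex)
    case " $1 " in
        *" --without-$2_module "*) return 0 ;;
        *) return 1 ;;
    esac
}

build_install() {
    yum -y install gcc-c++ zlib zlib-devel openssl openssl-devel pcre pcre-devel
    rpm -q nginx >/dev/null 2>&1 && yum -y remove nginx   # a packaged copy would conflict
    id nginx >/dev/null 2>&1 || useradd -r -s /sbin/nologin nginx
    mkdir -p /opt/program
    cd /opt/program
    tar -zxf "$SRC_DIR/nginx-$NGINX_VER.tar.gz"
    cd "nginx-$NGINX_VER"
    eval "./configure $(configure_args "$PREFIX")"
    make
    make install
    for m in http_autoindex http_ssi; do
        module_disabled "$(configure_args_of_binary "$PREFIX/sbin/nginx")" "$m" \
            || { echo "$m still compiled in"; return 1; }
    done
}

# Insert (-I) rather than append: a rule added with -A lands behind the
# final REJECT of the CentOS default chain and never matches.
# (iptables -C does not exist on the CentOS 6 iptables, hence the -S grep.)
open_http_port() {
    iptables -S INPUT | grep -q -- '--dport 80 ' \
        || iptables -I INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    service iptables save
}

start_nginx() {
    "$PREFIX/sbin/nginx" -t -c "$(nginx_conf_path "$PREFIX")"   # syntax check first
    "$PREFIX/sbin/nginx" -c "$(nginx_conf_path "$PREFIX")"
}

stop_nginx() {   # finish in-flight requests, then exit; -s stop is the fast variant
    "$PREFIX/sbin/nginx" -s quit
}

# A listener on :80 and at least one worker running as nginx (only the master stays root).
verify_running() {
    netstat -ltn | grep -q ':80 ' || { echo "no listener on :80"; return 1; }
    ps -o user=,comm= -C nginx | grep -q '^nginx *nginx' \
        || { echo "no worker running as nginx"; return 1; }
    curl -sSI http://127.0.0.1/ | head -n 1
}

if [ "${1:-}" = install ]; then
    build_install
    open_http_port
    start_nginx
    verify_running
fi
```

Run it as `sh build-nginx.sh install`; sourcing the file without the argument only defines the functions, so `stop_nginx` and `verify_running` can be reused from an interactive shell.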
# Open a browser and visit http://<ip>:80
Configuring Nginx for High Concurrency
1. General Optimizations
Edit nginx.conf and adjust the following parameters. worker_processes, worker_cpu_affinity and worker_rlimit_nofile belong in the main context, worker_connections inside events { }, the rest inside http { }:
worker_processes 8;          # one per CPU core, e.g. 8 for two 4-core CPUs ("auto" is accepted from 1.3.8)
worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;   # one bitmask per worker, worker N pinned to core N
worker_rlimit_nofile 65535;  # open-file limit per worker; must be at least worker_connections
events {
    worker_connections 65535;  # per worker; total ≈ worker_processes * worker_connections, and a proxied request uses two (client + upstream)
}
http {
    keepalive_timeout 60;
    client_header_buffer_size 4k;   # the hardening section below sets 1k; a directive may appear only once per context, so keep one value
    open_file_cache max=65535 inactive=60s;
    open_file_cache_valid 80s;
    open_file_cache_min_uses 1;
}
2. Kernel Parameter Tuning
Edit /etc/sysctl.conf and apply the changes with sysctl -p:
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
Together with the worker settings above, these raise the host's connection ceiling into the tens of thousands. Several of them trade correctness for speed, though, and deserve a second look before they go on a public server.
tcp_tw_recycle = 1 rejects connections from clients behind NAT or a load balancer, whose timestamps arrive out of order; the knob was removed in Linux 4.12 for that reason. Leave it at 0.
tcp_tw_reuse only takes effect while tcp_timestamps = 1, so the two lines cancel each other out; keep timestamps on (they also provide PAWS and better RTT estimation).
tcp_syn_retries, tcp_synack_retries and tcp_fin_timeout = 1 shed slow but legitimate clients on lossy links; 2 to 3 retries and a FIN timeout of 10 to 30 seconds are normal values.
net.core.somaxconn only caps what an application asks for. Nginx requests a backlog of 511 by default, so raise it with listen 80 backlog=N as well; on the 2.6.32 kernel CentOS 6 ships, the socket stores its accept backlog in a 16‑bit field, so keep both at or below 65535 there.
tcp_syncookies = 1 is the entry that must stay: it is what keeps the listener answering when a SYN flood fills even a large backlog.
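An added example, not part of the original article, for the two tuning sections above: affinity_masks prints the worker_cpu_affinity value for any core count (the eight masks above are its output for 8), audit_sysctl_file checks a sysctl file for the entries in the list that misbehave on real hosts (tcp_tw_recycle, tcp_tw_reuse with timestamps off, single-retry SYN and FIN timers, syncookies off), and apply_tuning refuses to load a file that still carries them. write_tuning emits the list with those entries corrected; the file paths and the corrected values are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): worker_cpu_affinity masks
# and a sysctl sanity check. Paths and corrected values are assumptions.
set -eu

# One mask per worker, worker i pinned to CPU i:
#   affinity_masks 4 -> "0001 0010 0100 1000"
affinity_masks() {
    n="$1"; i=0; out=""
    while [ "$i" -lt "$n" ]; do
        mask=""; j=$((n - 1))
        while [ "$j" -ge 0 ]; do
            if [ "$j" -eq "$i" ]; then mask="${mask}1"; else mask="${mask}0"; fi
            j=$((j - 1))
        done
        out="${out:+$out }$mask"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Value of KEY in a sysctl-format FILE (last assignment wins), empty if unset.
sysctl_value() {  # sysctl_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Findings, one per line; empty output means nothing to fix.
#  - tcp_tw_recycle=1 drops clients behind NAT/load balancers (removed in Linux 4.12)
#  - tcp_tw_reuse only works when tcp_timestamps=1
#  - fin_timeout / syn retries of 1 drop slow but legitimate clients
#  - syncookies must stay on for the large SYN backlog to survive a flood
audit_sysctl_file() {  # audit_sysctl_file FILE
    f="$1"
    [ "$(sysctl_value "$f" net.ipv4.tcp_tw_recycle)" = 1 ] \
        && echo "tcp_tw_recycle=1: breaks NAT clients (removed in Linux 4.12)"
    if [ "$(sysctl_value "$f" net.ipv4.tcp_tw_reuse)" = 1 ] \
       && [ "$(sysctl_value "$f" net.ipv4.tcp_timestamps)" = 0 ]; then
        echo "tcp_tw_reuse=1 is a no-op while tcp_timestamps=0"
    fi
    for k in tcp_fin_timeout tcp_syn_retries tcp_synack_retries; do
        v="$(sysctl_value "$f" "net.ipv4.$k")"
        [ -n "$v" ] && [ "$v" -lt 2 ] && echo "$k=$v: too aggressive (use 2-3 retries, 10-30s fin_timeout)"
    done
    [ "$(sysctl_value "$f" net.ipv4.tcp_syncookies)" = 1 ] || echo "tcp_syncookies must be 1"
    return 0
}

# The article's list with the findings above corrected.
write_tuning() {  # write_tuning FILE
    cat > "$1" <<'EOF'
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 30
EOF
}

# Load FILE into the running kernel only if the audit is clean.
apply_tuning() {  # apply_tuning FILE
    if [ -n "$(audit_sysctl_file "$1")" ]; then
        audit_sysctl_file "$1" >&2
        return 1
    fi
    sysctl -p "$1"
}
```

`write_tuning /root/nginx-sysctl.conf && apply_tuning /root/nginx-sysctl.conf` (as root) loads the corrected values into the running kernel; copy them into /etc/sysctl.conf to keep them across reboots. `affinity_masks "$(nproc)"` gives the worker_cpu_affinity line for the host.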
Nginx Security Hardening
1. Remove Unnecessary Modules
Compile Nginx with only the required modules. Every module compiled in is attack surface that a configuration mistake can switch on, so leave out what the site will never serve (directory listings, server‑side includes, ...), e.g.:
# ./configure --prefix=/opt/program/nginx --without-http_autoindex_module --without-http_ssi_module
# make
# make install
Keep the same --prefix and the other flags of the original build, otherwise the new binary lands in the default /usr/local/nginx next to the old one. nginx -V prints the configure arguments of an installed binary, which is the quickest way to check what it contains.
2. Install SELinux Policy for Nginx
# yum -y install selinux-policy-targeted selinux-policy-devel
# cd /opt
# wget 'http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc'
# tar -zxvf se-ngix_1_0_10.tar.gz
# cd se-ngix_1_0_10/nginx
# make
# /usr/sbin/semodule -i nginx.pp
This is a third‑party module from SourceForge; check that it still builds against the installed policy before depending on it. On CentOS 6 the targeted policy already ships an httpd_t domain that fits Nginx. The catch with a source build is that a binary under /opt is labeled usr_t and therefore runs unconfined: label the sbin directory httpd_exec_t (semanage fcontext, then restorecon) so the master transitions into httpd_t, and give conf/, logs/ and html/ the matching httpd_config_t, httpd_log_t and httpd_sys_content_t types. Whichever route is taken, confirm with ps -eZ | grep nginx that the processes show httpd_t rather than unconfined_t before treating the policy as active.
3. Buffer Overflow Protection
These directives cap the memory Nginx allocates per request, which limits what an attacker can make a worker allocate with oversized headers and bodies; they do not defend against memory‑corruption bugs in Nginx itself, whatever the heading suggests. The values below are a very tight baseline: client_max_body_size 1k makes Nginx answer almost any form POST or upload with 413, so raise it to what the application actually needs. client_header_buffer_size also appears in the performance section above (4k); a directive may appear only once per context, so keep one of the two.
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
4. Limit Concurrent Connections
The original directive was written for an older Nginx: limit_zone was replaced by limit_conn_zone in 1.1.8 and removed in 1.7.9, so a 1.8.0 binary refuses to start with it. The equivalent for 1.8.0 (limit_conn_zone in the http context, limit_conn in http, server or location):
limit_conn_zone $binary_remote_addr zone=slimits:5m;
limit_conn slimits 5;
Five connections per address is low for browsers that open several parallel connections and for an office behind one NAT address; 20 to 50 is a more usual starting point, with a per‑address request rate limit (limit_req) if abuse rather than fairness is the concern.
5. Restrict Allowed HTTP Methods
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
Status 444 is Nginx‑specific: the connection is closed without sending a response. The block goes in the server context; an application that needs PUT, DELETE or OPTIONS (REST APIs, CORS preflight) must be exempted, otherwise it breaks silently.
6. Block Malicious User‑Agents
if ($http_user_agent ~* (LWP::Simple|BBBike|wget)) { return 403; }
if ($http_user_agent ~* (Sosospider|YodaoBot)) { return 403; }
The User‑Agent header is chosen by the client, so this only turns away tools that do not bother to change it; treat it as log hygiene, not access control. Grouping the alternatives in parentheses keeps the match unambiguous.
7. Prevent Image Hotlinking
location /images/ {
    valid_referers none blocked www.example.com example.com;
    if ($invalid_referer) { return 403; }
}
none admits requests without a Referer and blocked those whose Referer a proxy has stripped, so direct downloads and privacy‑conscious browsers keep working. The rule only stops other sites embedding the images in their pages; anyone can send a matching Referer on purpose.
8. Rate‑Limit Connections per IP via iptables
# /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j DROP
# service iptables save
The first rule records every new connection per source address; the second drops a source that has opened 15 or more connections in the last 60 seconds. Two details matter: the rules must sit before the chain's final REJECT (with -A on a live CentOS 6 chain they will not), and --hitcount cannot exceed the xt_recent module's ip_pkt_list_tot setting (20 by default) or the rule fails to load. The count is of TCP connections, not requests, so keep‑alive clients consume far fewer hits than the figure suggests, and as with limit_conn a NAT address shared by many users trips it easily.
9. Protect Server Filesystem
# find /nginx -user nginx
# find /usr/local/nginx/html -user nginx
# ls -l /usr/local/nginx/html/
(Substitute the prefix used above, /opt/program/nginx, for /usr/local/nginx.) Nothing under the install prefix or the document root should be owned or writable by the worker user: a compromised worker could otherwise replace pages or the binary itself. Keep files owned by root (or a deploy account) with mode 644 and directories 755, and delete editor backup files (index.html~, .index.html.swp, *.bak) which Nginx serves as plain text and which leak source. Directories that genuinely need writes, such as uploads, belong outside the document root.
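The checks from sections 3 to 9 gathered into one audit script, added here as an example that is not part of the original article. lint_nginx_conf catches the directive a 1.8.0 binary rejects (limit_zone), a limit_conn with no zone behind it, a missing "server_tokens off" and the 1k body limit that turns every form post into a 413; audit_webroot lists files the worker user could alter and the editor leftovers mentioned above, and fix_webroot repairs both. The worker user name, the paths and the sample configuration lines are the example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): post-hardening audit of the
# configuration and the document root. User name and paths are assumptions.
set -eu

# Findings for CONF, one per line; empty output means clean.
lint_nginx_conf() {  # lint_nginx_conf CONF
    f="$1"
    grep -qE '^[[:space:]]*limit_zone[[:space:]]' "$f" \
        && echo "limit_zone: removed in 1.7.9; use limit_conn_zone KEY zone=NAME:SIZE"
    # every limit_conn must name a zone declared by limit_conn_zone
    grep -E '^[[:space:]]*limit_conn[[:space:]]' "$f" | awk '{print $2}' | while read -r z; do
        grep -q "zone=$z:" "$f" || echo "limit_conn $z: no limit_conn_zone declares zone $z"
    done
    grep -qE '^[[:space:]]*server_tokens[[:space:]]+off' "$f" \
        || echo "server_tokens off missing: the version string is advertised"
    grep -qE '^[[:space:]]*client_max_body_size[[:space:]]+1k' "$f" \
        && echo "client_max_body_size 1k: ordinary form posts get 413"
    return 0
}

# Files the worker could rewrite: owned by the worker user or world-writable.
worker_writable() {  # worker_writable DIR USER
    find "$1" -type f \( -user "$2" -o -perm -002 \) -print
}

# Editor and merge leftovers (index.php~, .index.php.swp, *.bak) are served
# as text and leak source.
leftover_files() {  # leftover_files DIR
    find "$1" -type f \( -name '*~' -o -name '*.swp' -o -name '*.bak' \
        -o -name '*.orig' -o -name '*.old' \) -print
}

audit_webroot() {  # audit_webroot DIR USER -> one finding per line
    worker_writable "$1" "$2" | sed 's/^/writable by worker: /'
    leftover_files "$1" | sed 's/^/leftover: /'
}

# Give the tree to OWNER (root in production), read-only for everyone else,
# and remove the leftovers. Workers only need read access; upload
# directories belong outside the document root.
fix_webroot() {  # fix_webroot DIR OWNER
    chown -R "$2" "$1"
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    leftover_files "$1" | while read -r f; do rm -f -- "$f"; done
}

# Both checks against an installation; non-zero exit if anything was found.
audit_install() {  # audit_install PREFIX WORKER_USER
    out="$(lint_nginx_conf "$1/conf/nginx.conf"; audit_webroot "$1/html" "$2")"
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}
```

`audit_install /opt/program/nginx nginx` is the call for the layout used in this article; run it after every deploy, and `fix_webroot /opt/program/nginx/html root` as root once the findings have been reviewed, since it deletes the leftover files.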
Conclusion
This article demonstrates a practical, customized Nginx setup that balances performance and security. Nginx is a powerful tool beyond basic web serving; its reverse‑proxy and load‑balancing features are the natural next step to explore.
Source: 21CTO (21CTO.com)