Master Nginx: From Beginner Setup to Full LNMP Architecture Deployment
This comprehensive guide walks you through installing and configuring Nginx, implementing access control, setting up virtual hosts, building a complete LNMP stack with MySQL and PHP‑FPM, applying performance optimizations, hardening security, and establishing monitoring for high‑performance web services.
Nginx Website Service: From Basics to LNMP Architecture
Introduction
Nginx, developed by Igor Sysoev, is a lightweight HTTP server capable of handling 30,000‑50,000 concurrent connections with low memory consumption, making it a top choice for high‑performance web services.
1. Nginx Basic Installation and Configuration
1.1 Compile and Install Nginx
Install required dependencies and create a dedicated nginx user.
# Install required packages
yum -y install pcre-devel zlib-devel gcc gcc-c++ make
# Create nginx user (no login shell)
useradd -M -s /sbin/nologin nginx
# Extract source and configure
tar zxf nginx-1.12.0.tar.gz
cd nginx-1.12.0
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module
make && make install
1.2 Create Service Script
#!/bin/bash
# /etc/init.d/nginx
#chkconfig: - 99 20
#description: Nginx Service Control Script
PROG="/usr/local/nginx/sbin/nginx"
PIDF="/usr/local/nginx/logs/nginx.pid"
case "$1" in
start) $PROG ;;
stop) kill -QUIT "$(cat "$PIDF")" ;;
restart) $0 stop; $0 start ;;
reload) kill -HUP "$(cat "$PIDF")" ;;
*) echo "Usage: $0 {start|stop|restart|reload}"; exit 1 ;;
esac
exit 0
2. Nginx Access Control
2.1 User Authentication
Install httpd-tools, create a password file, set strict permissions, and configure auth_basic in nginx.conf.
# Install htpasswd tool
yum install -y httpd-tools
# Create password file
htpasswd -c /usr/local/nginx/passwd.db admin
chmod 400 /usr/local/nginx/passwd.db
chown nginx /usr/local/nginx/passwd.db
# nginx.conf snippet
auth_basic "Admin Area";
auth_basic_user_file /usr/local/nginx/passwd.db;
2.2 IP‑Based Access Control
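nginx checks the allow and deny rules in the block that follows in order and stops at the first match, so the single-host deny only takes effect because it sits above the subnet allow. The Python sketch here is an added example, not code from the original article or from nginx: it replays that first-match logic over this section's rules and over a constructed misordered variant (the names decide, shadowed and MISORDERED are illustrative).

```python
import ipaddress

# Rules from the /admin location in this section, in file order.
RULES = [
    ("deny", "192.168.1.100"),
    ("allow", "192.168.1.0/24"),
    ("allow", "10.0.0.0/8"),
    ("deny", "all"),
]
# Constructed variant: the single-host deny moved below the subnet allow.
MISORDERED = [RULES[1], RULES[0], RULES[2], RULES[3]]


def _net(target):
    return ipaddress.ip_network(target, strict=False)


def decide(client_ip, rules=RULES):
    """Check rules in order; the first match ends the search."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in _net(target):
            return action
    return "allow"  # no rule matched, so the access module raises no objection


def shadowed(rules=RULES):
    """Rules that can never fire because an earlier rule already covers them."""
    dead = []
    for i, (action, target) in enumerate(rules):
        for _, earlier in rules[:i]:
            covered = target != "all" and _net(target).subnet_of(_net(earlier))
            if earlier == "all" or covered:
                dead.append((action, target))
                break
    return dead


if __name__ == "__main__":
    for ip in ("192.168.1.100", "192.168.1.50", "10.2.3.4", "203.0.113.9"):
        print(f"{ip:15} as written: {decide(ip):5} misordered: {decide(ip, MISORDERED)}")
    print("never reached when misordered:", shadowed(MISORDERED))
```

Running shadowed() over a rule list before a reload is a quick way to catch a deny that an earlier, broader allow has made unreachable.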
server {
location /admin {
deny 192.168.1.100; # block specific IP
allow 192.168.1.0/24; # allow whole subnet
allow 10.0.0.0/8; # allow internal network
deny all; # deny everything else
}
}
3. Virtual Host Configuration
3.1 Name‑Based Virtual Hosts
# Site1
server {
listen 80;
server_name www.site1.com;
root /var/www/html/site1;
index index.html;
}
# Site2
server {
listen 80;
server_name www.site2.com;
root /var/www/html/site2;
index index.html;
}
3.2 Port‑Based Virtual Hosts
server {
listen 8080;
root /var/www/html/site1;
index index.html;
}
server {
listen 8081;
root /var/www/html/site2;
index index.html;
}
4. LNMP Architecture Setup
4.1 MySQL Installation
# Install compilation dependencies
yum -y install ncurses-devel gcc-c++ cmake
# Extract and compile MySQL
tar -zxf mysql-5.6.36.tar.gz
cd mysql-5.6.36
cmake \
-DCMAKE_INSTALL_PREFIX=/usr/local/mysql \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci \
-DWITH_EXTRA_CHARSETS=all \
-DSYSCONFDIR=/etc
make && make install
# Create mysql user and group
groupadd mysql
useradd -M -s /sbin/nologin mysql -g mysql
chown -R mysql:mysql /usr/local/mysql
# Initialize database
/usr/local/mysql/scripts/mysql_install_db \
--basedir=/usr/local/mysql \
--datadir=/usr/local/mysql/data \
--user=mysql
4.2 PHP‑FPM Installation and Configuration
# Install PHP dependencies
yum -y install gd libxml2-devel libjpeg-devel libpng-devel
# Extract and compile PHP
tar -zxf php-5.5.38.tar.gz
cd php-5.5.38
./configure \
--prefix=/usr/local/php5 \
--with-mysql=/usr/local/mysql \
--with-mysqli=/usr/local/mysql/bin/mysql_config \
--enable-fpm \
--enable-mbstring \
--with-gd
make && make install
# php-fpm.conf (excerpt)
user = php
group = php
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
4.3 Nginx‑PHP Integration
server {
listen 80;
server_name www.example.com;
root /var/www/html;
index index.php index.html;
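location ~ \.php$ {
try_files $uri =404; # return 404 for paths that are not real files instead of passing them to PHP-FPM
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}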
location ~ \.(css|js|png|jpg|gif|ico|svg)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
}
5. Performance Optimization
5.1 Global Settings
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
events {
use epoll;
worker_connections 65535;
multi_accept on;
accept_mutex off;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
keepalive_requests 1000;
open_file_cache max=100000 inactive=20s;
gzip on;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
client_body_buffer_size 128k;
client_max_body_size 50m;
}
5.2 System Kernel Tuning
# /etc/sysctl.conf (excerpt)
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_fin_timeout = 10
fs.file-max = 6815744
5.3 PHP‑FPM Tuning
[www]
pm = dynamic
pm.max_children = 100
pm.start_servers = 20
pm.min_spare_servers = 10
pm.max_spare_servers = 30
pm.max_requests = 1000
6. Security Hardening
6.1 Hide Version Information
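http {
server_tokens off;
# more_set_headers comes from the third-party headers-more module (ngx_headers_more), which the build in section 1.1 does not include
more_set_headers "Server: WebServer";
}
6.2 Block Malicious Requests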
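An added example (not from the original article) that replays the method map, the User-Agent map and the dot-file location from the configuration that follows against constructed requests. It compares an unanchored `\.` location pattern with the anchored `/\.`, and shows two side effects of these filters: `~*bot` also rejects search-engine crawlers, and a dot-file deny also covers /.well-known/. All function and sample names are illustrative.

```python
import re

ALLOWED_METHODS = {"GET", "POST", "HEAD"}      # map $request_method
UA_PATTERNS = ("malicious", "bot", "crawler")  # map $http_user_agent, ~* is case-insensitive
UNANCHORED = re.compile(r"\.")    # any URI that contains a dot
DOT_SEGMENT = re.compile(r"/\.")  # only path segments that start with a dot


def classify(method, uri, user_agent, dot_re=DOT_SEGMENT):
    """Status the filters would return, or None when the request passes."""
    if method not in ALLOWED_METHODS:
        return 405  # if ($not_allowed_method)
    if any(re.search(p, user_agent, re.IGNORECASE) for p in UA_PATTERNS):
        return 403  # if ($blocked_agent)
    if dot_re.search(uri):
        return 403  # deny all in the regex location
    return None


# Constructed requests: (method, URI, User-Agent).
BROWSER = "Mozilla/5.0 (X11; Linux x86_64)"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLES = [
    ("GET", "/index.php", BROWSER),
    ("GET", "/.git/config", BROWSER),
    ("GET", "/.well-known/acme-challenge/token", BROWSER),
    ("DELETE", "/index.php", BROWSER),
    ("GET", "/", GOOGLEBOT),
]


def compare(samples=SAMPLES):
    """Return (method, uri, status with UNANCHORED, status with DOT_SEGMENT) per sample."""
    return [(m, u, classify(m, u, ua, UNANCHORED), classify(m, u, ua, DOT_SEGMENT))
            for m, u, ua in samples]


if __name__ == "__main__":
    for method, uri, loose, anchored in compare():
        print(f"{method:6} {uri:36} unanchored={loose} anchored={anchored}")
```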
map $request_method $not_allowed_method {
default 1;
GET 0;
POST 0;
HEAD 0;
}
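map $http_user_agent $blocked_agent {
default 0;
~*malicious 1;
~*bot 1; # case-insensitive substring match: also catches legitimate crawlers such as Googlebot
~*crawler 1;
}
server {
if ($not_allowed_method) { return 405; }
if ($blocked_agent) { return 403; }
# Block hidden files such as /.git or /.htaccess; an unanchored "\." would match every URI containing a dot
location ~ /\. { deny all; access_log off; log_not_found off; }
client_max_body_size 10m;
}
6.3 SSL/TLS Configuration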
server {
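# Needs nginx built with --with-http_ssl_module and --with-http_v2_module, which the configure line in section 1.1 does not enable
listen 443 ssl http2;
server_name www.example.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
# The TLSv1.3 parameter requires nginx 1.13.0 or later built against OpenSSL 1.1.1 or later
ssl_protocols TLSv1.2 TLSv1.3;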
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
error_page 497 https://$server_name$request_uri;
}
7. Monitoring and Logging
7.1 Log Format
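An added example, not from the original article: a small Python parser for lines written in the json log_format defined in the configuration that follows, flagging clients with repeated 401/403 responses and requests with slow upstreams. It assumes access_log is pointed at the json format (the access_log line on this page uses main); the sample lines, thresholds and function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample lines in the page's "json" log_format; the last one is truncated.
SAMPLE = "\n".join([
    '{"time":"2024-05-01T10:00:01+00:00","remote_addr":"203.0.113.7","request":"GET /admin HTTP/1.1","status":401,"body_bytes_sent":179,"request_time":0.000,"upstream_response_time":""}',
    '{"time":"2024-05-01T10:00:02+00:00","remote_addr":"203.0.113.7","request":"GET /admin HTTP/1.1","status":401,"body_bytes_sent":179,"request_time":0.000,"upstream_response_time":""}',
    '{"time":"2024-05-01T10:00:03+00:00","remote_addr":"203.0.113.7","request":"GET /admin HTTP/1.1","status":401,"body_bytes_sent":179,"request_time":0.000,"upstream_response_time":""}',
    '{"time":"2024-05-01T10:00:05+00:00","remote_addr":"198.51.100.4","request":"GET /index.php HTTP/1.1","status":200,"body_bytes_sent":5120,"request_time":2.512,"upstream_response_time":"0.010, 2.500"}',
    '{"time":"2024-05-01T10:00:07+00:00","remote_addr":"198.51.100.4","request":"GET /.git/config HTTP/1.1","status":403,"body_bytes_sent":153,"request_time":0.000,"upstream_response_time":"-"}',
    '{"time":"2024-05-01T10:00:09+00:00","remote_addr":"198.51.',
])


def upstream_seconds(raw):
    """Total upstream time. The field is empty or "-" when no upstream was used and
    holds several values separated by commas or colons when more than one was tried."""
    parts = (p.strip() for p in raw.replace(":", ",").split(","))
    return sum(float(p) for p in parts if p and p != "-")


def analyse(text, fail_threshold=3, slow_seconds=2.0):
    """Return clients with repeated 401/403 responses, slow requests and unparsable lines."""
    failures, slow, unparsed = Counter(), [], 0
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1  # truncated or corrupted line: count it, do not abort
            continue
        if entry["status"] in (401, 403):
            failures[entry["remote_addr"]] += 1
        if upstream_seconds(entry["upstream_response_time"]) >= slow_seconds:
            slow.append((entry["remote_addr"], entry["request"]))
    suspects = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {"suspects": suspects, "slow": slow, "unparsed": unparsed}


if __name__ == "__main__":
    print(analyse(SAMPLE))
```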
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" $request_time $upstream_response_time';
log_format json escape=json '{"time":"$time_iso8601","remote_addr":"$remote_addr","request":"$request","status":$status,"body_bytes_sent":$body_bytes_sent,"request_time":$request_time,"upstream_response_time":"$upstream_response_time"}';
access_log logs/access.log main;
error_log logs/error.log warn;
}
7.2 Log Rotation
# /etc/logrotate.d/nginx
/usr/local/nginx/logs/*.log {
daily
missingok
rotate 30
compress
delaycompress
notifempty
create 644 nginx nginx
sharedscripts
postrotate
kill -USR1 $(cat /usr/local/nginx/logs/nginx.pid) 2>/dev/null || :
endscript
}
Conclusion
The guide walks through installing Nginx, configuring access control, setting up virtual hosts, building a complete LNMP stack, applying performance tweaks, hardening security, and establishing monitoring, providing a solid foundation for high‑performance, secure web services.
MaGe Linux Operations
