Nginx Web Server Deployment and Hardening (RHEL 8+)
Objective: Deploy and secure an Nginx web server including firewall configuration, SSH key authentication, HTTPS, SELinux, and security headers.
Prerequisites:
- Active RHEL repository subscription or configured repositories
- firewalld
- sshd
- certbot and python3-certbot-nginx
- epel-release
- Elevated privileges
-
1. Install and Enable Nginx
    sudo dnf install nginx -y
    sudo systemctl start nginx
    sudo systemctl enable nginx
-
2. Configure Firewall
    sudo firewall-cmd --get-active-zones
    sudo firewall-cmd --list-all
    sudo firewall-cmd --add-service=http --permanent
    sudo firewall-cmd --add-service=https --permanent
    sudo firewall-cmd --add-service=ssh --permanent
    sudo firewall-cmd --reload
    sudo firewall-cmd --list-all
-
3. Configure SSH Key Authentication
On local machine:
    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
    ssh-copy-id user@server-ip
Verify login:
    ssh user@server-ip
Optional hardening:
    sudo vi /etc/ssh/sshd_config
Set these directives in the file:
    PasswordAuthentication no
    PubkeyAuthentication yes
Then restart sshd:
    sudo systemctl restart sshd
-
4. Enable HTTPS with SSL (Certbot)
    sudo dnf install certbot python3-certbot-nginx -y
    sudo certbot --nginx -d yourdomain.com
    sudo systemctl reload nginx
-
5. Configure Secure HTTP Headers
    sudo vi /etc/nginx/conf.d/security.conf
Add these lines to the file:
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header Referrer-Policy "no-referrer";
Then reload Nginx:
    sudo systemctl reload nginx
-
6. Configure SELinux Context (Optional)
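    # The file-context spec is a regular expression; (/.*)? covers the directory and everything below it
    sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/nginx/html(/.*)?"
    sudo restorecon -R /var/www/nginx/html/
    # Ensure enforcing mode
    getenforce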
-
7. Validate Server Configuration
- HTTPS loads successfully
- Secure headers present (curl -I https://yourdomain.com)
- No unnecessary services running
- SELinux enforcing
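
The header check in step 7 can be scripted instead of read by eye. The following is an added example, not part of the original runbook: check_headers, EXPECTED and sample_response are names chosen here, and the sample response is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original runbook): check the step 5 headers.
# Live use:  curl -sI https://yourdomain.com | check_headers

# Expected name=value pairs, copied from security.conf in step 5.
EXPECTED='x-frame-options=SAMEORIGIN
x-content-type-options=nosniff
referrer-policy=no-referrer'

# Reads response headers on stdin, prints one verdict per expected header and
# returns the number of headers that are missing or carry a different value.
check_headers() {
    local dump name want got failures
    failures=0
    dump=$(tr -d '\r')   # header lines end in CRLF; drop the CR
    while IFS='=' read -r name want; do
        # Header names are case-insensitive (HTTP/2 sends them lowercase).
        got=$(printf '%s\n' "$dump" | awk -v n="$name" 'BEGIN { FS = ":" }
            tolower($1) == n { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $name"; failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name: got '$got', want '$want'"; failures=$((failures + 1))
        else
            echo "OK       $name: $got"
        fi
    done <<EOF
$EXPECTED
EOF
    return "$failures"
}

# Constructed sample response (not captured from a real server) in which
# Referrer-Policy is absent, so the check reports one failure.
sample_response() {
    printf 'HTTP/2 200\r\nserver: nginx\r\nx-frame-options: SAMEORIGIN\r\n'
    printf 'x-content-type-options: nosniff\r\n\r\n'
}
sample_response | check_headers || echo "failing headers: $?"
```

Nginx's add_header applies only to a fixed set of success and redirect status codes unless the `always` parameter is given, so a check against an error page (for example a 404) can report MISSING even when the home page passes.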