Prerequisites
This guide requires:
- active subscription to RHEL repos, or add your own repos under /etc/yum.repos.d
- firewalld
- sshd
- certbot and python3-certbot-nginx
- epel-release (Extra Packages for Enterprise Linux)
- elevated privileges
1. Installing Web Server Package
Step 1.1: Install Nginx
Install Nginx using DNF:
sudo dnf install nginx -y
Step 1.2: Start and Enable Nginx
Start the Nginx service and enable it to run at boot:
sudo systemctl start nginx
sudo systemctl enable nginx
2. Configure Firewall
Step 2.1: Check Firewall Status
Determine firewall zone for interface:
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all
Step 2.2: Open Ports for Services
Allow HTTP, HTTPS, and SSH traffic:
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --add-service=ssh --permanent
sudo firewall-cmd --reload
Step 2.3: Verify Firewall Rules
List active zones and services to confirm:
sudo firewall-cmd --list-all
sudo firewall-cmd --get-active-zones
3. Configuring SSH Keys for Secure Access
Step 3.1: Generate SSH Key Pair
On your local machine, generate an SSH key pair:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Press Enter to accept the default location, and optionally set a passphrase.
Step 3.2: Copy Public Key to Server
Transfer your public key to the server:
ssh-copy-id user@server-ip
Step 3.3: Verify Key-Based Login
Test SSH login without a password:
ssh user@server-ip
Step 3.4: Disable Password Authentication
For additional security, edit the SSH configuration:
sudo vi /etc/ssh/sshd_config
# Set the following:
PasswordAuthentication no
PubkeyAuthentication yes
sudo systemctl restart sshd
4. Hardening Web Server
Step 4.1: Enable HTTPS with SSL
Install Certbot and obtain a certificate:
sudo dnf install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com
sudo systemctl reload nginx
Verify your site now loads with HTTPS.
Step 4.2: Configure Secure HTTP Headers
Edit Nginx configuration to add headers:
sudo vi /etc/nginx/conf.d/security.conf
# Example headers:
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "no-referrer";
Note that add_header directives set at the http level are inherited only by server and location blocks that define no add_header of their own; a block that adds its own header must repeat the others.
Reload Nginx to apply the changes:
sudo systemctl reload nginx
Step 4.3: Remove Unnecessary Packages
List and remove unneeded services to reduce attack surface:
sudo dnf list installed
sudo dnf remove package-name -y
5. Configuring SELinux
Step 5.1: Setting SELinux Context
Create a new directory in your preferred location (for example /var/www/nginx/html) and label it so that Nginx is allowed to serve it (semanage is provided by the policycoreutils-python-utils package):
sudo mkdir -p /var/www/nginx/html
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/nginx/html(/.*)?"
sudo restorecon -R /var/www/nginx/html/
# Ensure SELINUX=enforcing in /etc/selinux/config
Verify the new context:
ls -lZ /var/www/nginx/html/
6. Validate Server Settings
Test your site:
- HTTPS works
- Secure headers are present (curl -I https://yourdomain.com)
- No unneeded services are running
- SELinux is enforcing
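The checks above can be scripted. The script below is an added example, not part of the original guide; the helper names (check_headers, check_sshd, check_firewall) are chosen for this example, and each reads the output of the relevant command on stdin so it can be run against live or captured output.

```shell
#!/bin/sh
# check_hardening.sh: verifies the settings this guide configures.
# Helper names are made up for this example; each reads command output on stdin.

# Response headers required by Step 4.2 (compared in lower case).
REQUIRED_HEADERS="x-frame-options x-content-type-options referrer-policy"

# check_headers: read `curl -I` output on stdin and report each required
# header that is missing. Returns 0 if all are present, 1 otherwise.
check_headers() {
    names=$(tr -d '\r' | cut -d: -f1 | tr 'A-Z' 'a-z')
    rc=0
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$names" | grep -qx "$h" || { echo "missing header: $h"; rc=1; }
    done
    return $rc
}

# check_sshd: read the effective sshd config (`sshd -T`, lower-case keywords)
# on stdin. RHEL 9 includes /etc/ssh/sshd_config.d/*.conf before the main
# file, so a drop-in can override Step 3.4; the effective value is what counts.
check_sshd() {
    cfg=$(cat)
    rc=0
    printf '%s\n' "$cfg" | grep -qx 'passwordauthentication no' \
        || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    printf '%s\n' "$cfg" | grep -qx 'pubkeyauthentication yes' \
        || { echo "PubkeyAuthentication is not 'yes'"; rc=1; }
    return $rc
}

# check_firewall: read `firewall-cmd --list-services` on stdin and verify the
# services opened in Step 2.2 are allowed in the active zone.
check_firewall() {
    svcs=$(cat)
    rc=0
    for s in http https ssh; do
        printf ' %s ' "$svcs" | grep -q " $s " || { echo "service not allowed: $s"; rc=1; }
    done
    return $rc
}

# Live run, only when a domain is given: ./check_hardening.sh yourdomain.com
if [ -n "${1:-}" ]; then
    curl -sI "https://$1" | check_headers
    sudo sshd -T | check_sshd
    sudo firewall-cmd --list-services | check_firewall
    [ "$(getenforce)" = "Enforcing" ] || echo "SELinux is not enforcing"
fi
```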