Nginx with Reverse Proxy


Last modified: February 4, 2021

Overview

Note:

This document refers to Nginx functionality when you install the ea-nginx package. This package is our new, updated version of Nginx. For information about our previous version of Nginx, now our ea-nginx-standalone package, read our Nginx Standalone documentation.

This document explains how to install Nginx with Reverse Proxy on a server that runs cPanel & WHM and EasyApache 4. This version of Nginx uses caching in order to serve content more quickly.

Nginx is an open source web server that also provides a reverse proxy, load balancing, and caching. cPanel & WHM’s Nginx with Reverse Proxy passes dynamic content through a proxy to Apache┬«.

Warning:
Nginx is experimental. You must install the Experimental Repository to use it.

Requirements

To install Nginx on your server, you must meet the following requirements:

  • Run EasyApache 4.

  • Install the Experimental Repository. Use the following command to install this repository:

    yum install ea4-experimental

  • Possess root user access to the server.

  • Install the ea-ruby27-mod_passenger Apache module. When you install the ea-nginx package, the system will install this module and other necessary Ruby modules if they don’t already exist.

    Note:
    • If your system runs CentO6, install the ea-ruby24-mod_passenger Apache module.
    • Phusion Passenger┬« functions the same in both Nginx and Apache.

  • Install the mod_remoteip Apache module. This module allows Apache to log the IP address correctly when you use Nginx as a reverse proxy.

Compatibility

Nginx takes the place of Apache as the primary web server. The installation will change Apache’s default ports and assign those port numbers to Nginx.

For more information, read the Nginx configuration changes section below.

Note:

If you do not want to proxy all of your content through Apache, you can use our standalone version of Nginx.

Install or uninstall Nginx

Install

To install Nginx, use the EasyApache 4 interface, or run the following command on the command line as the root user:

yum --enablerepo=EA4-experimental install ea-nginx

Uninstall

To uninstall Nginx, run the following command on the command line as the root user:

yum erase ea-nginx

The Nginx installation

When you install cPanel & WHM’s version of Nginx with Reverse Proxy, the installation process will change your server’s Apache installation to use different ports. Nginx will proxy all requests to Apache.

Note:

The process will only change your Apache ports if your Apache configuration uses the default ports of 80 and 443.

When you install Nginx, the installation process installs the ea-ruby27-mod_passenger Apache module. This module is required.

Nginx configuration changes

When you install Nginx on your server, the installation process makes several changes to your system.

Most notably, the installation configures Apache to no longer act as the primary web server. Because of this, the Nginx installation will create proxies for Mailman and AutoSSL.

Caching

Nginx reverse proxies to Apache and caches all requests by default.

Nginx caches data on a per-user basis. The cache file is stored in the following location, where type represents the type of caching, and username represents the username:

/var/cache/ea-nginx/type/username

Nginx with Reverse Proxy uses the type proxy for the proxy_pass directive. The cache directories use 700 permissions, restricted to the nobody and root users.

Configuration files

The system creates the /etc/nginx/conf.d/ea-nginx.conf configuration file.

Custom configurations

Warning:
  • Do not edit any of the files that Nginx owns. Changing these files may result in unexpected behavior.

  • If you create custom configuration files, you may change Nginx behavior in undesired ways. For example, if your custom block matches the PHP block, the server may serve the source code instead of PHP.

If you want to customize the server blocks for Nginx, create an include file that ends in .conf in the appropriate location. A server block is the same thing as a virtual host in Apache.

For more information about server blocks, including examples, read Nginx’s Server Block Examples documentation.

Note:

Do not use cpanel- as the prefix for any custom files you create.

Global configuration

Place any global .conf files that you create in the /etc/nginx/conf.d/ directory.

If you want to adjust every server block on your server, create your .conf file in the /etc/nginx/conf.d/server-includes/ directory.

Note:
Make certain that you also reference your .conf file with an include directive in the file that you want to use it in.

User configuration

Note:

In the following examples, username represents the username, and domainname represents the fully-qualified domain name.

This fully-qualified domain name must be one of the following:

  • The server block’s main domain.

  • The server block’s subdomain for addon domains and their subdomains.

  • The server block’s subdomain for subdomains that are not addon domains.

To customize every server block that a user owns, create your .conf file in following directory:

/etc/nginx/conf.d/users/username

To customize a specific server block for a specific domain, create your .conf file in the following directory:

/etc/nginx/conf.d/users/username/domainname/

Apache configuration

The Nginx installation makes the following changes to your Apache configuration:

  • Changes the Apache port to the first available port under 1024. This will usually be port 81.

  • Changes the Apache SSL port to the first available port under 1024. This will usually be port 444.

    Note:
    Your Apache ports will only change if your configuration uses the default ports 80 and 443. The installation ignores custom port numbers.

  • Adds the following to the /etc/nginx/conf.d/ea-nginx.conf file:

    1
    2
    3
    4
    5
    6
    
    map $host $CPANEL_APACHE_PROXY_IP {
            default 127.0.0.1;
        }  
    map $host $CPANEL_APACHE_PROXY_PORT {
            default 81;
        }

File access

Nginx does not serve files that start with .ht by default. There may be other files that you want to restrict access to.

The easiest solution is to not include restricted-access files in the document root. However, if this is not possible, you can also explicitly restrict access to files.

For example, if you serve your website from a git repository, you may want to prevent access to the site’s .git directory. To do this, create a .conf file in the appropriate location and add the following commands to your file:

1
2
3
4
5
6
location ~ /\.git {
	   deny all;
	   log_not_found off;
	   access_log off;
	   return 404;
   }  

After you save the file, reload your server to activate the configuration change.

For more information, read the Nginx Location Priority documentation.

Log Files

Nginx with Reverse Proxy does not currently support logging.

If you require logging, then you must either use Apache or use Nginx Standalone.

Run Nginx

To stop or restart Nginx, use the /usr/local/cpanel/scripts/restartsrv_nginx script.

We strongly recommend that you only use the cPanel script or WHM’s Service Manager interface (WHM >> Home >> Service Configuration >> Service Manager) to restart Nginx.

To use the restart commands in CentOS 7 to restart Nginx, you must use the reload option. This option ensures a graceful restart:

systemctl reload nginx.service

For more information, read our How to Restart Services documentation.

Configure a user

The system integrates Nginx into your user and domain changes.

The system uses the /usr/local/cpanel/scripts/ea-nginx script to make these changes. You do not need to run this script.

The system creates the .conf file in the following location, where username represents the username:

/etc/nginx/conf.d/users/username.conf

Configure an application

In cPanel & WHM version 90 and later, you can use cPanel’s Application Manager interface (Home >> cPanel >> Software >> Application Manager) to configure applications.

In previous version of cPanel & WHM, you must run the /usr/local/cpanel/scripts/ea-nginx script to update your configuration and restart the server.

Limitations

If one of your domains matches a proxy domain, the system will warn you that it will ignore conflicting duplicate entries. This conflict may result in unexpected behavior.

Warning:
  • If you use Nginx and ModSecurity┬« 2 or lower, your ModSecurity rules will not apply.

  • Nginx will not serve any file with a name starting with .ht for security reasons.

  • If you create an alias, make certain that your path’s location ends with a trailing slash (/). If your path does not end with a /, then your path is vulnerable to a path traversal exploit.

  • For more information, read the Nginx Security Advisories documentation.

Third-party Integration

Third-party integrators can use the following information to determine if Nginx caching is active. You can only use caching if you install the ea-nginx package. We also display the caching status in the Nginx Caching section of the [cPanel Interface]().

If the /etc/nginx/ea-nginx/cache.json file exists, then the ea-nginx package is installed on the server. You can determine if caching is enabled or disabled based on the following information:

  • If the enabled key exists in the following userdata file, its value determines if Nginx caching is enabled. In this example, user represents the username:
    /var/cpanel/userdata/user/nginx-cache.json
  • If the enabled key exists in the following global configuration file, its value determines if Nginx caching is enabled. In this example, user represents the username:
    /etc/nginx/ea-nginx/cache.json
  • If the enabled key does not exist in either file, then caching is enabled by default.

If the /etc/nginx/ea-nginx/cache.json file does not exists, then ea-nginx is not installed on the server.

If the /etc/nginx/ea-nginx/enable.standalone file exists, the ea-nginx-standalone package is installed, and caching is not enabled on the server.

Troubleshooting

Could not build the server names_hash

You may receive an error that resembles the following message:

1
2
3
could not build the server_names_hash,
you should increase either server_names_hash_max_size: 512
or server_names_hash_bucket_size: 32

If you receive this error message, increase the value of the following directives in the /etc/nginx/conf.d/ea-nginx.conf and the /etc/nginx/conf.d/settings.json files:

  • server_names_hash_max_size

  • server_names_hash_bucket_size

For more information, read the Nginx Server Names documentation.

Nginx will not restart

If you used the nginx command to start Nginx, then the /usr/local/cpanel/scripts/restartsrv_nginx and systemctl restart nginx.service commands will not work. To correct this, perform the following steps:

  1. Stop the service with the /usr/sbin/nginx -s stop command.

  2. Restart Nginx with one of the following commands:

    • /usr/local/cpanel/scripts/restartsrv_nginx start

    • systemctl start nginx.service

    • /etc/init.d/nginx start

Additional Documentation