A hardened baseline configuration for the Nginx web server.

18F FISMA Ready Nginx

The following was written against nginx stable 1.6.2 (tarball) (released 2014-08-05, changelog).

Installation notes

The primary configuration command we use is:

./configure --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/ \
  --lock-path=/var/run/nginx.lock \
  --user=nginx \
  --group=nginx \
  --with-http_ssl_module


Nginx configuration files:

  • nginx.conf - The main, server-wide nginx config settings.
  • vhosts/default.conf - A working configuration for a test app serving up a static file, on HTTP and HTTPS (with a self-signed cert).
  • ssl/ssl.rules - A set of SSL parameters appropriate for a vhost configuration file to include. Individual vhosts will still need to use their own ssl_certificate and ssl_certificate_key parameters, as vhosts/default.conf does.

These files expect that the directory structure will be preserved in /etc/nginx. In other words, nginx.conf should be at /etc/nginx/nginx.conf, and ssl/ssl.rules should be at /etc/nginx/ssl/ssl.rules.

And an additional helper script:

  • - An init script for nginx, to allow nginx to start on boot, and to allow control of nginx with the service command. Expects certain paths to have been passed to nginx upon ./configure.
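
An added example (not part of the 18F repository): a shell check that an nginx binary was built with the flags from the ./configure command above, which the init script relies on. It parses the `configure arguments:` line printed by `nginx -V`; the function name and both sample outputs are constructed for illustration, and `--pid-path` is not checked because its value is incomplete on this page.

```shell
#!/bin/sh
# Flags copied from the ./configure command in this README.
# --pid-path is left out: its value is incomplete on the page.
EXPECTED_FLAGS='--prefix=/etc/nginx
--sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--lock-path=/var/run/nginx.lock
--user=nginx
--group=nginx
--with-http_ssl_module'

# check_configure_args TEXT  (hypothetical helper name)
# TEXT is the output of `nginx -V 2>&1`. Prints one "missing: FLAG" line per
# expected flag that is absent; returns 0 if all are present, 1 if any is
# missing, 2 if TEXT has no "configure arguments:" line.
check_configure_args() {
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: //p')
    if [ -z "$args" ]; then
        echo "no 'configure arguments:' line found" >&2
        return 2
    fi
    missing=0
    for flag in $EXPECTED_FLAGS; do
        # Pad with spaces so only whole-argument matches count.
        case " $args " in
            *" $flag "*) ;;
            *) echo "missing: $flag"; missing=1 ;;
        esac
    done
    return "$missing"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_GOOD='nginx version: nginx/1.6.2
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-http_ssl_module'
SAMPLE_BAD='nginx version: nginx/1.6.2
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/run/nginx.lock --user=www-data --group=nginx'

# Demo on the constructed samples; on a host use:
#   check_configure_args "$(nginx -V 2>&1)"
check_configure_args "$SAMPLE_GOOD" && echo "good sample: all expected flags present"
check_configure_args "$SAMPLE_BAD" || echo "bad sample: build differs from the README"
```

`nginx -V` writes to stderr, so the `2>&1` redirect is needed when capturing its output.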