Nginx Vhost & NSD DNS Setup

How to add a new Nginx vhost account for a new domain/subdomain?

For browser-trusted certificates you will need to enable Centmin Mod's free SSL certificate support via its Letsencrypt integration. If you use Cloudflare in front of your domains, pay attention to the section on using the recommended Cloudflare DNS API domain validation method instead of the default Letsencrypt webroot domain validation method.

Centmin Mod 131.00stable and higher has extended the Nginx vhost creation routine to allow two methods of creating an Nginx site domain vhost account:

  1. New /usr/bin/nv SSH command line method
  2. Traditional Centmin Mod menu option #2

The new /usr/bin/nv SSH command line method is outlined here. It allows unattended or scripted creation of new Nginx site domain vhost accounts on the Centmin Mod LEMP stack.

To create a new site domain Nginx vhost account for newdomain.com with a self-signed SSL certificate enabled and a Pure-FTPD virtual FTP username of MYFTPUSERNAME, type the following on the SSH command line:

/usr/bin/nv -d newdomain.com -s y -u MYFTPUSERNAME

Or via the traditional Centmin Mod menu option #2. Centmin Mod 131.00stable and higher also adds self-signed SSL Nginx vhost generation and Pure-FTPD virtual FTP user support to this option. Below is an example session for setting up newdomain.com, where newdomainipaddress is the domain's IP address (your A record, i.e. the IP address of the server the domain is hosted on). The script outputs the paths where it creates the domain's vhost conf file, named newdomain.com.conf:

  • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
  • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
  • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
  • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
  • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
  • A full guide to the Nginx vhost structure can be found on the Centmin Mod configuration files page.

--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu                   
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 2
--------------------------------------------------------

---------------------------------------------

Enter vhost domain name to add (without www. prefix): newdomain.com

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

Create FTP username for vhost domain (enter username): MYFTPUSERNAME
Auto generate FTP password (recommended) [y/n]: y

FTP username you entered: MYFTPUSERNAME
FTP password auto generated: WpTY9dorKBQz3F@~ew70BQq8a9s76eh1!

Password: 
Enter it again: 
---------------------------------------------------------------
SSL Vhost Setup...
---------------------------------------------------------------

---------------------------------------------------------------
Generating self signed SSL certificate...
Generating a 2048 bit RSA private key
.................................................................................................................................+++
..................................................................+++
writing new private key to 'newdomain.com.key'
-----
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=newdomain.com/CN=newdomain.com
Getting Private key
---------------------------------------------------------------
Generating dhparam.pem file - can take a few minutes...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................+.........................................................................................................................................................................................................................................................................................+....................................................+..............................................................................................................................................................................................................+.....................................................................................................................................................................+.............................................................................+.............................................................................................................................+....................................................................................................+...........................................................................................+........................................................................................................................................................+.......................................................................................................................................................++*++*
dhparam file generation time: 12.149109355

-------------------------------------------------------------
service nginx reload
Reloading nginx configuration (via systemctl):  [  OK  ]
systemctl restart pure-ftpd.service

-------------------------------------------------------------
FTP hostname : IPADDRESS
FTP port : 21
FTP mode : FTP (explicit SSL)
FTP Passive (PASV) : ensure is checked/enabled
FTP username created for newdomain.com : MYFTPUSERNAME
FTP password created for newdomain.com : WpTY9dorKBQz3F@~ew70BQq8a9s76eh1!
-------------------------------------------------------------
vhost for newdomain.com created successfully

domain: http://newdomain.com
vhost conf file for newdomain.com created: /usr/local/nginx/conf/conf.d/newdomain.com.conf

vhost ssl for newdomain.com created successfully

domain: https://newdomain.com
vhost ssl conf file for newdomain.com created: /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
/usr/local/nginx/conf/ssl_include.conf created
Self-signed SSL Certificate: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt
SSL Private Key: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key
SSL CSR File: /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.csr

upload files to /home/nginx/domains/newdomain.com/public
vhost log files directory is /home/nginx/domains/newdomain.com/log

-------------------------------------------------------------
Current vhost listing at: /usr/local/nginx/conf/conf.d/

                       
Jul 16  19:04   845    ssl.conf
Jul 16  19:04   1.1K   demodomain.com.conf
Jul 16  19:08   1.6K   virtual.conf
Jul 20  01:09   1.9K   newdomain.com.conf
Jul 24  01:42   1.7K   newdomain2.com.conf
Jul 24  01:42   3.4K   newdomain2.com.ssl.conf
Jul 24  01:51   1.7K   newdomain.com.conf
Jul 24  01:51   3.4K   newdomain.com.ssl.conf

-------------------------------------------------------------
Current vhost ssl files listing at: /usr/local/nginx/conf/ssl/newdomain.com

                       
Jul 24  01:50   1.7K   newdomain.com.key
Jul 24  01:50   1009   newdomain.com.csr
Jul 24  01:50   1.2K   newdomain.com.crt
Jul 24  01:51   424    dhparam.pem

-------------------------------------------------------------
Commands to remove newdomain.com

 rm -rf /usr/local/nginx/conf/conf.d/newdomain.com.conf
 rm -rf /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
 rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt
 rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key
 rm -rf /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.csr
 rm -rf /home/nginx/domains/newdomain.com
 service nginx restart
-------------------------------------------------------------
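Once the vhost has been created, the things worth checking are the ones the creation output does not prove: that every file it reported actually exists, that the private key is not readable by other users on the box, that the certificate and key belong together, and that Nginx still parses its config tree. The following check script is an added example and not Centmin Mod's own code; the NGINX_CONFD, NGINX_SSL and DOMAINS_ROOT override variables are an assumption added here so it can be pointed at a scratch directory, and their defaults are the paths listed above.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: post-creation checks for a vhost
# made with "nv -d DOMAIN -s y" or centmin.sh menu option 2.
# The NGINX_*/DOMAINS_ROOT variables are an assumption added here so the same
# checks can run against a scratch tree; defaults are the paths listed above.
NGINX_CONFD="${NGINX_CONFD:-/usr/local/nginx/conf/conf.d}"
NGINX_SSL="${NGINX_SSL:-/usr/local/nginx/conf/ssl}"
DOMAINS_ROOT="${DOMAINS_ROOT:-/home/nginx/domains}"

# key_is_private FILE: true when the group and other permission bits are all
# clear (0600-style). Reads ls(1) output so it works without GNU stat.
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# cert_matches_key CRT KEY: true when the RSA modulus of both is identical.
# Skipped (reports true) when openssl is not installed.
cert_matches_key() {
  command -v openssl >/dev/null 2>&1 || return 0
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# verify_vhost DOMAIN: prints one line per check; exit status = number of failed checks.
verify_vhost() {
  domain="$1"
  fails=0
  for f in "$NGINX_CONFD/$domain.conf" \
           "$NGINX_CONFD/$domain.ssl.conf" \
           "$NGINX_SSL/$domain/$domain.crt" \
           "$NGINX_SSL/$domain/$domain.key" \
           "$NGINX_SSL/$domain/dhparam.pem"; do
    if [ -f "$f" ]; then echo "ok       $f"
    else echo "MISSING  $f"; fails=$((fails + 1)); fi
  done
  for d in "$DOMAINS_ROOT/$domain/public" "$DOMAINS_ROOT/$domain/log"; do
    if [ -d "$d" ]; then echo "ok       $d/"
    else echo "MISSING  $d/"; fails=$((fails + 1)); fi
  done
  key="$NGINX_SSL/$domain/$domain.key"
  crt="$NGINX_SSL/$domain/$domain.crt"
  if [ -f "$key" ]; then
    if key_is_private "$key"; then echo "ok       $key not readable by group/other"
    else echo "WEAK     $key is readable by group/other (chmod 600 it)"; fails=$((fails + 1)); fi
    if cert_matches_key "$crt" "$key"; then echo "ok       certificate and key match"
    else echo "BAD      certificate and key do not match"; fails=$((fails + 1)); fi
  fi
  # nginx -t parses the whole config tree, so it also catches a broken new vhost
  # file. Only run against the real install, never against a scratch tree.
  if [ "$NGINX_CONFD" = /usr/local/nginx/conf/conf.d ] && command -v nginx >/dev/null 2>&1; then
    if nginx -t >/dev/null 2>&1; then echo "ok       nginx -t"
    else echo "BAD      nginx -t failed"; fails=$((fails + 1)); fi
  fi
  return "$fails"
}

# Usage on a Centmin Mod server: verify_vhost newdomain.com
```

The permission check matters because the vhost directory tree is shared with the nginx user and with any FTP user created for the site; a world-readable newdomain.com.key lets anyone with a shell or FTP account on the box impersonate the site.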

/usr/local/nginx/conf/conf.d/newdomain.com.conf contents

# Centmin Mod Getting Started Guide
# must read http://lb1.centminmod.com/getstarted.html

# redirect from non-www to www 
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
#server {
#            listen   80;
#            server_name newdomain.com;
#            return 301 $scheme://www.newdomain.com$request_uri;
#       }

server {
  server_name newdomain.com www.newdomain.com;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/newdomain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/newdomain.com/log/error.log;

  root /home/nginx/domains/newdomain.com/public;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #}

  location / {

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://lb1.centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

/usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf contents

# Centmin Mod Getting Started Guide
# must read http://lb1.centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://lb1.centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#   server_name newdomain.com www.newdomain.com;
#    return 302 https://$server_name$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name newdomain.com www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  # mozilla recommended
  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header  X-Content-Type-Options "nosniff";
  #add_header X-Frame-Options DENY;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;
  
  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-trusted.crt;  

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/newdomain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/newdomain.com/log/error.log;

  root /home/nginx/domains/newdomain.com/public;

  # prevent access to ./directories and files
  #location ~ (?:^|/)\. {
  # deny all;
  #}  

  location / {

# block common exploits, sql injections etc
#include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # Enable for vBulletin usage WITHOUT vbSEO installed
  # More example Nginx vhost configurations at
  # http://lb1.centminmod.com/nginx_configure.html
  #try_files    $uri $uri/ /index.php;

  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

If you want to enable autoindex so that a directory listing is shown when no index.html/index.php page exists, uncomment the autoindex on option, save the newdomain.com.conf file and restart the Nginx server. A directory listing exposes every file under that path (backups, database dumps, editor swap files), so only enable it for directories that are meant to be browsable.

change from

  #autoindex  on;

change to

  autoindex  on;

If you want to enable server side includes (SSI) in Nginx, uncomment the ssi on option, save the newdomain.com.conf file and restart the Nginx server. SSI executes directives embedded in the files Nginx serves, so do not enable it on a vhost where untrusted users can upload content that will be served as HTML.

change from

  # ssi  on;

change to

   ssi  on;

To restart the Nginx server after saving conf changes, type one of these three commands in your SSH session. Run nginx -t first to confirm the config parses; a syntax error in a vhost file otherwise leaves Nginx stopped after the restart.

/etc/init.d/nginx restart

or

service nginx restart

If you installed commandline shortcuts at Centmin Mod install time:

ngxrestart


How to force redirect from HTTP:// to HTTPS:// ?

Test first in an incognito or private browser session on your local PC, so you confirm the HTTP to HTTPS redirect works before changing the 302 temporary redirect to a 301 permanent redirect. Browsers cache 301 responses, so a wrong permanent redirect is hard to undo for visitors who have already received it.

The easiest way, with the Centmin Mod auto-generated self-signed SSL vhost structure in place (which creates both an HTTP vhost /usr/local/nginx/conf/conf.d/newdomain.com.conf and an HTTPS vhost /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf), is to rename the HTTP vhost /usr/local/nginx/conf/conf.d/newdomain.com.conf to /usr/local/nginx/conf/conf.d/newdomain.com.conf-disabled and use only the HTTPS vhost /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf config file. Nginx only loads files matching *.conf from that directory, so the renamed file is ignored and the port 80 redirect server {} context in the HTTPS vhost file takes over for plain HTTP requests.

To rename the HTTP vhost /usr/local/nginx/conf/conf.d/newdomain.com.conf to /usr/local/nginx/conf/conf.d/newdomain.com.conf-disabled, run this command as the root user in your SSH session. To reverse the change, swap the two file names to rename it back:

mv /usr/local/nginx/conf/conf.d/newdomain.com.conf /usr/local/nginx/conf/conf.d/newdomain.com.conf-disabled

Edit the top of the /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf config file: uncomment the server {} context above the HTTP/2 SSL server {} context and change its redirect target.

from

# Centmin Mod Getting Started Guide
# must read http://lb1.centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://lb1.centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#   server_name newdomain.com www.newdomain.com;
#    return 302 https://$server_name$request_uri;
# }

to (for redirecting http://newdomain.com and http://www.newdomain.com to https://newdomain.com)

# Centmin Mod Getting Started Guide
# must read http://lb1.centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://lb1.centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
 server {
    server_name newdomain.com www.newdomain.com;
    return 302 https://newdomain.com$request_uri;
 }

If you also want to redirect https://www.newdomain.com to https://newdomain.com, add a third server{} context to the HTTP/2 HTTPS SSL section of the /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf config file:

server {
  listen 443 ssl http2;
  server_name www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  return 302 https://newdomain.com$request_uri;
}

so the top part of the HTTP/2 SSL config within /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf looks like the block directly below. Replace 302 with 301 once you confirm it is working. The three server {} contexts are: the 1st redirects port 80 non-HTTPS requests for both the non-www and www hostnames to the non-www HTTPS site, the 2nd redirects port 443 HTTPS requests for the www hostname to the non-www HTTPS site, and the final context is the actual main site for the non-www hostname over HTTPS. The 2nd context needs the certificate directives because the TLS handshake for www.newdomain.com completes before the redirect is sent, which also means the certificate must cover the www hostname.

# Centmin Mod Getting Started Guide
# must read http://lb1.centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://lb1.centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
 server {
    server_name newdomain.com www.newdomain.com;
    return 302 https://newdomain.com$request_uri;
 }

server {
  listen 443 ssl http2;
  server_name www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  return 301 https://newdomain.com$request_uri;
}

server {
  listen 443 ssl http2;
  server_name newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

< snipped the rest of the nginx settings >

or to (for redirecting http://newdomain.com and http://www.newdomain.com to https://www.newdomain.com)

# Centmin Mod Getting Started Guide
# must read http://lb1.centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://lb1.centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
 server {
    server_name newdomain.com www.newdomain.com;
    return 302 https://www.newdomain.com$request_uri;
 }

If you prefer the www hostname, i.e. https://www.newdomain.com, to be the redirect target, you will have to add a 3rd server{} context to your Nginx HTTPS SSL vhost config file.

So the top part changes from:

# Centmin Mod Getting Started Guide
# must read http://lb1.centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://lb1.centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
# server {
#   server_name newdomain.com www.newdomain.com;
#    return 302 https://$server_name$request_uri;
# }

server {
  listen 443 ssl http2;
  server_name newdomain.com www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

< snipped the rest of the nginx settings >

to

# Centmin Mod Getting Started Guide
# must read http://lb1.centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://lb1.centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
 server {
   server_name newdomain.com www.newdomain.com;
    return 302 https://www.newdomain.com$request_uri;
 }

server {
  listen 443 ssl http2;
  server_name newdomain.com;
  return 302 https://www.newdomain.com$request_uri;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;
}

server {
  listen 443 ssl http2;
  server_name www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

< snipped the rest of the nginx settings >

Notice the middle server{} context tells Nginx to redirect non-www HTTPS requests to the www HTTPS site served by the third server{} context, while the first server{} context redirects both non-HTTPS non-www and www requests to that same www HTTPS site.

The above redirect vhost examples differ slightly if you use Centmin Mod 123.09beta01 or higher's integrated Letsencrypt SSL tools, as the SSL certificate paths differ for this part:

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

the default HTTPS SSL vhost generated might look like this instead, where the /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt.key.conf include file contains the ssl_certificate and ssl_certificate_key paths:

  include /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

so it may look like the following instead:

# Centmin Mod Getting Started Guide
# must read http://lb1.centminmod.com/getstarted.html
# For HTTP/2 SSL Setup
# read http://lb1.centminmod.com/nginx_configure_https_ssl_spdy.html

# redirect from www to non-www  forced SSL
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
 server {
   server_name newdomain.com www.newdomain.com;
    return 302 https://www.newdomain.com$request_uri;
 }

server {
  listen 443 ssl http2;
  server_name newdomain.com;
  return 302 https://www.newdomain.com$request_uri;

  include /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;
}

server {
  listen 443 ssl http2;
  server_name www.newdomain.com;

  include /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

< snipped the rest of the nginx settings >

Then restart the Nginx server for the changes to take effect.

Once you're happy that the redirects are working properly, change the 302 temporary redirects to 301 permanent redirects by changing return 302 to return 301 and restarting the Nginx server.
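The three-context pattern above is the same for every site; only the domain, the canonical hostname, the status code and the certificate directives change. The following generator is an added example in shell and is not part of Centmin Mod: it prints the port 80 redirect, the port 443 alternate-hostname redirect and the head of the main HTTPS context for any domain, for either the www or non-www target, and for either the self-signed certificate paths or the Letsencrypt .crt.key.conf include. The function and argument names are assumptions; the certificate paths follow the layout on this page.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: print the three server {} contexts
# described above for any domain, so the redirect block is generated instead of
# hand-edited per site. The output replaces the commented-out server {} at the
# top of /usr/local/nginx/conf/conf.d/DOMAIN.ssl.conf; the body of the original
# HTTPS server {} is pasted into the last context.
#
#   gen_https_redirect DOMAIN TARGET CODE CERTMODE
#     TARGET    nonwww | www   (the hostname the site is served on)
#     CODE      302 while testing, 301 once verified
#     CERTMODE  selfsigned  -> ssl_dhparam/ssl_certificate/ssl_certificate_key lines
#               letsencrypt -> include DOMAIN.crt.key.conf, as the Letsencrypt
#                              integration's vhosts do
# Argument names are assumptions of this example; paths follow this page's layout.

# cert_lines DOMAIN CERTMODE: the TLS directives shared by both port 443 contexts
cert_lines() {
  d="$1"
  case "$2" in
    letsencrypt)
      printf '  include /usr/local/nginx/conf/ssl/%s/%s.crt.key.conf;\n' "$d" "$d" ;;
    selfsigned)
      printf '  ssl_dhparam /usr/local/nginx/conf/ssl/%s/dhparam.pem;\n' "$d"
      printf '  ssl_certificate      /usr/local/nginx/conf/ssl/%s/%s.crt;\n' "$d" "$d"
      printf '  ssl_certificate_key  /usr/local/nginx/conf/ssl/%s/%s.key;\n' "$d" "$d" ;;
    *) echo "CERTMODE must be selfsigned or letsencrypt" >&2; return 1 ;;
  esac
  printf '  include /usr/local/nginx/conf/ssl_include.conf;\n'
}

gen_https_redirect() {
  d="$1"; target="${2:-nonwww}"; code="${3:-302}"; mode="${4:-selfsigned}"
  case "$code" in 301|302) ;; *) echo "CODE must be 301 or 302" >&2; return 1 ;; esac
  case "$target" in
    nonwww) canon="$d";     alt="www.$d" ;;
    www)    canon="www.$d"; alt="$d" ;;
    *) echo "TARGET must be nonwww or www" >&2; return 1 ;;
  esac
  cert_lines "$d" "$mode" >/dev/null || return 1   # validate CERTMODE up front

  # 1st: plain HTTP for both hostnames -> canonical HTTPS host.
  # No listen line, so Nginx's port 80 default applies, as in the vhost above.
  printf 'server {\n  server_name %s www.%s;\n  return %s https://%s$request_uri;\n}\n\n' \
    "$d" "$d" "$code" "$canon"

  # 2nd: HTTPS on the non-canonical hostname -> canonical host. The TLS
  # handshake completes before the redirect is sent, so this context needs the
  # certificate too, and the certificate must cover this hostname as well.
  printf 'server {\n  listen 443 ssl http2;\n  server_name %s;\n' "$alt"
  cert_lines "$d" "$mode"
  printf '  return %s https://%s$request_uri;\n}\n\n' "$code" "$canon"

  # 3rd: the real site, on the canonical hostname only.
  printf 'server {\n  listen 443 ssl http2;\n  server_name %s;\n' "$canon"
  cert_lines "$d" "$mode"
  printf '  # ... rest of the original HTTPS server {} body goes here ...\n}\n'
}

# Usage: gen_https_redirect newdomain.com nonwww 302 selfsigned
```

Generating the block makes the two mistakes seen most often on this page's pattern impossible: leaving the main context's server_name as "newdomain.com www.newdomain.com" (which makes it shadow the redirect context) and forgetting the certificate directives in the port 443 redirect context.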


How to switch a self-signed SSL certificate to a paid SSL certificate?

If you want to replace the auto-generated self-signed SSL certificate (created via centmin.sh menu option 2 or the /usr/bin/nv command line vhost creation outlined above) with a paid SSL certificate, you still need to follow the same steps outlined at Nginx SPDY SSL Configuration for purchasing and obtaining the paid SSL certificate. The most important part is concatenating the files your SSL provider sends you into the /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crt files referenced in your Nginx SSL vhost config file. The actual file names can be anything you want, but the contents must be concatenated in the proper order: ssl-unified.crt holds your own certificate first, followed by the Intermediate CA certificate(s) (browsers already have the Root CA certificate in their trust store, so it does not need to be served), and ssl-trusted.crt holds the Intermediate CA certificate(s) followed by the Root CA certificate, which is what Nginx needs to verify stapled OCSP responses. The concatenated ssl-unified.crt forms the certificate chain that allows web browsers to trust your paid SSL certificate; without it, or with the certificates in the wrong order, browsers report the certificate as untrusted or flag certificate chain issues.

The paths to those files will be /usr/local/nginx/conf/ssl/newdomain.com/ssl-unified.crt and /usr/local/nginx/conf/ssl/newdomain.com/ssl-trusted.crt. Basically, the only difference from the instructions outlined at Nginx SPDY SSL Configuration is that with the auto-generated self-signed SSL vhost structure, the SPDY/HTTP2 SSL vhost itself already exists at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf, and you do not need to manually create the /usr/local/nginx/conf/ssl/newdomain.com directory or the self-signed SSL certificate files. Keep using the existing private key /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key only if the CSR you submitted to the provider was the one generated from it (/usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.csr); a certificate only works with the key its CSR was made from.

So to switch, change the self-signed certificate path in the Nginx vhost /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf file and enable the settings relevant to paid SSL certificates by uncommenting them (remove the # prefix from the lines).

from

  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;

  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com-trusted.crt;

to

  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/ssl-unified.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/ssl-trusted.crt;

where /usr/local/nginx/conf/ssl/newdomain.com/ssl-unified.crt and /usr/local/nginx/conf/ssl/newdomain.com/ssl-trusted.crt are the files created via the concatenation instructions. Then it is just a matter of restarting the Nginx server.

Examples of SSL certificate concatenation are at the Compiled list of SSL certificate file name bundles. If you're using a paid SSL certificate, you might want to post in that thread to contribute the file names your SSL provider emailed you so I can build a database of known paid SSL certificate types and their provided file names.
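The concatenation step above is where chain errors are introduced, usually by pasting files in the wrong order or by a provider file that lacks a trailing newline, which glues one END line onto the next BEGIN line. The script below is an added example and not Centmin Mod's own code: it builds ssl-unified.crt and ssl-trusted.crt in the order Nginx expects and checks them before the vhost is switched over. Provider file names differ per CA, so they are passed as arguments; the function names and the OUTDIR argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: build ssl-unified.crt and
# ssl-trusted.crt from the files a CA sends, in the order Nginx expects, and
# sanity-check them before the vhost is switched over.
#
#   build_ssl_bundles OUTDIR LEAF.crt ROOT.crt INTERMEDIATE1.crt [INTERMEDIATE2.crt ...]
#     OUTDIR/ssl-unified.crt = leaf, then intermediates  (what ssl_certificate serves;
#                              the root is already in browser trust stores)
#     OUTDIR/ssl-trusted.crt = intermediates, then root  (what ssl_trusted_certificate
#                              needs to verify stapled OCSP responses)
#   verify_ssl_bundles OUTDIR KEY.key
#     structural checks always; chain and key/cert checks when openssl is present
# Argument order and function names are assumptions of this example.

# pem_count FILE: number of certificate blocks in FILE (0 if missing)
pem_count() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# cat_pem FILE...: concatenate, adding a newline after any file that lacks one so
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" can never be produced
cat_pem() {
  for f in "$@"; do
    cat "$f"
    [ -z "$(tail -c 1 "$f")" ] || echo
  done
}

build_ssl_bundles() {
  outdir="$1"; leaf="$2"; root="$3"; shift 3
  [ $# -ge 1 ] || { echo "need at least one intermediate certificate" >&2; return 1; }
  for f in "$leaf" "$root" "$@"; do
    [ "$(pem_count "$f")" -ge 1 ] || { echo "no PEM certificate found in $f" >&2; return 1; }
  done
  mkdir -p "$outdir" || return 1
  cat_pem "$leaf" "$@" > "$outdir/ssl-unified.crt"
  cat_pem "$@" "$root" > "$outdir/ssl-trusted.crt"
}

verify_ssl_bundles() {
  u="$1/ssl-unified.crt"; t="$1/ssl-trusted.crt"; key="$2"
  [ "$(pem_count "$u")" -ge 2 ] || { echo "ssl-unified.crt must hold the leaf plus intermediate(s)" >&2; return 1; }
  [ "$(pem_count "$t")" -ge 2 ] || { echo "ssl-trusted.crt must hold intermediate(s) plus root" >&2; return 1; }
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; chain and key checks skipped" >&2
    return 0
  fi
  # The leaf (first block of ssl-unified.crt) must chain to the root through
  # ssl-trusted.crt; this is the same verification Nginx performs for stapling.
  openssl verify -CAfile "$t" "$u" >/dev/null 2>&1 || { echo "leaf does not verify against ssl-trusted.crt" >&2; return 1; }
  # And the private key must belong to that leaf.
  c=$(openssl x509 -noout -modulus -in "$u" 2>/dev/null)
  k=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ] || { echo "private key does not match the leaf certificate" >&2; return 1; }
  echo "bundles OK"
}

# Usage on the server, after uploading the provider's files to /root/certs:
#   build_ssl_bundles /usr/local/nginx/conf/ssl/newdomain.com /root/certs/leaf.crt /root/certs/root.crt /root/certs/intermediate.crt
#   verify_ssl_bundles /usr/local/nginx/conf/ssl/newdomain.com /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key
```

Run verify_ssl_bundles before editing the vhost and restarting Nginx; a key/certificate mismatch is a config error Nginx will refuse to load, and a broken chain is the classic "works in Chrome on my PC, untrusted everywhere else" report, because a desktop browser may have cached the missing intermediate from another site.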


Enabling OCSP Stapling for SSL

Online Certificate Status Protocol (OCSP) stapling in Nginx is only useful for certificates issued by a publicly trusted CA (a commercial certificate or a Letsencrypt certificate): the stapled response is signed by the CA's OCSP responder, which does not exist for a self-signed certificate. For self-signed certificates and the auto-generated Nginx HTTPS vhosts, the OCSP stapling settings are therefore disabled and commented out by default:

  # enable ocsp stapling
  #resolver 8.8.8.8 8.8.4.4 valid=10m;
  #resolver_timeout 10s;
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt; 

Only if you have a CA-issued certificate that is fully trusted in web browsers should you uncomment the settings and restart Nginx to enable OCSP stapling. The ssl_trusted_certificate file is created via concatenation of the SSL provider's files as outlined above (the intermediate certificate(s) followed by the root). With ssl_stapling_verify on, Nginx verifies each OCSP response against that file before stapling it, and if verification fails it logs the error in error.log and staples nothing.

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;

Some online SSL test sites may incorrectly report whether OCSP stapling is enabled, so you can also do a quick OCSP stapling test from the SSH command line. Type the following, where domain.com is the https://domain.com SSL domain you set up (-servername sends SNI so the right vhost answers; do not force -tls1, as a server that has disabled TLS 1.0 will simply refuse the connection):

  openssl s_client -connect domain.com:443 -servername domain.com -tlsextdebug -status < /dev/null

look for this output:

  OCSP response:
  ======================================
  OCSP Response Data:
      OCSP Response Status: successful (0x0)

If the output instead shows OCSP response: no response sent, no OCSP response was stapled. Nginx fetches the OCSP response in the background after the first request following a restart, so repeat the test once before concluding stapling is off. Or run your SSL enabled site through the test at https://certificate.revocationcheck.com/
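Because the first handshake after a restart never carries a staple, a one-shot openssl command is easy to misread. The following checker is an added example, not Centmin Mod's own code: it parses the openssl s_client -status output into a single status word and retries a few times before reporting. The function names, the retry count and the sample output strings used in testing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code: a repeatable stapling check built
# on the openssl s_client command above. Nginx fetches the OCSP response in the
# background after the first TLS handshake following a restart, so a single
# connection can report "no response sent" even when stapling is configured
# correctly; check_ocsp_stapling therefore retries.

# ocsp_status_from_output: parse "openssl s_client -status" output on stdin and
# print exactly one word: stapled | revoked | stapled-bad | none | unknown
ocsp_status_from_output() {
  awk '
    # a response was stapled and the responder accepted the request
    /OCSP Response Status: successful/        { s = "stapled" }
    # a response was stapled but the responder reported an error (tryLater, unauthorized, ...)
    /OCSP Response Status:/ && !/successful/  { s = "stapled-bad" }
    # the stapled response says the certificate itself is revoked
    /Cert Status: revoked/                    { s = "revoked" }
    # the server sent no OCSP response at all
    /OCSP response: no response sent/         { s = "none" }
    END { if (s == "") s = "unknown"; print s }'
}

# check_ocsp_stapling HOST [PORT] [TRIES]: prints "HOST: STATUS"; exit 0 only
# when a good response is stapled. Assumes openssl is installed.
check_ocsp_stapling() {
  host="$1"; port="${2:-443}"; tries="${3:-3}"
  status=unknown; i=1
  while [ "$i" -le "$tries" ]; do
    # -servername sends SNI so the right vhost answers; no -tls1, so the
    # server's own ssl_protocols list decides the version.
    status=$(openssl s_client -connect "$host:$port" -servername "$host" -status \
               </dev/null 2>/dev/null | ocsp_status_from_output)
    [ "$status" = "none" ] || break
    i=$((i + 1)); sleep 1
  done
  echo "$host: $status"
  [ "$status" = "stapled" ]
}

# Usage: check_ocsp_stapling newdomain.com
```

A result of "none" after all retries usually means ssl_trusted_certificate does not let Nginx verify the response (check error.log), the resolver directive cannot reach the OCSP responder from the server, or stapling is simply still commented out in the vhost.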


Enabling HSTS for SSL

Note if you're using Cloudflare you do not need to configure HSTS from Nginx side, instead you can do that via Cloudflare dashboard's Crypto tab. See Understanding HSTS (HTTP Strict Transport Security)

The HTTP Strict Transport Security (HSTS) header is only for HTTPS sites: it tells browsers that have seen it to use only HTTPS for the site for a specific max-age time in seconds, so it complements the HTTP to HTTPS redirect above rather than replacing it. The HSTS header is disabled and commented out by default, as some people don't realise it breaks a site for HTTP traffic if they want to serve both HTTP and HTTPS versions.

if SSL certificate covers subdomains

  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

if SSL certificate DOES NOT cover subdomains

  #add_header Strict-Transport-Security "max-age=31536000;";

To enable HSTS header, uncomment and remove hash # in front of either above lines.

If only some of your sites use HSTS, make a copy of the staticfiles.conf include file and use that copy in the HSTS-enabled vhost's HTTP /usr/local/nginx/conf/conf.d/domain.com.conf and HTTPS /usr/local/nginx/conf/conf.d/domain.com.ssl.conf Nginx config includes, with the following change to the html location match. This is needed because add_header directives in a location block replace, rather than add to, those inherited from the server block, so the HSTS header set at server level would otherwise be missing from .html/.htm/.txt responses.

cp -a /usr/local/nginx/conf/staticfiles.conf  /usr/local/nginx/conf/staticfiles-hsts.conf

edit /usr/local/nginx/conf/staticfiles-hsts.conf copy and change html location match to

  location ~* \.(html|htm|txt)$ {
    if ($server_https = 'on') {
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    }
    #add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    access_log off;
    expires 30m;
    break;
  }

then for specific HSTS enabled vhost config files change include file to use the new copy commenting out the original


#include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/staticfiles-hsts.conf;

This should only be done on HSTS-enabled vhost sites. HSTS tells browsers to force HTTPS, so if your site isn't HTTPS enabled and you use it, you will get errors that your browser and your visitors' browsers cache for up to the max-age value, 31536000 seconds (one year) in the examples above.

restart nginx and php-fpm

nprestart


How to delete Nginx vhost account for existing domain/subdomain ?

When you create a domain via menu option #2 on centmin.sh you get:

  • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/existingdomain.com.conf
  • Nginx SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/existingdomain.com.ssl.conf if you used the new self-signed SSL vhost option
  • Domain top level directory at /home/nginx/domains/existingdomain.com/

If you do not have any data or have already backed up the data for the domain, deleting the domain vhost and directory is a manual process right now as I want end users to consciously make the decision to delete rather than offer a similar menu option (in case they delete the wrong domain or delete before they back up their data).

Domain deletion steps:

Each Nginx vhost created has a timestamped log entry saved in /root/centminlogs as nginx_addvhost.log, which lists the commands to fully remove the Nginx vhost you created. These commands are also output at the end of each Nginx vhost creation, so you can save them from there.

You can use this command to list all nginx_addvhost.log logs saved in the /root/centminlogs directory:

  find /root/centminlogs -type f -name "*nginx_addvhost*"

Step 1. Backup data first via SSH with these 2 commands, where you replace existingdomain.com with your existing domain name. If you have a subdomain, replace it with your subdomain.existingdomain.com instead.

  cp -a /usr/local/nginx/conf/conf.d/existingdomain.com.conf /usr/local/nginx/conf/conf.d/existingdomain.com.conf.bak

Ensure you have enough free disk space on /home partition to house your backup.

  cp -a /home/nginx/domains/existingdomain.com/ /home/nginx/domains/existingdomain.com.bak/

Step 2. Delete domain

via SSH with these commands

  rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.conf

  rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.ssl.conf

  rm -rf /home/nginx/domains/existingdomain.com/

Then backup your SSL certificates at /usr/local/nginx/conf/ssl/existingdomain.com and remove that directory.

  rm -rf /usr/local/nginx/conf/ssl/existingdomain.com

If you used Centmin Mod 131.00stable or higher's Nginx vhost add option, you would also have been given commands you can use to delete the site, in the Nginx vhost creation's removal log file saved to the /root/centminlogs log directory:

For Centmin Mod 131.00stable:

 
-------------------------------------------------------------
Commands to remove existingdomain.com

 pure-pw userdel gsfa
 rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.conf
 rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.ssl.conf
 rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.crt
 rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.key
 rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.csr
 rm -rf /usr/local/nginx/conf/ssl/existingdomain.com
 rm -rf /home/nginx/domains/existingdomain.com
 rm -rf /root/.acme.sh/existingdomain.com
 rm -rf /root/.acme.sh/existingdomain.com_ecc
 rm -rf /usr/local/nginx/conf/pre-staticfiles-local-existingdomain.com.conf
 service nginx restart
-------------------------------------------------------------

For latest beta 140.00beta01:

 
-------------------------------------------------------------
Commands to remove existingdomain.com

 pure-pw userdel gsfa
 rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.conf
 rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.ssl.conf
 rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.crt
 rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.key
 rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.csr
 rm -rf /usr/local/nginx/conf/ssl/existingdomain.com
 rm -rf /home/nginx/domains/existingdomain.com
 rm -rf /root/.acme.sh/existingdomain.com
 rm -rf /root/.acme.sh/existingdomain.com_ecc
 rm -rf /usr/local/nginx/conf/pre-staticfiles-local-existingdomain.com.conf
 service nginx restart
-------------------------------------------------------------

Step 3. Restart Nginx

  service nginx restart

or via command shortcut

  ngxrestart

Step 4. Removing backups

Once you are 100% sure the deleted domain is the one you wanted to delete, you can remove the backups too via SSH with these 2 commands.

  rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.conf.bak

  rm -rf /home/nginx/domains/existingdomain.com.bak/


How to setup domain / subdomain to use NSD DNS so I can host DNS on my own server instead of using my web host, registrar or DNS service provider's name servers ?

Note: If you chose to use DigitalOcean for your VPS, they also offer DNS management for your domain hosted with them. Update your domain registrar's records to point to the DigitalOcean name servers (ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com). Then you can manage DNS from their control panel.

Note: If you're looking for a reliable and free DNS provider, you can use Cloudflare DNS Only hosting

This is a 2 part process. If you want to use a 3rd party DNS name server provider such as your domain registrar or web host's own nameservers, then you only need to follow Part #1 outlined below. If you want to host your own DNS nameservers on the same server as your domain(s), then you will need to follow both Part #1 and Part #2 below.

Part #1: Involves creating or registering your own private name servers with your domain's registrar. Some tutorials from common domain name registrars are listed below:

Creating own domain name's private nameservers

Using 3rd party web host or domain registrar DNS name servers

Part #2: Properly setting up your domain's DNS settings within NSD DNS within Centmin Mod script:

You can do this via Centmin Mod menu option #3. Below are screenshot examples for setting up newdomain.com with newdomainipaddress = the domain's ip address you want to assign, newdomainns1address = the ns1 ip address and newdomainns2address = the ns2 ip address. By default, the script assumes you want to set up ns1.newdomain.com and ns2.newdomain.com with your own ip addresses on your servers.

You can see a full step by step example of setting up local NSD DNS nameservers for your added domains on the Centmin Mod Community forums.

Note: the ip addresses assigned to ns1/ns2 should usually not be used to host other domain names, so a minimum of 3 ip addresses must be allocated: 1 for domain names and 2 for ns1/ns2. Although you can make do with just 1 IP address for all of them.

Changing default ns1.newdomain.com and ns2.newdomain.com

You can of course change this later on to use your web host, registrar or DNS service provider's own name servers by editing the newdomain.com.zone file, which is created at /etc/nsd/master/newdomain.com.zone. But it isn't necessary to make any changes to the server's NSD config, because when you change your domain's name servers to your web host or domain registrar's own name servers (ns1/ns2), that bypasses anything set on the server within the NSD config file.

The creation script will output the path location where it will create the domain name's zone file.

--------------------------------------------------------
Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu                   
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
12). Zend OpCache Install/Re-install
13). Install ioping.sh vbtechsupport.com/1239/
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Re-install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + WP Super Cache
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 3
--------------------------------------------------------

---------------------------------------------

New to NSD DNS setup ? Be sure to read NSD setup guide:
http://lb1.centminmod.com/nginx_domain_dns_setup.html#dns

Enter domain name you want to add to NSD (without www. prefix): newdomain.com

Enter IP address you want to assign to domain name (your A record): newdomainipaddress
---------------------------------------------------------
You entered domain name: newdomain.com
You entered domain IP address (A record): newdomainipaddress
---------------------------------------------------------

Are the domain name and IP address (A record) entered correctly ? [y/n]: y

---------------------------
Nameserver ns1/ns2 setup:
---------------------------

Note #1:
nameserver ns1/ns2 IP addresses must already exist and be assigned to this
server by your web host. If unsure, ask your web host the exact IP addresses
assigned to your server.


Note #2:
For vanity or custom name servers using your own domain name, ensure you
have created them first with your domain registrar. You can see tutorial guides
for Namecheap and Godaddy domain registrars for creating domain names'
private name servers on web site Part #1 at 
http://lb1.centminmod.com/nginx_domain_dns_setup.html#dns


Want to abort NSD setup to check with web host and/or domain registrar first ? [y/n]: n
* Enter IP address for ns1 nameserver: newdomainns1address

* Enter IP address for ns2 nameserver: newdomainns2address
--------------------------------------------------------------
You entered ns1.newdomain.com IP address: newdomainns1address
You entered ns2.newdomain.com IP address: newdomainns2address
--------------------------------------------------------------

Are the ns1/ns2 name server IP address entered correct ? [y/n]: y

---------------------------------------------
checking to see if entry for newdomain.com already exists in /etc/nsd/nsd.conf
---------------------------------------------

---------------------------------------------
no entry for newdomain.com found in /etc/nsd/nsd.conf
creating entry for newdomain.com ...
---------------------------------------------

#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#

server:
        hide-version: yes

        # Maximum number of concurrent TCP connections per server.
        # This option should have a value below 1000.
        tcp-count: 10

        # Maximum number of queries served on a single TCP connection.
        # By default 0, which means no maximum.
        tcp-query-count: 0

        # Override the default (120 seconds) TCP timeout.
        tcp-timeout: 60

        # zonefile: to store pid for nsd in.
        pidfile: "/var/run/nsd/nsd.pid"

        # The directory for zonefile: files.
        zonesdir: "/etc/nsd"

zone:
        name: "demo.com"
        zonefile: "master/demo.com.zone"
zone:
        name: "newdomain.com"
        zonefile: "master/newdomain.com.zone"
---------------------------------------------
Stopping nsd: 
Starting nsd:

---------------------------------------------
Creating zone file at /etc/nsd/master/newdomain.com.zone
---------------------------------------------
$TTL 14400
@       IN      SOA     ns1.newdomain.com.      hostmaster.newdomain.com. (
                                                2010091500
                                                14400
                                                3600
                                                1209600
                                                86400 )

; Nameservers
newdomain.com.       14400   IN      NS      ns1.newdomain.com.
newdomain.com.       14400   IN      NS      ns2.newdomain.com.

; A Records
newdomain.com.       14400   IN      A       newdomainipaddress
ftp                     14400   IN      A       newdomainipaddress
localhost       14400   IN      A       127.0.0.1
mail            14400   IN      A       newdomainipaddress
ns1                     14400   IN      A       newdomainns1address
ns2                     14400   IN      A       newdomainns2address
pop                     14400   IN      A       newdomainipaddress
smtp            14400   IN      A       newdomainipaddress
www                     14400   IN      A       newdomainipaddress

; MX Record
newdomain.com.       14400   IN      MX      10 mail

; TXT Record (for SPF)
newdomain.com.       14400   IN      TXT     "v=spf1 a mx ip4:newdomainipaddress ~all"

---------------------------------------------
Current zone files listing at: /etc/nsd/master/
                       
Jun 28  10:29   883    demo.com.zone
Jun 29  14:20   1.3K   newdomain.com.zone
---------------------------------------------

---------------------------------------------
NSD entry for newdomain.com created successfully in /etc/nsd/nsd.conf
NSD zone created at /etc/nsd/master/newdomain.com.zone

---------------------------------------------
Remember to check your domain name's DNS is properly configured
at both your domain registrar & web server end (NSD) by running
domain name through these 3 dns test sites
* https://www.whatsmydns.net/
* http://www.intodns.com/
* http://dnscheck.pingdom.com/
---------------------------------------------

/etc/nsd/master/newdomain.com.zone contents

$TTL 14400
@       IN      SOA     ns1.newdomain.com.      hostmaster.newdomain.com. (
                                                2010091500
                                                14400
                                                3600
                                                1209600
                                                86400 )

; Nameservers
newdomain.com.       14400   IN      NS      ns1.newdomain.com.
newdomain.com.       14400   IN      NS      ns2.newdomain.com.

; A Records
newdomain.com.       14400   IN      A       newdomainipaddress
ftp                     14400   IN      A       newdomainipaddress
localhost       14400   IN      A       127.0.0.1
mail            14400   IN      A       newdomainipaddress
ns1                     14400   IN      A       newdomainns1address
ns2                     14400   IN      A       newdomainns2address
pop                     14400   IN      A       newdomainipaddress
smtp            14400   IN      A       newdomainipaddress
www                     14400   IN      A       newdomainipaddress

; MX Record
newdomain.com.       14400   IN      MX      10 mail

; TXT Record (for SPF)
newdomain.com.       14400   IN      TXT     "v=spf1 a mx ip4:newdomainipaddress ~all"
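As an added example (not Centmin Mod's code), a Python parser for the zone file format shown above, with the consistency checks that Note #1 implies: each in-zone NS name has a glue A record, the MX target has an A record, and the SPF ip4: entry matches the apex A record. The zone text is a constructed copy of the template with RFC 5737 documentation addresses standing in for the newdomainipaddress/newdomainns1address/newdomainns2address placeholders, and the SOA timers are condensed onto two lines.

```python
import re

ORIGIN = "newdomain.com."
# Constructed copy of the zone template above, RFC 5737 addresses replacing placeholders.
SAMPLE_ZONE = """$TTL 14400
@       IN      SOA     ns1.newdomain.com.      hostmaster.newdomain.com. (
                                                2010091500 14400 3600
                                                1209600 86400 )
; Nameservers and their glue
newdomain.com.       14400   IN      NS      ns1.newdomain.com.
newdomain.com.       14400   IN      NS      ns2.newdomain.com.
ns1                  14400   IN      A       203.0.113.11
ns2                  14400   IN      A       203.0.113.12
newdomain.com.       14400   IN      A       203.0.113.10
mail                 14400   IN      A       203.0.113.10
newdomain.com.       14400   IN      MX      10 mail
newdomain.com.       14400   IN      TXT     "v=spf1 a mx ip4:203.0.113.10 ~all"
"""

def fqdn(name, origin=ORIGIN):
    """Make an owner or target name absolute ('@' is the zone apex)."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Return (owner, type, rdata) tuples; a parenthesised SOA becomes one record."""
    records, in_parens = [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # zone comments start with ';'
        if in_parens:                         # still inside the SOA ( ... )
            in_parens = ")" not in line
            continue
        if not line or line.startswith("$"):  # blank lines and $TTL directives
            continue
        toks, i = line.split(), 1
        while toks[i].isdigit() or toks[i] == "IN":   # skip optional TTL / class
            i += 1
        rtype, rdata = toks[i], " ".join(toks[i + 1:])
        in_parens = "(" in rdata and ")" not in rdata
        records.append((fqdn(toks[0], origin), rtype, rdata))
    return records

def check_zone(records, origin=ORIGIN):
    """Glue for in-zone NS names, an A behind the MX target, SPF ip4: equal to apex A."""
    a_records = {owner: rdata for owner, rtype, rdata in records if rtype == "A"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype == "NS" and rdata.endswith(origin) and rdata not in a_records:
            problems.append(f"NS {rdata} has no in-zone A (glue) record")
        elif rtype == "MX" and fqdn(rdata.split()[1], origin) not in a_records:
            problems.append(f"MX target {rdata.split()[1]} has no A record")
        elif rtype == "TXT" and rdata.startswith('"v=spf1'):
            if a_records.get(origin) not in re.findall(r"ip4:(\S+)", rdata):
                problems.append("SPF ip4: does not list the apex A address")
    return problems
```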

To restart the NSD DNS server after saving changes to your NSD DNS zone file, type one of these 2 commands in SSH:

/etc/init.d/nsd restart

or

service nsd restart

Remember to check your domain name's DNS is properly configured at both your domain registrar and web server end (NSD) by running the domain name through these 3 DNS test sites