OpenSUSE 42.3/Web server

Configuring the web server (optional)

The following configuration steps are only necessary if you want to run a regular web server in addition to OpenSim on your system. Compared with the widespread Apache, the solution described here consumes far fewer resources. After all, our primary goal is to run an efficient OpenSim system.

At "Hyperweb.eu" we run a web server for the home page and to let LSL scripts communicate with the outside world. PHP scripts are used for the latter. (Static web pages coded only in HTML and JavaScript do not need PHP.)

Precondition

Nginx is already installed, see package selection. If you plan to integrate PHP scripts in your web pages, you also need to install php7-fpm. The configuration has to be run as user "root".

Basic configuration

Open the nginx configuration file and adjust the settings:

vi /etc/nginx/nginx.conf

[...]
user nginx;
[...]
worker_processes 4;
[...]
keepalive_timeout 2;
[...]
server {
  listen 80 default_server;
  # activate next line for IPv6 support
  ###listen [::]:80 default_server ipv6only=on;

  # directory root of websites
  root /srv/www/htdocs;
  index index.php index.html index.htm index.xhtml;

  # make site accessible from all local domains
  server_name _;

  location / {
    if (!-e $request_filename) {
      # activate next line for feature "url mod-rewrite"
      ###rewrite ^/([^?]*)(?:\?(.*))? /index.php?title=$1&$2 last;
      # activate next line for normal mode without mod-rewrite
      return 404;
    }
    if ($uri ~* "\.(ico|css|js|gif|jpe?g|png|woff|svg|eot|ttf)(\?[0-9]+)?$") {
      expires max;
      break;
    }
  }

#  # pass the PHP scripts to FastCGI server
#  location ~ \.php$ {
#    if (!-e $request_filename) {
#      return 404;
#    }
#    #internal communication with php7-fpm over IP
#    fastcgi_pass 127.0.0.1:1234;
#    fastcgi_index index.php;
#    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#    include fastcgi_params;
#  }

  # deny access to .htaccess files, if Apache's document root concurs with nginx's one
  location ~ /\.ht {
    deny  all;
  }
}
[...]

Annotations:

For worker_processes the value "4" is recommended, for keepalive_timeout the value "2". It is advisable to replace the whole existing "server {...}" block with the example shown here.

The web server listens on port 80 because that is where web browsers connect by default. Optionally, you can activate IPv6 access by uncommenting the second "listen..." line, but only if your server has an additional IPv6 address. The settings following server_name _; apply to all domains on this server. The directory root /srv/www/htdocs; points to the directory we created for the web pages, with a symbolic link (explained below). index contains a list of names for start pages in the given order.

You may uncomment the line with "rewrite..." if you need the so-called mod rewrite feature, for example to create short URLs in dynamic web pages. Otherwise activate the other line with "return 404" (default here) to show an error page. The PHP block is commented out here; if PHP is needed, see the next section below. The final block denies all requests for Apache's ".ht" files (such as .htaccess), which nginx does not interpret and would otherwise serve like any other file. It only matters if such files exist in the document root, thus it could also be commented out in our case.

Register the service and run it for the first time

systemctl enable nginx.service
systemctl start nginx.service

Tests:
systemctl status nginx.service has to show "running" in green (among other things). A request to the domain of your server using your browser should produce an error page "403 Forbidden" and below that the text "nginx/1.13.1" (or whichever version is actually installed).

Simplifying maintenance

For convenience, web pages should be uploaded by a user with limited privileges who is allowed to log in remotely (see hardening SSH). For this purpose we set up a link for the home page in that user's login directory.

cd /home/exampleuser      # change to the user's login directory
mkdir htdocs              # create a new subdirectory for the web pages
chown exampleuser htdocs  # assign to owner exampleuser
chgrp users htdocs        # assign to group users

Now we create a symbolic link to the new directory so that we do not have to adjust the paths in every configuration file.

cd /srv/www
rm -rf htdocs                          # delete the whole web directory with all files and subdirectories
ln -s /home/exampleuser/htdocs htdocs  # create symbolic link

Test:
Log in to the server as exampleuser. Upload an HTML file named index.htm or index.html to the directory htdocs. Example:

<html>
  <body>
    My first web page! :-)
  </body>
</html>

A request to the domain of your server has to show the content of the HTML file.

Hint: If you only want to display static HTML pages with JavaScript (without PHP scripts), your configuration work is done now!

Configuring PHP (optional)

The following configuration steps are only necessary if you want to run server side scripts in PHP in your web pages. Static HTML pages or those containing JavaScript (which run in the client’s browser) do not need PHP.

Configuring php-fpm

Copy and thus activate the example configuration files:
cp /etc/php7/fpm/php-fpm.conf.default /etc/php7/fpm/php-fpm.conf
cp /etc/php7/fpm/php-fpm.d/www.conf.default /etc/php7/fpm/php-fpm.d/www.conf

Adjust the permissions of the PHP session directory (drwx-wx-wt):
chmod 1733 /var/lib/php7

Open the PHP configuration file and change four settings as shown below:
vi /etc/php7/fpm/php-fpm.d/www.conf

 [...]
 pm.max_children = 10
 [...]
 pm.start_servers = 5
 [...]
 pm.min_spare_servers = 5
 [...]
 pm.max_spare_servers = 10
 [...]

Register the service and run it for the first time

systemctl enable php-fpm.service
systemctl start php-fpm.service

Tests:
systemctl status php-fpm.service has to show "running" in green (among other things).
netstat -tapn shows a list of active Internet connections. nginx has to listen on port 80 and php-fpm on port 9000.

Caution! OpenSim must not be running during these tests because OpenSim also uses port 9000 (at least when you follow this tutorial). Whichever is running first, wins. The other one crashes.

Reconfigure communication to a free port

After the first test, reopen the PHP configuration file. From now on the PHP service shall use a free TCP port.
vi /etc/php7/fpm/php-fpm.d/www.conf

 [...]
 listen = 127.0.0.1:1234
 [...]

Annotation: The example uses port 1234, which we assume to be free. Because the address is 127.0.0.1, php-fpm accepts connections only from the local machine. The port should not be opened in the firewall, as the data is transferred only between two programs inside the same machine.
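The following check is an added example, not part of the original tutorial: it reads a php-fpm pool file and reports whether the listen setting stays on the local machine and avoids port 9000, which OpenSim uses in this tutorial. The function name check_fpm_listen and its verdict words are hypothetical, and the sample pool file is constructed.

```shell
#!/bin/sh
# Added example: classify the "listen" directive of a php-fpm pool file.
# check_fpm_listen and its verdict words are hypothetical names.
# Prints one verdict and returns 0 only when the listener is local-only
# and does not collide with port 9000 (used by OpenSim in this tutorial).
check_fpm_listen() {
  conf=$1
  # Pick the active "listen = ..." line. Lines starting with ';' are
  # comments, and keys such as listen.owner must not match. If the key
  # appears more than once, the last one is taken (an assumption here).
  value=$(sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([^;#[:space:]]*\).*$/\1/p' \
            "$conf" | tail -n 1)
  case $value in
    '')                    echo missing;     return 2 ;;
    /*)                    echo unix-socket; return 0 ;;  # no TCP port at all
    127.0.0.1:*|'[::1]':*) port=${value##*:} ;;           # loopback only
    # Any other IP address, or a bare port number, which makes php-fpm
    # listen on all addresses of the machine.
    *)                     echo exposed;     return 1 ;;
  esac
  if [ "$port" = 9000 ]; then
    echo conflict-9000
    return 3
  fi
  echo loopback
  return 0
}

# Constructed sample pool file, modelled on the settings shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[www]
;listen = 9000
 listen = 127.0.0.1:1234
listen.owner = nobody
pm.max_children = 10
EOF
check_fpm_listen "$sample"
rm -f "$sample"
```

On the server, run check_fpm_listen /etc/php7/fpm/php-fpm.d/www.conf after editing the listen line.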

Binding nginx to php-fpm

Open the nginx configuration file and uncomment the region shown below. In the example of the previous section above this region was commented out completely:

vi /etc/nginx/nginx.conf

  # pass the PHP scripts to FastCGI server
  location ~ \.php$ {
    if (!-e $request_filename) {
      return 404;
    }
    # internal communication with php7-fpm over IP
    fastcgi_pass 127.0.0.1:1234;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }

Annotations:

The block following location ~ \.php$ is only used if the requested path ends in lowercase ".php". fastcgi_pass 127.0.0.1:1234; is the connection to php7-fpm. If a path without a file name is requested, index.php is searched for. fastcgi_param SCRIPT_FILENAME is followed by variables which, put together, result in the absolute path to the requested web page. Finally, another config file is included, which is not explained further in this tutorial.

Restart the services to activate the changes

systemctl restart php-fpm.service
systemctl restart nginx.service

Tests:
systemctl status php-fpm.service has to show "running" in green (among other things).
systemctl status nginx.service has to show "running" in green (among other things).
Upload the following PHP script with the name info.php to the htdocs directory and call it from your browser:

 <?php
 phpinfo();
 ?>

If your browser shows a table with all the PHP configuration parameters, the configuration finished successfully. Delete info.php afterwards, since its output discloses the server's configuration to anyone who requests it.


Have fun scripting!


