CentOS 7 – Installing NGINX + Phusion Passenger

Update: Please read the instructions provided by the Phusion Passenger developers for a detailed and updated how-to.

Today I’m sharing how I installed NGINX and Phusion Passenger in my CentOS 7 lab using the RPM packages kindly provided by Ulyaoth. Phusion Passenger offers an installer (passenger-install-nginx-module) that helps you install NGINX and Passenger easily and in five minutes, but Ulyaoth’s sbagmeijer does impressive work packaging so many useful tools and servers, and it’s always a good idea to use RPMs.

We’ll start by configuring the EPEL and Ulyaoth repositories:

cat <<EOT > /etc/yum.repos.d/uylaoth.repo
[ulyaoth]
name=Ulyaoth Repository
baseurl=https://repos.ulyaoth.net/CentOS/\$releasever/\$basearch/
enabled=1
gpgcheck=1
gpgkey=https://raw.githubusercontent.com/sbagmeijer/ulyaoth/master/Repository/ulyaoth/SOURCES/RPM-GPG-KEY-ulyaoth
EOT

yum install -y epel-release

Now we’ll install the nginx-passenger package from the Ulyaoth repository:

yum install -y ulyaoth-nginx-passenger5

We’ll set the server name in the /etc/nginx/conf.d/default.conf file:

server_name tornasol.artemit.local;

We’ll change the following line in the /etc/nginx/conf.d/passenger.conf file:

passenger_instance_registry_dir /var/run/passenger;

We’ll add the following line to the /root/.bash_profile file to set a new environment variable needed by passenger-status (remember to open a new session to load the new variable :-D):

echo 'export PASSENGER_INSTANCE_REGISTRY_DIR=/var/run/passenger' >> /root/.bash_profile

We’ll create the /var/run/passenger directory and set permissions and ownership:

mkdir /var/run/passenger
chmod -R 755 /var/run/passenger
chown -R nginx:nginx /var/run/passenger

We’ll add the following config file so that the /var/run/passenger temporary directory is created after a system restart:

cat <<EOT > /etc/tmpfiles.d/passenger.conf
d /var/run/passenger 0755 nginx nginx
EOT

We should add a firewall rule allowing HTTP traffic:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="80" protocol="tcp" accept'

firewall-cmd --reload

We should enable the service to start at boot time:

systemctl enable nginx.service

Finally we’ll start the service and check that it’s running (we’ll see nginx and Passenger binaries):

systemctl start nginx.service
systemctl status nginx.service

[...]
nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled)
Active: active (running) since vie 2015-04-03 12:41:52 CEST; 8s ago
...
CGroup: /system.slice/nginx.service
├─20924 PassengerAgent watchdog
├─20927 PassengerAgent server
├─20932 PassengerAgent logger
├─20942 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
└─20944 nginx: worker process
[...]

And don’t forget to test your NGINX server, which listens on port 80 by default.

Of course, if you’re using SELinux, you may run the following commands.

yum install -y policycoreutils-python

We’ll change the context for the root html directory (we set read and write permissions; you can set read-only permissions by using httpd_sys_content_t instead):

semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html(/.*)?"
restorecon -Rv /usr/share/nginx/html

We’ll change the context for the passenger log directory:

semanage fcontext -a -t httpd_log_t "/var/log/passenger(/.*)?"
restorecon -Rv /var/log/passenger

We’ll change the context for the PassengerAgent binary:

semanage fcontext -a -t httpd_exec_t "/etc/nginx/modules/passenger/buildout/support-binaries/PassengerAgent"
restorecon -v /etc/nginx/modules/passenger/buildout/support-binaries/PassengerAgent

We’ll change the context for Passenger’s native support:

semanage fcontext -a -t httpd_exec_t /etc/nginx/modules/passenger/buildout/ruby/ruby-2.0.0-x86_64-linux/passenger_native_support.so
restorecon -v /etc/nginx/modules/passenger/buildout/ruby/ruby-2.0.0-x86_64-linux/passenger_native_support.so

We’ll change the context for passenger-status and passenger-memory-stats:

semanage fcontext -a -t bin_t "/etc/nginx/modules/passenger/bin/passenger-memory-stats"
semanage fcontext -a -t bin_t "/etc/nginx/modules/passenger/bin/passenger-status"
restorecon -v /etc/nginx/modules/passenger/bin/passenger-memory-stats
restorecon -v /etc/nginx/modules/passenger/bin/passenger-status

We’ll set the following SELinux boolean variables:

setsebool -P httpd_run_stickshift 1
setsebool -P httpd_setrlimit 1
setsebool -P httpd_tmp_exec 1

We’ll add an SELinux policy so PassengerAgent runs fine:

yum install -y policycoreutils-devel

mkdir /root/policy
cd /root/policy

cat <<EOT > /root/policy/passengeragent.te
policy_module(passengeragent, 1.0)
gen_require(\`
type httpd_t;
type httpd_tmp_t;
type httpd_var_run_t;
type kernel_t;
class capability2 block_suspend;
class capability sys_ptrace;')

allow httpd_t self:capability2 block_suspend;
allow httpd_t self:capability sys_ptrace;
allow httpd_t httpd_tmp_t:file execute;
allow httpd_t httpd_var_run_t:file execute;
EOT

make -f /usr/share/selinux/devel/Makefile passengeragent.pp

semodule -i passengeragent.pp
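
A way to check the module above against what the host actually logs, as an added example (not part of the original post): it converts AVC denials for httpd_t into allow rules and lists any rule from passengeragent.te that no denial accounts for. The audit lines and the function names are constructed for illustration; on a real system the input would be the output of ausearch -m avc.

```shell
# Added example: derive allow rules from AVC denials and compare with passengeragent.te.

# Constructed audit.log lines; PIDs, inode numbers and paths are made up.
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1428057712.101:301): avc:  denied  { block_suspend } for  pid=20927 comm="PassengerAgent" capability=36  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1428057712.102:302): avc:  denied  { sys_ptrace } for  pid=20927 comm="PassengerAgent" capability=19  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1428057712.103:303): avc:  denied  { execute } for  pid=20932 comm="PassengerAgent" path="/tmp/example" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1428057712.104:304): avc:  denied  { read } for  pid=999 comm="example" name="x" dev="dm-0" ino=1002 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# The four allow rules from the passengeragent.te module on this page.
page_rules() {
cat <<'EOF'
allow httpd_t self:capability2 block_suspend;
allow httpd_t self:capability sys_ptrace;
allow httpd_t httpd_tmp_t:file execute;
allow httpd_t httpd_var_run_t:file execute;
EOF
}

# stdin: audit records; $1: source domain. Prints one allow rule per denial.
avc_to_allow() {
  awk -v domain="$1" '/avc: +denied/ {
    src = tgt = cls = perms = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") { for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms " " $j }
      else if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
      else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
    }
    if (src != domain) next
    if (tgt == src) tgt = "self"   # same type on both sides is written as self
    n = split(perms, p, " ")
    for (k = 1; k <= n; k++) print "allow " src " " tgt ":" cls " " p[k] ";"
  }' | sort -u
}

# stdin: allow rules; $1: audit log text. Prints rules no denial accounts for.
unbacked_rules() {
  observed=$(printf '%s\n' "$1" | avc_to_allow httpd_t)
  while IFS= read -r rule; do
    printf '%s\n' "$observed" | grep -Fqx -- "$rule" || printf '%s\n' "$rule"
  done
}

page_rules | unbacked_rules "$(sample_avc_log)"
```

With the constructed log, the only rule reported is the execute permission on httpd_var_run_t; a rule that shows up here on your own host is a candidate to leave out of the module.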

And that’s all. I hope this post helps you, and I look forward to your feedback about errors and suggestions.

Thanks for reading!


2 thoughts on “CentOS 7 – Installing NGINX + Phusion Passenger”

  1. Anonymous says:

    Change:

    cat < /root/policy/passengeragent.tepolicy_module(passengeragent, 1.0)
    to
    cat < /root/policy/passengeragent.te
    policy_module(passengeragent, 1.0)
