Howto configure Nginx, PHP, Python, uWSGI, Let’s encrypt SSL, HTTP/2 on CentOS 7

Hi out there,
for many years until now, I have been using in Django projects a proven combination Apache and Mod_wsgi and I was fully satisfied. I had no reason to change anything  but the circumstances of the new project forced me to use Nginx . I heard some good things about Nginx, how it is easy to configure, how it is faster than Apache or how I can run Nginx with uWSGI to preform Python scripts.  As a bonus, we are going to add a support for PHP with Php-fpm helper.

Everyone has the right! Nginx is a great and a better choice for a powerful well-configured web server than a good old Apache.  Let’s go to look at things closer.

In this tutorial, I am going to outline how to install and setup a latest version Nginx on CentOS 7 including support Php-fpm 7.x, uWSGI and Let’s encrypt – free SSL/TLS certificates suitable for HTTPS support.



You need to have installed a functional CentOS 7 box and an access to the root account. The working Internet connection is a matter of course.


Step 1 – prepare CentOS, install necessary repos including support for PHP 7.4

First at all, we need to add repos and install current Nginx, uWSGI and PHP packages.

# add needed a repo Epel because of other dependencies
yum -y install epel-release

# remove Nginx shipped with CentOS7 if was installed
yum -y remove nginx
# add oficial Nginx repo
rpm -Uvh

# install latest Nginx, Let's encrypt, uWSGI and other necessary packages
yum -y install nginx uwsgi uwsgi-devel uwsgi-plugin-common uuid-devel libcap-devel letsencrypt

# install a repo Remi because of PHP packages
rpm -Uvh

# install PHP core packages 
yum -y --enablerepo=remi,remi-php74 install php-fpm php-common

# install popular PHP extension package that are suitable for running e.g. an instance of WordPress website
yum -y --enablerepo=remi,remi-php74 install php-opcache php-pecl-apcu php-cli php-pear php-pdo php-mysqlnd php-pgsql php-pecl-mongodb \
php-pecl-memcache php-pecl-memcached php-gd php-mbstring php-mcrypt php-xml php-zip php-php-pecl-geoip

We are going to prepare folders for additional Nginx config files and Let’s encrypt web directory shared by all virtual hosts that is used like a webroot for SSL certificate  confirmation.

# run these bash commands for creating necessary directories and proper permission settings

mkdir /etc/nginx/domains /etc/nginx/snippets;
chown -R nginx.nginx /etc/nginx /etc/uwsgi.d /etc/uwsgi.ini;
mkdir -p /var/www/letsencrypt/.well-known/acme-challenge;
chown -R nginx.nginx /var/www/letsencrypt;
chmod -R 770 /var/www/letsencrypt/;
mkdir /var/uwsgi;
chown nginx.nginx /var/uwsgi;
chmod 770 /var/uwsgi;
chown -R root.nginx /var/lib/php;
chown -R nginx:nginx /var/lib/php/session;

Step 2 – create configs for PHP packages,  HTTPS support and HTTP compression.

We are going to modify the main PHP.ini config using a bunch of  SED commands in order to set optimal values for important variables.

# run bash commands to set optimal values in /etc/php.ini

# cgi.fix_pathinfo = 0
# mail.add_x_header = On
# max_execution_time = 90
# max_input_time = 90
# memory_limit = 256M
# post_max_size = 128M
# upload_max_filesize = 128M
# display_errors = On
# log_errors = Off
# error_reporting = E_ALL & ~E_NOTICE
# date.timezone = "Europe/Prague"
# short_open_tag = On

sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo = 0/g' /etc/php.ini;
sed -i 's/mail.add_x_header = Off/mail.add_x_header = On/g' /etc/php.ini;
sed -i 's/max_execution_time = 30/max_execution_time = 90/g' /etc/php.ini;
sed -i 's/max_input_time = 60/max_input_time = 90/g' /etc/php.ini;
sed -i 's/memory_limit = 128M/memory_limit = 256M/g' /etc/php.ini;
sed -i 's/post_max_size = 8M/post_max_size = 128M/g' /etc/php.ini;
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 128M/g' /etc/php.ini;
sed -i 's/display_errors = Off/display_errors = On/g' /etc/php.ini;
sed -i 's/log_errors = On/log_errors = Off/g' /etc/php.ini;
sed -i 's/error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT/error_reporting = E_ALL & ~E_NOTICE/g' /etc/php.ini;
sed -i 's,;date.timezone =,date.timezone = "Europe/Prague",g' /etc/php.ini;
sed -i 's/short_open_tag = Off/short_open_tag = On/g' /etc/php.ini;

We are going to create a config snippet for php.conf for handling with *.php extension.

# the whole content of /etc/nginx/snippets/php.conf

location ~ \.php$
include fastcgi_params;
try_files $uri =404;
fastcgi_pass unix:///var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;

We are going to create a config snippet ssl.conf for HTTPS support. Later you can check a quality of  SSL certificate on the page .

# the whole content of /etc/nginx/snippets/ssl.conf 

ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:HIGH:!aNULL:!MD5;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
resolver valid=864000;
resolver_timeout 10s;

ssl_stapling on;
ssl_stapling_verify on;

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

We are going to create a config snippet letsencrypt.conf for verifying Let’s encrypt SSL certificate.

# the whole content of /etc/nginx/snippets/letsencrypt.conf

location /.well-known/acme-challenge/
default_type "text/plain";
root /var/www/letsencrypt;
allow all;

We are going to create a config snippet compress.conf for the support of HTTP compression.

# the whole content of /etc/nginx/compress.conf

gzip on;
gzip_vary on;
gzip_comp_level 3; # value 3 is good compromise between saved bandwidth and CPU load 
gzip_min_length 1024; # do not compress anything smaller than 1Kb
gzip_buffers 4 32k;
gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml application/xml+rss;


Step 3 – compile uWSGI Python 3.8 plugin

We want to serve Python files using uWSGI application server and therefore we need to compile the appropriate uwsgi-python plugin. We are going to prepare plugin for python 3.8.  Python 3.8 is needed to compile into the folder /opt/python38 because Python 2.7 is shipped with CentOS 7.

Howto compile and install the latest Python 3.8 check out my another post.

For a compilation of I used an ugly hack with symlinks because there is no option for a setting of path to Python 3.8. (e.g. /opt/python38/bin/python3.8). Does anyone know?

# Python 3.8 has to be presented in the directory /opt/python38 and we are going to create uWSGI plugin
cd /tmp

# first at all we are going to make the ugly hack. We set temporary python 3.8 as a general Python interpret of CentOS 7.
rm -f /usr/bin/python; ln -s  /opt/python38/bin/python3 /usr/bin/python

PYTHON=python3.8; /usr/sbin/uwsgi  --build-plugin "/usr/src/uwsgi/ python38" 
chmod 644 ./ ; mv -f ./  /usr/lib64/uwsgi/

# we are going to get back shipped Python 2.7
rm -f /usr/bin/python; ln -s  /usr/bin/python2  /usr/bin/python

# test a Python version within an ugwsi plugin file
strings  /usr/lib64/uwsgi/|grep '3.8'


Step 4 – create the main config file of Nginx and an example virtual host

We are going to create the main config file of Nginx with settings for an optimal performance.

# the whole content of /etc/nginx/nginx.conf

user  nginx nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/;

events {
    worker_connections  1024;
    multi_accept on;

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    index index.php index.html index.htm;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request"'
                      '$status $body_bytes_sent "$http_referer"'
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 70;
    types_hash_max_size 2048;
    client_max_body_size 128M;
    autoindex off;

    include /etc/nginx/conf.d/*.conf;    
    include /etc/nginx/domains/*.conf;

    open_file_cache max=1000 inactive=60s;
    open_file_cache_valid 120s;
    open_file_cache_min_uses 3;
    open_file_cache_errors off;

Here is an example of my virtual host for domain with enabling HTTP/ 2, SSL and SEO friendly redirection from HTTP to HTTPS.
My website is powered by Django and therefore it has to be configurated uWSGI gateway for location “/”.
All my virtual hosts are placed in folder “/home/webhosting”, etc for is root “/home/webhosting/”.

You can disable  support of PHP by commenting/deleting line with #include /etc/nginx/php.conf

# the whole content of /etc/nginx/domains/    
server {
    listen 80;
    listen [::]:80;

    include /etc/nginx/snippets/letsencrypt.conf;
    location / {
        return 301$request_uri;

server {
    listen              443 ssl http2;
    listen              [::]:443 ssl http2;
    root /home/webhosting/;
    index index.php index.html index.htm;

    include /etc/nginx/php.conf

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    ssl_trusted_certificate /etc/letsencrypt/live/;
    include /etc/nginx/snippets/ssl.conf;
    include /etc/nginx/compress.conf;
    client_max_body_size 128M;
    keepalive_timeout   70;
    charset     utf-8;
    access_log   /home/webhosting/;
    error_log    /home/webhosting/;

    location / {
        include    uwsgi_params;
        uwsgi_read_timeout          5m;
        uwsgi_send_timeout          5m;
        send_timeout                5m;
        uwsgi_pass unix:///var/uwsgi/;
        # uwsgi_pass server;
    location = /favicon.ico { 
        # alias  /home/webhosting/;
        access_log off;
        log_not_found off; 
    location  /robots.txt {
        # alias  /home/webhosting/;
        access_log off;
        log_not_found off;
        allow all;  
    location /static {
        alias    /home/webhosting/;

    location /media {
        alias    /home/webhosting/;
    location ~ ^/(static|media)/ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    location ~* .(gif|jpg|jpeg|png|ico|wmv|3gp|avi|mpg|mpeg|mp4|flv|mp3|mid|js|css|wml|swf)$ {
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        log_not_found off; 

    location ~ /\.(?!well-known\/) {
        deny all;

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    ssl_trusted_certificate /etc/letsencrypt/live/;
    include /etc/nginx/snippets/ssl.conf;

    location / {
        return 301$request_uri;


Step 5 – setup uWSGI gateway

We are going to modify the main config file uwsgi.ini of uWSGI application server and enable emperor mode.

# the whole content of /etc/uwsgi.ini
uid = uwsgi
gid = uwsgi
emperor = /etc/uwsgi.d
pidfile = /tmp/
stats = /tmp/uwsgi_emperor_stats.sock
emperor-tyrant = true
cap = setgid,setuid
master = true
chmod-socket = 666
logto = /var/log/uwsgi_emperor.log

Here is an example uWSGI configuration for a virtual host

# the whole content of /etc/uwsgi.d/

project = mydjango
domain =
base_dir = /home/webhosting/
wsgi_file =

plugins = python38 # we use uwsgi plugin
uid = nginx
gid = nginx
disable-logging = false
umask = 002

processes = 4 # set 2 times number of CPU cores (in my case I have a dual-core processor)
threads = 2 # run each worker in threaded mode with the specified number of threads, also enable GIT threads in the Python module
limit-as = 512 # set the memory limit for a project  to 512 MB
limit-nproc = 128 # limit number of processes

touch-reload = %(base_dir)/%(project)/%(wsgi_file) # for developers - reload when the file changed (you can use bash command touch) 
chdir = %(base_dir)
virtualenv = %(base_dir)/env
wsgi-file = %(base_dir)/%(project)/%(wsgi_file)

socket = /var/uwsgi/uwsgi_%(domain).sock
# socket =

pidfile = /tmp/uwsgi_%(domain).pid
daemonize = %(base_dir)/logs/uwsgi.log
procname-prefix = %(domain)_

catch-exceptions = false # report exception as Http output
disable-logging = true # disable request logging
log-x-forwarded-for = true # use the IP from X-Forwarded-For header instead of REMOTE_ADDR
log-date = true
log-slow = 5000 # log requests slower than the specified number of milliseconds
log-big = 10 # log requestes bigger than the specified size, e.g. 10MB
log-5xx = true
log-4xx = true
memory-report = false

chmod-socket = 666
vacuum = true
master = true
thunder-lock = true
no-orphans = true
harakiri = 120 # respawn processes taking more than 120 seconds
harakiri-verbose = false
post-buffering = 8192  # up to 65535
max-requests = 5000 # respawn processes after serving 5000 requests
env = LANG=en_US.UTF-8  # set because of uploading files with file names that contain non-ASCII characters

Step 6 – do some cleanup

We are going to do some cleanup and set up autostart for Nginx, uWSGI and Php-fpm.

mkdir /var/uwsgi;
chown nginx.nginx /var/uwsgi;
chmod 770 /var/uwsgi;
chown -R root.nginx /var/lib/php;
chown -R nginx:nginx /var/lib/php/session;

chown -R nginx.nginx /etc/nginx /etc/uwsgi.d /etc/uwsgi.ini;

chown -R nginx:nginx /home/webhosting;

find /home/webhosting/ -type d  -print0 | xargs -0 chmod 0770;  # for directories
find /home/webhosting/ -type f  -print0 | xargs -0 chmod 0660;  # for files

systemctl enable nginx.service; systemctl restart nginx.service; # autostart enable
systemctl enable uwsgi.service; systemctl restart uwsgi.service; # autostart enable
systemctl enable php-fpm.service; systemctl restart php-fpm.service; # autostart enable


Step 7 – create SSL certificate for our virtual host

There are examples (either for webroot or standalone plugin) of creating SSL certificate with Let’s encrypt for a domain Choose one of them.

# a webroot plugin mode
/usr/bin/certbot certonly --webroot --non-interactive --rsa-key-size 4096 --agree-tos --no-eff-email --email -w /var/www/letsencrypt -d,

# a standalone plugin mode over http port 80, the webserver cannot run on port 80 at the same time 
/usr/bin/certbot certonly --standalone --non-interactive --rsa-key-size 4096 --agree-tos --no-eff-email --email -d,

There are two ways of cron records for a renew of SSL certificates, for either webroot or standalone plugin mode.
Choose the right one according to your case.

# for webroot plugin mode
1 22 * * * certbot renew --quiet && nginx -t && systemctl reload nginx

# for standalone plugin mode
# 1 22 * * * systemctl stop nginx; certbot renew --quiet; systemctl start nginx



And that is all.

I hope this guide will help you and if you have some tips for improvements or found a mistake, let me know.