DNS & Domain Setup

Configure DNS records and set up domains with Nginx virtual hosts in Centmin Mod.

Related Pages

See also: Nginx Web Server, Nginx Configuration Listings, and Let's Encrypt Free SSL for complete SSL documentation.

1 Adding a New Nginx vHost

You will need to enable Centmin Mod's free SSL certificates support via its Let's Encrypt integration. If you use Cloudflare in front of your domains, use the recommended Cloudflare DNS API domain validation method instead of the default webroot validation.

Centmin Mod provides two methods for creating Nginx site domain vhost accounts:

  1. The /usr/bin/nv SSH command line method (recommended)
  2. Traditional Centmin Mod menu option #2

Method 1: Using the nv Command

The /usr/bin/nv command allows unattended or scripted creation of new Nginx vhost accounts. To create a vhost for newdomain.com with self-signed SSL and a Pure-FTPD virtual FTP user:

/usr/bin/nv -d newdomain.com -s y -u MYFTPUSERNAME

Method 2: Using Menu Option #2

Run the centmin.sh script and select option 2. You will be prompted for the domain name, SSL certificate option, and FTP username. The script will auto-generate the vhost configuration files, SSL certificates, and FTP credentials.

Enter vhost domain name to add (without www. prefix): newdomain.com

Create a self-signed SSL certificate Nginx vhost? [y/n]: y

Create FTP username for vhost domain (enter username): MYFTPUSERNAME
Auto generate FTP password (recommended) [y/n]: y

2 Document Root Structure

When a new vhost is created, Centmin Mod sets up the following directory and file structure:

Path                                                   Purpose
/home/nginx/domains/newdomain.com/public               Public web root (upload files here)
/home/nginx/domains/newdomain.com/log                  Vhost log files directory
/usr/local/nginx/conf/conf.d/newdomain.com.conf        HTTP vhost config
/usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf    HTTPS/SSL vhost config
/usr/local/nginx/conf/ssl/newdomain.com/               Self-signed SSL certificate directory

For the full guide of Nginx vhost directory structure, see the Centmin Mod configuration files page.

3 vHost Configuration Files

The HTTP vhost config file at /usr/local/nginx/conf/conf.d/newdomain.com.conf contains the basic server block:

server {
  server_name newdomain.com www.newdomain.com;

  access_log /home/nginx/domains/newdomain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/newdomain.com/log/error.log;

  root /home/nginx/domains/newdomain.com/public;

  location / {
    # try_files $uri $uri/ /index.php;
  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

The HTTPS/SSL vhost config at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf adds SSL directives:

server {
  listen 443 ssl http2;
  server_name newdomain.com www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  ssl_prefer_server_ciphers on;
  ssl_buffer_size 1369;
  ssl_session_tickets on;

  access_log /home/nginx/domains/newdomain.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/newdomain.com/log/error.log;

  root /home/nginx/domains/newdomain.com/public;

  location / {
    # try_files $uri $uri/ /index.php;
  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

Enabling Optional Features

To enable auto index (directory listing when no index file exists), uncomment the autoindex on; directive. To enable server side includes, uncomment ssi on;. After changes, restart Nginx:

# Restart Nginx via service command
service nginx restart

# Or via Centmin Mod command shortcut
ngxrestart

4 HTTP to HTTPS Redirect

Testing Tip

Always test in an incognito/private browser session first. Use return 302 (temporary redirect) before switching to return 301 (permanent redirect) once confirmed working.

With the auto-generated SSL vhost structure, disable the HTTP vhost by renaming it so its name no longer ends in .conf (Nginx only loads conf.d/*.conf, so the renamed file is ignored without being deleted):

mv /usr/local/nginx/conf/conf.d/newdomain.com.conf \
   /usr/local/nginx/conf/conf.d/newdomain.com.conf-disabled

Then add a redirect server block at the top of the .ssl.conf file. For redirecting to non-www HTTPS:

# 1st server{} - Redirect HTTP to HTTPS
server {
  server_name newdomain.com www.newdomain.com;
  return 302 https://newdomain.com$request_uri;
}

# 2nd server{} - Redirect www HTTPS to non-www HTTPS
server {
  listen 443 ssl http2;
  server_name www.newdomain.com;

  ssl_dhparam /usr/local/nginx/conf/ssl/newdomain.com/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  return 302 https://newdomain.com$request_uri;
}

# 3rd server{} - Main HTTPS site
server {
  listen 443 ssl http2;
  server_name newdomain.com;
  # ... rest of SSL config ...
}

For redirecting to www HTTPS instead, change the redirect target to https://www.newdomain.com$request_uri and adjust the server_name in the 3rd server block to www.newdomain.com.

Once redirects are confirmed working, change return 302 to return 301 and restart Nginx.
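A quick way to confirm the chain before changing 302 to 301 is to probe each entry point with curl and compare the status code and Location header. The script below is an added example, not part of Centmin Mod; it assumes curl is installed and uses the non-www target from the blocks above (newdomain.com is the page's placeholder).

```shell
#!/bin/bash
# Check the redirect chain from the three server{} blocks above with curl instead
# of a browser. Added example, not part of Centmin Mod; check_site assumes the
# non-www HTTPS target shown on this page.
set -eu

# expect_redirect CODE LOCATION: read raw response headers from stdin (as printed
# by "curl -sI") and succeed only if the status is CODE and Location is LOCATION.
expect_redirect() {
  local want_code="$1" want_loc="$2" hdrs code loc
  hdrs=$(tr -d '\r')          # nginx terminates header lines with CRLF
  code=$(printf '%s\n' "$hdrs" | awk 'NR==1 {print $2}')
  loc=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2; exit}')
  if [ "$code" != "$want_code" ] || [ "$loc" != "$want_loc" ]; then
    echo "expected $want_code -> $want_loc, got ${code:-?} -> ${loc:-none}" >&2
    return 1
  fi
}

# final_status CODE: the last hop must answer CODE directly, not redirect again,
# otherwise the chain loops (a common symptom when both vhosts carry a return).
final_status() {
  [ "$(tr -d '\r' | awk 'NR==1 {print $2}')" = "$1" ]
}

# check_site DOMAIN CODE: probe every entry point the redirect blocks cover.
# CODE is 302 while testing and 301 once the redirect is made permanent.
check_site() {
  local d="$1" code="$2" target="https://$1/" url
  for url in "http://$d/" "http://www.$d/" "https://www.$d/"; do
    curl -sI "$url" | expect_redirect "$code" "$target" || { echo "FAIL $url"; return 1; }
  done
  curl -sI "$target" | final_status 200 || { echo "FAIL $target did not answer 200"; return 1; }
  echo "redirect chain for $d OK ($code)"
}

# Usage: check_redirects.sh newdomain.com 302
if [ $# -eq 2 ]; then
  check_site "$1" "$2"
fi
```

Run it once with 302 after editing the .ssl.conf, and again with 301 after the switch; a failure on the last probe means the main server{} block is still redirecting.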

5 Switch to Paid SSL Certificate

To switch from the auto-generated self-signed SSL certificate to a paid certificate, follow the steps outlined in the Let's Encrypt Free SSL guide. You can also refer to the security headers configuration to create the unified certificate chain.

Update the SSL certificate paths in your .ssl.conf file and enable OCSP stapling:

# Change from self-signed paths:
ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.crt;
ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/ssl.key;

# To paid SSL certificate paths:
ssl_certificate      /usr/local/nginx/conf/ssl/newdomain.com/ssl-unified.crt;
ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain.com/newdomain.com.key;

# Enable OCSP stapling (only for trusted certificates):
resolver 8.8.8.8 8.8.4.4 valid=10m;
resolver_timeout 10s;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain.com/ssl-trusted.crt;

6 OCSP Stapling

OCSP Stapling only applies to SSL certificates issued by a CA that web browsers trust (commercial or Let's Encrypt). A self-signed certificate has no OCSP responder to query, so these settings are left commented out by default.

To enable OCSP stapling, uncomment the following lines in your SSL vhost config and restart Nginx:

# Enable OCSP stapling
resolver 8.8.8.8 8.8.4.4 valid=10m;
resolver_timeout 10s;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;

To verify OCSP stapling is working, run via SSH (-servername sends SNI so Nginx selects the right server{} block when several share port 443; do not add -tls1, which forces TLS 1.0 and makes the handshake fail against current Nginx TLS settings before any OCSP response is returned):

openssl s_client -connect domain.com:443 -servername domain.com -tlsextdebug -status

Look for OCSP Response Status: successful (0x0) in the output. You can also verify at certificate.revocationcheck.com.

7 HSTS for SSL

Warning

HSTS tells browsers to force HTTPS for the specified max-age (up to 1 year). If your site is not fully HTTPS-ready, enabling HSTS can cause errors that persist in browsers for a long time. If using Cloudflare, configure HSTS via the Cloudflare dashboard instead.

HTTP Strict Transport Security (HSTS) tells a browser that has seen the header to use HTTPS only for the domain for max-age seconds, rewriting any plain HTTP URL before the request is sent. To enable it, uncomment the appropriate line in your SSL vhost config:

# If SSL covers subdomains:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

# If SSL does NOT cover subdomains:
add_header Strict-Transport-Security "max-age=31536000;";

For per-site HSTS (when only some sites need it), create a copy of the static files include, add the add_header line to the copy (Nginx does not inherit add_header into location blocks that set their own headers, so the static file locations need it too), and include the copy only from the HSTS-enabled vhost:

# Create a HSTS-enabled copy of staticfiles.conf
cp -a /usr/local/nginx/conf/staticfiles.conf /usr/local/nginx/conf/staticfiles-hsts.conf

# Then in the HSTS-enabled vhost config, use:
#include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/staticfiles-hsts.conf;

# Restart Nginx and PHP-FPM
nprestart

8 Delete an Nginx vHost

Important

Domain deletion is a manual process by design. Always back up your data before removing a vhost. Each vhost creation logs removal commands in /root/centminlogs.

Step 1: Back Up Data

cp -a /usr/local/nginx/conf/conf.d/existingdomain.com.conf \
     /usr/local/nginx/conf/conf.d/existingdomain.com.conf.bak

cp -a /home/nginx/domains/existingdomain.com/ \
     /home/nginx/domains/existingdomain.com.bak/

Step 2: Delete Domain Files

You can find the exact removal commands logged in /root/centminlogs:

# Removal commands (from /root/centminlogs)
rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.conf
rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.ssl.conf
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.crt
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.key
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com/existingdomain.com.csr
rm -rf /usr/local/nginx/conf/ssl/existingdomain.com
rm -rf /home/nginx/domains/existingdomain.com
rm -rf /root/.acme.sh/existingdomain.com
rm -rf /root/.acme.sh/existingdomain.com_ecc
rm -rf /usr/local/nginx/conf/pre-staticfiles-local-existingdomain.com.conf

Step 3: Restart Nginx

service nginx restart
# Or via shortcut:
ngxrestart

Step 4: Remove Backups

Once you are certain the correct domain was deleted, remove the backups:

rm -rf /usr/local/nginx/conf/conf.d/existingdomain.com.conf.bak
rm -rf /home/nginx/domains/existingdomain.com.bak/
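The four steps above can be wrapped in a script that refuses unsafe domain arguments before any rm -rf runs. This is an added example, not a Centmin Mod script; NGX_CONF, NGX_HOME and ACME_HOME are assumed override variables defaulting to the paths used on this page, and existingdomain.com is the page's placeholder.

```shell
#!/bin/bash
# Safer wrapper for the manual vhost removal steps. Added example, not a Centmin
# Mod script: the path list matches the /root/centminlogs commands above, but every
# path hangs off a validated domain name and a backup is taken first.
set -eu
NGX_CONF="${NGX_CONF:-/usr/local/nginx/conf}"      # assumed override variables
NGX_HOME="${NGX_HOME:-/home/nginx/domains}"
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"

# valid_domain NAME: reject anything that would widen "rm -rf $base/$NAME":
# empty, "." or "..", slashes, leading dashes, or characters outside a hostname.
valid_domain() {
  case "$1" in
    ''|.|..|*/*|-*|*..*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# remove_vhost DOMAIN: Steps 1 and 2 above. Prints the backup directory; run
# ngxrestart (Step 3) afterwards and delete the backups (Step 4) once verified.
remove_vhost() {
  local d="$1" stamp
  valid_domain "$d" || { echo "refusing to remove '$d'" >&2; return 2; }
  [ -d "$NGX_HOME/$d" ] || { echo "no vhost directory for $d" >&2; return 2; }
  stamp=$(date +%Y%m%d%H%M%S)   # timestamped .bak so a rerun cannot clobber it
  if [ -f "$NGX_CONF/conf.d/$d.conf" ]; then
    cp -a "$NGX_CONF/conf.d/$d.conf" "$NGX_CONF/conf.d/$d.conf.bak-$stamp"
  fi
  cp -a "$NGX_HOME/$d" "$NGX_HOME/$d.bak-$stamp"
  rm -rf "$NGX_CONF/conf.d/$d.conf" "$NGX_CONF/conf.d/$d.ssl.conf" \
         "$NGX_CONF/ssl/$d" "$NGX_HOME/$d" \
         "$ACME_HOME/$d" "$ACME_HOME/${d}_ecc" \
         "$NGX_CONF/pre-staticfiles-local-$d.conf"
  echo "$NGX_HOME/$d.bak-$stamp"
}

# Usage: remove_vhost.sh existingdomain.com && ngxrestart
if [ $# -eq 1 ]; then
  remove_vhost "$1"
fi
```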

9 NSD DNS Setup (Menu Option 3)

Alternative DNS Options

If you prefer not to host your own DNS, you can use third-party DNS providers: Cloudflare DNS (free), DigitalOcean DNS (ns1/ns2/ns3.digitalocean.com), or your domain registrar's DNS hosting.

Setting up DNS is a two-part process:

Part 1: Register Private Nameservers

Register your own private nameservers (ns1.yourdomain.com, ns2.yourdomain.com) with your domain registrar. Most registrars document this step in their own help pages, usually under "glue records" or "child nameservers".

Part 2: NSD DNS Configuration (Menu Option 3)

Use Centmin Mod menu option #3 to set up NSD DNS on your server. You will need:

  • The domain name to add (e.g., newdomain.com)
  • The A record IP address (your server's IP)
  • IP addresses for ns1 and ns2 nameservers

IP Address Note

The ns1/ns2 assigned IP addresses should usually not be used to host other domain names. A minimum of 3 IP addresses is recommended: 1 for domains and 2 for ns1/ns2 (though you can use a single IP).

The script creates a DNS zone file at /etc/nsd/master/newdomain.com.zone with the following structure:

$TTL 14400
@       IN      SOA     ns1.newdomain.com.      hostmaster.newdomain.com. (
                                                2010091500
                                                14400
                                                3600
                                                1209600
                                                86400 )

; Nameservers
newdomain.com.       14400   IN      NS      ns1.newdomain.com.
newdomain.com.       14400   IN      NS      ns2.newdomain.com.

; A Records
newdomain.com.       14400   IN      A       YOUR_SERVER_IP
ftp                  14400   IN      A       YOUR_SERVER_IP
localhost            14400   IN      A       127.0.0.1
mail                 14400   IN      A       YOUR_SERVER_IP
ns1                  14400   IN      A       NS1_IP_ADDRESS
ns2                  14400   IN      A       NS2_IP_ADDRESS
www                  14400   IN      A       YOUR_SERVER_IP

; MX Record
newdomain.com.       14400   IN      MX      10 mail

; TXT Record (for SPF)
newdomain.com.       14400   IN      TXT     "v=spf1 a mx ip4:YOUR_SERVER_IP ~all"

After modifying the zone file, restart NSD:

service nsd restart
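Before restarting NSD after a hand edit, two things are worth checking: the SOA serial must be higher than before (NSD and any secondaries treat an unchanged serial as "nothing changed"), and every nameserver inside the zone needs a matching A record or resolvers cannot reach it. The script below is an added example, not a Centmin Mod tool; it assumes the zone layout shown above (a YYYYMMDDNN serial on its own line, relative ns1/ns2 A records) and a Linux sed.

```shell
#!/bin/bash
# Pre-restart checks for an NSD zone file edited by hand. Added example, not a
# Centmin Mod script. Assumes the layout shown above: a YYYYMMDDNN serial on its
# own line inside the SOA record and relative names (ns1, ns2) for the A records.
set -eu

# bump_serial ZONEFILE: rewrite the SOA serial to today's date plus a two-digit
# counter so NSD and any secondaries notice the change. Prints the new serial.
bump_serial() {
  local zone="$1" today old new
  today=$(date +%Y%m%d)
  # The serial is the first bare 10-digit field after the SOA line.
  old=$(awk '/SOA/{f=1} f && length($1)==10 && $1 ~ /^[0-9]+$/ {print $1; exit}' "$zone")
  [ -n "$old" ] || { echo "no 10-digit serial found in $zone" >&2; return 1; }
  case "$old" in
    "$today"*) new=$((old + 1)) ;;     # same day: increment the counter
    *)         new="${today}01" ;;      # new day: date prefix, counter reset
  esac
  sed -i "s/${old}/${new}/" "$zone"
  echo "$new"
}

# check_glue ZONEFILE: every NS host inside the zone (ns1.newdomain.com. for a
# newdomain.com. zone) must have an A record, otherwise the delegation is dead.
check_glue() {
  local zone="$1" host rc=0
  # Field 5 of an NS line is the nameserver; keep in-zone ones in relative form.
  for host in $(awk '$4=="NS" && $5 ~ ("[.]" $1 "$") {sub(/\..*$/, "", $5); print $5}' "$zone" | sort -u); do
    awk -v h="$host" '$1==h && $4=="A" {ok=1} END{exit !ok}' "$zone" ||
      { echo "missing glue A record for $host" >&2; rc=1; }
  done
  return $rc
}

# Usage: nsd-zone-check.sh /etc/nsd/master/newdomain.com.zone && service nsd restart
if [ $# -eq 1 ]; then
  bump_serial "$1"
  check_glue "$1"
  # nsd-checkzone ships with NSD 4 and catches syntax errors before the restart.
  if command -v nsd-checkzone >/dev/null; then
    origin=$(awk '$4=="NS" {sub(/\.$/, "", $1); print $1; exit}' "$1")
    nsd-checkzone "$origin" "$1"
  fi
fi
```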

10 Custom Nameservers

By default, the NSD setup script creates ns1.newdomain.com and ns2.newdomain.com. You can change these later by editing the zone file at /etc/nsd/master/newdomain.com.zone.

If you switch your domain's nameservers to use your registrar's or a third-party DNS provider's nameservers, the NSD configuration on the server is bypassed. No changes to the NSD zone file are necessary in that case.

For a full step-by-step NSD DNS setup example, see the Centmin Mod Community forums guide.

11 DNS Propagation

After configuring your DNS records, verify propagation with an online DNS propagation checker, which queries resolvers in several regions at once.

The default TTL (Time To Live) in the NSD zone file is 14400 seconds (4 hours). DNS propagation can take anywhere from a few minutes to 48 hours depending on TTL settings and DNS caches worldwide.

Quick DNS Check

You can check DNS resolution from the command line using dig newdomain.com or nslookup newdomain.com. To reduce propagation time before migration, lower the TTL value in advance.

Need Help With DNS or Domain Setup?

Join the Centmin Mod community forums for troubleshooting help and detailed configuration guides.