Difference between revisions of "Nginx (1.14)"
Line 156: | Line 156: | ||
# Use 4096 bits if you are using a 4096-bit cert. | # Use 4096 bits if you are using a 4096-bit cert. | ||
ssl_dhparam /etc/certs/dhparam.pem; | ssl_dhparam /etc/certs/dhparam.pem; | ||
− | |||
− | |||
## | ## | ||
Line 178: | Line 176: | ||
gzip_types text/plain text/css text/xml text/mathml text/javascript application/x-javascript application/xhtml+xml application/atom+xml application/json application/xml application/xml+rss text/javascript image/x-icon; | gzip_types text/plain text/css text/xml text/mathml text/javascript application/x-javascript application/xhtml+xml application/atom+xml application/json application/xml application/xml+rss text/javascript image/x-icon; | ||
− | # | + | # Create an expires map for (generally) static data. |
− | # | + | map $sent_http_content_type $expires { |
− | + | default off; | |
− | # | + | image/jpeg 168h; |
+ | image/png 168h; | ||
+ | image/svg+xml 168h; | ||
+ | image/tiff 168h; | ||
+ | image/webp 168h; | ||
+ | audio/flac 168h; | ||
+ | audio/ogg 168h; | ||
+ | audio/mpeg 168h; | ||
+ | audio/x-m4a 168h; | ||
+ | audio/x-wav 168h; | ||
+ | video/mpeg 168h; | ||
+ | } | ||
+ | |||
+ | # Block requests that don't specify a proper domain. | ||
+ | server { | ||
+ | listen 80 default_server; | ||
+ | return 444; | ||
+ | } | ||
+ | |||
+ | server { | ||
+ | listen 443 default_server; | ||
+ | return 444; | ||
+ | } | ||
+ | |||
+ | # Renamed directory, limit to .conf | ||
+ | include /etc/nginx/sites/*.conf; | ||
+ | ---- | ||
− | + | == /root/fpmnginx.conf == | |
− | |||
− | |||
− | |||
− | + | I have a script do most of the job of framing a website for me. It takes this file and replaces things as needed. This defaults to setting up a wiki, but it is decent enough for a default and easy to modify. | |
− | + | ||
− | + | server { | |
− | + | listen IPADDRESS:80; | |
− | + | server_name *.DOMAIN; | |
− | + | ||
+ | location ~ ^(?!(/\.well-known/)) { | ||
+ | rewrite ^(.*)$ https://DOMAIN/$1 redirect; | ||
+ | } | ||
− | + | location / { | |
− | + | root /home/USERNAME/docs; | |
− | + | } | |
− | + | } | |
− | |||
− | |||
− | + | server { | |
− | + | listen IPADDRESS:80; | |
− | + | server_name DOMAIN; | |
− | |||
− | |||
− | + | location ~ ^(?!(/\.well-known/)) { | |
− | + | rewrite ^(.*)$ https://$host$1 redirect; | |
− | + | } | |
− | + | location / { | |
− | + | root /home/USERNAME/docs; | |
− | + | } | |
− | |||
− | |||
− | |||
− | |||
} | } | ||
− | |||
− | + | server { | |
+ | listen IPADDRESS:443; # ssl; | ||
+ | server_name *.DOMAIN; | ||
+ | #ssl_certificate /etc/certs/DOMAIN.pem; | ||
+ | #ssl_certificate_key /etc/certs/DOMAIN.key; | ||
+ | |||
+ | rewrite ^(.*)$ https://DOMAIN/$1 redirect; | ||
+ | } | ||
− | + | server { | |
+ | listen IPADDRESS:443; # ssl http2; | ||
+ | server_name DOMAIN; | ||
+ | #ssl_certificate /etc/certs/DOMAIN.pem; | ||
+ | #ssl_certificate_key /etc/certs/DOMAIN.key; | ||
+ | index index.php; | ||
include /etc/nginx/fastcgi_params; | include /etc/nginx/fastcgi_params; | ||
include /etc/nginx/include_common; | include /etc/nginx/include_common; | ||
root /home/USERNAME/docs; | root /home/USERNAME/docs; | ||
error_page 404 /index.php; | error_page 404 /index.php; | ||
− | access_log /var/log/nginx/access- | + | access_log /var/log/nginx/access-DOMAIN.log; |
− | error_log /var/log/nginx/error- | + | error_log /var/log/nginx/error-DOMAIN.log; |
location ~* ^/w/images/ { | location ~* ^/w/images/ { | ||
Line 239: | Line 266: | ||
} | } | ||
access_log off; | access_log off; | ||
− | expires | + | expires $expires; |
} | } | ||
location ~ \.php$ { | location ~ \.php$ { | ||
if (-f $request_filename) { | if (-f $request_filename) { | ||
− | fastcgi_pass unix:/ | + | fastcgi_pass unix:/home/USERNAME/sock/DOMAIN-fpm.sock; |
} | } | ||
} | } | ||
Line 253: | Line 280: | ||
try_files $uri $uri/ /index.php?q=$uri&$args; | try_files $uri $uri/ /index.php?q=$uri&$args; | ||
+ | } | ||
+ | |||
{{Bottom Buster}} | {{Bottom Buster}} |
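Review bot: The two catch-all servers added after the `$expires` map listen on the wildcard address (`listen 80 default_server;` / `listen 443 default_server;`) while every server in the `/root/fpmnginx.conf` template added in the same hunk listens on `IPADDRESS:80` / `IPADDRESS:443`; nginx picks the default server only among the servers bound to the connection's exact address:port, so once IPADDRESS is a concrete IP a request to it with an unknown Host lands on the first `*.DOMAIN` server (a redirect), never on `return 444` — listen on the same explicit address in the catch-alls, or drop IPADDRESS from the template. The 443 catch-all also has neither an `ssl` flag nor a certificate, so a TLS ClientHello reaching it is parsed as plaintext HTTP and answered with a 400 before `return 444` can run; on 1.14 it needs `listen 443 ssl default_server;` plus a (self-signed placeholder) certificate, `ssl_reject_handshake on` being the cleaner option only from 1.19.4. Separately, both `rewrite ^(.*)$ https://DOMAIN/$1 redirect;` lines in the template emit `https://DOMAIN//path` because `$1` already begins with `/`; use `https://DOMAIN$1`, as the sibling `https://$host$1` rewrite already does.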
I do have some documentation lying around about how to set up FastCGI with Apache. It is ancient at this point, however. I cannot recommend nginx enough, across the board, for all web-serving needs.
Supporting Files
/etc/nginx/mime.types
You'll sometimes need to add entries that the stock file lacks, otherwise those files are served with the fallback default_type (application/octet-stream). For example:
# FLAC is not in the stock mime.types.  Without this entry .flac files are
# served as default_type (application/octet-stream) and the audio/flac
# entry in the $expires map in nginx.conf never matches them.
audio/flac flac;
/etc/nginx/fastcgi_params
This is only really relevant for PHP setups over FastCGI. The site template below `include`s it at server level, so the fastcgi_param entries are inherited by the PHP location and the trailing `location` block is legal there.
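# FastCGI environment for PHP-FPM.  Included at server level by the site
# template, so every fastcgi_param here is inherited by the .php location.
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

# $request_filename is the resolved on-disk path.  The site template only
# passes requests for which `-f $request_filename` holds, so a URI such as
# /foo.jpg/x.php is never handed to PHP.
fastcgi_param  SCRIPT_FILENAME    $request_filename;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# if_not_empty: leave HTTPS unset on plain-HTTP requests instead of
# passing an empty string.
fastcgi_param  HTTPS              $https if_not_empty;

# httpoxy (CVE-2016-5385): a client-supplied "Proxy:" request header would
# otherwise be passed through as HTTP_PROXY and honoured by HTTP client
# libraries inside PHP.  An explicit empty param overrides the header.
fastcgi_param  HTTP_PROXY         "";

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

fastcgi_index  index.php;
# Keep the script running if the client goes away; 300s read/send
# timeouts allow for slow PHP requests.
fastcgi_ignore_client_abort on;
fastcgi_buffers        64 4k;
fastcgi_read_timeout   300;
fastcgi_send_timeout   300;

# Never serve PHP-FPM's per-directory .user.ini from the document root.
# Exact match: this covers /.user.ini only, not one in a subdirectory.
location = /.user.ini { return 404; }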
/etc/nginx/include_common
I `include` this from every server block (see the site template below), so server-spanning changes can be made quickly in one place if needed.
# Server-wide request filtering, included at server level by the site
# template.  These `if` blocks run in the rewrite phase in the order
# written and the first matching `return` wins, so keep the order.
include /etc/nginx/valid_referers;

# Only the methods the sites answer; anything else (PUT, DELETE, TRACE,
# PROPFIND, ...) is refused with 405.
if ($request_method !~ ^(GET|HEAD|OPTIONS|POST)$) {
    return 405;
}

# Crude scanner filtering: no User-Agent at all, or one starting with
# "Java".  The header is client-controlled, so this is noise reduction,
# not access control.
if ($http_user_agent = "") {
    return 403;
}
if ($http_user_agent ~* "^Java") {
    return 403;
}
Blank user agents, and those beginning with 'Java', are in my experience almost always automated scanners rather than browsers. Bear in mind that the User-Agent header is entirely client-controlled, so these rules only cut down noise; they are not an access control, and a deliberate attacker simply sends a browser-like string. If you don't use software that makes use of the OPTIONS request method, you may wish to remove that method from the allowed list.
/etc/nginx/valid_referers
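# Referer whitelist for the hot-link check (`if ($invalid_referer)`) in the
# site template.  This file is pulled in with `include`, so it must hold a
# complete directive: the bare argument list on its own fails `nginx -t`.
#   none    - requests with no Referer header at all (direct visits,
#             privacy extensions) are allowed
#   blocked - referers a proxy or firewall has stripped of their scheme
#             are allowed
# Add your own domains after these.  The `server_names` keyword would take
# them from the server_name directives instead of a hand-kept list.
valid_referers none blocked 1.2.3.* other.ipv4.classc.*;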
Referenced from the file above; I add all of my domains here rather than trying to manage them per site. `none` allows requests with no Referer header (direct visits) and `blocked` allows referers a proxy has stripped; any other referer not listed sets `$invalid_referer`, which the images location in the site template uses to drop hot-linking.
/etc/nginx/nginx.conf
# Workers run as this unprivileged user; only the master stays root to
# bind ports and open logs.
user www-data;

# One worker per physical core.  Adjacent logical CPU numbers are
# hyperthreads of the same core, hence the every-other-bit masks below;
# hyperthreading does not double throughput.  Two workers would already
# be plenty for this host.
worker_processes 4;
worker_cpu_affinity 10000000 00100000 00001000 00000010;

# Per-worker open-file limit; has to cover worker_connections plus the
# files and upstream sockets each request opens.
worker_rlimit_nofile 65536;

# `notice` is deliberately verbose - it has been needed to debug problems.
error_log /var/log/nginx/error.root.log notice;
pid /var/run/nginx.pid;
# Rather than risk not knowing what is up with my modules, declare the
# ones I want explicitly.  Dynamic modules must be built against this
# exact nginx version or startup fails.
# NOTE(review): none of the configs on this page use directives from these
# modules (echo, geoip, image_filter, subs_filter, xslt); every module
# loaded is extra attack surface (image_filter pulls in libgd, xslt
# pulls in libxml2/libxslt) - drop the ones not actually needed.
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_geoip_module.so;
load_module modules/ngx_http_image_filter_module.so;
load_module modules/ngx_http_subs_filter_module.so;
load_module modules/ngx_http_xslt_filter_module.so;
events {
    # Per-worker connection cap; with the 4 workers above that is roughly
    # 16k concurrent connections, well under worker_rlimit_nofile.
    worker_connections 4096;
    # multi_accept on;
}
http { ## # Basic Settings ##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 4096;
# Hide the nginx version in the Server header and on error pages.
server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# Upper bound on a request body, i.e. the largest upload.  Obviously this
# varies per application.
client_max_body_size 32m;
# Kept at hand in case a throttle is ever needed.
#limit_rate 64k;
output_buffers 2 256k;

# Short header/body/send timeouts bound slow-client connections; keepalive
# can be generous, nginx copes fine with long timeouts and many requests.
client_body_timeout 15;
client_header_timeout 15;
send_timeout 15;
keepalive_timeout 75;
keepalive_requests 10000;

# nginx has its own non-blocking resolver; ssl_stapling below needs it to
# reach OCSP responders.  Since 1.6 `ipv6=on` also returns AAAA records.
# NOTE(review): the two remote servers are queried over plain,
# unauthenticated UDP; a local validating resolver would be preferable.
resolver [::1] 66.96.80.43 66.96.80.194 valid=30s;
resolver_timeout 1s;

# The packaged default for these is /var/lib/nginx.
# NOTE(review): /tmp is world-writable, so these directories share a
# namespace with every local user; a dedicated directory (or simply the
# default) is the safer choice.
client_body_temp_path /tmp/nginx_body 2 2;
fastcgi_temp_path /tmp/nginx_fcgi 2 2;
proxy_temp_path /tmp/nginx_prox 2 2;
scgi_temp_path /tmp/nginx_scgi 2 2;
uwsgi_temp_path /tmp/nginx_uwsi 2 2;
##
# SSL Settings
##

# TLS 1.2 and 1.3 only: SSLv3 (POODLE), TLS 1.0 and TLS 1.1 are refused.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# AEAD (GCM) suites with (EC)DH key exchange first, then the remaining
# ECDH/DH suites (CBC with SHA-1); anonymous and DSS suites excluded.
# The bare ECDH:DH groups exist for older clients - tighten to
# ECDHE/DHE+AESGCM(+CHACHA20) if none of those need supporting.
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH:DH:!ADH:!DSS:!aNULL:!NULL;

# NOTE(review): pinning a single curve excludes X25519 and P-256, which
# most clients prefer; the 1.14 default (`auto`) lets nginx negotiate.
ssl_ecdh_curve secp384r1;

# Makes an enormous difference in performance over SSL. Practically required.
ssl_session_cache shared:SSL:32m;
ssl_session_timeout 30m;

# NOTE(review): session tickets are protected by a key generated at
# startup that lives until restart; without `ssl_session_ticket_key`
# rotation this weakens forward secrecy for every session resumed in
# that window.
ssl_session_tickets on;
# Stapling needs the `resolver` above.  ssl_stapling_verify also needs the
# issuer chain, either in the certificate file or via
# ssl_trusted_certificate, or the staple is silently not sent.
ssl_stapling on;
ssl_stapling_verify on;

# Explicit DH parameters for the DHE suites.  Generated via:
#   openssl dhparam -out dhparam.pem 4096
# Since 1.11.0 nginx ships no built-in group: without this directive the
# DHE suites are simply disabled.  The DH group size is independent of
# the certificate's key size; 2048 bits is adequate and 4096 makes the
# DHE handshake noticeably slower.
ssl_dhparam /etc/certs/dhparam.pem;
##
# Logging Settings
##

# http-level defaults; each site in the template overrides them with its
# own access-DOMAIN.log / error-DOMAIN.log.
access_log /var/log/nginx/access.http.log;
error_log /var/log/nginx/error.http.log notice;
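##
# Gzip Settings
##

gzip on;
# Need to enable the module for gzip_static to work.
# gzip_static on;
# Level 9 costs noticeably more CPU than 5-6 for very little extra
# compression; lower it if CPU ever matters.
gzip_comp_level 9;
gzip_min_length 512;
# Emit Vary: Accept-Encoding so caches keep compressed and plain copies apart.
gzip_vary on;
# text/html is always compressed.  application/javascript is added because
# that is what recent stock mime.types maps .js to, so JavaScript was not
# being compressed; the duplicate text/javascript entry is dropped.
# NOTE(review): compressing dynamic HTML that echoes secrets (CSRF tokens)
# alongside attacker-controlled input is the precondition for BREACH; this
# applies to the always-on text/html, not to the types listed here.
gzip_types text/plain text/css text/xml text/mathml text/javascript application/javascript application/x-javascript application/xhtml+xml application/atom+xml application/json application/xml application/xml+rss image/x-icon;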
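# Cache lifetime keyed on the response Content-Type, consumed by
# `expires $expires;` in the site template's /w/images/ location.
# `default off` leaves every other response without Expires/Cache-Control,
# so dynamic pages are unaffected.  image/gif added: a common image format
# that was falling through to `off`.
map $sent_http_content_type $expires {
    default        off;
    image/gif      168h;
    image/jpeg     168h;
    image/png      168h;
    image/svg+xml  168h;
    image/tiff     168h;
    image/webp     168h;
    audio/flac     168h;
    audio/ogg      168h;
    audio/mpeg     168h;
    audio/x-m4a    168h;
    audio/x-wav    168h;
    video/mpeg     168h;
}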
# Catch-alls: a request whose Host matches no server_name (or carries
# none) is dropped with 444 - connection closed, nothing sent - instead
# of being answered by whichever site happens to be declared first.
# NOTE(review): these bind the wildcard address while the site template
# listens on IPADDRESS:80/443.  nginx chooses the default server among
# the servers bound to the connection's exact address:port, so if
# IPADDRESS is a concrete IP these blocks never see traffic to it - the
# first *.DOMAIN server does.  Listen on the same explicit address here,
# or drop IPADDRESS from the template.
server {
    listen 80 default_server;
    return 444;
}

# NOTE(review): no `ssl` flag and no certificate, so a TLS ClientHello on
# this socket is read as plaintext HTTP and answered with 400 before
# `return 444` can run.  On 1.14 this needs `listen 443 ssl default_server;`
# plus a certificate (a self-signed placeholder suffices);
# `ssl_reject_handshake on` replaces that from 1.19.4.
server {
    listen 443 default_server;
    return 444;
}

# Per-site configs (presumably generated from /root/fpmnginx.conf below).
# Renamed directory; only *.conf is read, so stray or renamed files are
# ignored.
include /etc/nginx/sites/*.conf;
/root/fpmnginx.conf
I have a script that does most of the job of setting up a website for me. It takes this file as a template and substitutes the IPADDRESS, DOMAIN and USERNAME placeholders as needed (the `ssl` and `ssl_certificate` lines are left commented out here, presumably for the script to enable once a certificate exists). This defaults to setting up a wiki, but it is decent enough for a default and easy to modify.
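# Plain-HTTP entry for every subdomain: redirect to the canonical HTTPS
# host.  Only /.well-known/ (ACME HTTP-01 challenges) is served directly,
# so certificates can be issued before TLS is up.  Being the first server
# declared for IPADDRESS:80 this block is also the implicit default for
# unrecognised Host headers.
server {
    listen IPADDRESS:80;
    server_name *.DOMAIN;

    # Everything except /.well-known/...  $1 is the full URI and already
    # starts with "/", so there is no slash between the host and $1
    # (https://DOMAIN/$1 would produce https://DOMAIN//path).  `redirect`
    # is a 302; the query string is appended automatically.
    location ~ ^(?!(/\.well-known/)) {
        rewrite ^(.*)$ https://DOMAIN$1 redirect;
    }

    # Serves the ACME challenge files straight from the site's docroot.
    location / {
        root /home/USERNAME/docs;
    }
}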
# Plain-HTTP entry for the canonical host: same /.well-known/ carve-out
# for ACME, everything else redirected to HTTPS.  server_name is an exact
# match and the *.DOMAIN server declared above is the default for this
# address, so $host can only be DOMAIN here - not an open redirect.
server {
    listen IPADDRESS:80;
    server_name DOMAIN;

    # $1 carries the leading "/"; `redirect` is a 302 and keeps the query.
    location ~ ^(?!(/\.well-known/)) {
        rewrite ^(.*)$ https://$host$1 redirect;
    }

    # ACME challenge files from the site's docroot.
    location / {
        root /home/USERNAME/docs;
    }
}
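# HTTPS entry for subdomains: redirect to the canonical host.
# The `ssl` flag and certificate lines are commented out in the template,
# presumably for the provisioning script to enable once a certificate
# exists; a wildcard or SAN certificate is needed for this server_name.
# Until then this block speaks plain HTTP on port 443.
server {
    listen IPADDRESS:443; # ssl;
    server_name *.DOMAIN;
    #ssl_certificate /etc/certs/DOMAIN.pem;
    #ssl_certificate_key /etc/certs/DOMAIN.key;

    # $1 already carries the leading "/" - no slash before it, otherwise
    # the Location header reads https://DOMAIN//path.
    rewrite ^(.*)$ https://DOMAIN$1 redirect;
}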
# The site itself: MediaWiki under /home/USERNAME/docs, PHP over a
# per-site PHP-FPM socket.  `ssl http2` and the certificate lines are
# commented out in the template (presumably enabled by the provisioning
# script once a certificate exists); until then this is plain HTTP on 443.
server {
    listen IPADDRESS:443; # ssl http2;
    server_name DOMAIN;
    #ssl_certificate /etc/certs/DOMAIN.pem;
    #ssl_certificate_key /etc/certs/DOMAIN.key;

    index index.php;
    # Server-level includes: the fastcgi_param set (inherited by the .php
    # location) and the method / User-Agent / referer filters.
    include /etc/nginx/fastcgi_params;
    include /etc/nginx/include_common;
    root /home/USERNAME/docs;
    # Unknown paths go to the application rather than nginx's 404 page.
    error_page 404 /index.php;
    access_log /var/log/nginx/access-DOMAIN.log;
    error_log /var/log/nginx/error-DOMAIN.log;

    # Uploaded files.  Regex locations are tried in declaration order and
    # the first match wins: because this precedes the \.php$ location,
    # anything under /w/images/ - including an uploaded .php - is served as
    # a static file and never reaches PHP-FPM.  Keep this ordering.
    # $invalid_referer is set by valid_referers (via include_common), so
    # hot-linking from unlisted sites gets the connection dropped.
    # $expires is the Content-Type map in nginx.conf.
    location ~* ^/w/images/ {
        if ($invalid_referer) {
            return 444;
        }
        access_log off;
        expires $expires;
    }

    # Only hand files that exist on disk to PHP-FPM; anything else falls
    # through to static handling (404, which error_page routes to
    # /index.php).  The socket path suggests one PHP-FPM pool per user.
    location ~ \.php$ {
        if (-f $request_filename) {
            fastcgi_pass unix:/home/USERNAME/sock/DOMAIN-fpm.sock;
        }
    }

    # MediaWiki short URLs: /wiki/Title -> /w/index.php?title=Title
    # (the original query string is appended automatically).
    location ~ ^/wiki/ {
        rewrite ^/wiki/(.*)$ /w/index.php?title=$1;
    }

    # Everything else: file, then directory, then the front controller.
    try_files $uri $uri/ /index.php?q=$uri&$args;
}