JamesBB Posted July 23, 2011

Hey guys.. Just wondering if I can get everyone's critique on my nginx config:

    server {
        server_name domain.com;
        listen 80;
        access_log /home/cj/spectrum-access.log;
        error_log /home/cj/spectrum-error.log;
        large_client_header_buffers 4 8k; # prevent some 400 errors
        root /home/cj/invision;
        index index.php;

        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?q=$uri;
        }

        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:8888;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

Any input would be fantastic, I have tried to read other people's but they haven't made a whole lot of sense to me. What am I missing here? I have statements like max upload in the nginx.conf rather than url config file..
ensoph Posted August 15, 2011

Replace the PHP block with:

    location ~ \.php$ {
        if (!-e $document_root/$document_uri) {
            return 404;
            break;
        }
        fastcgi_pass localhost:8888;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }

This avoids sending unnecessary requests (i.e. 404s) to the PHP daemon, and also works as a security measure for certain exploits. Apart from this everything's fine.
Jim O Posted August 24, 2011

> replace the PHP block with:
>
>     location ~ \.php$ {
>         if (!-e $document_root/$document_uri) {
>             return 404;
>             break;
>         }
>         fastcgi_pass localhost:8888;
>         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
>         include /etc/nginx/fastcgi_params;
>     }
>
> this avoids sending unnecessary requests (i.e. 404s) to the PHP daemon, and works also as a security measure for certain exploits. apart from this everything's fine.

Noooooooooo!!!!!!! This is wrong! It's also way more inefficient to use an "if" block. Using "try_files" to test for a file's existence is more efficient and using "location" blocks is the preferred method.

This is my config. It takes care of upload directory and other PHP exploits. It also limits log size files for common files and handles some other security concerns.

    server {
        listen my:ip:v6:add:ress:80;
        listen 80;
        listen my:ip:v6:add:re:ss:443 ssl;
        listen my.ipv4.add.ress:443 ssl;
        server_name domain.com;
        index index.php index.html index.htm;
        root /path/to/domain.com/html;
        client_max_body_size 12m;

        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ECDHE-RSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:DES-CBC3-SHA;
        ssl_ecdh_curve secp521r1;
        ssl_certificate /etc/ssl/certs/domain_com.crt;
        ssl_certificate_key /etc/ssl/certs/domain_com.key;
        ssl_session_cache shared:SSL:2m;
        ssl_session_timeout 10m;
        keepalive_timeout 70;

        ## Disable all methods besides HEAD, GET and POST.
        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
            return 444;
        }

        ## If no favicon exists return a 204 (no content error).
        location = /favicon.ico {
            try_files $uri =204; # can delete if you're certain that one will be found at all levels
            log_not_found off;
            access_log off;
        }

        ## Don't log robots.txt requests.
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        ## Static files are served directly.
        location ~* \.(?:js|css|png|jpg|jpeg|gif|ico)$ {
            output_buffers 1 64k; # don't need this unless using AIO on FreeBSD
            expires max; # can set a shorter expiration like 30d if you prefer
            log_not_found off;
        }

        ## Keep a tab on the 'big' static files.
        location ~* ^.+\.(?:m4a|mp[34]|mov|ogg|pdf|wmv|flv|ppt[x]*)$ {
            expires 30d;
        }

        ## All files/directories that are protected and inaccessible from
        ## the web.
        location ~* ^.*(\.(?:htaccess|txt|log*))$ {
            return 404;
        }

        location ~ /forums/ {
            error_page 404 index.php;
            try_files $uri $uri/ /forums/index.php;

            location ~ index.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                try_files $uri =403;
                fastcgi_pass 127.0.0.1:9000;
                include /usr/local/etc/nginx/fastcgi_params;
                fastcgi_buffers 64 4k;
            }

            location ~ \.php$ {
                rewrite ^ / permanent;
            }
        }

        # Deny access (403) to all perl or php scripts in certain locations.
        location ~* /forums/(?:cache|hooks|public/style_css|public/style_images|uploads)/.*\.(?:pl|php[345]*)$ {
            return 403;
        }

        # protect directories where users can upload malicious files
        location ^~ /forums/galleryuploads/ {
            try_files $uri =403;
        }

        location ^~ /forums/uploads/ {
            try_files $uri =403;
        }

        location ~ index.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            try_files $uri =403;
            fastcgi_pass 127.0.0.1:9000;
            include /usr/local/etc/nginx/fastcgi_params;
            fastcgi_buffers 64 4k;
        }
    }

    ## Rewrite www.domain.com to domain.com
    server {
        listen my:ip:v6:add:re:ss:80;
        listen 80;
        server_name www.domain.com;
        rewrite ^ $scheme://domain.com$request_uri? permanent;
    }

You should also edit your php.ini file:

    - cgi.fix_pathinfo=1
    + cgi.fix_pathinfo=0

Please note that the paths to your files, your nginx.conf file and your fastcgi_params files may be different. Port numbers may also differ. Traditionally PHP-FPM has been run on 9000 but there's no rule about that. This also assumes your forums are in a subdirectory called "forums".

This works for me and avoids use of any unnecessary "if's".
You may not need all of this (like IPv6 or SSL if you aren't using them) but it is a good basis for you to use. YMMV of course.
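The check below is an added example, not part of the thread or any poster's code. It lists every `location` that passes requests to FastCGI and reports whether that block is guarded by `try_files`, by an `if (!-e ...)` test, or not at all, and it checks php.ini for the `cgi.fix_pathinfo=0` setting recommended above. The sample configs are constructed from the blocks posted here, the function names are hypothetical, and the brace matching assumes no quoted braces in the config.

```python
import re

# Constructed samples modelled on the PHP blocks posted in this thread.
UNGUARDED = r"""
location / { try_files $uri $uri/ /index.php?q=$uri; }
location ~ \.php$ {
    fastcgi_pass 127.0.0.1:8888;
}
"""
GUARDED = r"""
location ~ /forums/ {
    try_files $uri $uri/ /forums/index.php;
    location ~ index.php$ {
        try_files $uri =403;
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

def own_directives(body):
    """Return a block body with the contents of nested { } blocks removed."""
    out, depth = [], 0
    for ch in body:
        if ch in "{}":
            depth += 1 if ch == "{" else -1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def audit_php_locations(conf):
    """List (location, guard) for each location that passes requests to FastCGI."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    findings = []
    for m in re.finditer(r"\blocation\s+([^{;]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:  # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        own = own_directives(conf[m.end():i - 1])
        if re.search(r"\bfastcgi_pass\b", own):
            guard = ("try_files" if re.search(r"\btry_files\b", own) else
                     "if" if re.search(r"\bif\s*\(\s*!-[ef]\s", own) else "none")
            findings.append((m.group(1), guard))
    return findings

def fix_pathinfo_disabled(ini):
    """True only if php.ini sets cgi.fix_pathinfo=0 explicitly (PHP defaults to 1)."""
    values = re.findall(r"^\s*cgi\.fix_pathinfo\s*=\s*(\d+)", ini, re.M)
    return bool(values) and values[-1] == "0"
```

`audit_php_locations(UNGUARDED)` reports the `\.php$` block with guard `none`, while the nested `index.php$` block in `GUARDED` reports `try_files`; the parent `/forums/` block is skipped because it does not call `fastcgi_pass` itself.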
_Mark_ Posted September 29, 2011

I have moved to nginx and want to enable the expiry date on the images being served from my site. I currently checked the expiry date and the images are as follows:

    Expires Thu, 06 Oct 2011 16:04:32 GMT
    Cache-Control max-age=604800

My current config is:

    user nobody;
    # no need for more workers in the proxy mode
    worker_processes 2;
    error_log /var/log/nginx/error.log info;
    worker_rlimit_nofile 20480;

    events {
        worker_connections 5120; # increase for busier servers
        use epoll; # you should use epoll here for Linux kernels 2.6.x
    }

    http {
        server_name_in_redirect off;
        server_names_hash_max_size 10240;
        server_names_hash_bucket_size 1024;
        include mime.types;
        default_type application/octet-stream;
        server_tokens off;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 60;
        gzip on;
        gzip_vary on;
        gzip_disable "MSIE [1-6]\.";
        gzip_proxied any;
        gzip_http_version 1.1;
        gzip_min_length 1000;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        # You can remove image/png image/x-icon image/gif image/jpeg if you have slow CPU
        gzip_types text/plain text/xml text/css application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg application/xml+rss text/javascript application/atom+xml;
        ignore_invalid_headers on;
        client_header_timeout 3m;
        client_body_timeout 3m;
        send_timeout 3m;
        reset_timedout_connection on;
        connection_pool_size 256;
        client_header_buffer_size 256k;
        large_client_header_buffers 4 256k;
        client_max_body_size 200M;
        client_body_buffer_size 128k;
        request_pool_size 32k;
        output_buffers 4 32k;
        postpone_output 1460;
        proxy_temp_path /tmp/nginx_proxy/;
        client_body_in_file_only on;
        log_format bytes_log "$msec $bytes_sent .";
        include "/etc/nginx/vhosts/*";
    }

So using the example above I added in:

    server {
        ## Static files are served directly.
        location ~* \.(?:js|css|png|jpg|jpeg|gif|ico)$ {
            expires 30d; # can set a shorter expiration like 30d if you prefer
            log_not_found off;
        }
    }

So it looks like this:

    user nobody;
    # no need for more workers in the proxy mode
    worker_processes 2;
    error_log /var/log/nginx/error.log info;
    worker_rlimit_nofile 20480;

    events {
        worker_connections 5120; # increase for busier servers
        use epoll; # you should use epoll here for Linux kernels 2.6.x
    }

    http {
        server_name_in_redirect off;
        server_names_hash_max_size 10240;
        server_names_hash_bucket_size 1024;
        include mime.types;
        default_type application/octet-stream;
        server_tokens off;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 60;
        gzip on;
        gzip_vary on;
        gzip_disable "MSIE [1-6]\.";
        gzip_proxied any;
        gzip_http_version 1.1;
        gzip_min_length 1000;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        # You can remove image/png image/x-icon image/gif image/jpeg if you have slow CPU
        gzip_types text/plain text/xml text/css application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg application/xml+rss text/javascript application/atom+xml;
        ignore_invalid_headers on;
        client_header_timeout 3m;
        client_body_timeout 3m;
        send_timeout 3m;
        reset_timedout_connection on;
        connection_pool_size 256;
        client_header_buffer_size 256k;
        large_client_header_buffers 4 256k;
        client_max_body_size 200M;
        client_body_buffer_size 128k;
        request_pool_size 32k;
        output_buffers 4 32k;
        postpone_output 1460;
        proxy_temp_path /tmp/nginx_proxy/;
        client_body_in_file_only on;
        log_format bytes_log "$msec $bytes_sent .";
        include "/etc/nginx/vhosts/*";

        server {
            ## Static files are served directly.
            location ~* \.(?:js|css|png|jpg|jpeg|gif|ico)$ {
                expires 30d; # can set a shorter expiration like 30d if you prefer
                log_not_found off;
            }
        }
    }

With those changes I still get:

    Expires Thu, 06 Oct 2011 16:13:49 GMT
    Cache-Control max-age=604800

So not 30 days expiry! Any ideas on what I am doing wrong?
Codehusker Posted September 30, 2011

You have the right block of code for changing the cache expiration, but you need to put it in a different file. The config you posted above is /etc/nginx/nginx.conf, but you need to add it to a file in /etc/nginx/vhosts/. Inside that directory you'll probably find a file named with your website's domain, and inside the specific server block add your cache config.
_Mark_ Posted September 30, 2011

Ahh I have been using Nginx Admin so hadn't realised there were multiple config files! Will give it a go, thanks for your help! :)
JamesBB (Author) Posted October 2, 2011

JimO, Thanks for the reply it's a great post, but I am at a loss as to what you are suggesting I should replace in my own config rather than taking a copy of yours and adapting to myself? I really don't want to add options to the site conf file that are handled by my php configuration files..