Jump to content

Nginx config review


Recommended Posts

Hey guys..
Just wondering if I can get everyone's critique on my nginx config:



server {


  server_name domain.com;

 listen       80;

  access_log  /home/cj/spectrum-access.log;

  error_log   /home/cj/spectrum-error.log;


  large_client_header_buffers 4 8k; # prevent some 400 errors


  root        /home/cj/invision;

  index       index.php;

 location / {

  index index.php index.html index.htm;

  try_files $uri $uri/ /index.php?q=$uri;

  }


  location ~ \.php$ {

    fastcgi_pass   127.0.0.1:8888;

    fastcgi_index  index.php;

    include /etc/nginx/fastcgi_params;

    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

  }

}

 



Any input would be fantastic, I have tried to read other peoples but haven't made a whole lot of sense to me. What am I missing here? I have statements like max upload in the nginx.conf rather than url config file..

Link to comment
Share on other sites

  • 4 weeks later...

replace the PHP block with:

  location ~ .php$ {

   if (!-e $document_root/$document_uri) {

	return 404;

	break;

   }

   fastcgi_pass localhost:8888;

   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

   include /etc/nginx/fastcgi_params;

  }



this avoids sending unnecessary requests (i.e. 404s) to the PHP daemon, and works also as a security measure for certain exploits.

apart from this everything's fine.

Link to comment
Share on other sites

  • 2 weeks later...

replace the PHP block with:



  location ~ \.php$ {

   if (!-e $document_root/$document_uri) {

	return 404;

	break;

   }

   fastcgi_pass localhost:8888;

   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

   include /etc/nginx/fastcgi_params;

  }

this avoids sending unnecessary requests (i.e. 404s) to the PHP daemon, and works also as a security measure for certain exploits. apart from this everything's fine.

Noooooooooo!!!!!!! This is wrong! It's also way more inefficient to use an "if" block. Using "try_files" to test for a file's existence is more efficient and "location" blocks is the preferred method. This is my config. It takes care of upload directory and other PHP exploits. It also limits log size files for common files and handles some other security concerns.


server {

	listen my:ip:v6:add:ress:80;

	listen 80;

	listen my:ip:v6:add:re:ss:443 ssl;

	listen my.ipv4.add.ress:443 ssl;

	server_name domain.com;

	index index.php index.html index.htm;

	root /path/to/domain.com/html;

	client_max_body_size 12m;

	ssl_protocols    	SSLv3 TLSv1;

    	ssl_ciphers ECDHE-RSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:DES-CBC3-SHA;

    	ssl_ecdh_curve secp521r1;

	ssl_certificate  	/etc/ssl/certs/domain_com.crt;

	ssl_certificate_key  /etc/ssl/certs/domain_com.key;

	ssl_session_cache	shared:SSL:2m;

	ssl_session_timeout  10m;

	keepalive_timeout	70;


	## Disable all methods besides HEAD, GET and POST.

	if ($request_method !~ ^(GET|HEAD|POST)$ ) {

    	return 444;

	}

	## If no favicon exists return a 204 (no content error).

	location = /favicon.ico {

    	try_files $uri =204; # can delete if you're certain that one will be found at all levels

    	log_not_found off;

    	access_log off;

	}

	## Don't log robots.txt requests.

	location = /robots.txt {

    	allow all;

    	log_not_found off;

    	access_log off;

	}


	## Static files are served directly.

	location ~* \.(?:js|css|png|jpg|jpeg|gif|ico)$ {

    	output_buffers 1 64k;  # don't need this unless using AIO on FreeBSD

    	expires max;  # can set a shorter expiration like 30d if you prefer

    	log_not_found off;

	}

	## Keep a tab on the 'big' static files.

	location ~* ^.+\.(?:m4a|mp[34]|mov|ogg|pdf|wmv|flv|ppt[x]*)$ {

    	expires 30d;

	}

	## All files/directories that are protected and unaccessible from

	## the web.

	location ~* ^.*(\.(?:htaccess|txt|log*))$ {

    	return 404;


	location ~ /forums/ {

    	error_page 404 index.php;

    	try_files $uri $uri/ /forums/index.php;

    	location  ~ index.php$ {

        	fastcgi_split_path_info ^(.+\.php)(/.+)$;

        	try_files $uri =403;

        	fastcgi_pass 127.0.0.1:9000;

        	include /usr/local/etc/nginx/fastcgi_params;

        	fastcgi_buffers 64 4k;

    	}


            	location ~ \.php$ {

            	rewrite ^ / permanent;

            	}

	}


	# Deny access (403) access to all perl or php scripts in certain locations.

	location ~* /forums/(?:cache|hooks|public/style_css|public/style_images|uploads)/.*\.(?:pl|php[345]*)$ {

    	return 403;

	}


	# protect directories where users can upload malicious files

	location ^~ /forums/galleryuploads/ {

    	try_files $uri =403;

	}


	location ^~ /forums/uploads/ {

    	try_files $uri =403;

	}


	location ~ index.php$ {

    	fastcgi_split_path_info ^(.+\.php)(/.+)$;

    	try_files $uri =403;

    	fastcgi_pass 127.0.0.1:9000;

    	include /usr/local/etc/nginx/fastcgi_params;

    	fastcgi_buffers 64 4k;

	}


}


## Rewrite www.doman.com to domain.com

server {

	listen my:ip:v6:add:re:ss:80;

	listen 80;

	server_name   www.domain.com;

	rewrite ^   $scheme://domain.com$request_uri? permanent;

}




You should also edit your php.ini file:

- cgi.fix_pathinfo=1
+ cgi.fix_pathinfo=0

Please note that the paths to your files, your nginx.conf file and your fastcgi_params files may be different. Port numbers may also differ. Traditionally PHP-FPM has been run on 9000 but there's no rule about that. %7Boption%7D This also assumes your forums are in a subdirectory called "forums" This works for me and avoids use of any unnecessary "if's".

You may not need all of this (like IPv6 or SSL if you aren't using them) but it is a good basis for you to use. YMMV of course.

Link to comment
Share on other sites

  • 1 month later...

I have moved to nginx and want to enable the expiry date on the images being served from my site. I currently checked the expiry date and the images are as follows:

Expires Thu, 06 Oct 2011 16:04:32 GMT
Cache-Control max-age=604800


My current config is:




user  nobody;

# no need for more workers in the proxy mode

worker_processes  2;

error_log  /var/log/nginx/error.log info;

worker_rlimit_nofile 20480;

events {

worker_connections 5120; # increase for busier servers

use epoll; # you should use epoll here for Linux kernels 2.6.x

}




http {



server_name_in_redirect off;

server_names_hash_max_size 10240;

server_names_hash_bucket_size 1024;

include	mime.types;

default_type  application/octet-stream;

server_tokens off;

sendfile on;

tcp_nopush on;

tcp_nodelay on;

keepalive_timeout  60;

gzip on;

gzip_vary on;

gzip_disable "MSIE [1-6]\.";

gzip_proxied any;

gzip_http_version 1.1;

gzip_min_length  1000;

gzip_comp_level  6;

gzip_buffers  16 8k;

# You can remove image/png image/x-icon image/gif image/jpeg if you have slow CPU

gzip_types	text/plain text/xml text/css application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg application/xml+rss text/javascript application/atom+xml;

ignore_invalid_headers on;

client_header_timeout  3m;

client_body_timeout 3m;

send_timeout	 3m;

reset_timedout_connection on;

connection_pool_size  256;

client_header_buffer_size 256k;

large_client_header_buffers 4 256k;

client_max_body_size 200M;

client_body_buffer_size 128k;

request_pool_size  32k;

output_buffers   4 32k;

postpone_output  1460;

proxy_temp_path  /tmp/nginx_proxy/;

client_body_in_file_only on;

log_format bytes_log "$msec $bytes_sent .";

include "/etc/nginx/vhosts/*";


}

So using the example above I added in:




server {


			## Static files are served directly.

			location ~* \.(?:js|css|png|jpg|jpeg|gif|ico)$ {

			expires 30d;  # can set a shorter expiration like 30d if you prefer

			log_not_found off;

			}


		   }

So it looks like this:

user  nobody;

# no need for more workers in the proxy mode

worker_processes  2;

error_log  /var/log/nginx/error.log info;

worker_rlimit_nofile 20480;

events {

worker_connections 5120; # increase for busier servers

use epoll; # you should use epoll here for Linux kernels 2.6.x

}




http {



server_name_in_redirect off;

server_names_hash_max_size 10240;

server_names_hash_bucket_size 1024;

include	mime.types;

default_type  application/octet-stream;

server_tokens off;

sendfile on;

tcp_nopush on;

tcp_nodelay on;

keepalive_timeout  60;

gzip on;

gzip_vary on;

gzip_disable "MSIE [1-6]\.";

gzip_proxied any;

gzip_http_version 1.1;

gzip_min_length  1000;

gzip_comp_level  6;

gzip_buffers  16 8k;

# You can remove image/png image/x-icon image/gif image/jpeg if you have slow CPU

gzip_types	text/plain text/xml text/css application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg application/xml+rss text/javascript application/atom+xml;

ignore_invalid_headers on;

client_header_timeout  3m;

client_body_timeout 3m;

send_timeout	 3m;

reset_timedout_connection on;

connection_pool_size  256;

client_header_buffer_size 256k;

large_client_header_buffers 4 256k;

client_max_body_size 200M;

client_body_buffer_size 128k;

request_pool_size  32k;

output_buffers   4 32k;

postpone_output  1460;

proxy_temp_path  /tmp/nginx_proxy/;

client_body_in_file_only on;

log_format bytes_log "$msec $bytes_sent .";

include "/etc/nginx/vhosts/*";


server {


			## Static files are served directly.

			location ~* \.(?:js|css|png|jpg|jpeg|gif|ico)$ {

			expires 30d;  # can set a shorter expiration like 30d if you prefer

			log_not_found off;

			}


		   }


}




With those changes I still get:

Expires Thu, 06 Oct 2011 16:13:49 GMT
Cache-Control max-age=604800

So not 30 days expiry! Any ideas on what I am doing wrong?

Link to comment
Share on other sites

You have the right block of code for changing the cache expiration, but you need to put it in a different file.

The config you posted above is /etc/nginx/nginx.conf, but you need to add it to a file in /etc/nginx/vhosts/. Inside that directory you'll probably find a file named with your websites domain, and inside the specific server block add your cache config.

Link to comment
Share on other sites

JimO,
Thanks for the reply it's a great post, but I am at a loss as to what you are suggesting I should replace in my own config rather than taking a copy of yours and adapting to myself? I really don't want to add options to the site conf file that are handled by my php configuration files..

Link to comment
Share on other sites

  • 4 weeks later...

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...