nginx-config

Полезные шаблоны конфигов для Nginx

MIT License


Nginx

Nginx

     Nginx.
  • nginx -V - Nginx, .
  • nginx -t - .
  • nginx -s reload - Nginx.

location PHP

   PHP, FPM  CGI   .
# Pass every request whose URI ends in .php to a FastCGI backend on a Unix socket.
location ~ \.php$ {
  # Answer 404 unless the requested file exists on disk, so only scripts that
  # really exist are handed to the PHP interpreter. Keep this line when copying.
  try_files $uri =404;
  # Largest request body accepted here (uploads); bigger requests get 413.
  client_max_body_size 64m;
  # Bodies larger than this buffer are spooled to a temporary file.
  client_body_buffer_size 128k;
  include fastcgi_params;
  # Script path is built from the document root plus the matched script name.
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  # Placeholder path: point this at the real PHP-FPM socket.
  fastcgi_pass unix:/path/to/php.sock;
}

www

www c www:

# Bare domain: permanent redirect to the www host, keeping scheme and URI.
server {
  listen 80;
  server_name example.org;
  # The target host is a literal, so the redirect never echoes a client-supplied Host.
  return 301 $scheme://www.example.org$request_uri;
}

# Canonical www host; the site's own directives (root, locations, ...) go here.
server {
  listen 80;
  server_name www.example.org;
}
 HTTPS,      server{},    443 .

no-www

   c *www*     *www*:
# Canonical bare-domain host; the site's own directives (root, locations, ...) go here.
server {
  listen 80;
  server_name example.org;
}

# www host: permanent redirect to the bare domain, keeping scheme and URI.
server {
  listen 80;
  server_name www.example.org;
  # The target host is a literal, so the redirect never echoes a client-supplied Host.
  return 301 $scheme://example.org$request_uri;
}
 HTTPS,      server{},    443 .

HTTPS

HTTP  HTTPS:  
# Port 80 only redirects: every plain-HTTP request gets a 301 to the same host and URI over https.
server {
  listen 80;
  # $host is taken from the request (request line or Host header when present).
  # This block has no server_name, so the redirect repeats whatever host the
  # client sent; use a literal host name if it must always be the canonical one.
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;

  # let the browsers know that we only accept HTTPS
  # max-age=2592000 is 30 days. Without the "always" parameter nginx adds the
  # header only to successful and redirect responses, not to error pages.
  # add_header is inherited only by levels that declare no add_header of their
  # own, so a location with its own add_header must repeat this line.
  add_header Strict-Transport-Security max-age=2592000;
}

`/`    URL,   ,   URL    .    *example.com/index.php*  *example.com/do?some=123*   .  
# Append a trailing slash with a 301 when the URI contains no "." or "?" and
# does not already end in "/"; URIs with a file extension are left untouched.
rewrite ^([^.\?]*[^/])$ $1/ permanent;

# Exact-match location: permanently redirect one retired page to its replacement.
location = /oldpage.html {
    # NOTE(review): the target is plain http://; if the new page is served over
    # TLS, point this at https:// to avoid an extra hop through cleartext.
    return 301 http://example.org/newpage.html;
  }

# Whole-domain move: every request for old-site.com gets a 301 to the same URI on new-site.com.
server {
  server_name old-site.com;
  # $scheme keeps http/https as requested; the target host is a fixed literal.
  return 301 $scheme://new-site.com$request_uri;
}

URI

# Move one path prefix: /old-site/<rest> is permanently redirected to /new-site/<rest> on example.org.
location /old-site {
  # $1 is the part of the URI after /old-site/. The target is plain http://.
  # NOTE(review): switch to https:// if example.org is served over TLS.
  rewrite ^/old-site/(.*) http://example.org/new-site/$1 permanent;
}

 . Nginx   : Expires  Cache-Control.
# Long-lived browser caching for static files.
# This is a prefix match: it applies to every URI that starts with /static.
location /static {
  # With "root", the full URI is appended: /static/a.css is read from /data/static/a.css.
  root /data;
  # Far-future Expires plus a 10-year Cache-Control max-age; change the file
  # name or add a version to the URL when the content changes.
  expires max;
}

( ) :

# Serve a built-in 1x1 transparent GIF that is never cached.
location = /empty.gif {
  empty_gif;
  # A negative value makes nginx send "Cache-Control: no-cache".
  expires -1;
}

Gzip

# Response compression. text/html is always compressed once gzip is on; the
# gzip_types list below adds further MIME types.
# NOTE(review): compressing TLS responses that carry a secret together with
# request-controlled text exposes them to compression side channels of the
# BREACH class; consider "gzip off;" in locations that return such pages.
gzip  on;
gzip_buffers 16 8k;
# Compression level 6 (range 1-9).
gzip_comp_level 6;
gzip_http_version 1.1;
# Skip responses shorter than 256 bytes (judged by Content-Length).
gzip_min_length 256;
# Also compress responses to requests that arrived through a proxy.
gzip_proxied any;
# Emit "Vary: Accept-Encoding" so caches keep compressed and plain copies apart.
gzip_vary on;
gzip_types
  text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
  text/javascript application/javascript application/x-javascript
  text/x-json application/json application/x-web-app-manifest+json
  text/css text/plain text/x-component
  font/opentype application/x-font-ttf application/vnd.ms-fontobject
  image/x-icon;
# Do not compress for old MSIE (4-6) user agents.
gzip_disable "msie6";

     Nginx,         .
# Cache open file descriptors and file metadata for frequently served files.
# Keep at most 1000 entries; drop an entry not accessed for 20 seconds.
open_file_cache max=1000 inactive=20s;
# Re-check a cached entry against the file system every 30 seconds.
open_file_cache_valid 30s;
# An entry stays open only if used at least twice within the inactive window.
open_file_cache_min_uses 2;
# Cache lookup errors (such as "file not found") as well.
open_file_cache_errors on;

SSL

SSL SSL SSL/TLS .

# TLS session cache shared by all worker processes: zone "SSL", 10 MB.
ssl_session_cache shared:SSL:10m;
# A client may resume a cached session for up to 10 minutes.
ssl_session_timeout 10m;

Upstream

c Upstream :

# Upstream group with connection reuse towards a local backend.
upstream backend {
  server 127.0.0.1:8080;
  # Keep up to 32 idle connections to the upstream open per worker process.
  keepalive 32;
}

server {

  location /api/ {
    proxy_pass http://backend;
    # Upstream keepalive needs HTTP/1.1 and an empty Connection header, so the
    # client's "Connection: close" is not forwarded to the backend.
    proxy_http_version 1.1;
    proxy_set_header Connection "";
  }
}

Stub Status , with-http_stub_status_module :

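# Connection counters from the stub_status module (nginx must be built with
# --with-http_stub_status_module).
location /status {
  stub_status on;
  # Polling by a monitoring agent would otherwise flood the access log.
  access_log off;
  # The counters reveal server load and should not be publicly readable.
  # Only the local host may read them; add an "allow" line for each
  # monitoring address before the final "deny all".
  allow 127.0.0.1;
  deny all;
}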
             (, , ).

Nginx     [Luameter](https://luameter.com/),         Nginx Lua .           JSON:
  • /.
  •   : 1xx, 2xx, 3xx, 4xx, 5xx.
    
  • / .
  •  , , ,   .
    
  •       .
    
  • ...

Luameter.

  [ngxtop](https://github.com/lebinh/ngxtop).

        :
:
server/location ,   :
# HTTP Basic authentication for the enclosing server or location.
# Basic credentials travel base64-encoded, not encrypted, so serve the
# protected area over HTTPS only.
auth_basic "This is Protected";
# Placeholder path. Keep the password file outside the document root and
# readable only by the nginx user.
auth_basic_user_file /path/to/password-file;

# Restrict a location to requests coming from the local host.
location /local {
  # Rules are checked in order and the first match wins, so "deny all" must stay last.
  # NOTE(review): the check uses the connecting address. If nginx sits behind
  # a proxy or load balancer on the same host, every request appears to come
  # from 127.0.0.1; confirm the deployment before relying on this rule.
  allow 127.0.0.1;
  deny all;
}

SSL

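# Do not enable SSLv3 (POODLE, CVE-2014-3566 - http://nginx.com/blog/nginx-poodle-ssl/).
# TLS 1.0 and TLS 1.1 are deprecated as well, so only TLS 1.2 is offered here.
# Append TLSv1.3 when running nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.
ssl_protocols  TLSv1.2;

# Cipher list derived from an older Mozilla "Intermediate" set
# (https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx): forward-secret
# ECDHE/DHE suites first. 3DES is excluded (!3DES) because 64-bit block
# ciphers are exposed to Sweet32. Compare with the current Mozilla
# recommendation before deploying, since published sets change over time.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Use the server's cipher order rather than the client's.
ssl_prefer_server_ciphers  on;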

, ** **. - API, . - , ( .gif) . post_action, - .

# Tracking pixel: answer immediately with an uncached 1x1 GIF, then notify a
# backend once the response has been sent.
location = /empty.gif {
  empty_gif;
  expires -1;
  # post_action issues a subrequest to @track after the main request completes.
  # NOTE(review): post_action is not part of the documented nginx directive
  # set; test it on the nginx version in use before relying on it.
  post_action @track;
}

location @track {
  # Reachable only through internal redirects and subrequests, never directly by clients.
  internal;
  # "tracking-backend" must resolve to an upstream or host defined elsewhere.
  proxy_pass http://tracking-backend;
}

  -    :
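# Allow web fonts to be loaded from pages on other origins.
# The pattern is anchored with "$" so it matches only URIs that end in a font
# extension. Unanchored, it matched any URI merely containing ".eot", ".ttf"
# or ".woff", and regex locations are tried in file order, so it could capture
# requests meant for a later location. "woff2?" keeps .woff2 files covered.
location ~* \.(eot|ttf|woff2?)$ {
  # A wildcard origin suits public static fonts; do not copy it to locations
  # that return user-specific data.
  # This location declares its own add_header, so add_header lines from the
  # server level (for example Strict-Transport-Security) are not inherited
  # here and must be repeated if they are needed.
  add_header Access-Control-Allow-Origin *;
}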