Difference between revisions of "Nginx"
(Created page with "'''Nginx''' is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. ==Example Nginx configuration file== <pre> $ cat nginx.conf...") |
Line 1: | Line 1: | ||
'''Nginx''' is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. | '''Nginx''' is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. | ||
− | ==Example Nginx configuration | + | ==Example Nginx configuration files== |
+ | ; Basic | ||
<pre> | <pre> | ||
$ cat nginx.conf | $ cat nginx.conf | ||
Line 75: | Line 76: | ||
} | } | ||
} | } | ||
+ | } | ||
+ | </pre> | ||
+ | |||
+ | ; Using SSL/TLS | ||
+ | <pre> | ||
+ | server { | ||
+ | listen 80; | ||
+ | server_name www.example.com example.com; | ||
+ | |||
+ | # Redirect all traffic to SSL | ||
+ | rewrite ^ https://$server_name$request_uri? permanent; | ||
+ | } | ||
+ | |||
+ | server { | ||
+ | listen 443 ssl default_server; | ||
+ | |||
+ | # enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used. | ||
+ | ssl_protocols SSLv3 TLSv1; | ||
+ | |||
+ | # disables all weak ciphers | ||
+ | ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; | ||
+ | |||
+ | server_name www.example.com example.com; | ||
+ | |||
+ | ## Access and error logs. | ||
+ | access_log /var/log/nginx/access.log; | ||
+ | error_log /var/log/nginx/error.log info; | ||
+ | |||
+ | ## Keep alive timeout set to a greater value for SSL/TLS. | ||
+ | keepalive_timeout 75 75; | ||
+ | |||
+ | ## See the keepalive_timeout directive in nginx.conf. | ||
+ | ## Server certificate and key. | ||
+ | ssl on; | ||
+ | ssl_certificate /etc/ssl/certs/example.com-rapidssl.crt; | ||
+ | ssl_certificate_key /etc/ssl/private/example.com-rapidssl.key; | ||
+ | ssl_session_timeout 5m; | ||
+ | |||
+ | ## Strict Transport Security header for enhanced security. See | ||
+ | ## http://www.chromium.org/sts. Here it is set it to 2 hours; | ||
+ | ## set it to whichever age you want. | ||
+ | add_header Strict-Transport-Security "max-age=7200"; | ||
+ | |||
+ | root /var/www/example.com/; | ||
+ | index index.php; | ||
} | } | ||
</pre> | </pre> |
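Review bot: The added HTTPS server block sets `ssl_protocols SSLv3 TLSv1;`, which keeps SSLv3 (broken by POODLE) enabled and offers nothing newer than TLS 1.0; on a current nginx/OpenSSL build this should read `ssl_protocols TLSv1.2 TLSv1.3;`. The `ssl_ciphers` line is commented as disabling all weak ciphers, but it starts from `ALL`, names `RC4+RSA` explicitly and never excludes the MEDIUM class, so RC4 suites can remain negotiable depending on the OpenSSL build; `ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES;` would match what the comment promises. `ssl on;` is redundant next to `listen 443 ssl` and is deprecated in later nginx releases, so it can be dropped. The comment `## See the keepalive_timeout directive in nginx.conf.` sits after the directive it refers to and reads as if it belonged to the certificate settings.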
Latest revision as of 02:30, 10 December 2022
Nginx is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
Example Nginx configuration files
- Basic
$ cat nginx.conf
# ---- Process-level settings -------------------------------------------------
user www www;                 # worker account and group (nginx default: nobody)
worker_processes 5;           # nginx default: 1
error_log logs/error.log;
pid logs/nginx.pid;
worker_rlimit_nofile 8192;    # open-file limit for worker processes

events {
    worker_connections 4096;  # nginx default: 1024
}

http {
    # Shared settings pulled in from separate files.
    include conf/mime.types;
    include /etc/nginx/proxy.conf;
    include /etc/nginx/fastcgi.conf;
    index index.html index.htm index.php;

    default_type application/octet-stream;

    # "main" log format: client address, user, timestamp, status, request line,
    # bytes sent, referer, user agent and X-Forwarded-For.
    log_format main '$remote_addr - $remote_user [$time_local] $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

    sendfile on;
    tcp_nopush on;

    # The original author notes this seems to be required for some vhosts.
    server_names_hash_bucket_size 128;

    # --- Virtual host 1: PHP through FastCGI ---
    server {
        listen 80;
        server_name domain1.com www.domain1.com;
        access_log logs/domain1.access.log main;
        root html;

        # NOTE(review): every URI ending in .php is handed to the FastCGI
        # backend as-is; confirm the backend only executes scripts that
        # actually exist under the document root.
        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:1025;
        }
    }

    # --- Virtual host 2: simple reverse proxy ---
    server {
        listen 80;
        server_name domain2.com www.domain2.com;
        access_log logs/domain2.access.log main;

        # Static assets are served straight from disk with a 30-day expiry.
        location ~ ^/(images|javascript|js|css|flash|media|static)/ {
            root /var/www/virtual/big.server.com/htdocs;
            expires 30d;
        }

        # Everything else goes to the application server
        # (rails/turbogears/zope, et al).
        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }

    # Backend pool used by the load-balancing virtual host below.
    upstream big_server_com {
        server 127.0.0.3:8000 weight=5;
        server 127.0.0.3:8001 weight=5;
        server 192.168.0.1:8000;
        server 192.168.0.1:8001;
    }

    # --- Virtual host 3: simple load balancing ---
    server {
        listen 80;
        server_name big.server.com;
        access_log logs/big.server.access.log main;

        location / {
            proxy_pass http://big_server_com;
        }
    }
}
- Using SSL/TLS
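# Plain-HTTP listener: its only job is to send clients to the HTTPS site.
server {
    listen 80;
    server_name www.example.com example.com;

    # Redirect all traffic to HTTPS. $server_name is the first name configured
    # above, not the Host header supplied by the client.
    rewrite ^ https://$server_name$request_uri? permanent;
}

# HTTPS listener. TLS is switched on by the "ssl" parameter of "listen";
# the separate "ssl on;" directive is redundant with it and deprecated in
# later nginx releases, so it is not used here.
server {
    listen 443 ssl default_server;
    server_name www.example.com example.com;

    # Offer only TLS 1.2 and 1.3. SSLv2, SSLv3 and TLS 1.0 are obsolete and
    # must not be enabled. TLSv1.3 needs an nginx/OpenSSL build that supports
    # it; remove that parameter on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Start from the HIGH class and explicitly exclude unauthenticated, null,
    # MD5, RC4 and 3DES suites, instead of starting from ALL.
    ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES;

    ## Access and error logs.
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log info;

    ## Keep-alive timeout set to a greater value for SSL/TLS.
    ## See also the keepalive_timeout directive in nginx.conf.
    keepalive_timeout 75 75;

    ## Server certificate and key. The key file should be readable only by
    ## the account that starts nginx.
    ssl_certificate /etc/ssl/certs/example.com-rapidssl.crt;
    ssl_certificate_key /etc/ssl/private/example.com-rapidssl.key;
    ssl_session_timeout 5m;

    ## Strict Transport Security header. See http://www.chromium.org/sts.
    ## max-age is 7200 seconds (2 hours) here; set it to whichever age
    ## suits the deployment.
    add_header Strict-Transport-Security "max-age=7200";

    root /var/www/example.com/;
    index index.php;
}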