Differences between revisions 1 and 10 (spanning 9 versions)
Revision 1 as of 2020-01-20 07:16:38
Revision 10 as of 2021-11-18 07:58:01
'''`nginx(8)`''' is a web and proxy server written for modern workloads (chiefly multi-threading).

<<TableOfContents>>

----



== Installation ==

Most Linux and BSD distributions offer an `nginx` package.

On Ubuntu, to ensure all security patches have been applied, use the upstream PPA.

{{{
sudo add-apt-repository ppa:nginx/stable
sudo apt update
sudo apt install nginx
}}}

----

== Configuration ==

To check the configuration of `nginx(8)`, run:

{{{
nginx -t
}}}

=== Server blocks ===

=== Location blocks ===

An example location for a uWSGI (Python) server, such as [[MoinMoinSetup|MoinMoin]].

{{{
location / {
  include /etc/nginx/uwsgi_params;
  uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock;
}
}}}


=== Restricting Access ===

Access is best restricted by returning status code `444`, an nginx-specific code that closes the connection without sending any response to the client.

Best practice is for the default server to deny all requests, ensuring that only known domains are served.

{{{
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
}}}

To deny requests based on the URI, use a location block.

{{{
# Request URIs always begin with "/", so match the dotfile after a slash.
location ~ /\.ht {
    return 444;
}
}}}

To deny requests based on the HTTP method, use a conditional statement.

{{{
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
}}}

In all circumstances, conditional statements should be a technique of last resort. They can be unintuitive and difficult to debug.
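
The restrictions above combined into one configuration, as an added example that is not part of the original page. It assumes `example.com` as a placeholder domain, nginx 1.19.4 or later for `ssl_reject_handshake`, and it swaps the `if` method check for `limit_except`, which answers `403` instead of `444`.

```nginx
# Added example. example.com is a placeholder; the socket path is the one
# used in the uWSGI location earlier on this page.

# Catch-all server: any request whose Host header (or TLS SNI name)
# matches no configured server_name lands here and is dropped.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # Abort the TLS handshake for unknown names, so no certificate
    # has to be configured (or disclosed) for the catch-all.
    # Requires nginx 1.19.4 or later.
    ssl_reject_handshake on;

    return 444;
}

# The one known site.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Hidden Apache-style files such as .htaccess and .htpasswd.
    location ~ /\.ht {
        return 444;
    }

    location / {
        # Method allow-list without "if". Allowing GET also allows HEAD.
        # Every other method is refused with 403.
        limit_except GET POST {
            deny all;
        }

        include /etc/nginx/uwsgi_params;
        uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock;
    }
}
```

Run `nginx -t` after editing; an nginx older than 1.19.4 rejects the `ssl_reject_handshake` directive at that step.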



=== Restricting Referrers ===

It is sometimes desirable to block requests based on the `Referer` header.

{{{
valid_referers none blocked server_names
               ~example\.com;
if ($invalid_referer) {
    return 403;
}
}}}

`none` matches missing referers (`"-"`), while `blocked` matches referers that have been deleted by a firewall.

Literal server names can be given with a leading or trailing asterisk (`*`). Regular expressions are given with a leading tilde (`~`).



Nginx (last edited 2023-08-06 18:16:32 by DominicRicottone)