|
Size: 1809
Comment:
|
Size: 2286
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| A powerful web server built for multi-threading. Can even be used as a poor man's [[HAProxySetup||HAProxy]]. | '''`nginx(8)`''' is a web and proxy server written for modern workloads (chiefly multi-threading). <<TableOfContents>> ---- == Installation == Most Linux and BSD distributions offer a `nginx` package. On Ubuntu, to ensure all security patches have been applied, use the upstream PPA. {{{ sudo add-apt-repository ppa:nginx/stable sudo apt update sudo apt install nginx }}} |
| Line 11: | Line 29: |
| To check the configuration of `nginx(8)`, run... {{{ nginx -t }}} |
|
| Line 15: | Line 41: |
| An example location for a uWSGI (Python) server, such as [[Python/MoinMoin|MoinMoin]]. {{{ location / { include /etc/nginx/uwsgi_params; uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock; } }}} === Encryption === See [[NGINX/SSL|here]] for details. === Authentication === |
|
| Line 17: | Line 62: |
| Access is best restricted by returning error 444 on any restricted requests. (Error 444 means the connection is dropped--the client gets no indication about availability or permission.) | Access is best restricted by returning error code `444`, which causes the connection to drop without any signalling to the client. |
| Line 19: | Line 64: |
| As a good measure, the default server should return deny all requests. This will force requests to carry an external URL. | Best practice is for the default server to deny all requests, ensuring that only known domains are served. |
| Line 29: | Line 74: |
| To deny requests for specific files, use a location block. | To deny requests based on the URI, use a location block. |
| Line 37: | Line 82: |
| To deny requests based on the method, use a conditional statement. | To deny requests based on the HTTP method, use a conditional statement. |
| Line 46: | Line 91: |
---- |
|
| Line 67: | Line 110: |
| ---- | === FastCGI === See [[NGINX/FastCGI|here]] for details. |
| Line 71: | Line 118: |
| == Issues == | === UWSGI === |
| Line 73: | Line 120: |
| === 403 on internal links (sometimes) === Do you have referral blocking on? It's possible that you are blocking your own referrals. Whenever the URL is reloaded, the referral header is dropped, allowing the connection. |
See [[NGINX/UWSGI|here]] for details. |
NGINX
nginx(8) is a web and proxy server written for modern workloads (chiefly multi-threading).
Contents
Installation
Most Linux and BSD distributions offer a nginx package.
On Ubuntu, to ensure all security patches have been applied, use the upstream PPA.
sudo add-apt-repository ppa:nginx/stable sudo apt update sudo apt install nginx
Configuration
To check the configuration of nginx(8), run...
nginx -t
Server blocks
Location blocks
An example location for a uWSGI (Python) server, such as MoinMoin.
location / {
include /etc/nginx/uwsgi_params;
uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock;
}
Encryption
See here for details.
Authentication
Restricting Access
Access is best restricted by returning error code 444, which causes the connection to drop without any signalling to the client.
Best practice is for the default server to deny all requests, ensuring that only known domains are served.
server {
listen 80 default_server;
server_name _;
return 444;
}To deny requests based on the URI, use a location block.
location ~ ^\.ht {
return 444;
}To deny requests based on the HTTP method, use a conditional statement.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}In all circumstances, conditional statements should be the last resort technique. They can be less than intuitive and difficult to debug.
Restricting Referrers
It is sometimes desirable to block referrals.
valid_referers none blocked server_names
~example\.com;
if ($invalid_referer) {
return 403;
}none matching missing referers ("-"), while blocked matches referers that have been deleted by a firewall.
Literal server names are given with a leading or trailing asterisk (*). Regular expressions are given with a leading tilde (~).
FastCGI
See here for details.
UWSGI
See here for details.