Differences between revisions 6 and 25 (spanning 19 versions)
Revision 6 as of 2020-03-03 19:07:03
Size: 2323
Comment:
Revision 25 as of 2023-08-06 18:16:32
Size: 2057
Comment:
Line 1: Line 1:
= NGINX = = Nginx =
Line 3: Line 3:
A powerful web server built for multi-threading. Can even be used as a poor man's reverse proxy. '''`nginx(8)`''' is a web and proxy server written for modern workloads (chiefly multi-threading).

<<TableOfContents>>
Line 11: Line 13:
On Arch Linux, install `nginx`. Most [[Linux]] and [[BSD]] distributions offer a `nginx` package.
Line 13: Line 15:
On Ubuntu, to ensure all security patches have been applied, use the upstream PPA. On [[Linux/Ubuntu|Ubuntu]], to ensure all security patches have been applied, use the upstream PPA.
Line 16: Line 18:
sudo apt update && sudo apt upgrade
Line 20: Line 21:
}}}



=== Containers ===

[[Docker]] container images are also available for the last two versions. The image is available from [[Docker/Hub|DockerHub]] as `docker.io/library/nginx` (or simply `nginx` when using `docker(1)` specifically).

Try:

{{{
docker run --detach --name my-nginx \
  --mount type=bind,src=/path/to/web/root,dst=/usr/share/nginx/html,readonly \
  --publish 127.0.0.1:8080:80 \
  nginx:latest
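Review bot: the added `docker run` example ends with `nginx:latest`, a moving tag, so the same command pulls different code over time and a rebuilt host can silently change server version. Suggest pinning a specific version tag or an image digest in the example. The loopback-only `--publish 127.0.0.1:8080:80` and the `readonly` bind mount are good defaults and should stay.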
Line 28: Line 44:
=== Server blocks ===

=== Location blocks ===

An example location for a uWSGI (Python) server, such as [[MoinMoinSetup|MoinMoin]].
To check the configuration of `nginx(8)`, run...
Line 35: Line 47:
location / {
  include /etc/nginx/uwsgi_params;
  uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock;
}
nginx -t
Line 43: Line 52:
=== Restricting Access === === Syntax ===
Line 45: Line 54:
Access is best restricted by returning error 444 on any restricted requests. (Error 444 means the connection is dropped--the client gets no indication about availability or permission.)  * [[Nginx/Location|Location]]
 * [[Nginx/Http|Http]]
 * [[Nginx/RewritingAndReturning|Rewriting and Returning]]
 * [[Nginx/Server|Server]]
 * [[Nginx/TryFiles|Try Files]]
Line 47: Line 60:
As a good measure, the default server should return deny all requests. This will force requests to carry an external URL.
Line 49: Line 61:
{{{
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
}}}
Line 57: Line 62:
To deny requests for specific files, use a location block. === Proxying ===
Line 59: Line 64:
{{{
location ~ ^\.ht {
    return 444;
}
}}}
 * [[Nginx/FastCGI|FastCGI]]
 * [[Nginx/Uwsgi|Uwsgi]]
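Review bot: the deleted `location ~ ^\.ht` pattern in this hunk cannot match, because nginx tests location regexes against the request URI path, which always begins with `/`. If this block is being moved to the linked Nginx/Location page rather than dropped, write it there as `location ~ /\.ht` so that dotfiles such as `.htaccess` are actually covered.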
Line 65: Line 67:
To deny requests based on the method, use a conditional statement within a server block.
Line 67: Line 68:
{{{
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
}}}
Line 73: Line 69:
In all circumstances, conditional statements should be the last resort technique. They can be less than intuitive and difficult to debug. === Advanced Configuration ===
Line 75: Line 71:
----  * [[Nginx/Authentication|Authentication]]
 * [[Nginx/ClientCaching|Client Caching]]
 * [[Nginx/Compression|Compression]]
 * [[Nginx/Encryption|Encryption]]
Line 99: Line 98:
== Issues == == See also ==
Line 101: Line 100:
=== 403 on internal links (sometimes) ===

Do you have referral blocking on? It's possible that you are blocking your own referrals. Whenever the URL is reloaded, the referral header is dropped, allowing the connection.
[[https://man.archlinux.org/man/extra/nginx/nginx.8.en|nginx(8)]]
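Review bot: the removed "403 on internal links (sometimes)" entry describes a failure mode of the referer check, and the current revision still documents `valid_referers` with `return 403` under Restricting Referrers. Suggest keeping a one-line pointer to that symptom next to the referer section instead of dropping it together with the Issues heading.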

Nginx

nginx(8) is a web and proxy server written for modern workloads (chiefly multi-threading).


Installation

Most Linux and BSD distributions offer an nginx package.

On Ubuntu, to ensure all security patches have been applied, use the upstream PPA.

sudo add-apt-repository ppa:nginx/stable
sudo apt update
sudo apt install nginx

Containers

Docker container images are also available for the last two versions. The image is available from DockerHub as docker.io/library/nginx (or simply nginx when using docker(1) specifically).

Try:

docker run --detach --name my-nginx \
  --mount type=bind,src=/path/to/web/root,dst=/usr/share/nginx/html,readonly \
  --publish 127.0.0.1:8080:80 \
  nginx:latest


Configuration

To check the configuration of nginx(8), run...

nginx -t

Syntax

Proxying

Advanced Configuration

Restricting Referrers

It is sometimes desirable to block referrals.

valid_referers none blocked server_names
               ~example\.com;
if ($invalid_referer) {
    return 403;
}

none matches requests with a missing referer ("-"), while blocked matches referers that have been deleted by a firewall.

Literal server names may be given with a leading or trailing asterisk (*). Regular expressions are given with a leading tilde (~).
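
The following is an added example, not part of the original wiki page: it shows the referer rule above scoped to one location, with the unanchored regular expression beside an anchored form. The host names and the /images/ path are placeholders.

```nginx
# Added example; example.com, www.example.com and /images/ are placeholders.
server {
    listen 80;
    server_name example.com www.example.com;

    # Scope the check to the assets that need hotlink protection instead of
    # the whole server, so ordinary page navigation is never rejected.
    location /images/ {
        # Unanchored form from the section above:
        #     valid_referers none blocked server_names ~example\.com;
        # nginx tests the regex against the Referer text that follows
        # "http://" or "https://", so that form also accepts
        # "example.com.other.test/" and "other.test/?q=example.com".

        # Anchored form: the host must be example.com or a subdomain of it,
        # followed by an optional port and then a path or the end of string.
        valid_referers none blocked server_names
                       ~^([a-z0-9-]+\.)*example\.com(:\d+)?(/|$);

        if ($invalid_referer) {
            return 403;
        }
    }
}
```

The Referer header is supplied by the client and `none` admits requests that omit it, so this rule limits hotlinking from browsers and is not an access control. Run `nginx -t` after editing to confirm the regular expression parses.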


See also

nginx(8)


CategoryRicottone

Nginx (last edited 2023-08-06 18:16:32 by DominicRicottone)