NGINX

A powerful web server built for multi-threading. Can even be used as a poor man's reverse proxy.

Installation

On Arch Linux, install nginx.

On Ubuntu, to ensure all security patches have been applied, use the upstream PPA.

sudo add-apt-repository ppa:nginx/stable
sudo apt update
sudo apt install nginx

Configuration

Server blocks

Location blocks

An example location for a uWSGI (Python) server, such as MoinMoin.

location / {
  include /etc/nginx/uwsgi_params;
  uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock;
}

Restricting Access

Access is best restricted by returning error 444 on any restricted requests. (Error 444 means the connection is dropped--the client gets no indication about availability or permission.)

As a good measure, the default server should return deny all requests. This will force requests to carry an external URL.

server {
    listen 80 default_server;
    server_name _;
    return 444;
}

To deny requests for specific files, use a location block.

location ~ ^\.ht {
    return 444;
}

To deny requests based on the method, use a conditional statement within a server block.

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}

In all circumstances, conditional statements should be the last resort technique. They can be less than intuitive and difficult to debug.

Restricting Referrers

It is sometimes desirable to block referrals.

valid_referers none blocked server_names
               ~example\.com;
if ($invalid_referer) {
    return 403;
}

none matching missing referers ("-"), while blocked matches referers that have been deleted by a firewall.

Literal server names are given with a leading or trailing asterisk (*). Regular expressions are given with a leading tilde (~).

Issues

403 on internal links (sometimes)

Do you have referral blocking on? It's possible that you are blocking your own referrals. Whenever the URL is reloaded, the referral header is dropped, allowing the connection.

CategoryRicottone