Size: 2286 | Size: 2065
Comment: | Comment:
Deletions are marked like this. | Additions are marked like this.
Line 3: | Line 3: |
A powerful web server built for multi-threading. Can even be used as a poor man's reverse proxy. | '''`nginx(8)`''' is a web and proxy server written for modern workloads (chiefly multi-threading). <<TableOfContents>> |
Line 11: | Line 13: |
On Arch Linux, install `nginx`. | Most Linux and BSD distributions offer a `nginx` package. |
Line 26: | Line 28: |
To check the configuration of `nginx(8)`, run... {{{ nginx -t }}} | |
Line 44: | Line 54: |
Access is best restricted by returning error 444 on any restricted requests. (Error 444 means the connection is dropped--the client gets no indication about availability or permission.) | Access is best restricted by returning error code `444`, which causes the connection to drop without any signalling to the client. |
Line 46: | Line 56: |
As a good measure, the default server should return deny all requests. This will force requests to carry an external URL. | Best practice is for the default server to deny all requests, ensuring that only known domains are served. |
Line 56: | Line 66: |
To deny requests for specific files, use a location block. | To deny requests based on the URI, use a location block. |
Line 64: | Line 74: |
To deny requests based on the method, use a conditional statement within a server block. | To deny requests based on the HTTP method, use a conditional statement. |
Line 73: | Line 83: |
---- | |
Line 94: | Line 102: |
---- == Issues == === 403 on internal links (sometimes) === Do you have referral blocking on? It's possible that you are blocking your own referrals. Whenever the URL is reloaded, the referral header is dropped, allowing the connection. |
NGINX
nginx(8) is a web and proxy server written for modern workloads (chiefly multi-threading).
Installation
Most Linux and BSD distributions offer a nginx package.
On Ubuntu, to ensure all security patches have been applied, use the upstream PPA.
sudo add-apt-repository ppa:nginx/stable
sudo apt update
sudo apt install nginx
Configuration
To check the configuration of nginx(8), run...
nginx -t
Server blocks
Location blocks
An example location for a uWSGI (Python) server, such as MoinMoin.
location / {
    include /etc/nginx/uwsgi_params;
    uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock;
}
Restricting Access
Access is best restricted by returning error code 444, which causes the connection to drop without any signalling to the client.
Best practice is for the default server to deny all requests, ensuring that only known domains are served.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
To deny requests based on the URI, use a location block.
# The regex is matched against the request URI, which always begins with "/",
# so "^\.ht" would never match; anchor on "/\.ht" instead.
location ~ /\.ht {
    return 444;
}
To deny requests based on the HTTP method, use a conditional statement.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
In all circumstances, conditional statements should be a last-resort technique. They can be unintuitive and difficult to debug.
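The three restrictions above combined into one minimal configuration, as an added example that is not from the wiki page. The host name, document root and file path are placeholders. It goes one step beyond the page by showing `limit_except` as the way to restrict HTTP methods without a conditional statement, since the page advises treating `if` as a last resort; note that `limit_except` answers disallowed methods with `403` rather than dropping the connection, so the page's `if ... return 444` form is still the one to use when no response at all is wanted.

```nginx
# Added example, e.g. /etc/nginx/conf.d/restrict.conf (placeholder path).

# Catch-all: any request whose Host header matches no other server_name
# (including requests addressed to the bare IP) gets the connection closed.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;     # placeholder host name
    root /var/www/example;           # placeholder document root

    # URI-based denial: the regex is matched against the request URI, which
    # always begins with "/", so anchor on "/\." rather than "^\.".
    location ~ /\.ht {
        return 444;
    }

    # Same idea, broader: refuse every dotfile and dot-directory (.git, .env, ...).
    location ~ /\. {
        return 444;
    }

    # Method restriction without "if": listed methods are allowed (HEAD is
    # implied by GET); everything else is subject to the access rules inside,
    # here "deny all", which yields a 403 response.
    location / {
        limit_except GET POST {
            deny all;
        }
        try_files $uri $uri/ =404;
    }
}
```

After `nginx -t` and a reload, a request with an unknown Host header (for example `curl -sv -H 'Host: unknown.invalid' http://127.0.0.1/`) should end with an empty reply from the server, a request for `/.htpasswd` likewise, and `curl -sI -X DELETE http://www.example.com/` should return `403`.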
Restricting Referrers
It is sometimes desirable to block requests based on their referrer.
valid_referers none blocked server_names ~example\.com;
if ($invalid_referer) {
    return 403;
}
`none` matches requests with a missing referer (logged as "-"), while `blocked` matches referers that have been deleted by a firewall.
Literal server names are given with a leading or trailing asterisk (*). Regular expressions are given with a leading tilde (~).
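A fuller referrer check, as an added example that is not from the wiki page, applying the rule only to static assets so that direct visits and links to pages keep working. The host names are placeholders. It goes beyond the page's one-liner in one respect: the regular expression is anchored, because `valid_referers` matches a `~` pattern against the referrer text after its `http://` or `https://` prefix, which includes the path and query, so an unanchored pattern such as `~example\.com` also accepts a foreign site that merely mentions the name somewhere in its URL.

```nginx
# Added example, e.g. /etc/nginx/conf.d/referrers.conf (placeholder path).
server {
    listen 80;
    server_name www.example.com example.com;   # placeholder host names
    root /var/www/example;                     # placeholder document root

    # Hot-link protection for images only; HTML pages are served to anyone.
    location ~* \.(png|jpe?g|gif|svg|webp)$ {
        # none          -> no Referer header at all (typed URL, bookmark, curl)
        # blocked       -> Referer present but stripped by a firewall/proxy
        #                  (value does not begin with http:// or https://)
        # server_names  -> every name in this block's server_name directive
        # *.example.com -> literal name with a wildcard
        # ~^...         -> regex, anchored at the start of "host/path"
        valid_referers none blocked server_names *.example.com
                       ~^([^/]+\.)?example\.net(/|$);

        if ($invalid_referer) {
            return 403;
        }
        expires 7d;
    }
}
```

To verify: `curl -sI http://www.example.com/logo.png` (no referrer) should return `200`, `curl -sI -H 'Referer: https://cdn.example.net/page' http://www.example.com/logo.png` likewise, and `curl -sI -H 'Referer: https://other.test/?q=example.net' http://www.example.com/logo.png` should return `403`.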