Size: 2286
Comment:
|
Size: 4018
Comment:
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
= NGINX = | = Nginx = |
Line 3: | Line 3: |
A powerful web server built for multi-threading. Can even be used as a poor man's reverse proxy. | '''`nginx(8)`''' is a web and proxy server written for modern workloads (chiefly multi-threading). <<TableOfContents>> |
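Review bot: "chiefly multi-threading" in the new lead sentence misdescribes the concurrency model; nginx is an asynchronous, event-driven server built around a master process and worker processes, with thread pools only as an optional aid for blocking file I/O, so "event-driven, multi-process" would be accurate. The old wording ("built for multi-threading") had the same problem, so this is a good moment to fix it.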
Line 11: | Line 13: |
On Arch Linux, install `nginx`. | Most [[Linux]] and [[BSD]] distributions offer a `nginx` package. |
Line 13: | Line 15: |
On Ubuntu, to ensure all security patches have been applied, use the upstream PPA. | On [[Linux/Ubuntu|Ubuntu]], to ensure all security patches have been applied, use the upstream PPA. |
Line 19: | Line 21: |
}}} === Containers === [[Docker]] container images are also available for the last two versions. The image is available from [[Docker/Hub|DockerHub]] as `docker.io/library/nginx` (or simply `nginx` when using `docker(1)` specifically). Try: {{{ docker run --detach --name my-nginx \ --mount type=bind,src=/path/to/web/root,dst=/usr/share/nginx/html,readonly \ --publish 127.0.0.1:8080:80 \ nginx:latest |
|
Line 27: | Line 44: |
To check the configuration of `nginx(8)`, run... {{{ nginx -t }}} |
|
Line 29: | Line 54: |
=== Location blocks === | Servers listen on one or more addresses and ports, specified on the `listen` directive. If the address is left off, `nginx(8)` listens on all addresses for that server. Servers can share addresses and/or ports. |
Line 31: | Line 56: |
An example location for a uWSGI (Python) server, such as [[MoinMoinSetup|MoinMoin]]. | If `nginx(8)` receives a request, it is routed between the listening servers based on the ''domain name''. Each server is meant to represent a single web domain, which should be specified on the `server_name` directive. If a server needs to respond as any domain, enter `_` as the name. If no server name matches, the request is routed to the ''default server'', which is marked by the `default_server` option on the `listen` directive. `nginx(8)` requires one (and only one) server be marked as default. Typically, the default server is configured with a server name of `_` and returns error 444 to all requests. |
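Review bot: the new paragraph's statement that nginx(8) "requires one (and only one) server be marked as default" should be narrowed: `default_server` is chosen per listen address:port pair, so a configuration with several ports legitimately carries several, and when none is marked for a pair nginx silently uses the first server block declared for it. That silent fallback is the reason the 444 catch-all should be marked explicitly, which is worth saying here.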
Line 34: | Line 63: |
location / { include /etc/nginx/uwsgi_params; uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock; |
server { listen 80 default_server; server_name _; return 444; } server { listen 80; server_name example.com; root /var/www; location / { try_files $uri $uri/ /index.html; } |
Line 42: | Line 83: |
=== Restricting Access === | === Locations === |
Line 44: | Line 85: |
Access is best restricted by returning error 444 on any restricted requests. (Error 444 means the connection is dropped--the client gets no indication about availability or permission.) | Generally, locations map to the local file system. |
Line 46: | Line 87: |
As a good measure, the default server should return deny all requests. This will force requests to carry an external URL. | The `try_files` directive checks if a file exists, and then reroutes based on the syntax. In the below example, if `$uri` does not exist, the request is routed to the `@uwsgi` location. |
Line 49: | Line 90: |
server { listen 80 default_server; server_name _; return 444; |
try_files $uri @uwsgi; location / { root /var/www; } location @uwsgi { include uwsgi_params; uwsgi_pass unix:///run/myapp.sock; } location ~ .(png|gif|jpe?g)$ { root /usr/local/share/myapp/static; } location = /robots.txt { root /var/www; |
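Review bot: the new static-file location `location ~ .(png|gif|jpe?g)$ {` has an unescaped dot, so the pattern matches any single character before the extension (a URI such as `/pixelpng` or `/.png` would be served from the static root); write `location ~ \.(png|gif|jpe?g)$ {`.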
Line 56: | Line 110: |
To deny requests for specific files, use a location block. | === Configuration Syntax === * [[Nginx/Location|Location]] * [[Nginx/Http|Http]] * [[Nginx/Server|Server]] === Proxying === * [[Nginx/FastCGI|FastCGI]] * [[Nginx/Uwsgi|Uwsgi]] === Advanced Configuration === * [[Nginx/Authentication|Authentication]] * [[Nginx/Compression|Compression]] * [[Nginx/Encryption|Encryption]] === Restricting Access === To deny requests based on the URI, use a location block. |
Line 64: | Line 144: |
To deny requests based on the method, use a conditional statement within a server block. | To deny requests based on the HTTP method, use a conditional statement. |
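Review bot: since the page itself calls conditionals a last resort, this sentence should mention the directive nginx provides for exactly this case, `limit_except`, which restricts a location to the listed methods (for example `limit_except GET POST { deny all; }`; HEAD is allowed whenever GET is), and reserve `if ($request_method ...)` for rules that must live at server level, where `limit_except` is not permitted.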
Line 73: | Line 153: |
---- |
|
Line 98: | Line 176: |
== Issues == | == See also == |
Line 100: | Line 178: |
=== 403 on internal links (sometimes) === Do you have referral blocking on? It's possible that you are blocking your own referrals. Whenever the URL is reloaded, the referral header is dropped, allowing the connection. |
[[https://man.archlinux.org/man/extra/nginx/nginx.8.en|nginx(8)]] |
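Review bot: the deleted troubleshooting entry (referral blocking returning 403 on the site's own internal links) describes a real failure mode of the referer check that the page still documents, so rather than drop it entirely, fold one sentence into the Restricting Referrers section: keep `server_names` in `valid_referers` so the site's own pages are accepted, and `none` so direct visits and reloads without a Referer header still pass.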
Nginx
nginx(8) is a web and proxy server written for modern workloads (chiefly multi-threading).
Installation
Most Linux and BSD distributions offer a nginx package.
On Ubuntu, to ensure all security patches have been applied, use the upstream PPA.
sudo add-apt-repository ppa:nginx/stable
sudo apt update
sudo apt install nginx
Containers
Docker container images are also available for the last two versions. The image is available from DockerHub as docker.io/library/nginx (or simply nginx when using docker(1) specifically).
Try:
docker run --detach --name my-nginx \
    --mount type=bind,src=/path/to/web/root,dst=/usr/share/nginx/html,readonly \
    --publish 127.0.0.1:8080:80 \
    nginx:latest
Configuration
To check the configuration of nginx(8), run...
nginx -t
Server blocks
Servers listen on one or more addresses and ports, specified on the listen directive. If the address is left off, nginx(8) listens on all addresses for that server. Servers can share addresses and/or ports.
When nginx(8) receives a request, it is routed to one of the listening servers based on the domain name. Each server is meant to represent a single web domain, which should be specified on the server_name directive. If a server needs to respond as any domain, enter _ as the name.
If no server name matches, the request is routed to the default server, which is marked by the default_server option on the listen directive. nginx(8) requires one (and only one) server be marked as default.
Typically, the default server is configured with a server name of _ and returns error 444 to all requests.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name example.com;
    root /var/www;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
Locations
Generally, locations map to the local file system.
The try_files directive checks whether a file exists and, if not, reroutes the request according to its arguments. In the example below, if $uri does not exist, the request is routed to the @uwsgi named location.
try_files $uri @uwsgi;

location / {
    root /var/www;
}

# Named location, reached only when try_files finds no file for $uri.
location @uwsgi {
    include uwsgi_params;
    uwsgi_pass unix:///run/myapp.sock;
}

# The dot must be escaped; an unescaped "." would match any character.
location ~ \.(png|gif|jpe?g)$ {
    root /usr/local/share/myapp/static;
}

location = /robots.txt {
    root /var/www;
}
Configuration Syntax
* Location
* Http
* Server
Proxying
* FastCGI
* Uwsgi
Advanced Configuration
* Authentication
* Compression
* Encryption
Restricting Access
To deny requests based on the URI, use a location block.
# Regex locations are matched against the URI, which always begins with "/",
# so a pattern anchored at "^\." would never match.
location ~ /\.ht {
    return 444;
}
To deny requests based on the HTTP method, use a conditional statement.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
In all circumstances, conditional statements should be a last-resort technique. They can be unintuitive and difficult to debug.
Restricting Referrers
It is sometimes desirable to block requests by referrer.
valid_referers none blocked server_names ~example\.com;

if ($invalid_referer) {
    return 403;
}
none matches requests with a missing referer (logged as "-"), while blocked matches referers whose value has been deleted by a firewall.
Literal server names may carry a leading or trailing asterisk (*) as a wildcard. Regular expressions are given with a leading tilde (~).