Differences between revisions 9 and 22 (spanning 13 versions)
Revision 9 as of 2021-11-17 19:44:47
Size: 2286
Editor: DominicRicottone
Comment:
Revision 22 as of 2023-04-22 20:43:06
Size: 2394
Editor: DominicRicottone
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= NGINX = = Nginx =
Line 3: Line 3:
A powerful web server built for multi-threading. Can even be used as a poor man's reverse proxy. '''`nginx(8)`''' is a web and proxy server written for modern workloads (chiefly multi-threading).

<<TableOfContents>>
Line 11: Line 13:
On Arch Linux, install `nginx`. Most [[Linux]] and [[BSD]] distributions offer a `nginx` package.
Line 13: Line 15:
On Ubuntu, to ensure all security patches have been applied, use the upstream PPA. On [[Linux/Ubuntu|Ubuntu]], to ensure all security patches have been applied, use the upstream PPA.
Line 19: Line 21:
}}}



=== Containers ===

[[Docker]] container images are also available for the last two versions. The image is available from [[Docker/Hub|DockerHub]] as `docker.io/library/nginx` (or simply `nginx` when using `docker(1)` specifically).

Try:

{{{
docker run --detach --name my-nginx \
  --mount type=bind,src=/path/to/web/root,dst=/usr/share/nginx/html,readonly \
  --publish 127.0.0.1:8080:80 \
  nginx:latest
Line 27: Line 44:
=== Server blocks ===

=== Location blocks ===

An example location for a uWSGI (Python) server, such as [[MoinMoinSetup|MoinMoin]].		 To check the configuration of `nginx(8)`, run...
Line 34: Line 47:
location / {
  include /etc/nginx/uwsgi_params;
  uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock;
}		 nginx -t
Line 39: Line 49:



=== Syntax ===

 * [[Nginx/Location|Location]]
 * [[Nginx/Http|Http]]
 * [[Nginx/Server|Server]]
 * [[Nginx/TryFiles|Try Files]]



=== Proxying ===

 * [[Nginx/FastCGI|FastCGI]]
 * [[Nginx/Uwsgi|Uwsgi]]



=== Advanced Configuration ===

 * [[Nginx/Authentication|Authentication]]
 * [[Nginx/Compression|Compression]]
 * [[Nginx/Encryption|Encryption]]
Line 44: Line 78:
Access is best restricted by returning error 444 on any restricted requests. (Error 444 means the connection is dropped--the client gets no indication about availability or permission.)

As a good measure, the default server should return deny all requests. This will force requests to carry an external URL.

{{{
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
}}}

To deny requests for specific files, use a location block.		 To deny requests based on the URI, use a location block.
Line 64: Line 86:
To deny requests based on the method, use a conditional statement within a server block. To deny requests based on the HTTP method, use a conditional statement.
Line 73: Line 95:

----
Line 98: Line 118:
== Issues == == See also ==
Line 100: Line 120:
=== 403 on internal links (sometimes) ===

Do you have referral blocking on? It's possible that you are blocking your own referrals. Whenever the URL is reloaded, the referral header is dropped, allowing the connection.		 [[https://man.archlinux.org/man/extra/nginx/nginx.8.en|nginx(8)]]

Nginx

nginx(8) is a web and proxy server written for modern workloads (chiefly multi-threading).

Contents

  1. Nginx
    1. Installation
      1. Containers
    2. Configuration
      1. Syntax
      2. Proxying
      3. Advanced Configuration
      4. Restricting Access
      5. Restricting Referrers
    3. See also

Installation

Most Linux and BSD distributions offer a nginx package.

On Ubuntu, to ensure all security patches have been applied, use the upstream PPA. 

sudo add-apt-repository ppa:nginx/stable
sudo apt update
sudo apt install nginx

Containers

Docker container images are also available for the last two versions. The image is available from DockerHub as docker.io/library/nginx (or simply nginx when using docker(1) specifically).

Try: 

docker run --detach --name my-nginx \
  --mount type=bind,src=/path/to/web/root,dst=/usr/share/nginx/html,readonly \
  --publish 127.0.0.1:8080:80 \
  nginx:latest

Configuration

To check the configuration of nginx(8), run... 

nginx -t

Syntax

Proxying

Advanced Configuration

Restricting Access

To deny requests based on the URI, use a location block. 

location ~ ^\.ht {
    return 444;
}

To deny requests based on the HTTP method, use a conditional statement. 

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}

In all circumstances, conditional statements should be the last resort technique. They can be less than intuitive and difficult to debug.

Restricting Referrers

It is sometimes desirable to block referrals. 

valid_referers none blocked server_names
               ~example\.com;
if ($invalid_referer) {
    return 403;
}

none matching missing referers ("-"), while blocked matches referers that have been deleted by a firewall.

Literal server names are given with a leading or trailing asterisk (*). Regular expressions are given with a leading tilde (~).

See also

nginx(8)

CategoryRicottone

Nginx (last edited 2023-08-06 18:16:32 by DominicRicottone)