NGINX

nginx(8) is a web and proxy server written for modern workloads (chiefly multi-threading).

Contents

Installation

Most Linux and BSD distributions offer a nginx package.

On Ubuntu, to ensure all security patches have been applied, use the upstream PPA.

sudo add-apt-repository ppa:nginx/stable
sudo apt update
sudo apt install nginx

To check the configuration of nginx(8), run...

nginx -t

An example location for a uWSGI (Python) server, such as MoinMoin.

location / {
  include /etc/nginx/uwsgi_params;
  uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock;
}

See here for details.

Access is best restricted by returning error code 444, which causes the connection to drop without any signalling to the client.

Best practice is for the default server to deny all requests, ensuring that only known domains are served.

server {
    listen 80 default_server;
    server_name _;
    return 444;
}

To deny requests based on the URI, use a location block.

location ~ ^\.ht {
    return 444;
}

To deny requests based on the HTTP method, use a conditional statement.

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}

In all circumstances, conditional statements should be the last resort technique. They can be less than intuitive and difficult to debug.

It is sometimes desirable to block referrals.

valid_referers none blocked server_names
               ~example\.com;
if ($invalid_referer) {
    return 403;
}

none matching missing referers ("-"), while blocked matches referers that have been deleted by a firewall.

Literal server names are given with a leading or trailing asterisk (*). Regular expressions are given with a leading tilde (~).

See here for details.

See here for details.