NGINX

A powerful web server built for multi-threading. Can even be used as a poor man's HAProxy (see HAProxySetup).


Installation

On Arch, install NGINX.

On Ubuntu, to ensure all available security patches have been applied, use the upstream PPA.

sudo apt update && sudo apt upgrade
sudo add-apt-repository ppa:nginx/stable
sudo apt update
sudo apt install nginx


Configuration

Server blocks

Location blocks

An example location for a uWSGI (Python) server, such as MoinMoin.

location / {
  include /etc/nginx/uwsgi_params;
  uwsgi_pass unix:///var/www/my-wsgi-app/my-wsgi-app.sock;
}

Often, uWSGI apps recommend adding uwsgi_modifier1 30 to rewrite PATH_INFO and SCRIPT_NAME. This is a deprecated measure, and is unstable with Python 3 and later. Instead, handle the script name on the uWSGI side of the configuration.

Restricting Access

Access is best restricted by returning error 444 on any restricted request. (444 is an NGINX-specific code: the connection is closed without sending a response, so the client gets no indication about availability or permission.)

As a good measure, the default server should deny all requests. This forces requests to carry a Host header matching one of the configured server names, rather than a bare IP address.

server {
    listen 80 default_server;
    server_name _;
    return 444;
}

To deny requests for specific files, use a location block. Location regexes are matched against the request URI, which always begins with a slash, so anchor on the slash rather than on the start of the string (^\.ht would never match).

location ~ /\.ht {
    return 444;
}

To deny requests based on the method, use a conditional statement within a server block.

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}

In all circumstances, conditional statements should be a last-resort technique: they are less than intuitive and difficult to debug.
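The three rules above can be checked before deployment by modelling them with Python's re module, which uses the same unanchored search semantics as "location ~". The following is an added example, not configuration or code from the original page; the server names, the request samples and the probe() helper are assumptions for illustration.

```python
"""Model of the access restrictions above (added example, not from the page).

decide() mirrors the three nginx rules: the 444 default server for unknown
Host values, the hidden-file location block, and the method check. The
pattern_matches_uri() helper shows why the location regex must be anchored
on "/" rather than "^".
"""
import http.client
import re

# Assumed server_name values for the real (non-default) server block.
SERVER_NAMES = {"www.example.com", "example.com"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# nginx matches "location ~" regexes against the normalized URI, which always
# begins with "/", so the pattern is anchored on the slash, not on "^".
HIDDEN_FILE_RE = re.compile(r"/\.ht")


def decide(method: str, host: str, uri: str) -> int:
    """Return the status nginx would produce: 444 (drop) or 200 (serve)."""
    # Rule 1: "listen 80 default_server; server_name _; return 444;" catches
    # any Host that is not a configured server_name (bare IPs, missing Host).
    if host.split(":")[0] not in SERVER_NAMES:
        return 444
    # Rule 2: location ~ /\.ht { return 444; }
    if HIDDEN_FILE_RE.search(uri):
        return 444
    # Rule 3: if ($request_method !~ ^(GET|HEAD|POST)$) { return 444; }
    if method not in ALLOWED_METHODS:
        return 444
    return 200


def pattern_matches_uri(pattern: str, uri: str) -> bool:
    """Test a candidate location regex against a URI the way nginx does
    (an unanchored search over the whole URI)."""
    return re.search(pattern, uri) is not None


def probe(host: str, port: int, method: str, path: str, host_header: str) -> int:
    """Live check against a running server (hypothetical helper, not run
    offline): returns the HTTP status, or 444 when the connection is closed
    without any response, which is how nginx's 444 appears to a client."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, headers={"Host": host_header})
        return conn.getresponse().status
    except (http.client.RemoteDisconnected, ConnectionResetError):
        return 444
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    for req in [("GET", "www.example.com", "/index.html"),
                ("GET", "203.0.113.5", "/index.html"),
                ("GET", "www.example.com", "/.htaccess"),
                ("DELETE", "www.example.com", "/index.html")]:
        print(req, "->", decide(*req))
    print(pattern_matches_uri(r"^\.ht", "/.htaccess"))  # False: URIs start with "/"
    print(pattern_matches_uri(r"/\.ht", "/.htaccess"))  # True
```

Run it directly to see the decision for each constructed request; probe() can be pointed at a test server to confirm that a dropped connection, rather than a 403 page, is what clients observe.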


Restricting Referrers

It is sometimes desirable to block requests based on their Referer header.

valid_referers none blocked server_names
               ~example\.com;
if ($invalid_referer) {
    return 403;
}

none matches a missing Referer header (logged as "-"), while blocked matches a Referer whose value has been deleted by a firewall or proxy server, leaving a value that does not start with http:// or https://.

Literal server names may carry an asterisk (*) as a wildcard at the beginning or the end. Regular expressions are given with a leading tilde (~) and are matched against the text following http:// or https://.


Issues

Do you have referrer blocking on? It's possible that you are blocking your own referrals. Whenever the URL is reloaded directly, the browser sends no Referer header, which none matches, allowing the connection.
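The semantics of valid_referers (none, blocked, server_names, wildcard literals and ~ regexes) and the reload behaviour described in Issues are easy to misjudge, so the following added example (not code from the original page) emulates nginx's $invalid_referer decision in Python. The server names and header values are constructed for illustration; the page's own valid_referers line is reproduced as PAGE_PARAMS.

```python
"""Emulation of nginx's valid_referers / $invalid_referer logic (added
example, not from the page). It reproduces the documented rules of
ngx_http_referer_module: "none" for an absent header, "blocked" for a value
without a scheme, "server_names" for the configured names, literal names with
a leading or trailing "*" plus optional URI prefix, and "~" regexes matched
against the text after the scheme. Ports are ignored when hosts are compared.
"""
import re
from urllib.parse import urlsplit

# Assumed server_name values of the block that carries valid_referers.
SERVER_NAMES = ["www.example.com", "example.com"]
# The page's configuration: valid_referers none blocked server_names ~example\.com;
PAGE_PARAMS = ["none", "blocked", "server_names", r"~example\.com"]


def _host_matches(name: str, host: str) -> bool:
    """Literal server name; "*" is a wildcard only at the start or the end."""
    if name.startswith("*"):
        return host.endswith(name[1:])
    if name.endswith("*"):
        return host.startswith(name[:-1])
    return host == name


def classify_referer(referer, params, server_names=SERVER_NAMES):
    """Return the valid_referers parameter that accepts the header, or
    "invalid" when none does (the case in which $invalid_referer is set).
    A missing header is passed as None."""
    if referer is None:
        return "none" if "none" in params else "invalid"
    if not referer.lower().startswith(("http://", "https://")):
        # Present but schemeless: nginx treats it as deleted by a proxy.
        return "blocked" if "blocked" in params else "invalid"
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()      # hostname drops any port
    path = parts.path or "/"
    after_scheme = referer.split("://", 1)[1]
    for p in params:
        if p in ("none", "blocked"):
            continue
        if p == "server_names":
            if any(_host_matches(n.lower(), host) for n in server_names):
                return "server_names"
        elif p.startswith("~"):
            # Regex is searched in the text after "http://" or "https://".
            if re.search(p[1:], after_scheme):
                return p
        else:
            # Literal entry: host part, then an optional URI prefix.
            name, _, prefix = p.partition("/")
            if _host_matches(name.lower(), host) and path.startswith("/" + prefix):
                return p
    return "invalid"


def invalid_referer(referer, params, server_names=SERVER_NAMES) -> bool:
    """Equivalent of $invalid_referer for the given valid_referers params."""
    return classify_referer(referer, params, server_names) == "invalid"


if __name__ == "__main__":
    # Constructed header values, not captured traffic. None = header absent,
    # which is what a browser sends on a direct reload (see Issues above).
    samples = [None,
               "www.example.com/page",                 # scheme stripped by a proxy
               "http://www.example.com:8080/page",     # own site, port ignored
               "https://example.com.evil.test/",       # matched by the unanchored regex
               "http://hotlinker.test/gallery"]
    for ref in samples:
        verdict = "blocked" if invalid_referer(ref, PAGE_PARAMS) else "allowed"
        print(repr(ref), "->", classify_referer(ref, PAGE_PARAMS), verdict)
```

Note what the fourth sample shows: an unanchored regex such as ~example\.com also accepts hosts that merely contain that text, so anchor the pattern (for example ~^example\.com/ or a host-level literal) if the intent is to admit only your own site. The first sample confirms the Issues entry: with none present, a direct reload is never blocked, so a self-blocking problem only appears on links followed from your own pages.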


CategoryRicottone