Nginx configuration, security, and other information


Nginx is rapidly gaining popularity in the web hosting world, especially as performance, speed, and scaling become ever more important. Nginx can handle a large number of concurrent connections with relative ease. It is used today by over 25% or so of the top 10,000 websites, which tells you how much its performance is valued. It was written specifically to address the C10K problem, meaning it is designed to handle 10,000 concurrent connections on a website.

Over the past several months, rolling out Nginx for various clients has been a real treat. In my recent dealings with Nginx, I have compiled some odds and ends I have run into, configuration-wise, security-wise, and so on, along with the workarounds or configuration details to get around them.

Installing Nginx in Ubuntu:

  • apt-get update && apt-get install nginx

Hiding Nginx Server Version:

Add the following to nginx.conf under a server configuration block:

  • server_tokens off;

Default Nginx Server configuration block for WordPress

server {
        listen   80;


        root /var/www;
        index index.php index.html index.htm;

        server_name yourservername;

        location / {
                try_files $uri $uri/ /index.php?q=$uri&$args;
        }

        error_page 404 /404.html;

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
              root /usr/share/nginx/www;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ \.php$ {
                try_files $uri =404;
                #fastcgi_pass 127.0.0.1:9000;
                # With php5-fpm:
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }

}


Redirecting a Site in Nginx

server {

        listen 80;
        server_name website.toberedirected.com;
        rewrite ^/(.*) https://www.targetwebsite.com/$1 permanent;

}

Deleting Pagespeed Cache Nginx

  • touch /var/ngx_pagespeed_cache/cache.flush

Output Nginx version and build configuration (compile-time options) to a text file:

  • nginx -V &> text.txt

SSL configuration Nginx

Create the private key, certificate signing request, and self-signed certificate:

cd /etc/nginx/conf

# openssl genrsa -des3 -out server.key 2048
# openssl req -new -key server.key -out server.csr
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Change the server block to something similar to the following:

server {
        server_name example.com;
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        # certificate and key created in /etc/nginx/conf above
        ssl_certificate /etc/nginx/conf/server.crt;
        ssl_certificate_key /etc/nginx/conf/server.key;
        access_log /var/log/nginx/ssl.access.log;
        error_log /var/log/nginx/ssl.error.log;
}

Nginx.conf with Pagespeed module and gzip settings

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
       worker_connections 1024;
       multi_accept on;
}


http {
	
       server_tokens off;

       fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WPCACHE:100m inactive=60m;
       fastcgi_cache_key "$scheme$request_method$host$request_uri";
       fastcgi_cache_use_stale error timeout invalid_header http_500;

       include /etc/nginx/conf/wp_fastcgicache.conf;

       pagespeed on;
       pagespeed FileCachePath /var/ngx_pagespeed_cache;
       ##
       # Basic Settings
       ##

       sendfile on;
       tcp_nopush on;
       tcp_nodelay on;
       keepalive_timeout 65;
       types_hash_max_size 2048;
       # server_tokens off;

       # server_names_hash_bucket_size 64;
       # server_name_in_redirect off;

       include /etc/nginx/mime.types;
       default_type application/octet-stream;

       ##
       # Logging Settings
       ##

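       # access_log off at the http level disables request logging for every
       # server block that does not set its own access_log, leaving no
       # request trail for detection or incident response
       access_log off;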
       error_log /var/log/nginx/error.log;

       # Gzip Settings
       gzip on;
       gzip_static on;
       gzip_disable "msie6";
       gzip_vary on;
       gzip_proxied any;
       gzip_min_length 860;
       gzip_comp_level 7;
       gzip_buffers 16 8k;
       gzip_http_version 1.1;
    	gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml font/truetype application/x-font-ttf font/opentype application/vnd.ms-fontobject image/svg+xml;

       ##
       # nginx-naxsi config
       ##
       # Uncomment it if you installed nginx-naxsi
       ##

       #include /etc/nginx/naxsi_core.rules;

       ##
       # nginx-passenger config
       ##
       # Uncomment it if you installed nginx-passenger
       ##
       
       #passenger_root /usr;
       #passenger_ruby /usr/bin/ruby;

       ##
       # Virtual Host Configs
       ##

       include /etc/nginx/conf.d/*.conf;
       include /etc/nginx/sites-enabled/*;
       proxy_buffer_size   128k;
       proxy_buffers   4 256k;
       proxy_busy_buffers_size   256k;
       
}
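
The settings covered above (server_tokens, the SSL server block, and the http-level access_log in nginx.conf) can be checked mechanically. The following is an added example, not code from this post or from the Nginx project: a small Python auditor that parses a configuration and reports, per server block, which of these settings are weak after inheritance from the enclosing http block is applied. The names parse and audit, the finding strings and the sample configuration are constructed for illustration; include files are not followed.

```python
import re

# Token = comment | quoted string | structural char | bare word (comments first).
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};]+''')

def parse(text):
    """Parse nginx config text into a tree of {name, args, block, kids} nodes."""
    root = {"name": "main", "args": [], "block": True, "kids": []}
    stack, cur = [root], []
    for tok in (t for t in TOKEN.findall(text) if not t.startswith("#")):
        if tok in (";", "{"):
            if cur:
                node = {"name": cur[0], "args": cur[1:], "block": tok == "{", "kids": []}
                stack[-1]["kids"].append(node)
                if node["block"]:
                    stack.append(node)
            cur = []
        elif tok == "}":
            if len(stack) > 1:
                stack.pop()
        else:
            cur.append(tok.strip("\"'"))
    return root

def audit(text):
    """Return sorted (server_name, finding) pairs, honouring directive inheritance."""
    def walk(node, inherited):
        env = {**inherited, **{k["name"]: k["args"] for k in node["kids"] if not k["block"]}}
        if node["name"] == "server":
            name = " ".join(env.get("server_name", ["_"]))
            listens = [k["args"] for k in node["kids"] if k["name"] == "listen"]
            tls = env.get("ssl") == ["on"] or any("ssl" in a for a in listens)
            checks = {"server_tokens not off": env.get("server_tokens") != ["off"],
                      "deprecated 'ssl on'": env.get("ssl") == ["on"],
                      "TLS without explicit ssl_protocols": tls and "ssl_protocols" not in env,
                      "access_log off": env.get("access_log") == ["off"]}
            yield from ((name, msg) for msg, hit in checks.items() if hit)
        for kid in (k for k in node["kids"] if k["block"]):
            yield from walk(kid, env)
    return sorted(walk(parse(text), {}))

SAMPLE = """# constructed sample, modelled on the snippets on this page
http {
    access_log off;        # inherited by servers that set no access_log
    # server_tokens off; } <- commented out: must not count or close http
    server { listen 443; ssl on; server_name example.com; }
    server { listen 80; server_tokens off; server_name yourservername;
             access_log /var/log/nginx/wp.access.log; }
}"""
```

Calling audit(SAMPLE) reports four findings for example.com and none for yourservername, because the second server block overrides both inherited settings.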

 

Final Thoughts

These are just a few things I have run into while configuring and setting up Nginx on a few WordPress installations, along with tweaks that have presented themselves along the way. Please comment with additional tweaks you have seen make a difference in your Nginx environments.
