The Nginx proxy server is an excellent addition to the external face of any web service. You can off-load some rewrite rules, route traffic to different back-ends and sanitise all requests before they hit the back-end.
Installation
Using either apt-get or emerge
~ # apt-get install nginx
On Gentoo there are loads of configurable modules; enable the ones you need, or all of them if you'd like. I find that these USE flags are the most useful: "http http-cache ipv6 pcre ssl". Then set NGINX_MODULES_HTTP to your liking. There are lots to choose from here; get at least "browser charset fastcgi geo gzip proxy referer rewrite". Others you may be interested in are: "geo geoip memcached realip upload_progress".
~ # emerge -av nginx
[ebuild N ] dev-libs/geoip-1.6.0-r1 USE="-city ipv6 -static-libs"
[ebuild N ] www-servers/nginx-1.2.1 USE="-aio -debug http http-cache ipv6 -libatomic pcre -pcre-jit (-selinux) ssl -vim-syntax" NGINX_MODULES_HTTP="access -addition -ajp auth_basic -auth_pam -auth_request autoindex browser -cache_purge charset -dav -dav_ext -degradation -echo empty_gif fancyindex fastcgi -flv geo geoip -gunzip gzip gzip_static headers_more -image_filter limit_conn limit_req lua map memcached metrics -mogilefs mp4 -naxsi perl proxy -push_stream -random_index realip referer rewrite scgi -secure_link -security -slowfs_cache spdy split_clients ssi -sticky -stub_status -sub upload_progress -upstream_check upstream_ip_hash userid uwsgi -xslt" NGINX_MODULES_MAIL="-imap pop3 smtp" 702 kB
One of the first things to do is isolate the user and group that Nginx runs as; we have a dedicated account for this purpose.
~ # useradd --comment 'Nginx' --shell /bin/false --home /dev/null nginx
Nginx Basics
Now let's make Nginx proxy requests to our back-end Apache servers, that is, for our non-static assets.
Take a look in the /etc/nginx/nginx.conf file.
We listen on the external interface, ports 80 and 443 (for SSL).
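# Logging is for chumps :p
# (crit to /dev/null: every error message is discarded)
error_log /dev/null crit;
user nginx;
worker_processes 8;

# nginx refuses to start without an events block; empty means defaults
events { }

# Only one http block is allowed, so both servers live inside it
http {
    server {
        # "listen 80" binds every address, including 127.0.0.1 where the
        # back-end listens; use "listen <external-ip>:80" to bind only the
        # external interface
        listen 80;
        server_name edoceo.com;
        include "rewrite.conf";
        location / {
            proxy_pass http://127.0.0.1:80;
        }
    }
    server {
        listen 443;
        server_name edoceo.com;
        ssl on;
        ssl_certificate /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;
        include "rewrite.conf";
        location / {
            proxy_pass http://127.0.0.1:80;
        }
    }
}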
Adjust as necessary for your environment.
Nginx SSL Configurations
Various SSL configurations for nginx, showing certificate chains where necessary and cipher specifications.
server {
    listen 443 default_server ssl;
    server_name edoceo.com;
    # Enable the SSL Engine (< 0.7.14)
    ssl on;
    # The certificate or bundle file.
    ssl_certificate /etc/ssl/server.crt;
    # A key without a passphrase (openssl -nodes) for the certificate
    ssl_certificate_key /etc/ssl/server.key;
}
You may need to create the certificate chain, in which case you cat the certificates together, server certificate first, and point ssl_certificate at the resulting bundle.
cat server.crt ca-intermediate.crt > bundle.pem
ssl_certificate /etc/ssl/bundle.pem;
Nginx Example Rules
Here are a few examples of tricks we do with Nginx.
Serve Static Files Locally
This shows three external paths to access the CSS, and dedicated paths for the other resources.
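# With "root" the matched prefix is appended to the path:
# /c/site.css is read from /var/www/css/c/site.css.
# A prefix without a trailing slash also matches longer names
# (location /c matches /contact as well as /c/site.css).
location /c {
    root /var/www/css;
    autoindex off;
}
location /css {
    root /var/www/css;
    autoindex off;
}
location /d7/css {
    root /var/www/css;
    autoindex off;
}
location /i {
    root /var/www/images;
    autoindex off;
}
location /j {
    root /var/www/javascript;
    autoindex off;
}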
Force SSL
location ~* /admin {
    rewrite (.*) https://$host$1 permanent;
}
location ~* /user {
    rewrite (.*) https://$host$1 permanent;
}
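The Force SSL rules above only make sense in the plain-HTTP server. The following is an added example, not part of the original page, that places them there and pins the redirect target to the configured server name. It assumes the two server blocks from the Nginx Basics section, and merging the two rules into one regex is a choice made here.

```nginx
# Added example (not the page's own config). Both server blocks belong inside
# the single http { } block of /etc/nginx/nginx.conf. Addresses, ports and
# file paths are the ones used elsewhere on the page.

# Plain-HTTP server: the only place the redirect rule lives.
server {
    listen 80;
    server_name edoceo.com;

    # Same case-insensitive, unanchored match as the page's two rules,
    # merged into one location.
    # "return" answers with the 301 directly, and $request_uri carries the
    # original path and query string.
    # $server_name is the configured name, so the Location header does not
    # echo whatever Host header the client sent (which $host would).
    location ~* /(admin|user) {
        return 301 https://$server_name$request_uri;
    }

    location / {
        proxy_pass http://127.0.0.1:80;
    }
}

# HTTPS server: no redirect rule here. If the rule above were also loaded
# in this block (for example through a shared include file), a request for
# /admin over HTTPS would get a 301 to its own URL and loop.
server {
    listen 443 ssl;
    server_name edoceo.com;
    ssl_certificate     /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;

    location / {
        proxy_pass http://127.0.0.1:80;
    }
}
```

After editing, `nginx -t` checks the syntax before a reload.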
Nginx Deployment Picture
Here's a pretty picture of how we typically deploy Nginx.