@kritik
Last active February 21, 2020 08:57
NGINX comments.conf
sudo apt-get update
sudo apt-get install nginx -y
# install certbot
# in the conf
events {}
http {
  server {
    listen 80;
    server_name your_domain.ee;
    location / {
      return 200 "Hello from nginx";
    }
  }
}
certbot --nginx
ls -l /etc/letsencrypt/live/your_domain.ee/
crontab -e # add the line: @daily certbot renew (check first, it may already be set)
For A/B testing or beta testing we can use:
1) split_clients: http://nginx.org/en/docs/http/ngx_http_split_clients_module.html#split_clients
2) set different upstreams and then redirect users with the if directive
We can add the visitor's country/city to headers from the IP via the nginx GeoIP module, instead of doing it in the Rails app
# TODO: add server push
#
# var doc: http://nginx.org/en/docs/varindex.html
# dynamic modules https://docs.nginx.com/nginx/admin-guide/dynamic-modules/dynamic-modules/
context - block of configuration
directive - line of option and value
worker_processes auto; # 1 CPU -> 1 worker. The number of workers should not exceed the number of CPUs (see lscpu)
events {
  worker_connections 1024; # can take the number from ulimit -n
  multi_accept on; # accept all pending connections immediately, default: off
  use epoll;
}
http {
  # upstream doc: https://nginx.org/en/docs/http/ngx_http_upstream_module.html
  # round robin - one after another (no config)
  # sticky sessions - by IP hash (add ip_hash;)
  # least loaded - checks if a server is still dealing with connections (add least_conn;)
  upstream balancer {
    #ip_hash; # to set sticky session
    least_conn;
    server localhost:10001;
    server localhost:10002;
  }
  # open_file_cache* directives: help to cache reading files from disk
  add_header X-Frame-Options SAMEORIGIN; # iframe works only if from the same domain
  include mime.types; # allows nginx to set correct MIME types based on extension
  gzip on; # standard directive, everything after this one will be influenced by gzip, incl. server.
  # NB! if set after logic, then it doesn't apply.
  # but if put inside server then server will also see
  gzip_min_length 100; # in bytes
  gzip_comp_level 3; # recommended 1-4
  gzip_types text/plain text/css;
  gzip_types text/javascript;
  # text/html is compressed by default; listing it again only triggers a "duplicate MIME type" warning
  gzip_disable "msie6";
  server_tokens off; # will hide nginx version
  server {
    listen 443 ssl http2;
    if ($http_user_agent ~* badbot) { return 403; }
    if ($http_referer ~* badbot) { return 403; }
    location @my-server {
      # proxy_pass must not carry a URI part inside a named location;
      # in a regular prefix location it's better to set "/" at the end as convention
      proxy_pass http://balancer;
      http2_push_preload on; # allow push preload
      # server has to add header: Link: </style.css>; as=style; rel=preload, </favicon.ico>; as=image; rel=preload
      # h = ActionController::Base.helpers
      # response.headers["Link"] = "<#{h.asset_pack_path("application.css")}>; as=style; rel=preload,<#{h.asset_path("application.css")}>; as=style; rel=preload, </#{h.asset_pack_path("application.js")}>; as=script; rel=preload"
      add_header proxied nginx; # adds header to the client (response), rails won't see it
      proxy_set_header proxied2 nginx; # adds header to the rails (request), client won't see it.
    }
    # location ordering
    # 1. =        # exact match
    # 2. ^~       # preferable prefix
    # 3. ~ and ~* # regexp matching (~* is case insensitive)
    # 4. no modifier: prefix match
    location = /exact-path {
      access_log off; # switches the access log off only here
      error_log /dev/null crit; # silences the error log only here ("error_log off" would write to a file named "off")
      root /path/in/fs; # custom path
      try_files $uri $uri/ /index.php =404; # tries the URI as a file, then as a directory, then /index.php; if none is found returns 404
    }
    location /home {
      rewrite ^ /index.html; # request will be sent to index.html
    }
    location ~* \.(js|css|png)$ {
      expires 1M; # in 1 month
      access_log off; # no need to log
      add_header Pragma public; # old way of cache-control
      add_header Cache-Control public;
      add_header Vary Accept-Encoding;
    }
  }
}
./configure --help|grep without
./configure --with-http_v2_module --with-http_ssl_module --without-http_autoindex_module
# todo: add brotli installation guides for Debian
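
Added example (not part of the original gist): nginx inherits `add_header` from the outer level only when the current level defines no `add_header` of its own, so in the config above the `http`-level `X-Frame-Options` is not sent from `location @my-server` or from the static-assets location. This Python check flags such blocks; `SAMPLE` is a constructed reduction of the gist's config, and `WATCHED`, `parse` and `dropped_headers` are names chosen for this example.

```python
import re

WATCHED = ("x-frame-options",)  # assumption: headers treated as security headers

# Constructed sample: the gist's add_header layout, reduced to the relevant lines.
SAMPLE = r"""
http {
  add_header X-Frame-Options SAMEORIGIN;
  server {
    location @my-server { add_header proxied nginx; }
    location /home { rewrite ^ /index.html; }
    location ~* \.(js|css|png)$ {
      add_header Cache-Control public;
      add_header Vary Accept-Encoding;
    }
  }
}
"""

def parse(conf):
    """Build a tree of {name, headers, children} blocks from nginx-style text."""
    conf = re.sub(r"#[^\n]*", "", conf)  # simplification: ignores '#' inside quotes
    tokens = re.findall(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};]+''', conf)
    stack, words = [{"name": "main", "headers": [], "children": []}], []
    for tok in tokens:
        if tok == "{":
            block = {"name": " ".join(words), "headers": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif tok == "}":
            stack.pop()
        elif tok == ";" and len(words) >= 3 and words[0] == "add_header":
            stack[-1]["headers"].append(words[1].lower())
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return stack[0]

def dropped_headers(block, inherited=(), path=""):
    """List (block path, lost headers) where own add_header lines discard inherited ones."""
    here = f"{path} > {block['name']}" if path else block["name"]
    own = block["headers"]
    lost = [h for h in WATCHED if own and h in inherited and h not in own]
    findings = [(here, lost)] if lost else []
    # nginx inherits add_header from the outer level only if this level defines none.
    for child in block["children"]:
        findings += dropped_headers(child, own or list(inherited), here)
    return findings

if __name__ == "__main__":
    print(dropped_headers(parse(SAMPLE)))
```

Repeating `add_header X-Frame-Options SAMEORIGIN;` in each flagged location (or pulling the shared headers in with an `include`) clears the findings.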