public
Last active

nginx+passenger (real production config)

  • Download Gist
installation.sh
Shell
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
# NOTICE: to get Nginx+Unicorn best-practices configuration see the gist https://gist.github.com/3052776
 
$ cd /usr/src
$ wget http://nginx.org/download/nginx-1.2.1.tar.gz
$ tar xzvf ./nginx-1.2.1.tar.gz && rm -f ./nginx-1.2.1.tar.gz
 
$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
$ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz
 
$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
$ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
 
$ gem install passenger -v=3.0.12 --no-ri --no-rdoc
$ passenger-install-nginx-module --nginx-source-dir=/usr/src/nginx-1.2.1 --extra-configure-flags="--with-pcre=/usr/src/pcre-8.30 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_gzip_static_module --with-http_stub_status_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module"
 
$ mkdir /tmp/client_body_temp
nginx.conf
Nginx
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
user app;
worker_processes 2;
worker_priority -5;
 
error_log /home/app/logs/nginx.error.log crit;
 
events {
use epoll;
worker_connections 1024;
}
 
 
http {
client_max_body_size 25m;
client_body_buffer_size 128k;
client_body_temp_path /tmp/client_body_temp;
 
passenger_root /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.12;
passenger_ruby /usr/local/bin/ruby;
passenger_pool_idle_time 0;
passenger_max_pool_size 15;
passenger_pre_start http://127.0.0.1/;
 
include mime.types;
default_type application/octet-stream;
server_tokens off;
sendfile on;
keepalive_timeout 70;
 
gzip on;
gzip_http_version 1.1;
gzip_disable "msie6";
gzip_vary on;
gzip_min_length 1100;
gzip_buffers 64 8k;
gzip_comp_level 3;
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript text/xml application/xml;
 
ssl_certificate /opt/nginx/ssl_certs/cert.crt;
ssl_certificate_key /opt/nginx/ssl_certs/server.key;
ssl_session_timeout 15m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
 
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
add_header X-Frame-Options DENY;
 
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
 
include /opt/nginx/conf/nginx_host.conf;
}
nginx_host.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84
server {
listen 80;
server_name *.host.com;
rewrite ^(.*) https://$host$1 permanent;
 
location ~ \.(php|html)$ {
deny all;
}
 
access_log /dev/null;
error_log /dev/null;
}
 
 
# HTTPS server
server {
ssl on;
listen 443 default ssl;
server_name *.host.com;
 
root /home/app/public_html/host_production/current/public;
try_files $uri /system/maintenance.html @passenger;
 
location @passenger {
passenger_enabled on;
passenger_min_instances 5;
rails_env production;
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
limit_req zone=one burst=5;
}
 
 
error_page 500 502 504 /500.html;
error_page 503 @503;
 
location = /50x.html {
root html;
}
 
location = /404.html {
root html;
}
 
location @503 {
error_page 405 = /system/maintenance.html;
if (-f $document_root/system/maintenance.html) {
rewrite ^(.*)$ /system/maintenance.html break;
}
rewrite ^(.*)$ /503.html break;
}
 
if ($request_method !~ ^(GET|HEAD|PUT|POST|DELETE|OPTIONS)$ ){
return 405;
}
 
if (-f $document_root/system/maintenance.html) {
return 503;
}
 
 
location ~ ^/(assets|images|javascripts|stylesheets|swfs|system)/ {
gzip_static on;
expires max;
add_header Cache-Control public;
add_header Last-Modified "";
add_header ETag "";
break;
}
 
 
location = /favicon.ico {
expires max;
add_header Cache-Control public;
}
 
 
location ~ \.(php|html)$ {
return 405;
}
 
 
access_log /dev/null;
error_log /dev/null;
}

Thank you! Looks awesome.

Alex, you are welcome

I'd suggest reading through the Pitfalls page on the Nginx wiki as you have a few of them in your example.

And line 74 has a funny typo ("non-pubic SSL files")

I think you should be able to remove the @503 location by replacing it with:

try_files $uri /system/maintenance.html @passenger;

And moving your passenger code into location @passenger block. This allows you to more easily serve the static assets while still have your maintenance page up without ifisevil.

For those who do not want there entire site under SSL then you can ditch the two server blocks and go for something like:

server {
  listen 80;
  listen 443 default ssl;
  ...

  location @passenger {
  // or location / { if you are not using try_files
   ...
    passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;
    ...
  }

This avoids any duplication and tells the rails app whether the incoming request was encrypted or not.

Another handy one is to limit the request methods with:

if ($request_method !~ ^(GET|HEAD|PUT|POST|DELETE|OPTIONS)$ ){
  return 405;
}

And permanently redirecting all but local requests to the server name:

if ($host  = localhost   ) { break; }
if ($host != $server_name) { rewrite ^ $scheme://$server_name$request_uri permanent; }

For anyone who needs PCI compliance we had to chop our SSL ciphers to this:

 ssl_protocols             SSLv3 TLSv1;
 ssl_ciphers               ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH;
 ssl_prefer_server_ciphers on;

Which removes the weaker ciphers. I've not encountered any problems with browsers not supporting this - but I'm sure there are some.

theoooo, thanks for comments, it's really useful tips. can you gist your ready-to-go config?

Sure, you can see ours here: https://gist.github.com/716974

It's a work in progress, but is serving us well at the moment.

We haven't got into adding the cache control headers for static assets yet. We also allow friendly urls with '.' in them so any users deciding to call themselves 'theoooo.php' would get caught out with the anti bot measures you've taken. Quick way to get rid of those pesky requests otherwise though!

If anyone is interested we deploy our sites using Chef, and I'm happy to make the recipes we use for that public as well.

the config files are updated:
1) try_files instead of if-then expressions
2) handle 404 for assets-contain urls
3) gzip_static directive, nginx installation script
4) minor other fixes

theoooo, you suggested that @503 location should be replaced with try_files $uri /system/maintenance.html @passenger;

while that surely works, it returns maintenance page with HTTP 200, and that means that search bots might index such page (or treat it as a valid site response anyway, if noindex is mentioned in the page code). I also noticed that some browsers ignore no-cache in the page content, and serve locally cached page even when the server content has been updated - thus leaving users with maintenance page instead of a functional service till they do a proper reload of the page.

Using HTTP 503 solves these problems, and also RFC 2616 suggests HTTP 503 code to be used code for servers in maintenance state.

Do you know a way to return 503 without using ifs in nginx config?

ivanku, thanks for bugreport.
nginx_host.conf has been updated, please take a look at the line 67

thanks,

but this:

server_name  *.host.com;

dont work for me, need change to:

server_name  subdomain1.host.com sub2.host.com etc..;

server_name can include wildcard, just take a look at official documentation here http://nginx.org/en/docs/http/server_names.html

конечно же я читал, но именно *.host.com не срабатывает, нужно было перечислить все поддомены

версия nginx и конфиг?

centos 5.5
nginx 0.8.54 + passenger 3.0.4

собственно это единственно что у меня не сработало, остальное сделал по вашему конфигу, спасибо

limit_req has been added to location @passenger

helpful. thank you very much

Would you mind let us know your system spec for this config? CPU. How many core, and RAM, etc??

@sjoonk it's pretty standard, EC2 HighCPU medium instance

updates:

  • nginx 1.0.15, passenger 3.0.12
  • block unwanted requests by blocking .html (/phpmyadmin, /mysqladmin..)
  • client_max_body_size moved before passenger initialization, because it works in that way only
  • increase limit per zone to 10r/s
  • SSL cache via ssl_session_cache

ssl_session_cache and increased ssl_session_timeout can save 25% of CPU usage

SSL config updated

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!ADH:!MD5;

SSL BEAST attack fixed, locations optimized

openssl upgraded to 1.0.1c to enable TLSv1.1 and TLSv1.2.
Few headers was added by security reasons:
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
add_header X-Frame-Options DENY;

Hey just found this gist, and I've learned a lot from it. Thanks for sharing.
Can I still use something like the following, if my Rails app is using full page caching to the file system? The files get written out with the .html extension.

location ~ .(php|html)$ {
deny all;
}

@supairish yes, you can just remove "|html", the main purpose to use that is to prevent search-bots scans

UPDATE: serve static assets fix

UPDATE: nginx 1.2.1 instead of 1.0.15, it allows me to disable Last-Modified headers for assets

watching and learnt

We recently moved to Nginx+Unicorn due to some passenger's segmentation faults.
You can try passenger in standalone mode, but compile mod_rails module inside is not recommended now.
Anyway, nginx upstream module help you in both cases: 1) use Unicorn, 2) use Standalone Passenger.

See this config here: https://gist.github.com/3052776.

Please sign in to comment on this gist.

Something went wrong with that request. Please try again.