Skip to content

Embed URL

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
nginx+passenger (real production config)
# NOTICE: to get Nginx+Unicorn best-practices configuration see the gist https://gist.github.com/3052776
$ cd /usr/src
$ wget http://nginx.org/download/nginx-1.2.1.tar.gz
$ tar xzvf ./nginx-1.2.1.tar.gz && rm -f ./nginx-1.2.1.tar.gz
$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz
$ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz
$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
$ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
$ gem install passenger -v=3.0.12 --no-ri --no-rdoc
$ passenger-install-nginx-module --nginx-source-dir=/usr/src/nginx-1.2.1 --extra-configure-flags="--with-pcre=/usr/src/pcre-8.30 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_gzip_static_module --with-http_stub_status_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module"
$ mkdir /tmp/client_body_temp
user app;
worker_processes 2;
worker_priority -5;
error_log /home/app/logs/nginx.error.log crit;
events {
use epoll;
worker_connections 1024;
}
http {
client_max_body_size 25m;
client_body_buffer_size 128k;
client_body_temp_path /tmp/client_body_temp;
passenger_root /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.12;
passenger_ruby /usr/local/bin/ruby;
passenger_pool_idle_time 0;
passenger_max_pool_size 15;
passenger_pre_start http://127.0.0.1/;
include mime.types;
default_type application/octet-stream;
server_tokens off;
sendfile on;
keepalive_timeout 70;
gzip on;
gzip_http_version 1.1;
gzip_disable "msie6";
gzip_vary on;
gzip_min_length 1100;
gzip_buffers 64 8k;
gzip_comp_level 3;
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript text/xml application/xml;
ssl_certificate /opt/nginx/ssl_certs/cert.crt;
ssl_certificate_key /opt/nginx/ssl_certs/server.key;
ssl_session_timeout 15m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
add_header X-Frame-Options DENY;
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
include /opt/nginx/conf/nginx_host.conf;
}
server {
listen 80;
server_name *.host.com;
rewrite ^(.*) https://$host$1 permanent;
location ~ \.(php|html)$ {
deny all;
}
access_log /dev/null;
error_log /dev/null;
}
# HTTPS server
server {
ssl on;
listen 443 default ssl;
server_name *.host.com;
root /home/app/public_html/host_production/current/public;
try_files $uri /system/maintenance.html @passenger;
location @passenger {
passenger_enabled on;
passenger_min_instances 5;
rails_env production;
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
limit_req zone=one burst=5;
}
error_page 500 502 504 /500.html;
error_page 503 @503;
location = /50x.html {
root html;
}
location = /404.html {
root html;
}
location @503 {
error_page 405 = /system/maintenance.html;
if (-f $document_root/system/maintenance.html) {
rewrite ^(.*)$ /system/maintenance.html break;
}
rewrite ^(.*)$ /503.html break;
}
if ($request_method !~ ^(GET|HEAD|PUT|POST|DELETE|OPTIONS)$ ){
return 405;
}
if (-f $document_root/system/maintenance.html) {
return 503;
}
location ~ ^/(assets|images|javascripts|stylesheets|swfs|system)/ {
gzip_static on;
expires max;
add_header Cache-Control public;
add_header Last-Modified "";
add_header ETag "";
break;
}
location = /favicon.ico {
expires max;
add_header Cache-Control public;
}
location ~ \.(php|html)$ {
return 405;
}
access_log /dev/null;
error_log /dev/null;
}
@soulim

Thank you! Looks awesome.

@mikhailov
Owner

Alex, you are welcome

@matiaskorhonen

I'd suggest reading through the Pitfalls page on the Nginx wiki as you have a few of them in your example.

And line 74 has a funny typo ("non-pubic SSL files")

@theozaurus

I think you should be able to remove the @503 location by replacing it with:

try_files $uri /system/maintenance.html @passenger;

And moving your passenger code into location @passenger block. This allows you to more easily serve the static assets while still have your maintenance page up without ifisevil.

For those who do not want there entire site under SSL then you can ditch the two server blocks and go for something like:

server {
  listen 80;
  listen 443 default ssl;
  ...

  location @passenger {
  // or location / { if you are not using try_files
   ...
    passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;
    ...
  }

This avoids any duplication and tells the rails app whether the incoming request was encrypted or not.

Another handy one is to limit the request methods with:

if ($request_method !~ ^(GET|HEAD|PUT|POST|DELETE|OPTIONS)$ ){
  return 405;
}

And permanently redirecting all but local requests to the server name:

if ($host  = localhost   ) { break; }
if ($host != $server_name) { rewrite ^ $scheme://$server_name$request_uri permanent; }

For anyone who needs PCI compliance we had to chop our SSL ciphers to this:

 ssl_protocols             SSLv3 TLSv1;
 ssl_ciphers               ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH;
 ssl_prefer_server_ciphers on;

Which removes the weaker ciphers. I've not encountered any problems with browsers not supporting this - but I'm sure there are some.

@mikhailov
Owner

theoooo, thanks for comments, it's really useful tips. can you gist your ready-to-go config?

@theozaurus

Sure, you can see ours here: https://gist.github.com/716974

It's a work in progress, but is serving us well at the moment.

We haven't got into adding the cache control headers for static assets yet. We also allow friendly urls with '.' in them so any users deciding to call themselves 'theoooo.php' would get caught out with the anti bot measures you've taken. Quick way to get rid of those pesky requests otherwise though!

If anyone is interested we deploy our sites using Chef, and I'm happy to make the recipes we use for that public as well.

@mikhailov
Owner

the config files are updated:
1) try_files instead of if-then expressions
2) handle 404 for assets-contain urls
3) gzip_static directive, nginx installation script
4) minor other fixes

@ivanku

theoooo, you suggested that @503 location should be replaced with try_files $uri /system/maintenance.html @passenger;

while that surely works, it returns maintenance page with HTTP 200, and that means that search bots might index such page (or treat it as a valid site response anyway, if noindex is mentioned in the page code). I also noticed that some browsers ignore no-cache in the page content, and serve locally cached page even when the server content has been updated - thus leaving users with maintenance page instead of a functional service till they do a proper reload of the page.

Using HTTP 503 solves these problems, and also RFC 2616 suggests HTTP 503 code to be used code for servers in maintenance state.

Do you know a way to return 503 without using ifs in nginx config?

@mikhailov
Owner

ivanku, thanks for bugreport.
nginx_host.conf has been updated, please take a look at the line 67

@madcatbiz

thanks,

but this:

server_name  *.host.com;

dont work for me, need change to:

server_name  subdomain1.host.com sub2.host.com etc..;
@mikhailov
Owner

server_name can include wildcard, just take a look at official documentation here http://nginx.org/en/docs/http/server_names.html

@madcatbiz

конечно же я читал, но именно *.host.com не срабатывает, нужно было перечислить все поддомены

@mikhailov
Owner

версия nginx и конфиг?

@madcatbiz

centos 5.5
nginx 0.8.54 + passenger 3.0.4

собственно это единственно что у меня не сработало, остальное сделал по вашему конфигу, спасибо

@mikhailov
Owner

limit_req has been added to location @passenger

@pmq20

helpful. thank you very much

@sjoonk

Would you mind let us know your system spec for this config? CPU. How many core, and RAM, etc??

@mikhailov
Owner

@sjoonk it's pretty standard, EC2 HighCPU medium instance

@mikhailov
Owner

updates:

  • nginx 1.0.15, passenger 3.0.12
  • block unwanted requests by blocking .html (/phpmyadmin, /mysqladmin..)
  • client_max_body_size moved before passenger initialization, because it works in that way only
  • increase limit per zone to 10r/s
  • SSL cache via ssl_session_cache
@mikhailov
Owner

ssl_session_cache and increased ssl_session_timeout can save 25% of CPU usage

@mikhailov
Owner

--with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-0.9.8x - refer to http://nginx.2469901.n2.nabble.com/nginx-ssl-prefer-server-ciphers-and-MSIE-7-x-core-dump-td3288089.html

@mikhailov
Owner

SSL config updated

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!ADH:!MD5;

@mikhailov
Owner

SSL BEAST attack fixed, locations optimized

@mikhailov
Owner

openssl upgraded to 1.0.1c to enable TLSv1.1 and TLSv1.2.
Few headers was added by security reasons:
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
add_header X-Frame-Options DENY;

@supairish

Hey just found this gist, and I've learned a lot from it. Thanks for sharing.
Can I still use something like the following, if my Rails app is using full page caching to the file system? The files get written out with the .html extension.

location ~ .(php|html)$ {
deny all;
}

@mikhailov
Owner

@supairish yes, you can just remove "|html", the main purpose to use that is to prevent search-bots scans

@mikhailov
Owner

UPDATE: serve static assets fix

@mikhailov
Owner

UPDATE: nginx 1.2.1 instead of 1.0.15, it allows me to disable Last-Modified headers for assets

@pmq20

watching and learnt

@mikhailov
Owner

We recently moved to Nginx+Unicorn due to some passenger's segmentation faults.
You can try passenger in standalone mode, but compile mod_rails module inside is not recommended now.
Anyway, nginx upstream module help you in both cases: 1) use Unicorn, 2) use Standalone Passenger.

See this config here: https://gist.github.com/3052776.

@mentholiptuz

nice config man!

@foton

Thank you very much, this config , especially part:

try_files $uri /system/maintenance.html @passenger;

location @passenger {
     passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
 }

very helped me.
I lost 1 day to finding out how to send HTTP_X_FORWARDED_PROTO to passenger. Proxy configs was useless.

@kjakub

what location @passenger means?

@threadhead

You really shouldn't use that ssl_protocols line anymore. SSL is not secure. TLS is the new black.

ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.