!!! Work in progress, use at your own risk. !!!
- nginx
- certbot
- iptables
$ sudo apt update # Fetches the list of available updates
$ sudo apt full-upgrade # Installs updates; may also remove some packages, if needed
$ sudo apt autoremove # Removes any old packages that are no longer needed
Add a new user for the purposes of logging in and doing administrative work.
The root user has permissions to change every aspect of your server. This is good for the sake of administration, but regularly logging in and navigating your VPS as root isn't great for security.
adduser username
You will be prompted with:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Add the new user to the sudo group.
usermod -aG sudo username
After logging out and back in as the new user, make sure sudo works. One way is to list the /root directory, which only root can read, so the command succeeds only through sudo. You will be asked for your own user's password to authenticate.
sudo ls -la /root
[sudo] password for username:
$ sudo apt install nginx -y
$ sudo systemctl enable --now nginx
The first two values to tune are worker_processes and worker_connections.
worker_processes - how many worker processes nginx spawns.
worker_connections - how many simultaneous connections each worker can handle.
Set worker_processes to the number of cores available (or to auto, which does this for you). Display the core count with:
grep processor /proc/cpuinfo | wc -l
worker_connections is bounded by the per-process open-file limit, because every connection holds at least one descriptor (and a static file being served holds another). Check the limit with:
ulimit -n
Update the config with the new values. worker_connections belongs inside the events block, not at top level:
sudo nano /etc/nginx/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
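The same two settings derived from the machine instead of typed by hand, as an added example that is not part of this guide's notes: core_count and fd_limit read what the two commands above print, pick_worker_connections keeps worker_connections at half the descriptor limit with a floor of 256, and render_tuning_conf prints the main-context lines and the events block to paste into /etc/nginx/nginx.conf. The halving rule and the 256 floor are this example's assumptions for a static site, not nginx defaults; worker_rlimit_nofile is a real nginx directive that lets the master raise the workers' descriptor limit.

```sh
#!/bin/sh
# Added example (not from the original guide): compute worker_processes and
# worker_connections from the host instead of hard-coding them.
# Assumptions: POSIX sh; Linux (/proc/cpuinfo) or coreutils nproc; the
# halving rule and the 256 floor are this example's choice, not nginx defaults.

# Number of CPU cores; worker_processes is normally set to exactly this.
core_count() {
    n=$(nproc 2>/dev/null || true)
    if [ -z "$n" ] && [ -r /proc/cpuinfo ]; then
        n=$(grep -c '^processor' /proc/cpuinfo || true)
    fi
    case $n in ''|*[!0-9]*|0) n=1 ;; esac
    echo "$n"
}

# Per-process open-file limit of the calling shell (what `ulimit -n` shows).
# Each client connection holds one descriptor and each static file served
# holds another, so it bounds worker_connections.
fd_limit() {
    ulimit -n
}

# Derive worker_connections from a descriptor limit: half the descriptors
# for connections, half for the files behind them, never fewer than 256.
# "unlimited" (possible on some hosts) is treated as 65536.
# Usage: pick_worker_connections <fd_limit>
pick_worker_connections() {
    limit=$1
    case $limit in ''|*[!0-9]*) limit=65536 ;; esac
    conns=$((limit / 2))
    [ "$conns" -ge 256 ] || conns=256
    echo "$conns"
}

# Print the main-context lines and the events block for nginx.conf.
# worker_rlimit_nofile lets the master raise each worker's descriptor limit
# to cover its connections plus the files it serves.
# Usage: render_tuning_conf <cores> <connections>
render_tuning_conf() {
    cores=$1
    conns=$2
    cat <<EOF
worker_processes $cores;
worker_rlimit_nofile $((conns * 2));

events {
    worker_connections $conns;
}
EOF
}

# Print the snippet for this host; review it, replace the matching lines in
# /etc/nginx/nginx.conf, then run: sudo nginx -t && sudo systemctl reload nginx
render_tuning_conf "$(core_count)" "$(pick_worker_connections "$(fd_limit)")"
```

Debian's nginx.conf already contains worker_processes and an events block, so replace those lines rather than appending; conf.d files are included inside the http block and cannot carry these directives.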
Enabling gzip saves bandwidth and improves load time on slow connections.
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
gzip on - enables gzip compression.
gzip_vary on - adds Vary: Accept-Encoding so proxies cache both the gzipped and the plain version of a resource.
gzip_min_length 10240 - tells NGINX not to compress responses smaller than 10240 bytes (the value set above).
gzip_proxied - compresses responses for clients connecting via proxies when the response carries an Expires header in the past (expired), a Cache-Control header with no-cache, no-store or private, or the request carried an Authorization header (auth).
gzip_types - the MIME types that may be compressed; text/html is always compressed and need not be listed.
gzip_disable "MSIE [1-6]\." - disables compression for Internet Explorer versions 1-6.
Caveat: compressing responses that place secrets (session or CSRF tokens) next to attacker-controlled input over TLS exposes them to the BREACH side channel. A static site with no per-user content is not affected, but keep this in mind before serving dynamic pages through the same configuration.
Timeouts also improve performance noticeably: idle and slow clients release their resources sooner (which also limits the damage from deliberately slow requests), while keep-alive connections avoid the CPU and network overhead of opening and closing a connection per request.
client_body_timeout 12;
client_header_timeout 12;
keepalive_timeout 15;
send_timeout 10;
client_body_timeout - how long the server waits between two successive reads of the request body before closing the connection.
client_header_timeout - how long the server waits for the complete request header.
keepalive_timeout - how long an idle keep-alive connection stays open.
send_timeout - how long the server waits between two successive writes of the response to the client.
Setting an appropriate log level can dramatically reduce I/O overhead. A good starting point is error (this is also the default when no level is specified).
error_log /var/log/nginx/error.log error;
If access logging is required, enable access-log buffering. Nginx then collects a series of log entries in memory and writes them to the file in one operation instead of one write per request. Buffered entries reach the file when the buffer fills, when the worker exits, or after the interval given by the optional flush= parameter; set one if you watch the access log for attacks, because a quiet site can otherwise hold entries back for a long time.
access_log /var/log/nginx/access.log buffer=16k;
Create the website directory in /var/www (it is owned by root, so the file is written with sudo):
$ sudo mkdir -p /var/www/www.mywebsite.com
$ cd /var/www/www.mywebsite.com
$ sudo nano index.html
Paste the following into nano editor:
<!DOCTYPE html>
<html>
<head>
<title>Nginx Static Website</title>
</head>
<body>
<h1>Hello world</h1>
</body>
</html>
Next add a server configuration block. Instead of going through the sites-available folder and creating symlinks, write the server block straight into the conf.d folder, which the default nginx.conf already includes; it works the same on every platform and is simpler to manage:
$ sudo nano /etc/nginx/conf.d/www.mywebsite.com.conf
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/www.mywebsite.com;
    index index.html index.htm;
    server_name _;
    # The dot is escaped: an unescaped . matches any character, so /logojpg would match too.
    location ~* \.(jpg|jpeg|png|gif|ico|svg)$ {
        expires 30d;
    }
    location ~* \.(css|js)$ {
        expires 1d;
    }
    location / {
        try_files $uri $uri/ =404;
    }
}
Remove the default configuration (it also declares default_server on port 80, and two default servers on one address make the config invalid), test the configuration, and only then reload nginx:
$ sudo rm /etc/nginx/sites-enabled/default
$ sudo nginx -t
$ sudo systemctl reload nginx
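The steps from creating the web root through reloading nginx, collected into one script as an added example that is not part of this guide. Every path is prefixed with $PREFIX (empty by default, meaning the live filesystem), so the functions can be dry-run in a scratch directory before being executed with sudo on the server. Two hardening lines not present in the server block above are this example's additions: server_tokens off hides the nginx version from headers and error pages, and the dotfile location returns 404 for paths such as /.git/config or /.env that may end up under the web root. The site name www.mywebsite.com is the guide's placeholder.

```sh
#!/bin/sh
# Added example (not from the original guide): deploy the static site and its
# conf.d server block in one reviewable step.
# Assumptions: Debian/Ubuntu nginx layout (conf.d included from nginx.conf,
# sites-enabled/default shipped by the package); www.mywebsite.com is a
# placeholder. PREFIX="" means the live filesystem; set PREFIX to a scratch
# directory to dry-run without root.
set -u

PREFIX=${PREFIX:-}

# Create the document root with a placeholder page. Prints the root path.
# Usage: create_webroot <site>
create_webroot() {
    site=$1
    root="$PREFIX/var/www/$site"
    mkdir -p "$root"
    cat >"$root/index.html" <<'EOF'
<!DOCTYPE html>
<html>
<head>
<title>Nginx Static Website</title>
</head>
<body>
<h1>Hello world</h1>
</body>
</html>
EOF
    echo "$root"
}

# Write the server block into conf.d. Prints the config path.
# The dot in the extension regexes is escaped: an unescaped '.' matches any
# character, so a request for /logojpg would also get the 30-day cache header.
# server_tokens off and the dotfile location are hardening additions of this
# example, not lines from the guide.
# Usage: write_site_conf <site>
write_site_conf() {
    site=$1
    conf="$PREFIX/etc/nginx/conf.d/$site.conf"
    mkdir -p "${conf%/*}"
    cat >"$conf" <<EOF
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name $site;
    root /var/www/$site;
    index index.html index.htm;

    # Hide the version string; refuse dotfiles such as /.git/config or /.env.
    server_tokens off;
    location ~ /\\. {
        return 404;
    }

    location ~* \\.(jpg|jpeg|png|gif|ico|svg)\$ {
        expires 30d;
    }
    location ~* \\.(css|js)\$ {
        expires 1d;
    }
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
    echo "$conf"
}

# Remove the package's default site: it also claims default_server on port 80,
# and two default servers on one address make nginx -t fail.
disable_default_site() {
    rm -f "$PREFIX/etc/nginx/sites-enabled/default"
}

# Validate first, reload only if the test passes. Skipped on a dry run.
reload_nginx() {
    if [ -z "$PREFIX" ] && command -v nginx >/dev/null 2>&1; then
        nginx -t && systemctl reload nginx
    else
        echo "dry run: skipping nginx -t and reload" >&2
    fi
}

# Usage: deploy_site <site>
deploy_site() {
    create_webroot "$1" >/dev/null
    write_site_conf "$1" >/dev/null
    disable_default_site
    reload_nginx
}

# Live run on the server:  sudo sh deploy_site.sh www.mywebsite.com
# Dry run anywhere:        PREFIX=/tmp/nginx-dry sh deploy_site.sh www.mywebsite.com
if [ "$#" -gt 0 ]; then
    deploy_site "$1"
fi
```

The dry run is worth doing once: inspect the generated conf.d file (in particular that the regexes came out as \.(jpg|...)$ and try_files kept its $uri variables) before the live run writes it under /etc/nginx.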