The nginx web server can be installed from Homebrew (OS X) or the usual package repositories (Linux). This gist contains a few sample configurations to get started with.
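# /usr/local/etc/nginx/nginx.conf   (Homebrew, OS X)
# /etc/nginx/nginx.conf             (Linux packages)

# Account the worker processes run as. It must already exist on the system;
# keep it unprivileged and without write access to the served files.
user nginx;
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Keep the nginx version out of the Server header and the error pages.
    server_tokens off;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 5;

    # Compress text-like responses of 1 KiB and more, including responses to
    # proxied requests. text/html is always compressed and needs no entry.
    gzip on;
    gzip_comp_level 2;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_types text/plain
               text/css
               text/js
               text/xml
               text/javascript
               application/javascript
               application/json
               application/xml
               application/rss+xml
               application/x-javascript
               image/svg+xml;

    # Catch-all: a request whose Host header matches no configured server_name
    # ends up here, and 444 closes the connection without sending a response.
    # default_server makes this explicit rather than relying on this block
    # being the first server that nginx reads.
    server {
        listen 80 default_server;
        return 444;
    }

    # Per-site configuration. The relative path is resolved against the
    # directory holding this file, so it works for both locations named above.
    include conf.d/*.conf;
}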
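# Every command below needs root, so each one is run through sudo.

# Create a new user to maintain public files
sudo useradd www

# Create folder for site and set permissions / SELinux context
sudo mkdir -p /srv/www
sudo chown www:www /srv/www
# 775: owner and group may write; everyone else, including the nginx worker
# user, can only read and traverse.
sudo chmod 775 /srv/www
# Record the labelling rule for the whole tree (SELinux systems only) ...
sudo semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
# ... and apply it recursively, so files already below /srv/www are relabelled
# as well as the directory itself.
sudo restorecon -R /srv/www

# Start nginx only if the configuration parses, then enable it at boot
sudo nginx -t && sudo systemctl start nginx.service
sudo systemctl enable nginx.service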
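# /usr/local/etc/nginx/conf.d/example.conf
# /etc/nginx/conf.d/example.conf
#
# Static site served over plain HTTP from /srv/www/example.com.

server {
    listen 80;
    # Matches subdomains only; the bare name example.com is not covered by
    # this pattern.
    server_name *.example.com;
    root /srv/www/example.com;

    access_log /var/log/nginx/example.access;
    error_log /var/log/nginx/example.error error;

    index index.html;
    charset utf-8;

    # A static site only has to answer reads; drop everything else without a
    # response.
    if ($request_method !~ ^(GET|HEAD)$ ) {
        return 444;
    }

    # Regex locations are tried in the order written and the first match wins,
    # so this rule comes first. It keeps dot-files and dot-directories (.git,
    # .htpasswd, editor backups) in the document root from being served.
    # Add an exception if /.well-known/ has to be reachable.
    location ~ /\. {
        deny all;
    }

    # A missing favicon is not worth an error-log entry.
    location ~ favicon\.ico$ {
        log_not_found off;
    }

    # Static assets: cacheable for a week and left out of the access log.
    location ~* \.(?:jpg|jpeg|gif|png|ico|gz|svg|svgz|mp4|css|js)$ {
        expires 1w;
        access_log off;
        add_header Cache-Control "public";
    }

    # Extension-less URLs: /about is answered from /about, /about/index.html
    # or /about.html. The last argument of try_files is a fallback rather than
    # a file check, so without "=404" a missing page would be redirected
    # internally to "$1.html" over and over until nginx gives up with a 500.
    location ~ ^(.+?)/?$ {
        try_files $1 $1/index.html $1.html =404;
    }
}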
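# /usr/local/etc/nginx/conf.d/example.conf
# /etc/nginx/conf.d/example.conf
#
# PHP (WordPress) site behind FastCGI on 127.0.0.1:9000, with a short-lived
# "microcache" and a few hardening rules.

# Zones referenced by the server block below ("limit_req zone=one" and
# "fastcgi_cache microcache"); nginx refuses to start when they are not
# defined. Files in conf.d are included inside http {}, so they may be
# declared here. The sizes, the rate and the cache directory are example
# values constructed for this sample: adjust them, and remove these two lines
# if the zones are already declared elsewhere in the http context.
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
fastcgi_cache_path /var/cache/nginx/microcache levels=1:2 keys_zone=microcache:5m max_size=1000m;

server {
    listen 80;
    # Matches subdomains only; the bare name example.com is not covered by
    # this pattern.
    server_name *.example.com;
    root /srv/www/example.com;

    access_log /var/log/nginx/example.access;
    error_log /var/log/nginx/example.error error;

    index index.php index.html;
    charset utf-8;

    ### Security directives
    # Regex locations are tried in the order written and the first match wins.
    # The deny rules therefore have to come before the static-asset and \.php$
    # locations; placed after them, a request for /wp-config.php or for a .php
    # file under /uploads/ would be handed to FastCGI and never be denied.

    # Deny access to sensitive files
    location ~ /(\.|wp-config\.php|wp-comments-post\.php|readme\.html|license\.txt) {
        deny all;
    }

    # Mitigate damage if site is compromised
    location ~ /uploads/.*\.php$ {
        # Deny access to maliciously uploaded scripts.
        deny all;
    }

    # Rate-limit to prevent brute force login attempts
    # (an exact-match location, so it takes precedence over every regex location)
    location = /wp-login.php {
        limit_req zone=one burst=1 nodelay;

        # Same as other PHP files
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Relative to the configuration directory, as in the \.php$ location,
        # so the file also works under /usr/local/etc/nginx.
        include fastcgi_params;
    }

    location ~ favicon\.ico$ {
        log_not_found off;
    }

    # Static assets: cacheable for a week and left out of the access log.
    location ~* \.(jpg|jpeg|gif|png|ico|gz|svg|svgz|mp4|css|js)$ {
        expires 1w;
        access_log off;
        add_header Cache-Control "public";
    }

    # Front controller: anything that is not a file or directory goes to
    # index.php. "$args" forwards the original query string; written as the
    # bare word "args" it would be appended literally and the query lost.
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        # Hand only scripts that exist on disk to the FastCGI backend, so a
        # URI such as /some/file.jpg/x.php is answered with 404 instead of
        # being left to the backend's path handling. This is an "if ... return"
        # rather than try_files because try_files is skipped whenever one of
        # the "if" blocks below matches.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        set $no_cache "";

        # If not GET/HEAD, don't cache & mark user as uncacheable for 1 second via cookie
        if ($request_method !~ ^(GET|HEAD)$) {
            set $no_cache "1";
        }
        if ($no_cache = "1") {
            add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
            add_header X-Microcachable "0";
        }
        if ($http_cookie ~* "_mcnc") {
            set $no_cache "1";
        }

        # Bypass cache if flag is set
        fastcgi_no_cache $no_cache;
        fastcgi_cache_bypass $no_cache;

        # NOTE(review): the cache is bypassed only for non-GET/HEAD requests
        # and for the short-lived _mcnc cookie. Pages requested with a session
        # cookie are cached like any other unless the backend marks them
        # uncacheable; confirm that it does, or add the session cookies to the
        # bypass conditions.
        # NOTE(review): $server_name is the configured name, not the requested
        # host, so all subdomains share cache entries; verify they serve
        # identical content.
        fastcgi_cache microcache;
        fastcgi_cache_key $server_name|$request_uri;
        fastcgi_cache_valid 404 30m;
        fastcgi_cache_valid 200 10s;
        fastcgi_max_temp_file_size 1M;
        fastcgi_cache_use_stale updating;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}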