Default nginx config file

Added on May 22nd, 2012 and marked as config nginx webserver

General nginx configuration

The default configuration is located at /etc/nginx/nginx.conf:

user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Directory index
    ##
    index index.php index.html index.htm

    ##
    # Pass real IP address from frontend (Varnish) to nginx
    # Only needed if nginx is not used as the real frontend.
    ##
    #set_real_ip_from 127.0.0.1;
    #real_ip_header X-Forwarded-For;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Best practices

Do not use root /path/to/document-root/ in a location block, but define it in the server block.
Maybe error-pages might be served from a common directory?

  # redirect server error pages to the static page /50x.html
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
      root /usr/share/nginx/www;
  }

Just use the index directive once, preferrably in the http block. When the sites are generally the same (i.e. all WordPress sites) then it is possible to define index index.php index.html index.htm in /etc/nginx/nginx.conf. Otherwise you define it in the server block in /etc/nginx/sites-available/dom.tld.
Use try_files, not if, to check if the requested file exists:
```
  try_files $uri $uri/ /index.php?q=$uri&$args;
```
For WordPress it is also possible to just use this:
```
  try_files $uri $uri/ /index.php
```
In general it is advised not to use if.
Use an absolute path in the acccess_log and error_log directive. A relative path is relative to the nginx directory, not the document root (what you might expect, at least I did).
```
  access_log /var/log/nginx/{DOM}.{TLD}.access.log
```
or
```
  access_log /home/sites/{DOM}.{TLD}/log/access.log
```
In the second example you have to take into account that these files are not part of the log rotation and can therefore increase in size quickly.

Optional: To redirect www.example.com to example.com (or vice versa) you can use the following construction:

  server {
      server_name www.example.com;
      return 301 $scheme://example.com$request_uri;
  }
  server {
      server_name example.com;
      [...]
  }

Check also the Pitfalls page on the nginx wiki.

Server block

Create for each site a seperate config file in /etc/nginx/sites-available/. The default configuration looks like:

server {
    server_name .{DOM}.{TLD};
    access_log /var/log/nginx/{DOM}.{TLD}.access_log;
    error_log /var/log/nginx/{DOM}.{TLD}.error_log;
    root /home/sites/{DOM}.{TLD}/www;
    index index.php index.html index.htm;

    # Do not log requests or 404 errors for the favicon.
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Do not log requests or 404 errors for robots.txt.
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Handle default content.
    location / {
        # This is cool because no php is touched for static content
        try_files $uri $uri/ /index.php;
    }

    location ~ .php$ {
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include         fastcgi_params;
    }

    # Disable expiration for asset files. Do not log 404's.
    location ~* .(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

    # Deny access to apache .htaccess files
    location ~ /.ht
    {
        deny all;
    }
}

Activate catch-all configuration

Usually it is best to have a specific site handle the traffic that is not explicitly sent to any of the enabled sites. This site will act a the catch-all website.

In order to designate one of the configuration files as the default file, just add the word default after the portnumber. And in that case, it is also better to replace the servername with the underscore (_):

listen 80 default;
server_name _;

Turn off server tokens

If you don’t wish to disclose the version number your nginx is running at, it is possible to turn it off in the configuration file using the server_tokens directive.

server_tokens off;

This will exclude the version number from error pages and response headers.

Keep in mind that this will not keep a hacker out of your server. At best, it just makes it for a certain group of attackers more difficult (but these are also the ones you wouldn’t be afraid of anyway). A skilled attacker won’t be put off by this.