General nginx configuration
The default configuration is located at /etc/nginx/nginx.conf:
user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Directory index
    ##
    index index.php index.html index.htm;

    ##
    # Pass real IP address from frontend (Varnish) to nginx
    # Only needed if nginx is not used as the real frontend.
    ##
    #set_real_ip_from 127.0.0.1;
    #real_ip_header X-Forwarded-For;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
Best practices
Do not use
root /path/to/document-root/
in a location block, but define it in the server block.
Maybe error pages might be served from a common directory?
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
    root /usr/share/nginx/www;
}
Just use the index directive once, preferably in the http block. When the sites are generally the same (i.e. all WordPress sites) then it is possible to define
index index.php index.html index.htm;
in /etc/nginx/nginx.conf. Otherwise you define it in the server block in /etc/nginx/sites-available/dom.tld.
Use try_files, not if, to check if the requested file exists:
try_files $uri $uri/ /index.php?q=$uri&$args;
For WordPress it is also possible to just use this:
try_files $uri $uri/ /index.php;
In general it is advised not to use if.
Use an absolute path in the access_log and error_log directives. A relative path is relative to the nginx directory, not the document root (which is what you might expect; at least I did).
access_log /var/log/nginx/{DOM}.{TLD}.access.log;
or
access_log /home/sites/{DOM}.{TLD}/log/access.log;
In the second example you have to take into account that these files are not part of the log rotation and can therefore increase in size quickly.
Optional: To redirect www.example.com to example.com (or vice versa) you can use the following construction:
server {
    server_name www.example.com;
    return 301 $scheme://example.com$request_uri;
}
server {
    server_name example.com;
    [...]
}
Check also the Pitfalls page on the nginx wiki.
Server block
Create a separate config file for each site in /etc/nginx/sites-available/. The default configuration looks like:
server {
    server_name .{DOM}.{TLD};
    access_log /var/log/nginx/{DOM}.{TLD}.access_log;
    error_log /var/log/nginx/{DOM}.{TLD}.error_log;
    root /home/sites/{DOM}.{TLD}/www;
    index index.php index.html index.htm;

    # Do not log requests or 404 errors for the favicon.
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Do not log requests or 404 errors for robots.txt.
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Handle default content.
    location / {
        # This is cool because no php is touched for static content
        try_files $uri $uri/ /index.php;
    }

    # Pass PHP scripts to the FastCGI backend. The dot is escaped so that
    # only files actually ending in ".php" match this location.
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Disable expiration for asset files. Do not log 404's.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

    # Deny access to apache .htaccess files
    location ~ /\.ht {
        deny all;
    }
}
Activate catch-all configuration
Usually it is best to have a specific site handle the traffic that is not explicitly sent to any of the enabled sites. This site will act as the catch-all website.
In order to designate one of the configuration files as the default file, just add the word default after the port number. In that case it is also better to replace the server name with the underscore (_):
listen 80 default;
server_name _;
Turn off server tokens
If you don't wish to disclose the version number of the nginx you are running, it is possible to turn it off in the configuration file using the server_tokens directive:
server_tokens off;
This will exclude the version number from error pages and response headers.
Keep in mind that this will not keep a hacker out of your server. At best it makes things a little more difficult for a certain group of attackers (but these are also the ones you wouldn't be afraid of anyway). A skilled attacker won't be put off by this.
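As an added example (not code from the original page), the script below checks a configuration text against the best practices listed above and the server_tokens advice in this section: it flags root inside a location block, any if block, a relative access_log or error_log path, and a missing server_tokens off. The sample configuration it inspects is constructed for the demonstration, and the parser assumes one directive or block opener per line, as in the configs on this page.

```python
import re
# Constructed sample (not from the page): a server block that breaks several rules.
SAMPLE_CONF = """
server {
    server_name example.com;
    access_log logs/example.access.log;
    error_log /var/log/nginx/example.error.log;
    location / {
        root /home/sites/example.com/www;
        if (-f $request_filename) {
            break;
        }
    }
    location ~ \\.php$ {
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

def check_nginx_conf(text):
    """Return (rule, detail) findings for the best practices described on this page."""
    # Drop comments first: a commented-out "# server_tokens off;" is not active.
    stripped = "\n".join(ln.split("#", 1)[0] for ln in text.splitlines())
    findings, stack = [], []  # stack: names of enclosing blocks (server, location, if)
    for raw in stripped.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):  # block opener, e.g. "location ~ \.php$ {"
            stack.append((line[:-1].split() or ["?"])[0])
            if stack[-1] == "if":
                findings.append(("no-if", line))
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        parts = line.rstrip(";").split(None, 1)
        directive, args = parts[0], (parts[1] if len(parts) > 1 else "")
        if directive == "root" and "location" in stack:
            findings.append(("root-in-location", args))
        if directive in ("access_log", "error_log") and args != "off" and not args.startswith("/"):
            findings.append(("relative-log-path", args))
    if not re.search(r"^\s*server_tokens\s+off\s*;", stripped, re.M):
        findings.append(("server-tokens", "server_tokens off; is not set"))
    return findings

if __name__ == "__main__":
    for rule, detail in check_nginx_conf(SAMPLE_CONF):
        print(f"{rule}: {detail}")
```

Run it against a real file with check_nginx_conf(open(path).read()); an empty list means none of the four rules was violated.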