Nginx

Performance

  • Uninstall nginx-full (nginx is just an empty meta-package) and install nginx-extras from dotdeb instead. That version includes pagespeed and everything.
  • Try nginx-light → it's faster (ca. 0,2 sec), but has few modules.
  • Always use the latest versions from the dotdeb repo.

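nginx.conf optimizations:

# main context: use the number of logical cores / threads:
worker_processes 8;

# worker_connections and multi_accept are only valid inside the events block
events {
    worker_connections 1024;
    multi_accept on;
}

# the directives below go into the http { } block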

# log buffer (reduce slow disc writes)
access_log /var/log/nginx/access.log main buffer=16k;
# gzip config
gzip on;
gzip_disable "msie6";
gzip_min_length 1400;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Cache information about frequently accessed files
open_file_cache max=2000 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
# buffers optimized:
client_max_body_size 20m;
client_body_buffer_size 128k;
# fix 169 upstream sent too big header while reading response header from upstream
proxy_buffer_size   128k;
proxy_buffers   4 256k;
proxy_busy_buffers_size   256k;
proxy_connect_timeout  1200s;
proxy_send_timeout  1200s;
proxy_read_timeout  1200s;
fastcgi_send_timeout 1200s;
fastcgi_read_timeout 1200s;

# mitigate https://httpoxy.org:
fastcgi_param HTTP_PROXY "";
tcp_nopush on;
tcp_nodelay on;
#tcp_nopush off;	 # -> 0,1s - 0,3s slower
keepalive_timeout 5;   # instead of 65 - fewer resources, same performance

mod_pagespeed

dotdeb packages include mod_pagespeed for nginx in wheezy

add dotdeb repos to /etc/apt/sources.list:

deb http://packages.dotdeb.org wheezy all
deb-src http://packages.dotdeb.org wheezy all

update and install nginx-extras from dotdeb:

apt-get update
apt-get install nginx-extras

create cache dir:

mkdir /var/cache/ngx_pagespeed/
chown www-data:www-data /var/cache/ngx_pagespeed/

edit /etc/nginx/sites-available/default:

server {
  #....
  
  pagespeed on;
  pagespeed RewriteLevel CoreFilters;
  pagespeed FileCachePath "/var/cache/ngx_pagespeed/";
  pagespeed EnableFilters combine_css,combine_javascript,remove_comments,collapse_whitespace;
  
  #....
}

play with the filters:

https://developers.google.com/speed/pagespeed/module/config_filters

rewrites

URL encoding with umlauts is a problem. Here is how to fix it:

rewrite (*UTF8)^/[öüäÖÜÄßa-zA-Z][a-zA-Z]/index.php(.*)$ /index.php$1;

microcaching

Cache PHP output for a very short time on busy sites to reduce php load:

Vhost config top:

# zone name (keys_zone) must match the name used by fastcgi_cache below
fastcgi_cache_path /home/cache levels=1:2 keys_zone=microcache:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";

server {

....

location ~ \.php$ {
    # Setup var defaults
    set $no_cache "";
    # If non GET/HEAD, don't cache & mark user as uncacheable for 1 second via cookie
    if ($request_method !~ ^(GET|HEAD)$) {
        set $no_cache "1";
    }
    # Drop no cache cookie if need be
    # (for some reason, add_header fails if included in prior if-block)
    if ($no_cache = "1") {
        add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
        add_header X-Microcachable "0";
    }
    # Bypass cache if no-cache cookie is set
    if ($http_cookie ~* "_mcnc") {
        set $no_cache "1";
    }
    # Bypass cache if flag is set
    fastcgi_no_cache $no_cache;
    fastcgi_cache_bypass $no_cache;
    fastcgi_cache microcache;
    # overrides the fastcgi_cache_key set at the top for this location
    fastcgi_cache_key $server_name|$request_uri;
    fastcgi_cache_valid 404 30m;
    fastcgi_cache_valid 200 10s;
    fastcgi_max_temp_file_size 1M;
    fastcgi_cache_use_stale updating;
    fastcgi_pass_header Set-Cookie;
    fastcgi_pass_header Cookie;
    # ignoring Set-Cookie makes responses that set a cookie cacheable;
    # they are stored and served from the cache together with that header
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
}

}
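
A variant of the location block above for sites with logins, as an added example that is not part of the original page: it leaves Set-Cookie out of fastcgi_ignore_headers, so nginx keeps its default of not storing responses that set a cookie, and it bypasses the cache for requests that carry a session cookie or an Authorization header. The cookie name PHPSESSID (PHP's default), the zone name microcache and the X-Microcache debug header are assumptions.

```nginx
# Added example (not from the original page). Assumptions: the zone
# "microcache" is declared by fastcgi_cache_path at http level, the application
# uses PHP's default session cookie name PHPSESSID, and the fastcgi_pass /
# fastcgi_param lines of the real vhost are unchanged and omitted here.
location ~ \.php$ {
    set $no_cache "";

    # Only GET/HEAD are cacheable
    if ($request_method !~ ^(GET|HEAD)$) {
        set $no_cache "1";
    }
    # Requests that carry a session cookie may get personalised output:
    # never answer them from the cache and never store their responses.
    # This matters because Cache-Control is ignored below, so the
    # "no-cache" headers PHP sends for sessions do not protect these pages.
    if ($http_cookie ~* "PHPSESSID") {
        set $no_cache "1";
    }
    # Same for HTTP authentication
    if ($http_authorization) {
        set $no_cache "1";
    }

    fastcgi_cache           microcache;
    # Scheme and method are part of the key (the key from the vhost top),
    # so http and https never share a cache entry
    fastcgi_cache_key       "$scheme$request_method$host$request_uri";
    fastcgi_cache_bypass    $no_cache;
    fastcgi_no_cache        $no_cache;
    fastcgi_cache_valid     200 10s;
    fastcgi_cache_valid     404 30m;
    fastcgi_cache_use_stale updating;

    # Set-Cookie is NOT listed here: nginx then keeps its default behaviour
    # and refuses to store any response that sets a cookie, so one visitor's
    # session cookie cannot be replayed to the next visitor from the cache.
    fastcgi_ignore_headers  Cache-Control Expires;

    # Debug aid (hypothetical header name): HIT / MISS / BYPASS / EXPIRED
    add_header X-Microcache $upstream_cache_status;
}
```

Check it with `nginx -t`, then request the same page twice with `curl -I`, once without and once with a PHPSESSID cookie: the first pair should show MISS then HIT, the second BYPASS both times.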

Security

Block Bots, SQL Injections, etc

How to block bots in nginx.conf or an included config. Here's an extensive list:

server { ...

  # case-insensitive substring match: short tokens such as scan, email, loader or grab
  # match anywhere in the User-Agent string, so check the access log for false positives
  if ($http_user_agent ~* (AspiegelBot|MegaIndex|heritrix|panscient|HubSpot|libwww-perl|OpenVAS-VT|masscan|Linguee|Nimbostratus|Seekport|SMTBot|SEOkicks|SeobilityBot|360Spider|AhrefsBot|BLEXBot|MJ12bot|BUbiNG|Findxbot|Morfeus|larbin|ZmEu|Toata|talktalk|Baiduspider|webalta|nikto|wikto|pikto|scan|acunetix|morfeus|webcollage|youdao|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner|SemrushBot|GetWeb!|GetRight|Go!Zilla|Download\ Demon|Go-Ahead-Got-It|TurnitinBot|GrabNet|Indy\ Library) ) {
  
      # Connection Closed Without Response
      # A non-standard status code used to instruct nginx to close the connection without sending a response to the client, 
      # most commonly used to deny malicious or malformed requests.
      
      return 444;
  }
...
}

https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc

linux/webserver/nginx.txt · Last modified: 2020/11/13 04:12 by tkilla