====== Nginx ======

====== Performance ======

  * uninstall nginx-full (nginx is just an empty meta-package); instead install nginx-extras from dotdeb. This version includes pagespeed and everything
  * try nginx-light -> it's faster (ca. 0.2 sec), but has few modules
  * always use the latest versions from the dotdeb repo

**nginx.conf optimizations:**

<code nginx>
# use the number of logical cores / threads:
worker_processes 8;

events {
    worker_connections 1024;
    multi_accept on;
}

http {
    # log buffer (reduce slow disc writes); assumes a log_format named "main" is defined
    access_log /var/log/nginx/access.log main buffer=16k;

    # gzip config
    gzip on;
    gzip_disable "msie6";
    gzip_min_length 1400;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    # Cache information about frequently accessed files
    open_file_cache max=2000 inactive=20s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;

    # buffers optimized:
    client_max_body_size 20m;
    client_body_buffer_size 128k;

    # fix 169 "upstream sent too big header while reading response header from upstream"
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_connect_timeout 1200s;
    proxy_send_timeout 1200s;
    proxy_read_timeout 1200s;
    fastcgi_send_timeout 1200s;
    fastcgi_read_timeout 1200s;

    # mitigate https://httpoxy.org: never pass a client-supplied Proxy header on to FastCGI backends
    fastcgi_param HTTP_PROXY "";

    tcp_nopush on;
    tcp_nodelay on;
    #tcp_nopush off;   # -> 0.1s - 0.3s slower

    keepalive_timeout 5;   # instead of 65 - fewer resources, same performance
}
</code>

===== mod_pagespeed =====

dotdeb packages include mod_pagespeed for nginx in wheezy.

**add dotdeb repos to /etc/apt/sources.list:**

<code>
deb http://packages.dotdeb.org wheezy all
deb-src http://packages.dotdeb.org wheezy all
</code>

**update and install nginx-extras from dotdeb:**

<code bash>
apt-get update
apt-get install nginx-extras
</code>

**create cache dir:**

<code bash>
mkdir /var/cache/ngx_pagespeed/
chown www-data:www-data /var/cache/ngx_pagespeed/
</code>

**edit /etc/nginx/sites-available/default:**

<code nginx>
server {
    # ...
    pagespeed on;
    pagespeed RewriteLevel CoreFilters;
    pagespeed FileCachePath "/var/cache/ngx_pagespeed/";
    pagespeed EnableFilters combine_css,combine_javascript,remove_comments,collapse_whitespace;
    # ...
}
</code>

**play with the filters:** https://developers.google.com/speed/pagespeed/module/config_filters

===== rewrites =====

URL encoding with umlauts is a problem. Here is how to fix it:

<code nginx>
# (*UTF8) switches PCRE to UTF-8 mode so the umlauts in the character class match multi-byte input
rewrite (*UTF8)^/[öüäÖÜÄßa-zA-Z][a-zA-Z]/index.php(.*)$ /index.php$1;
</code>

===== microcaching =====

Cache PHP output for a very short time on busy sites to reduce PHP load.

Vhost config top (http context):

<code nginx>
fastcgi_cache_path /home/cache levels=1:2 keys_zone=microcache:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";

server {
    # ...
    location ~ \.php$ {
        # Setup var defaults
        set $no_cache "";

        # If non GET/HEAD, don't cache & mark user as uncacheable for 1 second via cookie
        if ($request_method !~ ^(GET|HEAD)$) {
            set $no_cache "1";
        }

        # Drop no cache cookie if need be
        # (for some reason, add_header fails if included in prior if-block)
        if ($no_cache = "1") {
            add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
            add_header X-Microcachable "0";
        }

        # Bypass cache if no-cache cookie is set
        if ($http_cookie ~* "_mcnc") {
            set $no_cache "1";
        }

        # Bypass cache if flag is set
        fastcgi_no_cache $no_cache;
        fastcgi_cache_bypass $no_cache;
        fastcgi_cache microcache;                        # must match the keys_zone name above
        fastcgi_cache_key $server_name|$request_uri;    # overrides the http-level key for this location
        fastcgi_cache_valid 404 30m;
        fastcgi_cache_valid 200 10s;
        fastcgi_max_temp_file_size 1M;
        fastcgi_cache_use_stale updating;
        fastcgi_pass_header Set-Cookie;
        fastcgi_pass_header Cookie;
        # Ignoring Set-Cookie means a response that sets a cookie is still cached and served to
        # other clients for up to 10s; only use this on pages that never emit per-user cookies.
        fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
        # ... fastcgi_pass and the usual fastcgi_param lines go here
    }
}
</code>

====== Security ======

===== Block Bots, SQL Injections, etc =====

How to block bots in nginx.conf or an included config. Here's an extensive list:

<code nginx>
server {
    # ...
    # NOTE: generic tokens in this list (scan, email, loader, grab, extract, archiver, ...) also match
    # harmless clients whose user agent merely contains that word; test against your access log first.
    if ($http_user_agent ~* "(AspiegelBot|MegaIndex|heritrix|panscient|HubSpot|libwww-perl|OpenVAS-VT|masscan|Linguee|Nimbostratus|Seekport|SMTBot|SEOkicks|SeobilityBot|360Spider|AhrefsBot|BLEXBot|MJ12bot|BUbiNG|Findxbot|Morfeus|larbin|ZmEu|Toata|talktalk|Baiduspider|webalta|nikto|wkito|pikto|scan|acunetix|morfeus|webcollage|youdao|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner|SemrushBot|GetWeb!|GetRight|Go!Zilla|Download Demon|Go-Ahead-Got-It|TurnitinBot|GrabNet|Indy Library)") {
        # Connection Closed Without Response
        # A non-standard status code used to instruct nginx to close the connection without sending a response to the client,
        # most commonly used to deny malicious or malformed requests.
        return 444;
    }
    # ...
}
</code>

https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc
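As an added dry run for the user-agent list above (example code written for this page, not part of the original wiki or the howtoforge article), the script below replays the same alternation, case-insensitively as nginx's ~* does, over constructed access-log lines in nginx's combined format and reports which requests would have received a 444. The four sample log lines and the client names in them are constructed, not real traffic.

```python
import re

# Same user-agent alternation as the nginx "if" above, matched case-insensitively like ~*.
BLOCK_UA = re.compile(
    r"(AspiegelBot|MegaIndex|heritrix|panscient|HubSpot|libwww-perl|OpenVAS-VT|masscan|Linguee|"
    r"Nimbostratus|Seekport|SMTBot|SEOkicks|SeobilityBot|360Spider|AhrefsBot|BLEXBot|MJ12bot|"
    r"BUbiNG|Findxbot|Morfeus|larbin|ZmEu|Toata|talktalk|Baiduspider|webalta|nikto|wkito|pikto|"
    r"scan|acunetix|morfeus|webcollage|youdao|HTTrack|clshttp|archiver|loader|email|harvest|"
    r"extract|grab|miner|SemrushBot|GetWeb!|GetRight|Go!Zilla|Download Demon|Go-Ahead-Got-It|"
    r"TurnitinBot|GrabNet|Indy Library)",
    re.IGNORECASE,
)

# nginx "combined" log format; the user agent is the last quoted field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def would_block(user_agent):
    """Return the list token that fires (as it appears in the UA), or None if nginx would let it through."""
    m = BLOCK_UA.search(user_agent)
    return m.group(1) if m else None


def audit_log(lines):
    """Dry-run the block list over access-log lines; returns [(ip, ua, token-or-None), ...]."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:  # lines that are not in combined format are skipped
            hits.append((m.group("ip"), m.group("ua"), would_block(m.group("ua"))))
    return hits


# Constructed sample lines, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"',
    '198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "masscan/1.3"',
    '192.0.2.15 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
    # Harmless (constructed) client caught by the broad "email" token: the false positive the dry run is for.
    '192.0.2.22 - - [10/Oct/2023:13:56:05 +0000] "GET /contact HTTP/1.1" 200 2048 "-" "MyEmailApp/2.1 (Android)"',
]

if __name__ == "__main__":
    for ip, ua, token in audit_log(SAMPLE_LOG):
        print(f"{ip:<14} {('444 via ' + token) if token else 'allowed':<20} {ua}")
```

Feed it your own access.log (one line per element of the list) before enabling the rule, and trim any token that fires on clients you want to keep.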