h5bp / server-configs-nginx
Nginx HTTP server boilerplate configs
License: MIT License
Hello.
I just read on the nginx site:
nginx uses absolute paths only, all relative paths in configuration files are relative to --prefix==PATH.
Sadly the prefix path is usually /usr/share/nginx on Ubuntu systems (not sure about others), and not the config path. This explains why I can't include any h5bp configs properly :(
Could the paths be changed to absolute paths? Specifically the basic.conf?
Is the current head "stable"?
I love this resource and it's really helped a couple of large client servers, but I feel one tiny thing is missing: fastcgi config.
Any chance of adding some defaults for fastcgi setups?
View www.istlsfastyet.com; its config is in: https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx.conf
Hello,
I tried to use the boilerplate with guacamole.
I defined upstream as this:
upstream guac {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    server_name guac.example.invalid;
    include h5bp/directive-only/ssl.conf;
    include h5bp/directive-only/ssl-stapling.conf;
    # ssl stuff
    rewrite_log on;
    error_log /var/log/nginx/guac.error.log notice;
    access_log /var/log/nginx/guac.access.log main;

    location / {
        access_log off;
        proxy_pass http://guac;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Connection "upgrade";
        proxy_set_header Proxy-Connection "Keep-Alive";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_buffering off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        proxy_http_version 1.1;
    }

    # Include the basic h5bp config set
    #include h5bp/basic.conf;
}
However, if I enable basic.conf, expires.conf will break guacamole. Because the ~ .css|js|jpg etc. rules are more specific, requests for those files will never be passed to the upstream.
Also, this will not work with try_files $uri @proxy;.
As the .js files are generated and not directly inside the guacamole .war file, I cannot set a static root.
This means, the basic.conf will break any upstream where those files aren't served locally.
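One way to keep the expires.conf regex locations from shadowing a pure proxy, as an added example (not code from the post above or from the h5bp repository; the upstream name, hostname and extension list are taken from the post, the rest is assumed):

```nginx
upstream guac {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    server_name guac.example.invalid;
    include h5bp/directive-only/ssl.conf;
    # ssl_certificate / ssl_certificate_key go here (placeholder, as in the post's "ssl stuff")

    # Pulls in expires.conf, whose "location ~* \.(css|js|...)$" blocks serve
    # matching URIs from the local root and therefore answer 404 when the
    # files only exist on the upstream.
    include h5bp/basic.conf;

    # "^~": once this prefix is the longest match, nginx does not go on to
    # evaluate the top-level regex locations, so /foo.js reaches the upstream.
    location ^~ / {
        proxy_pass http://guac;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Nested location: still proxied, but with the cache lifetime that
        # expires.conf would have applied. proxy_pass is not inherited by a
        # nested location, so it is repeated; the proxy_set_header directives
        # above are inherited.
        location ~* \.(css|js|png|jpe?g|gif|svg|ico|woff2?)$ {
            proxy_pass http://guac;
            expires 1M;
        }
    }
}
```

The same pattern works for the try_files $uri @proxy variant mentioned in the post: put the regex location inside the location that owns the proxy, not at server level.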
Hi all,
How would you feel about adding hotlink protection? Would it have a general enough audience for this repo?
From a quick google search I see:
location ~* \.(gif|png|jpe?g|variousvideofiles)$ {
    # "none" could be added here to allow requests that carry no Referer header at all
    valid_referers blocked example.com *.example.com;
    # an "if" containing nothing but "return" is one of the safe uses of the directive
    if ($invalid_referer) {
        return 403;
    }
}
But this has an if, and I don't know what the proper methodology behind selecting file types would be. If this would be welcome I can work on it.
In https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf, should worker_processes really be set to 2 by default or auto? It seems like it would be better to set it to auto by default? I was just curious as to the rationale of this?
Currently the sample site files and the docs say:
Define host definitions here.
It'd be a good thing if you keep your hosts indexed by domain name, e.g.:
example.com (handles traffic from both www.example.com and example.com)
foobar.com (as above)
test.foobar.com (handles traffic from both www.test.foobar.com and test.foobar.com)
I agree with using the domain name in the filename. However, since these files are Nginx config files they should retain that distinction and have a .conf extension. Not only for semantic purposes, but also to ensure IDEs will correctly parse the file as the intended filetype. I'm using PhpStorm with Nginx support and my config files are highlighted and checked for errors, but opening a .com file will not work.
Since there are essentially countless TLDs in use these days, not enforcing a .conf extension will cause a lot of files to be parsed wrongly by IDEs. Take for example the TLD .py for Paraguay. Do we really want a dev's IDE to think example.py is a Python file?
My proposal is to add the appropriate extension to the sample files and update the documentation. Thoughts?
For each of the locations in expires.conf the line add_header Cache-Control "public"; would seem to be unnecessary and, as best I can tell, inconsistent with the html5-boilerplate .htaccess file. There is an old issue (h5bp/html5-boilerplate#201) about the .htaccess file that discusses this, and the conclusion seems to be that adding that header isn't a good default.
So am I missing something, or should those lines be removed?
Perhaps we should show the default value nginx specifies in addition to why we have changed it in nginx.conf.
We've done this here and this is a good example of what most of the lines should be like: https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf#L81
nginx.conf:63
# Tell Nginx to enable the Nagle buffering algorithm for TCP packets, which
# collates several smaller packets together into one larger packet, thus saving
# bandwidth at the cost of a nearly imperceptible increase to latency. (removes TCP_NODELAY)
tcp_nodelay off;
Up to 500ms [3] is a lot of latency. It's enabled by default for a reason.
Please remove this from your configs, because many people will blindly copy it without realizing the consequences.
[1] http://en.wikipedia.org/wiki/Nagle's_algorithm
In general, since Nagle's algorithm is only a defense against careless applications, it will not benefit a carefully written application that takes proper care of buffering; the algorithm has either no effect, or negative effect on the application.
[2] http://www.stuartcheshire.org/papers/NagleDelayedAck/
[3] http://developers.slashdot.org/comments.pl?sid=174457&threshold=1&commentsort=0&mode=thread&cid=14515105
I think it would be good to also add "text/calendar ics" in mime.types. :)
Hello!
I am using the ssl.example.com template (with my domain of course) and if I visit http://mysite.com in a browser that has not visited https://mysite.com before, I get an nginx error. I also get the same error when using website testing tools like Pingdom or PageSpeed Insights. The exact error is "400 bad request the plain http request was sent to https port". Let me know if you would like to see my exact configuration file.
I assumed that this case would be handled by the redirect towards the top of the config.
http://mysite.com > https://mysite.com
Any thoughts/ideas?
Thanks.
nginx has rate limiting in core: http://wiki.nginx.org/HttpLimitReqModule
Perhaps someone could provide a conf snippet for using it.
To help get started, here's an extract of an nginx conf I wrote that proxies to Drupal (which is relatively slow and heavy), and rate limits all requests to prevent aggressive crawlers from unwittingly DDoS-ing the server.
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
log_format proxy '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$http_host" "$proxy_add_x_forwarded_for" $request_time';
# one 5m zone keyed by client address; sustained rate one request per second
limit_req_zone $binary_remote_addr zone=drupal:5m rate=1r/s;

server {
    listen 80;

    if ($host ~* www\.(.*)) {
        set $host_without_www $1;
        rewrite ^(.*)$ http://$host_without_www$1 permanent; # $1 contains '/foo', not 'www.mydomain.com/foo'
    }

    root /var/shared/sites/project/site;

    # proxy ip's
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_read_timeout 1800;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_static on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    #charset koi8-r;

    # Proxy to Drupal
    error_page 404 = @drupal_unlimited;

    # deny access to .ht files
    # (URIs always start with "/", so the original "^\." anchor could never match)
    location ~ /\.ht {
        deny all;
    }

    # try and serve static content
    location ~* \.(txt|jpg|jpeg|gif|png|bmp|flv|pdf|ps|doc|mp3|wmv|wma|wav|ogg|mpg|mpeg|mpg4|htm|zip|bz2|tar|tgz|rar|xls|docx|avi|djvu|mp4|rtf|ico)(\.gz)?$ {
        expires max;
        try_files $uri @drupal;
        break;
    }

    # try and serve html files or proxy to drupal
    # ("must-validate" is not a Cache-Control directive; "must-revalidate" is)
    location ~* \.(html|xml)$ {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
        try_files $uri @drupal;
        break;
    }

    # Proxy to drupal
    location @drupal {
        # allow short bursts of 10, served immediately; beyond that requests are rejected
        limit_req zone=drupal burst=10 nodelay;
        access_log /var/log/nginx/proxy.access.log proxy;
        proxy_pass http://127.0.0.1:8000;
    }

    # Proxy to drupal, without rate limit
    location @drupal_unlimited {
        access_log /var/log/nginx/proxy.access.log proxy;
        proxy_pass http://127.0.0.1:8000;
    }
}
My new Nginx installation has a conf.d folder instead of conf. Perhaps the conf folder should be changed to conf.d.
I recently merged in your excellent nginx.conf to my Nginx Docker image. I've been using this image for hosting my blog as I describe here.
It occurred to me that this image / idea is better suited to be developed under the h5bp umbrella. Your mission is roughly to democratize good web practices and it seems a tuned high performance h5bp Nginx Docker image would help. There are growing number of Docker hosting platforms launching. Using them plus the Nginx Docker container couldn't be easier. Load your website files into an image and push to your host.
Thoughts?
Proposal and discussion on adding the Public-Key-Pins header to the ssl.example.com file, but have it commented out.
For example:
add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains';
Reference:
I came across a Hacker News post that linked to a website that lists SSL cipher snippets for all the major web servers. My question is: how does the Nginx snippet featured there compare to the current ssl.conf used by this repository? Any lines worth bringing over to the ssl configuration? I know very little about SSL ciphers, however I thought I would start a conversation on this topic. Thanks to the maintainers of this repository, I really appreciate the work!
Missing semicolon at the end of includes, for example include h5bp/direcive-only/ssl.conf.
Using compression with SSL opens you up to vulnerabilities like BREACH, CRIME, or other chosen plain-text attacks.
Hey team,
I currently have apache2 running as a proxy for a Java Jetty app. I want to switch from Apache to nginx and have run into some issues. When creating a new sites-available/enabled file and adding the proxy_pass server block I get 404 errors. When I add the same block to nginx.conf inside the http {} block, the proxy works. Is there any advice or suggestions on getting this to work without modifying nginx.conf, using the best-practice sites-enabled/available layout?
Here is the code I am using successfully in nginx.conf and unsuccessfully in sites-enabled:
server {
    listen 80;
    server_name _;

    location / {
        proxy_pass http://localhost:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Thanks!
Getting this error with the current nginx config setup:
could not build the types_hash, you should increase either types_hash_max_size: 1024 or types_hash_bucket_size: 32
Adding one of those types to nginx.conf seems to fix it for me. Running this on an Ubuntu 13.10 server.
For some bizarre reason, this specific file is causing a redirect for any request to a non-existing file on my host.
mysite.com/assets/frontend/default/stylesheets/0fb7b19_pr_1.css?v=1.0.0
will be redirected to
mysite.com/assets/frontend/default/stylesheets/app.php
The weird thing is that this happens only for certain extensions (css, js, xml, ... are among those).
Commenting that file out fixes the issue.
server {
    #listen 80; ## listen for ipv4; this line is default and implied
    #listen [::]:80 default ipv6only=on; ## listen for ipv6

    root /var/www/vhosts/mysite.com/w/w/w/www/web;
    #index app.php index.html index.htm;

    # Make site accessible from http://www.mysite.com
    server_name www.mysite.com;

    access_log /var/www/vhosts/mysite.com/w/w/w/www/logs/access_mysite.log;
    error_log /var/www/vhosts/mysite.com/w/w/w/www/logs/error_mysite.log;

    # Specify a character set
    charset utf-8;

    # h5bp nginx configs
    include conf/h5bp.conf;

    # strip app.php/ prefix if it is present
    #rewrite ^/app\.php/?(.*)$ /$1 permanent;

    location / {
        index app.php;
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        try_files $uri @rewriteapp;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

    # Don't log robots.txt or favicon.ico files
    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { access_log off; log_not_found off; }

    #404 errors handled by our application, for instance Symfony
    error_page 404 app.php;

    location @rewriteapp {
        rewrite ^ /app.php last;
    }

    location ~ ^/(app|app_dev|config|backend/app|backend/app_dev)\.php(/|$) {
        fastcgi_send_timeout 1m;
        fastcgi_read_timeout 1m;
        fastcgi_connect_timeout 1m;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # With php5-cgi alone:
        # fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /web$fastcgi_script_name;
    }

    # Deny access to .htaccess
    location ~ /\.ht {
        deny all;
    }
}
I am referring to this line:
https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/directive-only/spdy.conf#L5
Recently ran into a problem with Chrome m43 (the current stable version), where it attempts to send HTTP2_SESSION_PING to our site (hosted on an Azure VM) but fails, causing Chrome to stall for 10 seconds before firing the actual request.
https://code.google.com/p/chromium/issues/detail?id=505712
Since Chrome does work with SPDY without the server announcing it, is there any benefit in doing so?
The value “auto” will auto detect the optimal number of worker processes.
The "auto" parameter is supported starting from versions 1.3.8 and 1.2.5.
http://nginx.org/en/docs/ngx_core_module.html#worker_processes
There is a conf.d directory. Better to externalize the h5bp-related configuration into a single conf file and put it into conf.d.
I'm using nginx as a web server that hooks up to php-fpm.
I had to copy over the fastcgi_params file from the default nginx conf directory.
Should this be a required step for folks looking to hook nginx to PHP? Can we provide a sensible default set of fastcgi_params, or is that out of the scope of this project's intent?
Google officially announced that they've decided to retire Chrome Frame: http://blog.chromium.org/2013/06/retiring-chrome-frame.html.
@AD7six maybe keep the Chrome Frame HTTP header hint until after version 1.0.0 ?
First. Thank you to all the contributors. My config is better (and existent!) because of you.
Question. Would the no-default config be better if it also protected against header attacks for port 443 as well? I remember seeing a way to listen to both 80 and 443 in one statement, but can't remember the syntax.
On this page:
https://github.com/h5bp/server-configs-nginx/blob/master/doc/usage.md
there is a link at the bottom to the nginx.conf documentation:
https://github.com/h5bp/server-configs-nginx/blob/master/doc/nginx-conf.md
but that link is broken: the document doesn't exist.
Hi all,
Just installed this on a Debian 8 box, hoping to use it with OctoberCMS on an upcoming website. When starting nginx I get "Job for nginx.service failed. See 'systemctl status nginx.service' and 'journalctl -xn' for details."
Here are the results:
$ systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
Active: failed (Result: exit-code) since Fri 2015-05-15 23:16:15 EDT; 2min 18s ago
Process: 16115 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
Process: 15542 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
Process: 16168 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Main PID: 4135 (code=exited, status=0/SUCCESS)
Not sure where to go from here; will post an update if I find a solution.
It would be nice if you could add phpldapconfig
Thanks
Mozilla created a nice SSL config generator, would be worth adding to the docs.
What is the reason for access_log logs/static.log; in location/expires.conf:14? I don't see why those files should be logged to a static log, especially since these are usually not static files.
According to https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf#L136-L139, "This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication)."
Can anyone clarify what exactly that means?
If I have Site A with SSL and Site B without SSL, I would usually add the SSL directives to the site-specific configuration. So Site A would have those certificate directives, while Site B won't.
Based on the hierarchical nature of NGINX, if I set the default certificates to site A's certificates, won't that mean when somebody accesses site B they may get site A's certificates? Is that a good thing? In what situation would anybody want to have a default certificate unless it was a multi domain wildcard certificate?
Also the keepalive_timeout should be optimised to 70 for ssl certificates right?
Need to add the following types in nginx.conf:
application/javascript
application/x-javascript
text/javascript
Hello,
How do you feel about adding some description of timeouts and how to use them in different cases? I.e.:
# conf/timeouts.conf
# Use timeouts to optimize your server's communications with clients.
# Longer time frames are better for slow clients or if a lot of data is being sent (i.e. DDoS)
# Shorter time frames free up the server from waiting on slow clients (and thus serve fast ones better)
# 2 (seconds) is short, 60 is default, 3m is long

# After a client opens a connection, wait this much time for their request header (e.g.: GET / HTTP/1.1)
# before shutting down the connection by returning an HTTP 408 ("Request timed out")
client_header_timeout 20;

# Wait this long after the first client body "readstep" (not too sure what they mean by this technically)
# before returning a 408
client_body_timeout 20;

# Wait this long between "client-read operations" (again not entirely sure) before returning a 408
send_timeout 20;
There's likely some nuance to setting these that I'm missing / not picking up on. I'm pretty new to this.
-Zach
listen 80 deferred;
What are the advantages of having it, and what are the disadvantages?
Please enlighten me :)
Has this new mime.types been tested?
https://github.com/h5bp/server-configs-nginx/blob/master/mime.types
Hello,
I think it would be nice to have some examples of how to configure some programming languages like PHP, Python and others with nginx.
For example, for PHP5 with FPM:
"Modify your php5-fpm configuration file so that it listens on a socket:
listen = /var/run/php5-fpm.sock
Restart your php5-fpm service.
Create a file (for example: conf/php5-fpm.conf) like the following:
upstream php5-fpm {
    server unix:/var/run/php5-fpm.sock;
}
...(to continue)"
It would be nice to have 3 steps :
We could have 2 solutions :
Please just tell me what you think about this?
I would just like to say that there are many posts on the subject on the web (but most of them are obsolete or inexact). It could be a very good section to share the best up-to-date practices for running nginx with the different programming languages.
PS: I'm sorry for my poor English, but I'm just French ^^ & I can do it for PHP if you want and if it's accepted.
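An added example of the kind of PHP-FPM section the post proposes (not the poster's continuation and not code from the repository; the socket path and upstream name come from the post, the document root and hostname are assumed):

```nginx
# conf/php5-fpm.conf: PHP-FPM reachable over the socket the post configured
upstream php5-fpm {
    server unix:/var/run/php5-fpm.sock;
}

server {
    listen 80;
    server_name example.com;                 # assumed
    root /var/www/example.com/public;        # assumed
    index index.php index.html;

    location / {
        # serve the file or directory if it exists, otherwise hand the URI to the front controller
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        # Only run scripts that actually exist on disk. Without this, and with
        # cgi.fix_pathinfo=1 in php.ini, a URI such as /uploads/photo.jpg/x.php
        # can make PHP-FPM execute the uploaded file as PHP. Keep
        # cgi.fix_pathinfo = 0 in php.ini as well, as the Symfony config above notes.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php5-fpm;
    }

    # never serve dotfiles (.htaccess, .git, .env, ...)
    location ~ /\. {
        deny all;
    }
}
```

With try_files $uri =404 in place, path-info style URIs (/index.php/extra) are rejected; applications that need them should use the explicit front-controller regex shown in the Symfony config above instead.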
It reads direcive-only instead of directive-only.
See: https://github.com/h5bp/server-configs-nginx/search?q=direcive-only&ref=cmdform
Now that nginx 1.9.5 supports http/2 and dumps spdy it would be excellent if there were a default set of http/2 recommended settings.
Hi everyone,
To my dismay, I realized this week that adding the Cache-Control: No-Transform header in the way specified by the included no-transform.conf:
# Prevent mobile network providers from modifying your site
add_header "Cache-Control" "no-transform";
can cause your other cache-control values (or their defaults) to malfunction. The nginx docs state:
Note that for headers other than Last-Modified, it just appends a new header entry to the output header list. So you can't use this directive to rewrite existing headers like Server. Use the headers_more module for it.
This means that the above cache control code actually just adds another Cache-Control line in addition to the default one, which for me was Cache-Control: no-store, no-cache, must-revalidate, etc. Some browsers (Chrome) handled this fine, reading all the values. Others (Safari, Firefox) only read the last line, so ended up seeing no-transform and none of the no-cache directives.
Unfortunately, this seems to mean that if we want full unambiguous control of the cache headers, we must both compile nginx with this custom module AND set our headers in only one place for each location. Has anyone else dealt with this and come up with a better solution?
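The duplicate-header behaviour described above beside the single-directive form, as an added example (not code from the post or from the repository; the server name, certificate placeholders and location names are assumed). It covers the case where nginx itself sets both headers; a Cache-Control sent by an upstream application is still appended to, exactly as the post says:

```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # ssl_certificate / ssl_certificate_key omitted (placeholder)

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Weak: add_header never rewrites an existing header, so this location
    # emits two Cache-Control lines. A client that keeps only the last one
    # sees "no-transform" and loses no-store / no-cache.
    # Second problem: because this location has add_header directives of its
    # own, it does NOT inherit the server-level HSTS header above; that header
    # silently disappears from these responses.
    location /weak/ {
        add_header Cache-Control "no-store, no-cache, must-revalidate";
        add_header Cache-Control "no-transform";
    }

    # Corrected: one Cache-Control line carrying every directive, set in one
    # place, and the HSTS header repeated so it still reaches the client.
    location /fixed/ {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Cache-Control "no-store, no-cache, must-revalidate, no-transform";
    }
}
```

Checking with curl -sI https://example.com/weak/ against /fixed/ shows the two Cache-Control lines versus one, and the missing versus present Strict-Transport-Security header.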
Any plans of making tags so people can lock down the version when automating server setup?
Using the example site config from the latest master version of this repository with nginx 1.4.6 (also tried 1.7) on Ubuntu, it does not appear that SVGZ files get served correctly. Firefox gives me an XML Parsing Error: not well-formed (Chrome and Safari give similar errors). It appears that the Content-Encoding gzip header doesn't get added. Adding something like
location ~ \.svgz$ { add_header Content-Encoding gzip; }
seems to make it work. Is there a better way to configure this that could be added to the default config, or should a note be made in the docs?
Hi all,
How about adding some description of client buffer sizes and how to use them in different cases?
# conf/client-buffers.conf
# Use buffers to optimize your server's communications with clients.
# Larger buffers are better when clients usually send a lot of data (i.e. DDoS, large cookies)
# Smaller buffers allow the server to take less memory per client (and thus serve more clients)
# 2 (seconds) is short, 60 is default, 3m is long

# Primary header buffer, nginx will use the large buffer below if this is filled
# 1k is sufficient "For the overwhelming majority of requests", and is default,
# but you could set this up to 3m for a DDoS screen
# client_header_buffer_size 1k;

# The fallback header buffer, first arg is number, second is size
# Nginx returns error 414 "Request URI too large" if the header doesn't fit in these buffers
# Nginx returns error 400 "Bad request" if the longest header line can't fit in one buffer
# Small is 2 1k, default 4 8k, large 4 256k
large_client_header_buffers 2 1k;

# If the client sends a larger body than the below buffer, the remainder is written to disk
# If a client sends a Content-Length header specifying a smaller size, that will be used
# Note that the client body will not be larger than client_max_body_size
# Small 1k, default 2x page size (so 16k or 32k), large 128k
client_body_buffer_size 128k;
I compiled the example large/small sizes from a few different configurations I saw floating around google. Again, I don't have a great understanding of these things but this is my first stab, hopefully it adds something.
http://nginx.org/en/docs/http/request_processing.html
"... nginx tests only the request’s header field “Host” to determine which server the request should be routed to. If its value does not match any server name, or the request does not contain this header field at all, then nginx will route the request to the default server for this port."
So anyone can point their domain at a specific target, and this is not good. I think by default there should be one default server for resolving unknown server_name:
server {
    # without "default_server" nginx would fall back to the first server block for the port, in file order
    listen 80 default_server;
    return 444;
}
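The same catch-all extended to port 443, answering both the post above and the earlier question about protecting 443 in one go, as an added example (not code from either post or from the repository; nginx needs one listen directive per port, there is no single combined statement; the certificate paths are placeholders):

```nginx
# Catch-all for requests whose Host header (or TLS SNI name) matches no
# server_name. "default_server" is what makes this block the fallback for
# each port; otherwise nginx silently uses the first server block it parsed.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # The TLS handshake completes before nginx can read the request, so a
    # certificate is required even here. A self-signed one under these
    # placeholder paths is enough: no real site should ever land on this block.
    ssl_certificate     /etc/nginx/certs/catch-all-selfsigned.crt;
    ssl_certificate_key /etc/nginx/certs/catch-all-selfsigned.key;

    # 444 closes the connection without sending any response bytes.
    return 444;
}
```

Verify with nginx -T (the dumped config should list exactly one default_server per port) and curl -sv -H 'Host: unknown.invalid' http://127.0.0.1/, which should end with an empty reply.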
After installing nginx version 1.10.0, I moved my default nginx directory and replaced it with the one from the h5bp/server-configs-nginx GitHub repository. After doing this I cannot serve ANY host files at all, because no matter how simple the host file, the ports are all closed. The host files should instruct nginx to listen on port 80, for example, but I get nothing. I have tried many fresh installs and I do not have any firewalls up at all. I've tried installing a firewall and directing it to open ports 80 and 443 explicitly, but even that doesn't work. No matter what, when I use the h5bp/server-configs-nginx repository's nginx directory, I cannot serve any host files. However, if I move that nginx directory and replace it with my original nginx directory, I can serve host files and ports 80 and 443 are open once again. What am I doing wrong? Any help would be greatly appreciated!
I am on a 4-core VPS with 2 GB of RAM running Ubuntu 14.04.
Please provide a better (more secure) set of cipher suites.