Name: Nginx (named after "engine X").
Utility:
- reverse proxy (distributes incoming requests to application servers)
- build computer clusters, each consisting of different nodes (load balancing)
- cache static resources
- some mail services: IMAP/POP3/SMTP

Common Gateway Includes:
- MS IIS: for ASP.NET
- WebLogic, JBoss: traditional, non-web companies
- Tomcat, Jetty: J2EE
- Apache, Nginx: static cache, reverse proxy
- Netty: for chat applications
Flow: request -> web server -> application server -> web application

Examples:
- Request: whatever is sent in to the server
- Web server (cache, proxy): Apache, Nginx
- Application server (link between web server and web application): Gunicorn, uWSGI
- Web application (actual logic and database): Flask, Django

This video explains the common web architecture really well.
`sudo apt install nginx` should install and activate nginx for you.
Configuration files (under `/etc/nginx/`):

Path | Purpose | Ref. |
---|---|---|
./conf.d/*.conf | Extra configuration files. | #conf.d, #appincludes |
./fastcgi.conf | Commonly configured directives (nginx packaging team) | #params |
./fastcgi_params | Commonly configured directives (upstream version) | #params |
./koi-utf | Nginx character set | #charset |
./koi-win | Nginx character set | #charset |
./mime.types | Maps file name extensions to MIME types of responses | #mimetypes |
./nginx.conf | The primary configuration file. | #nginx.conf |
./proxy_params | Commonly configured directives | #params |
./scgi_params | Commonly configured directives | #params |
./sites-available/* | Extra virtual host configuration files | - |
./sites-enabled/* | Symlinks to sites-available/ | - |
./snippets/*.conf | Configuration snippets that can be included in configs | - |
./apps.d/*.conf | Files included by /etc/nginx/sites-available/default | #appincludes |
./uwsgi_params | Commonly configured directives | #params |
./win-utf | Nginx character set | #charset |
There are a few files you need to pay attention to:
- `/var/www/html/index.nginx-debian.html`: nginx generates this testing page when installed
- `/etc/nginx/nginx.conf`: main config file of the nginx program, don't touch it. You should see `include /etc/nginx/conf.d/*.conf;` and `include /etc/nginx/sites-enabled/*;` in it.
- `/etc/nginx/conf.d/default.conf` or `/etc/nginx/sites-enabled/default`: default site generated for testing (points to `/var/www/html/index.nginx-debian.html`)
- `/etc/nginx/sites-available/`: directory of all possible site configurations
- `/etc/nginx/sites-enabled/`: directory of enabled site configurations
Nginx Commands

Output of `nginx -h`:

```text
nginx version: nginx/1.18.0 (Ubuntu)
Usage: nginx [-?hvVtTq] [-s signal] [-c filename] [-p prefix] [-g directives]

Options:
  -?,-h         : this help
  -v            : show version and exit
  -V            : show version and configure options then exit
  -t            : test configuration and exit
  -T            : test configuration, dump it and exit
  -q            : suppress non-error messages during configuration testing
  -s signal     : send signal to a master process: stop, quit, reopen, reload
  -p prefix     : set prefix path (default: /usr/share/nginx/)
  -c filename   : set configuration file (default: /etc/nginx/nginx.conf)
  -g directives : set global directives out of configuration file
```
Some highlights:
- use `sudo nginx -t` to check your config file
- use `sudo nginx -s reload` to reload the nginx service
You can initialize a site config file by copying the default one: `sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/xxx.conf`. Put your `xxx.conf` inside `/etc/nginx/sites-available/` and link it into `/etc/nginx/sites-enabled/`: `sudo ln -s /etc/nginx/sites-available/kokecacao.conf /etc/nginx/sites-enabled/`.

After you successfully add and reload the configuration for your new site, it is safe to run `sudo certbot --nginx`.

Here is an example of my config file:
`/etc/nginx/sites-available/kokecacao.conf`:

```nginx
# handle Upgrade requests, typically present as part of
# the wss and ws (websocket) protocol implementation.
# this sets the variable `$connection_upgrade` that we use later
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    # we are listening for these two site names
    server_name kokecacao.me www.kokecacao.me;

    # write logs
    access_log /var/log/nginx/kokecacao.access.log;
    error_log /var/log/nginx/kokecacao.error.log;

    # speed up stuff
    # ssl_session_timeout 1d;
    # ssl_session_tickets off;
    ssl_session_cache shared:MozSSL:10m;

    # for the socket.io endpoint, we add extra settings to
    # pass the upgrade request to the application
    location /socket.io {
        if ($http_upgrade != "websocket") {
            return 404;
        }
        include proxy_params;
        # `off` cancels the proxy_redirect directives inherited from the
        # previous configuration level, so we don't modify the URL
        proxy_redirect off;
        proxy_cache_bypass $http_upgrade;   # another way to turn off the cache
        proxy_http_version 1.1;             # socket.io protocol upgrade
        proxy_buffering off;                # disable buffering for the socket.io connection
        proxy_set_header Upgrade $http_upgrade;           # socket.io protocol upgrade
        proxy_set_header Connection $connection_upgrade;  # socket.io protocol upgrade
        # We could pass the request to a unix .sock file
        # or instead write `proxy_pass http://127.0.0.1:12222;` to use a port
        proxy_pass http://unix:/home/ubuntu/ops/kokecacao.me/kokecacao.sock;
    }

    # if not `/socket.io`, then we pass the request to the application unchanged
    location / {
        # points to `/etc/nginx/proxy_params`
        include proxy_params;
        proxy_pass http://unix:/home/ubuntu/ops/kokecacao.me/kokecacao.sock;
    }

    # ssl certificate managed by letsencrypt.
    # These should be generated automatically.
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/kokecacao.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/kokecacao.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Handle http redirection to https for security
server {
    if ($host = www.kokecacao.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = kokecacao.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name kokecacao.me www.kokecacao.me;
    return 404; # managed by Certbot
}
```
Note that `include proxy_params` adds whatever is in the file `/etc/nginx/proxy_params` to the current configuration. The default `proxy_params` is the following:

```nginx
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
```

> `$http_host` always equals the `HTTP_HOST` request header. `$host` equals `$http_host`, lowercase and without the port number (if present), except when `HTTP_HOST` is absent or is an empty value. In that case, `$host` equals the value of the `server_name` directive of the server which processed the request. (from Stackoverflow)
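As an added example (not code from the page, nginx, or the author's site), the following Python model follows the variable semantics described above to show what the four `proxy_params` headers look like when they reach the Flask/Gunicorn application behind the socket, and how that application should pick the client address out of them. The function names, the `trusted_hops` parameter and all sample addresses are my own assumptions.

```python
"""Model of what `include proxy_params` hands to the upstream application.

Added example, not nginx's code: the functions follow the variable semantics
described above ($host, $http_host, $proxy_add_x_forwarded_for) and show how
the application behind the socket should read the client address from them.
All sample addresses are constructed."""
from typing import Dict, List, Optional


def nginx_host(http_host: Optional[str], server_name: str) -> str:
    """$host: $http_host lowercased and without the port; falls back to the
    server_name of the matching server block when Host is absent or empty."""
    if not http_host or not http_host.strip():
        return server_name
    host = http_host.strip().lower()
    if host.startswith("["):  # IPv6 literal: keep the brackets, drop the :port part
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.split(":", 1)[0]


def proxy_add_x_forwarded_for(client_xff: Optional[str], remote_addr: str) -> str:
    """$proxy_add_x_forwarded_for: the client's own X-Forwarded-For with
    $remote_addr appended after ", "; just $remote_addr when the client sent none."""
    return f"{client_xff}, {remote_addr}" if client_xff else remote_addr


def proxy_params_headers(client_headers: Dict[str, str], remote_addr: str,
                         scheme: str) -> Dict[str, str]:
    """Headers produced by the four proxy_set_header lines in /etc/nginx/proxy_params.
    nginx drops a header whose value is empty, so Host is omitted when $http_host is."""
    headers = {
        "X-Real-IP": remote_addr,
        "X-Forwarded-For": proxy_add_x_forwarded_for(
            client_headers.get("X-Forwarded-For"), remote_addr),
        "X-Forwarded-Proto": scheme,  # "https" for requests on the 443 server block
    }
    if client_headers.get("Host"):
        headers["Host"] = client_headers["Host"]
    return headers


def client_ip(upstream_headers: Dict[str, str], trusted_hops: int = 1) -> str:
    """Client address as the application (Flask/Gunicorn) should derive it.

    nginx appends $remote_addr as the LAST element of X-Forwarded-For; every
    element before it arrived from the client and may be forged. Count back
    only through proxies you control: 1 when nginx is the edge, 2 when a CDN
    such as Cloudflare sits in front of it (then the last element is the CDN's
    address and the one before it is the address the CDN saw; verify the last
    element really is a CDN address before trusting the second last)."""
    chain: List[str] = [p.strip() for p in upstream_headers["X-Forwarded-For"].split(",")
                        if p.strip()]
    if trusted_hops < 1 or trusted_hops > len(chain):
        raise ValueError("trusted_hops must be between 1 and the chain length")
    return chain[-trusted_hops]


if __name__ == "__main__":
    # constructed request: the client tries to pose as 10.0.0.1 via its own header
    forged = {"Host": "kokecacao.me", "X-Forwarded-For": "10.0.0.1"}
    upstream = proxy_params_headers(forged, remote_addr="203.0.113.7", scheme="https")
    print(upstream["X-Forwarded-For"])  # 10.0.0.1, 203.0.113.7
    print(client_ip(upstream))          # 203.0.113.7, the forged 10.0.0.1 is ignored
```

The point to take from the model: with this `proxy_params` the upstream can trust `X-Real-IP` and the last `X-Forwarded-For` element, because both are set from `$remote_addr` by nginx; the leading elements are whatever the client chose to send, so logging or rate limiting on `chain[0]` is a mistake.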
It is a good practice to generate the SSL certificate automatically. To do so, we first write a simpler config:

```nginx
server {
    listen 80;
    server_name kokecacao.me www.kokecacao.me;

    access_log /var/log/nginx/kokecacao.access.log;
    error_log /var/log/nginx/kokecacao.error.log;

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/ubuntu/ops/kokecacao.me/kokecacao.sock;
    }
}
```
And then install and activate certbot:

```bash
echo "Removing certbot if exists. It will automatically stop service...\n" && \
sudo snap install core && sudo snap refresh core && \
sudo apt-get remove certbot ; \
echo "Removing letsencrypt directory...\n" && \
sudo rm -rf /etc/letsencrypt/ ; \
sudo rm -rf /var/lib/letsencrypt/ ; \
sudo rm -rf /var/log/letsencrypt/

echo "Installing certbot...\n" && \
sudo snap install --classic certbot && \
sudo ln -s /snap/bin/certbot /usr/bin/certbot && \
echo "Registering SSL. Please enter some info below:\n" && \
sudo certbot --nginx && \
echo "Installation Complete. Replacing nginx config\n"
```
When you run `sudo systemctl list-timers`, you should see a `snap.certbot.renew.timer` unit that runs `snap.certbot.renew.service`. This periodically renews the certificate.

After that, configure your Cloudflare settings and test your site with SSL Labs to see which devices are compatible and how strong the encryption is. Adjust your TLS configuration according to its suggestions.
To see all current certificates: `sudo certbot certificates`. You should see the following structure:

```text
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: deepvocab.kokecacao.me
    Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key Type: RSA
    Domains: deepvocab.kokecacao.me
    Expiry Date: 2022-11-15 19:06:56+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/deepvocab.kokecacao.me/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/deepvocab.kokecacao.me/privkey.pem
  Certificate Name: kokecacao.me
    Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key Type: RSA
    Domains: kokecacao.me www.kokecacao.me
    Expiry Date: 2022-10-26 03:34:51+00:00 (VALID: 58 days)
    Certificate Path: /etc/letsencrypt/live/kokecacao.me/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kokecacao.me/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
A certificate can contain multiple domains. In the output above, the certificate `deepvocab.kokecacao.me` contains only one domain (`deepvocab.kokecacao.me`), while the certificate `kokecacao.me` contains two domains (`kokecacao.me` and `www.kokecacao.me`).

To modify (both add and remove) the domains one certificate contains, use the command: `certbot certonly --cert-name example.com -d example.org,www.example.org`
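The `certbot certificates` listing above is what you would check by hand; as an added example (not certbot's code and not part of the original page), here is a small parser for that listing with two checks a practitioner wants run on a schedule: which certificates are close to expiry (the renew timer should never let a 90-day Let's Encrypt certificate get inside 30 days) and which `server_name` entries no certificate covers. The sample listing is constructed from the output above with placeholder serial numbers; `REFERENCE_NOW` and the extra name `blog.kokecacao.me` are assumptions used only to exercise the checks.

```python
"""Parse the `certbot certificates` listing and check expiry and domain coverage.

Added example, not certbot's own code. SAMPLE_LISTING is constructed from the
output shown on the page (serial numbers are placeholders); REFERENCE_NOW and
the name blog.kokecacao.me are assumptions used only to exercise the checks."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SAMPLE_LISTING = """\
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: deepvocab.kokecacao.me
    Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key Type: RSA
    Domains: deepvocab.kokecacao.me
    Expiry Date: 2022-11-15 19:06:56+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/deepvocab.kokecacao.me/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/deepvocab.kokecacao.me/privkey.pem
  Certificate Name: kokecacao.me
    Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key Type: RSA
    Domains: kokecacao.me www.kokecacao.me
    Expiry Date: 2022-10-26 03:34:51+00:00 (VALID: 58 days)
    Certificate Path: /etc/letsencrypt/live/kokecacao.me/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kokecacao.me/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"""

# assumed "today" for the sample: 58 days before the kokecacao.me expiry, as the listing says
REFERENCE_NOW = datetime(2022, 8, 29, tzinfo=timezone.utc)

FIELDS = {"Certificate Name", "Serial Number", "Key Type", "Domains",
          "Expiry Date", "Certificate Path", "Private Key Path"}
_FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")


@dataclass
class CertInfo:
    name: str
    serial: str
    key_type: str
    domains: List[str]
    expiry: datetime
    cert_path: str
    key_path: str


def parse_certbot_certificates(text: str) -> Dict[str, CertInfo]:
    """One CertInfo per 'Certificate Name:' block, keyed by certificate name."""
    blocks: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m or m.group(1) not in FIELDS:
            continue  # separator lines and "Found the following certs:" carry no field
        key, value = m.group(1), m.group(2)
        if key == "Certificate Name":
            blocks.append({})
        if blocks:
            blocks[-1][key] = value
    certs: Dict[str, CertInfo] = {}
    for b in blocks:
        expiry_text = b["Expiry Date"].split(" (")[0]  # drop the "(VALID: 78 days)" suffix
        info = CertInfo(
            name=b["Certificate Name"],
            serial=b["Serial Number"],
            key_type=b["Key Type"],
            domains=b["Domains"].split(),
            expiry=datetime.strptime(expiry_text, "%Y-%m-%d %H:%M:%S%z"),
            cert_path=b["Certificate Path"],
            key_path=b["Private Key Path"],
        )
        certs[info.name] = info
    return certs


def expiring_within(certs: Dict[str, CertInfo], now: datetime, days: int = 30) -> List[str]:
    """Names of certificates expiring within `days` of `now`. Let's Encrypt
    certificates last 90 days and certbot renews at 30 days left, so a hit
    here means snap.certbot.renew.timer is not doing its job."""
    cutoff = now + timedelta(days=days)
    return sorted(name for name, c in certs.items() if c.expiry <= cutoff)


def uncovered_domains(certs: Dict[str, CertInfo], server_names: List[str]) -> List[str]:
    """server_name entries that no certificate lists; serving them on 443
    produces a name-mismatch error in the browser."""
    covered = {d for c in certs.values() for d in c.domains}
    return [n for n in server_names if n not in covered]


if __name__ == "__main__":
    certs = parse_certbot_certificates(SAMPLE_LISTING)
    print(expiring_within(certs, REFERENCE_NOW, days=60))  # ['kokecacao.me']
    print(uncovered_domains(certs, ["kokecacao.me", "www.kokecacao.me", "blog.kokecacao.me"]))
```

In practice you would feed `subprocess.run(["certbot", "certificates"], capture_output=True, text=True).stdout` into `parse_certbot_certificates` and pass `datetime.now(timezone.utc)` instead of `REFERENCE_NOW`; the listing format is stable enough across certbot versions for the field-name matching used here.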