Nginx

This page describes installation and configuration of Nginx.

Installation

Debian Squeeze is shipped with Nginx version 0.7.67. If a newer version is required use backports or add repository from nginx.org.

$ apt-get install nginx

Configuration

Hide server version

To hide nginx version in server's response header add to http section in /etc/nginx/nginx.conf:

server_tokens off;

Site configuration for serving static resources

Create a file /etc/nginx/sites-available/www-example-com and link it to /etc/nginx/sites-enabled:

server {
  server_name  www.example.com;
  server_name_in_redirect off;
  access_log   /var/log/nginx/www-example-com.access.log;
  root         /srv/www/www-example-com;
  index        index.html;
  error_page   404 /404.html;
  try_files    $uri $uri.html $uri/index.html =404;
  location /file/page/ {
    rewrite ^/file/page/(.*) /media/$1 permanent; 
  }
}
server {
  server_name  example.com;
  rewrite ^ http://www.example.com$uri redirect;
}

Create docroot and dummy pages:

$ mkdir -p /srv/www/www-example-com
$ echo "It works." > /srv/www/www-example-com/index.html
$ echo "404 Not Found" > /srv/www/www-example-com/404.html

Catch-all site configuration

Catch-all for other domains and subdomains that point to the server's IP just get a "Nothing here" message.

server {
  listen       80 default;
  server_name  _;
  server_name_in_redirect off;
  root         /srv/www/catchall;
  index        index.html;
  error_page   404 /index.html;
}

Reverse proxy

To forward requests to another server do:

server {
  listen 80;
  server_name  www.example.com;
  access_log   /var/log/nginx/www-example-com.access.log;
  location / {
    proxy_pass        http://myapp:8080;
    proxy_set_header  X-Real-IP       $remote_addr;
    proxy_set_header  Host            $host;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

If the other server is also a Nginx it is possible to add the following configuration to get the real IP in the access logs.

server {
  ..
  set_real_ip_from 10.10.10.254;
  real_ip_header X-Real-IP;
  ..
}

Reverse proxy for Apache

To use the real remote IP in Apache the rpaf module is required:

$ apt-get install libapache2-mod-rpaf
$ a2enmod rpaf

Eventually the IP addresses of the reverse proxy must be configured in /etc/apache2/mods-enabled/rpaf.conf:

RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 12.34.56.78

SSL

server {
  listen                  443;
  server_name             ssl.example.com;
  server_name_in_redirect off;
  ssl                     on;
  ssl_certificate         /etc/ssl/certs/ssl-example-com.pem;
  ssl_certificate_key     /etc/ssl/private/ssl-example-com.pem;
  access_log              /var/log/nginx/ssl-example-com.access.log;
  error_log               /var/log/nginx/ssl-example-com.error.log;
  root                    /srv/www/ssl-example-com;
  index                   index.html;
  error_page              404 /index.html;
}

To redirect non-ssl request:

server {
  listen       80;
  server_name  ssl.example.com;
  rewrite      ^ https://$server_name$request_uri?;
}

Sources: