From b3910dce619acd73fd6aa99cc792eb5f37ef1f34 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Tue, 21 Feb 2012 10:25:01 -0500 Subject: [PATCH] Add Nginx post. --- posts/Nginx.mdwn | 205 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 205 insertions(+) create mode 100644 posts/Nginx.mdwn diff --git a/posts/Nginx.mdwn b/posts/Nginx.mdwn new file mode 100644 index 0000000..ebe37b0 --- /dev/null +++ b/posts/Nginx.mdwn @@ -0,0 +1,205 @@ +I transitioned from [Apache][] to [Nginx][] a week or so ago, since +words like “minimal” and “streamlined” are appealing to me ;). I was +quite happy with Apache, but it's always nice to try something new. +Anyhow here's a quick review my configuration. + +On [[Gentoo]], set the the [modules][] you want to install by adding +the following lines to your `/etc/make.conf`: + + NGINX_MODULES_HTTP="access auth_basic autoindex charset fastcgi gzip gzip_static limit_req map proxy rewrite scgi ssi stub_status" + NGINX_MODULES_MAIL="" + +Then install Nginx with: + + # emerge -av nginx + +Make any adjustments you like to `/etc/nginx/mime.types`. I added: + + types { + … + application/x-python py; + application/x-shell sh; + … + } + +Now it's time to setup `/etc/nginx/nginx.conf`. Poking about online +will give you lots of examples. Here are things that were useful to +me, in the order they appear in the `http` block of my `nginx.conf`. + +Gitweb (and general CGI approach) +================================= + +[[gitweb]] server: + + server { + listen 80; + server_name git.example.com; + + access_log /var/log/nginx/git.example.com.access_log main; + error_log /var/log/nginx/git.example.com.error_log info; + + root /usr/share/gitweb/; + + index gitweb.cgi; + + location /gitweb.cgi { + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.sock-1; + } + } + +Because Nginx lacks built-in [[CGI]] support, we need some tricks to +get `gitweb.cgi` working. We use the [fcgi module][fcgi] to pass the +requests on to a FastCGI server which wraps `gitweb.cgi`. On +[[Gentoo]], I installed the following packages: + +* `www-misc/fcgiwrap`, a [[FastCGI]] server for wrapping [[CGI]] scripts +* `www-servers/spawn-fcgi`, a [[FastCGI]] manager for spawning `fcgiwrap`. + +Configure `spawn-fcgi` to launch `fcgiwrap` with: + + # cp /etc/conf.d/spawn-fcgi /etc/conf.d/spawn-fcgi.fcgiwrap + # emacs /etc/conf.d/spawn-fcgi.fcgiwrap + # cat /etc/conf.d/spawn-fcgi.fcgiwrap + FCGI_SOCKET=/var/run/fcgiwrap.sock + FCGI_ADDRESS= + FCGI_PORT= + FCGI_PROGRAM=/usr/sbin/fcgiwrap + FCGI_USER=nginx + FCGI_GROUP=nginx + FCGI_EXTRA_OPTIONS="-M 0700" + ALLOWED_ENV="PATH" + FCGI_CHILDREN=1 + FCGI_CHROOT= + # cd /etc/init.d/ + # ln -s spawn-fcgi spawn-fcgi.fcgiwrap + +Start `fcgiwrap` with: + + # /etc/init.d/spawn-fcgi.fcgiwrap start + +Add it to the default runlevel with: + + # sudo rc-update add spawn-fcgi.fcgiwrap default + +Wildcard virtual hosts +====================== + +To add support for virual hosts stored under `/var/www/$host`, use: + + server { + listen 80; + #listen 443 ssl; + + server_name star.example.com *.example.com; + + access_log /var/log/nginx/star.example.com.access_log main; + error_log /var/log/nginx/star.example.com.error_log info; + + #ssl_certificate /etc/ssl/nginx/$host.pem; + #ssl_certificate_key /etc/ssl/nginx/$host.key; + + root /var/www/$host/htdocs; + + # deny access to .htaccess files + location ~ /\.ht { + deny all; + } + } + +Then adding a new host is as simple as creating a new entry in +`/var/www/` and updating your [[DNS]] to get the new name pointed at +your server. Unfortunately, [[SSL/TLS|GnuTLS]] doesn't work with this +approach. It appears that certificates and keys are loaded when Nginx +starts up, but `$host` is only defined after a request is received. +Nginx does support [[SNI]] though, so it will work if you write SSL +entries by hand for hosts that need them. + +Main host +========= + +The configuration for my main host is more complicated, so I'll +intersperse some more comments. I setup both clear-text and SSL in +the same definition using the [SSL module][SSL]. The `_` server name +is a special name that matches any requests which haven't already +matched and been handled by an earlier `server`. + + server { + # catchall virtual host (optional SSL, example.com) + listen 80 default_server; + listen 443 default_server ssl; + server_name _; + + ssl_certificate /etc/ssl/nginx/example.com.pem; + ssl_certificate_key /etc/ssl/nginx/example.com-key.pem; + +Nothing special with the logging or root. + + access_log /var/log/nginx/example.com.access_log main; + error_log /var/log/nginx/example.com.error_log info; + + root /var/www/example.com/htdocs; + +Turn on [[SSI]], and also use `index.shtml` as index pages. + + index index.html index.shtml; + ssi on; + +Use the [proxy module][proxy] to pass requests for `/cookbook/` and +subdirectories on to their [[underlying Django app|cookbook]]. + + location /cookbook/ { + proxy_pass http://localhost:33333/cookbook/; + proxy_set_header X-Real-IP $remote_addr; + } + +Use the [scgi module][scgi] to pass requests for `/gallery/` and +subdirectories on to their [[underlying SCGI app|gallery]]. + + location /gallery/ { + include scgi_params; + scgi_pass localhost:4000; + } + +Turn on autoindexing for `/RAD/` and subdirectories using the +[autoindex module][autoindex]. + + location /RAD/ { + autoindex on; + } + +Force SSL/TLS for `/tree/` and subdirectories, redirecting plain-text +requests to the equivalent HTTPS page. Use the [auth_basic +module][auth_basic] for authentication, the [SSL module][SSL] for +`$ssl_protocol`, and the [rewrite module][rewrite] for the +redirection. + + location /tree/ { + auth_basic "Family Tree"; + auth_basic_user_file /home/jdoe/htpasswd; + if ($ssl_protocol = "") { + rewrite ^ https://example.com$request_uri? permanent; + } + } + +Nothing special with the end of this `server` block. + + # deny access to .htaccess files + location ~ /\.ht { + deny all; + } + } + +[Apache]: http://www.apache.org/ +[Nginx]: http://nginx.org/ +[modules]: http://wiki.nginx.org/Modules +[fcgi]: http://wiki.nginx.org/HttpFcgiModule +[SSL]: http://wiki.nginx.org/HttpSslModule +[proxy]: http://wiki.nginx.org/HttpProxyModule +[scgi]: http://wiki.nginx.org/HttpScgiModule +[autoindex]: http://wiki.nginx.org/HttpAutoindexModule +[auth_basic]: http://wiki.nginx.org/HttpAuthBasicModule +[rewrite]: http://wiki.nginx.org/HttpRewriteModule + +[[!tag tags/tools]] +[[!tag tags/web]] -- 2.26.2