Difference between revisions of "Nginx"

From Organic Design wiki
(URL rewriting & location blocks: $uri)
(Nginx not NGiNX)
Line 1: Line 1:
NGiNX by all accounts is much more efficient than Apache, so we will probably start changing the OD server, and our [[install a new server|server installation procedure]] over to NGiNX. Currently (as of June 2013) we're running both Apache and NGiNX with the former on ports 80 and 443 and the latter on 8080 and 8989. This way I can get the entire file structure of all sites running properly on NGiNX without any change to the live sites on the standard ports. When everything is working I can switch NGiNX over to the standard ports and then stop Apache and eventually un-install it completely if NGiNX works out well.
+
Nginx by all accounts is much more efficient than Apache, so we will probably start changing the OD server, and our [[install a new server|server installation procedure]] over to Nginx. Currently (as of June 2013) we're running both Apache and Nginx with the former on ports 80 and 443 and the latter on 8080 and 8989. This way I can get the entire file structure of all sites running properly on Nginx without any change to the live sites on the standard ports. When everything is working I can switch Nginx over to the standard ports and then stop Apache and eventually un-install it completely if Nginx works out well.
  
NGiNX uses an asynchronous event-driven approach to handling requests, instead of the Apache model that defaults to a threaded or process-oriented approach. NGiNX's event-driven approach can provide more predictable performance under high loads.
+
Nginx uses an asynchronous event-driven approach to handling requests, instead of the Apache model that defaults to a threaded or process-oriented approach. Nginx's event-driven approach can provide more predictable performance under high loads.
  
Another reason we're moving over to NGiNX is due to the recent interest in [[w:Perfect forward secrecy|Perfect forward secrecy]] (PFS) coming from articles such as [http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html this]. PFS is an obscure feature of SSL/TLS and requires at least OpenSSL version 1 and Apache version 2.3.3, but NGiNX has supported it for quite some time now.
+
Another reason we're moving over to Nginx is due to the recent interest in [[w:Perfect forward secrecy|Perfect forward secrecy]] (PFS) coming from articles such as [http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html this]. PFS is an obscure feature of SSL/TLS and requires at least OpenSSL version 1 and Apache version 2.3.3, but Nginx has supported it for quite some time now.
  
 
== Installation ==
 
== Installation ==
Line 19: Line 19:
  
 
== Fixing PATH_INFO ==
 
== Fixing PATH_INFO ==
There seems to be a problem with the ''PATH_INFO'' system where NGiNX can't handle URLs that request a script with a continues path such as ''/foo.php/bar?biz''. I used [http://kbeezie.com/php-self-path-nginx/ KBeezie]'s solution which almost works, but it uses the [http://wiki.nginx.org/HttpFastcgiModule#fastcgi_split_path_info fastcgi_split_path_info] function which also seems to have a problem. It's supposed to accept a regular expression containing two captures, one gets assigned to the ''$fastcgi_script_name'' variable, and the other to ''$fastcgi_path_info'', but for some reason the former doesn't contain the path portion of the script even if the regular expression states that it should. So in our version of KBeezie's PHP configuration I've used the following custom variables instead of ''$fastcgi_script_name'' and ''$fastcgi_path_info''.
+
There seems to be a problem with the ''PATH_INFO'' system where Nginx can't handle URLs that request a script with a continues path such as ''/foo.php/bar?biz''. I used [http://kbeezie.com/php-self-path-nginx/ KBeezie]'s solution which almost works, but it uses the [http://wiki.nginx.org/HttpFastcgiModule#fastcgi_split_path_info fastcgi_split_path_info] function which also seems to have a problem. It's supposed to accept a regular expression containing two captures, one gets assigned to the ''$fastcgi_script_name'' variable, and the other to ''$fastcgi_path_info'', but for some reason the former doesn't contain the path portion of the script even if the regular expression states that it should. So in our version of KBeezie's PHP configuration I've used the following custom variables instead of ''$fastcgi_script_name'' and ''$fastcgi_path_info''.
 
{{code|<pre>
 
{{code|<pre>
 
if ($request_uri ~ ^(.+\.php)(/?.*)$) {
 
if ($request_uri ~ ^(.+\.php)(/?.*)$) {
Line 41: Line 41:
 
*[http://articles.slicehost.com/2007/12/19/ubuntu-gutsy-self-signed-ssl-certificates-and-nginx Self-signed certs in Nginx]
 
*[http://articles.slicehost.com/2007/12/19/ubuntu-gutsy-self-signed-ssl-certificates-and-nginx Self-signed certs in Nginx]
 
*[http://www.westphahl.net/blog/2012/01/03/setting-up-https-with-nginx-and-startssl/ StartSSL & Nginx]
 
*[http://www.westphahl.net/blog/2012/01/03/setting-up-https-with-nginx-and-startssl/ StartSSL & Nginx]
*[http://serverfault.com/questions/18994/nginx-best-practices NGiNX best practices]
+
*[http://serverfault.com/questions/18994/nginx-best-practices Nginx best practices]
*[http://wiki.nginx.org/Pitfalls NGiNX pitfalls]
+
*[http://wiki.nginx.org/Pitfalls Nginx pitfalls]
 
*[http://nginx.org/en/docs/http/configuring_https_servers.html Configuring Nginx HTTPS servers]
 
*[http://nginx.org/en/docs/http/configuring_https_servers.html Configuring Nginx HTTPS servers]
 
*[http://www.webhostingtalk.com/showthread.php?t=1025286 Installation on Debian]
 
*[http://www.webhostingtalk.com/showthread.php?t=1025286 Installation on Debian]
*[http://wiki.nginx.org/HttpCoreModule#Variables NGiNX variables]
+
*[http://wiki.nginx.org/HttpCoreModule#Variables Nginx variables]
 
*[http://wiki.nginx.org/HttpCoreModule#location The "location" directive]
 
*[http://wiki.nginx.org/HttpCoreModule#location The "location" directive]
 
*[http://nginx.org/en/docs/http/ngx_http_rewrite_module.html Conditions and their oeprators]
 
*[http://nginx.org/en/docs/http/ngx_http_rewrite_module.html Conditions and their oeprators]
*[http://wiki.nginx.org/HttpRewriteModule NGiNX rewrite module]
+
*[http://wiki.nginx.org/HttpRewriteModule Nginx rewrite module]
 
[[Category:Libre software]]
 
[[Category:Libre software]]

Revision as of 21:12, 29 June 2013

Nginx by all accounts is much more efficient than Apache, so we will probably start changing the OD server, and our server installation procedure over to Nginx. Currently (as of June 2013) we're running both Apache and Nginx with the former on ports 80 and 443 and the latter on 8080 and 8989. This way I can get the entire file structure of all sites running properly on Nginx without any change to the live sites on the standard ports. When everything is working I can switch Nginx over to the standard ports and then stop Apache and eventually un-install it completely if Nginx works out well.

Nginx uses an asynchronous event-driven approach to handling requests, instead of the Apache model that defaults to a threaded or process-oriented approach. Nginx's event-driven approach can provide more predictable performance under high loads.

Another reason we're moving over to Nginx is due to the recent interest in Perfect forward secrecy (PFS) coming from articles such as this. PFS is an obscure feature of SSL/TLS and requires at least OpenSSL version 1 and Apache version 2.3.3, but Nginx has supported it for quite some time now.

Installation

All our local installation documentation is in the install a new server procedure. The selecting a good set of ciphers section covers more detail about the perfect forward secrecy issues and installation.

URL rewriting & location blocks

  • Only one location block will match and be processed
  • The first exact match (using =) will return immediately
  • Next strings will be matched, the most specific match being chosen
  • Then regex matches will be chosen the first match overriding any string matches (strings can use ^~ to block the regex tests after a match)
  • Rewrites at server level are evaluated before the location directives are evaluated
  • Rewrites within location blocks are thenn evaluated
  • If rewrites within a location block change the URI, then the locations is evaluated again
  • $request_uri is the original request, $uri is updated after rewrites

Fixing PATH_INFO

There seems to be a problem with the PATH_INFO system where Nginx can't handle URLs that request a script with a continues path such as /foo.php/bar?biz. I used KBeezie's solution which almost works, but it uses the fastcgi_split_path_info function which also seems to have a problem. It's supposed to accept a regular expression containing two captures, one gets assigned to the $fastcgi_script_name variable, and the other to $fastcgi_path_info, but for some reason the former doesn't contain the path portion of the script even if the regular expression states that it should. So in our version of KBeezie's PHP configuration I've used the following custom variables instead of $fastcgi_script_name and $fastcgi_path_info. 

if ($request_uri ~ ^(.+\.php)(/?.*)$) {
    set $new_script_name $1;
    set $new_path_info $2;
}


The minimum fastcgi parameters required are: 

fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  SCRIPT_FILENAME    $document_root/$fastcgi_script_name;

See also

Retrieved from "https://organicdesign.nz/wiki/index.php?title=Nginx&oldid=114862"