-
-
Save mikhailov/711913 to your computer and use it in GitHub Desktop.
# NOTICE: to get Nginx+Unicorn best-practices configuration see the gist https://gist.github.com/3052776 | |
$ cd /usr/src | |
$ wget http://nginx.org/download/nginx-1.2.1.tar.gz | |
$ tar xzvf ./nginx-1.2.1.tar.gz && rm -f ./nginx-1.2.1.tar.gz | |
$ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz | |
$ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz | |
$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz | |
$ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz | |
$ gem install passenger -v=3.0.12 --no-ri --no-rdoc | |
$ passenger-install-nginx-module --nginx-source-dir=/usr/src/nginx-1.2.1 --extra-configure-flags="--with-pcre=/usr/src/pcre-8.30 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_gzip_static_module --with-http_stub_status_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module" | |
$ mkdir /tmp/client_body_temp |
user app; | |
worker_processes 2; | |
worker_priority -5; | |
error_log /home/app/logs/nginx.error.log crit; | |
events { | |
use epoll; | |
worker_connections 1024; | |
} | |
http { | |
client_max_body_size 25m; | |
client_body_buffer_size 128k; | |
client_body_temp_path /tmp/client_body_temp; | |
passenger_root /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.12; | |
passenger_ruby /usr/local/bin/ruby; | |
passenger_pool_idle_time 0; | |
passenger_max_pool_size 15; | |
passenger_pre_start http://127.0.0.1/; | |
include mime.types; | |
default_type application/octet-stream; | |
server_tokens off; | |
sendfile on; | |
keepalive_timeout 70; | |
gzip on; | |
gzip_http_version 1.1; | |
gzip_disable "msie6"; | |
gzip_vary on; | |
gzip_min_length 1100; | |
gzip_buffers 64 8k; | |
gzip_comp_level 3; | |
gzip_proxied any; | |
gzip_types text/plain text/css application/x-javascript text/xml application/xml; | |
ssl_certificate /opt/nginx/ssl_certs/cert.crt; | |
ssl_certificate_key /opt/nginx/ssl_certs/server.key; | |
ssl_session_timeout 15m; | |
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | |
ssl_ciphers RC4:HIGH:!aNULL:!MD5; | |
ssl_prefer_server_ciphers on; | |
ssl_session_cache shared:SSL:10m; | |
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains"; | |
add_header X-Frame-Options DENY; | |
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s; | |
include /opt/nginx/conf/nginx_host.conf; | |
} |
server { | |
listen 80; | |
server_name *.host.com; | |
rewrite ^(.*) https://$host$1 permanent; | |
location ~ \.(php|html)$ { | |
deny all; | |
} | |
access_log /dev/null; | |
error_log /dev/null; | |
} | |
# HTTPS server | |
server { | |
ssl on; | |
listen 443 default ssl; | |
server_name *.host.com; | |
root /home/app/public_html/host_production/current/public; | |
try_files $uri /system/maintenance.html @passenger; | |
location @passenger { | |
passenger_enabled on; | |
passenger_min_instances 5; | |
rails_env production; | |
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https; | |
limit_req zone=one burst=5; | |
} | |
error_page 500 502 504 /500.html; | |
error_page 503 @503; | |
location = /50x.html { | |
root html; | |
} | |
location = /404.html { | |
root html; | |
} | |
location @503 { | |
error_page 405 = /system/maintenance.html; | |
if (-f $document_root/system/maintenance.html) { | |
rewrite ^(.*)$ /system/maintenance.html break; | |
} | |
rewrite ^(.*)$ /503.html break; | |
} | |
if ($request_method !~ ^(GET|HEAD|PUT|POST|DELETE|OPTIONS)$ ){ | |
return 405; | |
} | |
if (-f $document_root/system/maintenance.html) { | |
return 503; | |
} | |
location ~ ^/(assets|images|javascripts|stylesheets|swfs|system)/ { | |
gzip_static on; | |
expires max; | |
add_header Cache-Control public; | |
add_header Last-Modified ""; | |
add_header ETag ""; | |
break; | |
} | |
location = /favicon.ico { | |
expires max; | |
add_header Cache-Control public; | |
} | |
location ~ \.(php|html)$ { | |
return 405; | |
} | |
access_log /dev/null; | |
error_log /dev/null; | |
} |
theoooo, you suggested that @503 location should be replaced with try_files $uri /system/maintenance.html @Passenger;
while that surely works, it returns maintenance page with HTTP 200, and that means that search bots might index such page (or treat it as a valid site response anyway, if noindex is mentioned in the page code). I also noticed that some browsers ignore no-cache in the page content, and serve locally cached page even when the server content has been updated - thus leaving users with maintenance page instead of a functional service till they do a proper reload of the page.
Using HTTP 503 solves these problems, and also RFC 2616 suggests HTTP 503 code to be used code for servers in maintenance state.
Do you know a way to return 503 without using ifs in nginx config?
ivanku, thanks for bugreport.
nginx_host.conf has been updated, please take a look at the line 67
thanks,
but this:
server_name *.host.com;
dont work for me, need change to:
server_name subdomain1.host.com sub2.host.com etc..;
server_name can include wildcard, just take a look at official documentation here http://nginx.org/en/docs/http/server_names.html
конечно же я читал, но именно *.host.com не срабатывает, нужно было перечислить все поддомены
версия nginx и конфиг?
centos 5.5
nginx 0.8.54 + passenger 3.0.4
собственно это единственно что у меня не сработало, остальное сделал по вашему конфигу, спасибо
limit_req has been added to location @Passenger
helpful. thank you very much
Would you mind let us know your system spec for this config? CPU. How many core, and RAM, etc??
@sjoonk it's pretty standard, EC2 HighCPU medium instance
updates:
- nginx 1.0.15, passenger 3.0.12
- block unwanted requests by blocking .html (/phpmyadmin, /mysqladmin..)
- client_max_body_size moved before passenger initialization, because it works in that way only
- increase limit per zone to 10r/s
- SSL cache via ssl_session_cache
ssl_session_cache and increased ssl_session_timeout can save 25% of CPU usage
--with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-0.9.8x - refer to http://nginx.2469901.n2.nabble.com/nginx-ssl-prefer-server-ciphers-and-MSIE-7-x-core-dump-td3288089.html
SSL config updated
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!ADH:!MD5;
SSL BEAST attack fixed, locations optimized
openssl upgraded to 1.0.1c to enable TLSv1.1 and TLSv1.2.
Few headers was added by security reasons:
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
add_header X-Frame-Options DENY;
Hey just found this gist, and I've learned a lot from it. Thanks for sharing.
Can I still use something like the following, if my Rails app is using full page caching to the file system? The files get written out with the .html extension.
location ~ .(php|html)$ {
deny all;
}
@supairish yes, you can just remove "|html", the main purpose to use that is to prevent search-bots scans
UPDATE: serve static assets fix
UPDATE: nginx 1.2.1 instead of 1.0.15, it allows me to disable Last-Modified headers for assets
watching and learnt
We recently moved to Nginx+Unicorn due to some passenger's segmentation faults.
You can try passenger in standalone mode, but compile mod_rails module inside is not recommended now.
Anyway, nginx upstream module help you in both cases: 1) use Unicorn, 2) use Standalone Passenger.
See this config here: https://gist.github.com/3052776.
nice config man!
Thank you very much, this config , especially part:
try_files $uri /system/maintenance.html @passenger;
location @passenger {
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
}
very helped me.
I lost 1 day to finding out how to send HTTP_X_FORWARDED_PROTO to passenger. Proxy configs was useless.
what location @Passenger means?
You really shouldn't use that ssl_protocols
line anymore. SSL is not secure. TLS is the new black.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
can u update it ???
the config files are updated: