Created November 23, 2010 15:18
nginx+passenger (real production config)
$ cd /usr/src
$ wget
$ tar xzvf ./nginx-1.2.1.tar.gz && rm -f ./nginx-1.2.1.tar.gz
$ wget
$ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz
$ wget
$ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz
$ gem install passenger -v=3.0.12 --no-ri --no-rdoc
$ passenger-install-nginx-module --nginx-source-dir=/usr/src/nginx-1.2.1 --extra-configure-flags="--with-pcre=/usr/src/pcre-8.30 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_gzip_static_module --with-http_stub_status_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module"
$ mkdir /tmp/client_body_temp
user app;
worker_processes 2;
worker_priority -5;
error_log /home/app/logs/nginx.error.log crit;
events {
use epoll;
worker_connections 1024;
http {
client_max_body_size 25m;
client_body_buffer_size 128k;
client_body_temp_path /tmp/client_body_temp;
passenger_root /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.12;
passenger_ruby /usr/local/bin/ruby;
passenger_pool_idle_time 0;
passenger_max_pool_size 15;
include mime.types;
default_type application/octet-stream;
server_tokens off;
sendfile on;
keepalive_timeout 70;
gzip on;
gzip_http_version 1.1;
gzip_disable "msie6";
gzip_vary on;
gzip_min_length 1100;
gzip_buffers 64 8k;
gzip_comp_level 3;
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript text/xml application/xml;
ssl_certificate /opt/nginx/ssl_certs/cert.crt;
ssl_certificate_key /opt/nginx/ssl_certs/server.key;
ssl_session_timeout 15m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
add_header X-Frame-Options DENY;
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
include /opt/nginx/conf/nginx_host.conf;
server {
listen 80;
server_name *;
rewrite ^(.*) https://$host$1 permanent;
location ~ \.(php|html)$ {
deny all;
access_log /dev/null;
error_log /dev/null;
# HTTPS server
server {
ssl on;
listen 443 default ssl;
server_name *;
root /home/app/public_html/host_production/current/public;
try_files $uri /system/maintenance.html @passenger;
location @passenger {
passenger_enabled on;
passenger_min_instances 5;
rails_env production;
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
limit_req zone=one burst=5;
error_page 500 502 504 /500.html;
error_page 503 @503;
location = /50x.html {
root html;
location = /404.html {
root html;
location @503 {
error_page 405 = /system/maintenance.html;
if (-f $document_root/system/maintenance.html) {
rewrite ^(.*)$ /system/maintenance.html break;
rewrite ^(.*)$ /503.html break;
if ($request_method !~ ^(GET|HEAD|PUT|POST|DELETE|OPTIONS)$ ){
return 405;
if (-f $document_root/system/maintenance.html) {
return 503;
location ~ ^/(assets|images|javascripts|stylesheets|swfs|system)/ {
gzip_static on;
expires max;
add_header Cache-Control public;
add_header Last-Modified "";
add_header ETag "";
location = /favicon.ico {
expires max;
add_header Cache-Control public;
location ~ \.(php|html)$ {
return 405;
access_log /dev/null;
error_log /dev/null;
конечно же я читал, но именно * не срабатывает, нужно было перечислить все поддомены

версия nginx и конфиг?

centos 5.5
nginx 0.8.54 + passenger 3.0.4

собственно это единственно что у меня не сработало, остальное сделал по вашему конфигу, спасибо

limit_req has been added to location @Passenger

pmq20 commented Jan 19, 2012

helpful. thank you very much

sjoonk commented May 7, 2012

Would you mind let us know your system spec for this config? CPU. How many core, and RAM, etc??

@sjoonk it's pretty standard, EC2 HighCPU medium instance

  • nginx 1.0.15, passenger 3.0.12
  • block unwanted requests by blocking .html (/phpmyadmin, /mysqladmin..)
  • client_max_body_size moved before passenger initialization, because it works in that way only
  • increase limit per zone to 10r/s
  • SSL cache via ssl_session_cache

ssl_session_cache and increased ssl_session_timeout can save 25% of CPU usage

--with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-0.9.8x - refer to

SSL config updated

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!ADH:!MD5;

SSL BEAST attack fixed, locations optimized

openssl upgraded to 1.0.1c to enable TLSv1.1 and TLSv1.2.
Few headers was added by security reasons:
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
add_header X-Frame-Options DENY;

Hey just found this gist, and I've learned a lot from it. Thanks for sharing.
Can I still use something like the following, if my Rails app is using full page caching to the file system? The files get written out with the .html extension.

location ~ .(php|html)$ {
deny all;

@supairish yes, you can just remove "|html", the main purpose to use that is to prevent search-bots scans

UPDATE: serve static assets fix

UPDATE: nginx 1.2.1 instead of 1.0.15, it allows me to disable Last-Modified headers for assets

pmq20 commented Jun 26, 2012

watching and learnt

We recently moved to Nginx+Unicorn due to some passenger's segmentation faults.
You can try passenger in standalone mode, but compile mod_rails module inside is not recommended now.
Anyway, nginx upstream module help you in both cases: 1) use Unicorn, 2) use Standalone Passenger.

See this config here:

nice config man!

foton commented May 2, 2014

Thank you very much, this config , especially part:

try_files $uri /system/maintenance.html @passenger;

location @passenger {
     passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;

very helped me.
I lost 1 day to finding out how to send HTTP_X_FORWARDED_PROTO to passenger. Proxy configs was useless.

kjakub commented Jun 23, 2014

what location @Passenger means?

You really shouldn't use that ssl_protocols line anymore. SSL is not secure. TLS is the new black.

ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;

can u update it ???

