Table of contents
NGINX
HTTP server.
Documentation
CGI
- Php-fpm
Security
WAF (Web Application Firewall)
- ModSecurity
- How to implement ModSecurity WAF with NGINX 2019 (Installing ModSecurity v3)
- NAXSI (Nginx Anti Xss & Sql Injection)
Other
- Bunkerized Nginx
Tips & Tricks
Nginx auth request
Nginx can authenticate requests by making an intermediate request to a service (an HTTP subrequest to an external server). This is provided by the ngx_http_auth_request_module, which is already included in nginx-light. Nginx only looks at the status code of that subrequest: a 2xx lets the original request through, 401 or 403 denies it with that code, and any other status is treated as an error.

This is useful for serving static files only to logged-in users: it avoids tying up a slot of the application server (python, php, …) just to serve a file.
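The following is an added example, not code from the page: a minimal auth_request backend in Python that decides from a signed session cookie whether nginx may serve the static file. The nginx side it assumes (location names /private/ and /auth, the 127.0.0.1:9000 port, the cookie name "session" and the signing key) are all hypothetical choices for the example; the nginx semantics (only the subrequest's status code matters, the body is discarded) are the module's documented behaviour.

```python
# Added example (not from the page): a minimal backend for nginx's auth_request,
# deciding from a signed session cookie whether a request for a static file may proceed.
#
# Assumed nginx side (hypothetical paths and port):
#
#   location /private/ {
#       auth_request /auth;
#       auth_request_set $auth_user $upstream_http_x_auth_user;
#       alias /srv/private/;
#   }
#   location = /auth {
#       internal;
#       proxy_pass http://127.0.0.1:9000/;
#       proxy_pass_request_body off;
#       proxy_set_header Content-Length "";
#       proxy_set_header X-Original-URI $request_uri;
#   }
#
# nginx only uses the subrequest's status: 2xx allows the request, 401/403 denies it,
# any other status is turned into a 500.
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSION_COOKIE = "session"
# Constructed key for the example; a real deployment loads it from the environment or a file.
SECRET = b"example-key-do-not-use"


def sign(user: str) -> str:
    """Build a session cookie value '<user>.<hmac-sha256>' for a logged-in user."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def verify(value):
    """Return the user named in a cookie value if its MAC is valid, else None."""
    if not value or "." not in value:
        return None
    user, _, mac = value.rpartition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    return user


def decide(headers):
    """Map the subrequest headers (any Mapping) to (status, user): 200 or 401."""
    jar = SimpleCookie()
    try:
        jar.load(headers.get("Cookie", ""))
    except CookieError:
        # Malformed Cookie header: treat as not logged in rather than crashing.
        return 401, None
    morsel = jar.get(SESSION_COOKIE)
    user = verify(morsel.value) if morsel is not None else None
    return (200, user) if user else (401, None)


class AuthHandler(BaseHTTPRequestHandler):
    """Answers every subrequest with just a status code and no body."""

    def do_GET(self):
        status, user = decide(self.headers)
        self.send_response(status)
        if user:
            # Picked up by nginx via auth_request_set, e.g. for logging.
            self.send_header("X-Auth-User", user)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the example quiet; nginx already logs the main request


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Run it next to nginx, bind it to loopback only (the /auth location is marked internal, so clients can never reach it through nginx either), and let whatever logs the user in set the cookie with sign(). Because nginx discards the subrequest body, the backend deliberately sends none; anything it wants nginx to keep goes into response headers read back with auth_request_set.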
Letsencrypt certbot reload
Certbot on recent Debian releases uses a systemd timer. To reload nginx after a certificate renewal, create a script such as /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx (it must be executable, e.g. chmod +x):

```sh
#!/bin/sh
# Deploy hook run by certbot after a successful renewal.
set -e
systemctl reload nginx
```
Optimize Nginx
Logging
- NGINX conditional logging and responses (2020-11)
more than one worker process
http://articles.slicehost.com/2008/5/15/ubuntu-hardy-nginx-configuration/
```nginx
user www-data www-data;

# Nginx can have more than one worker process running at the same time.
# To take advantage of SMP and to enable good efficiency I would recommend changing this to read:
worker_processes 4;

events {
    worker_connections 1024;
}

http {
    tcp_nodelay on;
    include /usr/local/nginx/sites-enabled/*;
}
```
worker_connections sets the number of connections that each worker can handle. This is a good default setting.

You can work out the maximum number of clients from this and the worker_processes settings:

max_clients = worker_processes * worker_connections

The sendfile directive is used when the server (Nginx) can actually ignore the contents of the file it is sending. It uses the kernel sendfile support instead of using its own resources on the request.

It is generally used for larger files (such as images) which do not need a multiple request/confirmation system to be served, thus freeing resources for items that do need that level of 'supervision' from Nginx.

Keep it on unless you know why you need to turn it off.
nginx proxy cache for OSM tiles
nginx configuration to set up an OSM tile cache, by CQuest: https://gist.github.com/cquest/ef82d82e7700e116b340ca3f77532880

```nginx
# tilecache.conf
# keep the tiles in /var/cache, for 24h and at most 16 GB
proxy_cache_path /var/cache/nginx-tilecache levels=1:2 keys_zone=tilecache:100m inactive=24h max_size=16G;

server {
    server_name tilecache.mondomaine.tld a.tilecache.mondomaine.tld b.tilecache.mondomaine.tld c.tilecache.mondomaine.tld;
    listen 80;

    location / {
        proxy_pass http://tilecache.openstreetmap.fr;
        proxy_cache tilecache;
        proxy_cache_valid 200 302 24h;
        proxy_cache_valid 404 1m;
        proxy_cache_lock on;
        # add the client IP to the request sent upstream
        proxy_set_header X-Forwarded-For $remote_addr;
        # report the cache status in the response to the client
        add_header X-Cache-Status $upstream_cache_status;
        # if upstream is down, serve the copy we have in cache
        proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
    }
}
```