nginx

Nginx (pronounced "engine-x") is an open source reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer, HTTP cache, and a web server (origin server). read more at WikiPedia

  • nginx (pronounced “engine-x”) is an open source Web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. It is licensed under a BSD-like license and it runs on Unix, Linux, BSD variants, Mac OS X, Solaris, AIX and Microsoft Windows [WikiPedia]

    These are my reusable settings for any Joomla hosting. To the best of my knowledge, they are the most secure and fastest settings.

    Configuration files are provided using Gist and are CONSTANTLY updated for added security and speed. Gist is a simple way to share snippets and pastes with others. All gists are git repositories, so they are automatically versioned, forkable and usable as a git repository. I recommend that you star them to stay up to date.

    Joomla.conf for nginx

    Create a new directory nginx/conf to be able to place reusable nginx settings:

    mkdir -p /etc/nginx/conf

    vi /etc/nginx/conf/joomla.conf

    Edit or create joomla.conf. You can find the latest documented version of joomla.conf in one of my Gists at https://gist.github.com/1620307

    Adding a new Joomla Site to nginx

    Create the required directories anywhere on your disk. Here is an example with the domain www.example.com:

    mkdir -p /var/www/vhosts/example.com/httpdocs
    mkdir -p /var/www/vhosts/example.com/logs

    Set the right permission to the user and group you have defined in nginx.conf

    chown -fR www-data:www-data /var/www/vhosts/example.com/httpdocs

    Copy the nginx template and adapt to your liking

    cp /etc/nginx/sites-available/default /etc/nginx/sites-available/example
    vi /etc/nginx/sites-available/example

    Edit or create the file example. You can find the latest documented version of this file in one of my Gists at https://gist.github.com/1620307

    This file includes joomla.conf to avoid duplicating nginx settings.

    Activate the new domain

    ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/example
    service nginx restart
  • Resources such as JavaScript and CSS files can be compressed before being sent to the browser, improving network efficiency and application load time in certain cases. If you are not using Apache with mod_deflate or nginx in front of your web application, you may need to implement resource compression yourself.

    Wait! Don’t start writing your own filter to compress files like CSS, HTML, text and JavaScript: it is far more difficult than you think to handle HTTP response headers, MIME types and caching properly. In one sentence: don’t reinvent the wheel; use Ehcache, for example.

    Ehcache is an open source, standards-based cache used to boost performance, offload the database and simplify scalability. Ehcache is robust, proven and full-featured and this has made it the most widely-used Java-based cache. It can scale from in-process with one or more nodes through to a mixed in-process/out-of-process configuration with terabyte-sized caches. For applications needing a coherent distributed cache, Ehcache uses the open source Terracotta Server Array.

    In the pom.xml of your project, add the following dependency on ehcache-web:

    <dependency>
        <groupId>net.sf.ehcache</groupId>
        <artifactId>ehcache-web</artifactId>
        <version>2.0.4</version>
    </dependency>

    In your web.xml, add a filter and configure it properly:

    <filter>
     <filter-name>CompressionFilter</filter-name>
     <filter-class>net.sf.ehcache.constructs.web.filter.GzipFilter</filter-class>
    </filter>
    <filter-mapping>
     <filter-name>CompressionFilter</filter-name>
     <url-pattern>*.css</url-pattern>
    </filter-mapping>
    <filter-mapping>
     <filter-name>CompressionFilter</filter-name>
     <url-pattern>*.html</url-pattern>
    </filter-mapping>
    <filter-mapping>
     <filter-name>CompressionFilter</filter-name>
     <url-pattern>*.js</url-pattern>
    </filter-mapping>
    <filter-mapping>
     <filter-name>CompressionFilter</filter-name>
     <url-pattern>/*</url-pattern>
    </filter-mapping>

    Read more at EhCache Web Caching page.

    As a bonus, I provide you also below the configuration for the famous challenger HTTP server nginx

     ##
     # Gzip Settings
     ##
     gzip  on;
     gzip_http_version 1.1;
     gzip_vary on;
     gzip_comp_level 6;
     gzip_proxied any;
     # A directive may span several lines; nginx needs no "\" continuation.
     gzip_types text/plain text/css application/json application/x-javascript
                text/xml application/xml application/xml+rss text/javascript
                application/javascript text/x-js;
     gzip_buffers 16 8k;
     gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    Or, for the number one HTTP server, Apache, using mod_deflate in /etc/apache2/conf.d/deflate.conf:

    <Location />
    # Insert filter
    SetOutputFilter DEFLATE
    
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/atom+xml
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE text/html
    
    # Netscape 4.x has some problems...
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    
    # Netscape 4.06-4.08 have some more problems
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    
    # MSIE masquerades as Netscape, but it is fine
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    # Don't compress images
    SetEnvIfNoCase Request_URI \
    \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    
    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
    </Location>
  • Google has increased security by enabling HSTS, and it is a good idea to do the same for your server. HTTP Strict Transport Security (HSTS) instructs browsers to communicate with your site only over HTTPS.

    For many years, we’ve worked to increase the use of encryption between our users and Google. Today, the vast majority of these connections are encrypted, and our work continues on this effort.

    To further protect users, we've taken another step to strengthen how we use encryption for data in transit by implementing HTTP Strict Transport Security—HSTS for short—on the www.google.com domain. HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs. Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites.

    see Bringing HSTS to www.google.com

    Quoting the Mozilla Developer Network:

    If a web site accepts a connection through HTTP and redirects to HTTPS, the user in this case may initially talk to the non-encrypted version of the site before being redirected, if, for example, the user types http://www.foo.com/ or even just foo.com. This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page. The HTTP Strict Transport Security feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. see https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

    An example scenario:

    You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker. Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

    For NGINX add this in the server block for your HTTPS configuration:

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

    I would also add the X-Frame-Options header to your HTTPS website to make sure it is not embedded in a frame or iframe. This avoids clickjacking, and might be helpful for HTTPS websites.

    The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a `<frame>` or `<iframe>`. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. see https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

    For NGINX add this in the server block for your HTTPS configuration:

    add_header X-Frame-Options "DENY";

    Don't forget to restart NGINX.
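
    To confirm that both headers really reach the browser, the following added example (not part of the original post) audits a response's headers against the two add_header lines above. The function names and sample responses are constructed for illustration, and accepting SAMEORIGIN as well as DENY is an assumption.

```python
# Added example, not from the original post: audit response headers.
MIN_MAX_AGE = 63072000  # seconds; the max-age in the post's add_header line
def parse_hsts(value):
    """Split an HSTS value into {directive: value or None}; empty parts are skipped."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in directives:             # RFC 6797: each directive at most once
            raise ValueError("duplicate directive " + name)
        directives[name] = val.strip().strip('"') or None
    return directives

def audit(scheme, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    if scheme != "https":
        return []                          # browsers ignore HSTS on plain HTTP
    got = {}
    for name, value in headers:
        got.setdefault(name.lower(), value)    # first occurrence wins
    findings = []
    sts = got.get("strict-transport-security")
    if sts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        try:
            d = parse_hsts(sts)
            age = d.get("max-age") or ""
            if not (age.isascii() and age.isdigit()):
                findings.append("HSTS max-age missing or not a number")
            elif int(age) < MIN_MAX_AGE:
                findings.append("HSTS max-age below %d" % MIN_MAX_AGE)
            if "includesubdomains" not in d:
                findings.append("HSTS lacks includeSubDomains")
        except ValueError as err:
            findings.append("invalid HSTS header: %s" % err)
    xfo = got.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):  # SAMEORIGIN accepted as an assumption
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "page": ("https", [("Strict-Transport-Security",
                        "max-age=63072000; includeSubdomains; "),
                       ("X-Frame-Options", "DENY")]),
    "404": ("https", [("Content-Type", "text/html")]),
}
RESULTS = {name: audit(*sample) for name, sample in SAMPLES.items()}
```

    Run it against error pages and against any location that sets its own add_header: nginx only adds the header to error responses when add_header carries the always parameter, and a location with its own add_header does not inherit the server-level ones.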

  • As always, updating to the latest version of all your development components is never without issues. Here is what you need to take into consideration when upgrading Joomla 3.8.7 and WinNMP 18.03.

    Install WinNMP 18.03 from https://winnmp.wtriple.com/ in any directory; the default is C:\WinNMP\

    Unpack Joomla 3.8.7 to C:\WinNMP\WWW\dev for example

    When starting WinNMP, you can click reload to see the site appear.

    Now edit the Nginx virtual server.

    And cut and paste the following config (you can get it from http://winnmp.wtriple.com/nginx.php#Joomla-Nginx-configuration)

    You can now install Joomla like you are used to, by opening a browser and pointing to http://dev.test

    After the installation you'll notice that the administrator area is broken: some CSS/JavaScript cannot be located (HTTP 404). To solve this, open Joomla!'s configuration.php with your favorite text editor and set the live site property (it was in Joomla 1.5, was then removed, and then appeared again).

    Now the administrator area should work again, but you cannot install any Joomla! extensions, because open_basedir = "c:/winnmp" does not contain the temporary directory. You can safely deactivate it for development, but NOT on ANY production server.

    ;open_basedir = "c:/winnmp"

    Last but not least, php_uname is used by Joomla; activate it in php.ini to remove some warnings.

  • nginx (pronounced “engine-x”) is an open source Web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. It is licensed under a BSD-like license and it runs on Unix, Linux, BSD variants, Mac OS X, Solaris, AIX and Microsoft Windows [WikiPedia]

    With gzip_vary on, nginx adds the Vary: Accept-Encoding header to responses. This instructs proxy servers to cache two versions of the resource: one compressed, and one uncompressed. This helps avoid issues with public proxies that do not detect the presence of a Content-Encoding header properly.

    Configuration files are provided using Gist (https://gist.github.com/1620307) and are CONSTANTLY updated for added security and speed. Gist is a simple way to share snippets and pastes with others. All gists are git repositories, so they are automatically versioned, forkable and usable as a git repository. I recommend that you star them to stay up to date.

     

    Just add the following to the http { … } section of /etc/nginx/nginx.conf:

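     ##
     # Gzip Settings
     ##
     gzip  on;
     gzip_http_version 1.1;
     gzip_vary on;
     gzip_comp_level 6;
     gzip_proxied any;
     # text/html is always compressed; listing it only triggers a
     # "duplicate MIME type" warning, so it is left out here.
     # A directive may span several lines; nginx needs no "\" continuation.
     gzip_types text/plain text/css application/json
                application/x-javascript text/xml application/xml
                application/xml+rss text/javascript application/javascript
                text/x-js;
     gzip_buffers 16 8k;
     gzip_disable "MSIE [1-6]\.(?!.*SV1)";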

     

    from https://developers.google.com/speed/docs/best-practices/caching#LeverageProxyCaching

  • The official version of nginx for Ubuntu Precise is 1.1.19, but the latest available stable version is 1.2.2 (Changes). In this post I will show you how to update to the latest available version.

    vi /etc/apt/sources.list

    and add depending on your Ubuntu version either

    For Ubuntu 10.04 Lucid:

    deb http://nginx.org/packages/ubuntu/ lucid nginx
    deb-src http://nginx.org/packages/ubuntu/ lucid nginx

    For Ubuntu 12.04 Precise:

    deb http://nginx.org/packages/ubuntu/ precise nginx
    deb-src http://nginx.org/packages/ubuntu/ precise nginx

    Now you can run

    apt-get update

    When using the public nginx repository for Ubuntu, you’ll get this error

    W: GPG error: http://nginx.org lucid Release: The following signatures 
    couldn't be verified because the public key is not available: NO_PUBKEY ABF5BD827BD9BF62

    First of all, this is only a warning and you can ignore it if you know what you are doing. If you prefer to add the public key used for signing the packages and the repository, just run:

    gpg -a --export 7BD9BF62 |  sudo apt-key add -

    or

    wget http://nginx.org/packages/keys/nginx_signing.key
    cat nginx_signing.key | sudo apt-key add -
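
    Before piping a downloaded key into apt-key, it is worth checking that the file contains the key apt asked for and nothing else, because every key added this way becomes trusted by apt. The following added example (not part of the original post) does that check on the colon-format listing produced by gpg --show-keys --with-colons nginx_signing.key; the function names are hypothetical and the fingerprints in the sample listings are constructed placeholders.

```python
# Added example, not from the original post: compare a downloaded signing key
# with the key ID from apt's NO_PUBKEY warning before running apt-key add.
import re

def missing_key_ids(apt_output):
    """Return the long key IDs named in apt's NO_PUBKEY warnings."""
    return re.findall(r"NO_PUBKEY ([0-9A-F]{16})", apt_output)

def primary_fingerprints(colons):
    """Return fingerprints of primary keys from gpg --with-colons output."""
    fprs, after_pub = [], False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            after_pub = f[0] == "pub"      # an fpr record follows its key record
        elif f[0] == "fpr" and after_pub and len(f) > 9:
            fprs.append(f[9].upper())      # field 10 holds the fingerprint
            after_pub = False
    return fprs

def safe_to_add(apt_output, colons):
    """True only if the file holds exactly the keys apt asked for."""
    wanted = set(missing_key_ids(apt_output))
    # For v4 keys the long key ID is the last 16 hex digits of the fingerprint.
    found = {fpr[-16:] for fpr in primary_fingerprints(colons)}
    return bool(wanted) and found == wanted

# The warning text shown in the post.
APT_WARNING = ("W: GPG error: http://nginx.org lucid Release: The following "
               "signatures couldn't be verified because the public key is not "
               "available: NO_PUBKEY ABF5BD827BD9BF62")

# Constructed listings; the fingerprints are placeholders, not real keys.
GOOD = ("pub:-:2048:1:ABF5BD827BD9BF62:0:::-:::scESC:\n"
        "fpr:::::::::0123456789ABCDEF01234567ABF5BD827BD9BF62:\n"
        "uid:-::::0::X::constructed signing key:\n")
EXTRA = GOOD + ("pub:-:2048:1:1111222233334444:0:::-:::scESC:\n"
                "fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111222233334444:\n")
```

    A matching key ID only shows that the file is the key apt is looking for; the full fingerprint should still be compared with one obtained over a trusted channel.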

    apt-get update should now run fine, however after running an

    apt-get install nginx

    you may still get this kind of error:

    dpkg: error processing /var/cache/apt/archives/nginx_1.2.2-1~precise_amd64.deb (--unpack):
     trying to overwrite '/etc/logrotate.d/nginx', which is also in package nginx-common 1.1.19-1
    dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
    Errors were encountered while processing:
     /var/cache/apt/archives/nginx_1.2.2-1~precise_amd64.deb

    Just remove nginx-common and retry:

    apt-get remove nginx-common

    More at http://wiki.nginx.org/Install