zero-knowledge

minimal nginx configuration

As I was asked today how I manage the nginx setup, I thought I would write it down.

The configuration was inspired by the blog entry of Zach Orr (looks like the blog post is gone since 2014). The setup consists of one main configuration and multiple domain-specific configuration files, which are included by the main config. If a domain is using certificates, these are pulled in in their respective files.

I will leave out the performance stuff to make the config more readable. As the location of the config files differs per platform, I will use $CONF_DIR as a placeholder.

main configuration

The main configuration $CONF_DIR/nginx.conf first sets some global stuff.

# global settings
user www www;
pid /var/run/nginx.pid;

This takes care of dropping privileges after the start: the worker processes run as the www user and www group.

Next is the http section, which sets the defaults for all server parts.

http {
  include      mime.types;
  default_type application/octet-stream;
  charset      UTF-8;

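  # activate some modules
  gzip on;
  # set some defaults for modules
  # note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); current setups should list only TLSv1.2 and TLSv1.3
  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;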

  include sites/*.conf;
}

This part sets some default options for all server sections and keeps the separate configuration files simpler. In this example the mime types are included (a large file with mime type definitions), and the default charset and mime type are set.

In this section we can also activate modules like gzip (see gzip on nginx) or set some options for modules like ssl (see ssl on nginx).

The last option is to include more config files from the sites directory. This is the directive which makes it possible to split up the configs.

server section config

The server section config may look different for each purpose. Here are some smaller config files, just to show what is possible.

static website

For example the file $CONF_DIR/sites/static.zero-knowledge.org.conf looks like this:

server {
  listen 80;
  server_name static.zero-knowledge.org;

  location / {
    root /var/srv/static.zero-knowledge.org/htdocs;
    index index.html;
  }
}

In this case a domain is configured to deliver static content from the directory /var/srv/static.zero-knowledge.org/htdocs on port 80 for the domain static.zero-knowledge.org. If the root path is requested in the browser, nginx will look for index.html to show.
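As an added example (not part of the original post), this is how a certificate-using variant of the static site could look in the same layout, next to the http-level TLS default with the deprecated protocols removed. The certificate paths are placeholders, and TLSv1.3 assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
# --- $CONF_DIR/nginx.conf, inside the http { } section ---
# weak setting from the main config above (TLSv1 and TLSv1.1 are deprecated, RFC 8996):
#   ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
# corrected default, inherited by every server block pulled in via sites/*.conf:
ssl_protocols TLSv1.2 TLSv1.3;

# --- $CONF_DIR/sites/static.zero-knowledge.org.conf ---
# plain HTTP listener: only redirects to the TLS listener below
server {
  listen 80;
  server_name static.zero-knowledge.org;

  return 301 https://$host$request_uri;
}

# TLS listener: the certificate is pulled in by the site that uses it
server {
  listen 443 ssl;
  server_name static.zero-knowledge.org;

  # placeholder paths (assumption, not from the post); when nginx is started
  # as root the master process loads the key before the workers drop to
  # user www, so the key file does not need to be readable by www
  ssl_certificate     /path/to/static.zero-knowledge.org.fullchain.pem;
  ssl_certificate_key /path/to/static.zero-knowledge.org.key;

  location / {
    root /var/srv/static.zero-knowledge.org/htdocs;
    index index.html;
  }
}
```

Running nginx -t before the reload catches a wrong certificate path or a typo in a newly dropped site file without taking down the running server.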

reverse proxy site

For a reverse proxy setup, the config $CONF_DIR/sites/zero-knowledge.org.conf might look like this.

server {
  listen 80;
  server_name zero-knowledge.org;

  location / {
    proxy_pass http://unix:/tmp/reverse.sock;
    include proxy_params;
  }
}

In this case, nginx will also listen on port 80, but for the host zero-knowledge.org. All incoming requests will be forwarded to the local unix socket /tmp/reverse.sock. You can also define IPs and ports here, but for an easy setup, unix sockets might be easier. The directive include proxy_params; includes the config file proxy_params to set some headers when forwarding the request, for example Host or X-Forwarded-For. There should be a number of config files already included with the nginx package, so it is best to take a look in $CONF_DIR.

uwsgi setup

As I got my graphite setup running some days ago, I can also provide a very bare uwsgi config, which actually looks like the reverse proxy config.

server {
  listen 80;
  server_name uwsgi.zero-knowledge.org;

  location / {
    uwsgi_pass uwsgi://unix:/tmp/uwsgi_graphite.sock;
    include uwsgi_params;
  }
}

So instead of proxy_pass, uwsgi_pass is used to tell nginx that it has to speak the uwsgi protocol. Nginx will also include the uwsgi_params file, which, like the proxy_params file, is a collection of parameters to pass along with the request.

conclusion

So this is my pretty minimal configuration for nginx. It helped me automate the configuration, as I just have to drop new config files in the directory and reload the server.

I hope you liked it and have fun.