Repository: trimstray/nginx-admins-handbook
Branch: master
Commit: 5aea1f81a2fd
Files: 83
Total size: 1.0 MB
Directory structure:
gitextract_b_tfkvj5/
├── .github/
│ ├── CODE_OF_CONDUCT.md
│ ├── CONTRIBUTING.md
│ └── FUNDING.yml
├── LICENSE.md
├── README.md
├── doc/
│ ├── EXAMPLES.md
│ ├── HELPERS.md
│ ├── HTTP_BASICS.md
│ ├── NGINX_BASICS.md
│ ├── RULES.md
│ └── SSL_TLS_BASICS.md
├── lib/
│ ├── nginx/
│ │ ├── dhparam_4096-with-ds.pem
│ │ ├── dhparam_4096.pem
│ │ ├── html/
│ │ │ ├── 50x.html
│ │ │ └── index.html
│ │ ├── master/
│ │ │ ├── _acls/
│ │ │ │ ├── external.geo.acl
│ │ │ │ ├── external.map.acl
│ │ │ │ ├── internal.geo.acl
│ │ │ │ └── internal.map.acl
│ │ │ ├── _basic/
│ │ │ │ ├── logging.conf
│ │ │ │ ├── main.conf
│ │ │ │ ├── proxy-params.conf
│ │ │ │ ├── rate-limiting.conf
│ │ │ │ └── redirects-map.conf
│ │ │ ├── _listen/
│ │ │ │ ├── 192.168.250.2/
│ │ │ │ │ ├── http.conf
│ │ │ │ │ └── https.conf
│ │ │ │ └── localhost/
│ │ │ │ ├── http.conf
│ │ │ │ └── https.conf
│ │ │ ├── _server/
│ │ │ │ ├── _helpers/
│ │ │ │ │ └── global.conf
│ │ │ │ ├── blkcipher.info/
│ │ │ │ │ ├── acls/
│ │ │ │ │ │ └── demo.conf
│ │ │ │ │ ├── backends.conf
│ │ │ │ │ ├── certs/
│ │ │ │ │ │ ├── blkcipher.info.conf
│ │ │ │ │ │ ├── blkcipher.info.key
│ │ │ │ │ │ └── nginx_blkcipher.info_bundle.crt
│ │ │ │ │ ├── credentials/
│ │ │ │ │ │ └── demo.txt
│ │ │ │ │ └── servers.conf
│ │ │ │ ├── defaults/
│ │ │ │ │ ├── backends.conf
│ │ │ │ │ ├── certs/
│ │ │ │ │ │ ├── defaults.conf
│ │ │ │ │ │ ├── defaults.key
│ │ │ │ │ │ └── nginx_defaults_bundle.crt
│ │ │ │ │ └── servers.conf
│ │ │ │ └── localhost/
│ │ │ │ ├── backends.conf
│ │ │ │ ├── certs/
│ │ │ │ │ ├── localhost.conf
│ │ │ │ │ ├── localhost.key
│ │ │ │ │ └── nginx_localhost_bundle.crt
│ │ │ │ └── servers.conf
│ │ │ └── _static/
│ │ │ └── errors.conf
│ │ ├── mime.types
│ │ ├── modules.conf
│ │ ├── nginx.conf
│ │ ├── snippets/
│ │ │ ├── gdb/
│ │ │ │ └── nginx-config.gdb
│ │ │ ├── http-error-pages/
│ │ │ │ ├── README.md
│ │ │ │ ├── httpgen
│ │ │ │ ├── sites/
│ │ │ │ │ └── .gitkeep
│ │ │ │ ├── src/
│ │ │ │ │ ├── 4xx.json
│ │ │ │ │ ├── 5xx.json
│ │ │ │ │ ├── index.html
│ │ │ │ │ ├── main.css
│ │ │ │ │ └── other.json
│ │ │ │ └── templates/
│ │ │ │ ├── _template.html
│ │ │ │ └── nginx/
│ │ │ │ └── errors.conf
│ │ │ ├── logrotate.d/
│ │ │ │ ├── nginx.bsd
│ │ │ │ └── nginx.linux
│ │ │ ├── scripts/
│ │ │ │ ├── git-status.sh
│ │ │ │ └── show-memory.sh
│ │ │ ├── server-name-parser/
│ │ │ │ ├── check-server-name.sh
│ │ │ │ └── server-name-parser.py
│ │ │ ├── skel/
│ │ │ │ ├── .bashrc-bsd
│ │ │ │ ├── .bashrc-linux
│ │ │ │ ├── .cshrc-bsd
│ │ │ │ ├── .exrc
│ │ │ │ ├── .goprofile
│ │ │ │ ├── .profile-bsd
│ │ │ │ ├── .vimrc
│ │ │ │ ├── global-aliases.bash
│ │ │ │ └── global-aliases.csh
│ │ │ └── systemd/
│ │ │ └── nginx.service
│ │ └── win-utf
│ ├── ngx_installer.conf
│ ├── ngx_installer.sh
│ └── ngx_installer.vars
└── static/
└── img/
└── cheatsheets/
├── nginx-hardening-cheatsheet-tls12-100p.xcf
└── nginx-hardening-cheatsheet-tls13.xcf
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/CODE_OF_CONDUCT.md
================================================
# Contributor Covenant Code of Conduct
## Our Pledge
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
## Scope
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at trimstray@gmail.com. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/
================================================
FILE: .github/CONTRIBUTING.md
================================================
# Contributing
> _A real community, however, exists only when its members interact in a meaningful way that deepens their understanding of each other and leads to learning._
If you would like to support this project, have an interesting idea for improving how this tool works, or have found errors: fork this repository, add your fixes, and open a pull request from your branch against the **master branch**.
## Using the issue tracker
The [issue tracker](https://github.com/trimstray/nginx-admins-handbook/issues) is the preferred channel for bug reports, feature requests and submitting pull requests, but please respect the following restrictions:
* Please **do not** use the issue tracker for personal support requests (use [Stack Overflow](https://stackoverflow.com) or IRC)
* Please **do not** derail or troll issues. Keep the discussion on topic and respect the opinions of others
## Signature of commit
Moving forward, all commits to this project must include a "signed-off-by" line indicating the name and email address of the contributor signing off on the change. To enable signatures, add the following lines to `.git/hooks/prepare-commit-msg`:
```bash
# Build the sign-off line from the author identity ("Name <email> ..." -> "- signed-off-by: Name <email>")
SOB=$(git var GIT_AUTHOR_IDENT | sed -n 's/^\(.*>\).*$/- signed-off-by: \1/p')
# Append it to the commit message file ($1) only if it is not already present
grep -qs "^$SOB" "$1" || echo "$SOB" >> "$1"
```
## Pull requests
When creating a pull request, please heed the following:
- Base your code on the latest master branch to avoid manual merges
- Code review may ensue in order to help shape your proposal
- Explain the problem and your proposed solution
================================================
FILE: .github/FUNDING.yml
================================================
open_collective: trimstray
github: trimstray
================================================
FILE: LICENSE.md
================================================
MIT License
Copyright (c) 2017 trimstray
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
<div align="center">
<h1>Nginx Admin's Handbook</h1>
</div>
<div align="center">
<b><code>My notes on NGINX administration basics, tips & tricks, caveats, and gotchas.</code></b>
</div>
<br>
<p align="center">
<a href="https://www.hostingadvice.com/how-to/nginx-vs-apache/">
<img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/nginx_meme.png" alt="Meme">
</a>
</p>
<br>
<p align="center">
<sup>
<i>
Hi-diddle-diddle, he played on his<br>
fiddle and danced with lady pigs.<br>
Number three said, "Nicks on tricks!<br>
I'll build my house with <b>EN-jin-EKS</b>!".<br>
<a href="https://g.co/kgs/HCcQVz">The Three Little Pigs: Who's Afraid of the Big Bad Wolf?</a>
</i>
</sup>
</p>
<br>
<p align="center">
<a href="https://github.com/trimstray/nginx-admins-handbook/pulls">
<img src="https://img.shields.io/badge/PRs-welcome-brightgreen.svg?longCache=true" alt="Pull Requests">
</a>
<a href="LICENSE.md">
<img src="https://img.shields.io/badge/License-MIT-lightgrey.svg?longCache=true" alt="MIT License">
</a>
</p>
<br>
****
# Table of Contents
- **[Introduction](#introduction)**<a id="toc-introduction"></a>
* [Prologue](#prologue)
* [Why I created this handbook](#why-i-created-this-handbook)
* [Who this handbook is for](#who-this-handbook-is-for)
* [Before you start](#before-you-start)
* [Contributing & Support](#contributing--support)
* [RSS Feed & Updates](#rss-feed--updates)
* [Checklist to rule them all](#checklist-to-rule-them-all)
- **[Bonus Stuff](#bonus-stuff)**<a id="toc-bonus-stuff"></a>
* [Configuration reports](#configuration-reports)
* [SSL Labs](#ssl-labs)
* [Mozilla Observatory](#mozilla-observatory)
* [Printable hardening cheatsheets](#printable-hardening-cheatsheets)
* [Fully automatic installation](#fully-automatic-installation)
* [Static error pages generator](#static-error-pages-generator)
* [Server names parser](#server-names-parser)
- **[Books](#books)**<a id="toc-books"></a>
* [Nginx Essentials](#nginx-essentials)
* [Nginx Cookbook](#nginx-cookbook)
* [Nginx HTTP Server](#nginx-http-server)
* [Nginx High Performance](#nginx-high-performance)
* [Mastering Nginx](#mastering-nginx)
* [ModSecurity 3.0 and NGINX: Quick Start Guide](#modsecurity-30-and-nginx-quick-start-guide)
* [Cisco ACE to NGINX: Migration Guide](#cisco-ace-to-nginx-migration-guide)
- **[External Resources](#external-resources)**<a id="toc-external-resources"></a>
* [Nginx official](#nginx-official)
* [Nginx distributions](#nginx-distributions)
* [Comparison reviews](#comparison-reviews)
* [Cheatsheets & References](#cheatsheets--references)
* [Performance & Hardening](#performance--hardening)
* [Presentations & Videos](#presentations--videos)
* [Playgrounds](#playgrounds)
* [Config generators](#config-generators)
* [Config parsers](#config-parsers)
* [Config managers](#config-managers)
* [Static analyzers](#static-analyzers)
* [Log analyzers](#log-analyzers)
* [Performance analyzers](#performance-analyzers)
* [Builder tools](#builder-tools)
* [Benchmarking tools](#benchmarking-tools)
* [Debugging tools](#debugging-tools)
* [Security & Web testing tools](#security--web-testing-tools)
* [Development](#development)
* [Online & Web tools](#online--web-tools)
* [Other stuff](#other-stuff)
- **[What's next?](#whats-next)**
<details>
<summary><b>Other chapters</b></summary><br>
- **[HTTP Basics](doc/HTTP_BASICS.md#http-basics)**<a id="toc-http-basics"></a>
* [Introduction](doc/HTTP_BASICS.md#introduction-1)
* [Features and architecture](doc/HTTP_BASICS.md#features-and-architecture)
* [HTTP/2](doc/HTTP_BASICS.md#http2)
* [How to debug HTTP/2?](doc/HTTP_BASICS.md#how-to-debug-http2)
* [HTTP/3](doc/HTTP_BASICS.md#http3)
* [URI vs URL](doc/HTTP_BASICS.md#uri-vs-url)
* [Connection vs request](doc/HTTP_BASICS.md#connection-vs-request)
* [HTTP Headers](doc/HTTP_BASICS.md#http-headers)
* [Header compression](doc/HTTP_BASICS.md#header-compression)
* [HTTP Methods](doc/HTTP_BASICS.md#http-methods)
* [Request](doc/HTTP_BASICS.md#request)
* [Request line](doc/HTTP_BASICS.md#request-line)
* [Methods](doc/HTTP_BASICS.md#methods)
* [Request URI](doc/HTTP_BASICS.md#request-uri)
* [HTTP version](doc/HTTP_BASICS.md#http-version)
* [Request header fields](doc/HTTP_BASICS.md#request-header-fields)
* [Message body](doc/HTTP_BASICS.md#message-body)
* [Generate requests](doc/HTTP_BASICS.md#generate-requests)
* [Response](doc/HTTP_BASICS.md#response)
* [Status line](doc/HTTP_BASICS.md#status-line)
* [HTTP version](doc/HTTP_BASICS.md#http-version-1)
* [Status codes and reason phrase](doc/HTTP_BASICS.md#status-codes-and-reason-phrase)
* [Response header fields](doc/HTTP_BASICS.md#response-header-fields)
* [Message body](doc/HTTP_BASICS.md#message-body-1)
* [HTTP client](doc/HTTP_BASICS.md#http-client)
* [IP address shortcuts](doc/HTTP_BASICS.md#ip-address-shortcuts)
* [Back-End web architecture](doc/HTTP_BASICS.md#back-end-web-architecture)
* [Useful video resources](doc/HTTP_BASICS.md#useful-video-resources)
- **[SSL/TLS Basics](doc/SSL_TLS_BASICS.md#ssltls-basics)**<a id="toc-ssltls-basics"></a>
* [Introduction](doc/SSL_TLS_BASICS.md#introduction-2)
* [TLS versions](doc/SSL_TLS_BASICS.md#tls-versions)
* [TLS handshake](doc/SSL_TLS_BASICS.md#tls-handshake)
* [In which layer is TLS situated within the TCP/IP stack?](doc/SSL_TLS_BASICS.md#in-which-layer-is-tls-situated-within-the-tcpip-stack)
* [RSA and ECC keys/certificates](doc/SSL_TLS_BASICS.md#rsa-and-ecc-keyscertificates)
* [Cipher suites](doc/SSL_TLS_BASICS.md#cipher-suites)
* [Authenticated encryption (AEAD) cipher suites](doc/SSL_TLS_BASICS.md#authenticated-encryption-aead-cipher-suites)
* [Why cipher suites are important?](doc/SSL_TLS_BASICS.md#why-cipher-suites-are-important)
* [What does insecure, weak, secure and recommended mean?](doc/SSL_TLS_BASICS.md#what-does-insecure-weak-secure-and-recommended-mean)
* [NGINX and TLS 1.3 Cipher Suites](doc/SSL_TLS_BASICS.md#nginx-and-tls-13-cipher-suites)
* [Diffie-Hellman key exchange](doc/SSL_TLS_BASICS.md#diffie-hellman-key-exchange)
* [What exactly is the purpose of these DH Parameters?](doc/SSL_TLS_BASICS.md#what-exactly-is-the-purpose-of-these-dh-parameters)
* [Certificates](doc/SSL_TLS_BASICS.md#certificates)
* [Chain of Trust](doc/SSL_TLS_BASICS.md#chain-of-trust)
* [What is the main purpose of the Intermediate CA?](doc/SSL_TLS_BASICS.md#what-is-the-main-purpose-of-the-intermediate-ca)
* [Single-domain](doc/SSL_TLS_BASICS.md#single-domain)
* [Multi-domain](doc/SSL_TLS_BASICS.md#multi-domain)
* [Wildcard](doc/SSL_TLS_BASICS.md#wildcard)
* [Wildcard SSL doesn't handle root domain?](doc/SSL_TLS_BASICS.md#wildcard-ssl-doesnt-handle-root-domain)
* [HTTPS with self-signed certificate vs HTTP](doc/SSL_TLS_BASICS.md#https-with-self-signed-certificate-vs-http)
* [TLS Server Name Indication](doc/SSL_TLS_BASICS.md#tls-server-name-indication)
* [Verify your SSL, TLS & Ciphers implementation](doc/SSL_TLS_BASICS.md#verify-your-ssl-tls--ciphers-implementation)
* [Useful video resources](doc/SSL_TLS_BASICS.md#useful-video-resources)
- **[NGINX Basics](doc/NGINX_BASICS.md#nginx-basics)**<a id="toc-nginx-basics"></a>
* [Directories and files](doc/NGINX_BASICS.md#directories-and-files)
* [Commands](doc/NGINX_BASICS.md#commands)
* [Processes](doc/NGINX_BASICS.md#processes)
* [CPU pinning](doc/NGINX_BASICS.md#cpu-pinning)
* [Shutdown of worker processes](doc/NGINX_BASICS.md#shutdown-of-worker-processes)
* [Configuration syntax](doc/NGINX_BASICS.md#configuration-syntax)
* [Comments](doc/NGINX_BASICS.md#comments)
* [End of lines](doc/NGINX_BASICS.md#end-of-lines)
* [Variables, Strings, and Quotes](doc/NGINX_BASICS.md#variables-strings-and-quotes)
* [Directives, Blocks, and Contexts](doc/NGINX_BASICS.md#directives-blocks-and-contexts)
* [External files](doc/NGINX_BASICS.md#external-files)
* [Measurement units](doc/NGINX_BASICS.md#measurement-units)
* [Regular expressions with PCRE](doc/NGINX_BASICS.md#regular-expressions-with-pcre)
* [Enable syntax highlighting](doc/NGINX_BASICS.md#enable-syntax-highlighting)
* [Connection processing](doc/NGINX_BASICS.md#connection-processing)
* [Event-Driven architecture](doc/NGINX_BASICS.md#event-driven-architecture)
* [Multiple processes](doc/NGINX_BASICS.md#multiple-processes)
* [Simultaneous connections](doc/NGINX_BASICS.md#simultaneous-connections)
* [HTTP Keep-Alive connections](doc/NGINX_BASICS.md#http-keep-alive-connections)
* [sendfile, tcp_nodelay, and tcp_nopush](doc/NGINX_BASICS.md#sendfile-tcp_nodelay-and-tcp_nopush)
* [Request processing stages](doc/NGINX_BASICS.md#request-processing-stages)
* [Server blocks logic](doc/NGINX_BASICS.md#server-blocks-logic)
* [Handle incoming connections](doc/NGINX_BASICS.md#handle-incoming-connections)
* [Matching location](doc/NGINX_BASICS.md#matching-location)
* [rewrite vs return](doc/NGINX_BASICS.md#rewrite-vs-return)
* [URL redirections](doc/NGINX_BASICS.md#url-redirections)
* [try_files directive](doc/NGINX_BASICS.md#try_files-directive)
* [if, break, and set](doc/NGINX_BASICS.md#if-break-and-set)
* [root vs alias](doc/NGINX_BASICS.md#root-vs-alias)
* [internal directive](doc/NGINX_BASICS.md#internal-directive)
* [External and internal redirects](doc/NGINX_BASICS.md#external-and-internal-redirects)
* [allow and deny](doc/NGINX_BASICS.md#allow-and-deny)
* [uri vs request_uri](doc/NGINX_BASICS.md#uri-vs-request_uri)
* [Compression and decompression](doc/NGINX_BASICS.md#compression-and-decompression)
* [What is the best NGINX compression gzip level?](doc/NGINX_BASICS.md#what-is-the-best-nginx-compression-gzip-level)
* [Hash tables](doc/NGINX_BASICS.md#hash-tables)
* [Server names hash table](doc/NGINX_BASICS.md#server-names-hash-table)
* [Log files](doc/NGINX_BASICS.md#log-files)
* [Conditional logging](doc/NGINX_BASICS.md#conditional-logging)
* [Manually log rotation](doc/NGINX_BASICS.md#manually-log-rotation)
* [Error log severity levels](doc/NGINX_BASICS.md#error-log-severity-levels)
* [How to log the start time of a request?](doc/NGINX_BASICS.md#how-to-log-the-start-time-of-a-request)
* [How to log the HTTP request body?](doc/NGINX_BASICS.md#how-to-log-the-http-request-body)
* [NGINX upstream variables returns 2 values](doc/NGINX_BASICS.md#nginx-upstream-variables-returns-2-values)
* [Reverse proxy](doc/NGINX_BASICS.md#reverse-proxy)
* [Passing requests](doc/NGINX_BASICS.md#passing-requests)
* [Trailing slashes](doc/NGINX_BASICS.md#trailing-slashes)
* [Passing headers to the backend](doc/NGINX_BASICS.md#passing-headers-to-the-backend)
* [Importance of the Host header](doc/NGINX_BASICS.md#importance-of-the-host-header)
* [Redirects and X-Forwarded-Proto](doc/NGINX_BASICS.md#redirects-and-x-forwarded-proto)
* [A warning about the X-Forwarded-For](doc/NGINX_BASICS.md#a-warning-about-the-x-forwarded-for)
* [Improve extensibility with Forwarded](doc/NGINX_BASICS.md#improve-extensibility-with-forwarded)
* [Response headers](doc/NGINX_BASICS.md#response-headers)
* [Load balancing algorithms](doc/NGINX_BASICS.md#load-balancing-algorithms)
* [Backend parameters](doc/NGINX_BASICS.md#backend-parameters)
* [Upstream servers with SSL](doc/NGINX_BASICS.md#upstream-servers-with-ssl)
* [Round Robin](doc/NGINX_BASICS.md#round-robin)
* [Weighted Round Robin](doc/NGINX_BASICS.md#weighted-round-robin)
* [Least Connections](doc/NGINX_BASICS.md#least-connections)
* [Weighted Least Connections](doc/NGINX_BASICS.md#weighted-least-connections)
* [IP Hash](doc/NGINX_BASICS.md#ip-hash)
* [Generic Hash](doc/NGINX_BASICS.md#generic-hash)
* [Other methods](doc/NGINX_BASICS.md#other-methods)
* [Rate limiting](doc/NGINX_BASICS.md#rate-limiting)
* [Variables](doc/NGINX_BASICS.md#variables)
* [Directives, keys, and zones](doc/NGINX_BASICS.md#directives-keys-and-zones)
* [Burst and nodelay parameters](doc/NGINX_BASICS.md#burst-and-nodelay-parameters)
* [NAXSI Web Application Firewall](doc/NGINX_BASICS.md#naxsi-web-application-firewall)
* [OWASP ModSecurity Core Rule Set (CRS)](doc/NGINX_BASICS.md#owasp-modsecurity-core-rule-set-crs)
* [Core modules](doc/NGINX_BASICS.md#core-modules)
* [ngx_http_geo_module](doc/NGINX_BASICS.md#ngx_http_geo_module)
* [3rd party modules](doc/NGINX_BASICS.md#3rd-party-modules)
* [ngx_set_misc](doc/NGINX_BASICS.md#ngx_set_misc)
* [ngx_http_geoip_module](doc/NGINX_BASICS.md#ngx_http_geoip_module)
- **[Helpers](doc/HELPERS.md#helpers)**<a id="toc-helpers"></a>
* [Installing from prebuilt packages](doc/HELPERS.md#installing-from-prebuilt-packages)
* [RHEL7 or CentOS 7](doc/HELPERS.md#rhel7-or-centos-7)
* [Debian or Ubuntu](doc/HELPERS.md#debian-or-ubuntu)
* [FreeBSD](doc/HELPERS.md#freebsd)
* [Installing from source](doc/HELPERS.md#installing-from-source)
* [Automatic installation on RHEL/Debian/BSD](doc/HELPERS.md#automatic-installation-on-rheldebianbsd)
* [Nginx package](doc/HELPERS.md#nginx-package)
* [Dependencies](doc/HELPERS.md#dependencies)
* [Patches](doc/HELPERS.md#patches)
* [3rd party modules](doc/HELPERS.md#3rd-party-modules)
* [Configure options](doc/HELPERS.md#configure-options)
* [Compiler and linker](doc/HELPERS.md#compiler-and-linker)
* [Debugging Symbols](doc/HELPERS.md#debugging-symbols)
* [SystemTap](doc/HELPERS.md#systemtap)
* [stapxx](doc/HELPERS.md#stapxx)
* [Installation Nginx on CentOS 7](doc/HELPERS.md#installation-nginx-on-centos-7)
* [Pre installation tasks](doc/HELPERS.md#pre-installation-tasks)
* [Dependencies](doc/HELPERS.md#dependencies)
* [Get Nginx sources](doc/HELPERS.md#get-nginx-sources)
* [Download 3rd party modules](doc/HELPERS.md#download-3rd-party-modules)
* [Build Nginx](doc/HELPERS.md#build-nginx)
* [Post installation tasks](doc/HELPERS.md#post-installation-tasks)
* [Installation OpenResty on CentOS 7](doc/HELPERS.md#installation-openresty-on-centos-7)
* [Installation Tengine on Ubuntu 18.04](doc/HELPERS.md#installation-tengine-on-ubuntu-1804)
* [Installation Nginx on FreeBSD 11.3](doc/HELPERS.md#installation-nginx-on-freebsd-113)
* [Installation Nginx on FreeBSD 11.3 (from ports)](doc/HELPERS.md#installation-nginx-on-freebsd-113-from-ports)
* [Analyse configuration](doc/HELPERS.md#analyse-configuration)
* [Monitoring](doc/HELPERS.md#monitoring)
* [GoAccess](doc/HELPERS.md#goaccess)
* [Build and install](doc/HELPERS.md#build-and-install)
* [Analyse log file and enable all recorded statistics](doc/HELPERS.md#analyse-log-file-and-enable-all-recorded-statistics)
* [Analyse compressed log file](doc/HELPERS.md#analyse-compressed-log-file)
* [Analyse log file remotely](doc/HELPERS.md#analyse-log-file-remotely)
* [Analyse log file and generate html report](doc/HELPERS.md#analyse-log-file-and-generate-html-report)
* [Ngxtop](doc/HELPERS.md#ngxtop)
* [Analyse log file](doc/HELPERS.md#analyse-log-file)
* [Analyse log file and print requests with 4xx and 5xx](doc/HELPERS.md#analyse-log-file-and-print-requests-with-4xx-and-5xx)
* [Analyse log file remotely](doc/HELPERS.md#analyse-log-file-remotely-1)
* [Testing](doc/HELPERS.md#testing)
* [Build OpenSSL 1.0.2-chacha version](doc/HELPERS.md#build-openssl-102-chacha-version)
* [Send request and show response headers](doc/HELPERS.md#send-request-and-show-response-headers)
* [Send request with http method, user-agent, follow redirects and show response headers](doc/HELPERS.md#send-request-with-http-method-user-agent-follow-redirects-and-show-response-headers)
* [Send multiple requests](doc/HELPERS.md#send-multiple-requests)
* [Testing SSL connection](doc/HELPERS.md#testing-ssl-connection)
* [Testing SSL connection (debug mode)](doc/HELPERS.md#testing-ssl-connection-debug-mode)
* [Testing SSL connection with SNI support](doc/HELPERS.md#testing-ssl-connection-with-sni-support)
* [Testing SSL connection with specific SSL version](doc/HELPERS.md#testing-ssl-connection-with-specific-ssl-version)
* [Testing SSL connection with specific cipher](doc/HELPERS.md#testing-ssl-connection-with-specific-cipher)
* [Testing OCSP Stapling](doc/HELPERS.md#testing-ocsp-stapling)
* [Verify 0-RTT](doc/HELPERS.md#verify-0-rtt)
* [Testing SCSV](doc/HELPERS.md#testing-scsv)
* [Load testing with ApacheBench (ab)](doc/HELPERS.md#load-testing-with-apachebench-ab)
* [Standard test](doc/HELPERS.md#standard-test)
* [Test with Keep-Alive header](doc/HELPERS.md#test-with-keep-alive-header)
* [Load testing with wrk2](doc/HELPERS.md#load-testing-with-wrk2)
* [Standard scenarios](doc/HELPERS.md#standard-scenarios)
* [POST call (with Lua)](doc/HELPERS.md#post-call-with-lua)
* [Random paths (with Lua)](doc/HELPERS.md#random-paths-with-lua)
* [Multiple paths (with Lua)](doc/HELPERS.md#multiple-paths-with-lua)
* [Random server address to each thread (with Lua)](doc/HELPERS.md#random-server-address-to-each-thread-with-lua)
* [Multiple json requests (with Lua)](doc/HELPERS.md#multiple-json-requests-with-lua)
* [Debug mode (with Lua)](doc/HELPERS.md#debug-mode-with-lua)
* [Analyse data pass to and from the threads](doc/HELPERS.md#analyse-data-pass-to-and-from-the-threads)
* [Parsing wrk result and generate report](doc/HELPERS.md#parsing-wrk-result-and-generate-report)
* [Load testing with locust](doc/HELPERS.md#load-testing-with-locust)
* [Multiple paths](doc/HELPERS.md#multiple-paths)
* [Multiple paths with different user sessions](doc/HELPERS.md#multiple-paths-with-different-user-sessions)
* [TCP SYN flood Denial of Service attack](doc/HELPERS.md#tcp-syn-flood-denial-of-service-attack)
* [HTTP Denial of Service attack](doc/HELPERS.md#http-denial-of-service-attack)
* [Debugging](doc/HELPERS.md#debugging)
* [Show information about processes](doc/HELPERS.md#show-information-about-nginx-processes)
* [Check memory usage](doc/HELPERS.md#check-memoryusage)
* [Show open files](doc/HELPERS.md#show-open-files)
* [Check segmentation fault messages](doc/HELPERS.md#check-segmentation-fault-messages)
* [Dump configuration](doc/HELPERS.md#dump-configuration)
* [Get the list of configure arguments](doc/HELPERS.md#get-the-list-of-configure-arguments)
* [Check if the module has been compiled](doc/HELPERS.md#check-if-the-module-has-been-compiled)
* [Show the most accessed IP addresses](doc/HELPERS.md#show-the-most-accessed-ip-addresses)
* [Show the most accessed IP addresses (ip and url)](doc/HELPERS.md#show-the-most-accessed-ip-addresses-ip-and-url)
* [Show the most accessed IP addresses (method, code, ip, and url)](doc/HELPERS.md#show-the-most-accessed-ip-addresses-method-code-ip-and-url)
* [Show the top 5 visitors (IP addresses)](doc/HELPERS.md#show-the-top-5-visitors-ip-addresses)
* [Show the most requested urls](doc/HELPERS.md#show-the-most-requested-urls)
* [Show the most requested urls containing 'string'](doc/HELPERS.md#show-the-most-requested-urls-containing-string)
* [Show the most requested urls with http methods](doc/HELPERS.md#show-the-most-requested-urls-with-http-methods)
* [Show the most accessed response codes](doc/HELPERS.md#show-the-most-accessed-response-codes)
* [Analyse web server log and show only 2xx http codes](doc/HELPERS.md#analyse-web-server-log-and-show-only-2xx-http-codes)
* [Analyse web server log and show only 5xx http codes](doc/HELPERS.md#analyse-web-server-log-and-show-only-5xx-http-codes)
* [Show requests which result 502 and sort them by number per requests by url](doc/HELPERS.md#show-requests-which-result-502-and-sort-them-by-number-per-requests-by-url)
* [Show requests which result 404 for php files and sort them by number per requests by url](doc/HELPERS.md#show-requests-which-result-404-for-php-files-and-sort-them-by-number-per-requests-by-url)
* [Calculating amount of http response codes](doc/HELPERS.md#calculating-amount-of-http-response-codes)
* [Calculating requests per second](doc/HELPERS.md#calculating-requests-per-second)
* [Calculating requests per second with IP addresses](doc/HELPERS.md#calculating-requests-per-second-with-ip-addresses)
* [Calculating requests per second with IP addresses and urls](doc/HELPERS.md#calculating-requests-per-second-with-ip-addresses-and-urls)
* [Get entries within last n hours](doc/HELPERS.md#get-entries-within-last-n-hours)
* [Get entries between two timestamps (range of dates)](doc/HELPERS.md#get-entries-between-two-timestamps-range-of-dates)
* [Get line rates from web server log](doc/HELPERS.md#get-line-rates-from-web-server-log)
* [Trace network traffic for all processes](doc/HELPERS.md#trace-network-traffic-for-all-nginx-processes)
* [List all files accessed by a NGINX](doc/HELPERS.md#list-all-files-accessed-by-a-nginx)
* [Check that the gzip_static module is working](doc/HELPERS.md#check-that-the-gzip_static-module-is-working)
* [Which worker processing current request](doc/HELPERS.md#which-worker-processing-current-request)
* [Capture only http packets](doc/HELPERS.md#capture-only-http-packets)
* [Extract User Agent from the http packets](doc/HELPERS.md#extract-user-agent-from-the-http-packets)
* [Capture only http GET and POST packets](doc/HELPERS.md#capture-only-http-get-and-post-packets)
* [Capture requests and filter by source ip and destination port](doc/HELPERS.md#capture-requests-and-filter-by-source-ip-and-destination-port)
* [Capture HTTP requests/responses in real time, filter by GET, HEAD and save to a file](doc/HELPERS.md#capture-http-requests--responses-in-real-time-filter-by-get-head-and-save-to-a-file)
* [Dump a process's memory](doc/HELPERS.md#dump-a-processs-memory)
* [GNU Debugger (gdb)](doc/HELPERS.md#gnu-debugger-gdb)
* [Dump configuration from a running process](doc/HELPERS.md#dump-configuration-from-a-running-process)
* [Show debug log in memory](doc/HELPERS.md#show-debug-log-in-memory)
* [Core dump backtrace](doc/HELPERS.md#core-dump-backtrace)
* [Debugging socket leaks](doc/HELPERS.md#debugging-socket-leaks)
* [Shell aliases](doc/HELPERS.md#shell-aliases)
* [Configuration snippets](doc/HELPERS.md#configuration-snippets)
* [Nginx server header removal](doc/HELPERS.md#nginx-server-header-removal)
* [Custom log formats](doc/HELPERS.md#custom-log-formats)
* [Log only 4xx/5xx](doc/HELPERS.md#log-only-4xx5xx)
* [Restricting access with basic authentication](doc/HELPERS.md#restricting-access-with-basic-authentication)
* [Restricting access with client certificate](doc/HELPERS.md#restricting-access-with-client-certificate)
* [Restricting access by geographical location](doc/HELPERS.md#restricting-access-by-geographical-location)
* [GeoIP 2 database](doc/HELPERS.md#geoip-2-database)
* [Dynamic error pages with SSI](doc/HELPERS.md#dynamic-error-pages-with-ssi)
* [Blocking/allowing IP addresses](doc/HELPERS.md#blockingallowing-ip-addresses)
* [Blocking referrer spam](doc/HELPERS.md#blocking-referrer-spam)
* [Limiting referrer spam](doc/HELPERS.md#limiting-referrer-spam)
* [Blocking User-Agent](doc/HELPERS.md#blocking-user-agent)
* [Limiting User-Agent](doc/HELPERS.md#limiting-user-agent)
* [Limiting the rate of requests with burst mode](doc/HELPERS.md#limiting-the-rate-of-requests-with-burst-mode)
* [Limiting the rate of requests with burst mode and nodelay](doc/HELPERS.md#limiting-the-rate-of-requests-with-burst-mode-and-nodelay)
* [Limiting the rate of requests per IP with geo and map](doc/HELPERS.md#limiting-the-rate-of-requests-per-ip-with-geo-and-map)
* [Limiting the number of connections](doc/HELPERS.md#limiting-the-number-of-connections)
* [Using trailing slashes](doc/HELPERS.md#using-trailing-slashes)
* [Properly redirect all HTTP requests to HTTPS](doc/HELPERS.md#properly-redirect-all-http-requests-to-https)
* [Adding and removing the www prefix](doc/HELPERS.md#adding-and-removing-the-www-prefix)
* [Proxy/rewrite and keep the original URL](doc/HELPERS.md#proxyrewrite-and-keep-the-original-url)
* [Proxy/rewrite and keep the part of original URL](doc/HELPERS.md#proxyrewrite-and-keep-the-part-of-original-url)
* [Proxy/rewrite without changing the original URL (in browser)](doc/HELPERS.md#proxyrewrite-without-changing-the-original-url-in-browser)
* [Modify 301/302 response body](doc/HELPERS.md#modify-301302-response-body)
* [Redirect POST request with payload to external endpoint](doc/HELPERS.md#redirect-post-request-with-payload-to-external-endpoint)
* [Route to different backends based on HTTP method](doc/HELPERS.md#route-to-different-backends-based-on-http-method)
* [Allow multiple cross-domains using the CORS headers](doc/HELPERS.md#allow-multiple-cross-domains-using-the-cors-headers)
* [Set correct scheme passed in X-Forwarded-Proto](doc/HELPERS.md#set-correct-scheme-passed-in-x-forwarded-proto)
* [Other snippets](doc/HELPERS.md#other-snippets)
* [Recreate base directory](doc/HELPERS.md#recreate-base-directory)
* [Create a temporary static backend](doc/HELPERS.md#create-a-temporary-static-backend)
* [Create a temporary static backend with SSL support](doc/HELPERS.md#create-a-temporary-static-backend-with-ssl-support)
* [Generate password file with htpasswd command](doc/HELPERS.md#generate-password-file-with-htpasswd-command)
* [Generate private key without passphrase](doc/HELPERS.md#generate-private-key-without-passphrase)
* [Generate private key with passphrase](doc/HELPERS.md#generate-private-key-with-passphrase)
* [Remove passphrase from private key](doc/HELPERS.md#remove-passphrase-from-private-key)
* [Encrypt existing private key with a passphrase](doc/HELPERS.md#encrypt-existing-private-key-with-a-passphrase)
* [Generate CSR](doc/HELPERS.md#generate-csr)
* [Generate CSR (metadata from existing certificate)](doc/HELPERS.md#generate-csr-metadata-from-existing-certificate)
* [Generate CSR with -config param](doc/HELPERS.md#generate-csr-with--config-param)
* [Generate private key and CSR](doc/HELPERS.md#generate-private-key-and-csr)
* [List available EC curves](doc/HELPERS.md#list-available-ec-curves)
* [Print ECDSA private and public keys](doc/HELPERS.md#print-ecdsa-private-and-public-keys)
* [Generate ECDSA private key](doc/HELPERS.md#generate-ecdsa-private-key)
* [Generate private key and CSR (ECC)](doc/HELPERS.md#generate-private-key-and-csr-ecc)
* [Generate self-signed certificate](doc/HELPERS.md#generate-self-signed-certificate)
* [Generate self-signed certificate from existing private key](doc/HELPERS.md#generate-self-signed-certificate-from-existing-private-key)
* [Generate self-signed certificate from existing private key and csr](doc/HELPERS.md#generate-self-signed-certificate-from-existing-private-key-and-csr)
* [Generate multidomain certificate (Certbot)](doc/HELPERS.md#generate-multidomain-certificate-certbot)
* [Generate wildcard certificate (Certbot)](doc/HELPERS.md#generate-wildcard-certificate-certbot)
* [Generate certificate with 4096 bit private key (Certbot)](doc/HELPERS.md#generate-certificate-with-4096-bit-private-key-certbot)
* [Generate DH public parameters](doc/HELPERS.md#generate-dh-public-parameters)
* [Display DH public parameters](doc/HELPERS.md#display-dh-public-parameters)
* [Extract private key from pfx](doc/HELPERS.md#extract-private-key-from-pfx)
* [Extract private key and certs from pfx](doc/HELPERS.md#extract-private-key-and-certs-from-pfx)
* [Extract certs from p7b](doc/HELPERS.md#extract-certs-from-p7b)
* [Convert DER to PEM](doc/HELPERS.md#convert-der-to-pem)
* [Convert PEM to DER](doc/HELPERS.md#convert-pem-to-der)
* [Verification of the certificate's supported purposes](doc/HELPERS.md#verification-of-the-certificates-supported-purposes)
* [Check private key](doc/HELPERS.md#check-private-key)
* [Verification of the private key](doc/HELPERS.md#verification-of-the-private-key)
* [Get public key from private key](doc/HELPERS.md#get-public-key-from-private-key)
* [Verification of the public key](doc/HELPERS.md#verification-of-the-public-key)
* [Verification of the certificate](doc/HELPERS.md#verification-of-the-certificate)
* [Verification of the CSR](doc/HELPERS.md#verification-of-the-csr)
* [Check the private key and the certificate are match](doc/HELPERS.md#check-the-private-key-and-the-certificate-are-match)
* [Check the private key and the CSR are match](doc/HELPERS.md#check-the-private-key-and-the-csr-are-match)
* [TLSv1.3 and CCM ciphers](doc/HELPERS.md#tlsv13-and-ccm-ciphers)
- **[Base Rules (16)](doc/RULES.md#base-rules)**<a id="toc-base-rules"></a>
* [Organising Nginx configuration](doc/RULES.md#beginner-organising-nginx-configuration)
* [Format, prettify and indent your Nginx code](doc/RULES.md#beginner-format-prettify-and-indent-your-nginx-code)
* [Use reload option to change configurations on the fly](doc/RULES.md#beginner-use-reload-option-to-change-configurations-on-the-fly)
* [Separate listen directives for 80 and 443 ports](doc/RULES.md#beginner-separate-listen-directives-for-80-and-443-ports)
* [Define the listen directives with address:port pair](doc/RULES.md#beginner-define-the-listen-directives-with-addressport-pair)
* [Prevent processing requests with undefined server names](doc/RULES.md#beginner-prevent-processing-requests-with-undefined-server-names)
* [Never use a hostname in a listen or upstream directives](doc/RULES.md#beginner-never-use-a-hostname-in-a-listen-or-upstream-directives)
* [Set the HTTP headers with add_header and proxy_*_header directives properly](doc/RULES.md#beginner-set-the-http-headers-with-add_header-and-proxy__header-directives-properly)
* [Use only one SSL config for the listen directive](doc/RULES.md#beginner-use-only-one-ssl-config-for-the-listen-directive)
* [Use geo/map modules instead of allow/deny](doc/RULES.md#beginner-use-geomap-modules-instead-of-allowdeny)
* [Map all the things...](doc/RULES.md#beginner-map-all-the-things)
* [Set global root directory for unmatched locations](doc/RULES.md#beginner-set-global-root-directory-for-unmatched-locations)
* [Use return directive for URL redirection (301, 302)](doc/RULES.md#beginner-use-return-directive-for-url-redirection-301-302)
* [Configure log rotation policy](doc/RULES.md#beginner-configure-log-rotation-policy)
* [Use simple custom error pages](doc/RULES.md#beginner-use-simple-custom-error-pages)
* [Don't duplicate index directive, use it only in the http block](doc/RULES.md#beginner-dont-duplicate-index-directive-use-it-only-in-the-http-block)
- **[Debugging (5)](doc/RULES.md#debugging)**<a id="toc-debugging"></a>
* [Use custom log formats](doc/RULES.md#beginner-use-custom-log-formats)
* [Use debug mode to track down unexpected behaviour](doc/RULES.md#beginner-use-debug-mode-to-track-down-unexpected-behaviour)
* [Improve debugging by disable daemon, master process, and all workers except one](doc/RULES.md#beginner-improve-debugging-by-disable-daemon-master-process-and-all-workers-except-one)
* [Use core dumps to figure out why NGINX keep crashing](doc/RULES.md#beginner-use-core-dumps-to-figure-out-why-nginx-keep-crashing)
* [Use mirror module to copy requests to another backend](doc/RULES.md#beginner-use-mirror-module-to-copy-requests-to-another-backend)
- **[Performance (13)](doc/RULES.md#performance)**<a id="toc-performance"></a>
* [Adjust worker processes](doc/RULES.md#beginner-adjust-worker-processes)
* [Use HTTP/2](doc/RULES.md#beginner-use-http2)
* [Maintaining SSL sessions](doc/RULES.md#beginner-maintaining-ssl-sessions)
* [Enable OCSP Stapling](doc/RULES.md#beginner-enable-ocsp-stapling)
* [Use exact names in a server_name directive if possible](doc/RULES.md#beginner-use-exact-names-in-a-server_name-directive-if-possible)
* [Avoid checks server_name with if directive](doc/RULES.md#beginner-avoid-checks-server_name-with-if-directive)
* [Use $request_uri to avoid using regular expressions](doc/RULES.md#beginner-use-request_uri-to-avoid-using-regular-expressions)
* [Use try_files directive to ensure a file exists](doc/RULES.md#beginner-use-try_files-directive-to-ensure-a-file-exists)
* [Use return directive instead of rewrite for redirects](doc/RULES.md#beginner-use-return-directive-instead-of-rewrite-for-redirects)
* [Enable PCRE JIT to speed up processing of regular expressions](doc/RULES.md#beginner-enable-pcre-jit-to-speed-up-processing-of-regular-expressions)
* [Activate the cache for connections to upstream servers](doc/RULES.md#beginner-activate-the-cache-for-connections-to-upstream-servers)
* [Make an exact location match to speed up the selection process](doc/RULES.md#beginner-make-an-exact-location-match-to-speed-up-the-selection-process)
* [Use limit_conn to improve limiting the download speed](doc/RULES.md#beginner-use-limit_conn-to-improve-limiting-the-download-speed)
- **[Hardening (31)](doc/RULES.md#hardening)**<a id="toc-hardening"></a>
* [Always keep NGINX up-to-date](doc/RULES.md#beginner-always-keep-nginx-up-to-date)
* [Run as an unprivileged user](doc/RULES.md#beginner-run-as-an-unprivileged-user)
* [Disable unnecessary modules](doc/RULES.md#beginner-disable-unnecessary-modules)
* [Protect sensitive resources](doc/RULES.md#beginner-protect-sensitive-resources)
* [Take care about your ACL rules](doc/RULES.md#beginner-take-care-about-your-acl-rules)
* [Hide Nginx version number](doc/RULES.md#beginner-hide-nginx-version-number)
* [Hide Nginx server signature](doc/RULES.md#beginner-hide-nginx-server-signature)
* [Hide upstream proxy headers](doc/RULES.md#beginner-hide-upstream-proxy-headers)
* [Remove support for legacy and risky HTTP request headers](doc/RULES.md#beginner-remove-support-for-legacy-and-risky-http-request-headers)
* [Use only the latest supported OpenSSL version](doc/RULES.md#beginner-use-only-the-latest-supported-openssl-version)
* [Force all connections over TLS](doc/RULES.md#beginner-force-all-connections-over-tls)
* [Use min. 2048-bit for RSA and 256-bit for ECC](doc/RULES.md#beginner-use-min-2048-bit-for-rsa-and-256-bit-for-ecc)
* [Keep only TLS 1.3 and TLS 1.2](doc/RULES.md#beginner-keep-only-tls-13-and-tls-12)
* [Use only strong ciphers](doc/RULES.md#beginner-use-only-strong-ciphers)
* [Use more secure ECDH Curve](doc/RULES.md#beginner-use-more-secure-ecdh-curve)
* [Use strong Key Exchange with Perfect Forward Secrecy](doc/RULES.md#beginner-use-strong-key-exchange-with-perfect-forward-secrecy)
* [Prevent Replay Attacks on Zero Round-Trip Time](doc/RULES.md#beginner-prevent-replay-attacks-on-zero-round-trip-time)
* [Defend against the BEAST attack](doc/RULES.md#beginner-defend-against-the-beast-attack)
* [Mitigation of CRIME/BREACH attacks](doc/RULES.md#beginner-mitigation-of-crimebreach-attacks)
* [Enable HTTP Strict Transport Security](doc/RULES.md#beginner-enable-http-strict-transport-security)
* [Reduce XSS risks (Content-Security-Policy)](doc/RULES.md#beginner-reduce-xss-risks-content-security-policy)
* [Control the behaviour of the Referer header (Referrer-Policy)](doc/RULES.md#beginner-control-the-behaviour-of-the-referer-header-referrer-policy)
* [Provide clickjacking protection (X-Frame-Options)](doc/RULES.md#beginner-provide-clickjacking-protection-x-frame-options)
* [Prevent some categories of XSS attacks (X-XSS-Protection)](doc/RULES.md#beginner-prevent-some-categories-of-xss-attacks-x-xss-protection)
* [Prevent Sniff Mimetype middleware (X-Content-Type-Options)](doc/RULES.md#beginner-prevent-sniff-mimetype-middleware-x-content-type-options)
* [Deny the use of browser features (Feature-Policy)](doc/RULES.md#beginner-deny-the-use-of-browser-features-feature-policy)
* [Reject unsafe HTTP methods](doc/RULES.md#beginner-reject-unsafe-http-methods)
* [Prevent caching of sensitive data](doc/RULES.md#beginner-prevent-caching-of-sensitive-data)
* [Limit concurrent connections](doc/RULES.md#beginner-limit-concurrent-connections)
* [Control Buffer Overflow attacks](doc/RULES.md#beginner-control-buffer-overflow-attacks)
* [Mitigating Slow HTTP DoS attacks (Closing Slow Connections)](doc/RULES.md#beginner-mitigating-slow-http-dos-attacks-closing-slow-connections)
- **[Reverse Proxy (8)](doc/RULES.md#reverse-proxy)**<a id="toc-reverse-proxy"></a>
* [Use pass directive compatible with backend protocol](doc/RULES.md#beginner-use-pass-directive-compatible-with-backend-protocol)
* [Be careful with trailing slashes in proxy_pass directive](doc/RULES.md#beginner-be-careful-with-trailing-slashes-in-proxy_pass-directive)
* [Set and pass Host header only with $host variable](doc/RULES.md#beginner-set-and-pass-host-header-only-with-host-variable)
* [Set properly values of the X-Forwarded-For header](doc/RULES.md#beginner-set-properly-values-of-the-x-forwarded-for-header)
* [Don't use X-Forwarded-Proto with $scheme behind reverse proxy](doc/RULES.md#beginner-dont-use-x-forwarded-proto-with-scheme-behind-reverse-proxy)
* [Always pass Host, X-Real-IP, and X-Forwarded headers to the backend](doc/RULES.md#beginner-always-pass-host-x-real-ip-and-x-forwarded-headers-to-the-backend)
* [Use custom headers without X- prefix](doc/RULES.md#beginner-use-custom-headers-without-x--prefix)
* [Always use $request_uri instead of $uri in proxy_pass](doc/RULES.md#beginner-always-use-request_uri-instead-of-uri-in-proxy_pass)
- **[Load Balancing (2)](doc/RULES.md#load-balancing)**<a id="toc-load-balancing"></a>
* [Tweak passive health checks](doc/RULES.md#beginner-tweak-passive-health-checks)
* [Don't disable backends by comments, use down parameter](doc/RULES.md#beginner-dont-disable-backends-by-comments-use-down-parameter)
- **[Others (4)](doc/RULES.md#others)**<a id="toc-others"></a>
* [Set the certificate chain correctly](doc/RULES.md#beginner-set-the-certificate-chain-correctly)
* [Enable DNS CAA Policy](doc/RULES.md#beginner-enable-dns-caa-policy)
* [Define security policies with security.txt](doc/RULES.md#beginner-define-security-policies-with-securitytxt)
* [Use tcpdump to diagnose and troubleshoot the HTTP issues](doc/RULES.md#beginner-use-tcpdump-to-monitor-http-traffic)
- **[Configuration Examples](doc/EXAMPLES.md#configuration-examples)**<a id="toc-configuration-examples"></a>
* [Reverse Proxy](doc/EXAMPLES.md#reverse-proxy)
* [Installation](doc/EXAMPLES.md#installation)
* [Configuration](doc/EXAMPLES.md#configuration)
* [Import configuration](doc/EXAMPLES.md#import-configuration)
* [Set bind IP address](doc/EXAMPLES.md#set-bind-ip-address)
* [Set your domain name](doc/EXAMPLES.md#set-your-domain-name)
* [Regenerate private keys and certs](doc/EXAMPLES.md#regenerate-private-keys-and-certs)
* [Update modules list](doc/EXAMPLES.md#update-modules-list)
* [Generating the necessary error pages](doc/EXAMPLES.md#generating-the-necessary-error-pages)
* [Add new domain](doc/EXAMPLES.md#add-new-domain)
* [Test your configuration](doc/EXAMPLES.md#test-your-configuration)
</details>
# Introduction
<br>
<p align="center">
<a href="https://www.nginx.com/">
<img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/nginx_admins_handbook_logo.png">
</a>
</p>
<br>
> Before you start playing with NGINX please read the official **[Beginner’s Guide](http://nginx.org/en/docs/beginners_guide.html)**. It's a great introduction for everyone.
**Nginx** (_/ˌɛndʒɪnˈɛks/ EN-jin-EKS_, stylized as NGINX or nginx) is an open source HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server with a strong focus on high concurrency, performance and low memory usage. It was originally written by [Igor Sysoev](http://sysoev.ru/en/).
For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. At this moment, high-profile companies using NGINX include Cisco, DuckDuckGo, Facebook, GitLab, Google, Twitter, Apple, Intel, and many more. In September 2019 it was the most commonly used HTTP server (see the [Netcraft survey](https://news.netcraft.com/archives/category/web-server-survey/)).
NGINX is a fast, light-weight and powerful web server that can also be used as a:
- fast HTTP reverse proxy
- reliable load balancer
- high performance caching server
- full-fledged web platform
So, to be brief, it provides the core of complete web stacks and is designed to help build scalable web applications. When it comes to performance, NGINX can easily handle a huge amount of traffic. Another main advantage of NGINX is that it allows you to do the same thing in different ways.
Unlike traditional HTTP servers, NGINX doesn't rely on threads to handle requests and it was written with a different architecture in mind - one which is much more suitable for nonlinear scalability in both the number of simultaneous connections and requests per second.
NGINX is also known as an _Apache Killer_ (mainly because of its lightness and much lower RAM consumption). It is event-based, so it does not follow Apache's style of spawning a new process or thread for each web page request. Generally, it was created to solve the [C10K problem](http://www.kegel.com/c10k.html).
For me, it is one of the best and most important services that I have used in my SysAdmin career.
----
These essential documents should be the main source of knowledge for you:
- **[Getting Started](https://www.nginx.com/resources/wiki/start/)**
- **[NGINX Documentation](https://nginx.org/en/docs/)**
- **[Development guide](http://nginx.org/en/docs/dev/development_guide.html)**
- **[Security Controls](https://docs.nginx.com/nginx/admin-guide/security-controls/)**
In addition, I would like to recommend three great docs focused on the HTTP protocol:
- **[HTTP Made Really Easy](https://www.jmarshall.com/easy/http/)**
- **[Hypertext Transfer Protocol Specification](https://www.w3.org/Protocols/)**
- **[Web technology for developers - HTTP](https://developer.mozilla.org/en-US/docs/Web/HTTP)**
If you love security, keep your eye on this one: [Cryptology ePrint Archive](https://eprint.iacr.org/). It provides access to recent research in cryptology and explores many subjects of security (e.g. ciphers, algorithms, SSL/TLS protocols). A great introduction that covers the core concepts of cryptography is [Practical Cryptography for Developers](https://cryptobook.nakov.com/). I also recommend reading [Bulletproof SSL and TLS](https://www.feistyduck.com/books/bulletproof-ssl-and-tls/). Yep, it's definitely the most comprehensive book about deploying TLS for me.
An obligatory source of knowledge is also the [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/). You ought to treat it as excellent security guidance. [Burp Scanner - Issue Definitions](https://portswigger.net/kb/issues) introduces you to web apps and their security vulnerabilities. Finally, [The Web Security Academy](https://portswigger.net/web-security) is a free online training center for web application security with high-quality reading materials and interactive labs of varying levels of difficulty. All are really good sources to start learning about web application security.
And, of course, always browse the official [Nginx Security Advisories](http://nginx.org/en/security_advisories.html) and CVE databases like [CVE Details](https://www.cvedetails.com/vendor/10048/Nginx.html) or [CVE - The MITRE Corporation](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=NGINX) - to stay up to date on NGINX vulnerabilities.
## Prologue
When I was studying the architecture of HTTP servers I became interested in NGINX. As I was going through research, I kept notes. I found a lot of information about it; for example, forum posts on the web about every conceivable problem were great. However, I've never found one guide that covers the most important things in a suitable form. I was a little disappointed.
I was interested in everything: NGINX internals, functions, security best practices, performance optimisations, tips & tricks, hacks and rules, but for me some of the documents treated the subject lightly.
Of course, [NGINX Official Documentation](https://nginx.org/en/docs/) is the best place but I know that we also have other great resources:
- [agentzh's Nginx Tutorials](https://openresty.org/download/agentzh-nginx-tutorials-en.html)
- [Nginx Guts](http://www.nginxguts.com/)
- [Nginx discovery journey](http://www.nginx-discovery.com/)
- [Nginx Secure Web Server](https://calomel.org/nginx.html)
- [Emiller’s Guide To Nginx Module Development](https://www.evanmiller.org/nginx-modules-guide.html)
- [Emiller’s Advanced Topics In Nginx Module Development](https://www.evanmiller.org/nginx-modules-guide-advanced.html)
These are definitely the best assets for us, and you should seek help there first. Moreover, in order to improve your knowledge, please see the [Books](#books) chapter - it contains top literature on NGINX.
## Why I created this handbook
For me, however, there hasn't been a truly in-depth and reasonably simple cheatsheet that describes a variety of configurations and important cross-cutting topics for HTTP servers. Configuration of NGINX can be tricky sometimes and you really need to get into the syntax and concepts to understand the tricks, loopholes, and mechanisms. The documentation isn't as pretty as that of other projects and should certainly include more robust examples.
> This handbook is a set of rules and recommendations for the NGINX Open Source HTTP server. It also contains the best practices, notes, and helpers with countless examples. Many of them refer to external resources.
There are a lot of things you can do to improve your NGINX instance and this guide will attempt to cover as many of them as possible. For the most part, it contains the most important things about NGINX for me. I think the configuration you provide should work without any talisman. That's why I created this repository.
With this handbook you will explore the many features and capabilities of NGINX. You'll find out, for example, how to test the performance or how to resolve debugging problems. You will learn configuration guidelines, security design patterns, ways to handle common issues and how to stay out of them. I have explained here a few of the best tips to avoid pitfalls and configuration mistakes.
I have also added a set of guidelines and examples to help you administer NGINX. They also give us insight into NGINX internals.
Mostly, I apply the rules presented here to NGINX working as a reverse proxy. However, that does not prevent them from being applied to NGINX as a standalone server.
## Who this handbook is for
If you do not have the time to read hundreds of articles (just like me) this multipurpose handbook may be useful. I created it in the hope that it will be useful especially for system administrators and experts in web-based applications.
This handbook does not get into all aspects of NGINX. What's more, some of the things described in this guide may be rather basic because most of us do not configure NGINX every day and it is easy to forget about basic/trivial things. On the other hand, it also discusses heavyweight topics so there is something for advanced users. I tried to put external resources in many places in this handbook in order to dispel any doubts that may exist.
I did my best to make this handbook single and consistent (but now I know that is really hard). It's organized in an order that makes logical sense to me. I think it can also be a good complement to the official documentation and other great documents. Many of the topics described here can certainly be done better or differently. Of course, I still have a lot [to improve and to do](#contributing--support). I hope you enjoy and have fun with it.
Do not treat this handbook and the notes written here as revealed knowledge. You should take a scientific approach when reading this document. If you have any doubts and disagree with me, please point out my mistakes. You should discover cause and effect relationships by asking questions, carefully gathering and examining the evidence, and seeing if all the available information can be combined into a logical answer.
I created this handbook for one more reason. Rather than starting from scratch, I am putting together a plan for answering your questions to help you find the best way to do things and ensure that you don't repeat my past mistakes.
So, what's most important:
- ask questions about something that you observe
- do background research
- do tests with experiments
- analyze and draw conclusions
- communicate results (for us!)
Finally, you should know I'm not an NGINX expert, but I love to know how things work and why they work the way they do. [I’m not a crypto expert... but I do know the term "elliptic curve"](https://twitter.com/ErikVoorhees/status/1004313761224757248) (I really like this quote!). You don't need to be an expert to figure out the reason to use this and not that, or why something works this way and not another. It feels good to understand the recommendations and nuances of a topic you’re passionate about.
## Before you start
Remember the following most important things:
> **`Blindly deploying the rules described here can damage your web application!`**
> **`Do not follow guides just to get 100% of something. Think about what you actually do at your server!`**
> **`Copy-and-paste is not the best way to learn. Think twice before adopting rules from this handbook.`**
> **`There are no settings that are perfect for everyone.`**
> **`Always think about what is better and more important for you: security vs usability/compatibility.`**
> **`Security mainly refers to minimising the risk.`**
> **`Changing one thing may open a whole new set of problems.`**
> **`Read about how things work and what values are considered secure enough (and for what purposes).`**
> **`The only correct approach is to understand your exposure, measure and tune.`**
```diff
+ Security is important for ethical reasons. Compliance is important for legal reasons.
+ The key to workplace contentment is understanding they are unrelated to each other.
+ Both are important, but one does not lead to the other (compliance != security).
author: unknown
+ Security is always needed, no matter what type of website it is. It can be static HTML
+ or fully dynamic, an attacker can still inject hostile content into the page in transit
+ to attack the user.
author: Scott Helme
+ Don’t enable older deprecated protocols just because Karen in Florida is still using
+ a PC that she bought back in 2001.
author: thisinterestsmeblog
```
I think, in the age of phishing, cyber attacks, ransomware, etc., you should take care of the security of your infrastructure as much as possible, but don't ever forget about this one...
<br>
<p align="center">
<img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/crypto_nerds.png">
</p>
Lastly, I would like to quote two very important comments found on the web about compliance with standards and regulations, and the essence of the human factor in security:
> _Regulations that make sense are often not descriptive - capturing the intent and scope of a rule often requires technical expertise. More than that, it's the type of expertise most organisations do not have. And instead of improving themselves, these companies, who may form the grand majority of the industry, petition the regulators to provide a safe checklist of technical mitigations that can be implemented to remain compliant. [...] Instead of doing the right thing and meeting the planned intent, companies are instead ticking nonsensical boxes that the regulators and their auditors demand. Blindly. Mindlessly. Divorced from reality._ - by [bostik](https://news.ycombinator.com/user?id=bostik)
> _Whenever considering security, the human factor is nearly always as important or more important than just the technical aspects. Policy and procedures need to consider the human element and try to ensure that these policies and procedures are structured in such a way as to help enable staff to do the right thing, even when they may not fully understand why they need to do it._ - by [Tim X](https://security.stackexchange.com/users/13958/tim-x)
## Contributing & Support
> _A real community, however, exists only when its members interact in a meaningful way that deepens their understanding of each other and leads to learning._
If you find something which doesn't make sense, or something doesn't seem right, please make a pull request and please add valid and well-reasoned explanations about your changes or comments.
Before adding a pull request, please see the **[contributing guidelines](.github/CONTRIBUTING.md)**.
## Code Contributors
This project exists thanks to all the people who contribute.
<a href="https://github.com/trimstray/nginx-admins-handbook/graphs/contributors"><img src="https://opencollective.com/nginx-admins-handbook/contributors.svg?width=890&button=false"></a>
### ToDo
What needs to be done? Look at the following ToDo list:
New chapters:
- [x] **Bonus Stuff**
- [x] **HTTP Basics**
- [x] **SSL/TLS Basics**
- [x] **Reverse Proxy**
- [ ] **Caching**
- [x] **Core modules**
- [x] **3rd party modules**
- [ ] **Web Application Firewall**
- [ ] **ModSecurity**
- [x] **Debugging**
Existing chapters:
<details>
<summary><b>Introduction</b></summary><br>
- [x] _Prologue_
- [x] _Why I created this handbook_
- [x] _Who this handbook is for_
- [x] _Before you start_
- [x] _Contributing & Support_
- [x] _RSS Feed & Updates_
- [x] _Checklist to rule them all_
</details>
<details>
<summary><b>Bonus Stuff</b></summary><br>
- [x] _Fully automatic installation_
- [x] _Static error pages generator_
- [x] _Server names parser_
</details>
<details>
<summary><b>Books</b></summary><br>
- [x] _ModSecurity 3.0 and NGINX: Quick Start Guide_
- [x] _Cisco ACE to NGINX: Migration Guide_
</details>
<details>
<summary><b>External Resources</b></summary><br>
- _Nginx official_
  - [x] _Nginx Forum_
  - [x] _Nginx Mailing List_
  - [x] _NGINX-Demos_
- _Presentations & Videos_
  - [x] _NGINX: Basics and Best Practices_
  - [x] _NGINX Installation and Tuning_
  - [x] _Nginx Internals (by Joshua Zhu)_
  - [x] _Nginx internals (by Liqiang Xu)_
  - [x] _How to secure your web applications with NGINX_
  - [x] _Tuning TCP and NGINX on EC2_
  - [x] _Extending functionality in nginx, with modules!_
  - [x] _Nginx - Tips and Tricks._
  - [x] _Nginx Scripting - Extending Nginx Functionalities with Lua_
  - [x] _How to handle over 1,200,000 HTTPS Reqs/Min_
  - [x] _Using ngx_lua / lua-nginx-module in pixiv_
- _Cheatsheets & References_
  - [x] _Nginx configurations for most popular CMS/CMF/Frameworks based on PHP_
- _Performance & Hardening_
  - [x] _Memorable site for testing clients against bad SSL configs_
- _Config parsers_
  - [x] _Quick and reliable way to convert NGINX configurations into JSON and back_
  - [x] _Parses nginx configuration with Pyparsing_
- _Config managers_
  - [x] _Ansible role to install and manage nginx configuration_
  - [x] _Ansible Role - Nginx_
  - [x] _Ansible role for NGINX_
  - [x] _Puppet Module to manage NGINX on various UNIXes_
- _Static analyzers_
  - [x] _nginx-minify-conf_
- _Comparison reviews_
  - [x] _NGINX vs. Apache (Pro/Con Review, Uses, & Hosting for Each)_
  - [x] _Web cache server performance benchmark: nuster vs nginx vs varnish vs squid_
- _Builder tools_
  - [x] _Nginx-builder_
- _Benchmarking tools_
  - [x] _wrk2_
  - [x] _httperf_
  - [x] _slowloris_
  - [x] _slowhttptest_
  - [x] _GoldenEye_
- _Debugging tools_
  - [x] _strace_
  - [x] _GDB_
  - [x] _SystemTap_
  - [x] _stapxx_
  - [x] _htrace.sh_
- _Security & Web testing tools_
  - [x] _Burp Suite_
  - [x] _w3af_
  - [x] _nikto_
  - [x] _ssllabs-scan_
  - [x] _http-observatory_
  - [x] _testssl.sh_
  - [x] _sslyze_
  - [x] _cipherscan_
  - [x] _O-Saft_
  - [x] _Nghttp2_
  - [x] _h2spec_
  - [x] _http2fuzz_
  - [x] _Arjun_
  - [x] _Corsy_
  - [x] _XSStrike_
- _Online & Web tools_
  - [x] _ssltools_
- _Other stuff_
  - [x] _OWASP Cheat Sheet Series_
  - [x] _Mozilla Web Security_
  - [x] _Application Security Wiki_
  - [x] _OWASP ASVS 4.0_
  - [x] _The System Design Primer_
  - [x] _awesome-scalability_
  - [x] _Web Architecture 101_
</details>
<details>
<summary><b>HTTP Basics</b></summary><br>
- [x] _Features and architecture_
- [x] _HTTP/2_
- [x] _How to debug HTTP/2?_
- [x] _HTTP/3_
- [x] _URI vs URL_
- [x] _Connection vs request_
- [x] _HTTP Headers_
- [x] _Header compression_
- [x] _HTTP Methods_
- [x] _Request_
- [x] _Request line_
- [x] _Methods_
- [x] _Request URI_
- [x] _HTTP version_
- [x] _Request header fields_
- [x] _Message body_
- [x] _Generate requests_
- [x] _Response_
- [x] _Status line_
- [x] _HTTP version_
- [x] _Status codes and reason phrase_
- [x] _Response header fields_
- [x] _Message body_
- [x] _HTTP client_
- [x] _IP address shortcuts_
- [x] _Back-End web architecture_
- [x] _Useful video resources_
</details>
<details>
<summary><b>SSL/TLS Basics</b></summary><br>
- [x] _TLS versions_
- [x] _TLS handshake_
- [x] _In which layer is TLS situated within the TCP/IP stack?_
- [x] _RSA and ECC keys/certificates_
- [x] _Cipher suites_
- [x] _Authenticated encryption (AEAD) cipher suites_
- [x] _Why cipher suites are important?_
- [x] _NGINX and TLS 1.3 Cipher Suites_
- [x] _Diffie-Hellman key exchange_
- [x] _Certificates_
- [x] _Chain of Trust_
- [x] _What is the main purpose of the Intermediate CA?_
- [x] _Single-domain_
- [x] _Multi-domain_
- [x] _Wildcard_
- [x] _Wildcard SSL doesn't handle root domain?_
- [x] _TLS Server Name Indication_
- [x] _Verify your SSL, TLS & Ciphers implementation_
- [x] _Useful video resources_
</details>
<details>
<summary><b>NGINX Basics</b></summary><br>

- _Processes_
  - [x] _CPU pinning_
  - [x] _Shutdown of worker processes_
- _Configuration syntax_
  - [x] _Comments_
  - [x] _End of lines_
  - [x] _Variables, Strings, and Quotes_
  - [x] _Directives, Blocks, and Contexts_
  - [x] _External files_
  - [x] _Measurement units_
  - [x] _Regular expressions with PCRE_
  - [x] _Enable syntax highlighting_
- _Connection processing_
  - [x] _Event-Driven architecture_
  - [x] _Multiple processes_
  - [x] _Simultaneous connections_
  - [x] _HTTP Keep-Alive connections_
  - [x] _sendfile, tcp_nodelay, and tcp_nopush_
- _Server blocks logic_
  - [x] _Matching location_
  - [ ] _if in location_
  - [ ] _Nested locations_
  - [x] _rewrite vs return_
  - [x] _try_files directive_
  - [x] _if, break and set_
  - [x] _root vs alias_
  - [x] _internal directive_
  - [x] _External and internal redirects_
  - [x] _allow and deny_
  - [x] _uri vs request_uri_
- _Compression and decompression_
  - [x] _What is the best NGINX compression gzip level?_
- _Hash tables_
  - [x] _Server names hash table_
- _Log files_
  - [x] _Conditional logging_
  - [x] _Manually log rotation_
  - [x] _NGINX upstream variables returns 2 values_
- _Reverse proxy_
  - [x] _Passing requests_
  - [x] _Trailing slashes_
  - [ ] _Processing headers_
  - [x] _Passing headers_
  - [x] _Importance of the Host header_
  - [x] _Redirects and X-Forwarded-Proto_
  - [x] _A warning about the X-Forwarded-For_
  - [x] _Improve extensibility with Forwarded_
  - [x] _Response headers_
- _Load balancing algorithms_
  - [x] _Backend parameters_
  - [x] _Upstream servers with SSL_
  - [x] _Round Robin_
  - [x] _Weighted Round Robin_
  - [x] _Least Connections_
  - [x] _Weighted Least Connections_
  - [x] _IP Hash_
  - [x] _Generic Hash_
  - [ ] _Fair module_
  - [x] _Other methods_
- _Rate Limiting_
  - [x] _Variables_
  - [x] _Directives, keys, and zones_
  - [x] _Burst and nodelay parameters_
- _NAXSI Web Application Firewall_
- _OWASP ModSecurity Core Rule Set (CRS)_
- _Other subjects_
  - [ ] _Secure Distribution of SSL Private Keys with NGINX_
- _Core modules_
  - [x] _ngx_http_geo_module_
- _3rd party modules_
  - [x] _ngx_set_misc_
  - [x] _ngx_http_geoip_module_
</details>
<details>
<summary><b>Helpers</b></summary><br>

- _Installing from source_
  - [x] _Automatic installation on RHEL/Debian/BSD_
  - [x] _Compiler and linker_
  - [x] _Debugging Symbols_
  - [x] _SystemTap_
  - [x] _stapxx_
  - [x] _Separation and improvement of installation methods_
  - [x] _Installation Nginx on CentOS 7_
  - [x] _Installation OpenResty on CentOS 7_
  - [x] _Installation Tengine on Ubuntu 18.04_
  - [x] _Installation Nginx on FreeBSD 11.3_
  - [x] _Installation Nginx on FreeBSD 11.3 (from ports)_
- _Monitoring_
  - [ ] _CollectD, Prometheus, and Grafana_
  - [ ] _nginx-vts-exporter_
  - [ ] _CollectD, InfluxDB, and Grafana_
  - [ ] _Telegraf, InfluxDB, and Grafana_
- _Testing_
  - [x] _Build OpenSSL 1.0.2-chacha version_
  - [x] _Send request and show response headers_
  - [x] _Send request with http method, user-agent, follow redirects and show response headers_
  - [x] _Send multiple requests_
  - [x] _Testing SSL connection_
  - [x] _Testing SSL connection (debug mode)_
  - [x] _Testing SSL connection with SNI support_
  - [x] _Testing SSL connection with specific SSL version_
  - [x] _Testing SSL connection with specific cipher_
  - [x] _Verify 0-RTT_
  - [x] _Testing SCSV_
- _Load testing with ApacheBench (ab)_
  - [x] _Standard test_
  - [x] _Test with Keep-Alive header_
- _Load testing with wrk2_
  - [x] _Standard scenarios_
  - [x] _POST call (with Lua)_
  - [x] _Random paths (with Lua)_
  - [x] _Multiple paths (with Lua)_
  - [x] _Random server address to each thread (with Lua)_
  - [x] _Multiple json requests (with Lua)_
  - [x] _Debug mode (with Lua)_
  - [x] _Analyse data pass to and from the threads_
  - [x] _Parsing wrk result and generate report_
- _Load testing with locust_
  - [x] _Multiple paths_
  - [x] _Multiple paths with different user sessions_
  - [x] _TCP SYN flood Denial of Service attack_
  - [x] _HTTP Denial of Service attack_
- _Debugging_
  - [x] _Show information about processes_
  - [x] _Check memory usage_
  - [x] _Show open files_
  - [x] _Check segmentation fault messages_
  - [x] _Dump configuration_
  - [x] _Get the list of configure arguments_
  - [x] _Check if the module has been compiled_
  - [x] _Show the most accessed IP addresses (ip and url)_
  - [x] _Show the most requested urls with http methods_
  - [x] _Show the most accessed response codes_
  - [x] _Calculating requests per second with IP addresses and urls_
  - [x] _Check that the gzip_static module is working_
  - [x] _Which worker processing current request_
  - [x] _Capture only http packets_
  - [x] _Extract User Agent from the http packets_
  - [x] _Capture only http GET and POST packets_
  - [x] _Capture requests and filter by source ip and destination port_
  - [x] _Capture HTTP requests/responses in real time, filter by GET, HEAD and save to a file_
  - [ ] _Server Side Include (SSI) debugging_
  - [x] _Dump a process's memory_
- _GNU Debugger (gdb)_
  - [x] _Dump configuration from a running process_
  - [x] _Show debug log in memory_
  - [x] _Core dump backtrace_
  - [x] _Debugging socket leaks_
- _SystemTap cheatsheet_
  - [x] _stapxx_
- _Errors & Issues_
  - [ ] _Common errors_
- _Configuration snippets_
  - [x] _Nginx server header removal_
  - [x] _Custom log formats_
  - [x] _Log only 4xx/5xx_
  - [x] _Restricting access with client certificate_
  - [x] _Restricting access by geographical location_
  - [x] _GeoIP 2 database_
  - [ ] _Custom error pages_
  - [x] _Dynamic error pages with SSI_
  - [x] _Limiting the rate of requests per IP with geo and map_
  - [x] _Using trailing slashes_
  - [x] _Properly redirect all HTTP requests to HTTPS_
  - [x] _Adding and removing the www prefix_
  - [x] _Proxy/rewrite and keep the original URL_
  - [x] _Proxy/rewrite and keep the part of original URL_
  - [x] _Proxy/rewrite without changing the original URL (in browser)_
  - [x] _Modify 301/302 response body_
  - [x] _Redirect POST request with payload to external endpoint_
  - [x] _Route to different backends based on HTTP method_
  - [ ] _Redirect users with certain IP to special location_
  - [x] _Allow multiple cross-domains using the CORS headers_
  - [x] _Set correct scheme passed in X-Forwarded-Proto_
  - [ ] _Securing URLs with the Secure Link Module_
  - [ ] _Tips and methods for high load traffic testing (cheatsheet)_
  - [ ] _Location matching examples_
  - [ ] _Passing requests to the backend_
  - [ ] _The HTTP backend server_
  - [ ] _The uWSGI backend server_
  - [ ] _The FastCGI backend server_
  - [ ] _The memcached backend server_
  - [ ] _The Redis backend server_
  - [ ] _HTTPS traffic to upstream servers_
  - [ ] _TCP and UDP load balancing_
  - [ ] _Lua snippets_
  - [ ] _nginscripts snippets_
- _Other snippets_
  - [x] _Recreate base directory_
  - [x] _Create a temporary static backend_
  - [x] _Create a temporary static backend with SSL support_
  - [x] _Generate password file with htpasswd command_
  - [x] _Generate private key without passphrase_
  - [x] _Generate private key with passphrase_
  - [x] _Remove passphrase from private key_
  - [x] _Encrypt existing private key with a passphrase_
  - [x] _Generate CSR_
  - [x] _Generate CSR (metadata from existing certificate)_
  - [x] _Generate CSR with -config param_
  - [x] _Generate private key and CSR_
  - [x] _List available EC curves_
  - [x] _Generate ECDSA private key_
  - [x] _Generate private key and CSR (ECC)_
  - [x] _Generate self-signed certificate_
  - [x] _Generate self-signed certificate from existing private key_
  - [x] _Generate self-signed certificate from existing private key and csr_
  - [x] _Generate multidomain certificate (Certbot)_
  - [x] _Generate wildcard certificate (Certbot)_
  - [x] _Generate certificate with 4096 bit private key (Certbot)_
  - [x] _Generate DH public parameters_
  - [x] _Display DH public parameters_
  - [x] _Extract certs from p7b_
  - [x] _Convert DER to PEM_
  - [x] _Convert PEM to DER_
  - [x] _Verification of the certificate's supported purposes_
  - [x] _Verification of the private key_
  - [x] _Check private key_
  - [x] _Get public key from private key_
  - [x] _Verification of the public key_
  - [x] _Verification of the certificate_
  - [x] _Verification of the CSR_
  - [x] _Check the private key and the certificate are match_
  - [x] _TLSv1.3 and CCM ciphers_
</details>
<details>
<summary><b>Base Rules</b></summary><br>
- [x] _Format, prettify and indent your Nginx code_
- [x] _Never use a hostname in a listen or upstream directives_
- [x] _Set the HTTP headers with add_header and proxy_*_header directives properly_
- [ ] _Making a rewrite absolute (with scheme)_
- [x] _Use return directive for URL redirection (301, 302)_
- [x] _Use simple custom error pages_
- [x] _Configure log rotation policy_
- [x] _Don't duplicate index directive, use it only in the http block_
</details>
<details>
<summary><b>Debugging</b></summary><br>
- [x] _Improve debugging by disable daemon, master process, and all workers except one_
- [x] _Use core dumps to figure out why NGINX keep crashing_
- [x] _Use mirror module to copy requests to another backend_
- [ ] _Dynamic debugging with echo module_
- [ ] _Dynamic debugging with SSI_
</details>
<details>
<summary><b>Performance</b></summary><br>
- [x] _Enable OCSP Stapling_
- [ ] _Avoid multiple index directives_
- [x] _Use $request_uri to avoid using regular expressions_
- [x] _Use try_files directive to ensure a file exists_
- [ ] _Don't pass all requests to the backend - use try_files_
- [x] _Use return directive instead of rewrite for redirects_
- [x] _Enable PCRE JIT to speed up processing of regular expressions_
- [ ] _Set proxy timeouts for normal load and under heavy load_
- [ ] _Configure kernel parameters for high load traffic_
- [x] _Activate the cache for connections to upstream servers_
</details>
<details>
<summary><b>Hardening</b></summary><br>
- [x] _Keep NGINX up-to-date_
- [x] _Take care about your ACL rules_
- [x] _Use only the latest supported OpenSSL version_
- [x] _Remove support for legacy and risky HTTP request headers_
- [x] _Prevent Replay Attacks on Zero Round-Trip Time_
- [x] _Prevent caching of sensitive data_
- [x] _Limit concurrent connections_
- [ ] _Set properly files and directories permissions (also with acls) on a paths_
- [ ] _Implement HTTPOnly and secure attributes on cookies_
</details>
<details>
<summary><b>Reverse Proxy</b></summary><br>
- [x] _Use pass directive compatible with backend protocol_
- [x] _Be careful with trailing slashes in proxy_pass directive_
- [x] _Set and pass Host header only with $host variable_
- [x] _Set properly values of the X-Forwarded-For header_
- [x] _Don't use X-Forwarded-Proto with $scheme behind reverse proxy_
- [x] _Always pass Host, X-Real-IP, and X-Forwarded headers to the backend_
- [x] _Use custom headers without X- prefix_
- [x] _Always use $request_uri instead of $uri in proxy_pass_
- [ ] _Set proxy buffers and timeouts_
</details>
<details>
<summary><b>Others</b></summary><br>
- [x] _Set the certificate chain correctly_
- [x] _Define security policies with security.txt_
- [x] _Use tcpdump to diagnose and troubleshoot the HTTP issues_
</details>

If you have any ideas, send them to me or open a pull request.
## RSS Feed & Updates
GitHub exposes an [RSS/Atom](https://github.com/trimstray/nginx-admins-handbook/commits.atom) feed of the commits, which may also be useful if you want to be kept informed about all changes.
## Checklist to rule them all
This checklist was the primary aim of the _nginx-admins-handbook_. It contains a set of best practices and recommendations on how to configure and maintain NGINX properly.
> This checklist contains [all rules (79)](doc/RULES.md) from this handbook.
Generally, I think that each of these principles is important and should be considered. I separated them into four levels of priority to help guide your decision.
| <b>PRIORITY</b> | <b>NAME</b> | <b>AMOUNT</b> | <b>DESCRIPTION</b> |
| :---: | :--- | :---: | :--- |
|  | <i>critical</i> | 33 | definitely use this rule; otherwise it introduces high risks to your NGINX security, performance, or other areas |
|  | <i>major</i> | 26 | also very important but not critical; it should still be addressed at the earliest possible opportunity |
|  | <i>normal</i> | 12 | not required, but worth considering because it can improve how NGINX works and functions |
|  | <i>minor</i> | 8 | an option to implement or use (not required) |

Remember, these are only guidelines. My point of view may differ from yours, so if you feel these priority levels do not reflect your configuration's commitment to security, performance or whatever else, adjust them as you see fit.
| <b>RULE</b> | <b>CHAPTER</b> | <b>PRIORITY</b> |
| :--- | :--- | :---: |
| [Define the listen directives with address:port pair](doc/RULES.md#beginner-define-the-listen-directives-with-addressport-pair)<br><sup>Prevents soft mistakes which may be difficult to debug.</sup> | Base Rules |  |
| [Prevent processing requests with undefined server names](doc/RULES.md#beginner-prevent-processing-requests-with-undefined-server-names)<br><sup>It protects against configuration errors, e.g. traffic forwarding to incorrect backends.</sup> | Base Rules |  |
| [Never use a hostname in a listen or upstream directives](doc/RULES.md#beginner-never-use-a-hostname-in-a-listen-or-upstream-directives)<br><sup>While this may work, it comes with a large number of issues.</sup> | Base Rules |  |
| [Set the HTTP headers with add_header and proxy_*_header directives properly](doc/RULES.md#beginner-set-the-http-headers-with-add_header-and-proxy__header-directives-properly)<br><sup>Set the right security headers for all contexts.</sup> | Base Rules |  |
| [Configure log rotation policy](doc/RULES.md#beginner-configure-log-rotation-policy)<br><sup>Save yourself trouble with your web server: configure appropriate logging policy.</sup> | Base Rules |  |
| [Use simple custom error pages](doc/RULES.md#beginner-use-simple-custom-error-pages)<br><sup>Default error pages reveal information about the server, which is an information leakage vulnerability.</sup> | Base Rules |  |
| [Use HTTP/2](doc/RULES.md#beginner-use-http2)<br><sup>HTTP/2 will make our applications faster, simpler, and more robust.</sup> | Performance |  |
| [Always keep NGINX up-to-date](doc/RULES.md#beginner-always-keep-nginx-up-to-date)<br><sup>Use newest NGINX package to fix vulnerabilities, bugs, and to use new features.</sup> | Hardening |  |
| [Run as an unprivileged user](doc/RULES.md#beginner-run-as-an-unprivileged-user)<br><sup>Use the principle of least privilege. This way only master process runs as root.</sup> | Hardening |  |
| [Protect sensitive resources](doc/RULES.md#beginner-protect-sensitive-resources)<br><sup>Hidden directories and files should never be web accessible.</sup> | Hardening |  |
| [Take care about your ACL rules](doc/RULES.md#beginner-take-care-about-your-acl-rules)<br><sup>Test your access-control lists to stay secure.</sup> | Hardening |  |
| [Hide upstream proxy headers](doc/RULES.md#beginner-hide-upstream-proxy-headers)<br><sup>Don't expose what version of software is running on the server.</sup> | Hardening |  |
| [Remove support for legacy and risky HTTP request headers](doc/RULES.md#beginner-remove-support-for-legacy-and-risky-http-request-headers)<br><sup>Support for the offending headers should be removed.</sup> | Hardening |  |
| [Force all connections over TLS](doc/RULES.md#beginner-force-all-connections-over-tls)<br><sup>Protects your website when it handles sensitive communications.</sup> | Hardening |  |
| [Use min. 2048-bit for RSA and 256-bit for ECC](doc/RULES.md#beginner-use-min-2048-bit-for-rsa-and-256-bit-for-ecc)<br><sup>2048 bit (RSA) or 256 bit (ECC) keys are sufficient for commercial use.</sup> | Hardening |  |
| [Keep only TLS 1.3 and TLS 1.2](doc/RULES.md#beginner-keep-only-tls-13-and-tls-12)<br><sup>Use TLS with modern cryptographic algorithms and without protocol weaknesses.</sup> | Hardening |  |
| [Use only strong ciphers](doc/RULES.md#beginner-use-only-strong-ciphers)<br><sup>Use only strong and not vulnerable cipher suites.</sup> | Hardening |  |
| [Use more secure ECDH Curve](doc/RULES.md#beginner-use-more-secure-ecdh-curve)<br><sup>Use ECDH curves according to NIST recommendations.</sup> | Hardening |  |
| [Use strong Key Exchange with Perfect Forward Secrecy](doc/RULES.md#beginner-use-strong-key-exchange-with-perfect-forward-secrecy)<br><sup>Establishes a shared secret between two parties that can be used for secret communication.</sup> | Hardening |  |
| [Defend against the BEAST attack](doc/RULES.md#beginner-defend-against-the-beast-attack)<br><sup>The server ciphers should be preferred over the client ciphers.</sup> | Hardening |  |
| [Enable HTTP Strict Transport Security](doc/RULES.md#beginner-enable-http-strict-transport-security)<br><sup>Tells browsers that the site should only be accessed using HTTPS, never plain HTTP.</sup> | Hardening |  |
| [Reduce XSS risks (Content-Security-Policy)](doc/RULES.md#beginner-reduce-xss-risks-content-security-policy)<br><sup>CSP is best used as defence-in-depth. It reduces the harm that a malicious injection can cause.</sup> | Hardening |  |
| [Control the behaviour of the Referer header (Referrer-Policy)](doc/RULES.md#beginner-control-the-behaviour-of-the-referer-header-referrer-policy)<br><sup>The default behaviour of referrer leaking puts websites at risk of privacy and security breaches.</sup> | Hardening |  |
| [Provide clickjacking protection (X-Frame-Options)](doc/RULES.md#beginner-provide-clickjacking-protection-x-frame-options)<br><sup>Defends against clickjacking attack.</sup> | Hardening |  |
| [Prevent some categories of XSS attacks (X-XSS-Protection)](doc/RULES.md#beginner-prevent-some-categories-of-xss-attacks-x-xss-protection)<br><sup>Prevents pages from rendering if a potential XSS reflection attack is detected.</sup> | Hardening |  |
| [Prevent Sniff Mimetype middleware (X-Content-Type-Options)](doc/RULES.md#beginner-prevent-sniff-mimetype-middleware-x-content-type-options)<br><sup>Tells browsers not to sniff MIME types.</sup> | Hardening |  |
| [Reject unsafe HTTP methods](doc/RULES.md#beginner-reject-unsafe-http-methods)<br><sup>Only allow the HTTP methods for which you, in fact, provide services.</sup> | Hardening |  |
| [Prevent caching of sensitive data](doc/RULES.md#beginner-prevent-caching-of-sensitive-data)<br><sup>It helps to prevent critical data (e.g. credit card details or usernames) from being leaked.</sup> | Hardening |  |
| [Limit concurrent connections](doc/RULES.md#beginner-limit-concurrent-connections)<br><sup>Limit concurrent connections to prevent rogue clients from repeatedly connecting to and monopolizing NGINX.</sup> | Hardening |  |
| [Use pass directive compatible with backend protocol](doc/RULES.md#beginner-use-pass-directive-compatible-with-backend-protocol)<br><sup>Use only a pass directive that matches the protocol spoken by the backend layer.</sup> | Reverse Proxy |  |
| [Set properly values of the X-Forwarded-For header](doc/RULES.md#beginner-set-properly-values-of-the-x-forwarded-for-header)<br><sup>Identify clients communicating with servers located behind the proxy.</sup> | Reverse Proxy |  |
| [Don't use X-Forwarded-Proto with $scheme behind reverse proxy](doc/RULES.md#beginner-dont-use-x-forwarded-proto-with-scheme-behind-reverse-proxy)<br><sup>Prevents passing an incorrect value of this header.</sup> | Reverse Proxy |  |
| [Always use $request_uri instead of $uri in proxy_pass](doc/RULES.md#beginner-always-use-request_uri-instead-of-uri-in-proxy_pass)<br><sup>You should always pass unchanged URI to the backend layer.</sup> | Reverse Proxy |  |
| [Organising Nginx configuration](doc/RULES.md#beginner-organising-nginx-configuration)<br><sup>Well organised code is easier to understand and maintain.</sup> | Base Rules |  |
| [Format, prettify and indent your Nginx code](doc/RULES.md#beginner-format-prettify-and-indent-your-nginx-code)<br><sup>Formatted code is easier to maintain, debug, and can be read and understood in a short amount of time.</sup> | Base Rules |  |
| [Use reload option to change configurations on the fly](doc/RULES.md#beginner-use-reload-option-to-change-configurations-on-the-fly)<br><sup>Graceful reload of the configuration without stopping the server and dropping any packets.</sup> | Base Rules |  |
| [Use return directive for URL redirection (301, 302)](doc/RULES.md#beginner-use-return-directive-for-url-redirection-301-302)<br><sup>The by far simplest and fastest because there is no regexp that has to be evaluated.</sup> | Base Rules |  |
| [Maintaining SSL sessions](doc/RULES.md#beginner-maintaining-ssl-sessions)<br><sup>Improves performance from the clients’ perspective.</sup> | Performance |  |
| [Enable OCSP Stapling](doc/RULES.md#beginner-enable-ocsp-stapling)<br><sup>Enable to reduce the cost of an OCSP validation.</sup> | Performance |  |
| [Use exact names in a server_name directive if possible](doc/RULES.md#beginner-use-exact-names-in-a-server_name-directive-if-possible)<br><sup>Helps speed up searching using exact names.</sup> | Performance |  |
| [Avoid checks server_name with if directive](doc/RULES.md#beginner-avoid-checks-server_name-with-if-directive)<br><sup>It decreases NGINX processing requirements.</sup> | Performance |  |
| [Use $request_uri to avoid using regular expressions](doc/RULES.md#beginner-use-request_uri-to-avoid-using-regular-expressions)<br><sup>By default, the regex is costly and will slow down the performance.</sup> | Performance |  |
| [Use try_files directive to ensure a file exists](doc/RULES.md#beginner-use-try_files-directive-to-ensure-a-file-exists)<br><sup>Use it if you need to search for a file; it also saves duplication of code.</sup> | Performance |  |
| [Use return directive instead of rewrite for redirects](doc/RULES.md#beginner-use-return-directive-instead-of-rewrite-for-redirects)<br><sup>The return directive gives a faster response than rewrite.</sup> | Performance |  |
| [Enable PCRE JIT to speed up processing of regular expressions](doc/RULES.md#beginner-enable-pcre-jit-to-speed-up-processing-of-regular-expressions)<br><sup>NGINX with PCRE JIT is much faster than without it.</sup> | Performance |  |
| [Activate the cache for connections to upstream servers](doc/RULES.md#beginner-activate-the-cache-for-connections-to-upstream-servers)<br><sup>NGINX can then reuse its existing connections (keepalive) per upstream.</sup> | Performance |  |
| [Disable unnecessary modules](doc/RULES.md#beginner-disable-unnecessary-modules)<br><sup>Limits vulnerabilities and improves performance and memory efficiency.</sup> | Hardening |  |
| [Hide Nginx version number](doc/RULES.md#beginner-hide-nginx-version-number)<br><sup>Don't disclose sensitive information about NGINX.</sup> | Hardening |  |
| [Hide Nginx server signature](doc/RULES.md#beginner-hide-nginx-server-signature)<br><sup>Don't disclose sensitive information about NGINX.</sup> | Hardening |  |
| [Use only the latest supported OpenSSL version](doc/RULES.md#beginner-use-only-the-latest-supported-openssl-version)<br><sup>Stay protected from SSL security threats and don't miss out on new features.</sup> | Hardening |  |
| [Prevent Replay Attacks on Zero Round-Trip Time](doc/RULES.md#beginner-prevent-replay-attacks-on-zero-round-trip-time)<br><sup>0-RTT is disabled by default, but you should know that enabling this option creates a significant security risk.</sup> | Hardening |  |
| [Mitigation of CRIME/BREACH attacks](doc/RULES.md#beginner-mitigation-of-crimebreach-attacks)<br><sup>Disable HTTP compression or compress only non-sensitive content.</sup> | Hardening |  |
| [Deny the use of browser features (Feature-Policy)](doc/RULES.md#beginner-deny-the-use-of-browser-features-feature-policy)<br><sup>A mechanism to allow and deny the use of browser features.</sup> | Hardening |  |
| [Control Buffer Overflow attacks](doc/RULES.md#beginner-control-buffer-overflow-attacks)<br><sup>Prevents errors characterised by the overwriting of memory fragments of the NGINX process.</sup> | Hardening |  |
| [Mitigating Slow HTTP DoS attacks (Closing Slow Connections)](doc/RULES.md#beginner-mitigating-slow-http-dos-attack-closing-slow-connections)<br><sup>Prevents attacks in which the attacker sends HTTP requests in pieces slowly.</sup> | Hardening |  |
| [Set and pass Host header only with $host variable](doc/RULES.md#beginner-set-and-pass-host-header-only-with-host-variable)<br><sup>Use of the $host is the only one guaranteed to have something sensible.</sup> | Reverse Proxy |  |
| [Always pass Host, X-Real-IP, and X-Forwarded headers to the backend](doc/RULES.md#beginner-always-pass-host-x-real-ip-and-x-forwarded-headers-to-the-backend)<br><sup>It gives you more control of forwarded headers.</sup> | Reverse Proxy |  |
| [Set the certificate chain correctly](doc/RULES.md#beginner-set-the-certificate-chain-correctly)<br><sup>Send the complete chain to the client.</sup> | Others |  |
| [Enable DNS CAA Policy](doc/RULES.md#beginner-enable-dns-caa-policy)<br><sup>Allows domain name holders to indicate to CA whether they are authorized to issue digital certificates.</sup> | Others |  |
| [Separate listen directives for 80 and 443 ports](doc/RULES.md#beginner-separate-listen-directives-for-80-and-443-ports)<br><sup>Help you maintain and modify your configuration.</sup> | Base Rules |  |
| [Use only one SSL config for the listen directive](doc/RULES.md#beginner-use-only-one-ssl-config-for-the-listen-directive)<br><sup>Prevents multiple configurations on the same listening address.</sup> | Base Rules |  |
| [Use geo/map modules instead of allow/deny](doc/RULES.md#beginner-use-geomap-modules-instead-of-allowdeny)<br><sup>Provides the perfect way to block invalid visitors.</sup> | Base Rules |  |
| [Set global root directory for unmatched locations](doc/RULES.md#beginner-set-global-root-directory-for-unmatched-locations)<br><sup>Specifies the root directory for undefined locations.</sup> | Base Rules |  |
| [Don't duplicate index directive, use it only in the http block](doc/RULES.md#beginner-dont-duplicate-index-directive-use-it-only-in-the-http-block)<br><sup>Watch out for duplicating the same rules.</sup> | Base Rules |  |
| [Adjust worker processes](doc/RULES.md#beginner-adjust-worker-processes)<br><sup>You can adjust this value to maximum throughput under high concurrency.</sup> | Performance |  |
| [Make an exact location match to speed up the selection process](doc/RULES.md#beginner-make-an-exact-location-match-to-speed-up-the-selection-process)<br><sup>Exact location matches are often used to speed up the selection process.</sup> | Performance |  |
| [Use limit_conn to improve limiting the download speed](doc/RULES.md#beginner-use-limit_conn-to-improve-limiting-the-download-speed)<br><sup>Limits NGINX download speed per connection.</sup> | Performance |  |
| [Be careful with trailing slashes in proxy_pass directive](doc/RULES.md#beginner-be-careful-with-trailing-slashes-in-proxy_pass-directive)<br><sup>An incorrect setting could end up with some strange URLs.</sup> | Reverse Proxy |  |
| [Use custom headers without X- prefix](doc/RULES.md#beginner-use-custom-headers-without-x--prefix)<br><sup>The use of custom headers with X- prefix is discouraged.</sup> | Reverse Proxy |  |
| [Tweak passive health checks](doc/RULES.md#beginner-tweak-passive-health-checks)<br><sup>Improve behaviour of the passive health checks.</sup> | Load Balancing |  |
| [Define security policies with security.txt](doc/RULES.md#beginner-define-security-policies-with-securitytxt)<br><sup>Helps make things easier for companies and security researchers.</sup> | Others |  |
| [Map all the things...](doc/RULES.md#beginner-map-all-the-things)<br><sup>Map module provides a more elegant solution for clearly parsing a big list of regexes.</sup> | Base Rules |  |
| [Use custom log formats](doc/RULES.md#beginner-use-custom-log-formats)<br><sup>This is extremely helpful for debugging specific location directives.</sup> | Debugging |  |
| [Use debug mode to track down unexpected behaviour](doc/RULES.md#beginner-use-debug-mode-to-track-down-unexpected-behaviour)<br><sup>There's probably more detail than you want, but that can sometimes be a lifesaver.</sup> | Debugging |  |
| [Improve debugging by disable daemon, master process, and all workers except one](doc/RULES.md#beginner-improve-debugging-by-disable-daemon-master-process-and-all-workers-except-one)<br><sup>This simplifies debugging and lets you test configurations rapidly.</sup> | Debugging |  |
| [Use core dumps to figure out why NGINX keep crashing](doc/RULES.md#beginner-use-core-dumps-to-figure-out-why-nginx-keep-crashing)<br><sup>Enable core dumps when your NGINX instance receives an unexpected error or crashes.</sup> | Debugging |  |
| [Use mirror module to copy requests to another backend](doc/RULES.md#beginner-use-mirror-module-to-copy-requests-to-another-backend)<br><sup>Use mirroring for investigation and debugging of any original request.</sup> | Debugging |  |
| [Don't disable backends by comments, use down parameter](doc/RULES.md#beginner-dont-disable-backends-by-comments-use-down-parameter)<br><sup>A good way to mark the server as permanently unavailable.</sup> | Load Balancing |  |
| [Use tcpdump to diagnose and troubleshoot the HTTP issues](doc/RULES.md#beginner-use-tcpdump-to-diagnose-and-troubleshoot-the-http-issues)<br><sup>Use tcpdump to monitor HTTP.</sup> | Others |  |
# Bonus Stuff
Here you can find a few of the extras I've worked on and included in this repository. I hope they will be useful.
## Configuration reports
Many of these recipes have been applied to the configuration of my old private website.
> An example configuration is in the [configuration examples](#configuration-examples) chapter. It's also based on [this](https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/cheatsheets/nginx-hardening-cheatsheet-tls13.png) version of printable high-res hardening cheatsheets.
### SSL Labs
> Read about SSL Labs grading [here](https://community.qualys.com/docs/DOC-6321-ssl-labs-grading-2018) (SSL Labs Grading 2018).
Short SSL Labs grades explanation:
> _A+ is clearly the desired grade, both A and B grades are acceptable and result in adequate commercial security. The B grade, in particular, may be applied to configurations designed to support very wide audiences (for old clients)_.
I finally got an **A+** grade with the following scores:
- Certificate = **100%**
- Protocol Support = **100%**
- Key Exchange = **90%**
- Cipher Strength = **90%**
Also consider the following recommendations. I believe a correctly configured NGINX should achieve the following SSL Labs scores while providing the best security for most cases:
- **Recommended**
  - A/A+
  - Certificate: 100/100
  - Protocol Support: 95/100
  - Key Exchange: 90/100
  - Cipher Strength: 90/100
- **Perfect but restrictive**
  - A+
  - Certificate: 100/100
  - Protocol Support: 100/100
  - Key Exchange: 100/100
  - Cipher Strength: 100/100
<p align="center">
<img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/blkcipher_ssllabs_preview.png" alt="blkcipher_ssllabs_preview">
</p>
A note on the SSL Labs grading mechanism (an interesting point of view):
> _The whole grading mechanism is more propaganda and public relations than actual security. If you want good security, then you must mind the details and understand how things work internally. If you want a good grade then you should do whatever it takes to have a good grade. An "A+" from SSL Labs is a very nifty thing to add at the end of a report, but it does not really equate with having rock solid security. Having an "A+" equates with being able to say "I have an A+"._ - from [this](https://security.stackexchange.com/a/112539) answer by [Tom Leek](https://security.stackexchange.com/users/5411/tom-leek).
### Mozilla Observatory
> Read about Mozilla Observatory [here](https://observatory.mozilla.org/faq/) and about [Observatory Scoring Methodology](https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/scoring.md).
I also got the highest summary grade (**A+**) on the Observatory, with a very high test score (120/100, max. 135/100):
<p align="center">
<img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/blkcipher_mozilla_observatory_preview.png" alt="blkcipher_mozilla_observatory_preview">
</p>
## Printable hardening cheatsheets
I created two versions of printable posters with hardening cheatsheets (High-Res 5000x8800) based on the recipes from this handbook:
> For `xcf` and `pdf` formats please see [this](https://github.com/trimstray/nginx-admins-handbook/tree/master/static/img) directory.
- **A+** with all **100%’s** on @ssllabs and **120/100** on @mozilla observatory:
> It provides the highest scores in the SSL Labs test. The setup is very restrictive: a 4096-bit private key, TLS 1.2 only, and modern strict TLS cipher suites (no 128-bit ciphers). Think carefully before using it (no TLS 1.3, restrictive cipher suites); in my opinion it is only suitable for obtaining the highest possible rating and is a little impractical.
<p align="center">
<img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/cheatsheets/nginx-hardening-cheatsheet-tls12-100p.png" alt="nginx-hardening-cheatsheet-100p" width="92%" height="92%">
</p>
- **A+** on @ssllabs and **120/100** on @mozilla observatory with TLS 1.3 support:
> It provides a less restrictive setup with a 2048-bit key for `RSA` or a 256-bit key for `ECC`, TLS 1.3 and 1.2, modern strict TLS cipher suites (128/256-bit), and the 2048-bit predefined `DH` groups recommended by Mozilla. The final grade is also in line with industry standards and guidance. I recommend using this one; for me it is a very reasonable configuration.
<p align="center">
<img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/cheatsheets/nginx-hardening-cheatsheet-tls13.png" alt="nginx-hardening-cheatsheet-tls13" width="92%" height="92%">
</p>
## Fully automatic installation
I created a set of scripts for unattended installation of NGINX from the raw, uncompiled source. They let you install NGINX easily, set up its dependencies (such as `zlib` or `openssl`), and customize the build with installation parameters.
For more information please see the [Installing from source - Automatic installation](https://github.com/trimstray/nginx-admins-handbook/tree/master/lib) chapter, which describes the installation of NGINX on systems/distros such as Ubuntu, Debian, CentOS, and FreeBSD.
## Static error pages generator
I created a simple-to-use generator for static pages to replace the default error pages that come with any web server such as NGINX.
For more information please see [HTTP Static Error Pages Generator](https://github.com/trimstray/nginx-admins-handbook/tree/master/lib/nginx/snippets/http-error-pages#http-static-error-pages-generator).
## Server names parser
I added scripts for quickly searching the configuration for multiple domains. These tools find specific `server_name` matches and print them to the screen as `server { ... }` blocks. Both are very helpful if you have tons of domains or want to list specific vhosts from a file or from the active configuration.
You must follow one important rule to be able to use them: your server block must have the following structure:
```nginx
server {
  server_name example.com example.org;
  ... # other directives
}
```
Example of use:
```
./snippets/server-name-parser/check-server-name.sh example.com
Searching 'example.com' in '/usr/local/etc/nginx' (from disk)
/usr/local/etc/nginx/domains/example.com/servers.conf:79: return 301 https://example.com$request_uri;
/usr/local/etc/nginx/domains/example.com/servers.conf:252: return 301 https://example.com$request_uri;
/usr/local/etc/nginx/domains/example.com/servers.conf:3825: server_name example.com;
Searching 'example.com' in server contexts (from a running process)
>>>>>>>>>> BEG >>>>>>>>>>
server {
  include listen/192.168.252.10/https.example.com.conf;
  server_name example.com;
  location / {
    return 204 "RFC 792";
  }
  access_log /var/log/nginx/example.com/access.log standard;
  error_log /var/log/nginx/example.com/error.log warn;
}
<<<<<<<<<< END <<<<<<<<<<
```
For more information please see [snippets/server-name-parser](https://github.com/trimstray/nginx-admins-handbook/tree/master/lib/nginx/snippets/server-name-parser) directory.
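As an added example (not one of the handbook's scripts), here is a Python sketch of the matching such a parser has to do: it brace-matches `server { ... }` blocks while ignoring braces inside comments and quoted strings, and returns the blocks whose `server_name` lists the requested host as an exact token, together with the line each block starts on. The configuration text is constructed for the example.

```python
import re

# Constructed sample nginx configuration (not a real deployment): it contains a
# brace in a comment, a brace in a quoted string and a nested location block.
SAMPLE_CONF = """\
http {
    # vhost comment with a brace { that must be ignored
    server {
        listen 80;
        server_name example.com www.example.com;
        return 301 https://example.com$request_uri;
    }
    server {
        listen 443 ssl;
        server_name example.com;
        location / {
            return 204 "RFC 792 {quoted brace}";
        }
        access_log /var/log/nginx/example.com/access.log standard;
    }
    server {
        server_name example.org; # unrelated vhost
        location /{ return 404; }
    }
}
"""

SERVER_NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.MULTILINE)

def extract_server_blocks(text):
    """Return (line_no, block_text) for every server { ... } block in text."""
    # A character scanner rather than a regex: braces inside comments and
    # quoted strings are skipped, and nested location blocks stay in their server.
    blocks = []
    depth = 0             # current brace depth
    tok_start = 0         # where the directive currently being read starts
    server_start = None   # index of the "server" keyword of the open block
    server_depth = 0      # depth at which that server block was opened
    in_comment = False
    quote = None          # the quote character we are inside, or None
    i = 0
    while i < len(text):
        c = text[i]
        if in_comment:
            if c == "\n":
                in_comment = False
                tok_start = i + 1
        elif quote:
            if c == "\\":
                i += 1    # skip the escaped character
            elif c == quote:
                quote = None
        elif c == "#":
            in_comment = True
        elif c in "\"'":
            quote = c
        elif c == "{":
            directive = text[tok_start:i].split()
            if directive and directive[0] == "server" and server_start is None:
                server_start = text.index("server", tok_start)
                server_depth = depth
            depth += 1
            tok_start = i + 1
        elif c == "}":
            depth -= 1
            if server_start is not None and depth == server_depth:
                line_no = text.count("\n", 0, server_start) + 1
                blocks.append((line_no, text[server_start:i + 1]))
                server_start = None
            tok_start = i + 1
        elif c == ";":
            tok_start = i + 1
        i += 1
    return blocks

def server_names(block):
    """Collect every name listed by the block's server_name directive(s)."""
    names = []
    for m in SERVER_NAME_RE.finditer(block):
        names.extend(m.group(1).split())
    return names

def find_server_blocks(text, name):
    """Blocks whose server_name lists `name` as a whole token (not a substring)."""
    return [(ln, blk) for ln, blk in extract_server_blocks(text)
            if name in server_names(blk)]

def format_matches(text, name):
    """Render matches in the BEG/END style used by the handbook's parser."""
    out = []
    for line_no, block in find_server_blocks(text, name):
        out.append(f">>>>>>>>>> BEG (line {line_no}) >>>>>>>>>>")
        out.append(block)
        out.append("<<<<<<<<<< END <<<<<<<<<<")
    return "\n".join(out)

if __name__ == "__main__":
    print(format_matches(SAMPLE_CONF, "example.com"))
```

Unlike a plain `grep`, the token match does not report `example.com` for a block whose only name is `www.example.com`, and the comment and quoted-string handling keeps a stray brace from swallowing the rest of the file.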
# Books
#### [Nginx Essentials](https://www.amazon.com/Nginx-Essentials-Valery-Kholodkov/dp/1785289535)
Authors: **Valery Kholodkov**
_Excel in Nginx quickly by learning to use its most essential features in real-life applications._
- _Learn how to set up, configure, and operate an Nginx installation for day-to-day use_
- _Explore the vast features of Nginx to manage it like a pro, and use them successfully to run your website_
- _Example-based guide to get the best out of Nginx to reduce resource usage footprint_
<sup><i>This short review comes from this book or the store.</i></sup>
#### [Nginx Cookbook](https://www.oreilly.com/library/view/nginx-cookbook/9781492049098/)
Authors: **Derek DeJonghe**
_You’ll find recipes for:_
- _Traffic management and A/B testing_
- _Managing programmability and automation with dynamic templating and the NGINX Plus API_
- _Securing access through encrypted traffic, secure links, HTTP authentication subrequests, and more_
- _Deploying NGINX to AWS, Azure, and Google cloud-computing services_
- _Using Docker to deploy containers and microservices_
- _Debugging and troubleshooting, performance tuning, and practical ops tips_
<sup><i>This short review comes from this book or the store.</i></sup>
#### [Nginx HTTP Server](https://www.amazon.com/Nginx-HTTP-Server-Harness-infrastructure/dp/178862355X)
Authors: **Martin Fjordvald**, **Clement Nedelcu**
_Harness the power of Nginx to make the most of your infrastructure and serve pages faster than ever._
- _Discover possible interactions between Nginx and Apache to get the best of both worlds_
- _Learn to exploit the features offered by Nginx for your web applications_
- _Get your hands on the most updated version of Nginx (1.13.2) to support all your web administration requirements_
<sup><i>This short review comes from this book or the store.</i></sup>
#### [Nginx High Performance](https://www.amazon.com/Nginx-High-Performance-Rahul-Sharma/dp/1785281836)
Authors: **Rahul Sharma**
_Optimize NGINX for high-performance, scalable web applications._
- _Configure Nginx for best performance, with configuration examples and explanations_
- _Step-by-step tutorials for performance testing using open source software_
- _Tune the TCP stack to make the most of the available infrastructure_
<sup><i>This short review comes from this book or the store.</i></sup>
#### [Mastering Nginx](https://www.amazon.com/Mastering-Nginx-Dimitri-Aivaliotis/dp/1849517444)
Authors: **Dimitri Aivaliotis**
_Written for experienced systems administrators and engineers, this book teaches you from scratch how to configure Nginx for any situation. Step-by-step instructions and real-world code snippets clarify even the most complex areas._
<sup><i>This short review comes from this book or the store.</i></sup>
#### [ModSecurity 3.0 and NGINX: Quick Start Guide](https://www.nginx.com/resources/library/modsecurity-3-nginx-quick-start-guide/)
Authors: **Faisal Memon**, **Owen Garrett**, **Michael Pleshakov**
_Learn in this ebook how to get started with ModSecurity, the world’s most widely deployed web application firewall (WAF), now available for NGINX and NGINX Plus._
<sup><i>This short review comes from this book or the store.</i></sup>
#### [Cisco ACE to NGINX: Migration Guide](https://www.nginx.com/resources/library/cisco-ace-nginx-migration-guide/)
Authors: **Faisal Memon**
_This ebook provides step-by-step instructions on replacing Cisco ACE with NGINX and off-the-shelf servers. NGINX helps you cut costs and modernize._
_In this ebook you will learn:_
- _How to migrate Cisco ACE configuration to NGINX, with detailed examples_
- _Why you should go with a software load balancer, and not hardware_
<sup><i>This short review comes from this book or the store.</i></sup>
# External Resources
##### Nginx official
<p>
:black_small_square: <a href="https://www.nginx.com/"><b>Nginx Project</b></a><br>
:black_small_square: <a href="https://nginx.org/en/docs/"><b>Nginx Documentation</b></a><br>
:black_small_square: <a href="https://www.nginx.com/resources/wiki/"><b>Nginx Wiki</b></a><br>
:black_small_square: <a href="https://docs.nginx.com/nginx/admin-guide/"><b>Nginx Admin's Guide</b></a><br>
:black_small_square: <a href="https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/"><b>Nginx Pitfalls and Common Mistakes</b></a><br>
:black_small_square: <a href="http://nginx.org/en/docs/dev/development_guide.html"><b>Development Guide</b></a><br>
:black_small_square: <a href="https://forum.nginx.org/"><b>Nginx Forum</b></a><br>
:black_small_square: <a href="http://nginx.org/en/security_advisories.html"><b>Nginx Security Advisories</b></a><br>
:black_small_square: <a href="https://docs.nginx.com/nginx/admin-guide/security-controls/"><b>Nginx Security Controls</b></a><br>
:black_small_square: <a href="https://mailman.nginx.org/mailman/listinfo/nginx"><b>Nginx Mailing List</b></a><br>
:black_small_square: <a href="https://github.com/nginx/nginx"><b>Nginx Read-only Mirror</b></a><br>
:black_small_square: <a href="https://github.com/nginxinc/NGINX-Demos"><b>NGINX-Demos</b></a><br>
:black_small_square: <a href="https://www.nginx.com/blog/thread-pools-boost-performance-9x/"><b>Thread Pools in NGINX Boost Performance 9x!</b></a><br>
</p>
##### Nginx distributions
<p>
:black_small_square: <a href="https://openresty.org/"><b>OpenResty</b></a><br>
:black_small_square: <a href="https://tengine.taobao.org/"><b>The Tengine Web Server</b></a><br>
</p>
##### Comparison reviews
<p>
:black_small_square: <a href="https://www.hostingadvice.com/how-to/nginx-vs-apache/"><b>NGINX vs. Apache (Pro/Con Review, Uses, & Hosting for Each)</b></a><br>
:black_small_square: <a href="https://github.com/jiangwenyuan/nuster/wiki/Web-cache-server-performance-benchmark:-nuster-vs-nginx-vs-varnish-vs-squid"><b>Web cache server performance benchmark: nuster vs nginx vs varnish vs squid</b></a><br>
</p>
##### Cheatsheets & References
<p>
:black_small_square: <a href="https://openresty.org/download/agentzh-nginx-tutorials-en.html"><b>agentzh's Nginx Tutorials</b></a><br>
:black_small_square: <a href="http://agentzh.org/misc/slides/nginx-conf-scripting/nginx-conf-scripting.html#1"><b>Introduction to nginx.conf scripting</b></a><br>
:black_small_square: <a href="http://www.nginx-discovery.com/"><b>Nginx discovery journey</b></a><br>
:black_small_square: <a href="http://www.nginxguts.com/"><b>Nginx Guts</b></a><br>
:black_small_square: <a href="https://gist.github.com/carlessanagustin/9509d0d31414804da03b"><b>Nginx Cheatsheet</b></a><br>
:black_small_square: <a href="http://www.scalescale.com/tips/nginx/"><b>Nginx Tutorials, Linux Sysadmin Configuration & Optimizing Tips and Tricks</b></a><br>
:black_small_square: <a href="https://github.com/h5bp/server-configs-nginx"><b>Nginx boilerplate configs</b></a><br>
:black_small_square: <a href="https://github.com/nginx-boilerplate/nginx-boilerplate"><b>Awesome Nginx configuration template</b></a><br>
:black_small_square: <a href="https://github.com/SimulatedGREG/nginx-cheatsheet"><b>Nginx Quick Reference</b></a><br>
:black_small_square: <a href="https://github.com/fcambus/nginx-resources"><b>A collection of resources covering Nginx and more</b></a><br>
:black_small_square: <a href="https://github.com/lebinh/nginx-conf"><b>A collection of useful Nginx configuration snippets</b></a><br>
:black_small_square: <a href="https://github.com/elasticweb/nginx-configs"><b>Nginx configurations for most popular CMS/CMF/Frameworks based on PHP</b></a><br>
:black_small_square: <a href="https://github.com/wmnnd/nginx-certbot"><b>Boilerplate configuration for nginx and certbot with docker-compose</b></a><br>
</p>
##### Performance & Hardening
<p>
:black_small_square: <a href="https://github.com/denji/nginx-tuning"><b>Nginx Tuning For Best Performance by Denji</b></a><br>
:black_small_square: <a href="https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765"><b>Nginx Optimization: understanding sendfile, tcp_nodelay and tcp_nopush</b></a><br>
:black_small_square: <a href="https://blog.cloudflare.com/how-we-scaled-nginx-and-saved-the-world-54-years-every-day/"><b>How we scaled nginx and saved the world 54 years every day</b></a><br>
:black_small_square: <a href="https://istlsfastyet.com/"><b>TLS has exactly one performance problem: it is not used widely enough</b></a><br>
:black_small_square: <a href="https://www.ssllabs.com/projects/best-practices/"><b>SSL/TLS Deployment Best Practices</b></a><br>
:black_small_square: <a href="https://www.ssllabs.com/projects/rating-guide/index.html"><b>SSL Server Rating Guide</b></a><br>
:black_small_square: <a href="https://www.ssllabs.com/ssl-pulse/"><b>SSL Pulse</b></a><br>
:black_small_square: <a href="https://www.upguard.com/blog/how-to-build-a-tough-nginx-server-in-15-steps"><b>How to Build a Tough NGINX Server in 15 Steps</b></a><br>
:black_small_square: <a href="https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html"><b>Top 25 Nginx Web Server Best Security Practices</b></a><br>
:black_small_square: <a href="https://calomel.org/nginx.html"><b>Nginx Secure Web Server</b></a><br>
:black_small_square: <a href="https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html"><b>Strong SSL Security on Nginx</b></a><br>
:black_small_square: <a href="https://enable-cors.org/index.html"><b>Enable cross-origin resource sharing (CORS)</b></a><br>
:black_small_square: <a href="https://github.com/nbs-system/naxsi"><b>NAXSI - WAF for Nginx</b></a><br>
:black_small_square: <a href="https://geekflare.com/install-modsecurity-on-nginx/"><b>ModSecurity for Nginx</b></a><br>
</p>
##### Presentations & Videos
<p>
:black_small_square: <a href="https://www.slideshare.net/Nginx/nginx-basics-and-best-practices"><b>NGINX: Basics and Best Practices</b></a><br>
:black_small_square: <a href="https://www.slideshare.net/Nginx/nginx-installation-and-tuning"><b>NGINX Installation and Tuning</b></a><br>
:black_small_square: <a href="https://www.slideshare.net/joshzhu/nginx-internals"><b>Nginx Internals (by Joshua Zhu)</b></a><br>
:black_small_square: <a href="https://www.slideshare.net/feifengxlq/nginx-internals-10514355"><b>Nginx internals (by Liqiang Xu)</b></a><br>
:black_small_square: <a href="https://www.slideshare.net/wallarm/how-to-secure-your-web-applications-with-nginx"><b>How to secure your web applications with NGINX</b></a><br>
:black_small_square: <a href="https://www.slideshare.net/chartbeat/tuning-tcp-and-nginx-on-ec2"><b>Tuning TCP and NGINX on EC2</b></a><br>
:black_small_square: <a href="https://www.slideshare.net/trygvevea/extending-functionality-in-nginx-with-modules"><b>Extending functionality in nginx, with modules!</b></a><br>
:black_small_square: <a href="https://www.slideshare.net/tuxtoti/nginx-tips-and-tricks-13087831"><b>Nginx - Tips and Tricks.</b></a><br>
:black_small_square: <a href="https://www.slideshare.net/TonyFabeen/nginx-scripting-extending-nginx-functionalities-with-lua"><b>Nginx Scripting - Extending Nginx Functionalities with Lua</b></a><br>
:black_small_square: <a href="https://www.slideshare.net/kazeburo/advanced-nginx-in-mercari-how-to-handle-over-1200000-https-reqsmin"><b>How to handle over 1,200,000 HTTPS Reqs/Min</b></a><br>
:black_small_square: <a href="https://www.slideshare.net/harukayon/ngx-lua-public"><b>Using ngx_lua / lua-nginx-module in pixiv</b></a><br>
:black_small_square: <a href="https://mdounin.ru/files/mdounin-nginx-whatsnew-nginxconf2018.pdf"><b>Reading nginx CHANGES together</b></a><br>
:black_small_square: <a href="https://mdounin.ru/files/mdounin-dynamic-modules-nginxconf2016.pdf"><b>Dynamic modules:how it works</b></a><br>
:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXewvc6tjIGGFZ6DBKHEld3k"><b>NGINX Conf 2014</b></a><br>
:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXdED9BR6GQ61A6d3fBzjpbn"><b>NGINX Conf 2015</b></a><br>
:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXcOsB_dT26iu0BvbSxWYG1g"><b>NGINX Conf 2016</b></a><br>
:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXeT-z_rcZ9yF0kV5SENZ-yt"><b>NGINX Conf 2017</b></a><br>
:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXeHhKRX6ZS7vmFKN12iYOw9"><b>NGINX Conf 2018 | Deep Dive Track</b></a><br>
:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXe_Vc708VKvr5KJ4gnf1WxS"><b>NGINX Conf 2018 | Keynotes and Sessions</b></a><br>
:black_small_square: <a href="https://www.youtube.com/watch?v=iHxD-G0YjiU"><b>Making HTTPS Fast(er): Ilya Grigorik @ nginx.conf 2014</b></a><br>
</p>
##### Playgrounds
<p>
:black_small_square: <a href="https://github.com/sportebois/nginx-rate-limit-sandbox"><b>NGINX Rate Limit, Burst and nodelay sandbox</b></a><br>
</p>
##### Config generators
<p>
:black_small_square: <a href="https://nginxconfig.io/"><b>nginxconfig</b></a> - Nginx config generator on steroids.<br>
:black_small_square: <a href="https://github.com/mozilla/ssl-config-generator"><b>ssl-config-generator</b></a> - Mozilla SSL Configuration Generator.<br>
:black_small_square: <a href="https://github.com/linkedin/nginx-config-builder"><b>nginx-config-builder</b></a> - is a Python library for building nginx configuration files programmatically.<br>
</p>
##### Config parsers
<p>
:black_small_square: <a href="https://github.com/nginxinc/crossplane"><b>crossplane</b></a> - quick and reliable way to convert NGINX configurations into JSON and back.<br>
:black_small_square: <a href="https://github.com/fatiherikli/nginxparser"><b>nginxparser</b></a> - parses nginx configuration with Pyparsing.<br>
</p>
##### Config managers
<p>
:black_small_square: <a href="https://github.com/jdauphant/ansible-role-nginx"><b>ansible-role-nginx</b></a> - Ansible role to install and manage nginx configuration.<br>
:black_small_square: <a href="https://github.com/geerlingguy/ansible-role-nginx"><b>ansible-role-nginx</b></a> - installs and configures the latest version of Nginx.<br>
:black_small_square: <a href="https://github.com/nginxinc/ansible-role-nginx"><b>ansible-role-nginx</b></a> - installs NGINX, NGINX Plus, the NGINX Amplify agent, and more.<br>
:black_small_square: <a href="https://github.com/voxpupuli/puppet-nginx"><b>puppet-nginx</b></a> - Puppet module to manage NGINX on various UNIXes.<br>
</p>
##### Static analyzers
<p>
:black_small_square: <a href="https://github.com/yandex/gixy"><b>gixy</b></a> - is a tool to analyze Nginx configuration to prevent security misconfiguration and automate flaw detection.<br>
:black_small_square: <a href="https://github.com/1connect/nginx-config-formatter"><b>nginx-config-formatter</b></a> - Nginx config file formatter/beautifier written in Python.<br>
:black_small_square: <a href="https://github.com/vasilevich/nginxbeautifier"><b>nginxbeautifier</b></a> - format and beautify Nginx config files.<br>
:black_small_square: <a href="https://github.com/lovette/nginx-tools/tree/master/nginx-minify-conf"><b>nginx-minify-conf</b></a> - creates a minified version of a Nginx configuration.<br>
</p>
##### Log analyzers
<p>
:black_small_square: <a href="https://goaccess.io/"><b>GoAccess</b></a> - is a fast, terminal-based log analyzer (quickly analyze and view web server statistics in real time).<br>
:black_small_square: <a href="https://www.graylog.org/"><b>Graylog</b></a> - is a leading centralized log management for capturing, storing, and enabling real-time analysis.<br>
:black_small_square: <a href="https://www.elastic.co/products/logstash"><b>Logstash</b></a> - is an open source, server-side data processing pipeline.<br>
</p>
##### Performance analyzers
<p>
:black_small_square: <a href="https://github.com/lebinh/ngxtop"><b>ngxtop</b></a> - parses your Nginx access log and outputs useful, top-like, metrics of your Nginx server.<br>
</p>
##### Builder tools
<p>
:black_small_square: <a href="https://github.com/TinkoffCreditSystems/Nginx-builder"><b>Nginx-builder</b></a> - is a tool for building deb or rpm package NGINX from the source code.<br>
</p>
##### Benchmarking tools
<p>
:black_small_square: <a href="https://httpd.apache.org/docs/2.4/programs/ab.html"><b>ab</b></a> - is a single-threaded command line tool for measuring the performance of HTTP web servers.<br>
:black_small_square: <a href="https://www.joedog.org/siege-home/"><b>siege</b></a> - is an http load testing and benchmarking utility.<br>
:black_small_square: <a href="https://github.com/wg/wrk"><b>wrk</b></a> - is a modern HTTP benchmarking tool capable of generating significant load.<br>
:black_small_square: <a href="https://github.com/giltene/wrk2"><b>wrk2</b></a> - is a constant throughput, correct latency recording variant of wrk.<br>
:black_small_square: <a href="https://github.com/tsenart/vegeta"><b>vegeta</b></a> - HTTP load testing tool and library.<br>
:black_small_square: <a href="https://github.com/codesenberg/bombardier"><b>bombardier</b></a> - is a HTTP(S) benchmarking tool.<br>
:black_small_square: <a href="https://github.com/cmpxchg16/gobench"><b>gobench</b></a> - is a HTTP/HTTPS load testing and benchmarking tool.<br>
:black_small_square: <a href="https://github.com/rakyll/hey"><b>hey</b></a> - is a HTTP load generator, ApacheBench (ab) replacement, formerly known as rakyll/boom.<br>
:black_small_square: <a href="https://github.com/tarekziade/boom"><b>boom</b></a> - is a script you can use to quickly smoke-test your web app deployment.<br>
:black_small_square: <a href="https://github.com/tarekziade/httperf"><b>httperf</b></a> - the httperf HTTP load generator.<br>
:black_small_square: <a href="https://jmeter.apache.org/"><b>JMeter™</b></a> - is designed to load test functional behavior and measure performance.<br>
:black_small_square: <a href="https://gatling.io/"><b>Gatling</b></a> - is a powerful open-source load and performance testing tool for web applications.<br>
:black_small_square: <a href="https://github.com/locustio/locust"><b>locust</b></a> - is an easy-to-use, distributed, user load testing tool.<br>
:black_small_square: <a href="https://github.com/gkbrk/slowloris"><b>slowloris</b></a> - low bandwidth DoS tool. Slowloris rewrite in Python.<br>
:black_small_square: <a href="https://github.com/shekyan/slowhttptest"><b>slowhttptest</b></a> - application layer DoS attack simulator.<br>
:black_small_square: <a href="https://github.com/jseidl/GoldenEye"><b>GoldenEye</b></a> - GoldenEye Layer 7 (KeepAlive+NoCache) DoS test tool.<br>
</p>
##### Debugging tools
<p>
:black_small_square: <a href="https://strace.io/"><b>strace</b></a> - is a diagnostic, debugging and instructional userspace utility (linux syscall tracer) for Linux.<br>
:black_small_square: <a href="https://www.gnu.org/software/gdb/"><b>GDB</b></a> - allows you to see what is going on `inside' another program while it executes.<br>
:black_small_square: <a href="https://sourceware.org/systemtap/"><b>SystemTap</b></a> - provides infrastructure to simplify the gathering of information about the running Linux system.<br>
:black_small_square: <a href="https://github.com/openresty/stapxx"><b>stapxx</b></a> - simple macro language extensions to SystemTap.<br>
:black_small_square: <a href="https://github.com/trimstray/htrace.sh"><b>htrace.sh</b></a> - is a simple Swiss Army knife for http/https troubleshooting and profiling.<br>
</p>
##### Security & Web testing tools
<p>
:black_small_square: <a href="https://portswigger.net/burp"><b>Burp Suite</b></a> - is a graphical tool for testing Web application security.<br>
:black_small_square: <a href="http://w3af.org/"><b>w3af</b></a> - is a Web Application Attack and Audit Framework.<br>
:black_small_square: <a href="https://github.com/sullo/nikto"><b>nikto</b></a> - web server scanner which performs comprehensive tests.<br>
:black_small_square: <a href="https://github.com/ssllabs/ssllabs-scan"><b>ssllabs-scan</b></a> - client for SSL Labs APIs, designed for automated and/or bulk testing.<br>
:black_small_square: <a href="https://github.com/mozilla/http-observatory"><b>http-observatory</b></a> - Mozilla HTTP Observatory.<br>
:black_small_square: <a href="https://testssl.sh/"><b>testssl.sh</b></a> - checks a server's service on any port for the support of TLS/SSL ciphers.<br>
:black_small_square: <a href="https://github.com/nabla-c0d3/sslyze"><b>sslyze</b></a> - is a fast and powerful SSL/TLS server scanning library.<br>
:black_small_square: <a href="https://github.com/mozilla/cipherscan"><b>cipherscan</b></a> - is a very simple way to find out which SSL ciphersuites are supported by a target.<br>
:black_small_square: <a href="https://github.com/OWASP/O-Saft"><b>O-Saft</b></a> - OWASP SSL advanced forensic tool.<br>
:black_small_square: <a href="https://nghttp2.org/"><b>Nghttp2</b></a> - is an implementation of HTTP/2 and its header compression algorithm HPACK in C.<br>
:black_small_square: <a href="https://github.com/summerwind/h2spec"><b>h2spec</b></a> - is a conformance testing tool for HTTP/2 implementation.<br>
:black_small_square: <a href="https://github.com/gildasio/h2t"><b>h2t</b></a> - is a simple tool to help sysadmins harden their websites.<br>
:black_small_square: <a href="https://github.com/c0nrad/http2fuzz"><b>http2fuzz</b></a> - HTTP/2 fuzzer written in Golang.<br>
:black_small_square: <a href="https://github.com/s0md3v/Arjun"><b>Arjun</b></a> - HTTP parameter discovery suite.<br>
:black_small_square: <a href="https://github.com/s0md3v/Corsy"><b>Corsy</b></a> - CORS misconfiguration scanner.<br>
:black_small_square: <a href="https://github.com/s0md3v/XSStrike"><b>XSStrike</b></a> - most advanced XSS scanner.<br>
</p>
##### Development
<p>
:black_small_square: <a href="http://agentzh.org/misc/code/nginx/"><b>Sample ebook generated from NGINX source code.</b></a><br>
:black_small_square: <a href="https://www.lua.org/pil/contents.html"><b>Programming in Lua (first edition)</b></a><br>
:black_small_square: <a href="http://www.londonlua.org/scripting_nginx_with_lua/"><b>Scripting Nginx with Lua</b></a><br>
:black_small_square: <a href="https://www.evanmiller.org/nginx-modules-guide.html"><b>Emiller’s Guide To Nginx Module Development</b></a><br>
:black_small_square: <a href="http://www.evanmiller.org/nginx-modules-guide-advanced.html"><b>Emiller’s Advanced Topics In Nginx Module Development</b></a><br>
:black_small_square: <a href="https://www.airpair.com/nginx/extending-nginx-tutorial"><b>NGINX Tutorial: Developing Modules</b></a><br>
:black_small_square: <a href="https://www.openmymind.net/An-Introduction-To-OpenResty-Nginx-Lua/"><b>An Introduction To OpenResty (nginx + lua) - Part 1</b></a><br>
:black_small_square: <a href="https://www.openmymind.net/An-Introduction-To-OpenResty-Part-2/"><b>An Introduction To OpenResty - Part 2 - Concepts</b></a><br>
:black_small_square: <a href="https://www.openmymind.net/An-Introduction-To-OpenResty-Part-3/"><b>An Introduction To OpenResty - Part 3</b></a><br>
:black_small_square: <a href="https://blog.dutchcoders.io/openresty-with-dynamic-generated-certificates/"><b>OpenResty (Nginx) with dynamically generated certificates</b></a><br>
:black_small_square: <a href="https://github.com/openresty/programming-openresty"><b>Programming OpenResty</b></a><br>
</p>
##### Online & Web tools
<p>
:black_small_square: <a href="https://www.ssllabs.com/ssltest/"><b>SSL Server Test by SSL Labs</b></a><br>
:black_small_square: <a href="https://www.htbridge.com/ssl/"><b>Test SSL/TLS (PCI DSS, HIPAA and NIST)</b></a><br>
:black_small_square: <a href="https://sslanalyzer.comodoca.com/"><b>SSL analyzer and certificate checker</b></a><br>
:black_small_square: <a href="https://decoder.link"><b>Tools for testing SSL configuration</b></a><br>
:black_small_square: <a href="https://tls.imirhil.fr/"><b>Test your TLS server configuration (e.g. ciphers)</b></a><br>
:black_small_square: <a href="https://www.jitbit.com/sslcheck/"><b>Scan your website for non-secure content</b></a><br>
:black_small_square: <a href="http://www.ssltools.com"><b>Analyze website security</b></a><br>
:black_small_square: <a href="https://ciphersuite.info/"><b>TLS Cipher Suite Search</b></a><br>
:black_small_square: <a href="https://www.ssllabs.com/ssltest/viewMyClient.html"><b>SSL/TLS Capabilities of Your Browser</b></a><br>
:black_small_square: <a href="https://suche.org/sslClientInfo"><b>SSL-Client Info's</b></a><br>
:black_small_square: <a href="https://2ton.com.au/dhtool/"><b>Public Diffie-Hellman Parameter Service/Tool</b></a><br>
:black_small_square: <a href="https://securityheaders.com/"><b>Analyse the HTTP response headers by Security Headers</b></a><br>
:black_small_square: <a href="https://observatory.mozilla.org/"><b>Analyze your website by Mozilla Observatory</b></a><br>
:black_small_square: <a href="https://sslmate.com/caa/"><b>CAA Record Helper</b></a><br>
:black_small_square: <a href="https://webhint.io/"><b>Linting tool that will help you with your site's accessibility, speed, security and more</b></a><br>
:black_small_square: <a href="https://urlscan.io/"><b>Service to scan and analyse websites</b></a><br>
:black_small_square: <a href="https://www.url-encode-decode.com/"><b>Tool to either encode or decode a string of text</b></a><br>
:black_small_square: <a href="https://uncoder.io/"><b>Online translator for search queries on log data</b></a><br>
:black_small_square: <a href="https://regex101.com/"><b>Online regex tester and debugger: PHP, PCRE, Python, Golang and JavaScript</b></a><br>
:black_small_square: <a href="https://regexr.com/"><b>Online tool to learn, build, & test Regular Expressions</b></a><br>
:black_small_square: <a href="https://www.regextester.com/"><b>Online Regex Tester & Debugger</b></a><br>
:black_small_square: <a href="https://github.com/nginxinc/NGINX-Demos/tree/master/nginx-regex-tester"><b>Tool for testing regular expressions directly within an NGINX configuration</b></a><br>
:black_small_square: <a href="https://gchq.github.io/CyberChef/"><b>A web app for encryption, encoding, compression and data analysis</b></a><br>
:black_small_square: <a href="https://nginx.viraptor.info/"><b>Nginx location match tester</b></a><br>
:black_small_square: <a href="https://detailyang.github.io/nginx-location-match-visible/"><b>Nginx location match visible</b></a><br>
</p>
##### Other stuff
<p>
:black_small_square: <a href="https://developer.mozilla.org/en-US/docs/Web"><b>Web technology for developers</b></a><br>
:black_small_square: <a href="https://infosec.mozilla.org/guidelines/web_security.html"><b>Mozilla Web Security</b></a><br>
:black_small_square: <a href="https://appsecwiki.com/#/"><b>Application Security Wiki</b></a><br>
:black_small_square: <a href="https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project"><b>OWASP ASVS 3.0.1</b></a><br>
:black_small_square: <a href="https://github.com/Santandersecurityresearch/asvs"><b>OWASP ASVS 3.0.1 Web App</b></a><br>
:black_small_square: <a href="https://github.com/OWASP/ASVS/tree/master/4.0"><b>OWASP ASVS 4.0</b></a><br>
:black_small_square: <a href="https://www.owasp.org/index.php/OWASP_Proactive_Controls"><b>OWASP Top 10 Proactive Controls 2018</b></a><br>
:black_small_square: <a href="https://www.owasp.org/index.php/OWASP_Testing_Project"><b>OWASP Testing Guide v4</b></a><br>
:black_small_square: <a href="https://github.com/OWASP/DevGuide"><b>OWASP Dev Guide</b></a><br>
:black_small_square: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html"><b>Transport Layer Protection Cheat Sheet by OWASP</b></a><br>
:black_small_square: <a href="https://github.com/OWASP/wstg"><b>OWASP WSTG</b></a><br>
:black_small_square: <a href="https://wiki.mozilla.org/Security/Server_Side_TLS"><b>Security/Server Side TLS by Mozilla</b></a><br>
:black_small_square: <a href="https://bettercrypto.org/"><b>Applied Crypto Hardening</b></a><br>
:black_small_square: <a href="https://caniuse.com/#home"><b>Browser support tables for modern web technologies</b></a><br>
:black_small_square: <a href="https://badssl.com/"><b>Memorable site for testing clients against bad SSL configs</b></a><br>
:black_small_square: <a href="https://https.cio.gov/"><b>The HTTPS-Only Standard</b></a><br>
:black_small_square: <a href="https://portswigger.net/web-security"><b>The Web Security Academy</b></a><br>
:black_small_square: <a href="https://portswigger.net/kb/issues"><b>Burp Scanner - Issue Definitions</b></a><br>
:black_small_square: <a href="https://odino.org/wasec-web-application-security-what-to-do-when-dot-dot-dot/"><b>Web application security: what to do when...</b></a><br>
:black_small_square: <a href="https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml"><b>Transport Layer Security (TLS) Parameters</b></a><br>
:black_small_square: <a href="https://github.com/GrrrDog/TLS-Redirection#technical-details"><b>TLS Redirection (and Virtual Host Confusion)</b></a><br>
:black_small_square: <a href="https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/"><b>TLS Security 6: Examples of TLS Vulnerabilities and Attacks</b></a><br>
:black_small_square: <a href="https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers"><b>Guidelines for Setting Security Headers</b></a><br>
:black_small_square: <a href="https://infosec.mozilla.org/guidelines/web_security.html"><b>Mozilla Guidelines - Web Security</b></a><br>
:black_small_square: <a href="https://medium.freecodecamp.org/secure-your-web-application-with-these-http-headers-fd66e0367628"><b>Secure your web application with these HTTP headers</b></a><br>
:black_small_square: <a href="https://zinoui.com/blog/security-http-headers"><b>Security HTTP Headers</b></a><br>
:black_small_square: <a href="https://github.com/GrrrDog/weird_proxies/wiki"><b>Analysis of various reverse proxies, cache proxies, load balancers, etc.</b></a><br>
:black_small_square: <a href="https://howhttps.works/"><b>How HTTPS works ...in a comic!</b></a><br>
:black_small_square: <a href="https://www.regular-expressions.info/"><b>Regular-Expressions</b></a><br>
:black_small_square: <a href="https://github.com/attackercan/REGEXP-SECURITY-CHEATSHEET"><b>Regexp Security Cheatsheet</b></a><br>
:black_small_square: <a href="https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/#the-beginning"><b>HTTPS on Stack Overflow: The End of a Long Road</b></a><br>
:black_small_square: <a href="https://www.aosabook.org/en/nginx.html"><b>The Architecture of Open Source Applications - Nginx</b></a><br>
:black_small_square: <a href="http://www.bbc.co.uk/blogs/internet/entries/17d22fb8-cea2-49d5-be14-86e7a1dcde04"><b>BBC Digital Media Distribution: How we improved throughput by 4x</b></a><br>
:black_small_square: <a href="http://www.kegel.com/c10k.html"><b>The C10K problem by Dan Kegel</b></a><br>
:black_small_square: <a href="http://highscalability.com/blog/2013/5/13/the-secret-to-10-million-concurrent-connections-the-kernel-i.html"><b>The Secret To 10 Million Concurrent Connections</b></a><br>
:black_small_square: <a href="https://hpbn.co/"><b>High Performance Browser Networking</b></a><br>
:black_small_square: <a href="https://github.com/donnemartin/system-design-primer"><b>The System Design Primer</b></a><br>
:black_small_square: <a href="https://github.com/binhnguyennus/awesome-scalability"><b>awesome-scalability</b></a><br>
:black_small_square: <a href="https://engineering.videoblocks.com/web-architecture-101-a3224e126947"><b>Web Architecture 101</b></a><br>
:black_small_square: <a href="https://github.com/leandromoreira/linux-network-performance-parameters"><b>Learn where some of the network sysctl variables fit into the Linux/Kernel network flow</b></a><br>
:black_small_square: <a href="https://suniphrase.wordpress.com/2015/10/27/jemalloc-vs-tcmalloc-vs-dlmalloc/"><b>jemalloc vs tcmalloc vs dlmalloc</b></a><br>
:black_small_square: <a href="https://arxiv.org/pdf/1905.01135.pdf"><b>On the Impact of Memory Allocation on High-Performance Query Processing</b></a><br>
:black_small_square: <a href="https://github.blog/2018-08-08-glb-director-open-source-load-balancer/"><b>GLB: GitHub’s open source load balancer</b></a><br>
</p>
# What's next?
Go back to the [Table of Contents](#table-of-contents) or read the next chapters:
- **[HTTP Basics](doc/HTTP_BASICS.md#http-basics)**<a id="toc-http-basics-2"></a>
> Introduction to HTTP.
- **[SSL/TLS Basics](doc/SSL_TLS_BASICS.md#ssltls-basics)**<a id="toc-ssltls-basics-2"></a>
> Introduction to SSL/TLS.
- **[NGINX Basics](doc/NGINX_BASICS.md#nginx-basics)**<a id="toc-nginx-basics-2"></a>
> Introduction and explanation of the NGINX mechanisms.
- **[Helpers](doc/HELPERS.md#helpers)**<a id="toc-helpers-2"></a>
> One-liners, commands, utilities for building NGINX, and more.
- **[Base Rules (16)](doc/RULES.md#base-rules)**<a id="toc-base-rules-2"></a>
> The basic set of rules to keep NGINX in a good condition.
- **[Debugging (5)](doc/RULES.md#debugging)**<a id="toc-debugging-2"></a>
> A few things for troubleshooting configuration problems.
- **[Performance (13)](doc/RULES.md#performance)**<a id="toc-performance-2"></a>
> Many methods to make sure NGINX is as fast as possible.
- **[Hardening (31)](doc/RULES.md#hardening)**<a id="toc-hardening-2"></a>
> Security and hardening methods in line with best practices.
- **[Reverse Proxy (8)](doc/RULES.md#reverse-proxy)**<a id="toc-reverse-proxy-2"></a>
> A few rules about the NGINX proxy server.
- **[Load Balancing (2)](doc/RULES.md#load-balancing)**<a id="toc-load-balancing-2"></a>
> Some rules to improve NGINX as a load balancer.
- **[Others (4)](doc/RULES.md#others)**<a id="toc-others-2"></a>
> Other interesting rules, not necessarily linked to NGINX.
- **[Configuration Examples](doc/EXAMPLES.md#configuration-examples)**<a id="toc-configuration-examples-2"></a>
> Here are some configuration examples.
----
<br>
<p align="center">
<a href="https://nystudio107.com/blog/stop-using-htaccess-files-no-really">
<img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/nginx_meme_2.png" alt="Meme" width="50%" height="50%">
</a>
</p>
================================================
FILE: doc/EXAMPLES.md
================================================
# Configuration Examples
Go back to the **[⬆ Table of Contents](https://github.com/trimstray/nginx-admins-handbook#table-of-contents)** or **[⬆ What's next?](https://github.com/trimstray/nginx-admins-handbook#whats-next)** section.
- **[≡ Configuration Examples](#examples)**
* [Reverse Proxy](#reverse-proxy)
* [Installation](#installation)
* [Configuration](#configuration)
* [Import configuration](#import-configuration)
* [Set bind IP address](#set-bind-ip-address)
* [Set your domain name](#set-your-domain-name)
* [Regenerate private keys and certs](#regenerate-private-keys-and-certs)
* [Update modules list](#update-modules-list)
* [Generating the necessary error pages](#generating-the-necessary-error-pages)
* [Add new domain](#add-new-domain)
* [Test your configuration](#test-your-configuration)
> Remember to make a copy of the current configuration and all files/directories.
This chapter is still a work in progress.
## Installation
I used the step-by-step tutorial from this handbook: [Installing from source](HELPERS.md#installing-from-source).
## Configuration
I used a Google Cloud instance with the following parameters:
| <b>ITEM</b> | <b>VALUE</b> | <b>COMMENT</b> |
| :--- | :--- | :--- |
| VM | Google Cloud Platform | |
| vCPU | 2x | |
| Memory | 4096MB | |
| HTTP | Varnish on port 80 | |
| HTTPS | NGINX on port 443 | |
## Reverse Proxy
This chapter describes the basic configuration of my proxy server (for the [blkcipher.info](https://blkcipher.info) domain).
> Configuration is based on the [installation from source](HELPERS.md#installing-from-source) chapter. If you go through the installation process step by step, you can use the following configuration (minor adjustments may be required).
#### Import configuration
It's very simple: clone the repo, back up your current configuration and perform a full directory sync:
```bash
git clone https://github.com/trimstray/nginx-admins-handbook
cd nginx-admins-handbook
tar czvfp ~/nginx.etc.tgz /etc/nginx && mv /etc/nginx /etc/nginx.old
rsync -avur lib/nginx/ /etc/nginx/
```
> If you compiled NGINX from source, you should also update/refresh the modules. All compiled modules are stored in `/usr/local/src/nginx-${ngx_version}/master/objs` and installed in accordance with the value of the `--modules-path` variable.
#### Set bind IP address
###### Find and replace 192.168.252.2 string in directory and file names
```bash
cd /etc/nginx
find . -depth -not -path '*/\.git*' -name '*192.168.252.2*' -execdir bash -c 'mv -v "$1" "${1//192.168.252.2/xxx.xxx.xxx.xxx}"' _ {} \;
```
###### Find and replace 192.168.252.2 string in configuration files
```bash
cd /etc/nginx
find . -not -path '*/\.git*' -type f -print0 | xargs -0 sed -i 's/192.168.252.2/xxx.xxx.xxx.xxx/g'
```
#### Set your domain name
###### Find and replace blkcipher.info string in directory and file names
```bash
cd /etc/nginx
find . -not -path '*/\.git*' -depth -name '*blkcipher.info*' -execdir bash -c 'mv -v "$1" "${1//blkcipher.info/example.com}"' _ {} \;
```
###### Find and replace blkcipher.info string in configuration files
```bash
cd /etc/nginx
find . -not -path '*/\.git*' -type f -print0 | xargs -0 sed -i 's/blkcipher_info/example_com/g'
find . -not -path '*/\.git*' -type f -print0 | xargs -0 sed -i 's/blkcipher.info/example.com/g'
```
#### Regenerate private keys and certs
###### For localhost
```bash
cd /etc/nginx/master/_server/localhost/certs
# Private key + Self-signed certificate:
( _fd="localhost.key" ; _fd_crt="nginx_localhost_bundle.crt" ; \
openssl req -x509 -newkey rsa:2048 -keyout ${_fd} -out ${_fd_crt} -days 365 -nodes \
-subj "/C=X0/ST=localhost/L=localhost/O=localhost/OU=X00/CN=localhost" )
```
###### For `default_server`
```bash
cd /etc/nginx/master/_server/defaults/certs
# Private key + Self-signed certificate:
( _fd="defaults.key" ; _fd_crt="nginx_defaults_bundle.crt" ; \
openssl req -x509 -newkey rsa:2048 -keyout ${_fd} -out ${_fd_crt} -days 365 -nodes \
-subj "/C=X1/ST=default/L=default/O=default/OU=X11/CN=default_server" )
```
###### For your domain (e.g. Let's Encrypt)
```bash
cd /etc/nginx/master/_server/example.com/certs
# For multidomain:
certbot certonly -d example.com -d www.example.com --rsa-key-size 2048
# For wildcard:
# Quote the wildcard so the shell does not expand it as a glob:
certbot certonly --manual --preferred-challenges=dns -d example.com -d '*.example.com' --rsa-key-size 2048
# Copy private key and chain:
cp /etc/letsencrypt/live/example.com/fullchain.pem nginx_example.com_bundle.crt
cp /etc/letsencrypt/live/example.com/privkey.pem example.com.key
```
#### Update modules list
Update modules list and include `modules.conf` to your configuration:
```bash
_mod_dir="/etc/nginx/modules"
:>"${_mod_dir}.conf"
# Iterate over the .so files directly instead of parsing ls output:
for _module in "${_mod_dir}"/*.so ; do
  printf 'load_module\t\t%s;\n' "${_module}" >> "${_mod_dir}.conf"
done
```
#### Generating the necessary error pages
> In the example (`lib/nginx`), error pages are included from the `lib/nginx/master/_static/errors.conf` file.
- default location: `/etc/nginx/html`:
```
50x.html index.html
```
- custom location: `/usr/share/www`:
```bash
cd /etc/nginx/snippets/http-error-pages
./httpgen
# You can also sync sites/ directory with /etc/nginx/html:
# rsync -var sites/ /etc/nginx/html/
rsync -var sites/ /usr/share/www/
```
#### Add new domain
###### Updated `nginx.conf`
```nginx
# At the end of the file (in 'IPS/DOMAINS' section):
include /etc/nginx/master/_server/domain.com/servers.conf;
include /etc/nginx/master/_server/domain.com/backends.conf;
```
###### Init domain directory
```bash
cd /etc/nginx/master/_server
cp -R example.com domain.com
cd domain.com
find . -not -path '*/\.git*' -depth -name '*example.com*' -execdir bash -c 'mv -v "$1" "${1//example.com/domain.com}"' _ {} \;
find . -not -path '*/\.git*' -type f -print0 | xargs -0 sed -i 's/example_com/domain_com/g'
find . -not -path '*/\.git*' -type f -print0 | xargs -0 sed -i 's/example.com/domain.com/g'
```
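The rename steps above (Set bind IP address, Set your domain name, Add new domain) folded into a single helper, as an added example that is not part of the handbook; `rename_nginx_site` and the sample tree the test runs it on are my own constructions. Unlike the `sed` one-liners it escapes the dots in the old name, so `blkcipher.info` matches literally and cannot also rewrite `blkcipherXinfo`, and it writes files back in place so private-key permissions survive.

```shell
#!/bin/sh
# Added example (not part of the handbook): rename a domain or bind address
# across an NGINX config tree in one pass, as the find/sed steps above do.
# Usage: rename_nginx_site DIR OLD NEW   (e.g. /etc/nginx blkcipher.info example.com)

# Escape a literal string for use as a sed pattern / sed replacement.
esc_re()  { printf '%s' "$1" | sed 's|[][\.*^$/]|\\&|g'; }
esc_rep() { printf '%s' "$1" | sed 's|[\&/]|\\&|g'; }

rename_nginx_site() {
  dir=$1 old=$2 new=$3
  [ -d "$dir" ] && [ -n "$old" ] && [ -n "$new" ] || return 2
  old_re=$(esc_re "$old"); new_rep=$(esc_rep "$new")
  script="s/${old_re}/${new_rep}/g"
  # The underscore form (blkcipher_info -> example_com) is used in upstream
  # names, so rewrite it as well when OLD contains dots.
  old_us=$(printf '%s' "$old" | tr . _); new_us=$(printf '%s' "$new" | tr . _)
  if [ "$old_us" != "$old" ]; then
    script="${script};s/$(esc_re "$old_us")/$(esc_rep "$new_us")/g"
  fi

  # 1. File and directory names, deepest first (-depth) so a directory is
  #    renamed only after everything inside it has been handled.
  find "$dir" -depth ! -path '*/.git/*' -name "*${old}*" | while IFS= read -r path; do
    newbase=$(basename "$path" | sed "s/${old_re}/${new_rep}/g")
    mv "$path" "$(dirname "$path")/$newbase"
  done

  # 2. File contents. Writing back through the original inode (cat > file)
  #    keeps the mode bits, e.g. 0600 on private keys, unlike mv of a temp file.
  tmp=$(mktemp) || return 1
  find "$dir" -type f ! -path '*/.git/*' | while IFS= read -r f; do
    sed "$script" "$f" > "$tmp" && cat "$tmp" > "$f"
  done
  rm -f "$tmp"
}
```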
#### Create log directories
```bash
mkdir -p /var/log/nginx/localhost
mkdir -p /var/log/nginx/defaults
mkdir -p /var/log/nginx/others
mkdir -p /var/log/nginx/domains/blkcipher.info
chown -R nginx:nginx /var/log/nginx
```
#### Logrotate configuration
```bash
cp /etc/nginx/snippets/logrotate.d/nginx /etc/logrotate.d/
```
#### Test your configuration
```bash
nginx -t -c /etc/nginx/nginx.conf
```
================================================
FILE: doc/HELPERS.md
================================================
# Helpers
Go back to the **[Table of Contents](https://github.com/trimstray/nginx-admins-handbook#table-of-contents)** or **[What's next?](https://github.com/trimstray/nginx-admins-handbook#whats-next)** section.
- **[≡ Helpers](#helpers)**
* [Installing from prebuilt packages](#installing-from-prebuilt-packages)
* [RHEL7 or CentOS 7](#rhel7-or-centos-7)
* [Debian or Ubuntu](#debian-or-ubuntu)
* [FreeBSD](#freebsd)
* [Installing from source](#installing-from-source)
* [Automatic installation on RHEL/Debian/BSD](#automatic-installation-on-rheldebianbsd)
* [Nginx package](#nginx-package)
* [Dependencies](#dependencies)
* [Patches](#patches)
* [3rd party modules](#3rd-party-modules)
* [Configure options](#configure-options)
* [Compiler and linker](#compiler-and-linker)
* [Debugging Symbols](#debugging-symbols)
* [SystemTap](#systemtap)
* [stapxx](#stapxx)
* [Installation Nginx on CentOS 7](#installation-nginx-on-centos-7)
* [Pre installation tasks](#pre-installation-tasks)
* [Dependencies](#dependencies)
* [Get Nginx sources](#get-nginx-sources)
* [Download 3rd party modules](#download-3rd-party-modules)
* [Build Nginx](#build-nginx)
* [Post installation tasks](#post-installation-tasks)
* [Installation OpenResty on CentOS 7](#installation-openresty-on-centos-7)
* [Installation Tengine on Ubuntu 18.04](#installation-tengine-on-ubuntu-1804)
* [Installation Nginx on FreeBSD 11.3](#installation-nginx-on-freebsd-113)
* [Installation Nginx on FreeBSD 12.1 (from ports)](#installation-nginx-on-freebsd-121-from-ports)
* [Analyse configuration](#analyse-configuration)
* [Monitoring](#monitoring)
* [GoAccess](#goaccess)
* [Build and install](#build-and-install)
* [Analyse log file and enable all recorded statistics](#analyse-log-file-and-enable-all-recorded-statistics)
* [Analyse compressed log file](#analyse-compressed-log-file)
* [Analyse log file remotely](#analyse-log-file-remotely)
* [Analyse log file and generate html report](#analyse-log-file-and-generate-html-report)
* [Ngxtop](#ngxtop)
* [Analyse log file](#analyse-log-file)
* [Analyse log file and print requests with 4xx and 5xx](#analyse-log-file-and-print-requests-with-4xx-and-5xx)
* [Analyse log file remotely](#analyse-log-file-remotely-1)
* [Testing](#testing)
* [Build OpenSSL 1.0.2-chacha version](HELPERS.md#build-openssl-102-chacha-version)
* [Send request and show response headers](#send-request-and-show-response-headers)
* [Send request with http method, user-agent, follow redirects and show response headers](#send-request-with-http-method-user-agent-follow-redirects-and-show-response-headers)
* [Send multiple requests](#send-multiple-requests)
* [Testing SSL connection](#testing-ssl-connection)
* [Testing SSL connection (debug mode)](#testing-ssl-connection-debug-mode)
* [Testing SSL connection with SNI support](#testing-ssl-connection-with-sni-support)
* [Testing SSL connection with specific SSL version](#testing-ssl-connection-with-specific-ssl-version)
* [Testing SSL connection with specific cipher](#testing-ssl-connection-with-specific-cipher)
* [Testing OCSP Stapling](#testing-ocsp-stapling)
* [Verify 0-RTT](#verify-0-rtt)
* [Testing SCSV](#testing-scsv)
* [Load testing with ApacheBench (ab)](#load-testing-with-apachebench-ab)
* [Standard test](#standard-test)
* [Test with Keep-Alive header](#test-with-keep-alive-header)
* [Load testing with wrk2](#load-testing-with-wrk2)
* [Standard scenarios](#standard-scenarios)
* [POST call (with Lua)](#post-call-with-lua)
* [Random paths (with Lua)](#random-paths-with-lua)
* [Multiple paths (with Lua)](#multiple-paths-with-lua)
* [Random server address to each thread (with Lua)](#random-server-address-to-each-thread-with-lua)
* [Multiple json requests (with Lua)](#multiple-json-requests-with-lua)
* [Debug mode (with Lua)](#debug-mode-with-lua)
* [Analyse data pass to and from the threads](#analyse-data-pass-to-and-from-the-threads)
* [Parsing wrk result and generate report](#parsing-wrk-result-and-generate-report)
* [Load testing with locust](#load-testing-with-locust)
* [Multiple paths](#multiple-paths)
* [Multiple paths with different user sessions](#multiple-paths-with-different-user-sessions)
* [TCP SYN flood Denial of Service attack](#tcp-syn-flood-denial-of-service-attack)
* [HTTP Denial of Service attack](#http-denial-of-service-attack)
* [Debugging](#debugging)
* [Show information about processes](#show-information-about-processes)
* [Check memory usage](#check-memory-usage)
* [Show open files](#show-open-files)
* [Check segmentation fault messages](#check-segmentation-fault-messages)
* [Dump configuration](#dump-configuration)
* [Get the list of configure arguments](#get-the-list-of-configure-arguments)
* [Check if the module has been compiled](#check-if-the-module-has-been-compiled)
* [Show the most accessed IP addresses](#show-the-most-accessed-ip-addresses)
* [Show the most accessed IP addresses (ip and url)](#show-the-most-accessed-ip-addresses-ip-and-url)
* [Show the most accessed IP addresses (method, code, ip, and url)](#show-the-most-accessed-ip-addresses-method-code-ip-and-url)
* [Show the top 5 visitors (IP addresses)](#show-the-top-5-visitors-ip-addresses)
* [Show the most requested urls](#show-the-most-requested-urls)
* [Show the most requested urls containing 'string'](#show-the-most-requested-urls-containing-string)
* [Show the most requested urls with http methods](#show-the-most-requested-urls-with-http-methods)
* [Show the most accessed response codes](#show-the-most-accessed-response-codes)
* [Analyse web server log and show only 2xx http codes](#analyse-web-server-log-and-show-only-2xx-http-codes)
* [Analyse web server log and show only 5xx http codes](#analyse-web-server-log-and-show-only-5xx-http-codes)
* [Show requests which result 502 and sort them by number per requests by url](#show-requests-which-result-502-and-sort-them-by-number-per-requests-by-url)
* [Show requests which result 404 for php files and sort them by number per requests by url](#show-requests-which-result-404-for-php-files-and-sort-them-by-number-per-requests-by-url)
* [Calculating amount of http response codes](#calculating-amount-of-http-response-codes)
* [Calculating requests per second](#calculating-requests-per-second)
* [Calculating requests per second with IP addresses](#calculating-requests-per-second-with-ip-addresses)
* [Calculating requests per second with IP addresses and urls](#calculating-requests-per-second-with-ip-addresses-and-urls)
* [Get entries within last n hours](#get-entries-within-last-n-hours)
* [Get entries between two timestamps (range of dates)](#get-entries-between-two-timestamps-range-of-dates)
* [Get line rates from web server log](#get-line-rates-from-web-server-log)
* [Trace network traffic for all processes](#trace-network-traffic-for-all-nginx-processes)
* [List all files accessed by a NGINX](#list-all-files-accessed-by-a-nginx)
* [Check that the gzip_static module is working](#check-that-the-gzip_static-module-is-working)
* [Which worker processing current request](#which-worker-processing-current-request)
* [Capture only http packets](#capture-only-http-packets)
* [Extract User Agent from the http packets](#extract-user-agent-from-the-http-packets)
* [Capture only http GET and POST packets](#capture-only-http-get-and-post-packets)
* [Capture requests and filter by source ip and destination port](#capture-requests-and-filter-by-source-ip-and-destination-port)
* [Capture HTTP requests/responses in real time, filter by GET, HEAD and save to a file](#capture-http-requests--responses-in-real-time-filter-by-get-head-and-save-to-a-file)
* [Dump a process's memory](#dump-a-processs-memory)
* [GNU Debugger (gdb)](#gnu-debugger-gdb)
* [Dump configuration from a running process](#dump-configuration-from-a-running-process)
* [Show debug log in memory](#show-debug-log-in-memory)
* [Core dump backtrace](#core-dump-backtrace)
* [Debugging socket leaks](#debugging-socket-leaks)
* [Shell aliases](#shell-aliases)
* [Configuration snippets](#configuration-snippets)
* [Nginx server header removal](#nginx-server-header-removal)
* [Custom log formats](#custom-log-formats)
* [Log only 4xx/5xx](#log-only-4xx5xx)
* [Restricting access with basic authentication](#restricting-access-with-basic-authentication)
* [Restricting access with client certificate](#restricting-access-with-client-certificate)
* [Restricting access by geographical location](#restricting-access-by-geographical-location)
* [GeoIP 2 database](#geoip-2-database)
* [Dynamic error pages with SSI](#dynamic-error-pages-with-ssi)
* [Blocking/allowing IP addresses](#blockingallowing-ip-addresses)
* [Blocking referrer spam](#blocking-referrer-spam)
* [Limiting referrer spam](#limiting-referrer-spam)
* [Blocking User-Agent](#blocking-user-agent)
* [Limiting User-Agent](#limiting-user-agent)
* [Limiting the rate of requests with burst mode](#limiting-the-rate-of-requests-with-burst-mode)
* [Limiting the rate of requests with burst mode and nodelay](#limiting-the-rate-of-requests-with-burst-mode-and-nodelay)
* [Limiting the rate of requests per IP with geo and map](#limiting-the-rate-of-requests-per-ip-with-geo-and-map)
* [Limiting the number of connections](#limiting-the-number-of-connections)
* [Using trailing slashes](#using-trailing-slashes)
* [Properly redirect all HTTP requests to HTTPS](#properly-redirect-all-http-requests-to-https)
* [Adding and removing the www prefix](#adding-and-removing-the-www-prefix)
* [Proxy/rewrite and keep the original URL](#proxyrewrite-and-keep-the-original-url)
* [Proxy/rewrite and keep the part of original URL](#proxyrewrite-and-keep-the-part-of-original-url)
* [Proxy/rewrite without changing the original URL (in browser)](#proxyrewrite-without-changing-the-original-url-in-browser)
* [Modify 301/302 response body](#modify-301302-response-body)
* [Redirect POST request with payload to external endpoint](#redirect-post-request-with-payload-to-external-endpoint)
* [Route to different backends based on HTTP method](#route-to-different-backends-based-on-HTTP-method)
* [Allow multiple cross-domains using the CORS headers](#allow-multiple-cross-domains-using-the-cors-headers)
* [Set correct scheme passed in X-Forwarded-Proto](#set-correct-scheme-passed-in-x-forwarded-proto)
* [Other snippets](#other-snippets)
* [Recreate base directory](#recreate-base-directory)
* [Create a temporary static backend](#create-a-temporary-static-backend)
* [Create a temporary static backend with SSL support](#create-a-temporary-static-backend-with-ssl-support)
* [Generate password file with htpasswd command](#generate-password-file-with-htpasswd-command)
* [Generate private key without passphrase](#generate-private-key-without-passphrase)
* [Generate private key with passphrase](#generate-private-key-with-passphrase)
* [Remove passphrase from private key](#remove-passphrase-from-private-key)
* [Encrypt existing private key with a passphrase](#encrypt-existing-private-key-with-a-passphrase)
* [Generate CSR](#generate-csr)
* [Generate CSR (metadata from existing certificate)](#generate-csr-metadata-from-existing-certificate)
* [Generate CSR with -config param](#generate-csr-with--config-param)
* [Generate private key and CSR](#generate-private-key-and-csr)
* [List available EC curves](#list-available-ec-curves)
* [Print ECDSA private and public keys](#print-ecdsa-private-and-public-keys)
* [Generate ECDSA private key](#generate-ecdsa-private-key)
* [Generate private key and CSR (ECC)](#generate-private-key-with-csr-ecc)
* [Generate self-signed certificate](#generate-self-signed-certificate)
* [Generate self-signed certificate from existing private key](#generate-self-signed-certificate-from-existing-private-key)
* [Generate self-signed certificate from existing private key and csr](#generate-self-signed-certificate-from-existing-private-key-and-csr)
* [Generate multidomain certificate (Certbot)](#generate-multidomain-certificate-certbot)
* [Generate wildcard certificate (Certbot)](#generate-wildcard-certificate-certbot)
* [Generate certificate with 4096 bit private key (Certbot)](#generate-certificate-with-4096-bit-private-key-certbot)
* [Generate DH public parameters](#generate-dh-public-parameters)
* [Display DH public parameters](#display-dh-public-parameters)
* [Extract private key from pfx](#extract-private-key-from-pfx)
* [Extract private key and certs from pfx](#extract-private-key-and-certs-from-pfx)
* [Extract certs from p7b](#extract-certs-from-p7b)
* [Convert DER to PEM](#convert-der-to-pem)
* [Convert PEM to DER](#convert-pem-to-der)
* [Verification of the certificate's supported purposes](#verification-of-the-certificates-supported-purposes)
* [Check private key](#check-private-key)
* [Verification of the private key](#verification-of-the-private-key)
* [Get public key from private key](#get-public-key-from-private-key)
* [Verification of the public key](#verification-of-the-public-key)
* [Verification of the certificate](#verification-of-the-certificate)
* [Verification of the CSR](#verification-of-the-csr)
* [Check that the private key and the certificate match](#check-the-private-key-and-the-certificate-are-match)
* [Check that the private key and the CSR match](#check-the-private-key-and-the-csr-are-match)
* [TLSv1.3 and CCM ciphers](#tlsv13-and-ccm-ciphers)
#### Installing from prebuilt packages
> **:bookmark: [Always keep NGINX up-to-date - Hardening - P1](RULES.md#beginner-always-keep-nginx-up-to-date)**
##### RHEL7 or CentOS 7
###### From EPEL
```bash
# Install epel repository:
yum install epel-release
# or alternative (add --no-check-certificate only if the system CA bundle is too old to validate the download):
# wget -c https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# yum install epel-release-latest-7.noarch.rpm
# Install NGINX:
yum install nginx
```
###### From Software Collections
```bash
# Install and enable scl:
yum install centos-release-scl
yum-config-manager --enable rhel-server-rhscl-7-rpms
# Install NGINX (rh-nginx14, rh-nginx16, rh-nginx18):
yum install rh-nginx16
# Enable NGINX from SCL:
scl enable rh-nginx16 bash
```
###### From Official Repository
```bash
# Where:
# - <os_type> is: rhel or centos
# Quote the delimiter so $releasever and $basearch reach the repo file unexpanded:
cat > /etc/yum.repos.d/nginx.repo << '__EOF__'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/<os_type>/$releasever/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
__EOF__
# Install NGINX:
yum install nginx
```
##### Debian or Ubuntu
Check the available flavours of NGINX before installing. For more information, please see [this](https://askubuntu.com/a/556382) great answer by [Thomas Ward](https://askubuntu.com/users/10616/thomas-ward).
###### From Debian/Ubuntu Repository
```bash
# Install NGINX:
apt-get install nginx
```
###### From Official Repository
```bash
# Where:
# - <os_type> is: debian or ubuntu
# - <os_release> is: xenial, bionic, jessie, stretch or other
cat > /etc/apt/sources.list.d/nginx.list << __EOF__
deb http://nginx.org/packages/<os_type>/ <os_release> nginx
deb-src http://nginx.org/packages/<os_type>/ <os_release> nginx
__EOF__
# Update packages list:
apt-get update
# Download the public key (or <pub_key> from your GPG error):
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys <pub_key>
# Install NGINX:
apt-get update
apt-get install nginx
```
##### FreeBSD
###### From FreeBSD Repository
```bash
# Install NGINX:
pkg install nginx
```
> If you install NGINX on FreeBSD/OpenBSD please see [Tuning FreeBSD for the highload](http://nginx.org/en/docs/freebsd_tuning.html).
#### Installing from source
> **:bookmark: [Always keep NGINX up-to-date - Hardening - P1](RULES.md#beginner-always-keep-nginx-up-to-date)**
The build is configured using the `configure` command. The configure shell script attempts to guess correct values for various system-dependent variables used during compilation and uses those values to create a `Makefile`. You can also set environment variables and options so that configure finds packages such as `zlib` or `openssl`, and adjust many other options (paths, modules).
Before beginning the installation process, please read these important articles, which describe the entire installation process and the parameters of the `configure` command:
- [Installation and Compile-Time Options](https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions/)
- [Installing NGINX Open Source](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#configure)
- [Building nginx from Sources](https://nginx.org/en/docs/configure.html)
In this chapter I'll present several very similar methods of installation:
- [Installation Nginx on CentOS 7](#installation-nginx-on-centos-7)
- [Installation OpenResty on CentOS 7](#installation-openresty-on-centos-7)
- [Installation Tengine on Ubuntu 18.04](#installation-tengine-on-ubuntu-1804)
- [Installation Nginx on FreeBSD 11.3](#installation-nginx-on-freebsd-113)
- [Installation Nginx on FreeBSD 12.1 (from ports)](#installation-nginx-on-freebsd-121-from-ports)
Each of them is suited to high-performance as well as high-concurrency applications, and they work great as high-end proxy servers too. Of course, if you want, you can use the default installation (remember about the [dependencies](#dependencies)):
```bash
./configure
make && make install
```
Also have a look at this short note about system locations; it can be useful too:
- For booting the system, rescues and maintenance: `/`
- `/bin` - user programs
- `/sbin` - system programs
- `/lib` - shared libraries
- Full running environment: `/usr`
- `/usr/bin` - user programs
- `/usr/sbin` - system programs
- `/usr/lib` - shared libraries
- `/usr/share` - manual pages, data
- Added packages: `/usr/local`
- `/usr/local/bin` - user programs
- `/usr/local/sbin` - system programs
- `/usr/local/lib` - shared libraries
- `/usr/local/share` - manual pages, data
##### Automatic installation on RHEL/Debian/BSD
Installing from source consists of multiple steps. If you don't want to go through all of them manually, you can run the automated script I created to facilitate the whole installation process.
> It supports Debian and RHEL-like distributions, and FreeBSD.
This tool is located in `lib/ngx_installer.sh`. The configuration file is `lib/ngx_installer.conf` and the variables are in `lib/ngx_installer.vars`. By default it prompts you to confirm each step, but you can disable that if you want:
```bash
cd lib/
export NGX_PROMPT=0 ; bash ngx_installer.sh
```
##### Nginx package
There are currently two versions of NGINX:
- **stable** - recommended; it doesn't include all of the latest features, but has critical bug fixes from the mainline release
- **mainline** - typically quite stable as well; includes the latest features and bug fixes and is always up to date
You can download the NGINX source code from the official read-only mirrors:
> Detailed instructions on downloading and compiling the NGINX sources can be found later in the handbook.
- [NGINX source code](https://nginx.org/download/)
- [NGINX GitHub repository](https://github.com/nginx/nginx)
##### Dependencies
Mandatory requirements:
> Download, compile and install them, or install the prebuilt packages from your distribution's repository.
- [OpenSSL](https://www.openssl.org/source/) library
- [Zlib](https://zlib.net/) or [Cloudflare Zlib](https://github.com/cloudflare/zlib) library
- [PCRE](https://ftp.pcre.org/pub/pcre/) library
- [LuaJIT v2.1](https://github.com/LuaJIT/LuaJIT) or [OpenResty's LuaJIT2](https://github.com/openresty/luajit2) library
- [jemalloc](https://github.com/jemalloc/jemalloc) library
OpenResty's LuaJIT uses its own branch of LuaJIT with various important bug fixes and optimizations for OpenResty's use cases.
I also use the Cloudflare Zlib version for performance reasons. See the articles below:
- [A comparison of Zlib implementations](http://www.htslib.org/benchmarks/zlib.html)
- [Improving Nginx Zlib Compression Performance](https://medium.com/@centminmod/improving-nginx-zlib-compression-performance-eb961f3ac0f4)
Whether you download and compile the sources above or use prebuilt packages, it is a good idea to install the following additional packages (names depend on the system version) before building NGINX:
| <b>Debian Like</b> | <b>RedHat Like</b> | <b>FreeBSD\*\*</b> | <b>Comment</b> |
| :--- | :--- | :--- | :--- |
| `gcc`<br>`make`<br>`build-essential`<br>`linux-headers*`<br>`bison` | `gcc`<br>`gcc-c++`<br>`kernel-devel`<br>`bison` | `gcc`<br>`gmake`<br>`bison` | |
| `perl`<br>`libperl-dev`<br>`libphp-embed` | `perl`<br>`perl-devel`<br>`perl-ExtUtils-Embed` | `perl5-devel` | |
| `libssl-dev`* | `openssl-devel`* | | |
| `zlib1g-dev`* | `zlib-devel`* | | |
| `libpcre2-dev`* | `pcre-devel`* | `pcre`* | |
| `lua5.1`<br>`libluajit-5.1-dev`* | `lua`<br>`luajit-devel`* | `lua51`<br>`luajit` | |
| `libxslt-dev` | `libxslt libxslt-devel` | `libxslt` | |
| `libgd-dev` | `gd gd-devel` | `libgd` | |
| `libgeoip-dev` | `GeoIP-devel` | | |
| `libxml2-dev` | `libxml2-devel` | `libxml2` | |
| `libexpat-dev` | `expat-devel` | `expat` | |
| `libgoogle-perftools-dev`<br>`libgoogle-perftools4` | `gperftools-devel` | | |
| | `cpio` | | |
| | `gettext-devel` | | |
| `autoconf` | `autoconf` | `autoconf` | for `jemalloc` from sources |
| `libjemalloc1`<br>`libjemalloc-dev`* | `jemalloc`<br>`jemalloc-devel`* | | for `jemalloc` |
| `libpam0g-dev` | `pam-devel` | | for `ngx_http_auth_pam_module` |
| `jq` | `jq` | `jq` | for [http error pages](https://github.com/trimstray/nginx-admins-handbook/tree/master/lib/nginx/snippets/http-error-pages) generator |
| `git` | `git` | `git` | for `ngx_installer.sh` |
| `wget` | `wget` | `wget` | for `ngx_installer.sh` |
| | | `ncurses` | for `ngx_installer.sh` |
<sup><i>* Only needed if you don't build that library from sources.</i></sup><br>
<sup><i>\*\* The package list for FreeBSD may be incomplete.</i></sup>
Shell one-liners:
```bash
# Ubuntu/Debian
apt-get install gcc make build-essential bison perl libperl-dev lua5.1 libphp-embed libxslt-dev libgd-dev libgeoip-dev libxml2-dev libexpat-dev libgoogle-perftools-dev libgoogle-perftools4 autoconf
apt-get install libssl-dev zlib1g-dev libpcre2-dev libluajit-5.1-dev
apt-get install jq git wget logrotate
# RedHat/CentOS
yum install gcc gcc-c++ kernel-devel bison perl perl-devel perl-ExtUtils-Embed lua libxslt libxslt-devel gd gd-devel GeoIP-devel libxml2-devel expat-devel gperftools-devel cpio gettext-devel autoconf
yum install openssl-devel zlib-devel pcre-devel luajit-devel
yum install jq git wget logrotate
# FreeBSD
pkg install gcc gmake bison perl5-devel lua51 libxslt libgd libxml2 expat autoconf
pkg install pcre luajit
pkg install jq git wget ncurses texinfo gettext gettext-tools
```
##### Patches
- [nginx-remove-server-header.patch](https://gitlab.com/buik/nginx/blob/master/nginx-remove-server-header.patch) - to hide NGINX `Server` header (and more), see also this rule: [Hide Nginx server signature](RULES.md#beginner-hide-nginx-server-signature)
- [TLSv1.3 and CCM ciphers](#tlsv13-and-ccm-ciphers) - to enable `TLS_AES_128_CCM_SHA256` and `TLS_AES_128_CCM_8_SHA256` cipher suites
##### 3rd party modules
> Not all external modules work properly with your current NGINX version. You should read the documentation of each module before adding it to the modules list, and check which version of the module is compatible with your NGINX release. What's more, be careful before adding modules in production: some of them can cause strange behaviour, increased memory and CPU usage, and reduce the overall performance of NGINX.
> Before installing external modules please read [Event-Driven architecture](NGINX_BASICS.md#event-driven-architecture) section to understand why poor quality 3rd party modules may reduce NGINX performance.
> If you already have NGINX running on your server and want to add new modules, you'll need to compile them against the same version of NGINX that's currently installed (`nginx -v`), and to make the new module compatible with the existing NGINX binary you need to use the same compile flags (`nginx -V`). For more please see [How to Compile Dynamic NGINX Modules](https://gorails.com/blog/how-to-compile-dynamic-nginx-modules).
> If you use, e.g. `--with-stream=dynamic`, then all the `stream_xxx` modules must also be built as NGINX dynamic modules. Otherwise you will see linker errors.
Modules can be compiled as a shared object (`*.so` file) and then dynamically loaded into NGINX at runtime (`--add-dynamic-module`). Alternatively, you can build them into NGINX at compile time so that they are linked statically into the NGINX binary (`--add-module`).
I mixed both variants because some of the modules are built in automatically even when I try to compile them as dynamic modules (they do not support dynamic linking).
You can download external modules from:
- [NGINX 3rd Party Modules](https://www.nginx.com/resources/wiki/modules/)
- [OpenResty Components](https://openresty.org/en/components.html)
- [Tengine Modules](https://github.com/alibaba/tengine/tree/master/modules)
A short description of the modules that I used in this step-by-step tutorial:
- [`ngx_devel_kit`](https://github.com/simplresty/ngx_devel_kit)** - adds additional generic tools that module developers can use in their own modules
- [`lua-nginx-module`](https://github.com/openresty/lua-nginx-module) - embed the Power of Lua into NGINX
- [`set-misc-nginx-module`](https://github.com/openresty/set-misc-nginx-module) - various `set_xxx` directives added to NGINX rewrite module
- [`echo-nginx-module`](https://github.com/openresty/echo-nginx-module) - module for bringing the power of `echo`, `sleep`, `time` and more to NGINX config file
- [`headers-more-nginx-module`](https://github.com/openresty/headers-more-nginx-module) - set, add, and clear arbitrary output headers
- [`replace-filter-nginx-module`](https://github.com/openresty/replace-filter-nginx-module) - streaming regular expression replacement in response bodies
- [`array-var-nginx-module`](https://github.com/openresty/array-var-nginx-module) - add supports for array-typed variables to NGINX config files
- [`encrypted-session-nginx-module`](https://github.com/openresty/encrypted-session-nginx-module) - encrypt and decrypt NGINX variable values
- [`nginx-module-sysguard`](https://github.com/vozlt/nginx-module-sysguard) - module to protect servers when system load or memory use goes too high
- [`nginx-access-plus`](https://github.com/nginx-clojure/nginx-access-plus) - allows limiting access to certain http request methods and client addresses
- [`ngx_http_substitutions_filter_module`](https://github.com/yaoweibin/ngx_http_substitutions_filter_module) - can do both regular expression and fixed string substitutions
- [`nginx-sticky-module-ng`](https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/src) - module to add a sticky cookie to be always forwarded to the same
- [`nginx-module-vts`](https://github.com/vozlt/nginx-module-vts) - Nginx virtual host traffic status module
- [`ngx_brotli`](https://github.com/google/ngx_brotli) - module for Brotli compression
- [`ngx_http_naxsi_module`](https://github.com/nbs-system/naxsi) - is an open-source, high performance, low rules maintenance WAF for NGINX
- [`ngx_http_delay_module`](http://mdounin.ru/hg/ngx_http_delay_module) - allows to delay requests for a given time
- [`nginx-backtrace`](https://github.com/alibaba/nginx-backtrace)* - module to dump backtrace when a worker process exits abnormally
- [`ngx_debug_pool`](https://github.com/chobits/ngx_debug_pool)* - provides access to information of memory usage for NGINX memory pool
- [`ngx_debug_timer`](https://github.com/hongxiaolong/ngx_debug_timer)* - provides access to information of timer usage for NGINX
- [`nginx_upstream_check_module`](https://github.com/yaoweibin/nginx_upstream_check_module)* - health checks upstreams for NGINX
- [`nginx-http-footer-filter`](https://github.com/alibaba/nginx-http-footer-filter)* - module that prints some text in the footer of a request upstream server
- [`memc-nginx-module`](https://github.com/agentzh/memc-nginx-module) - extended version of the standard Memcached module
- [`nginx-rtmp-module`](https://github.com/arut/nginx-rtmp-module) - NGINX-based Media Streaming Server
- [`ngx-fancyindex`](https://github.com/aperezdc/ngx-fancyindex) - generates file listings, like the built-in autoindex module does, but adding a touch of style
- [`ngx_log_if`](https://github.com/cfsego/ngx_log_if) - allows you to control when not to write down access log
- [`nginx-http-user-agent`](https://github.com/alibaba/nginx-http-user-agent) - module to match browsers and crawlers
- [`ngx_http_auth_pam_module`](https://github.com/sto/ngx_http_auth_pam_module) - module to use PAM for simple http authentication
- [`ngx_http_google_filter_module`](https://github.com/cuber/ngx_http_google_filter_module) - is a filter module which makes google mirror much easier to deploy
- [`nginx-push-stream-module`](https://github.com/wandenberg/nginx-push-stream-module) - a pure stream http push technology for your Nginx setup
- [`nginx_tcp_proxy_module`](https://github.com/yaoweibin/nginx_tcp_proxy_module) - add the feature of tcp proxy with nginx, with health check and status monitor
- [`ngx_http_custom_counters_module`](https://github.com/lyokha/nginx-custom-counters-module) - customizable counters shared by all worker processes and virtual servers
- [`ngx_chash_map`](https://github.com/Wine93/chash-map-nginx-module) - creates variables whose values are mapped to group by consistent hashing method
- [`ngx_security_headers`](https://github.com/GetPageSpeed/ngx_security_headers) - adds security headers and removes insecure headers easily
- [`ngx_http_ip2location_module`](https://github.com/ip2location/ip2location-nginx) - enables user to easily perform client's IP to geographical location lookup by using IP2Location database
- [`ngx_http_ip2proxy`](https://github.com/ip2location/ip2location-nginx) - detects visitor IP addresses which are used as VPN anonymizer, open proxies, web proxies and Tor exits
- [`nginx-length-hiding-filter-module`](https://github.com/nulab/nginx-length-hiding-filter-module) - provides functionality to append randomly generated HTML comment to the end of response body to hide correct response length and make it difficult for attackers to guess secure token
<sup><i>* Available in Tengine Web Server (but these modules may have been updated/patched by Tengine Team).</i></sup><br>
<sup><i>** Is already being used in quite a few third party modules.</i></sup>
##### Configure options
Out of the box you probably do not need to provide any flags yourself, the configure script should detect automatically some reasonable defaults.
However, in order to optimize for speed and/or security, you should probably provide a few compiler flags. Red Hat published an article about the flag collections they consider good - see [Compiler and linker](#compiler-and-linker) chapter for more information.
Another reasonable way to do it would be to copy the options used by your distribution provided packages. The maintainer probably knows what he was doing, and you at least know it works for your use case.
For a description of the NGINX configure options, please see [Building nginx from Sources](http://nginx.org/en/docs/configure.html).
##### Compiler and linker
Out of the box you probably do not need to provide any flags yourself, the configure script should detect automatically some reasonable defaults. However, in order to optimise for speed and/or security, you should probably provide a few compiler flags.
See [this](https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/) recommendations by RedHat. You should also read [Compilation and Installation](https://wiki.openssl.org/index.php/Compilation_and_Installation) for OpenSSL.
Here are some examples:
```bash
# Example of use compiler options:
# 1)
--with-cc-opt="-I/usr/local/include -I${OPENSSL_INC} -I${LUAJIT_INC} -I${JEMALLOC_INC} -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC"
# 2)
--with-cc-opt="-I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -O3 -g -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf"
# 3)
--with-cc-opt="-I/usr/local/include"
# Example of use linker options:
# 1)
--with-ld-opt="-Wl,-E -L/usr/local/lib -ljemalloc -lpcre -Wl,-rpath,/usr/local/lib,-z,relro -Wl,-z,now -pie"
# 2)
--with-ld-opt="-L/usr/local/lib -ljemalloc -Wl,-lpcre -Wl,-z,relro -Wl,-rpath,/usr/local/lib"
# 3)
--with-ld-opt="-L/usr/local/lib"
# For installation on FreeBSD:
--with-cc-opt="-I/usr/local/include"
--with-ld-opt="-L/usr/local/lib"
```
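The note in the 3rd party modules section says a new module must be built against the same version and with the same compile flags as the running binary (`nginx -V`), and the flags above are only useful if they actually end up in the build. The following shell functions, an added example that is not part of the handbook or of NGINX, read the version and the `--with-cc-opt`/`--with-ld-opt` values back out of `nginx -V` output and report which of the hardening flags from the examples above are missing. Both `NGX_V_SAMPLE` and `NGX_V_HARDENED` are constructed sample outputs, not from a real binary.

```shell
# Added example (not part of the handbook or of NGINX): read the build
# parameters back out of `nginx -V` and check that the hardening flags from
# the compiler/linker examples survived into the binary. NGINX prints -V on
# stderr, so capture it with `nginx -V 2>&1`.

# Constructed sample: a build that is missing two of the checked flags.
NGX_V_SAMPLE=$(cat <<'__EOF__'
nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-compat --with-http_ssl_module --with-cc-opt='-O2 -g -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -pie'
__EOF__
)

# Constructed sample: the same build with every checked flag present.
NGX_V_HARDENED=$(cat <<'__EOF__'
nginx version: nginx/1.16.0
configure arguments: --prefix=/etc/nginx --with-cc-opt='-O2 -g -fstack-protector-strong -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
__EOF__
)

# Version string ("1.16.0"): the release a dynamic module must be built against.
ngx_version() {
  printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/||p'
}

# Everything after "configure arguments:": what to pass to ./configure again
# when rebuilding the binary or compiling an extra dynamic module.
ngx_configure_args() {
  printf '%s\n' "$1" | sed -n 's/^configure arguments: //p'
}

# Value of --with-cc-opt or --with-ld-opt ($1 = cc or ld), quotes removed.
ngx_opt() {
  ngx_configure_args "$2" | sed -n "s/.*--with-$1-opt='\([^']*\)'.*/\1/p"
}

# Print one line per missing hardening flag; return 1 if anything is missing.
check_hardening() {
  _cc=$(ngx_opt cc "$1")
  _ld=$(ngx_opt ld "$1")
  _rc=0
  for _f in -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Werror=format-security; do
    case "$_cc" in *"$_f"*) ;; *) echo "cc: missing $_f"; _rc=1 ;; esac
  done
  for _f in -z,relro -z,now -pie; do
    case "$_ld" in *"$_f"*) ;; *) echo "ld: missing $_f"; _rc=1 ;; esac
  done
  return $_rc
}

# Against a real binary:  out=$(nginx -V 2>&1); ngx_version "$out"; check_hardening "$out"
check_hardening "$NGX_V_SAMPLE" || echo "sample build is not fully hardened"
```

The flag checks are substring matches on the option strings, so `-Wl,-z,relro` and `-Wp,-D_FORTIFY_SOURCE=2` are recognised in either of the spellings used in the examples above; for a stricter check on the finished binary, `readelf -l` (RELRO, PIE) and `readelf -s` (`__stack_chk_fail`) confirm what the linker actually produced.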
###### Debugging Symbols
Debugging symbols help obtain additional information for debugging, such as functions, variables, data structures, source file and line number information.
If you get the `No symbol table info available` error when you run `(gdb) backtrace`, you should recompile NGINX with support for debugging symbols. For this it is essential to include debugging symbols with the `-g` flag and make the debugger output easier to understand by disabling compiler optimization with the `-O0` flag:
> If you use `-O0`, remember to disable `-D_FORTIFY_SOURCE=2`; if you don't, you will get: `error: #warning _FORTIFY_SOURCE requires compiling with optimization (-O)`.
```bash
./configure --with-debug --with-cc-opt='-O0 -g' ...
```
Also, if you get errors similar to one of these:
```
Missing separate debuginfo for /usr/lib64/libluajit-5.1.so.2 ...
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found) ...
```
You should also recompile the libraries with the `-g` compiler option and optionally with `-O0`. For more information please read [3.9 Options for Debugging Your Program](https://gcc.gnu.org/onlinedocs/gcc/Debugging-Options.html).
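Rewriting a production `--with-cc-opt` value by hand for a debug build is where the `_FORTIFY_SOURCE` warning above usually comes from. The function below, an added example that is not part of the handbook, applies the rule from the note mechanically: it swaps any `-O<level>` for `-O0`, drops `-D_FORTIFY_SOURCE=<n>` (with or without the `-Wp,` prefix) and adds `-g` if it is absent.

```shell
# Added example (not part of the handbook): derive the debug variant of a
# --with-cc-opt string. Usage: ./configure --with-debug --with-cc-opt="$(debug_cc_opt "$PROD_CC_OPT")"
debug_cc_opt() {
  # Pad with spaces so every flag is delimited on both sides.
  _o=" $1 "
  _o=$(printf '%s' "$_o" | sed -e 's/ -Wp,-D_FORTIFY_SOURCE=[0-9] / /g' \
                               -e 's/ -D_FORTIFY_SOURCE=[0-9] / /g' \
                               -e 's/ -O[0-9sz] / -O0 /g')
  # -O0: required so that the debugger sees unoptimised code.
  case "$_o" in *" -O0 "*) ;; *) _o="$_o -O0 " ;; esac
  # -g (or -g<level>): emit the debugging symbols themselves.
  case "$_o" in *" -g "*|*" -g"[0-9]" "*) ;; *) _o="$_o -g " ;; esac
  # Squeeze repeated spaces and trim the padding again.
  printf '%s\n' "$_o" | tr -s ' ' | sed -e 's/^ //' -e 's/ $//'
}

# Constructed sample: the first compiler example from the "Compiler and linker" section.
PROD_CC_OPT='-I/usr/local/include -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong'
debug_cc_opt "$PROD_CC_OPT"
```

Flags such as `-fstack-protector-strong` are left in place: they do not conflict with `-O0`, only `_FORTIFY_SOURCE` does.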
##### SystemTap
SystemTap is a scripting language and tool for dynamically instrumenting running production Linux kernel-based operating systems. It's required for `openresty-systemtap-toolkit` for OpenResty.
> There is a good [all-in-one tutorial](https://gist.github.com/notsobad/b8f5ebb9b99f3a818f30) about installing and configuring SystemTap on CentOS 7/Ubuntu distributions. In case of problems please see this [SystemTap](https://github.com/shawfdong/hyades/wiki/SystemTap) document.
> Hint: Do not specify `--with-debug` while profiling. It slows everything down significantly.
```bash
cd /opt
git clone --depth 1 https://github.com/openresty/openresty-systemtap-toolkit
# RHEL/CentOS
yum install yum-utils
yum --enablerepo=base-debuginfo install kernel-devel-$(uname -r) kernel-headers-$(uname -r) kernel-debuginfo-$(uname -r) kernel-debuginfo-common-x86_64-$(uname -r)
yum --enablerepo=base-debuginfo install systemtap systemtap-debuginfo
reboot
# Run this commands for testing SystemTap:
stap -v -e 'probe vfs.read {printf("read performed\n"); exit()}'
stap -v -e 'probe begin { printf("Hello, World!\n"); exit() }'
```
For installing SystemTap on Ubuntu/Debian:
- [Ubuntu Wiki - Systemtap](https://wiki.ubuntu.com/Kernel/Systemtap)
- [Install SystemTap in Ubuntu 14.04](https://blog.jeffli.me/blog/2014/10/10/install-systemtap-in-ubuntu-14-dot-04/)
###### stapxx
The author of OpenResty created great and simple macro language extensions to the SystemTap: [stapxx](https://github.com/openresty/stapxx).
#### Installation Nginx on CentOS 7
###### Pre-installation tasks
Set the NGINX version (I use the stable release):
```bash
export ngx_version="1.16.0"
```
Set temporary variables:
```bash
export ngx_src="/usr/local/src"
export ngx_base="${ngx_src}/nginx-${ngx_version}"
export ngx_master="${ngx_base}/master"
export ngx_modules="${ngx_base}/modules"
export NGX_PREFIX="/etc/nginx"
export NGX_CONF="${NGX_PREFIX}/nginx.conf"
```
Create directories:
```bash
for i in "${ngx_base}" "${ngx_master}" "${ngx_modules}" ; do
  mkdir -p "$i"
done
```
Set user/group variables:
```bash
export NGINX_USER="nginx"
export NGINX_GROUP="nginx"
export NGINX_UID="920"
export NGINX_GID="920"
```
###### Dependencies
> In my configuration I used prebuilt packages for all dependencies except `libssl-dev`, `zlib1g-dev`, `libluajit-5.1-dev`, and `libpcre2-dev`, because I compiled those manually: OpenSSL for TLS 1.3 support, and LuaJIT following the OpenResty recommendation.
**Install prebuilt packages, export variables and set symbolic link:**
```bash
# It's important and required, regardless of chosen sources:
yum install gcc gcc-c++ kernel-devel bison perl perl-devel perl-ExtUtils-Embed lua libxslt libxslt-devel gd gd-devel GeoIP-devel libxml2-devel expat-devel gperftools-devel cpio gettext-devel autoconf jq git wget logrotate
# In this example we use sources for all below packages so we do not install them:
# yum install openssl-devel zlib-devel pcre-devel luajit-devel
# For LuaJIT (luajit-devel):
export LUAJIT_LIB="/usr/local/lib"
# For original:
# export LUAJIT_INC="/usr/local/include/luajit-2.0"
# For OpenResty's:
export LUAJIT_INC="/usr/local/include/luajit-2.1"
for i in libluajit-5.1.so libluajit-5.1.so.2 liblua.so libluajit.so ; do
  # For original LuaJIT:
  # ln -sf /usr/local/lib/libluajit-5.1.so.2.0.5 ${LUAJIT_LIB}/${i}
  # For OpenResty's LuaJIT:
  ln -sf /usr/local/lib/libluajit-5.1.so.2.1.0 ${LUAJIT_LIB}/${i}
done
# ln -sf /usr/lib/x86_64-linux-gnu/libluajit-5.1.so.2 ${LUAJIT_LIB}/liblua.so
```
> Remember to build [`sregex`](#sregex) also if you use above steps.
**Or download and compile them:**
PCRE:
```bash
cd "${ngx_src}"
export pcre_version="8.42"
export PCRE_SRC="${ngx_src}/pcre-${pcre_version}"
export PCRE_LIB="/usr/local/lib"
export PCRE_INC="/usr/local/include"
wget -c --no-check-certificate https://ftp.pcre.org/pub/pcre/pcre-${pcre_version}.tar.gz && tar xzvf pcre-${pcre_version}.tar.gz
cd "$PCRE_SRC"
# Add to compile with debugging symbols:
# CFLAGS='-O0 -g' ./configure
./configure
make -j2 && make test
make install
```
Zlib:
```bash
# I recommend using the Cloudflare Zlib version (cloudflare/zlib) instead of the original Zlib (zlib.net); both installation methods are similar:
cd "${ngx_src}"
export ZLIB_SRC="${ngx_src}/zlib"
export ZLIB_LIB="/usr/local/lib"
export ZLIB_INC="/usr/local/include"
# For original Zlib:
# export zlib_version="1.2.11"
# wget -c --no-check-certificate http://www.zlib.net/zlib-${zlib_version}.tar.gz
# mkdir -p zlib && tar xzvf zlib-${zlib_version}.tar.gz -C zlib
# or:
# git clone --depth 1 https://github.com/madler/zlib
# For Cloudflare Zlib:
git clone --depth 1 https://github.com/cloudflare/zlib
cd "$ZLIB_SRC"
./configure
make -j2 && make test
make install
```
OpenSSL:
```bash
cd "${ngx_src}"
export openssl_version="1.1.1c"
export OPENSSL_SRC="${ngx_src}/openssl-${openssl_version}"
export OPENSSL_DIR="/usr/local/openssl-${openssl_version}"
export OPENSSL_LIB="${OPENSSL_DIR}/lib"
export OPENSSL_INC="${OPENSSL_DIR}/include"
wget -c --no-check-certificate https://www.openssl.org/source/openssl-${openssl_version}.tar.gz && tar xzvf openssl-${openssl_version}.tar.gz
cd "${ngx_src}/openssl-${openssl_version}"
# Detect compiler features and translate them into OpenSSL config options
# (format: "<gcc macro>:<OpenSSL config option>"):
export __GCC_SSL=("__SIZEOF_INT128__:enable-ec_nistp_64_gcc_128")
_openssl_gcc=""
for _cc_opt in "${__GCC_SSL[@]}" ; do
  _cc_key=$(echo "$_cc_opt" | cut -d ":" -f1)
  _cc_value=$(echo "$_cc_opt" | cut -d ":" -f2)
  # Only add the option if the compiler actually defines the macro
  # (grep -q prints nothing, so its exit status, not its output, is the test):
  if [[ -n "$_cc_key" ]] && [[ -n "$_cc_value" ]] && gcc -dM -E - </dev/null | grep -q "$_cc_key" ; then
    echo "$_cc_value is supported on this machine"
    _openssl_gcc+="$_cc_value "
  fi
done
# Add to compile with debugging symbols:
# ./config -d ...
# $_openssl_gcc is left unquoted on purpose so that each detected option is passed as a separate argument
# (it expands to nothing when no option was detected):
./config --prefix="$OPENSSL_DIR" --openssldir="$OPENSSL_DIR" shared zlib no-ssl3 no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS -fstack-protector-strong $_openssl_gcc
make -j2 && make test
make install
# Setup PATH environment variables:
cat > /etc/profile.d/openssl.sh << __EOF__
#!/bin/sh
export PATH=${OPENSSL_DIR}/bin:${PATH}
export LD_LIBRARY_PATH=${OPENSSL_DIR}/lib:${LD_LIBRARY_PATH}
__EOF__
chmod +x /etc/profile.d/openssl.sh && source /etc/profile.d/openssl.sh
# To make the OpenSSL version visible globally first:
if [[ -e "/usr/bin/openssl" ]] ; then
_openssl_version=$(openssl version | awk '{print $2}')
_openssl_date=$(date '+%Y%m%d%H%M%S')
_openssl_str="openssl-${_openssl_version}-${_openssl_date}"
mv /usr/bin/openssl /usr/bin/${_openssl_str}
ln -sf ${OPENSSL_DIR}/bin/openssl /usr/bin/openssl
else
ln -sf ${OPENSSL_DIR}/bin/openssl /usr/bin/openssl
fi
cat > /etc/ld.so.conf.d/openssl.conf << __EOF__
${OPENSSL_DIR}/lib
__EOF__
```
LuaJIT:
```bash
# I recommend using OpenResty's branch (openresty/luajit2) instead of LuaJIT (LuaJIT/LuaJIT); both installation methods are similar:
cd "${ngx_src}"
export LUAJIT_SRC="${ngx_src}/luajit2"
export LUAJIT_LIB="/usr/local/lib"
# For original LuaJIT:
# export LUAJIT_INC="/usr/local/include/luajit-2.0"
# git clone http://luajit.org/git/luajit-2.0.git luajit2
# For OpenResty's LuaJIT:
export LUAJIT_INC="/usr/local/include/luajit-2.1"
git clone --depth 1 https://github.com/openresty/luajit2
cd "$LUAJIT_SRC"
# Add to compile with debugging symbols:
# CFLAGS='-g' make ...
make && make install
for i in libluajit-5.1.so libluajit-5.1.so.2 liblua.so libluajit.so ; do
  # For original LuaJIT:
  # ln -sf /usr/local/lib/libluajit-5.1.so.2.0.5 ${LUAJIT_LIB}/${i}
  # For OpenResty's LuaJIT:
  ln -sf /usr/local/lib/libluajit-5.1.so.2.1.0 ${LUAJIT_LIB}/${i}
done
# ln -sf /usr/lib/x86_64-linux-gnu/libluajit-5.1.so.2 ${LUAJIT_LIB}/liblua.so
```
<a id="sregex"></a>sregex:
> Required for `replace-filter-nginx-module` module.
```bash
cd "${ngx_src}"
git clone --depth 1 https://github.com/openresty/sregex
cd "${ngx_src}/sregex"
make && make install
```
jemalloc:
> To verify `jemalloc` in use: `lsof -n | grep jemalloc`.
```bash
cd "${ngx_src}"
export JEMALLOC_SRC="${ngx_src}/jemalloc"
export JEMALLOC_INC="/usr/local/include/jemalloc"
git clone --depth 1 https://github.com/jemalloc/jemalloc
cd "$JEMALLOC_SRC"
./autogen.sh
make && make install
```
Update the links and cache for the shared libraries (needed for both types of installation):
```bash
ldconfig
```
###### Get Nginx sources
```bash
cd "${ngx_base}"
wget -c --no-check-certificate https://nginx.org/download/nginx-${ngx_version}.tar.gz
# or alternative:
# git clone --depth 1 https://github.com/nginx/nginx master
tar zxvf nginx-${ngx_version}.tar.gz -C "${ngx_master}" --strip 1
```
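The download steps on this page fetch tarballs with `wget --no-check-certificate`, which disables the only transport-level integrity check on the source you are about to compile into a privileged daemon. The functions below are an added example, not part of the handbook: they compare a downloaded file against a pinned SHA-256 digest before it is unpacked. The expected digest is assumed to be one you recorded yourself from a previously verified copy; nginx.org publishes detached PGP signatures (`.tar.gz.asc`) rather than checksum files, so the signature check noted in the comments is the authoritative step for NGINX itself. The demo input is a constructed file, not a real release.

```shell
# Added example (not part of the handbook): verify a source tarball against a
# pinned SHA-256 digest before unpacking it.

# Print the SHA-256 digest of a file; sha256sum on Linux, shasum on macOS/BSD.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f1
  else
    shasum -a 256 "$1" | cut -d ' ' -f1
  fi
}

# verify_tarball FILE EXPECTED_SHA256: return 0 only if the digest matches.
verify_tarball() {
  if [ ! -f "$1" ]; then
    echo "no such file: $1" >&2
    return 1
  fi
  _got=$(sha256_of "$1")
  if [ "$_got" = "$2" ]; then
    echo "OK: $1"
    return 0
  fi
  echo "MISMATCH: $1 expected $2 got $_got" >&2
  return 1
}

# Demo with a constructed file whose content is the FIPS 180 test vector "abc";
# its SHA-256 is the published value below, so this is a real end-to-end check.
demo_verify() {
  _f=$(mktemp)
  printf 'abc' > "$_f"
  verify_tarball "$_f" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
  _rc=$?
  rm -f "$_f"
  return $_rc
}

# For the real NGINX tarball the authoritative check is the detached signature,
# after importing the release signing key from https://nginx.org/keys/:
#   gpg --verify nginx-${ngx_version}.tar.gz.asc nginx-${ngx_version}.tar.gz
# and only then:  verify_tarball nginx-${ngx_version}.tar.gz "<digest you pinned>"
demo_verify
```

Pin the digest in the same place you pin `ngx_version` so that a later rebuild on another host fails loudly if the mirror served something different.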
###### Download 3rd party modules
```bash
cd "${ngx_modules}"
for i in \
  https://github.com/simplresty/ngx_devel_kit \
  https://github.com/openresty/lua-nginx-module \
  https://github.com/openresty/set-misc-nginx-module \
  https://github.com/openresty/echo-nginx-module \
  https://github.com/openresty/headers-more-nginx-module \
  https://github.com/openresty/replace-filter-nginx-module \
  https://github.com/openresty/array-var-nginx-module \
  https://github.com/openresty/encrypted-session-nginx-module \
  https://github.com/vozlt/nginx-module-sysguard \
  https://github.com/nginx-clojure/nginx-access-plus \
  https://github.com/yaoweibin/ngx_http_substitutions_filter_module \
  https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng \
  https://github.com/vozlt/nginx-module-vts \
  https://github.com/google/ngx_brotli ; do
  git clone --depth 1 "$i"
done
wget -c --no-check-certificate http://mdounin.ru/hg/ngx_http_delay_module/archive/tip.tar.gz -O delay-module.tar.gz
mkdir delay-module && tar xzvf delay-module.tar.gz -C delay-module --strip 1
```
For `ngx_brotli`:
```bash
cd "${ngx_modules}/ngx_brotli"
git submodule update --init
```
I also use some modules from Tengine:
- `ngx_backtrace_module`
- `ngx_debug_pool`
- `ngx_debug_timer`
- `ngx_http_upstream_check_module`
- `ngx_http_footer_filter_module`
```bash
cd "${ngx_modules}"
git clone --depth 1 https://github.com/alibaba/tengine
```
If you use NAXSI:
```bash
cd "${ngx_modules}"
git clone --depth 1 https://github.com/nbs-system/naxsi
```
###### Build Nginx
```bash
cd "${ngx_master}"
# - you can also build NGINX without 3rd party modules
# - remember the compiler and linker options
# - don't set values for --with-openssl, --with-pcre, and --with-zlib if you selected prebuilt packages for them
# - to compile with debugging symbols add: -O0 -g
# - and remove -D_FORTIFY_SOURCE=2 if you use the above
./configure --prefix=$NGX_PREFIX \
--conf-path=$NGX_CONF \
--sbin-path=/usr/sbin/nginx \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--user=$NGINX_USER \
--group=$NGINX_GROUP \
--modules-path=${NGX_PREFIX}/modules \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--with-compat \
--with-debug \
--with-file-aio \
--with-threads \
--with-stream \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_degradation_module \
--with-http_geoip_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_image_filter_module \
--with-http_perl_module \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_v2_module \
--with-google_perftools_module \
--with-openssl=${OPENSSL_SRC} \
--with-openssl-opt="shared zlib no-ssl3 no-weak-ssl-ciphers -DOPENSSL_NO_HEARTBEATS -fstack-protector-strong ${_openssl_gcc}" \
--with-pcre=${PCRE_SRC} \
--with-pcre-jit \
--with-zlib=${ZLIB_SRC} \
--without-http-cache \
--without-http_memcached_module \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--without-http_fastcgi_module \
--without-http_scgi_module \
--without-http_uwsgi_module \
--add-module=${ngx_modules}/ngx_devel_kit \
--add-module=${ngx_modules}/encrypted-session-nginx-module \
--add-module=${ngx_modules}/nginx-access-plus/src/c \
--add-module=${ngx_modules}/ngx_http_substitutions_filter_module \
--add-module=${ngx_modules}/nginx-sticky-module-ng \
--add-module=${ngx_modules}/nginx-module-vts \
--add-module=${ngx_modules}/ngx_brotli \
--add-module=${ngx_modules}/tengine/modules/ngx_backtrace_module \
--add-module=${ngx_modules}/tengine/modules/ngx_debug_pool \
--add-module=${ngx_modules}/tengine/modules/ngx_debug_timer \
--add-module=${ngx_modules}/tengine/modules/ngx_http_footer_filter_module \
--add-module=${ngx_modules}/tengine/modules/ngx_http_upstream_check_module \
--add-module=${ngx_modules}/tengine/modules/ngx_slab_stat \
--add-dynamic-module=${ngx_modules}/lua-nginx-module \
--add-dynamic-module=${ngx_modules}/set-misc-nginx-module \
--add-dynamic-module=${ngx_modules}/echo-nginx-module \
--add-dynamic-module=${ngx_modules}/headers-more-nginx-module \
--add-dynamic-module=${ngx_modules}/replace-filter-nginx-module \
--add-dynamic-module=${ngx_modules}/array-var-nginx-module \
--add-dynamic-module=${ngx_modules}/nginx-module-sysguard \
--add-dynamic-module=${ngx_modules}/delay-module \
--add-dynamic-module=${ngx_modules}/naxsi/naxsi_src \
--with-cc-opt="-I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -O2 -g -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf" \
--with-ld-opt="-L/usr/l