Skip to content

Instantly share code, notes, and snippets.

@linuxmalaysia

linuxmalaysia/nginx-contoh.conf

Last active June 16, 2025 13:59
Show Gist options
  • Save linuxmalaysia/873c396d43b9933bd0e01495bf4540fe to your computer and use it in GitHub Desktop.
Save linuxmalaysia/873c396d43b9933bd0e01495bf4540fe to your computer and use it in GitHub Desktop.
Download ZIP
Raw
nginx-contoh.conf
# Generated by nginxconfig.io
# See nginxconfig.txt for the configuration share link
# Note in comments by Harisfazillah Jamel and Google Gemini
# 15 Jun 2025
user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;
# Load modules
include /etc/nginx/modules-enabled/*.conf;
events {
multi_accept on;
worker_connections 65535;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
types_hash_max_size 2048;
types_hash_bucket_size 64;
client_max_body_size 16M;
# MIME
include mime.types;
default_type application/octet-stream;
# Log Format
log_format cloudflare '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $http_cf_ray $http_cf_connecting_ip $http_x_forwarded_for $http_x_forwarded_proto $http_true_client_ip $http_cf_ipcountry $http_cf_visitor $http_cdn_loop';
# Logging
access_log off;
error_log /var/log/nginx/error.log warn;
# Limits
limit_req_log_level warn;
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
# SSL
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Mozilla Modern configuration
ssl_protocols TLSv1.3;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] 208.67.222.222 208.67.220.220 [2620:119:35::35] [2620:119:53::53] 9.9.9.9 149.112.112.112 [2620:fe::fe] [2620:fe::9] 64.6.64.6 64.6.65.6 [2620:74:1b::1:1] [2620:74:1c::2:2] valid=60s;
resolver_timeout 2s;
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
# --- NGINX CACHE CONFIGURATION START ---
# Define a cache zone named 'my_cache'
# Keys will be stored in memory (10m)
# Total cache size will be 1g
# Inactive items will be removed after 60m
# Cache directory: /var/cache/nginx
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m use_temp_path=off;
# --- NGINX CACHE CONFIGURATION END ---
# Load configs
include /etc/nginx/conf.d/*.conf;
# linuxmalaysia.com
server {
listen 443 ssl reuseport;
listen [::]:443 ssl reuseport;
http2 on;
server_name linuxmalaysia.com;
root /var/www/linuxmalaysia.com/public;
# SSL
ssl_certificate /etc/nginx/ssl/linuxmalaysia.com.crt;
ssl_certificate_key /etc/nginx/ssl/linuxmalaysia.com.key;
# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# . files
location ~ /\.(?!well-known) {
deny all;
}
# security.txt
location /security.txt {
return 301 /.well-known/security.txt;
}
location = /.well-known/security.txt {
alias ~/security.txt;
}
# restrict methods
if ($request_method !~ ^(GET|POST|PUT|HEAD|CONNECT)$) {
return '405';
}
# logging
access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
error_log /var/log/nginx/error.log warn;
# reverse proxy
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# --- NGINX CACHE APPLICATION START ---
proxy_cache my_cache; # Use the defined cache zone
proxy_cache_valid 200 302 10m; # Cache successful responses for 10 minutes
proxy_cache_valid 404 1m; # Cache 404 responses for 1 minute
proxy_cache_key "$scheme$proxy_host$request_uri"; # Define the cache key
proxy_cache_min_uses 1; # Cache after 1 request
proxy_cache_revalidate on; # Revalidate stale content
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; # Serve stale content on errors
# Add header to see if content is served from cache (optional, for debugging)
add_header X-Cache-Status $upstream_cache_status;
# --- NGINX CACHE APPLICATION END ---
# Proxy SSL
proxy_ssl_server_name on;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
# favicon.ico
location = /favicon.ico {
log_not_found off;
}
# robots.txt
location = /robots.txt {
log_not_found off;
}
# # assets, media
# location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
# expires 7d;
# }
#
# # svg, fonts
# location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
# add_header Access-Control-Allow-Origin "*";
# expires 7d;
# }
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
}
# HTTP redirect
server {
listen 80 reuseport;
listen [::]:80 reuseport;
server_name linuxmalaysia.com;
# logging
access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
error_log /var/log/nginx/error.log warn;
return 301 https://linuxmalaysia.com$request_uri;
}
}
@linuxmalaysia
Copy link
Author

Nginx Proxy Timeout Settings Explained

You're looking at the proxy timeout directives, which are critical for controlling how long Nginx waits for your backend application to respond. These settings directly impact the responsiveness and reliability of your service, especially when your backend is under load or experiencing issues.

All of these timeouts are set to 60s (60 seconds), which is a common value for general web applications. Let's break down what each one means:

1. proxy_connect_timeout 60s;

  • Explanation: This sets the maximum time Nginx will wait to establish a connection with your proxied backend server (http://127.0.0.1:3000). This includes the time needed for DNS resolution (if using a hostname), establishing the TCP handshake, and performing the SSL/TLS handshake (if your backend uses HTTPS).
  • Performance Impact:
    • Responsiveness: If your backend server is slow to respond to new connection requests (e.g., due to high load, network issues, or a crash), Nginx will wait up to 60 seconds. If the connection isn't established within this time, Nginx will return a 502 Bad Gateway error to the client.
    • Backend Health: A higher timeout gives a struggling backend more time to recover and accept new connections. A lower timeout makes Nginx fail faster, potentially preventing requests from piling up on a dead backend.
  • Suggestions:
    • 60s is a generous timeout. For most well-behaved local backends, connection establishment should be near-instantaneous.
    • If your backend is highly performant and stable, you could consider lowering this to 5s or 10s to make Nginx fail faster when the backend is truly unreachable, giving immediate feedback to the client or allowing other mechanisms (like retries) to kick in sooner.
    • If your backend starts slowly or occasionally takes time to come online (less common for a Node.js app on 127.0.0.1), a higher value like 60s might be necessary.

2. proxy_send_timeout 60s;

  • Explanation: This sets the maximum time Nginx will wait for your backend server to send a response after it has processed a request. Specifically, it's the timeout for sending a request to the proxied server. It applies between two successive write operations, not for the entire response. If the backend doesn't send anything for 60 seconds (no data, no headers), Nginx will close the connection.
  • Performance Impact:
    • Backend Stuck: Protects Nginx from a backend that accepts a connection but then gets "stuck" and doesn't write any data back to Nginx.
    • Resource Management: Prevents Nginx from holding open connections indefinitely to a non-responsive backend, freeing up Nginx's resources.
  • Suggestions:
    • 60s is a standard and generally safe value.
    • For applications that involve very long-running writes from the backend (e.g., large file uploads from the backend to Nginx, or streaming responses), you might need to increase this. However, for typical web requests, 60s is usually sufficient.

3. proxy_read_timeout 60s;

  • Explanation: This sets the maximum time Nginx will wait for your backend server to send data in response to a request. This applies between two successive read operations. If Nginx doesn't receive any data from the backend for 60 seconds, it will close the connection. This is typically the most important timeout for user experience.
  • Performance Impact:
    • User Experience: Directly impacts how long a user waits for a response. If your backend takes longer than 60 seconds to start sending the response (or send another chunk of data), the user will see a timeout error.
    • Backend Processing Time: If your backend application has computationally intensive tasks or database queries that might exceed 60 seconds to complete, you'll need to increase this timeout.
    • Resource Management: Prevents Nginx from tying up resources waiting for a backend that is too slow or unresponsive.
  • Suggestions:
    • 60s is a common default, suitable for most web applications.
    • Adjust based on application needs: If you have long-running API calls, complex reports, or file generation processes in your backend that might genuinely take more than 60 seconds, you must increase this timeout (e.g., 120s, 300s, or even more).
    • For interactive or fast-response APIs, you could consider lowering it (e.g., 30s) to ensure quicker failure feedback.

Overall Impact on Nginx Performance (CPU and Memory)

  • CPU/Memory: These timeouts don't directly consume CPU or memory during normal operation. Their impact comes when timeouts occur. If a timeout happens, Nginx might use a small amount of CPU to log the error and terminate the connection. Having appropriate timeouts prevents Nginx from holding open connections indefinitely to a problematic backend, which could otherwise tie up Nginx's worker processes and consume memory unnecessarily.
  • Reliability: By setting these timeouts, you define the acceptable window for your backend to perform. If it exceeds these, Nginx intervenes, preventing users from waiting indefinitely and allowing Nginx to free up resources.

Your current timeout settings are a sensible starting point for many web applications. The key is to monitor your Nginx error logs for 502 Bad Gateway errors or "upstream timed out" messages, as these would indicate that your backend is hitting these limits, and you might need to adjust them based on your application's specific behavior.

@linuxmalaysia
Copy link
Author

Nginx Logging Configuration Explained

You've provided your Nginx logging configuration, which is essential for monitoring the health, activity, and potential issues on your server. These settings tell Nginx where to record information and how verbose those logs should be.

Let's break down each line:

1. access_log /var/log/nginx/access.log combined buffer=512k flush=1m;

This directive configures the access log, which records every request Nginx handles.

  • /var/log/nginx/access.log: This is the path to the file where Nginx will write access log entries. It's standard practice to keep Nginx logs in the /var/log/nginx/ directory.
    • Performance Impact: Logging to disk involves disk I/O. For very high-traffic sites, excessive logging (or logging to slow disks) can become a bottleneck. However, the buffering parameters you've set help mitigate this.
    • Suggestion: Ensure the www-data user has write permissions to /var/log/nginx/.
  • combined: This specifies the log format to be used. The combined format is a standard Apache-like format that includes common information like:
    • Remote IP address
    • Request time
    • HTTP method and URI
    • HTTP status code
    • Response body size
    • Referer header
    • User-Agent header
    • Performance Impact: The chosen format slightly affects the amount of data written, but combined is a good balance between detail and file size.
    • Suggestion: combined is excellent for most purposes. If you ever need more detailed information (e.g., specific headers, upstream response times), you can define a custom log_format.
  • buffer=512k: This enables buffering of log entries in memory. Nginx will collect log entries up to 512 kilobytes in size before writing them to disk.
    • Performance Impact (CPU & Disk I/O): This is a significant optimization for busy servers. Instead of writing each log entry individually (which causes many small disk I/O operations and context switches), Nginx writes larger chunks less frequently. This reduces disk I/O, saves CPU cycles, and improves overall throughput.
    • Memory Impact: Directly consumes 512KB of RAM for the buffer. This is a very small and acceptable overhead for the performance gain.
    • Suggestion: 512k is a good size. For extremely high-traffic sites, you might consider increasing this to 1m or 2m, but it's often not necessary.
  • flush=1m: This directive works with buffer. It sets a maximum time limit for how long buffered log entries can remain in memory before being written to disk, even if the buffer isn't full. Here, it means that even if the 512k buffer isn't filled, Nginx will write its contents to disk every 1 minute.
    • Performance Impact: Ensures that log data isn't held indefinitely in memory, which is important for real-time monitoring and analysis, as well as data persistence in case of an unexpected crash.
    • Suggestion: 1m is a standard and reasonable flush interval.

2. error_log /var/log/nginx/error.log warn;

This directive configures the error log, which records messages about Nginx's own operations, warnings, and errors.

  • /var/log/nginx/error.log: This is the path to the file where Nginx will write error log entries.
    • Performance Impact: Less frequent writing than access logs, as it only records problems. The performance impact is minimal.
    • Suggestion: As with access logs, ensure correct write permissions.
  • warn: This sets the minimum severity level of messages that will be written to the error log. Nginx logs messages at different levels: debug, info, notice, warn, error, crit, alert, and emerg (from most verbose to least verbose).
    • Performance Impact: A lower (more verbose) log level (e.g., info or debug) will write many more messages, increasing disk I/O and potentially consuming more CPU. A higher (less verbose) level (e.g., error or crit) will log fewer messages.
    • warn level: Means Nginx will log messages with warn severity or higher (i.e., warn, error, crit, alert, emerg). This is a good balance:
      • It captures important warnings (e.g., keys_zone full, deprecated directives, OCSP stapling issues) that you should be aware of.
      • It avoids flooding the log with info or debug messages, which are usually only needed during active troubleshooting.
    • Suggestion: warn is an excellent choice for a production environment. For active debugging, you might temporarily switch to info or even debug (if Nginx was compiled with debugging enabled), but always revert to warn or higher for normal operation.

Overall Impact on Nginx Performance (CPU and Memory)

  • CPU: Logging consumes some CPU for formatting log entries and performing disk I/O. The buffer setting for access logs significantly reduces this overhead.
  • Memory: A small amount of memory is used for the access_log buffer (512k).
  • Disk I/O: Both logs write to disk. Efficient logging practices (like buffering) minimize the impact on disk I/O.
  • Visibility & Debugging: While not a direct performance gain in terms of request processing speed, well-configured logging is paramount for identifying performance bottlenecks, security incidents, and operational issues. Without proper logs, troubleshooting becomes significantly harder, leading to longer downtimes or unaddressed problems that do affect performance.

Your logging configuration is very solid, balancing verbosity with performance by utilizing buffering for access logs and a sensible warning level for error logs.

@linuxmalaysia
Copy link
Author

HTTP to HTTPS Redirect Configuration

This server block is solely dedicated to handling HTTP requests and redirecting them to your secure HTTPS site. This is a crucial security and SEO best practice.

Let's break down each part:

  • listen 80 reuseport;

    • Explanation: This tells Nginx to listen for incoming connections on port 80 (the standard port for unencrypted HTTP traffic) for IPv4 addresses. The reuseport option (available in Nginx 1.9.1+ on Linux) allows multiple worker processes to listen on the same port, which can improve performance by distributing incoming connections more evenly across workers.
    • Performance Impact: Listening on port 80 is necessary to capture all HTTP requests. reuseport can offer minor performance benefits on high-concurrency systems by reducing lock contention when accepting new connections.

  • listen [::]:80 reuseport;

    • Explanation: This is similar to the above, but it tells Nginx to listen on port 80 for IPv6 addresses. This ensures that users connecting via IPv6 are also correctly redirected.
    • Performance Impact: Same as the IPv4 listen directive.

  • server_name linuxmalaysia.com;

    • Explanation: This specifies that this server block should handle requests for the domain linuxmalaysia.com. If you have other domains or subdomains, you'd need separate server_name entries or additional server blocks for them.
    • Performance Impact: Nginx efficiently matches server_name directives to direct traffic to the correct block.

  • access_log /var/log/nginx/access.log combined buffer=512k flush=1m;

    • Explanation: This configures access logging for this specific HTTP redirect block. It uses the combined format, buffers logs in memory (up to 512KB), and flushes them to disk every 1 minute. This is the same logging configuration as your main HTTPS block.
    • Performance Impact: Logging has a small overhead, but the buffering helps minimize its impact on disk I/O and CPU, even for redirect-only requests. It's useful to log redirects to ensure they're happening as expected.

  • error_log /var/log/nginx/error.log warn;

    • Explanation: This configures error logging for this block, setting the minimum severity level to warn.
    • Performance Impact: Minimal, as errors are less frequent. It helps in diagnosing any issues with the redirection process.

  • return 301 https://linuxmalaysia.com$request_uri;

    • Explanation: This is the core of the redirection.
      • return 301: Nginx will send an HTTP 301 Moved Permanently status code to the client. This is crucial for SEO, as it tells search engines that the content has permanently moved to the HTTPS version, transferring any SEO "link juice" to the new URL.
      • https://linuxmalaysia.com: This is the target protocol and domain.
      • $request_uri: This Nginx variable preserves the original path and query string from the incoming HTTP request. So, if a user types http://linuxmalaysia.com/about?lang=en, they will be redirected to https://linuxmalaysia.com/about?lang=en.
    • Performance Impact: This is an incredibly efficient way to handle redirects in Nginx. Nginx doesn't need to process the request further or hit your backend application; it simply sends the redirect header directly. This minimizes CPU and memory usage for HTTP requests.

Overall Performance and Importance

This entire server block is extremely important for:

  • Security: Forcing all traffic to HTTPS is fundamental for securing user data and ensuring privacy.
  • SEO (Search Engine Optimization): Using a 301 redirect ensures that search engines correctly update their indexes and your site doesn't lose ranking due to duplicate content (HTTP vs. HTTPS).
  • User Experience: While it adds a single extra HTTP round-trip for the initial redirect, it ensures users always land on the secure version of your site. Modern browsers (especially with HSTS preloading) often automatically upgrade HTTP requests to HTTPS, making this redirect transparent after the first visit.
  • Efficiency: Nginx handles this redirect very efficiently, serving the redirect directly without involving your backend application.

This is a standard and highly recommended configuration for any website using HTTPS. You've implemented it correctly and efficiently.

@linuxmalaysia
Copy link
Author

Nginx Proxy SSL Server Name Indication (SNI)

You're asking about the proxy_ssl_server_name directive. This setting is crucial when Nginx is proxying HTTPS requests to a backend server that hosts multiple SSL certificates on the same IP address.

Here's a breakdown:

What is SNI (Server Name Indication)?

Traditionally, for a server to host multiple secure websites (each with its own SSL certificate) on a single IP address, it would need a separate IP address for each. This is because the SSL handshake happens before the HTTP Host header (which indicates the desired website) is sent. So, the server wouldn't know which certificate to present.

Server Name Indication (SNI) is an extension to the TLS protocol that solves this problem. With SNI, the client (e.g., a web browser) includes the hostname it's trying to connect to within the initial TLS handshake. This allows the server to present the correct SSL certificate, even if it's hosting many websites on the same IP address.

proxy_ssl_server_name on;

  • Explanation: When proxy_ssl_server_name is set to on, Nginx will pass the hostname from the client's original request (the Host header Nginx received from the client) to your backend server during the SSL/TLS handshake.
  • How it works:
    1. A client connects to Nginx over HTTPS (e.g., https://linuxmalaysia.com).
    2. Nginx receives the request, including the Host header (linuxmalaysia.com).
    3. Nginx acts as a client to your backend server (http://127.0.0.1:3000).
    4. If your backend also uses HTTPS (e.g., https://127.0.0.1:3000), Nginx will include the original hostname (linuxmalaysia.com) in its TLS handshake with the backend.
    5. This allows your backend server to select and present the correct SSL certificate for linuxmalaysia.com (if it hosts multiple SSL-secured sites) to Nginx.
  • When it's important: This setting is essential if:
    • Your Nginx instance is proxying to an HTTPS backend (meaning proxy_pass is to https://...).
    • And that HTTPS backend hosts multiple domains/certificates on the same IP address. Without proxy_ssl_server_name on;, the backend might present the wrong certificate, leading to SSL errors between Nginx and the backend.

Performance Impact

  • Negligible on CPU/Memory: This setting has a minimal to negligible impact on Nginx's CPU or memory usage. It's primarily about ensuring the correct SSL handshake happens between Nginx and the backend.
  • Crucial for Correctness: Its main "performance" benefit is that it enables your SSL-secured backend to function correctly in a multi-domain setup. Without it, you'd encounter SSL handshake failures or certificate mismatches between Nginx and your backend, leading to client errors and service outages.

Suggestions

  • Keep it on if your backend uses HTTPS and hosts multiple domains: If your proxy_pass URL is https://127.0.0.1:3000 (instead of http://127.0.0.1:3000 as in your current config) AND your backend application serves different domains over HTTPS from a single IP, then proxy_ssl_server_name on; is absolutely necessary.
  • It's currently redundant in your provided config: In your current configuration, proxy_pass is set to http://127.0.0.1:3000;. This means Nginx is connecting to your backend using plain HTTP, not HTTPS. In this scenario, proxy_ssl_server_name on; has no effect because there's no SSL handshake happening between Nginx and the backend.

Conclusion: While proxy_ssl_server_name on; is a best practice for Nginx when proxying to HTTPS backends, it's currently a no-op given your proxy_pass http://127.0.0.1:3000; directive. If you ever switch your backend to serve over HTTPS, this line will become highly relevant and important.

@linuxmalaysia
Copy link
Author

Nginx Security and .well-known File Handling

You're configuring some important aspects of how Nginx handles specific files and directories, particularly those starting with a dot (.) and the security.txt file. These settings are crucial for both security and compliance with modern web standards.

Let's break down each of these location blocks:

1. location ~ /\.(?!well-known) { deny all; }

  • Explanation: This location block uses a regular expression to match requests for files or directories that start with a dot (.) but are NOT within the .well-known directory.
    • ~: Indicates a regular expression match (case-sensitive).
    • /\.: Matches a literal dot at the beginning of a path segment (like .htaccess, .env, .git).
    • (?!well-known): This is a negative lookahead assertion. It means "match a dot, but only if it's NOT followed by 'well-known'".
    • deny all;: If a request matches this pattern, Nginx will immediately deny access, returning a 403 Forbidden error.
  • Security Benefit: This is a critical security measure. Many sensitive files used by applications or version control systems (like .env for environment variables, .git for Git repositories, .htaccess for Apache configurations) start with a dot. Serving these files publicly could expose sensitive information, leading to severe security vulnerabilities. This directive ensures they are never served by Nginx.
  • Performance Impact: Negligible. It's a quick check and deny, which is very efficient.
  • Suggestion: Keep this as is. It's a fundamental security best practice.

2. location /security.txt { return 301 /.well-known/security.txt; }

  • Explanation: This location block handles requests for /security.txt. It issues a permanent redirect (301 Moved Permanently) to /.well-known/security.txt.
  • Security Benefit: The security.txt file is a proposed standard for website security, allowing security researchers to easily find contact information for reporting vulnerabilities. The official standard dictates it should be placed under the /.well-known/ directory. This redirect ensures that if someone (human or automated scanner) looks for the file at the old or common root location, they are guided to the correct, standardized location.
  • Performance Impact: Minor. It's a single HTTP redirect. The 301 status code tells browsers and search engines to cache the redirect, so subsequent requests go directly to the new location.
  • Suggestion: Keep this redirect. It helps with compliance and discoverability for security researchers.

3. location = /.well-known/security.txt { alias ~/security.txt; }

  • Explanation: This location block specifically handles requests for /.well-known/security.txt.
    • =: Denotes an exact match. This means this block will only process requests that precisely match /.well-known/security.txt.
    • alias ~/security.txt;: This is an important part.
      • alias: Specifies a different base path for the file than the root directive of the server block.
      • ~/security.txt: The tilde ~ symbol usually refers to the user's home directory. If Nginx is running as www-data, ~ would typically resolve to /var/www/. This implies your security.txt file is expected to be located at /var/www/security.txt (or /home/www-data/security.txt if that's the user's home).
  • Security Benefit: Correctly serves the security.txt file from a designated location, fulfilling the proposed standard for vulnerability reporting.
  • Performance Impact: Negligible. Serving a small static file is very efficient for Nginx.
  • Important Consideration / Suggestion:
    • File Location: You need to ensure that the security.txt file actually exists at the path specified by alias ~/security.txt. Based on your earlier root /var/www/linuxmalaysia.com/public; setting, a more common and explicit path for this would be alias /var/www/linuxmalaysia.com/security.txt; or even alias /etc/nginx/security.txt; if you prefer to keep it separate from your website's public directory.
    • User Permissions: The Nginx user (www-data) must have read permissions for the security.txt file at the alias path.

Overall Summary of these Directives:

These location blocks demonstrate good practices for managing specific file access and adhering to web standards:

  • The deny all for dotfiles is a crucial security hardened default.
  • The security.txt redirects and serving ensure you comply with a valuable security and transparency standard.

Your configuration for these elements is generally solid. The main point to double-check is the exact path of your security.txt file to ensure it aligns with the alias directive's interpretation of ~.

Is there anything else you'd like to understand about your Nginx setup, or any other parts of the configuration you'd like to review?

@linuxmalaysia
Copy link
Author

Nginx Request Method Restriction

You're using an if directive to restrict the HTTP methods that Nginx will allow for requests. This is a security measure that can help protect your backend application from unexpected or potentially malicious requests using methods your application isn't designed to handle.

Let's break down this configuration:

  • if ($request_method !~ ^(GET|POST|PUT|HEAD|CONNECT)$) { ... }

    • if directive: This is a conditional statement in Nginx. While generally discouraged for complex logic (due to some known issues and performance characteristics with complex if blocks), for simple checks like this, it's often used.
    • $request_method: This is a built-in Nginx variable that holds the HTTP method of the current request (e.g., GET, POST, DELETE, OPTIONS).
    • !~: This is the "does not match" operator for regular expressions (case-sensitive).
    • ^(GET|POST|PUT|HEAD|CONNECT)$: This is the regular expression pattern.
      • ^: Matches the beginning of the string.
      • $: Matches the end of the string.
      • (GET|POST|PUT|HEAD|CONNECT): This is a group that matches any of the specified HTTP methods.
        • GET: Used to retrieve data.
        • POST: Used to submit data to be processed.
        • PUT: Used to create or replace a resource.
        • HEAD: Similar to GET, but requests only the headers, not the body.
        • CONNECT: Used to establish a tunnel to the server, primarily for proxies.
    • In summary: The if condition evaluates to true if the $request_method is not one of GET, POST, PUT, HEAD, or CONNECT.

  • return '405';

    • Explanation: If the if condition is true (i.e., the request method is not one of the allowed ones), Nginx will immediately return an HTTP 405 Method Not Allowed status code to the client. This tells the client that the method used is not supported for the requested resource.

Security Benefit

  • Method Filtering: This helps ensure that your backend application only receives requests using the HTTP methods it's designed to process.
  • Reduced Attack Surface: By explicitly denying unexpected methods, you can reduce the attack surface. For example, if your application doesn't implement DELETE or OPTIONS (which it likely should for REST APIs, but this is a generic setup), blocking them at the Nginx level can prevent potential vulnerabilities if these methods were somehow mishandled by your backend.
  • Compliance: Can help in scenarios where strict adherence to allowed methods is required.

Performance Impact

  • Minimal CPU/Memory: The impact on Nginx's CPU and memory is very minimal. Regular expression matching for a short string is a highly optimized operation. If a method is denied, Nginx returns the error immediately, consuming very few resources for that request.
  • Efficiency: For disallowed methods, Nginx efficiently terminates the request at the edge, preventing it from ever reaching your backend application. This saves CPU and resources on your backend that would otherwise be spent processing and rejecting an invalid request.

Suggestions

  • Consider your application's needs: Before implementing method restrictions, ensure that your backend application genuinely does not use any other HTTP methods.
    • For a typical RESTful API, you'd usually also allow DELETE and PATCH.
    • OPTIONS is commonly used for CORS (Cross-Origin Resource Sharing) preflight requests. If you have a frontend application on a different domain interacting with your backend, denying OPTIONS will break CORS.
  • Placement: This if block is typically placed within a server block or a specific location block. Placing it in the http block (which seems to be the case here, given the context of your previous snippets) applies it globally to all server blocks unless overridden. This is fine for a blanket restriction.
  • Nginx if directive caution: While this specific use case is generally considered acceptable for if, it's worth noting that the if directive can sometimes lead to unexpected behavior when combined with other directives, especially in more complex scenarios. For method restriction specifically, it's usually safe.

In summary, this if block is a simple yet effective security measure to restrict HTTP methods, contributing to a more robust and secure Nginx setup. Just ensure the allowed methods align with your application's actual requirements.

@linuxmalaysia
Copy link
Author

Nginx Configuration for favicon.ico and robots.txt

These two location blocks are dedicated to handling requests for favicon.ico and robots.txt. While seemingly minor, they help optimize your Nginx logs and prevent unnecessary logging noise, which can be beneficial for performance in very high-traffic scenarios.

Let's look at each:

1. location = /favicon.ico { log_not_found off; }

  • Explanation: This block specifically targets requests for /favicon.ico.

    • location = /favicon.ico: The = sign ensures an exact match for this URI. Requests for favicon.ico (which is the small icon displayed in browser tabs) are very common.
    • log_not_found off;: This is the key part. It tells Nginx not to log 404 "file not found" errors to the error_log if favicon.ico isn't found.

  • Performance Impact:

    • Reduced Log Noise: Favicons are often requested automatically by browsers, and if the file doesn't exist (or isn't found at that exact path), it would generate a 404 error entry in your error_log. Turning log_not_found off keeps your error logs cleaner and more focused on actual issues.
    • Minimal CPU/Disk I/O: For very high-traffic sites, preventing thousands of 404 error log entries can save a tiny amount of CPU and disk I/O, as Nginx doesn't have to write these messages. This is more about efficiency and clean logs than a major performance boost.

  • Suggestion: Keep this setting. It's a standard and good practice for managing Nginx logs.

2. location = /robots.txt { log_not_found off; }

  • Explanation: This block is identical in purpose to the favicon.ico one, but it applies to /robots.txt.

    • location = /robots.txt: Ensures an exact match for the robots.txt file, which search engine crawlers (like Googlebot) request to understand your site's crawling rules.
    • log_not_found off;: Prevents 404 errors for robots.txt from being logged if the file isn't found.

  • Performance Impact:

    • Reduced Log Noise: Similar to favicon.ico, if robots.txt isn't present or found by Nginx, it would generate 404 entries. This directive keeps those out of your error logs.
    • Minimal CPU/Disk I/O: Again, this contributes to marginal savings in CPU and disk I/O by avoiding unnecessary log writes.

  • Suggestion: Keep this setting. It's another standard and good practice for log management.

Overall Summary

These directives don't directly enhance the speed of content delivery, but they are beneficial for the operational efficiency and clarity of your Nginx server. By explicitly turning off 404 logging for these commonly requested (and sometimes missing) files, you keep your error logs focused on more significant issues, making it easier to monitor and troubleshoot your server. This is especially useful for managing a web server like yours, which handles traffic in Cyberjaya, Selangor, Malaysia, and globally.

@linuxmalaysia
Copy link
Author

That's a very common if block you've got there! While it serves a good purpose in restricting HTTP methods, the general consensus in the Nginx community is to avoid if statements when possible due to potential unexpected behavior in certain complex scenarios.

However, for simple method checks like this, it's often deemed acceptable. If you're running a basic web server with a standard application (like a blog or a simple API), your current setup is likely fine and provides good security benefits by explicitly allowing only the methods your application expects.

Here are a few suggestions based on your current configuration and common Nginx practices:

1. Keep it as is (if your application strictly uses these methods)

If your application truly only relies on GET, POST, PUT, HEAD, and CONNECT methods, then your current if statement effectively limits unnecessary requests to your backend, providing a basic security layer.

  • Pros: Simple, readable, and immediately understood. It effectively filters unwanted methods at the Nginx edge.
  • Cons: Uses an if statement, which purists generally avoid, though its impact here is minimal.
  • Use Case: Ideal for applications that definitely don't use methods like DELETE, PATCH, or OPTIONS (e.g., a static site served through Nginx, or an API that uses only the listed methods).

2. Refine the Allowed Methods (if your application needs more)

Consider if your application requires other standard HTTP methods. For example, if you're building a RESTful API, you'll very likely need DELETE and PATCH. Additionally, OPTIONS is frequently used for CORS (Cross-Origin Resource Sharing) preflight requests. If you have a frontend JavaScript application hosted on a different domain from your API, it will send OPTIONS requests, and blocking them will break your frontend's ability to communicate with the API.

Suggestion: Add any methods your application legitimately uses. For a typical API, a more comprehensive list might look like this:

---
# Suggested Method Restriction
if ($request_method !~ ^(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS|CONNECT)$) {
    return 405;
}
  • Pros: Ensures your application functions correctly with all necessary HTTP verbs. Handles common CORS scenarios.
  • Cons: Still uses an if statement.
  • Use Case: Recommended for modern web applications, especially those with APIs and separate frontends.

3. Remove the Restriction (if you're unsure or your backend handles it)

If you're unsure which methods your backend uses or if your application server (e.g., Node.js, Python, PHP framework) is already robustly handling method validation, you could simply remove this if block.

  • Pros: Simplifies your Nginx configuration. Defers method validation entirely to your application, which might be more appropriate if the application logic is complex.
  • Cons: Less filtering at the Nginx edge; all method types will hit your backend, potentially exposing it to methods it doesn't handle.
  • Use Case: When your application framework (like Express.js, Django REST Framework, Laravel) is explicitly designed to handle all HTTP methods and return appropriate 405 responses or specific logic for each, making Nginx's check redundant.

Which suggestion is best for you?

Given your setup with proxy_pass http://127.0.0.1:3000;, it sounds like you're running a backend application (likely Node.js, since 3000 is a common port).

  1. If you're running a simple content-serving application or a blog without complex interactive features/APIs, then keeping your current list of methods is probably sufficient.
  2. However, if your linuxmalaysia.com site includes APIs, user interactions, or forms that might update/delete data, or if you have a separate frontend that makes AJAX requests, then I'd strongly suggest you refine the allowed methods to include OPTIONS, DELETE, and PATCH (if your API uses them). This will prevent unexpected 405 errors and ensure full functionality.

Before making any changes, always test thoroughly to ensure your application behaves as expected with the chosen method restrictions!

@linuxmalaysia
Copy link
Author

User ulimit (for Nginx user):

Even with fs.file-max set, the user running Nginx (often nginx or www-data) needs a high nofile limit in /etc/security/limits.conf or a file in /etc/security/limits.d/.

nginx soft nofile 655360
nginx hard nofile 655360

@linuxmalaysia
Copy link
Author

Let's break down the events block in your Nginx configuration. This block is crucial because it defines how Nginx handles connections and influences its scalability and performance, particularly concerning concurrent users.

events { ... }

The events block is a top-level configuration block in Nginx (alongside http, mail, stream, etc.). It contains directives that set global parameters for connection processing.

1. worker_connections 65536;

  • Explanation: This directive specifies the maximum number of simultaneous connections that a single Nginx worker process can open.
    • Since Nginx typically runs multiple worker processes (controlled by worker_processes in the main configuration block, often set to auto or the number of CPU cores), the total maximum number of connections Nginx can handle concurrently is worker_connections * worker_processes.
    • For example, if you have 4 worker processes and worker_connections 65536;, Nginx can theoretically handle $4 \times 65536 = 262144$ simultaneous connections.
  • Performance Impact (Scalability & Resource Usage):
    • High Concurrency: A high worker_connections value allows Nginx to handle a very large number of concurrent clients, which is essential for high-traffic websites.
    • Memory: Each connection consumes a small amount of memory. Setting this too high without sufficient RAM could lead to memory exhaustion.
    • CPU: While Nginx is very efficient, handling a vast number of connections will consume CPU cycles for processing requests.
    • File Descriptors: Each connection is a file descriptor. This setting must be lower than or equal to the operating system's per-process file descriptor limit.
  • Suggestions:
    • 65536 is a very common and high value, indicating a server designed for high concurrency.
    • Practical Limit: While Nginx might be configured for 65,536 connections per worker, the actual practical limit is often determined by the server's CPU, memory, and network bandwidth.
    • Monitoring: Monitor your server's resource usage (CPU, RAM, open file descriptors) under load to ensure it can comfortably handle this many connections. If you consistently hit the limit, consider scaling up your hardware or optimizing other parts of your Nginx/application stack.

2. worker_rlimit_nofile 655360;

  • Explanation: This directive sets the maximum number of open file descriptors (the RLIMIT_NOFILE limit) for Nginx's worker processes.
    • A file descriptor is used for every connection, every file being served, every log file, and so on.
    • The value 655360 (655,360) is ten times your worker_connections value.
  • Performance Impact (Stability & Reliability):
    • Prevents "Too Many Open Files" Errors: If Nginx runs out of file descriptors, it cannot accept new connections or open files, leading to service disruption and "Too many open files" errors in your logs.
    • Must be High Enough: This value must be at least worker_connections. It's often recommended to set it higher (e.g., 1.5x to 2x worker_connections for general use, or even 10x as you have for very busy servers) to account for other file descriptors used by Nginx (e.g., log files, cache files, internal pipes, upstream connections).
    • Operating System Limit: This Nginx setting cannot exceed the operating system's system-wide file descriptor limit (fs.file-max) or the per-user/per-process ulimit -n setting. You often need to adjust these OS limits first.
  • Suggestions:
    • 655360 is a very high and appropriate value for a server aiming for high concurrency.
    • Verify OS Limits: Before setting worker_rlimit_nofile this high, you must ensure your Linux system's ulimit -n for the Nginx user and fs.file-max kernel parameter are set to at least this value (or higher).
      • To check ulimit -n for the Nginx user (e.g., www-data): 
        sudo su - www-data -c 'ulimit -n'
      • To check system-wide fs.file-max: 
        cat /proc/sys/fs/file-max
      • To temporarily set ulimit -n for the current shell (e.g., for testing): ulimit -n 655360
      • To make it permanent, you'd typically edit /etc/security/limits.conf (for nofile for the www-data user) and /etc/sysctl.conf (for fs.file-max).

3. use epoll; (Example, commented out in your snippet)

  • Explanation: This directive specifies the connection processing method Nginx will use.
    • epoll is the most efficient and scalable I/O event notification mechanism on Linux systems. It allows Nginx to efficiently monitor a large number of file descriptors for readiness events (e.g., a new connection, data arriving on an existing connection).
    • Other methods exist (kqueue for FreeBSD/macOS, select, poll), but epoll is the default and preferred method on Linux due to its superior performance for high concurrency.
  • Performance Impact (CPU & Scalability):
    • Highly Efficient: epoll drastically reduces the CPU overhead associated with monitoring thousands of connections compared to older methods like select or poll. It scales very well with the number of connections.
  • Suggestions:
    • Explicitly include it: While Nginx often defaults to the best method for the detected OS, it's good practice to explicitly include use epoll; in your events block if you're on Linux, as it clearly states your intent and ensures Nginx uses the most efficient method.

Overall Impact on Nginx Performance (CPU and Memory)

  • CPU: worker_connections and the chosen use method directly impact CPU. A higher number of connections means more work for the CPU, but epoll minimizes the overhead of managing those connections.
  • Memory: worker_connections directly influences memory consumption as each connection requires a small amount of memory. worker_rlimit_nofile ensures Nginx has enough capacity to use file descriptors but doesn't directly consume memory itself (it's a limit, not an allocation).

Your events block configuration is very aggressive and suitable for a high-performance web server aiming to handle significant traffic, which aligns with serving linuxmalaysia.com effectively. The high worker_connections and worker_rlimit_nofile values are excellent for scalability, provided your underlying operating system is also configured to support them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment