Tag: Nginx

  • Nginx Notion Proxy

    What these configs do:

    • Proxy all traffic from Notion to your custom domain notion.example.tld and deliver it to your clients
    • WebSocket proxy support
    • Image local disk caching support
    • Correct URL rewriting
    • Get access logs from real request IPs

    This post is a proof of concept proxying a general XaaS without using any vendor-locked FaaS such as Cloudflare Workers or AWS Lambda.

  • Nginx Multiple Upstreams with HTTPS Support

    This example makes sure all requests to the upstreams are sent over HTTPS.

    upstream source.example.tld {
      server s1.example.tld:443;
      server s2.example.tld:443 max_fails=2 fail_timeout=5s;
      server s2.example.tld:443;
    }
    
    server {
        listen 443 ssl;
        # ssl_certificate / ssl_certificate_key for this server go here
    
        # proxy_pass must live inside a location block
        location / {
            proxy_pass https://source.example.tld/;
            proxy_ssl_protocols     TLSv1.2 TLSv1.3;
            # "off" means the upstream's certificate is NOT checked; any certificate is accepted.
            # Use "on" together with proxy_ssl_trusted_certificate to validate it.
            proxy_ssl_verify        off;
            proxy_ssl_session_reuse on;
        }
    }
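
    Hardened variant of the same configuration, added here as an example (not part of the original post): the upstream certificate chain and hostname are actually verified instead of accepted blindly. The certificate, key and CA bundle paths are assumptions, and the upstream servers' certificates must include the name given in proxy_ssl_name.

```nginx
# Added example, not from the original post. Paths below are assumptions.
upstream source.example.tld {
    server s1.example.tld:443;
    server s2.example.tld:443 max_fails=2 fail_timeout=5s;
}

server {
    listen 443 ssl;
    server_name proxy.example.tld;
    ssl_certificate     /etc/nginx/certs/proxy.example.tld.crt;  # assumed path
    ssl_certificate_key /etc/nginx/certs/proxy.example.tld.key;  # assumed path

    location / {
        proxy_pass https://source.example.tld/;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Verify the upstream certificate chain against a CA bundle
        # instead of accepting any certificate (proxy_ssl_verify off).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed CA bundle

        # Send SNI and check the certificate name. Without this, "verify on"
        # only validates the chain, not that the certificate is for this host.
        # The upstream certificates must therefore contain source.example.tld.
        proxy_ssl_server_name on;
        proxy_ssl_name        source.example.tld;

        proxy_ssl_session_reuse on;
    }
}
```

    If the upstream certificates are issued by a private CA, point proxy_ssl_trusted_certificate at that CA's PEM file rather than the system bundle.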
  • Nginx `nodelay` Option in Action

    The limit_req directive can delay excessive requests, which is not desired in some situations; the nodelay option controls this. I just found an intuitive way to show the difference while tweaking the GitHub Avatar proxy.

    Every grid cell is an avatar image loaded from GitHub.

    With nodelay:

    Without nodelay:

    So in my use case, the nodelay option makes loading feel faster to clients, but requests may hit the rate limit more easily. Without nodelay, excessive requests are kept in the burst bucket and served in sequence, but clients may feel the loading is slow.

  • Docker Mounted Volumes Permission Issues with Nginx and PHP-FPM

    Prerequisites:

    • Official Nginx alpine Docker image
    • Official PHP Docker (Debian) image with fpm tags

    Get the current PHP-FPM running user info:

    $ docker exec php_container_name id www-data
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

    Change the owner of your existing mounted volume:

    chown 33:33 -R /srv/www
  • Detecting WeChat In-App Browser via Nginx User-Agent

    You can use this directive to detect the WeChat in-app browser and skip the cache for it:

    if ($http_user_agent ~* "MicroMessenger") {
      # $skip_cache is then typically referenced in fastcgi_cache_bypass / fastcgi_no_cache
      set $skip_cache 1;
    }
  • GeoIP Bypassing for Nginx Proxy

    Goal:

    • Proxy content for requests from a specific country or region
    • Redirect any requests made outside that country or region to the original URL (to save bandwidth)

    # http context: GeoIP database and the map deciding who gets redirected
    geoip_country         /usr/share/GeoIP/GeoIPv6.dat;
    map $geoip_country_code $proxy_direct_pass {
      default yes;
      CN no;
    }
    
    # server context
    location ~* ^/proxied-content/(.*)$ {
      # "if" with "return" is safe inside a location block
      if ($proxy_direct_pass = yes) {
        return 302 https://original_content/$1$is_args$args;
      }
    
      proxy_pass https://original_content/$1$is_args$args;
    }
  • Proxying and Caching WebP Images Using the Same URI Based on User Accept Headers with Nginx

    Case:

    • The proxied image backend serves WebP images when the client's request advertises support via the Accept header ($http_accept)
    • The backend also uses the same URI for WebP responses. That means a URI like image.png can also be served in WebP format

    The solution:

    • Use the Nginx map module
    • Map the resulting variable to different cache pools

    In nginx.conf:

    # Proxy cache pools for image caching
    proxy_cache_path        /dev/shm/image_cache
                            keys_zone=image_cache:10m;
    
    proxy_cache_path        /dev/shm/image_cache_webp
                            keys_zone=image_cache_webp:10m;
    
    # Differentiate WebP requests
    map $http_accept $webp_pool {
      default                 image_cache;
      ~*webp                  image_cache_webp;
    }

    In your site config:

    proxy_cache             $webp_pool;
  • Allow WordPress Embedded Posts with Global X-Frame-Options for Nginx Servers

    The problem: when you enable X-Frame-Options globally, you won't be able to embed your posts with the latest WordPress post embed method.

    The solution: you can simply exclude the embed page in your Nginx configuration. I'll use an Nginx map for better performance:

    map $request_uri $x_frame_options_headers {
      default                 SAMEORIGIN;
      # Matching the WordPress embed page, e.g. https://example.com/my-post/embed#?secret=vLi4CQcWkH
      ~/embed                 "";
    }
    
    # Don't allow the browser to render the page inside a frame or iframe (an empty value means the header is not sent)
    add_header X-Frame-Options $x_frame_options_headers;
  • Increase PHP-FPM File Upload Limit

    Nginx:

    • client_max_body_size

    PHP:

    • post_max_size
    • upload_max_filesize
  • SELinux policy for nginx and GitLab unix socket in Fedora 19

    The installation of GitLab in Fedora 19 went fine. I followed the official installation guide with some deviations where necessary, mostly taken from the CentOS guide in gitlab-recipes. I set up nginx using the ssl config, and poked some holes in iptables. For systemd services I used these files.

    Source: SELinux policy for nginx and GitLab unix socket in Fedora 19

  • Configuring NGINX to accept the PROXY Protocol – NGINX

    This article explains how to configure NGINX and NGINX Plus to accept the PROXY protocol. The PROXY protocol enables NGINX and NGINX Plus to receive client connection information passed through […]

    Source: Configuring NGINX to accept the PROXY Protocol – NGINX

  • Shaving your RTT with TCP Fast Open – Bradley Falzon

    Check out the recently released RFC on TCP Fast Open, a spec that allows most TCP connections to send data during the initial SYN packet – reducing the initial round trips required from 2 to 1. Excellent for HTTPS connections.

    Source: Shaving your RTT with TCP Fast Open – Bradley Falzon

  • How to Generate SSL Certificate Chain for Nginx

    I'm using a Comodo certificate; you will get these files in their email:

    • Root CA Certificate – AddTrustExternalCARoot.crt
    • Intermediate CA Certificate – UTNAddTrustSGCCA.crt
    • Intermediate CA Certificate – ComodoUTNSGCCA.crt
    • Intermediate CA Certificate – EssentialSSLCA_2.crt
    • Your EssentialSSL Certificate – www_example_com.crt

    Correct order:

    1. Your EssentialSSL Certificate – www_example_com.crt
    2. Intermediate CA Certificate – EssentialSSLCA_2.crt
    3. Intermediate CA Certificate – ComodoUTNSGCCA.crt
    4. Intermediate CA Certificate – UTNAddTrustSGCCA.crt
    5. Root CA Certificate – AddTrustExternalCARoot.crt

    You can create a chained certificate required by Nginx:

    cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > example.com.chained.crt

    In fact, you only need the first three certificates: most systems already have the root CA.

    cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt  > example.com.chained.crt

    Update Mar 21, 2015:

    Comodo updated their certificates filename, so the correct order now is:

    1. Your EssentialSSL Certificate – www_example_com.crt
    2. Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
    3. Intermediate CA Certificate – COMODORSAAddTrustCA.crt
    4. Root CA Certificate – AddTrustExternalCARoot.crt

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > example.com.chained.crt
  • logrotate for nginx

    vi /etc/logrotate.d/nginx
    /srv/www/*/logs/*log {
            daily
            missingok
            rotate 52
            compress
            delaycompress
            notifempty
            create 640 nginx adm
            sharedscripts
            postrotate
                    # Tell nginx to reopen its log files, otherwise it keeps
                    # writing to the rotated file (pid file path is an assumption)
                    [ -f /run/nginx.pid ] && kill -USR1 "$(cat /run/nginx.pid)"
            endscript
    }
    
    # debug (dry run)
    logrotate -d /etc/logrotate.conf
    
    # force logrotate with verbose info
    logrotate -f -v /etc/logrotate.conf
    
  • Guide to Manually Compiling and Installing nginx + PHP-FPM on Debian

    There are countless unreliable automated installation scripts online at the moment, and not many nginx + PHP-FPM tutorials either. This memo focuses on installing PHP-FPM and was written with reference to the official nginx docs and the Slicehost wiki.