background preloader

Nginx "how to" - Fast and Secure Web Server (nginx.conf) @ - Open Source Research and Reference

Home RSS Search April 07, 2014 with HTTP, HTTPS SSL and Reverse Proxy Examples Nginx is a secure, fast and efficient web server. It can be configured to serve out files or be a reverse proxy depending on your application. What makes this web server different from Apache, Lighttpd or thttpd is the overall efficiency of the daemon, the number of configuration options and how easy it is to setup. Nginx ("engine x") is a high-performance HTTP server and reverse proxy server. Security methodology behind our configuration In the following example we are going to setup some web servers to serve out web pages to explain the basics. The security mindset of the configuration is very paranoid. Our goal is to setup a fast serving and CPU/disk efficient web server, but most importantly a _very secure_ web server. Below you will find a few different example nginx.conf configuration files in scrollable windows. You are welcome to copy and paste the following working examples. make clean; . Related:  NginxUnix System Adminstration

A faster Web server: ripping out Apache for Nginx I am, at best, a fly-by-night sysadmin. I grew to adult nerdhood doing tech support and later admin work in a Windows shop with a smattering of *nix, most of which was attended to by bearded elders locked away in cold, white rooms. It wasn't until I started managing enterprise storage gear that I came to appreciate the power of the bash shell, and my cobbled-together home network gradually changed from a Windows 2003 domain supporting some PCs to a mixture of GNU/Linux servers and OS X desktops and laptops. Like so many others, I eventually decided to put my own website up on the Internets, and I used the Apache HTTP server to host it. But it wasn't quite right for me. Old and busted Apache was easy to set up. Things ran well this way for a couple of years, but as I started doing more with the Web server, it began to be apparent that my setup, while perfectly workable, could be better. Additionally, I began running a small wiki on the same box. There were many paths to take.

Optimizing NGINX TLS Time To First Byte (TTTFB) By Ilya Grigorik on December 16, 2013 Network latency is one of our primary performance bottlenecks on the web. In the worst case, new navigation requires a DNS lookup, TCP handshake, two roundtrips to negotiate the TLS tunnel, and finally a minimum of another roundtrip for the actual HTTP request and response — that's five network roundtrips to get the first few bytes of the HTML document! Modern browsers try very hard to anticipate and predict user activity to hide some of this latency, but speculative optimization is not a panacea: sometimes the browser doesn't have enough information, at other times it might guess wrong. The why and the how of TTFB According to the HTTP Archive, the size of the HTML document at 75th percentile is ~20KB+, which means that a new TCP connection will incur multiple roundtrips (due to slow-start) to download this file - with IW4, a 20KB file will take 3 extra roundtrips, and upgrading to IW10 will reduce that to 2 extra roundtrips. Much better!

WordPress on Nginx, Part 2: vhost, MySQL & APC Configurations What good a website with a “Welcome to nginx” note? That’s where we left last time. My primary reference for this Apache to Nginx migration was this article — in fact, my configs are more or less a copy-paste from this guide. For your convenience I’ll just repeat the steps here… Configuring the Nginx vhost Since it’s always nice to save a backup of the original default config files before we make any changes — because it’s easy to roll back to the reference point and troubleshoot when something goes wrong — we move the original nginx.conf file as follows: Then create a new /etc/nginx/nginx.conf file and insert the following text in it: The worker_processes 1 directive above is of special importance here. Second, if you notice, the nginx.conf above doesn’t have any WordPress specific configs yet. This second directory is where we’ll have our vhost configs, while in the former we’ll simply have individual vhost configs files’ symlinks. Remember the “Welcome to nginx!” With that done. All good.

Network Tuning and Performance Guide Home RSS Search November 12, 2013 Many of today's desktop systems and servers come with on board gigabit network controllers. After some simple speeds tests you will soon find out that you are not be able to transfer data over the network much faster than you did with a 100MB link. There are many factors which affect network performance including hardware, operating systems and network stack options. It is important to remember that you can not expect to reach gigabit speeds using slow hardware or an unoptimized firewall rule set. Hardware No matter what operating system you choose, the machine you run on will determine the theoretical speed limit you can expect to achieve. In terms of a firewall or bridge we are looking to move data through the system as fast as possible. The quality of a network card is key to high though put. A gigabit network controller built on board using the CPU will slow the entire system down. Not to say that all on-board chip sets are bad. Yes.

nginx How to monitor ZFS with SNMP in FreeBSD? Créer et Installer un certificat SSL sous NGinx | Admin Serveur Créer et Installer un certificat SSL sous NGinx Installer un certificat SSL sur NGinx est l'affaire de quelques minutes. Dans cet exemple, j'ai choisi NameCheap comme fournisseur de Certificat SSL. Les certificats SSL de type GeoTrust RapidSSL sont au prix de 10.95 USD (~7.95 €uros au moment de ce billet). Préparation des certificats SSL Rendez-vous sur votre serveur: cd /etc/nginx/ # Création d'un dossier ssl pour y mettre les certificats mkdir ssl cd ssl/ Génération des certificats: # Génération du fichier .key openssl genrsa -des3 -out 2048 Generating RSA private key, 2048 bit long modulus ...+++ ..................................................................................................+++ e is 65537 (0x10001) Enter pass phrase for Verifying - Enter pass phrase for Votre fichier .key (protégé par mot de passe) est maintenant créé, nous passons à la génération du CSR: Votre fichier CSR est désormais créé. Votre commentaire

arm/Raspberry Pi - FreeBSD Wiki FreeBSD/ARM on Raspberry Pi FreeBSD-CURRENT has supported Raspberry Pi since November, 2012 and Raspberry Pi 2 since March, 2015. If you have questions, ask on the freebsd-arm mailing list. What is Raspberry Pi? The Raspberry Pi launched in early 2012 as an inexpensive ($35) PC based on a Broadcom BCM2835 SoC. There are several versions of the Raspberry Pi: The "Model B" includes Ethernet, 2 USB ports and originally included 256MB RAM. What works How to Boot the Raspberry Pi As of January 2013, FreeBSD-CURRENT fully supports either a video console (you'll need a USB keyboard and display connected) or it can be configured to use a serial console (you'll need a USB to TTL Serial Cable such as the one sold by After connecting video, keyboard, and inserting the SDHC card, you connect power to actually boot. Anatomy of a Raspberry Pi Boot Image A FreeBSD bootable image for Raspberry Pi has both FAT and UFS partitions containing the following files: How to Build an Image Binary snapshots

Nging pour optimiser son serveur web Si vous êtes l’heureux possesseur d’un site hébergé sur un serveur dédié, la popularité est une bonne chose mais peut vite s’accompagner d’autres inconvénients comme la saturation des ressources de votre serveur. La solution la plus simple est souvent de passer à une offre supérieure (et donc plus chère), mais cela peut être sans fin ou presque, et les migrations ne sont pas forcément une partie de plaisir. Modifier l’architecture est parfois une meilleure solution et permet de mieux profiter de son hébergement actuel sans trop d’efforts et sans surcoût. Si vous travaillez bien, vous pourrez en plus anticiper le passage à une architecture à plusieurs serveurs. Pourquoi mon serveur plante ? Le problème principal affectant les serveurs Web comme Apache est la quantité de RAM disponible sur le système. Si le SWAP est utilisé, le temps de réponse du serveur augmente, et les visiteurs rafraichissent alors plusieurs fois la page accentuant encore la charge sur le serveur. nginx (Source).

Moving away from puppet: SaltStack or Ansible? | Ryan D Lane Over the past month at Lyft we’ve been working on porting our infrastructure code away from Puppet. We had some difficulty coming to agreement on whether we wanted to use SaltStack (Salt) or Ansible. We were already using Salt for AWS orchestration, but we were divided on whether Salt or Ansible would be better for configuration management. We decided to settle it the thorough way by implementing the port in both Salt and Ansible, comparing them over multiple criteria. First, let me start by explaining why we decided to port away from Puppet: We had a complex puppet code base that has around 10,000 lines of actual Puppet code. Before I delve into the comparison, we had some requirements of the new infrastructure: No masters. Here’s how we compared: Simplicity/Ease of UseMaturityPerformanceCommunity Simplicity/Ease of Use Ansible: As I started Ansible was indeed simple. Developing the playbook was straightforward. My initial playbook was a single file. Introspection for Ansible was lacking.

Installing PHP 5.3, Nginx And PHP-fpm On Ubuntu/Debian | HowtoFo Version 1.1 Follow me on Twitter Since Apache is most of the time a memory hungy process, people started to look for different ways to host their website. Apache is clearly not the only webserver available. A few good examples are lighttpd and nginx. Ready? Step 0 - Preliminary Notes In order to complete this tutorial, I assume you have installed a base system of Debian or Ubuntu. Step 1 - Nginx Installing nginx is the first step we have to do. sudo apt-get install nginx The default vhost has to be changed in order to work properly. sudo vim /etc/nginx/sites-available/default A nice starting point for your config is: Ok, we're done here. Step 2 - Installing PHP Many sites rely on PHP for providing them dynamic content, whether this is a wiki, forum software, weblog or something entirely different. If you are running Ubuntu, we first have to resolve two dependencies required for the dotdeb packages. For Debian you won't have to do this! cd /tmp sudo dpkg -i *.deb Update apt: sudo apt-get update