Skip to content

A compilation of best practices of NGINX web server configuration, ready for production use.

License

Notifications You must be signed in to change notification settings

cloudbitsio/filament

Repository files navigation

Drop-in replacement for /etc/nginx

About | Installation | Usage | What's Inside | Credits


NGINX Configurations

The goal of this project is to maintain a compilation of best practices of NGINX server configurations and some opinionated patterns for ease of configurability.

Licensed under MIT.

Features:

  • HTTP for local development, HTTPS with/without FastCGI Cache;
  • HTTP/2, IPv6;
  • Certbot, HSTS, security headers, SSL profiles, OCSP resolvers;
  • FastCGI caching, gzip, fallback routing, www/non-www redirect;
  • Comprehensive WordPress support

Installation

Assuming you have NGINX installed,

  1. Backup your /etc/nginx folder.
tar -czvf /etc/nginx_$(date +'%F_%H-%M-%S').tar.gz /etc/nginx
  1. Filament is a drop-in replacement for NGINX configs. Download Filament into /etc/nginx.
git clone https://github.com/cloudbitsio/filament /etc/nginx

Usage

You have three templates in the templates folder.

  • no-ssl.conf is a simple http with no-www configs. Great for development
  • ssl.conf is the one you should be using (provided you have an SSL certificate)
  • ssl-fastcgi.conf is configured with NGINX fastcgi cache

Start by copying a template file to sites-available

cp /etc/nginx/templates/ssl.conf /etc/nginx/sites-available/http.conf

Replace example.com with your hostname

sed -i 's|example.com|myawesomewebsite.com|g' /etc/nginx/sites-available/http.conf
  • Open the file and check the path to document root
  • Enable the Wordpress server rules if you are using Wordpress. Otherwise discard/ignore.
  • If you want site-specific logs, uncomment the access_log and error_log configs (make sure your log files exist)
  • Provide path to your SSL certificates

default.conf is the default_server that returns 444 to all requests. Create symlinks of both the default server and your custom server into sites-enabled.

ln -s /etc/nginx/templates/default.conf /etc/nginx/sites-enabled/default.conf
ln -s /etc/nginx/sites-available/http.conf /etc/nginx/sites-enabled/http.conf

Finally, test your nginx configuration before you (re)start your service.

nginx -t

What's Inside

The configurations have the following structure:

./
├── conf.d/
│   ├── performance/
│   │   ├── cache.conf
│   │   ├── cache-expires.conf
│   │   ├── cache-fastcgi.conf
│   │   ├── fastcgi-params.conf
│   ├── security/
│   │   ├── exclusions.conf
│   │   ├── policies.conf
│   └── ssl/
│   │   ├── ocsp-stapling.conf
│   │   ├── policy-deprecated.conf
│   │   ├── policy-intermediate.conf
│   │   ├── policy-modern.conf
│   │   ├── ssl-engine.conf
│   ├── wordpress/
│   │   ├── wordpress-cache.conf
│   │   ├── wordpress-security.conf
│   │   ├── wordpress-yoast.conf
│   ├── gzip.conf
│   ├── http.conf
│   ├── php-fpm.conf
├── sites-available/
├── sites-enabled/
├── templates/
│   ├── default.conf
│   ├── no-ssl.conf
│   ├── ssl.conf
│   ├── ssl-fastcgi.conf
├── mime.types
└── nginx.conf

  • sites-available/ folder should contain your working server blocks and drafts. Edit your server block files here because some test editors create temp files.

  • sites-enabled/ folder should only contain symlinks to server blocks that are live.

  • conf.d/ folder

    Contains all the config snippets and are loaded automatically. Do not change anything inside unless you know what you are doing.

    If you need to change the PHP version, edit php-fpm.conf.

    http.conf and gzip.conf are global HTTP and GZip rules that are applied to the http block in our nginx.conf main configuration file.

    • performance/ subfolder contains files that improve performance of the web server blocks.

    • security/ subfolder headers for cross-origin requests and security policies. Check out securityheaders.com for details.

      If you are using a no-ssl config with a .test domain for local development, disable HSTS in policies.conf

    • ssl/ subfolder contains SSL rules:

      • ssl-engine.conf contains the generic SSL rules

      • You have a choice between three SSL profiles:

        policy-deprecated.conf supports TLS v1, v1.1 and 1.2. It is not recommended.

        policy-intermediate.conf supports only TLS v1.2

        policy-modern.conf supports TLS v1.2 and v1.3. This is the default in the provided templates.

      • ocsp-stapling.conf contains resolvers for CloudFlare, Google and OpenDNS.

    • wordpress/ subfolder contains rules that are for performance and security for Wordpress.

  • mime-types.conf file is responsible for mapping file extensions to mime types.

  • nginx.conf file is the main configuration file.

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

TODO

  • Brotli support
  • mod_pagespeed support

Support

NGINX 1.8.0+

Credits

This project would not have been possible without the following. In fact, much of the code snippets are borrowed from these projects.

License

MIT

About

A compilation of best practices of NGINX web server configuration, ready for production use.

Topics

Resources

License

Stars

Watchers

Forks