[commits] [Wiki] created: webserver/nginx

Wiki Guest wikiguest at horde.org
Fri Jan 9 16:48:54 UTC 2015


guest [188.192.208.213]  Fri, 09 Jan 2015 16:48:54 +0000

Created page: http://wiki.horde.org/webserver/nginx

+ Running Horde on nginx

[http://nginx.org nginx] is a high-performance web server. Unlike
Apache and lighttpd, nginx needs an external helper to execute PHP
scripts.

nginx uses the concept of include directories. You may find a file
/etc/nginx/nginx.conf containing a statement
<code>
http {
     include                             conf.d/*;
     include                             sites-enabled/*;
}
</code>
That means any file in /etc/nginx/sites-enabled/ will be used as a
config file, too.
So I put my configuration in /etc/nginx/sites-enabled/horde.example.org.

<code>
server {
     # assume correct DNS settings
     # - horde.example.org = 192.0.2.1 and 2001:db8::1
     # - 1.2.0.192.in-addr.arpa. = horde.example.org
     # -  
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa =  
horde.example.org
     listen                              192.0.2.1:443 ssl spdy;
     listen                              [2001:db8::1]:443 ssl spdy;
     server_name                         horde.example.org;

     # minimum ssl stuff
     ssl_certificate                     /etc/ssl/horde.example.org/cert+intermediate.pem;
     ssl_certificate_key                 /etc/ssl/horde.example.org/key.pem;

     # optional: see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
     add_header                          strict-transport-security "max-age=31536000";
     add_header                          x-frame-options           "sameorigin";
     add_header                          x-xss-protection          "1; mode=block";
     add_header                          x-content-type-options    "nosniff";

     root                                /path/to/horde/;
     index                               index.php;

     location / {

         location ^~ /static/ {
             expires                     4w;
             add_header                  Cache-Control public;
         }

         location ^~ /themes/ {
             expires                     4w;
             add_header                  Cache-Control public;
         }

         location ^~ /services/ajax.php {
             fastcgi_split_path_info     ^(.+\.php)(/.+)$;
             fastcgi_pass                unix:/var/run/phpcgi/socket;
             include                     /etc/nginx/fastcgi.conf;
         }

         location ~ \.php {
             fastcgi_pass                unix:/var/run/phpcgi/socket;
             include                     /etc/nginx/fastcgi.conf;
         }

         try_files                       $uri $uri/ /rampage.php?$args;

     }
}

</code>

The file /etc/nginx/fastcgi.conf is included in default nginx installations.

The socket {{/var/run/phpcgi/socket}} is created by a separate PHP process.
The important thing: nginx must have write access to the socket, so
it's best to run nginx and PHP with the same uid.

I like to run such processes supervised, i.e. not forking into the
background, with a script like this:

<code>
#!/bin/sh

exec < /dev/null
exec 2>&1

# still root now
# create the directory for the socket to allow the non-root user to create the socket
install -d -o www-run -g root -m 0700 /var/run/phpcgi/
rm -f /var/run/phpcgi/socket

cd /empty
exec env - setuidgid www-run /usr/bin/php5-cgi --bindpath /var/run/phpcgi/socket --no-chdir
</code>

{{setuidgid}} belongs to a toolchain from djb.
[http://cr.yp.to/daemontools/setuidgid.html It simply switches the
current uid].
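
The run script above creates the socket directory with mode 0700 owned by www-run, so only that uid can reach the socket, which is why nginx has to run as the same user. The following check is an added example, not part of the original wiki page; it assumes GNU stat, and the helper names to_uid and check_phpcgi_socket are hypothetical:

```shell
#!/bin/sh
# Added example: audit the php-cgi socket directory created by the run script.
# Assumes GNU stat (-c); function names are hypothetical, not part of Horde.

# Resolve a user name or a numeric uid to a numeric uid.
to_uid() {
    case $1 in
        ''|*[!0-9]*) id -u "$1" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# check_phpcgi_socket DIR USER -> 0 if safe, 1 if any finding was printed
check_phpcgi_socket() {
    dir=$1
    want=$(to_uid "$2") || { echo "unknown user: $2"; return 1; }
    rc=0

    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    [ "$(stat -c %u "$dir")" = "$want" ] ||
        { echo "$dir: not owned by uid $want"; rc=1; }
    # Any group/other bit lets another account reach the socket.
    [ $(( 0$(stat -c %a "$dir") & 077 )) -eq 0 ] ||
        { echo "$dir: group/other access, expected 0700"; rc=1; }

    sock=$dir/socket
    if [ -e "$sock" ]; then
        [ -S "$sock" ] || { echo "$sock: not a unix socket"; rc=1; }
        [ "$(stat -c %u "$sock")" = "$want" ] ||
            { echo "$sock: not owned by uid $want"; rc=1; }
        [ $(( 0$(stat -c %a "$sock") & 002 )) -eq 0 ] ||
            { echo "$sock: world-writable"; rc=1; }
    fi
    return $rc
}

# Usage on the host from the page: check_phpcgi_socket /var/run/phpcgi www-run
```

Run it as root, or as www-run, after the supervised php5-cgi process has started; a non-zero exit status means at least one finding was printed.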

**ATTENTION: this is the first configuration published here. It's
working but assumed to need optimization.**


