[commits] [Wiki] created: webserver/nginx
Wiki Guest
wikiguest at horde.org
Fri Jan 9 16:48:54 UTC 2015
guest [188.192.208.213] Fri, 09 Jan 2015 16:48:54 +0000
Created page: http://wiki.horde.org/webserver/nginx
+ Running Horde on nginx
[http://nginx.org nginx] is a high performance webserver. Unlike
Apache and lighttpd, nginx needs an external helper to execute PHP
scripts.
nginx uses the concept of include directories. You may find a file
/etc/nginx/nginx.conf containing a statement
<code>
http {
include conf.d/*;
include sites-enabled/*;
}
</code>
That means any file in /etc/nginx/sites-enabled/ will be used as
a config file, too.
So I put my configuration in /etc/nginx/sites-enabled/horde.example.org.
<code>
server {
    # assume correct DNS settings
    # - horde.example.org = 192.0.2.1 and 2001:db8::1
    # - 1.2.0.192.in-addr.arpa. = horde.example.org
    # - 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa = horde.example.org
    listen 192.0.2.1:443 ssl spdy;
    listen [2001:db8::1]:443 ssl spdy;
    server_name horde.example.org;

    # minimum ssl stuff
    ssl_certificate     /etc/ssl/horde.example.org/cert+intermediate.pem;
    ssl_certificate_key /etc/ssl/horde.example.org/key.pem;

    # optional: see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # note: a location that has its own add_header does not inherit these
    add_header strict-transport-security "max-age=31536000";
    add_header x-frame-options "sameorigin";
    add_header x-xss-protection "1; mode=block";
    add_header x-content-type-options "nosniff";

    root /path/to/horde/;
    index index.php;

    location / {
        location ^~ /static/ {
            expires 4w;
            add_header Cache-Control public;
        }
        location ^~ /themes/ {
            expires 4w;
            add_header Cache-Control public;
        }
        location ^~ /services/ajax.php {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/phpcgi/socket;
            include /etc/nginx/fastcgi.conf;
        }
        # unanchored regex: matches any URI that contains ".php"
        location ~ \.php {
            fastcgi_pass unix:/var/run/phpcgi/socket;
            include /etc/nginx/fastcgi.conf;
        }
        try_files $uri $uri/ /rampage.php?$args;
    }
}
</code>
The file /etc/nginx/fastcgi.conf is included in default nginx installations.
The socket {{/var/run/phpcgi/socket}} is created by a separate php process.
The important thing: nginx must have write access to the socket. So
it's best to run nginx and php with the same uid.
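In the server block above, the /static/ and /themes/ locations set their own add_header, and nginx inherits add_header directives from the enclosing level only when the current level defines none, so those two locations do not send the four server-level headers. The script below is an added example, not part of the wiki page; it lists such blocks and assumes one directive per line with braces at line ends, and its sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page). Assumes one directive per line
# and "{" / "}" at line ends, as in the configuration above.

# Print "<block>: <header>" for every header set at an enclosing level
# that a block drops by declaring add_header lines of its own.
lost_headers() {
    awk '
    /^[ \t]*#/ { next }                          # skip comments
    /\{[ \t]*$/ {                                # block opens
        n++; parent[n] = cur; cur = n
        name[n] = $0
        sub(/^[ \t]+/, "", name[n]); sub(/[ \t]*\{[ \t]*$/, "", name[n])
        next
    }
    $1 == "add_header" { own[cur] = own[cur] " " tolower($2) " "; next }
    /^[ \t]*\}/ { cur = parent[cur] }            # block closes
    END {
        for (b = 1; b <= n; b++) {
            if (own[b] == "") continue
            # nearest ancestor that sets headers is what b would inherit
            for (p = parent[b]; p && own[p] == ""; p = parent[p]) ;
            if (!p) continue
            k = split(own[p], h, " ")
            for (i = 1; i <= k; i++)
                if (index(own[b], " " h[i] " ") == 0)
                    print name[b] ": " h[i]
        }
    }' "$1"
}

# Constructed sample: a cut-down copy of the server block above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    add_header strict-transport-security "max-age=31536000";
    add_header x-content-type-options "nosniff";
    location / {
        location ^~ /static/ {
            expires 4w;
            add_header Cache-Control public;
        }
        location ~ \.php {
            fastcgi_pass unix:/var/run/phpcgi/socket;
        }
    }
}
EOF
lost_headers "$sample"
```

Repeating the server-level add_header lines inside each location that sets Cache-Control makes the script print nothing for that block.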
I like to run such processes supervised, i.e. not forking into the
background, with a script like this:
<code>
#!/bin/sh
exec < /dev/null
exec 2>&1
# still root now
# create the directory for the socket to allow the non-root user to create the socket
install -d -o www-run -g root -m 0700 /var/run/phpcgi/
rm -f /var/run/phpcgi/socket
cd /empty
exec env - setuidgid www-run /usr/bin/php5-cgi --bindpath /var/run/phpcgi/socket --no-chdir
</code>
{{setuidgid}} belongs to a toolchain from djb.
[http://cr.yp.to/daemontools/setuidgid.html It simply switches the current uid].
**ATTENTION: this is the first configuration published here. It's
working but assumed to need optimization.**