Getting the most out of your Nginx setup.
Posted By :Ankit Kumar |22nd May 2019
Make Nginx faster, lighter, and more powerful
1. Adjust worker_processes:
Nginx has one master process and many worker processes. The main goal of the master process is to read and ascertain configuration and maintain worker processes.
Worker processes do the actual processing of received requests. The best practice to configure the worker process is to leave it to "auto", It will automatically detect the cores in your system and then assign them to the worker process for best performance.
worker_processes auto;
events {
worker_connections 1024;
multi_accept on;
}
Here,Assuming a system with 4 cores, this would allow us to have 4096 simultaneous connections.
2. Enabling Gzip Compression:
Let's make a configuration file for gzip and then include this file in our main nginx.conf
vim /etc/nginx/default_conf/gzip.conf
##Gzip setting configurationFile:
gzip on;
gzip_comp_level 6;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied expired no-cache no-store private auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/jpeg image/png image/jpg image/bmp image/svg+xml image/x-icon text/cache-manifest text/js text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy application/font-woff application/octet-stream;
3. Enabling Browser Caching:
Let's make a configuration file for browser caching and then include this file in our main nginx.conf.
vim /etc/nginx/default_conf/browsercaching.conf
Paste the following content:
##Browser caching configurationFile:
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
}
4. Enabling Security Header:
Let's make a configuration file for Security Header and then include this file in our main nginx.conf
vim /etc/nginx/default_conf/security.conf
Paste the following content:
## Security headers configurationFile:
server {
### X-XSS PROTECTION HEADER
add_header X-XSS-Protection "1; mode=block";
### CLICK-JACKING PROTECTION HEADER
add_header X-Frame-Options "SAMEORIGIN";
### X-Content-Type-Options
#Having this header forces browser to consider files types as defined and disallow content sniffing.
add_header X-Content-Type-Options "nosniff" always;
### Content Security Policy
#Prevent XSS, clickjacking, code injection attacks. CSP forces browser to load allowed content to load on the website.
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
### HTTP Strict Transport Security:
#enforce the use of HTTPS going forwards and never permit the user to attempt any connection using HTTP.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
### Referrer Policy
#Referrer-Policy is a security header that should) be included on communication from client to your website's server.
#The Referrer-Policy tells the web-browser how to handle referrer information that is sent to websites when a user clicks a
#link that leads to another page or website.
add_header Referrer-Policy same-origin;
}
Include This Segment only if You've compiled your nginx with dynamic module named: headers-more-nginx-module.
#Stop nginx showing its server details server_tokens off; more_set_headers 'Server: YourName' ;
5. Enabling Rate Limiting:
Let's make a configuration file for browser caching and then include this file in our main nginx.conf
vim /etc/nginx/default_conf/security.conf
Paste the following content:
##: RateLimiting configurationFile: limit_req_log_level warn; limit_req_zone $binary_remote_addr zone=reqlimit:10m rate=10r/m; limit_conn_zone $binary_remote_addr zone=connlimit:100m; limit_conn servers 1000; # Simultaneous Connections
6. Forcing http2 over http1:
Note: To fore the http2 protocol over http1, simply replace http with http2
eg,
server{
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl on;
server_name app.myserver.io;
}
7. Configuring dhpm.
mkdir -p /etc/nginx/dhpm && cd /etc/nginx/dhpm
now let's generate dhparams.pem, use the following command to generate dhparams.
openssl dhparam -out dhparams.pem 2048
Note: nginx.conf
Since I'm using RHEL based OS my user is nginx, If you're using ubuntu based OS you should use " user www-data "
Your main nginx.conf file should look like this
user nginx;
worker_processes auto;
pid /run/nginx.pid;
##load Dynamic module
##only if You've compiled your nginx with dynamic module named: headers-more-nginx-module, uncomment the load_modules line
#load_module modules/ngx_http_headers_more_filter_module.so;
events {
worker_connections 1024;
multi_accept on;
}
http {
##Basic Settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##SSL Settings
#supported protocols
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#supported ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
#Cipher Order
#With the ciphers ordered, so that the most preferred ciphers appear first, we want to ensure that we enforce their use in that order.
ssl_prefer_server_ciphers on;
#command to generate dhparams.pem>> openssl dhparam -out dhparams.pem 2048
ssl_dhparam /etc/nginx/dhpm/dhparams.pem;
#This will allow the client to send multiple requests via the same connection. This a trade off on higher capacity servers as we need to
#strike a balance between connection limits and inducing more load by severing connections prematurely.
keepalive_timeout 70;
### Optimize session cache:
#Creating a cache of TLS connection parameters reduces the number of handshakes, and thus can improve the performance of application
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
### Enable session tickets
#Session tickets are an alternative to session cache. Here, information about the session is stored on the server.
ssl_session_tickets on;
### OCSP Stapling
#To have a secure connection to a server, the client needs to verify the certificate which the server presented. In order to verify that
#the certificate is not revoked, the client (browser) will contact the issuer of the certificate. This adds a bit more overhead to
#connection initialisation
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
##Logging Settings
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##Virtual Host Configs
include /etc/nginx/sites-enabled/*;
##including security headers
include /etc/nginx/default_conf/security.conf;
##gzip setting
include /etc/nginx/default_conf/gzip.conf;
##browser_caching
include /etc/nginx/default_conf/browsercaching.conf;
###rateLimits
include /etc/nginx/default_conf/rateLimiting.conf
}
Now,
open your domain specific config files
vim /etc/nginx/sites-available/default
Depending upon your website parameters paste the following content in your server block.
server {
##client-side content caching
location ~* .(js|jpg|jpeg|gif|png|css|tgz|gz|rar|bz2|doc|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|woff|woff2|svg)$ {
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "max-age=31536000, public";
}
}
Ready to innovate ? Let's get in touch
