Nginx

From DreamHost
Jump to: navigation, search
Dh-kb-important-icon.fw.png Important: This article contains information/examples about root/sudo/admin users.

On December 9, 2015, DreamHost disabled admin users on VPS machines (private servers). For details of why this was done, please review the following article:

If you still require sudo/admin access, you must upgrade to a Dedicated server.


Overview

Nginx (pronounced engine-x) is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. It's known for its high performance, stability, rich feature set, simple configuration, and low resource consumption.

As of September 2015, Nginx hosts nearly 12.18% (22.2M) of active sites across all domains. It powers several high-visibility sites, such as Netflix, Hulu, Pinterest, CloudFlare, Airbnb, WordPress.com, GitHub, SoundCloud, Zynga, Eventbrite, Zappos, Media Temple, Heroku, RightScale, Engine Yard, and MaxCDN

View the following article for further details:

Nginx is available on DreamHost Private Servers as an optional web server to run your sites.

Nginx at DreamHost

All DreamHost private servers use Apache by default instead of Nginx. This is because Apache supports a larger toolbox of things it can do immediately and is probably the most compatible across all web software out there today.

However, Nginx is a very good choice in cases where you have a site that gets large volumes of traffic and is running into performance/memory issues on a VPS. A server running Nginx serves your site faster while using less memory than Apache. This lets you handle a much larger amount of traffic more gracefully than Apache would. For a more detailed look at this, visit the Web Server Performance Comparison page:

PHP with Nginx at DreamHost

Dh-kb-note-icon.fw.png Note:

PHP 5.5 is the only version available in the panel to use with your Nginx website.


PHP processes per user

For security purposes, it's generally advised to assign a single user to each domain. This way if that user is compromised, no other sites are affected. However, when running Nginx, it's recommended that you consolidate your domains under a single username. This is for performance reasons.

Nginx uses a set number of PHP processes when starting up. This happens for each user, and the same number are started regardless of how many domains are hosted under the user.

However, if you have 10 domains spread across 10 separate FTP users, you'll get 10x as many PHP processes as you would otherwise get with a single user.

Also, keep in mind that the number of PHP processes that spawn per user is automatically scaled with the amount of memory your VPS is set to use.

Limiting the amount of processes spawned per domain

Unlike Apache or Lighttpd, Nginx does not automatically spawn FCGI processes. You must start them separately. PHP5 auto-spawns as many as you set in the PHP_FCGI_CHILDREN environment variable.

View the following article for details:

The PHP_FCGI_CHILDREN variable affects how many PHP pages can be processed simultaneously. The lower the value, the less memory used. But if you're getting a lot of traffic this slows down your response time. This value defaults to 9 on DreamHost Nginx servers.

Globally

  1. Using an admin user, navigate to the following directory:
    /dh/nginx/servers/httpd-ps12345/environ
    
  2. Use the 'sudo' command to edit this file. You'll see the following lines:
    PHP_FCGI_CHILDREN=9
    PHP_FCGI_MAX_REQUESTS=1000
    

PHP_FCGI_CHILDREN is the number of desired processes per domain.

Per-user

  1. Navigate to your user's $HOME directory.
    cd ~
  2. Create a .php-launcher file with the following contents:
    #!/bin/sh
    export PHP_FCGI_CHILDREN=9
    exec /dh/cgi-system/php5.cgi $*
    
  3. Make the script executable:
    chmod a+x .php-launcher

Enabling Nginx

  1. Navigate to the (Panel > 'VPS' > 'Dashboard') page.
  2. To the right of your server, click the Configure button.
    Under the section 'Web Serve Configuration' is an 'HTTP Server' dropdown:
    VPS options.png
  3. From this dropdown, select 'nginx'.
  4. Scroll down and click the blue Save settings button.
    A message appears notifying you that this make take a few minutes to update.

How to reload and restart Nginx

Reloading

Anytime you make a change to a configuration file, you should reload Nginx. You can do this by logging into your server via SSH with your admin user. Then, run the following command:

sudo /etc/init.d/nginx reload
  • Reloading keeps the server running while re-reading any configuration file updates.
  • Reloading is safer than restarting because if a syntax error is noticed in a config file, it will not proceed with the reload and your server remains running.
  • If there is a syntax error in a config file and you restart, it's possible the server will not restart correctly.

Restarting

You can restart Nginx with the following commands after logging into your server via SSH with your admin user:

sudo /etc/init.d/nginx stop
sudo /etc/init.d/nginx start

You can also restart in your DreamHost panel. Navigate to the (Panel > 'VPS' > 'Dashboard') page, and then click the Restart button to the right of your server.

Configuration file locations

The nginx.conf file

The main config file can only be seen or edited if you're using an admin user.

  1. Once you've created and admin user, log into your VPS and navigate to the following directory:
    /dh/nginx/servers/httpd-psXXXXXX/
    
  2. Use 'sudo' to view the directory contents:
    sudo ls -la
  3. Enter your password when prompted.
    You'll see the nginx.conf file listed.
  4. Edit the file using 'sudo':
    sudo nano nginx.conf
    

Local configuration files

Nginx hard codes an include path for every domain, as seen in the following example:

/home/username/nginx/example.com

This /home/username/nginx/example.com directory is the only place you should load any .conf file you want your actual site to use. Additionally, any file ending in .conf is inserted into the server block of the nginx.conf file.

Dh-kb-note-icon.fw.png Note:

The /nginx/example.com folders do not exist by default. You must create them manually by running the following commands under your username:

mkdir -p nginx/example.com


To clarify, you'll now have two directories your domain uses:

  • Your actual web directory (aka document root)
/home/username/example.com
  • Your nginx/example.com directory where ALL config files should be placed
/home/username/nginx/example.com

View the 'Password protected directories' section below for an example.

Password protecting directories

On an Apache server, it's possible to password protect a directory using .htaccess and .htpasswd files. However, .htaccess files are not supported on Nginx.

You can still password protect your directories, but you need to use a basic_auth.conf file instead:

  1. Log into your server via SSH
  2. Navigate to your user's directory.
  3. Make sure you have a /home/username/nginx/example.com directory. This doesn't exist by default; you must create it by running the following:
    mkdir -p nginx/example.com
    
  4. In this /home/username/nginx/example.com directory, add a file named 'basic_auth.conf' with the following:
    location / {
      auth_basic "Restricted";
      auth_basic_user_file /home/username/nginx/example.com/.htpasswd;
    }
    
    • The auth_basic parameter is just the title of the prompt the user sees when visiting this directory.
    • The auth_basic_user_file parameter specifies where the password file is. Note how its path is set to the /nginx directory.
    Dh-kb-note-icon.fw.png Notes:
    • In this example, the 'location' directive password protects the entire domain since it's pointing to '/'.
    • If you want a subdirectory to be password protected, change the 'location' directive as follows:
    location /subdirectory/
    


  5. Run the following to create the .htpasswd file:
    htpasswd -c /home/username/nginx/example.com/.htpasswd LOGIN
    
    • LOGIN is the username you want to be used to authenticate in the login prompt.
  6. After typing that command, enter a password and confirm it when prompted:
    New password: 
    Re-type new password: 
    Adding password for user LOGIN
    
  7. Reload the nginx config file.
  8. In your browser, load the directory your /home/username/nginx/example.com/basic_auth.conf points to. *In the example above, this would be your domain's root directory since the 'location' directive points to /.
  9. Enter a user/password when prompted to log in.
    • In this example, your username is LOGIN and the password is the one you created above.

How to redirect

Follow these steps to create your redirects:

  1. View the Local configuration files section above to create your local /nginx/example.com directory.
  2. Create a file named redirects.conf in this /nginx/example.com directory.
  3. Add the contents from the following sections.
  4. Make sure to reload Nginx for the changes to take effect.

Redirecting a single file

if ($request_filename ~ oldfile.html){
	rewrite ^ http://example.com/newfile.html? permanent;
}
This redirects requests from example.com/oldfile.html to example.com/newfile.html.

Redirecting an entire site

if ($request_filename ~ /*){
        rewrite ^ http://example.com? permanent;
}
This redirects requests to your site to example.com. Change example.com to any site you'd like to redirect to.

Redirecting non-secure traffic to HTTPS

if ($server_port = 80) {
	rewrite ^/(.*)$ https://example.com/$1 permanent;
}

How to block IPs

Follow these steps to block an IP address.

  1. View the Local configuration files section above to create your local /nginx/example.com directory.
  2. Create a file named access.conf in this /nginx/example.com directory.
  3. Add the contents from the following sections.
  4. Make sure to reload Nginx for the changes to take effect.

Blocking an IP from hitting your site

 location / {
   deny 1.2.3.4;
 }
This blocks the IP address of 1.2.3.4 from accessing your site entirely.

Blocking an IP from hitting a subdirectory

 location /subdirectory/ {
   deny 1.2.3.4;
 }

Allowing a single IP while blocking all others

If you want to block access to all IPs while allowing a specific IP to still access your site, use this:

 location / {
   allow 9.8.7.6;
   deny all;
 }
This may be helpful if you're working on your site and do not want anyone but you to view it.

Combining rules

You can also create and combine multiple sets of these rules in your access.conf file:

 location /subdir {
   allow 1.2.3.4;
   deny all;
 }

 location / {
   deny all;
 }
The above allows 1.2.3.4 to only browse the subdirectory named /subdir. All other IPs are blocked from everywhere in your site.

View the following page for further details:

Gzip compression

By default, gzip compression is enabled on your Nginx server. Follow these steps to disable gzip compression:

  1. View the Local configuration files section above to create your local /nginx/example.com directory.
  2. Create a file named settings.conf in this /nginx/example.com directory.
  3. Add the following content:
    gzip off;
    
  4. Make sure to reload Nginx for the changes to take effect.

There are additional gzip compression options you can set that are all detailed at the following link:

Nginx configurations for common applications

Many web applications such as WordPress and MediaWiki are originally configured to work with Apache. Since .htaccess files are not supported with Nginx, there are some adjustments you must make in order to get your applications running properly.

View the following article for further details and examples:

See also

WordPress-related

Drupal-related