2014-05-10, 00:52:34
Not yet in the semi-official config, but a few more suggestions for advanced settings. All tested and used in production for years:
If using a modern Debian server (can't tell about other distros) and knowing what you're doing, we can set fastcgi_cache_path to /run/shm/ and not /var/cache/ (df should confirm that /run/shm is mounted using tmpfs, which defaults to RAM).
Additional security for the admin and login area is quite easy:
# protect login.php and php files in admin/
location ~ (login\.php|admin/.*\.php) {
auth_basic "additional security layer here!";
auth_basic_user_file one-more-pass;
[........]
}
Plus we can use stricter rate limiting only for that stanza. I usually have something site-wide like:
#create two zones in order to mitigate small attacks
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
server {
limit_conn perip 3;
limit_conn perserver 12;
## Block some robots ##
if ($http_user_agent ~* MJ12bot|scrapbot|bingbot) {
return 403;
}
# ... rest of the server block
}
And since someone asked about preventing hotlinking, that's quite easy:
location ~ /dont-hotlink/ {
valid_referers www.mysite.com;
# $invalid_referer is set by valid_referers when the Referer does not match
if ($invalid_referer) {
return 403;
}
}
(keep in mind that while limiting hotlinking you can sometimes want to grant access to Google, in order to get more visits, and images must appear in Google Images search)
Last but not least, everyone interested in nginx advanced config should read http://nginx.com/resources/admin-guide/
And please, PLEASE report in this thread findings, suggestions and ideas to create an even better config.
My idea is to have something good enough to post it to GitHub too. But I'd like someone else to help me verify everything in those 2 (basic and advanced) configs.
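As an added example (not the poster's own config, and not part of the thread's semi-official config), here are the snippets from the post assembled into one complete server block, with the elided parts filled in: the tmpfs cache path, a separate limit_req zone that applies the stricter rate limit only to the login/admin stanza, and the hotlink rule extended to allow Google. The zone names, the document root, the PHP-FPM socket path, the /etc/nginx/one-more-pass file name and all numeric limits are assumed placeholders, not values from the post.

```nginx
# Added example, not from the original post. All names and numbers below
# are assumed values; adjust them to your site.

# FastCGI cache on tmpfs (check with: df /run/shm). max_size matters on
# tmpfs because the cache otherwise competes with applications for RAM.
fastcgi_cache_path /run/shm/nginx-cache levels=1:2 keys_zone=mysite:10m
                   inactive=60m max_size=256m;

# Connection limits per client IP and per virtual host, as in the post.
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name       zone=perserver:10m;

# Request-rate zone reserved for the login/admin stanza: 1 r/s per client.
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

server {
    listen 80;
    server_name www.mysite.com;
    root /var/www/mysite;          # assumed document root
    index index.php index.html;

    limit_conn perip 3;
    limit_conn perserver 12;

    ## Block some robots ##
    if ($http_user_agent ~* (MJ12bot|scrapbot|bingbot)) {
        return 403;
    }

    # Extra layer in front of login.php and everything under admin/:
    # HTTP basic auth plus the stricter rate limit (burst of 5, then 503).
    # This regex location is listed first, so it wins over the generic
    # \.php$ location below.
    location ~ (login\.php|admin/.*\.php) {
        auth_basic           "additional security layer here!";
        auth_basic_user_file /etc/nginx/one-more-pass;
        limit_req            zone=login burst=5 nodelay;

        include       fastcgi_params;
        fastcgi_pass  unix:/run/php5-fpm.sock;   # assumed PHP-FPM socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # deliberately no fastcgi_cache here: admin pages must not be cached
    }

    # Ordinary PHP, served through the tmpfs cache.
    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_pass  unix:/run/php5-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_cache       mysite;
        fastcgi_cache_valid 200 10m;
    }

    # Anti-hotlinking. "none" allows requests without a Referer header,
    # "blocked" allows referers stripped by proxies, server_names allows
    # this site's own names, and *.google.com keeps images visible in
    # Google Images, as the post notes.
    location ~ /dont-hotlink/ {
        valid_referers none blocked server_names *.google.com;
        if ($invalid_referer) {
            return 403;
        }
    }
}
```

Create the password file with `htpasswd -c /etc/nginx/one-more-pass admin` (from apache2-utils) or `openssl passwd -apr1` and check the result with `nginx -t` before reloading. Two design points worth noting: the admin stanza gets no fastcgi_cache directive, so authenticated responses can never be served from the shared cache, and because /run/shm is RAM-backed, the cache is empty after every reboot, which is harmless for a cache but means nothing else should be stored there.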