[Improvement Request] htaccess-lite for nginx

Grzegorz Nosek root at localdomain.pl
Wed Dec 8 17:02:59 MSK 2010

W dniu 08.12.2010 14:37, Pascal Nitsche pisze:
> I didn't know you already discussed this some time ago, my apologies for
> rewarming this topic.

Feel free, I was just relating my personal experiences. I'm not an Nginx 
developer anyway (wrote some stuff some time ago).

> But I don't think it's good to proxy to apache for that because it's
> making the performance improvement by using nginx go to hell mostly.

It goes to hell by using PHP (or whatever heavy backend) anyway. Nginx 
wins by serving static content extremely fast and by proxying with very 
low overhead. If you use Apache for PHP mostly (I'm not sure rewriting 
URLs to static content is at all popular), you're effectively using 
Apache2+mod_php as a HTTP SAPI for PHP (with built in htaccess support). 
It's more flexible than php_fcgi too (though php-fpm offers some more 

> And I think it's more annoying to have to write a ticket to the admin
> for each rewrite or other light configuration change then to learn
> simple (and clean!) nginx syntax (or copy/paste from some docs).

You (usually) only do it once when deploying the app and given the 
typical user you'll get a ticket anyway (teh htaccess is no worky!).

> Also I didn't mean to be full compatible - I just suggested a
> possibility to load user-written configurations without worrying about
> misconfiguration and security breaches.

They'd need a way to reload nginx then (looking for htaccess-like files 
upon every request would kill performance). How about deploying an Nginx 
instance per user then?

> If this would be possible I think the great apps (Wordpress, Joomla etc)
> would have documentation on how to setup if using nginx really fast and
> the more nginx will be used by hostes the more documentation on that
> will be written for not as well known apps as Wordpress or Joomla or Typo3.
> I still think it would be an improvement many people could have a need
> of (myself included) and would be a nice feature.
> Since not everyone will need it I also thought of making it optional to
> compile in as I wrote in the default settings it could be turned off for
> compiling.

You'd need a very thorough security audit of Nginx code because (AFAIR) 
the setup is done in the master process while still potentially running 
as root, so every vulnerability (in user-supplied config files) at that 
stage equals immediate root. Nginx is written far better than most 
software I've seen so this is less of a concern but instead of full 
privilege separation, you're now this -><- close to a compromise.

> At the moment the lack of some kind of possibility to add rewrites etc.
> dynamicly by the customer is the greatest thing preventing me from
> banning apache2 or at least reducing its use to only the apps that
> REALLY DO NEED apache functionalities (ex. Redmine Perl Auth for SVN is
> only available for Apache) from my box and gain some speed and
> performance from nginx.

Apache as a webserver sucks (compared to Nginx) but Apache as an 
application server (mod_* container) isn't that bad.

Best regards,
  Grzegorz Nosek

More information about the nginx-devel mailing list