[Improvement Request] htaccess-lite for nginx

Pascal Nitsche pascal.nitsche at fansubcode.org
Wed Dec 8 17:39:55 MSK 2010


  Am 08.12.2010 15:02, schrieb Grzegorz Nosek:
> It goes to hell by using PHP (or whatever heavy backend) anyway. Nginx 
> wins by serving static content extremely fast and by proxying with 
> very low overhead. If you use Apache for PHP mostly (I'm not sure 
> rewriting URLs to static content is at all popular), you're 
> effectively using Apache2+mod_php as a HTTP SAPI for PHP (with built 
> in htaccess support). It's more flexible than php_fcgi too (though 
> php-fpm offers some more options).

Apache is currently running as mpm-worker with php over fcgi anyway.

> You (usually) only do it once when deploying the app and given the 
> typical user you'll get a ticket anyway (teh htaccess is no worky!).

I myself am developing on a apache xampp configuration and testing with 
nginx and then documenting setup on nginx and apache. It's true most 
apps don't do this because nginx is not that wide spread with hosters at 
the moment but I think if nginx would support some things the users need 
(or think they need) and this is usable nginx would be used more and 
this would be documented more.
And with the tickets it's not that much a problem since I already 
informed the users that this will no longer work once I completly 
convert all vhosts to nginx (it's planned for the next weeks) and they 
should work on that themselves and only submit tickets like "please add 
rewrite rule xy" 'cause I will ignore questions like "Y is teh htaccess 
not worky?" - Who don't read my mails don't deserves an answer I think.

I'm now suggessting this feature to automate this a little.

> They'd need a way to reload nginx then (looking for htaccess-like 
> files upon every request would kill performance). How about deploying 
> an Nginx instance per user then?
nginx is reloaded every five minutes by the master cron of froxlor 
anyhow so this is not the problem. And everyone using it can just set up 
a cron reloading nginx periodically.

Furthermore I didn't mean to have configuration abilities in every file 
- just in one file (eg. .custom-config in the root dir or something) 
where they cut put their own additional configuration (it's better for 
maintrance too I think.
If this would be possible I think the great apps (Wordpress, Joomla etc) 
would have documentation on how to setup if using nginx really fast and 
the more nginx will be used by hostes the more documentation on that

Deploying more then one instance of nginx isn't really what I think is a 
good idea since this would be many in no time (at this point around 50 
or 60 )

Also it's working at the moment it's just a pain in the ass to have to 
set up this many things for users who just could do this themselves and 
then wouldn't need to wait hours until I can change the configuration 
and issue a reload (I am not available 24/7 and most people don't 
understand this and then complain "How long do you plan on making me 
wait?").

> You'd need a very thorough security audit of Nginx code because 
> (AFAIR) the setup is done in the master process while still 
> potentially running as root, so every vulnerability (in user-supplied 
> config files) at that stage equals immediate root. Nginx is written 
> far better than most software I've seen so this is less of a concern 
> but instead of full privilege separation, you're now this -><- close 
> to a compromise.
Therefore I would suggest to only allow directives which don't take you 
at risk like location, rewrite, expires... nothing actually changing 
directories outside the vhost or something... But I think you are right. 
It's kind of risky if it runs as root - which I don't think is a good 
method anyway it should run as an unprivileged user like ex. www-data 
(as on debian)At the moment the lack of some kind of possibility to add 
rewrites etc.
> Apache as a webserver sucks (compared to Nginx) but Apache as an 
> application server (mod_* container) isn't that bad.
Maybe true, but nginx is faster even with php-cgi. I tested this with a 
Zend application I wrote.
On apache the requests did take up to 5s (about 1.5s on average) and on 
nginx the average loading time was about 800ms (0.8s)
I tried with 50 requests each. (The times are a bit high both I think 
but the app was still in development and it's Zend Framework so it will 
go down when performance will be optimized anyway)

Also I do not like running dual-httpd setups really well because there 
are two configs to maintain then. And apache does not support proxying 
to a unix socket set (I tried with thin for redmine since I don't like 
passenger and I don't liike blocking 4 TCP ports for each thin 
application instance.)

So I think nginx is still better then apache even if apache isn't that 
bad a application server as you say.

> Best regards,
>  Grzegorz Nosek

Best regards,
Pascal Nitsche



More information about the nginx-devel mailing list