Sanity check of my config - is it secure?
benseb
nginx-forum at nginx.us
Sun May 22 18:56:51 MSD 2011
Hi
We had Nginx setup on a domain serving static content
(images[0-9].domain.com). Recently we've made our main domain also use
the same Nginx installation and proxy any php requests to Apache.
All is working fine. We've set it to serve all static content from our
images.domain.com domains, and it will also catch any static content
served from the main www.domain.com as well, before finally passing any
dynamic php requests through to Apache.
What I want to check is that there are no problems with the
configuration that would let someone view the source of our PHP pages or
access restricted 'admin' directories, etc. I've not configured NGinx
before so would appreciate some help checking my config?
user www;
worker_processes 6;
error_log /var/log/nginx-error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
## Timeouts
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
gzip on;
# gzip_static on;
gzip_comp_level 5;
gzip_http_version 1.0;
gzip_min_length 1000;
gzip_types text/plain text/css image/x-icon
application/x-javascript;
server{
listen 80 default_server; #all other hosts deny
server_name _;
return 444;
}
server { #IMAGES DOMAIN
listen x.x.x.x:80;
server_name images.x.com images1.x.com images2.x.com stat
server_tokens off;
gzip_comp_level 9;
if ($request_method !~ ^(GET|HEAD)$ ) {
return 444;
}
# Only serve these locations
location ^~ /images/folder1/{
if ($request_uri ~*
(^\/|\.ico|\.css|\.js|\.swf|\.gif|\.jp?g|\.png)$ ) {
break;
}
root /home/vhosts/x.com/httpdocs;
expires 7d;
}
location ^~ /images/folder2/{
root /home/vhosts/x.com/httpdocs;
expires 7d;
}
location ^~/images/ {
root /home/vhosts/x.com/httpdocs;
}
location ^~ /applets/{
root /home/vhosts/x.com/httpdocs;
expires max;
}
location ^~ /css/{
root /home/vhosts/x.com/httpdocs;
expires max;
}
location ~* \.(ico|css|js|swf|gif|jp?g|png)$ {
root /home/vhosts/x.com/httpdocs;
}
location ~* \.(php|html){
return 444; #should not happen, but just incase
}
if ($host !~
^(images.x.com|images1.x.com|images2.x.com)){
return 444;
}
location ^~/admin/ {
deny all;
}
}
server { #MAIN DOMAIN - REDIRECT TO www.
listen x.x.x.x:80;
server_name x.com;
rewrite ^(.*) http://www.x.com$1 permanent;
}
server { #MAIN DOMAIN
listen x.x.x.x:80;
server_name www.x.com;
#access_log /var/log/nginx.access.log;
error_log /var/log/nginx.error.log;
location /nginx_status {
stub_status on;
access_log off;
allow x.x.x.x/24;
deny all;
}
location ^~ /images/folder1/{
root /home/vhosts/x.com/httpdocs;
expires 7d;
}
location ^~ /images/folder2/{
root /home/vhosts/x.com/httpdocs;
expires 7d;
}
location ^~/images/ {
root /home/vhosts/x.com/httpdocs;
}
location ^~ /applets/{
root /home/vhosts/x.com/httpdocs;
expires max;
}
location ^~ /css/{
root /home/vhosts/x.com/httpdocs;
expires max;
}
location ~* \.(ico|css|js|swf|gif|jp?g|png)$ {
root /home/vhosts/x.com/httpdocs;
#expires max;
}
location / {
proxy_pass http://127.0.0.1:8080;
#CACHING
#proxy_cache my-cache;
#proxy_cache_valid 200 302 1m;
#proxy_cache_valid 404 1m;
#proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
client_max_body_size 200m; #max upload size
client_body_buffer_size 128k;
proxy_connect_timeout 900;
proxy_send_timeout 900;
proxy_read_timeout 900;
#proxy_buffer_size 4k;
#proxy_buffers 4 32k;
#proxy_busy_buffers_size 64k;
#proxy_temp_file_write_size 64k;
}
}
}
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,199902,199902#msg-199902
More information about the nginx
mailing list