Difference between revisions of "NGiNX"
Revision as of 14:32, 2 January 2019
NGiNX
Nginx (/ˌɛndʒɪnˈɛks/ EN-jin-EKS; stylized as NGiNX or nginx) is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004. A company of the same name was founded in 2011 to provide support and the paid Nginx Plus product.
Nginx is free and open-source software, released under the terms of a BSD-like license. A large fraction of web servers use NGINX, often as a load balancer.
Basic NGiNX setup
This serves static HTML pages over plain HTTP on port 80, for IPv4 and IPv6. The "try_files" line answers 404 for anything that is not an existing file or directory under "root", so nothing outside the document root can be served. The index.php entry in "index" only does something once the PHP-FPM location further down is in place.

 server {
     listen 80;
     listen [::]:80;
     server_name tbpchan.cz www.tbpchan.cz;
     root /www/location/;
     index index.html index.htm index.nginx-debian.html index.php;
     location / {
         try_files $uri $uri/ =404;
     }
 }
Proxy Forwarding
This is a basic reverse proxy for a subdomain whose backend sits inside the network and is not reachable from outside. The same pattern works for any other backend. Be aware of how the backend is reached on the local network and whether it speaks https: scheme, host and port have to match exactly in "proxy_pass" and in the first argument of "proxy_redirect", because proxy_redirect rewrites the Location headers the backend sends back. The second argument of proxy_redirect is what clients are redirected to; if clients come from outside the network it should be the public URL rather than the internal address. The "ssl on" directive is deprecated since nginx 1.15.0 and is not needed when "listen" carries the ssl parameter. The backend should trust X-Real-IP and X-Forwarded-For only for requests that really arrive from this proxy, since any client can send those headers itself.

 server {
     listen 443 ssl;
     listen [::]:443 ssl;
     server_name test.tbpchan.cz;
     ssl_certificate /usr/local/etc/fullchain.pem;
     ssl_certificate_key /usr/local/etc/privkey.pem;
     location / {
         proxy_pass http://192.168.1.255:8080;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         # first argument must match proxy_pass exactly; second is where clients get sent
         proxy_redirect http://192.168.1.255:8080 http://192.168.1.255;
     }
 }
Pass PHP rendering to PHP-FPM
This is required to run PHP through PHP-FPM. The "try_files $uri =404" line is the security-relevant part: the location regex matches every URI ending in .php, so without it a request such as /uploads/image.jpg/x.php would be handed to PHP-FPM with a script path that does not exist, and with PHP's default cgi.fix_pathinfo=1 PHP walks back to /uploads/image.jpg and executes the upload as PHP. With try_files, nginx first checks that the exact file exists and answers 404 otherwise. Include fastcgi_params once; a relative include resolves against the nginx prefix directory, so the absolute and the relative include normally point at the same file.

 location ~ \.php$ {
     # refuse anything that is not an existing file: blocks /upload.jpg/x.php style requests
     try_files $uri =404;
     fastcgi_split_path_info ^(.+?\.php)(.*)$;
     fastcgi_pass 127.0.0.1:9000;
     fastcgi_index index.php;
     fastcgi_param SCRIPT_FILENAME $request_filename;
     include /usr/local/etc/nginx/fastcgi_params;
 }

You can also pass requests to a Unix socket instead of a TCP port. The socket must be readable and writable by the user the nginx workers run as:

 fastcgi_pass unix:/usr/local/var/run/php5-fpm.sock;
NGiNX Caching
To set up NGiNX caching, define the cache store in the http context, i.e. above the "server" block. Responses are only cached for proxied requests; nginx honours the backend's Cache-Control and Expires headers and by default does not cache responses that carry Set-Cookie, so per-user pages are not handed to other users unless you override that with proxy_ignore_headers.

 proxy_cache_path /DIR levels=1:2 keys_zone=tbpchan.cz_cache:10m max_size=2g inactive=120m use_temp_path=off;

To make a virtual server use the cache, reference the zone in a location that proxies to a backend. Do not combine this with "try_files $uri $uri/ =404": try_files would serve local files or return 404 before the request ever reaches proxy_pass, and nothing would be cached.

 location / {
     proxy_pass http://192.168.1.255:8080;   # the cache only applies to proxied responses
     proxy_buffers 256 16k;
     proxy_buffer_size 16k;
     proxy_read_timeout 600s;
     proxy_cache tbpchan.cz_cache;
     proxy_cache_revalidate on;
     proxy_cache_min_uses 2;
     proxy_cache_use_stale timeout;
     proxy_cache_lock on;
 }
NGiNX authentication browser popup
This restricts access with HTTP basic authentication. Create the .htpasswd file with the first command before enabling it in the configuration; the htpasswd tool comes with apache2-utils (Debian/Ubuntu) or httpd-tools (RHEL/CentOS). Basic authentication sends the credentials base64-encoded, not encrypted, on every request, so only enable it on an https virtual host. Keep the file outside the web root and readable by the nginx worker user.

 - Generate the .htpasswd file (-c creates the file and overwrites an existing one; use it only the first time)
 htpasswd -c /home/username/.htpasswd username

 - Add a user to, or change a password in, the existing .htpasswd file
 htpasswd /home/username/.htpasswd username

 - NGiNX configuration for .htpasswd authentication, inside the server or location block to protect
 auth_basic "Restricted Content";
 auth_basic_user_file /home/username/.htpasswd;
NGiNX Security
To tighten TLS and the browser-side protections, add the following inside each virtual host. Be aware these may break compatibility with some clients: restricting "ssl_ecdh_curve" to a single curve disables X25519 and P-256, which most clients prefer, and HSTS with "preload" commits the whole domain, subdomains included, to https for a year once it is submitted to the preload list. Two nginx behaviours matter here: "add_header" directives are inherited from the enclosing level only if the current server or location block defines none of its own, so define the complete set of headers at one level (or repeat all of them wherever a location adds one); and by default add_header is only applied to successful responses and redirects, so append "always" if error pages should carry the headers too (nginx 1.7.5 or later). Expect-CT with max-age=0 and neither "enforce" nor a "report-uri" tells the browser nothing; give it a positive max-age and a report-uri, or leave it out.

 ssl_ecdh_curve secp384r1;
 ssl_session_tickets off;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header Expect-CT "max-age=0";

These go in the http context of nginx.conf and apply to every virtual host that does not override them. The header lines here are replaced, not merged, by any add_header in a virtual host, which is why the HSTS max-age differs between the two lists. "ssl_dhparam" is only consulted for DHE cipher suites, and the cipher list below contains only ECDHE suites, so the dhparams file has no effect until a DHE suite is added.

 ssl_protocols TLSv1.2;   # drops SSLv3 (POODLE) and TLS 1.0/1.1; TLSv1.3 can be added with OpenSSL 1.1.1 or later
 ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 ssl_dhparam /home/USER/dhparams.pem;   # only used by DHE suites; none are listed above
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 5m;
 ssl_ecdh_curve secp384r1;
 ssl_session_tickets off;
 add_header Strict-Transport-Security max-age=15768000;
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header Expect-CT "max-age=0";
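To catch these mistakes before reloading nginx, here is an added example that is not part of this page or of nginx itself: a small Python linter for the pitfalls described in the Proxy Forwarding, PHP-FPM and NGiNX Security sections (deprecated "ssl on", duplicated add_header lines, add_header in a location hiding inherited headers, fastcgi_pass without a try_files guard, and ssl_dhparam with an ECDHE-only cipher list). SAMPLE_CONF is a constructed config that reproduces the page's snippets, mistakes included; the parser is deliberately minimal and is an assumption of this example (no include expansion, no braces or '#' inside quoted arguments).

```python
"""Lint an nginx config for the pitfalls discussed on this page.

Added example (not part of the page or of nginx). The parser handles
directives, nested blocks and '#' comments only; it does not expand
'include' and does not cope with '{', '}' or '#' inside quoted arguments.
"""
import re

# Constructed sample that reproduces the page's snippets, mistakes included.
SAMPLE_CONF = r"""
http {
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_dhparam /home/USER/dhparams.pem;         # unused: no DHE suites above
    add_header Strict-Transport-Security max-age=15768000;
    add_header X-Content-Type-Options nosniff;

    server {
        listen 443 ssl;
        server_name test.tbpchan.cz;
        ssl on;                                  # deprecated since 1.15.0
        location / {
            add_header X-Frame-Options SAMEORIGIN;   # hides the two http-level headers
            add_header X-XSS-Protection "1; mode=block";
            add_header X-XSS-Protection "1; mode=block";
            proxy_pass http://192.168.1.255:8080;
        }
        location ~ \.php$ {                      # no try_files guard
            fastcgi_split_path_info ^(.+?\.php)(.*)$;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }
}
"""

# quoted argument | block delimiter or terminator | bare word
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')


def parse(text):
    """Return a tree of {'name', 'args', 'directives', 'children'} dicts."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments
    root = {"name": "main", "args": [], "directives": [], "children": []}
    stack, cur = [root], []
    for tok in TOKEN.findall(text):
        if tok == "{":
            block = {"name": cur[0], "args": cur[1:], "directives": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":
            stack[-1]["directives"].append((cur[0], [a.strip("\"'") for a in cur[1:]]))
            cur = []
        else:
            cur.append(tok)
    return root


def header_names(block):
    """Lower-cased names of the headers a block sets with add_header."""
    return [a[0].lower() for n, a in block["directives"] if n == "add_header" and a]


def lint(conf):
    """Return a list of 'where: problem' strings for the config text."""
    findings = []

    def visit(block, ancestors):
        chain = ancestors + [block]
        where = " > ".join(" ".join([b["name"]] + b["args"]) for b in chain)
        names = [n for n, _ in block["directives"]]
        if ("ssl", ["on"]) in block["directives"]:
            findings.append(f"{where}: 'ssl on' is deprecated since 1.15.0; 'listen ... ssl' is enough")
        mine = header_names(block)
        for h in sorted(set(mine)):
            if mine.count(h) > 1:
                findings.append(f"{where}: add_header {h} appears {mine.count(h)} times and will be sent that many times")
        if mine:  # any add_header here means nothing is inherited from the enclosing levels
            inherited = {h for b in ancestors for h in header_names(b)}
            for h in sorted(inherited - set(mine)):
                findings.append(f"{where}: add_header here hides inherited header {h}")
        if "fastcgi_pass" in names and "try_files" not in names:
            findings.append(f"{where}: fastcgi_pass without 'try_files $uri =404'; "
                            "a request like /img.jpg/x.php reaches PHP-FPM with a non-existent script")
        if "ssl_dhparam" in names:
            for n, a in block["directives"]:
                if n == "ssl_ciphers" and a and all(s.startswith("ECDHE-") for s in a[0].split(":")):
                    findings.append(f"{where}: ssl_dhparam is only used by DHE suites and ssl_ciphers lists none")
        for child in block["children"]:
            visit(child, chain)

    visit(parse(conf), [])
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONF):
        print(line)
```

The linter is static and complements, not replaces, "nginx -t": it flags the semantic traps that nginx accepts as valid syntax. The try_files check only looks in the same location block as fastcgi_pass, which is where the page puts it.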