DEV Community

All About NGINX Configuration, HTTPS/SSL, HTTP2, Caching

HasOne on September 25, 2020

To work in the TECH industry as a Full Stack Engineer It's essential to know the configuration of NGINX and its core features! in this post I'm gon...

Read full post

Maxime Veber • Oct 8 '20 • Edited

At first glance I liked the article. But then I figure out some issues.

Of course I understand it's written nowhere that this is the absolute best practice guide to nginx, but well I think a comment that mention the issues related to this cannot be a bad thing.

So let get started:

Installing nginx by compiling it is interesting for learning, but bad for security. Using the package manager of your distribution is actually easier (no systemd to manually configure) and more secure: you get updates.
Removing the whole content of nginx config file is not a great idea. It contains a lot of great configuration and should just be tweaked for special needs but not entirely rewritten. The folder sites-enabled is designed to receive your configuration, and the default file can be remove (this one is designed to be entirely removed).
self signing certificate is not a great idea either, if you're in the local install context it would be better to use mkcert, and in a server context using certbot (letsencrypt) would have been easy and better.
There's probably a lot more to tell about the configuration, I'm not an expert but worker_processes 1; is not good (especially with the worker_connection config), and now nginx will use root user which is not really great...

Thanks anyway for writing this article that shows nginx in a(n interesting) way. I just wanted to highlight that it's not the recommanded way. And I think you should mention this in your article.

Jonathan Boudreau • Sep 25 '20 • Edited

If you're setting up a load balancer with TLS I recommend redirecting http to https. You can do this with a configuration along the following lines in nginx:

server {
    listen 80;
    server_name localhost;

    location / {
        return 301 https://localhost$request_uri;
    }
}

I'd also recommend running ssltest against your site. HTTPS has been around for a long time and there are several cyphers you don't want to allow; this site will give recommendations as to which cyphers you probably want to block.

HasOne • Sep 26 '20 • Edited

Thanks, Jonathan for the tip. I think we need to create another virtual server in order to redirect HTTP to HTTPS:

http {

 # redirect all traffic to HTTPS
 server {
   listen 80;
   server_name 127.0.0.1/www.example.com;

   return 301 https://$host$request_uri;
 }

 server {
   # all your configuration code  goes here..
 }
}

I'm assuming you meant! great to hear ssltest, this is something I didn't know, will use it definitely in the future, and the credits will go to you. hope to have good rest of your life!

tom • Sep 30 '20

Is there a reason to build from source instead of sudo apt install nginx?

SteveT • Sep 30 '20 • Edited

Your distribution may (or may not) support optional packages such as headers-more, needed for proxy applications where you want to set the Server: response header for example.

docs.nginx.com/nginx/admin-guide/d...

If your distro doesn't have them, then building from source is an alternative.

Travis van der F. • Oct 7 '20

Nice to see simple and updated article on HTTP2 and SSL support :] well done!

HasOne • Oct 7 '20

Glad to hear it, Travis!

Antonio Martin • Oct 1 '20

Simple and informative. Just what I needed. Thanks

Laci Kosco • Oct 10 '20

A small typo in ssl part where you have slef.crt instead of self.crt
For easy folks with copy paste disorder might get busy by this :)

Anzhari Purnomo • Sep 26 '20

Great article!

Lately I'm working with gRPC, I'm wondering if you can proxy gRPC backend with NGINX HTTP2? Have you tried it?

HasOne • Sep 26 '20 • Edited

Honestly, I just heard gPRC and don't know how to configure. here is the blog post Nginx as Reverse Proxy with GRPC and GRPC! Thanks for this awesome question, I'll try to learn this!

Vaibhav Khulbe • Sep 25 '20

Nicely written!