

All About NGINX Configuration, HTTPS/SSL, HTTP2, Caching

HasOne on September 25, 2020

To work in the TECH industry as a Full Stack Engineer it's essential to know the configuration of NGINX and its core features! In this post I'm gon...

Maxime Veber • Edited

At first glance I liked the article. But then I figured out some issues.

Of course I understand it's written nowhere that this is the absolute best practice guide to nginx, but well I think a comment that mentions the issues related to this cannot be a bad thing.

So let's get started:

  1. Installing nginx by compiling it is interesting for learning, but bad for security. Using the package manager of your distribution is actually easier (no systemd to manually configure) and more secure: you get updates.
  2. Removing the whole content of the nginx config file is not a great idea. It contains a lot of great configuration and should just be tweaked for special needs but not entirely rewritten. The folder sites-enabled is designed to receive your configuration, and the default file can be removed (this one is designed to be entirely removed).
  3. Self-signing a certificate is not a great idea either; if you're in the local install context it would be better to use mkcert, and in a server context using certbot (letsencrypt) would have been easy and better.
  4. There's probably a lot more to tell about the configuration, I'm not an expert but worker_processes 1; is not good (especially with the worker_connection config), and now nginx will use root user which is not really great...

Thanks anyway for writing this article that shows nginx in a(n interesting) way. I just wanted to highlight that it's not the recommended way. And I think you should mention this in your article.

Jonathan Boudreau • Edited

If you're setting up a load balancer with TLS I recommend redirecting http to https. You can do this with a configuration along the following lines in nginx:

server {
    listen 80;
    server_name localhost;

    location / {
        return 301 https://localhost$request_uri;
    }
}

I'd also recommend running ssltest against your site. HTTPS has been around for a long time and there are several cyphers you don't want to allow; this site will give recommendations as to which cyphers you probably want to block.

HasOne • Edited

Thanks, Jonathan, for the tip. I think we need to create another virtual server in order to redirect HTTP to HTTPS:

http {

 # redirect all traffic to HTTPS
 server {
   listen 80;
   server_name 127.0.0.1 www.example.com;  # names are space-separated

   return 301 https://$host$request_uri;
 }

 server {
   # all your configuration code goes here...
 }
}

I'm assuming this is what you meant! Great to hear about ssltest; this is something I didn't know. I will definitely use it in the future, and the credit will go to you. Hope you have a good rest of your life!
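
A check for the redirect discussed in the two comments above, as an added example that is not part of the thread: it takes the response headers returned for a plain-HTTP request (for instance the output of `curl -sI`) and confirms a permanent redirect to HTTPS on an expected host with the request URI intact. The host check matters for the `$host` form, because `$host` can be taken from the request's Host header; the function names, the sample responses and the `www.example.com` allowlist are constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com"}  # assumption: the names this site serves

def parse_head(raw):
    """Extract (status, Location) from raw response headers (e.g. curl -sI)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location

def check_redirect(status, location, request_uri, allowed_hosts=ALLOWED_HOSTS):
    """Return the problems found in an HTTP-to-HTTPS redirect (empty list = OK)."""
    problems = []
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"scheme is {target.scheme or 'missing'}, not https")
    if (target.hostname or "").lower() not in allowed_hosts:
        problems.append(f"host {target.hostname!r} is not an expected name")
    sent = target.path + ("?" + target.query if target.query else "")
    if sent != request_uri:
        problems.append(f"request URI changed to {sent!r}")
    return problems

# Constructed responses to "GET /docs/page?id=7" over plain HTTP (not captured).
SAMPLES = {
    "as intended": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/docs/page?id=7\r\n",
    "Host header echoed": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://other.example.net/docs/page?id=7\r\n",
    "temporary, path dropped": "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n",
    "no redirect": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = check_redirect(*parse_head(raw), "/docs/page?id=7")
        print(f"{label}: {result or 'OK'}")
```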

tom

Is there a reason to build from source instead of sudo apt install nginx?

SteveT • Edited

Your distribution may (or may not) support optional packages such as headers-more, needed for proxy applications where you want to set the Server: response header for example.

docs.nginx.com/nginx/admin-guide/d...

If your distro doesn't have them, then building from source is an alternative.

Travis van der F.

Nice to see a simple and updated article on HTTP2 and SSL support :] well done!

HasOne

Glad to hear it, Travis!

Antonio Martin

Simple and informative. Just what I needed. Thanks

Laci Kosco

A small typo in the SSL part, where you have slef.crt instead of self.crt.
Easy folks with copy-paste disorder might get busy with this :)

Anzhari Purnomo

Great article!

Lately I'm working with gRPC, and I'm wondering if you can proxy a gRPC backend with NGINX HTTP2? Have you tried it?

HasOne • Edited

Honestly, I just heard of gRPC and don't know how to configure it. Here is the blog post Nginx as Reverse Proxy with GRPC and GRPC! Thanks for this awesome question, I'll try to learn this!

Vaibhav Khulbe

Nicely written!