Getting the most out of your Nginx setup.

Posted by: Ankit Kumar | 22nd May 2019

Make Nginx faster, lighter, and more powerful

1. Adjust worker_processes:

Nginx has one master process and many worker processes. The master process reads and evaluates the configuration and maintains the worker processes.

Worker processes do the actual processing of received requests. The best practice is to set worker_processes to "auto": Nginx then detects the number of cores in your system and starts one worker per core for the best performance.

worker_processes auto;
events {
    worker_connections 1024;
    multi_accept on;
}

Here, worker_connections is the limit per worker process, so assuming a system with 4 cores this would allow us to have 4096 simultaneous connections.

2. Enabling Gzip Compression:

Let's make a configuration file for gzip and then include this file in our main nginx.conf.

vim /etc/nginx/default_conf/gzip.conf

## Gzip configuration file
gzip on;
gzip_comp_level 6;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied expired no-cache no-store private auth;
# text/html is always compressed and need not be listed. Note that image/jpeg, image/png and
# application/font-woff are already compressed formats, so gzipping them costs CPU for little gain.
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/jpeg image/png image/jpg image/bmp image/svg+xml image/x-icon text/cache-manifest text/js text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy application/font-woff application/octet-stream;

3. Enabling Browser Caching:

Let's make a configuration file for browser caching and then include this file in our main nginx.conf.

vim /etc/nginx/default_conf/browsercaching.conf

Paste the following content:

## Browser caching configuration file
# Map the response Content-Type to a value for the expires directive:
# HTML is never cached (epoch), CSS, JavaScript and images get a far-future Expires header.
map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
}

# The map only defines the variable; the expires directive has to use it for any header to be sent.
expires $expires;

4. Enabling Security Headers:

Let's make a configuration file for the security headers and then include this file in our main nginx.conf.

vim /etc/nginx/default_conf/security.conf

Paste the following content:

## Security headers configuration file
# These add_header directives sit at the http level (the file is included inside the http block),
# so every server block inherits them. add_header is only inherited when the server or location
# in question defines no add_header of its own; a block with its own add_header lines has to
# repeat these.

###     X-XSS PROTECTION HEADER
# Legacy header for the XSS auditor of older browsers; current browsers ignore it.
add_header X-XSS-Protection "1; mode=block";

###     CLICK-JACKING PROTECTION HEADER
add_header X-Frame-Options "SAMEORIGIN";

###     X-Content-Type-Options
# Forces the browser to honour the declared Content-Type and disables content sniffing.
add_header X-Content-Type-Options "nosniff" always;

###     Content Security Policy
# CSP restricts the sources from which the browser may load scripts, styles, images and other content,
# which limits XSS, clickjacking and code injection. The policy below is a permissive starting point:
# it allows every source plus inline scripts and eval, so it provides little protection until it is
# tightened to the origins your site actually uses.
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;

### HTTP Strict Transport Security:
# Tells the browser to use HTTPS for this host and its subdomains for the next year and never to
# attempt a plain HTTP connection.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

###     Referrer Policy
# Referrer-Policy tells the web browser how much referrer information to send when a user follows a
# link from your site to another page or website; same-origin sends it only for same-origin requests.
add_header Referrer-Policy same-origin;

# Stop nginx showing its version in the Server header and on error pages (no extra module needed)
server_tokens off;

Include the following line only if you've compiled nginx with the dynamic module headers-more-nginx-module; it replaces the Server header entirely.

more_set_headers 'Server: YourName';


5. Enabling Rate Limiting:

Let's make a configuration file for rate limiting and then include this file in our main nginx.conf.

vim /etc/nginx/default_conf/rateLimiting.conf

Paste the following content:

## Rate limiting configuration file
limit_req_log_level warn;
# Per-client request rate: 10 requests per minute, i.e. one request every 6 seconds,
# tracked in a 10 MB shared zone keyed by the client address.
limit_req_zone $binary_remote_addr zone=reqlimit:10m rate=10r/m;
# Per-client connection count, tracked in a 100 MB shared zone.
limit_conn_zone $binary_remote_addr zone=connlimit:100m;
# The zone name given to limit_conn has to match the zone declared above.
limit_conn connlimit 1000; # Simultaneous connections per client address

# The request zone is only declared here; apply it where it should take effect, for example
# in the login location of a server block:
#     limit_req zone=reqlimit burst=20 nodelay;
# Without a burst, anything above one request every 6 seconds is rejected with 503, which
# is far too strict for a whole site but reasonable for a single sensitive endpoint.

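As an added example (not from the original post), the following Python model of nginx's limit_req leaky bucket shows what the rate=10r/m zone above does to a normal page load, with and without a burst. The client address and request timings are constructed; the model uses floating-point seconds, whereas nginx works in integer milliseconds, so boundary cases can differ slightly.

```python
class LimitReq:
    """Model of one limit_req zone: excess requests tracked per key ($binary_remote_addr)."""

    def __init__(self, rate_per_min, burst=0, nodelay=False):
        self.rate = rate_per_min / 60.0      # leak rate in requests per second
        self.burst = burst
        self.nodelay = nodelay
        self.state = {}                      # key -> (excess, time of last accepted request)

    def request(self, key, now):
        """Return ('ok', delay_seconds) or ('rejected', 0.0) for a request arriving at `now`."""
        if key not in self.state:            # first request from a key is always accepted
            self.state[key] = (0.0, now)
            return ("ok", 0.0)
        excess, last = self.state[key]
        # Leak what drained since the last accepted request, then add this request.
        excess = max(excess - self.rate * (now - last) + 1.0, 0.0)
        if excess > self.burst:              # beyond the burst: nginx answers 503
            return ("rejected", 0.0)         # rejected requests do not update the state
        self.state[key] = (excess, now)
        delay = 0.0 if self.nodelay else excess / self.rate
        return ("ok", delay)


def page_load(limiter, client="203.0.113.7", requests=6, spacing=0.1):
    """Simulate one browser page load (constructed): HTML plus assets 100 ms apart."""
    return [limiter.request(client, i * spacing)[0] for i in range(requests)]


if __name__ == "__main__":
    # The zone exactly as configured above: 10r/m with no burst.
    strict = LimitReq(rate_per_min=10)
    print("10r/m, no burst      :", page_load(strict))
    # Same rate applied with burst=20 nodelay, which absorbs a normal page load.
    relaxed = LimitReq(rate_per_min=10, burst=20, nodelay=True)
    print("10r/m, burst=20      :", page_load(relaxed))
```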

6. Forcing HTTP/2 over HTTP/1:

Note: To have nginx negotiate HTTP/2 instead of HTTP/1.1, add the http2 parameter to the listen directives of your TLS server block. Clients that do not support HTTP/2 still fall back to HTTP/1.1.

e.g.
server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        # "ssl on;" is deprecated: the ssl parameter on listen already enables TLS
        server_name app.myserver.io;
        # ssl_certificate and ssl_certificate_key for this host go here
}


7. Configuring DH parameters (dhparam):

mkdir -p /etc/nginx/dhpm && cd /etc/nginx/dhpm

Now let's generate dhparams.pem; use the following command:

openssl dhparam -out dhparams.pem 2048

Note on nginx.conf:
Since I'm using a RHEL-based OS, my user is nginx. If you're using an Ubuntu-based OS, you should use "user www-data".

Your main nginx.conf file should look like this:

user nginx;

worker_processes auto;
pid /run/nginx.pid;

## Load dynamic module
## Only if you've compiled nginx with the dynamic module headers-more-nginx-module: uncomment the load_module line
#load_module modules/ngx_http_headers_more_filter_module.so;

events {
        worker_connections 1024;
        multi_accept on;
}

http {

        ##Basic Settings

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##SSL Settings

        #supported protocols
        #TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if you must serve legacy clients,
        #otherwise use: ssl_protocols TLSv1.2 TLSv1.3;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        #supported ciphers: a broad compatibility list, AEAD (GCM) suites with forward secrecy first; the non-PFS RSA,
        #Camellia and 3DES suites near the end are there only for legacy clients and can be dropped if you don't need them
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        #Cipher Order
        #With the ciphers ordered, so that the most preferred ciphers appear first, we want to ensure that we enforce their use in that order.
        ssl_prefer_server_ciphers on;

        #command to generate dhparams.pem>> openssl dhparam -out dhparams.pem 2048
        ssl_dhparam /etc/nginx/dhpm/dhparams.pem;

        #Keep-alive lets a client send multiple requests over the same connection. On high-capacity servers this is a
        #trade-off: connection limits have to be balanced against the extra load of severing connections prematurely.
        keepalive_timeout 70;

        ###   Optimize session cache:
        #Creating a cache of TLS connection parameters reduces the number of handshakes, and thus can improve the performance of application
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;

        ###   Enable session tickets
        #Session tickets are an alternative to the session cache: the session state is encrypted with a server key and
        #handed to the client, so the server stores nothing. Rotate the ticket key, because whoever obtains it can
        #decrypt recorded sessions that resumed with it.
        ssl_session_tickets on;

        ###   OCSP Stapling
        #To establish a secure connection the client has to verify the certificate the server presents, and to check that
        #it has not been revoked the client (browser) would contact the certificate's issuer, which adds latency to the
        #connection setup. With stapling, nginx fetches the OCSP response itself and sends it along with the certificate.
        ssl_stapling on;
        #Verifying the stapled response needs the issuer chain: point ssl_trusted_certificate at the CA chain of your certificate.
        ssl_stapling_verify on;
        #Resolver used to look up the OCSP responder (public Google and OpenDNS resolvers here; use your own if you have one)
        resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
        resolver_timeout 2s;

        ##Logging Settings
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##Virtual Host Configs
        include /etc/nginx/sites-enabled/*;

        ##including security headers
        include /etc/nginx/default_conf/security.conf;

        ##gzip setting
        include /etc/nginx/default_conf/gzip.conf;

        ##browser_caching
        include /etc/nginx/default_conf/browsercaching.conf;

        ##rate limits
        include /etc/nginx/default_conf/rateLimiting.conf;

}

Now open your domain-specific config file:

vim /etc/nginx/sites-available/default

Depending on your website parameters, paste the following content into your server block.

server {

    ## Client-side content caching for static assets
    # The dot has to be escaped: an unescaped "." matches any character, so ".(js|...)$" would also match "/foojs".
    location ~* \.(js|jpg|jpeg|gif|png|css|tgz|gz|rar|bz2|doc|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|woff|woff2|svg)$ {
        etag on;
        if_modified_since exact;
        add_header Pragma "public";
        add_header Cache-Control "max-age=31536000, public";
        # add_header is not inherited once a location defines its own, so responses from this location
        # lose the security headers from security.conf unless they are repeated here.
    }

}

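An added example, not from the original post: a Python audit of the security headers from section 4, run over raw HTTP responses. Both responses are constructed here, one for "/" carrying the http-level headers and one for a static asset served by the location block above, whose own add_header lines stop nginx from inheriting the outer headers; the audit also flags the permissive default-src of the CSP.

```python
import re

# Headers that security.conf above is meant to put on every response.
REQUIRED = ("x-content-type-options", "x-frame-options", "referrer-policy",
            "strict-transport-security", "content-security-policy")
# default-src tokens that make a CSP effectively permit everything.
CSP_WEAK = ("*", "'unsafe-inline'", "'unsafe-eval'")


def parse_headers(raw):
    """Parse a raw HTTP/1.1 response head into a dict with lower-case header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers):
    """Return a list of findings for one response; an empty list means all checks passed."""
    findings = ["missing " + name for name in REQUIRED if name not in headers]
    hsts = headers.get("strict-transport-security", "")
    if hsts and not re.search(r"max-age=[1-9]\d*", hsts, re.I):
        findings.append("hsts max-age missing or zero")
    default_src = re.search(r"default-src([^;]*)", headers.get("content-security-policy", ""))
    if default_src:
        weak = [t for t in default_src.group(1).split() if t in CSP_WEAK]
        if weak:
            findings.append("permissive csp default-src: " + " ".join(weak))
    return findings


# Constructed response for "/", carrying the headers that the http-level add_header lines emit.
ROOT_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: YourName\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubdomains\r\n"
    "Referrer-Policy: same-origin\r\n\r\n<html>"
)
# Constructed response for a static asset served by the location block above: its own
# add_header lines (Pragma, Cache-Control) replace the inherited security headers.
ASSET_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: YourName\r\nContent-Type: application/javascript\r\n"
    "Pragma: public\r\nCache-Control: max-age=31536000, public\r\n\r\n(function(){})();"
)

if __name__ == "__main__":
    for label, raw in (("/", ROOT_RESPONSE), ("/app.js", ASSET_RESPONSE)):
        print(label, audit(parse_headers(raw)) or ["ok"])
```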

About Author

Ankit Kumar

RedHat certified in System Administration as well as Ansible Automation. A self-motivated professional with excellent research skill, enthusiasm to learn new things and always try to do his best
