Repository layout: common.d/, conf.d/, vhosts.d/, nginx.conf, README.adoc
This is my nginx configuration template.
It assumes the following default configuration files, as shipped with the nginx package, are present:
/etc/nginx/fastcgi.conf
/etc/nginx/fastcgi_params
/etc/nginx/koi-utf
/etc/nginx/koi-win
/etc/nginx/mime.types
/etc/nginx/scgi_params
/etc/nginx/uwsgi_params
/etc/nginx/win-utf
Usage
Server blocks (one per virtual host) are stored in vhosts.d.
Common snippets that server blocks include (ssl, certbot, proxy headers, php-fpm) are stored in common.d.
Global options that apply to the whole daemon are stored in conf.d.
nginx.conf is an extremely minimal configuration, relying mostly on the daemon’s defaults. It
Where to place websites (or webapps)
Your own websites (or web apps) should be stored in /srv/www or /opt.
Distribution packages should install a web application under /usr/share or /usr/lib.
Some packages use /srv/www, but this is wrong according to the FHS: /srv is reserved for site-specific data served by this host, not for package-managed files.
How to set up SSL
Let the nginx master process run as root (the default when nginx is started by the init system): the master reads the certificate and key when the configuration is loaded and then spawns the worker processes as the unprivileged user from the user directive, so the Let's Encrypt files under /etc/letsencrypt/live can stay readable by root only.
Otherwise, if the whole daemon runs as an unprivileged user, specify a renewal hook with certbot (--deploy-hook; --renew-hook is the older, deprecated spelling) that copies the renewed certificate and key to a location that user can read, sets the correct ownership and mode (the private key must not be world-readable), and reloads nginx.
Use common.d/ssl.conf to automatically specify the ssl certificate and key from Let's Encrypt. Use common.d/ssl_redirect.conf to redirect http requests to https.
For certbot, there is common.d/certbot.conf, which routes ACME HTTP-01 challenge requests (/.well-known/acme-challenge/) to /srv/www/certbot. You can then invoke certbot with --webroot -w /srv/www/certbot and perform ACME challenges while nginx is running, without stopping it or opening another port.
```nginx
include common.d/ssl.conf;
include common.d/certbot.conf;
include common.d/ssl_redirect.conf;
```
If ssl_redirect.conf is used, a certificate already has to exist during an ACME challenge: the redirected challenge request is answered by the ssl listener, and nginx will not even start with a listen ... ssl directive whose certificate file is missing. Bootstrap a new site by obtaining the first certificate before adding ssl.conf and ssl_redirect.conf to its server block. Renewals are not affected by an expired certificate, because Let's Encrypt follows the http to https redirect without validating the certificate it meets there.
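As an added example (not the repository's own common.d files, whose contents are not shown on this page), here is one way to write the two snippets so that challenge requests are served from the webroot even while everything else is redirected to https. The file names, the /srv/www/certbot path and the $redirect_to_https variable are assumptions of this example.

```nginx
# common.d/certbot.conf  (assumed content, added example)
# "^~" stops the location search at this prefix, so no regex location
# (for example a \.php$ handler) can hijack challenge files.
location ^~ /.well-known/acme-challenge/ {
    root /srv/www/certbot;        # matches: certbot --webroot -w /srv/www/certbot
    default_type text/plain;      # challenge tokens are plain text, no extension
    allow all;                    # override any access rules the server block sets
}

# common.d/ssl_redirect.conf  (assumed content, added example)
# A server-level "if" runs in the rewrite phase, before a location is chosen,
# so a plain "if ($scheme = http) { return 301 ... }" would bounce the ACME
# request to https as well. Exempt the challenge path explicitly instead.
set $redirect_to_https 0;
if ($scheme = http) {
    set $redirect_to_https 1;
}
if ($request_uri ~ "^/\.well-known/acme-challenge/") {
    set $redirect_to_https 0;
}
if ($redirect_to_https = 1) {
    return 301 https://$host$request_uri;
}
```

With this layout the challenge is answered over plain http, so a server block can be created with all three includes from the start and the first certificate can be obtained while the ssl listener still points at a placeholder certificate. Only set and return are used inside the if blocks; both are rewrite-module directives that are safe there.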
Examples
```nginx
# pass example.com to a unix socket
server {
    listen 8080;
    listen 8443 ssl;
    server_name example.com;

    include common.d/ssl.conf;
    include common.d/certbot.conf;
    include common.d/ssl_redirect.conf;

    location / {
        include common.d/proxy_headers.conf;
        # proxy_pass needs a scheme; a unix socket is written as
        # http://unix:<path>: with the trailing colon ending the path
        proxy_pass http://unix:/run/mybackend.sock:;
    }
}
```
```nginx
# php website with php-fpm
server {
    listen 8080;
    listen 8443 ssl;
    server_name php.example.com;

    # document root of this site; /opt would also be a good choice
    root /srv/www/mywebsite;

    include common.d/ssl.conf;
    include common.d/certbot.conf;
    include common.d/ssl_redirect.conf;

    location / {
        index index.php;
        # do not override root here: "root /srv/www/" would serve the parent
        # directory and expose the neighbouring sites and /srv/www/certbot
    }

    # location for *.php that hands requests to php-fpm
    include common.d/php_fpm.conf;
}
```
```nginx
# default vhost: a request for an unknown name gets an empty reply over http
# (444 closes the connection without a response) and a TLS alert over https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # reject TLS handshakes for names that match no other server block;
    # this block then needs no certificate of its own (nginx 1.19.4 or later)
    ssl_reject_handshake on;

    # still answer ACME challenges for names that have no vhost yet
    include common.d/certbot.conf;

    location / {
        return 444;
    }
}
```