Cisco edited this page Oct 27, 2025 · 3 revisions

Brief

  • first version in 2004
  • current version 1.29 as of August 2025
  • modularity

cf.

Related concepts

  • proxy : a server that forwards requests. A forward proxy sits on the client side, a reverse proxy on the server side. Nginx can be used as a reverse proxy for load balancing, security (masking the architecture and IP addresses of backend servers), encrypted traffic handling (terminating HTTPS and forwarding the decrypted requests to the backend), caching, routing or compression.
  • virtual host : a method to host many sites on a single server machine or IP address. The most common type is "name-based" : the server matches the Host header provided by the client against its virtual server blocks. Each virtual host block defines :
    • the domain names it responds to - through server_name in Nginx
    • the document root
    • the log files
    • SSL certificates
    • specific rules

Nginx configuration

  • Nginx has its own configuration format
    • can use predefined variables :
      • $host : hostname from request header
      • $uri : current URI
      • $request_uri : full original request with arguments
      • $document_root : root directory for current request
      • $remote_addr : client IP address ...
    • can use custom variables : set $my_var "value"
    • can make a variable's value depend on others with a map block (see the $is_mobile example after this list)
  • configuration file is made of
    • global context : worker processes, logs, ...
    • http context
    • server blocks representing virtual hosts
    • location blocks : rules for matching URI within a server
  • hierarchy of contexts : main > events | [ http > server > location ]
    map $http_user_agent $is_mobile {
        default "false";
        "~(iPhone|Android)" "true";
    }

Testing

  • configuration : nginx -t
  • ports : netstat -tulpn | grep :443 (t for TCP, u for UDP, l for listening ports, p for PID, n for numeric addresses)

Certificate generation

self-signed

  • option -x509 creates a self-signed certificate, not verified by a Certification Authority
  • option -nodes creates a private key without a passphrase (the key file is not encrypted)
#!/bin/sh
# Generate the key and self-signed certificate only if no certificate exists yet
if [ ! -f /etc/nginx/certs/mycert.crt ]; then
    # Subject starts with C (country); CN is the server's domain name
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout /etc/nginx/certs/mycert.key \
        -out /etc/nginx/certs/mycert.crt \
        -subj "/C=FR/ST=NA/L=Angouleme/O=42/OU=42Angouleme/CN=xxx.42.fr/UID=xxx"
fi

# execute final CMD
exec "$@"

How to avoid regenerating a different certificate at build time, and keep a constant identity?

Note

security-wise the cert is inside the image

https://github.com/FiloSottile/mkcert : installs a local Certificate Authority, but is available through brew or from sources, and requires nss-tools
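
One way to keep a constant identity, as an added example (not code from the original page): generate the pair at container start and reuse it while the key still matches the certificate. The function names are assumptions, as is mounting the certificate directory as a persistent volume; file names follow the script above.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are assumptions;
# the directory passed to ensure_cert is assumed to be a persistent volume.

# SHA-256 fingerprint of a certificate: the "identity" clients would pin.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if key file $1 and certificate $2 carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Reuse the pair in directory $1 when it is consistent and not about to
# expire; otherwise create a new one for CN $2. Prints the fingerprint.
ensure_cert() {
    dir=$1; cn=$2
    key="$dir/mycert.key"; crt="$dir/mycert.crt"
    mkdir -p "$dir" || return 1
    if [ -f "$key" ] && [ -f "$crt" ] && key_matches_cert "$key" "$crt" &&
        openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null; then
        cert_fingerprint "$crt"
        return 0
    fi
    # Generate under temporary names; an interrupted run leaves no half-written
    # mycert.* files, and a mismatched pair is caught by the check above.
    (
        umask 077    # key readable by its owner only
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -keyout "$key.tmp" -out "$crt.tmp" -subj "/CN=$cn" 2>/dev/null
    ) || return 1
    chmod 644 "$crt.tmp" || return 1
    mv "$key.tmp" "$key" && mv "$crt.tmp" "$crt" || return 1
    cert_fingerprint "$crt"
}

# Entrypoint usage: ensure_cert /etc/nginx/certs xxx.42.fr >/dev/null && exec "$@"
```

With the directory on a volume, rebuilding the image no longer changes the certificate, and the private key stays out of the image layers.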

Sources

  • https://wiki.alpinelinux.org/wiki/Nginx
  • https://nginx.org/en/docs/beginners_guide.html
  • https://nginx.org/en/docs/varindex.html
  • https://www.ubuntumint.com/install-nginx-alpine-linux/
  • https://ssl-config.mozilla.org/#server=nginx&version=1.27.3&config=intermediate&openssl=3.4.0&guideline=5.7
  • https://rdr-it.com/nginx-configurer-le-cache-fastcgi-avec-wordpress/
  • https://korben.info/securiser-facilement-gratuitement-site-https.html