Nginx is an extremely efficient and quite flexible web server. When you want to do a redirect in Nginx, you have a few options to select from, so you can choose the one that suits you best to do an Nginx redirect.
Continue reading “How to do an Nginx redirect”
Let’s install an SSL-certificate from Let’s Encrypt for Nginx.
Continue reading “Let’s Encrypt for Nginx”
Depending on your time zone, PHP 7 was finally released on 3rd/4th of December 2015. Even though the general recommendation for production servers is to wait for a little bit and gather some experiences before upgrading, some of us want to jump right on and upgrade to PHP 7.
Continue reading “How to upgrade to PHP 7 on Ubuntu”
Security vulnerabilities are often exploits of software that fails when trying to deal with unexpected input. Other times they are exploits of a misconfiguration or a service that unintentionally was open to the public.
For the above reasons, we should limit as much as possible what services are exposed to the public and limit as much as possible what they do and accept from the visitors. To follow those security principles, we should only allow the HTTP methods for which we, in fact, provide services. Under all normal circumstances, that would be the methods
Continue reading “Restrict allowed HTTP methods in Nginx”
In your WordPress site, there are directories that include PHP files that visitors should never be able to access directly. They are only there for WordPress to function as an application that runs on your server. But because of WordPress’ directory and file structure, they are kind of accessible to the public. All of them are meant to be part of a larger application – WordPress, that is – and should not cause any harm if called directly – that we know. Some of the files execute some code even when ran standalone. An attacker might know of a clever way to make that code run in an unexpected manner, causing harm. To be on the safe side, we should deny access to all these PHP files from the outside world. Since we block access to them in our Nginx configuration, PHP will still run them as usual and WordPress will work just fine.
Continue reading “Block access to PHP files on your WordPress site with Nginx”
If you have a static IP address, like from your office, or your own private VPN, you can increase your security tremendously by restricting all logins to that IP address. The effect is that even if an attacker knows your login credentials, they will not be able to log in or access any part of the WordPress Dashboard.
Continue reading “Restrict access to the WordPress dashboard by IP address in Nginx”
All login credentials transferred over plain HTTP can easily be sniffed by an MITM attacker, but is is not enough to encrypt the login forms. If you are visiting plain HTTP pages while logged in, your session can be hijacked, and not even two-factor authentication will protect you. To protect all info sent between your visitors – which includes you – and your web server, we will redirect all requests that are coming over plain HTTP to the HTTPS equivalent.
Continue reading “Redirect all HTTP requests to HTTPS with Nginx”
Logs are nice and all that, but sometimes certain entries are there just to fill up the logs or are cluttering them. Here’s a few ways to exclude requests – by URL or visitor IP – from the Nginx access log.
Continue reading “Exclude certain requests from the Nginx access log”
Experimental support for HTTP/2 became available in Nginx version 1.9.5 (mainline). It is really easy to enable, and I’ll show you how. Continue reading “Enable HTTP/2 on Nginx”
Using HTTPS helps preventing someone from snooping your username/password or hijacking your sessions. Using HSTS makes sure the connection stays on HTTPS, even if a MITM tries to redirect you to the plain HTTP version of a web site. But it is easier than you might think for a MITM to use a rogue certificate, making you believe everything is fine. HTTP Public Key Pinning (HPKP) helps the browser check that everything actually is fine. Continue reading “HTTP Public Key Pinning (HPKP)”
HHVM can really speed up your PHP-based web site. Most reports are somewhere in the range of 2–4x faster. Unfortunately, HHVM isn’t very stable and will suddenly die, just of the blue, from time to another. Fortunately, if you’re running Nginx it’s really easy to set up PHP-FPM as a fallback. Continue reading “Running HHVM with fallback to PHP-FPM”
Since version 3.9, WordPress have been 100% compatible with HHVM and I have begun replacing PHP with it on a few of my servers to experiment. Continue reading “Running HHVM instead of PHP with Nginx on Ubuntu”
Now that you have secured Nginx with HTTPS and
enabled SPDY enabled HTTP/2, it’s time to improve both the security and the performance of the server. Continue reading “Optimizing HTTPS on Nginx”
SPDY is this new, cool, fast protocol created by Google that “replaces” HTTP (the first draft of HTTP 2.0 is using SPDY as the working base). It is supported in all the major browsers – yes, even Internet Explorer – with the exception of Apple’s Safari. Continue reading “Enabling SPDY with Nginx”
Adding a certificate and using the HTTPS protocol is a good improvement to the security in the communication between the browser and the server, and should be in place on all sites that have a user login. Contrary to what many (older) guides say, it doesn’t add much load on your server and is fairy easy and cheap to set up right. Continue reading “Securing Nginx with HTTPS”
I always run the latest LTS version of Ubuntu on all my servers. Unfortunately, the Nginx versions tend to be quite the bit behind the current release. So how do you get an updated, current version of without resorting to having to maintain the packages yourself? Luckily, the Nginx team have their own Ubuntu apt repository so it’s easy to keep current with the latest version of Nginx. Continue reading “Install latest version of Nginx on Ubuntu”
If you have a static IP address, like from your own VPN, it is very easy to increase your security tremendously. Simply restrict all logins to that IP address.
Continue reading “Restricting access to WordPress login by IP address”
TL;DR: Varnish lacks support for SSL and SPDY. Nginx handles it just fine, and has very fast cache with either memcache or disk storage (ramdisk). Both can serve stale cache if your backend is down. But Nginx can not write to the memcache storage directly, it has to be done by the application. Also, Nginx can not purge the cache itself, without you compiling your own package.
Continue reading “Caching: Varnish or Nginx?”