
Nginx Configuration Files Optimization

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by negative, Oct 25, 2018.

  1. negative

    negative Active Member

    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.15.3
    • PHP Version Installed: 7.1.21
    • MariaDB MySQL Version Installed: 10.0.x
    • When was last time updated Centmin Mod code base ? : today
    • Persistent Config: -
    When I look at the Config Analysis recommendations from the Amplify Nginx application, it says that (related to centminmod - nginx configurations)

    Which one is important and should we modify some location pattern recommendations really? @eva2000

    drop.conf recommendations

    Check the following files:
    /usr/local/nginx/conf/drop.conf, line 8
    /usr/local/nginx/conf/drop.conf, line 3
    /usr/local/nginx/conf/drop.conf, line 6
    /usr/local/nginx/conf/drop.conf, line 9

    Code (Text):
      # prepare for letsencrypt
      # https://community.centminmod.com/posts/17774/
      location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }
      location = /robots.txt  { access_log off; log_not_found off; }
      location = /favicon.ico { access_log off; log_not_found off; expires 30d; }
      location ~ /\.          { access_log off; log_not_found off; deny all; }
      location ~ ~$           { access_log off; log_not_found off; deny all; }
      location ~ /\.git { access_log off; log_not_found off; deny all; }
      location ~ /\.gitignore { access_log off; log_not_found off; deny all; }
      # for security see https://community.centminmod.com/posts/17234/
      location ~* \.(bak|php~|php#|php.save|php.swp|php.swo)$ { return 444; }
      location ~* ^/wp-content/updraft { deny all; }




    Other conf files

    /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf, line 6
    Code (Text):
      location ~* /wp-content/plugins/akismet/.*\.php$ {

    /usr/local/nginx/conf/drop.conf, line 12
    /usr/local/nginx/conf/drop.conf, line 11
    /usr/local/nginx/conf/staticfiles.conf, line 33
    /usr/local/nginx/conf/staticfiles.conf, line 58
    /usr/local/nginx/conf/staticfiles.conf, line 20
    /usr/local/nginx/conf/staticfiles.conf, line 5
    /usr/local/nginx/conf/wpsecure.conf, line 8
    /usr/local/nginx/conf/wpsecure.conf, line 19
    /usr/local/nginx/conf/wpsecure.conf, line 3
    /usr/local/nginx/conf/wpsecure.conf, line 14

    P.S.: These files are the defaults from centminmod
    WPSECURE.CONF
    Code (Text):
    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
    }
    
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
            return 444;
    }
    
    #nocgi
    location ~* \.(pl|cgi|py|sh|lua)\$ {
            return 444;
    }
    
    #disallow
        location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
            return 444;
    }
    
    location ~ /(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }


    STATICFILES.CONF
    Code (Text):
        # prepare for letsencrypt
        # https://community.centminmod.com/posts/17774/
        location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }
    
        location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso)$ {
          gzip_static off;
          sendfile off;
          sendfile_max_chunk 1m;
          #add_header Pragma public;
          #add_header X-Frame-Options SAMEORIGIN;
          #add_header X-Xss-Protection "1; mode=block" always;
          #add_header X-Content-Type-Options "nosniff" always;
          add_header Access-Control-Allow-Origin *;
          add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
          access_log off;
          expires 30d;
          break;
        }
    
        location ~* \.(js)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
        access_log off;
        expires 30d;
        break;
            }
    
        location ~* \.(css)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
        access_log off;
        expires 30d;
        break;
            }
    
      #  location ~* \.(html|htm|txt)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
        #add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        #access_log off;
        #expires 1d;
        #break;
      #      }
    
        location ~* \.(eot|svg|ttf|woff|woff2)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
            }



    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    Can generally be ignored for those.
     
  3. negative

    negative Active Member

    Yeah, I guess so.

    But what about the performance effect? Is it imperceptible?
     
  4. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod has been using these for years and performance has been fine.
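
An added example, not part of the thread and not Centmin Mod or Amplify code: a small Python harness that replays the drop.conf location rules quoted in the first post (plus the `#nocgi` rule from wpsecure.conf) against sample request paths, to show which rule is selected and which regex rules can never be reached. The function names, the sample paths, the position of the `#nocgi` rule and the use of Python's `re` in place of nginx's PCRE are assumptions of this example.

```python
import re

# Rules from the drop.conf quoted in the first post, in file order, plus the
# "#nocgi" rule from wpsecure.conf (placing it last is an assumption; the
# include order is not shown). The nested acme-challenge block is ignored.
RULES = [
    ("~",  r"/.well-known"),
    ("=",  "/robots.txt"),
    ("=",  "/favicon.ico"),
    ("~",  r"/\."),
    ("~",  r"~$"),
    ("~",  r"/\.git"),
    ("~",  r"/\.gitignore"),
    ("~*", r"\.(bak|php~|php#|php.save|php.swp|php.swo)$"),
    ("~*", r"^/wp-content/updraft"),
    ("~*", r"\.(pl|cgi|py|sh|lua)\$"),
]

def _matches(mod, pattern, uri):
    if mod == "=":
        return uri == pattern
    flags = re.IGNORECASE if mod == "~*" else 0   # "~*" is case-insensitive
    return re.search(pattern, uri, flags) is not None

def select_location(uri, rules=RULES):
    """Exact (=) locations are checked first, then regexes in file order; first match wins."""
    ordered = [r for r in rules if r[0] == "="] + [r for r in rules if r[0] != "="]
    return next((r for r in ordered if _matches(*r, uri)), None)

def shadowed_rules(uris, rules=RULES):
    """Rules that match at least one sample path but are never the one selected."""
    hit, won = set(), set()
    for uri in uris:
        won.add(select_location(uri, rules))
        hit.update(r for r in rules if _matches(*r, uri))
    return [r for r in rules if r in hit and r not in won]

# Constructed sample request paths (not taken from the thread).
SAMPLES = ["/robots.txt", "/.git/config", "/.gitignore", "/.htaccess",
           "/index.php~", "/wp-config.php.bak", "/Xwell-known/x",
           "/.well-known/acme-challenge/tok", "/cgi-bin/test.pl", "/index.php"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:34} -> {select_location(uri)}")
    print("shadowed:", shadowed_rules(SAMPLES))
```

Both shadowed rules carry the same `deny all` as the `/\.` rule that wins, so the response for those paths is the same either way. The `#nocgi` pattern ends in `\$`, which the regex engine reads as a literal dollar sign, so `/cgi-bin/test.pl` selects no rule in this list.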
     