Performances Nginx
### Équilibrage de charge Nginx
#### php-fpm Socket Unix
upstream php {
# route each new request to the worker with the fewest active connections
least_conn;
# two php-fpm pools reached over Unix sockets (same host only)
server unix:/var/run/php/php-fpm.sock;
server unix:/var/run/php/php-two-fpm.sock;
# idle connections kept open to the pool per worker process; for FastCGI this
# only takes effect where fastcgi_keep_conn on; is also set (see the cache settings section)
keepalive 5;
}
#### php-fpm TCP
# TCP alternative to the Unix-socket pool above: use ONE of the two
# "upstream php" definitions, nginx rejects a duplicate upstream name
upstream php {
least_conn;
# php-fpm pools listening on loopback; keep them bound to 127.0.0.1 only
server 127.0.0.1:9090;
server 127.0.0.1:9091;
# same caveat as above: requires fastcgi_keep_conn on; to be effective
keepalive 5;
}
#### HTTP load-balancing
# Upstreams
upstream backend {
# the least-loaded of the two HTTP backends receives each new connection
least_conn;
# no health-check parameters given: nginx's passive defaults (max_fails=1, fail_timeout=10s) apply
server 10.10.10.1:80;
server 10.10.10.2:80;
}
server {
server_name site.ltd;
location / {
# hand every request to the "backend" upstream defined above
proxy_pass http://backend;
# leave the backend's Location headers untouched (no rewriting to this host)
proxy_redirect off;
# preserve the original Host so the backend can do name-based routing
proxy_set_header Host $host;
# X-Real-IP is the TCP peer nginx saw and can be trusted by the backend;
# X-Forwarded-For appends $remote_addr to whatever the client sent, so the
# backend must only trust the right-most entry
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Support HTTP/3 QUIC
Le support HTTP/3 QUIC est disponible dans Nginx à partir de la version 1.25.5 et ultérieure. Une bibliothèque SSL qui fournit le support de QUIC, comme BoringSSL, LibreSSL ou QuicTLS, est recommandée pour compiler et exécuter ce module. Sinon, avec la bibliothèque OpenSSL, une couche de compatibilité OpenSSL est utilisée ; elle ne prend pas en charge les données anticipées (early data).
La directive reuseport ne peut être utilisée que sur un seul hôte virtuel. Si Nginx n'est pas construit avec le module more_set_headers, vous pouvez utiliser add_header X-protocol $server_protocol always; et add_header Alt-Svc 'h3=":$server_port"; ma=86400';
# Main virtualhost
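server {
server_name yoursite.tld;
# enable http/2 (negotiated on the "listen ... ssl" sockets below)
http2 on;
# display http version used in header (optional)
# more_set_headers takes "Name: value"; "always" is an add_header flag and, placed
# inside the quotes, was being sent as part of the header value
more_set_headers "X-protocol: $server_protocol";
# Advertise HTTP/3 QUIC support (required) - the colon after the header name was
# missing, so the module split name/value at the colon inside h3=":..."
more_set_headers 'Alt-Svc: h3=":$server_port"; ma=86400';
# enable QUIC address validation (https://datatracker.ietf.org/doc/html/rfc9000#name-address-validation)
quic_retry on;
# Listen on port 443 with HTTP/3 QUIC as default_server;
# socket options such as reuseport may be given only once per address:port, hence only here
listen 443 quic reuseport default_server;
listen [::]:443 quic reuseport default_server;
# listen on port 443 with HTTP/2
listen 443 ssl;
listen [::]:443 ssl;
# enable HSTS with HSTS preloading (one year, all subdomains)
more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
# SSL certificate
ssl_certificate /etc/letsencrypt/live/yoursite.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yoursite.tld/key.pem;
# chain used to verify the stapled OCSP response
ssl_trusted_certificate /etc/letsencrypt/live/yoursite.tld/ca.pem;
# enable OCSP stapling: ssl_stapling_verify alone does nothing unless stapling itself is on
ssl_stapling on;
ssl_stapling_verify on;
}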
# Other virtualhosts
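server {
server_name othersite.tld;
# enable http/2 (negotiated on the "listen ... ssl" sockets below)
http2 on;
# display http version used in header (optional)
# more_set_headers takes "Name: value"; "always" is an add_header flag and, placed
# inside the quotes, was being sent as part of the header value
more_set_headers "X-protocol: $server_protocol";
# Advertise HTTP/3 QUIC support (required) - the colon after the header name was
# missing, so the module split name/value at the colon inside h3=":..."
more_set_headers 'Alt-Svc: h3=":$server_port"; ma=86400';
# enable QUIC address validation (https://datatracker.ietf.org/doc/html/rfc9000#name-address-validation)
quic_retry on;
# Listen on port 443 with HTTP/3 QUIC
# (no reuseport / default_server here: those may only be set on one vhost, the main one)
listen 443 quic;
listen [::]:443 quic;
# listen on port 443 with HTTP/2
listen 443 ssl;
listen [::]:443 ssl;
# enable HSTS with HSTS preloading (one year, all subdomains)
more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
# SSL certificate
ssl_certificate /etc/letsencrypt/live/othersite.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/othersite.tld/key.pem;
# chain used to verify the stapled OCSP response
ssl_trusted_certificate /etc/letsencrypt/live/othersite.tld/ca.pem;
# enable OCSP stapling: ssl_stapling_verify alone does nothing unless stapling itself is on
ssl_stapling on;
ssl_stapling_verify on;
}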
### WordPress FastCGI cache
#### Cartographie des conditions fastcgi_cache_bypass
À mettre dans un fichier de configuration dans /etc/nginx/conf.d/
# do not cache xmlhttp requests
# $http_request_no_cache is 1 when the X-Requested-With request header equals
# "XMLHttpRequest" (AJAX), 0 otherwise; it feeds the $skip_cache map below
map $http_x_requested_with $http_request_no_cache {
default 0;
XMLHttpRequest 1;
}
# do not cache requests that carry any of the following cookies
# (logged-in sessions, comment authors, carts: those pages are per-user)
map $http_cookie $cookie_no_cache {
default 0;
"~*wordpress_[a-f0-9]+" 1;
"~*wp-postpass" 1;
"~*wordpress_logged_in" 1;
"~*wordpress_no_cache" 1;
"~*comment_author" 1;
"~*woocommerce_items_in_cart" 1;
"~*woocommerce_cart_hash" 1;
# NOTE(review): WPtouch's cookie appears to be spelled wptouch_switch_toggle, so
# "toogle" here likely never matches - confirm against the plugin before changing
"~*wptouch_switch_toogle" 1;
"~*comment_author_email_" 1;
}
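# do not cache requests for the following uri
# $request_uri is the raw request-line URI including the query string; dots are
# escaped so that "." matches a literal dot rather than any character
map $request_uri $uri_no_cache {
default 0;
"~*/wp-admin/" 1;
"~*/wp-[a-zA-Z0-9-]+\.php" 1;
"~*/feed/" 1;
"~*/index\.php" 1;
"~*/[a-z0-9_-]+-sitemap([0-9]+)?\.xml" 1;
"~*/sitemap(_index)?\.xml" 1;
"~*/wp-comments-popup\.php" 1;
"~*/wp-links-opml\.php" 1;
# catch-all for any remaining wp-*.php script
"~*/wp-.*\.php" 1;
"~*/xmlrpc\.php" 1;
}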
# do not cache request with args (like site.tld/index.php?id=1)
# inverted default: any non-empty query string skips the cache
map $query_string $query_no_cache {
default 1;
"" 0;
}
# map previous conditions with the variable $skip_cache
# the four 0/1 flags are concatenated into a 4-character string; only "0000"
# (no AJAX header, no user cookie, no excluded URI, no query string) is cacheable
map $http_request_no_cache$cookie_no_cache$uri_no_cache$query_no_cache $skip_cache {
default 1;
0000 0;
}
### Define fastcgi_cache settings
À mettre dans un autre fichier de configuration dans /etc/nginx/conf.d
# FastCGI cache settings (http context: keep them in their own conf.d file)
# on-disk cache with a 2-level directory tree, a 360m shared zone named WORDPRESS for
# the keys, eviction of entries unused for 24h and a total size capped at 256M
fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:360m inactive=24h max_size=256M;
# cache key: scheme + method + host + full request URI (with query string)
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# serve a stale copy while the backend fails or while a fresh copy is being fetched
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
# collapse concurrent misses for one key into a single backend request
fastcgi_cache_lock on;
fastcgi_cache_lock_age 5s;
fastcgi_cache_lock_timeout 5s;
fastcgi_cache_methods GET HEAD;
fastcgi_cache_background_update on;
# TTLs per upstream status; "any 1h" applies to codes not given a TTL above it
fastcgi_cache_valid 200 24h;
fastcgi_cache_valid 301 302 30m;
fastcgi_cache_valid 499 502 503 1m;
fastcgi_cache_valid 404 1h;
fastcgi_cache_valid any 1h;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
# NOTE(review): SERVER_NAME is taken from the client-supplied Host header; only
# acceptable when server_name restricts which hosts reach this configuration - confirm
fastcgi_param SERVER_NAME $http_host;
# upstream Cache-Control / Expires / Set-Cookie no longer disable caching.
# NOTE(review): with Set-Cookie ignored, a cacheable response that sets a cookie is
# stored and replayed, Set-Cookie included, to other clients; the cookie/URI maps
# above are the only guard against caching per-user responses - review them together
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
# reuse upstream connections (required for "keepalive" in the php upstream to work)
fastcgi_keep_conn on;
# available only with Nginx 1.15.6 and later (the original note said "earlier", which is inverted)
fastcgi_socket_keepalive on;
Pour travailler avec les témoins (cookies), vous pouvez modifier la directive fastcgi_cache_key. Un témoin peut être ajouté avec la variable $cookie_{COOKIE_NAME}. Par exemple, le plugiciel WordPress Polylang utilise un cookie nommé pll_language, donc la directive fastcgi_cache_key serait :
fastcgi_cache_key "$scheme$request_method$host$request_uri$cookie_pll_language";
#### fastcgi_cache vhost example
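server {
server_name domain.tld;
access_log /var/log/nginx/domain.tld.access.log;
error_log /var/log/nginx/domain.tld.error.log;
root /var/www/domain.tld/htdocs;
index index.php index.html index.htm;
# add X-fastcgi-cache header to see if requests are cached (HIT / MISS / BYPASS ...)
add_header X-fastcgi-cache $upstream_cache_status;
# default try_files directive for WP 5.0+ with pretty URLs
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
# pass requests to fastcgi with fastcgi_cache enabled
location ~ \.php$ {
# =404 keeps requests for non-existent .php paths from ever reaching php-fpm
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php;
# $skip_cache comes from the map blocks in conf.d (AJAX header, cookies, URIs, query string)
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache WORDPRESS;
# overrides the global 24h TTL for 200 responses on this vhost
fastcgi_cache_valid 200 30m;
}
# block to purge nginx cache when nginx was built with the ngx_cache_purge module
location ~ /purge(/.*) {
# purging is unauthenticated: restrict it to the host(s) running the purge client
# (here the WordPress instance itself) so remote clients cannot flush the cache at will
allow 127.0.0.1;
allow ::1;
deny all;
# mirrors fastcgi_cache_key ("$scheme$request_method$host$request_uri") with $1 as the URI
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
access_log off;
}
}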
### Nginx comme proxy
#### Proxy simple
location / {
# local application on port 3000; proxy_redirect off leaves its Location headers as-is
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;
proxy_set_header Host $host;
# client address as seen by nginx, plus the (client-extendable) X-Forwarded-For chain;
# the application should trust X-Real-IP, or only the right-most X-Forwarded-For entry
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
#### Proxy dans un sous-dossier
# with a trailing slash on both the location and proxy_pass, nginx strips the
# "/folder/" prefix: a request for /folder/x reaches the backend as /x
location /folder/ { # The / is important!
proxy_pass http://127.0.0.1:3000/;# The / is important!
# NOTE(review): with proxy_redirect off, redirects the backend issues to its own
# paths are not mapped back under /folder/ - consider "proxy_redirect default" if that matters
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
#### Proxy keepalive pour websocket
# Upstreams
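# $connection_upgrade is "upgrade" only when the client sent an Upgrade header
# (WebSocket handshake); for ordinary requests the Connection header is dropped
# (empty value), which is what lets the upstream keepalive pool below be reused.
# A fixed Connection "upgrade" on every request defeated keepalive.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
upstream backend {
server 127.0.0.1:3000;
# idle connections kept per worker; needs proxy_http_version 1.1 and no
# Connection header on non-upgrade requests
keepalive 5;
}
# HTTP Server
server {
server_name site.tld;
# was pointing at the access.log file name; errors belong in their own file
error_log /var/log/nginx/site.tld.error.log;
location / {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
# header names corrected to the de-facto standard X-Forwarded-* spelling used elsewhere on this page
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# $scheme reflects the scheme the client actually used instead of a hard-coded "http"
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Nginx-Proxy true;
proxy_redirect off;
}
}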
#### Proxy inverse pour Apache
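server {
server_name domain.tld;
access_log /var/log/nginx/domain.tld.access.log;
error_log /var/log/nginx/domain.tld.error.log;
root /var/www/domain.tld/htdocs;
# forwarded headers are set once at server level and inherited by the proxy
# locations below (none of them defines its own proxy_set_header, which would
# replace the whole set); without them Apache only saw nginx as the client
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# pass requests to the Apache backend (upstream "backend" defined elsewhere)
location / {
proxy_pass http://backend;
}
# handle static files with a fallback (duplicate "ttf" removed from the list)
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
# wide-open CORS: acceptable for public assets only
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
# serve from $root when the file exists, otherwise hand the request to Apache
try_files $uri @fallback;
}
# fallback to pass requests to Apache if files are not found
location @fallback {
proxy_pass http://backend;
}
}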
### Nginx Sécurité
#### Refuser l’accès aux fichiers de sauvegarde et d’archives courants
# block direct download of editor backups, dumps, logs and config leftovers by extension
# NOTE(review): "bak?" matches both ".ba" and ".bak" - probably meant "bak"; confirm.
# deny all answers 403, which confirms the file exists; "return 404" would not reveal that.
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all;
}
#### Refuser l’accès aux fichiers et répertoires cachés
# deny dotfiles and dot-directories (.git, .env, .htaccess ...) anywhere in the path,
# except /.well-known/ which ACME challenges and other well-known URIs rely on
location ~ /\.(?!well-known\/) {
deny all;
}
#### Bloquer les attaques courantes
##### URL encodée en base64
# coarse signature filter on the normalized $uri only: the query string is not part of
# location matching, so this does not replace a WAF or input validation in the application
location ~* "(base64_encode)(.*)(\()" {
deny all;
}
##### javascript eval() url
# same limitation as the base64 rule above: matches the normalized $uri, not the query string
location ~* "(eval\()" {
deny all;
}
### Nginx SEO
#### robots.txt location
location = /robots.txt {
# Some WordPress plugins generate the robots.txt file dynamically
# Refer #340 issue
# try_files checks every entry but the last for existence under $document_root,
# then internally redirects to the LAST entry (@robots) when none exists.
# NOTE(review): "/index.php?$args" is therefore only probed as a file here, not used
# as a fallback target - confirm that is the intended behaviour
try_files $uri $uri/ /index.php?$args @robots;
access_log off;
log_not_found off;
}
# static fallback robots.txt: keep wp-admin out of indexes but allow admin-ajax.php
location @robots {
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
}
#### Make a website not indexable
# ask crawlers not to index any page; this add_header is inherited by a location
# only if that location defines no add_header of its own (nginx replaces the set, it does not merge)
add_header X-Robots-Tag "noindex";
# robots.txt that disallows everything
location = /robots.txt {
return 200 "User-agent: *\nDisallow: /\n";
}
### Nginx Media
#### MP4 stream module
location /videos {
# nested regex location: only .mp4 files under /videos get the streaming handler
location ~ \.(mp4)$ {
# ngx_http_mp4_module (built with --with-http_mp4_module): pseudo-streaming via ?start= / ?end=
mp4;
mp4_buffer_size 1m;
mp4_max_buffer_size 5m;
add_header Vary "Accept-Encoding";
# wide-open CORS: acceptable for public media, not for access-controlled content
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
}
}
#### WebP images
Conditions de mappage pour afficher les images WebP
# serve WebP images if web browser support WebP
# $webp_suffix is ".webp" when the request's Accept header contains "webp"
# (case-insensitive), empty otherwise; appended to $uri by the try_files below
map $http_accept $webp_suffix {
default "";
"~*webp" ".webp";
}
#### Définir un try_files conditionnel pour servir l’image WebP :
si le navigateur Web supporte WebP et si une alternative WebP existe
# règles de réécriture Webp pour les images jpg et png
# essayez de charger une alternative image.png.webp avant image.png
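location /wp-content/uploads {
# nested regex location: only png/jpg/jpeg uploads take part in WebP negotiation
location ~ \.(png|jpe?g)$ {
# the bytes served depend on the request's Accept header (via $webp_suffix), so
# caches must vary on Accept as well - varying on Accept-Encoding alone would let a
# shared cache hand .webp data to a browser that cannot decode it
add_header Vary "Accept, Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
# serve image.png.webp when the browser accepts WebP and the file exists, else the original
try_files $uri$webp_suffix $uri =404;
}
}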