Setup Nginx as web server and as reverse proxy for Apache with Virtualmin support

Sorry, this entry is only available in Brazilian Portuguese. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language.

We know that Nginx is more faster than Apache and most of us prefer to replace Apache with Nginx as their web server. Nginx is known to serve faster static content and run with less RAM. As of this writing, Virtualmin supports Apache as its web server. To take advantage of Nginx, we will install it as reverse proxy for Apache and continue using Virtualmin to manage your domains. This guide also applies to Nginx+PHP FPM setup just skip the “Configure Apache” section and skip the “Configure Virtualmin” section if you are not using Virtualmin. Nginx configurations for virtual host are tailored for Drupal site and the following are the features:

Support for Virtualmin to manage domains.
Microcache support for anonymous and authenticated users.
Seamless upstream switch between reverse proxy to Apache and PHP FPM backends.
Script that aids to generate Nginx configuration from template for your web site domain (for those who don’t use Virtualmin).
Protections from: MIME type deviation, DoS attacks, bad bot/referrer user agents, clickjacking attacks, unauthorized access to private file directory and hotlinking.
Disabled access to any code files and known Drupal files and directories.
Better handling of static resources: css, cur, json, js, jpg/jpeg, gif, htc, ico, png, htm, html, xml, txt, otf, ttf, eot, woff, svg, webp, webm, zip, gz, tar, rar, pdf, pptx, mp3, ogg, flv, mp4, mpa.
Nginx PageSpeed support.
Boost module support.
Advanced CSS/JS Aggregation module support.
RobotsTxt module support.
XML Sitemap module support.
Advanced Help module support.
imagecache module support.
File Force Download module support.
Provision to support Filefield Nginx Progress module.
RSS feed support.
Supports Drupal 8, Drupal 7 and Durpal 6.
The configurations observes Nginx’s inheritance rules for add_header directives.
Protection against illegal HTTP methods (HEAD, GET and POST are only allowed).
The error_log is set to “error” level and access_log is disabled in this Nginx configurations to avoid spending disk IO time.
Implements Nginx PageSpeed module’s Shard domains technique for non-SSL sites.
Uses the Let’s Encrypt free SSL/TLS certificates.

The following procedures are tested on Linode server running Centos 7 64-bit Linux distribution.

Install Nginx

If you need to install Nginx with PageSpeed module please follow the steps here instead then jump to configure Nginx section.

In able to install the latest Nginx server we will need to register Nginx repository:
vi /etc/yum.repos.d/nginx.repo
1
vi /etc/yum.repos.d/nginx.repo
Have the following codes as its content:
name=nginx repo baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/ gpgcheck=0 priority=1 enabled=0
1
2
3
4
5
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=0
priority=1
enabled=0
Note: if just in case the nginx does not install try to hard code the $releasever with value of 7
Install Nginx using yum:
yum --enablerepo=nginx -y install nginx
1
yum --enablerepo=nginx -y install nginx
Make Nginx auto-start upon reboot:
chkconfig nginx on
1
chkconfig nginx on

Configure Nginx

We will not need the native Nginx configurations provided because we will create new configurations. Lets backup the original Nginx configurations first:
mv /etc/nginx /etc/nginx.bak
1
mv /etc/nginx /etc/nginx.bak
Create the folders following the directory structure shown below:
In the next steps, we will populate these folders with Nginx configurations. We will start populating each folder from bottom folder (utils) to top folder (apps).

Create the main Nginx file /etc/nginx/nginx.conf and copy the following scripts to this file:

user apache; ## This number should be, at maximum, the number of CPU cores on your system.
## (since nginx doesn't benefit from more than one worker per CPU.)
worker_processes auto; ## Only log errors
error_log  /var/log/nginx/error.log error;
pid /var/run/nginx.pid; ## Number of file descriptors used for Nginx.
## This is set in the OS with 'ulimit -n 200000'
## or using /etc/security/limits.conf
worker_rlimit_nofile 200000; events { ## Determines how many clients will be served by each worker process. ## (worker_connections = 256 * worker_processes) ## worker_processes can be identified by `cat /proc/cpuinfo | grep processor` ## (Max clients = worker_connections * worker_processes) ## "Max clients" is also limited by the number of socket connections ## available on the system (~64k) worker_connections  1024; ## Accept as many connections as possible, ## after nginx gets notification about a new connection. ## May flood worker_connections, if that option is set too low. multi_accept on;
} http { ## MIME types. include lib/mime.types; default_type application/octet-stream; ## Logs log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; ## Default log and error files. log_not_found off; error_log /var/log/nginx/error.log error; ## Buffer log writes to speed up IO, or disable them altogether #access_log /var/log/nginx/access.log main buffer=16k; #access_log /var/log/nginx/access.log; access_log off; ## Use sendfile() syscall to speed up I/O operations and speed up ## static file serving. ## Sendfile copies data between one FD and other from within the kernel. ## More efficient than read() + write(), since the requires transferring ## data to and from the user space. sendfile on; ## Handling of IPs in proxied and load balancing situations. set_real_ip_from 0.0.0.0/32; # all addresses get a real IP. real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy ## Limit Request/Connection ## Limit number of requests to mitigate DDoS attack limit_req_zone $binary_remote_addr zone=reqlimit:10m rate=60r/s; ## Define a zone for limiting the number of simultaneous ## connections nginx accepts. 1m means 32000 simultaneous ## sessions. We need to define for each server the limit_conn ## value referring to this or other zones. limit_conn_zone $binary_remote_addr zone=connlimit:5m; ## Timeouts. client_body_timeout 60s; client_header_timeout 60s; ## Timeout for keep-alive connections. ## Server will close connections after this time. keepalive_timeout 75 75; send_timeout 60s; ## Reset lingering timed out connections. Deflect DDoS. reset_timedout_connection on; ## TCP options. ## don't buffer data-sends (disable Nagle algorithm). ## Good for sending frequent small bursts of data in real time. tcp_nodelay on; ## Optimization of socket handling when using sendfile. ## Tcp_nopush causes nginx to attempt to send its HTTP response head in one packet, ## instead of using partial frames. This is useful for prepending headers ## before calling sendfile, or for throughput optimization. tcp_nopush on; ## Compression. ## Reduces the amount of data that needs to be transferred over the network gzip on; gzip_buffers 16 8k; gzip_comp_level 1; gzip_http_version 1.1; gzip_min_length 10; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-javascript application/x-font-ttf text/x-js; gzip_vary on; gzip_proxied any; # Compression for all requests. ## No need for regexps. See ## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable gzip_disable "msie6"; ## SSL ## Use a SSL/TLS cache for SSL session resume. This needs to be ## here (in this context, for session resumption to work. See this ## thread on the Nginx mailing list: ## http://nginx.org/pipermail/nginx/2010-November/023736.html. ## 1MB store about 4000 sessions: ## In this case, it store about 80000 sessions in 1 day ssl_session_cache shared:SSL:20m; ssl_session_timeout 1d; ## The server dictates the choice of cipher suites. ssl_prefer_server_ciphers on; ## Use only Perfect Forward Secrecy Ciphers. Fallback on non ECDH ## for crufty clients. ## Modern Mozilla SSL Configuration #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; #ssl_protocols TLSv1.2; ## Intermediate Mozilla SSL Configuration ## https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.2&openssl=1.0.1e&hsts=no&profile=intermediate #ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ## No SSLv3 support (SSLv3 POODLE Vulnerability) ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ## Old Mozilla SSL Configuration ## https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.2&openssl=1.0.1e&hsts=no&profile=old ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP'; #ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ## Pregenerated Diffie-Hellman parameters 2048. ssl_dhparam key/dh_param.pem; ## Curve to use for ECDH. ssl_ecdh_curve prime256v1; ## Enable OCSP stapling. A better way to revocate server certificates. ssl_stapling on; ## Enable verification of OCSP stapling responses by the server. ssl_stapling_verify on; ## Server certificate and key (using Let's Encrypt free SSL certificate). ssl_certificate /etc/letsencrypt/live/yourwebsite.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourwebsite.com/privkey.pem; ## Verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /etc/letsencrypt/live/yourwebsite.com/chain.pem; ## Use Google's DNS resolver 8.8.8.8 8.8.4.4; ## Body size. client_max_body_size 50m; ## To build optimal server_names_hash server_names_hash_bucket_size 72; ## If start getting [emerg]: could not build the map_hash, ##  you should increase map_hash_bucket_size: 64 in your ## logs. Cf. http://wiki.nginx.org/NginxOptimizations. #map_hash_bucket_size 192; ## Uncomment one of the lines below if you start getting this message: ## "[emerg] could not build the variables_hash, you should increase ## either variables_hash_max_size: 512 or variables_hash_bucket_size: 64" ## You only need to increase one. Increasing variables_hash_max_size to 1024 ## was recommended in nginx forum by developers. ## See this forum topic and responses ## http://forum.nginx.org/read.php?2,192277,192286#msg-192286 ## See http://wiki.nginx.org/HttpCoreModule#variables_hash_bucket_size ## The line variables_hash_bucket_size was added for completeness but not ## changed from default. #variables_hash_max_size 1024; # default 512 #variables_hash_bucket_size 64; # default is 64 ## For the filefield_nginx_progress module to work. From the ## README. Reserve 1MB under the name 'uploads' to track uploads. #upload_progress uploads 1m; ## Modify HTTP header include utils/mod_header.conf; ## Hide the Nginx version number. server_tokens off; ## Map ## Include the map to block HTTP methods. include map/block_http_methods.conf; ## Support the X-Forwarded-Proto header for fastcgi. include map/x_forwarded_proto.conf; ## Include blacklist for bad bot and referer blocking. include map/blacklist.conf; ## Include the Nginx stub status allowed hosts configuration block. include map/nginx_status_allowed_hosts.conf; ## Include list of allowed hosts to run cron include map/cron_allowed_hosts.conf; ## Include the php-fpm status allowed hosts configuration block. include map/php_fpm_status_allowed_hosts.conf; ## Include the caching setup. ## Needed for using Drupal with an external cache. include map/drupal_external_cache.conf; ## Include the upstream servers. include utils/service/upstream.conf; ## Microcache zone definition. include utils/service/microcache_zone.conf; ## Handle all undefined server_name include utils/undefined_server_name_handler.conf; ## Google PageSpeed module ## Uncomment the line below if Google PageSpeed module is present #include apps/pagespeed/core.conf; ## Include all vhosts. include sites-enabled README.txt$ { access_log off; include utils/service/php_pass.conf; }
} ## Replicate the Apache  directive of Drupal standard
## .htaccess. Disable access to any code files. Return a 404 to curtail
## information disclosure. Hide also the text files.
location ~* ^(?:.+.(?:htaccess|gitignore|txt|engine|inc|info|install|make|module|profile|test|po|sh|.*sql|test|theme|twig|tpl(?:.php)?|xtmpl|yml)(~|.sw[op]|.bak|.orig|.save)?$|^(/.(?!well-known).*|/code-style.pl|/Entries.*|/Repository|/Root|/Tag|/Template|/composer.(json|lock))$|^#.*#$|/.*.php(.sw[op]|.bak|.orig|.save)+)$ { return 404;
} ## Disallow access to .bzr, .git, .hg, .svn, .cvs directories:
## return 404 as not to disclose information.
location ^~ /.bzr { return 404;
}
location ^~ /.git { return 404;
}
location ^~ /.hg { return 404;
}
location ^~ /.svn { return 404;
}
location ^~ /.cvs { return 404;
} ## Disallow access to patches directory.
location ^~ /patches { return 404;
} ## Disallow access to drush backup directory.
location ^~ /backup { return 404;
} ## Disable access logs for robots.txt.
location = /robots.txt { access_log off; ## Add support for the robotstxt module ## https://drupal.org/project/robotstxt. try_files $uri $uri/ @drupal;
} ## RSS feed support.
location = /rss.xml { try_files $uri $uri/ @drupal;
} ## XML Sitemap support.
location = /sitemap.xml { try_files $uri $uri/ @drupal;
} ## Support for favicon. Return an 1x1 transparent GIF if it
## doesn't exist.
location = /favicon.ico { expires 30d; try_files /favicon.png @empty;
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

## Pagespeed optimized resources that returns 404, redirect to original resource

location ~* (.+)/x(.+),(.+).pagespeed.[.-_[:alnum:]]+$ {

## Handle resources with query string and Pagespeed optimized resources with

## file name prefixed with x (eg. xMyImage.png,qitok=qwer.pagespeed.asdf.webp)

error_page 404 = @orig-resource;

set $orig_resource_uri $1/$2?$3;

try_files $uri $uri/ $orig_resource_uri;

}

location ~* (.+),(.+).pagespeed.[.-_[:alnum:]]+$ {

## Handle resources with query string

error_page 404 = @orig-resource;

set $orig_resource_uri $1?$2;

try_files $uri $uri/ $orig_resource_uri;

}

location ~* (.+)/x(.+).pagespeed.[.-_[:alnum:]]+$ {

## Handle Pagespeed optimized resources with file name prefixed with x

## (eg. xMyImage.png.pagespeed.asdf.webp)

error_page 404 = @orig-resource;

set $orig_resource_uri $1/$2;

try_files $uri $uri/ $orig_resource_uri;

}

location ~* (.+).pagespeed.[.-_[:alnum:]]+$ {

## Default handler

error_page 404 = @orig-resource;

set $orig_resource_uri $1;

try_files $uri $uri/ $orig_resource_uri;

}

## Regular private file serving.

location ^~ /system/files/ {

include utils/service/php_pass.conf;

## For not signalling a 404 in the error log whenever the

## system/files directory is accessed add the line below.

## Note that the 404 is the intended behaviour.

log_not_found off;

}

## Trying to access private files directly returns a 404.

location ^~ /sites/[.-[:alnum:]]+/files/private/ {

internal;

}

location ^~ /sites/[.-[:alnum:]]+/private/ {

internal;

}

## Support for the file_force module

## https://drupal.org/project/file_force.

location ^~ /system/files_force/ {

include utils/service/php_pass.conf;

## For not signalling a 404 in the error log whenever the

## system/files directory is accessed add the line below.

## Note that the 404 is the intended behaviour.

log_not_found off;

}

## If accessing an image generated by Drupal 6 imagecache, serve it

## directly if available, if not relay the request to Drupal to (re)generate

## the image.

location ~* /imagecache/ {

## Image hotlinking protection. If you want hotlinking

## protection for your images uncomment the following line.

include map/hotlinking_protection_allowed_hosts.conf;

access_log off;

expires 30d;

try_files $uri $uri/ @drupal;

}

## Drupal 7 generated image handling, i.e., imagecache in core. See:

## https://drupal.org/node/371374.

location ~* /files/styles/ {

## Image hotlinking protection. If you want hotlinking

## protection for your images uncomment the following line.

include map/hotlinking_protection_allowed_hosts.conf;

access_log off;

expires 30d;

try_files $uri $uri/ @drupal;

}

## Advanced Aggregation module CSS/JS

## support. https://drupal.org/project/advagg.

location ~ ^/sites/[.-[:alnum:]]+/files/advagg_(?:css|js)/ {

location ~* (?:css|js)[_-[:alnum:]]+.(?:css|js)(.gz)?$ {

access_log off;

expires max;

gzip_static on;

add_header ETag '';

add_header Accept-Ranges '';

## Set a far future Cache-Control header to 52 weeks and add no-transform

## to make Pagespeed bypass these CSS/JS optimized by advagg module

add_header Cache-Control 'max-age=31449600, no-transform, public';

## Inheritance Rules for add_header Directives

## Because this 'server' block contains another 'add_header' directive,

## we must redeclare the 'add_header' from 'http' context

include utils/mod_header.conf;

add_header Strict-Transport-Security $hsts;

try_files $uri $uri/ @drupal;

}

## All static files will be served directly.

location ~* ^.+.(?:css|cur|json|js|jpe?g|gif|htc|ico|png|txt|otf|ttf|eot|woff|svg|webp|webm|zip|gz|tar|rar)$ {

access_log off;

expires 30d;

## No need to bleed constant updates. Send the all shebang in one

## fell swoop.

tcp_nodelay off;

## Set the OS file cache.

open_file_cache max=3000 inactive=120s;

open_file_cache_valid 45s;

open_file_cache_min_uses 2;

open_file_cache_errors off;

try_files $uri $uri/ @cache;

}

## PDFs and powerpoint files handling.

location ~* ^.+.(?:pdf|pptx?)$ {

access_log off;

expires 30d;

## No need to bleed constant updates. Send the all shebang in one

## fell swoop.

tcp_nodelay off;

try_files $uri $uri/ @drupal;

}

## MP3 and Ogg/Vorbis files are served using AIO when supported. Your OS must support it.

location ~ ^/sites/[.-[:alnum:]]+/files/audio/mp3 {

location ~* .*.mp3$ {

access_log off;

directio 4k; ## for XFS

## If you're using ext3 or similar uncomment the line below and comment the above.

#directio 512; ## for ext3 or similar (block alignments)

tcp_nopush off;

aio on;

output_buffers 1 2M;

try_files $uri $uri/ @drupal;

}

location ~ ^/sites/[.-[:alnum:]]+/files/audio/ogg {

location ~* .*.ogg$ {

access_log off;

directio 4k; # for XFS

## If you're using ext3 or similar uncomment the line below and comment the above.

#directio 512; ## for ext3 or similar (block alignments)

tcp_nopush off;

aio on;

output_buffers 1 2M;

try_files $uri $uri/ @drupal;

}

## Pseudo streaming of FLV files:

## http://wiki.nginx.org/HttpFlvStreamModule.

## If pseudo streaming isn't working, try to comment

## out in nginx.conf line with:

## add_header X-Frame-Options SAMEORIGIN;

location ~ ^/sites/[.-[:alnum:]]+/files/video/flv {

location ~* .*.flv$ {

access_log off;

flv;

try_files $uri $uri/ @drupal;

}

## Pseudo streaming of H264/AAC files. This requires an Nginx

## version greater or equal to 1.0.7 for the stable branch and

## greater or equal to 1.1.3 for the development branch.

## Cf. http://nginx.org/en/docs/http/ngx_http_mp4_module.html.

location ~ ^/sites/[.-[:alnum:]]+/files/video/mp4 { # videos

location ~* .*.(?:mp4|mov)$ {

access_log off;

mp4;

mp4_buffer_size 1M;

mp4_max_buffer_size 5M;

try_files $uri $uri/ @drupal;

}

location ~ ^/sites/[.-[:alnum:]]+/files/audio/m4a { # audios

location ~* .*.m4a$ {

access_log off;

mp4;

mp4_buffer_size 1M;

mp4_max_buffer_size 5M;

try_files $uri $uri/ @drupal;

}

## Advanced Help module makes each module provided README available.

location ^~ /help/ {

location ~* ^/help/[^/]*/README.txt$ {

access_log off;

include utils/service/php_pass.conf;

}

## Replicate the Apache directive of Drupal standard

## .htaccess. Disable access to any code files. Return a 404 to curtail

## information disclosure. Hide also the text files.

location ~* ^(?:.+.(?:htaccess|gitignore|txt|engine|inc|info|install|make|module|profile|test|po|sh|.*sql|test|theme|twig|tpl(?:.php)?|xtmpl|yml)(~|.sw[op]|.bak|.orig|.save)?$|^(/.(?!well-known).*|/code-style.pl|/Entries.*|/Repository|/Root|/Tag|/Template|/composer.(json|lock))$|^#.*#$|/.*.php(.sw[op]|.bak|.orig|.save)+)$ {

return 404;

}

## Disallow access to .bzr, .git, .hg, .svn, .cvs directories:

## return 404 as not to disclose information.

location ^~ /.bzr {

return 404;

}

location ^~ /.git {

return 404;

}

location ^~ /.hg {

return 404;

}

location ^~ /.svn {

return 404;

}

location ^~ /.cvs {

return 404;

}

## Disallow access to patches directory.

location ^~ /patches {

return 404;

}

## Disallow access to drush backup directory.

location ^~ /backup {

return 404;

}

## Disable access logs for robots.txt.

location = /robots.txt {

access_log off;

## Add support for the robotstxt module

## https://drupal.org/project/robotstxt.

try_files $uri $uri/ @drupal;

}

## RSS feed support.

location = /rss.xml {

try_files $uri $uri/ @drupal;

}

## XML Sitemap support.

location = /sitemap.xml {

try_files $uri $uri/ @drupal;

}

## Support for favicon. Return an 1x1 transparent GIF if it

## doesn't exist.

location = /favicon.ico {

expires 30d;

try_files /favicon.png @empty;

}

Create the file /etc/nginx/drupal/php_handler.conf and add the following to it:

## PHP handler include utils/service/php_pass.conf;
include utils/service/microcache_auth.conf;
#include utils/service/microcache.conf;

## PHP handler

include utils/service/php_pass.conf;

include utils/service/microcache_auth.conf;

#include utils/service/microcache.conf;

We have two options here: microcache_auth.conf which uses the Nginx cache for anonymous users only and microcache.conf which uses the Nginx cache for both anonymous and authenticated users. The microcache_auth.conf is enabled by default. Select between the two according to your requirements.

Create the file /etc/nginx/drupal/named_location.conf and add the following to it:

## Restrict access to the strictly necessary PHP files. Reducing the
## scope for exploits. Handling of PHP code and the Drupal event loop.
location @drupal { include apps/drupal/php_handler.conf; ## Filefield Upload progress ## https://drupal.org/project/filefield_nginx_progress support ## through the NginxUploadProgress modules. #track_uploads uploads 60s;
} ## We define a named location for the Boost cache.
location @cache { include apps/drupal/boost.conf; ## We try each boost URI in succession, if every one of them ## fails then hand it to Drupal. try_files /cache/normal/$host${uri}_${args}.html /cache/normal/$host${uri}_${args}.xml /cache/normal/$host${uri}_${args}.json /cache/normal/$host${uri}_${args}.html.gz /cache/normal/$host${uri}_${args}.xml.gz /cache/normal/$host${uri}_${args}.json.gz /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html @drupal;
} ## Return an in memory 1x1 transparent GIF.
location @empty { expires 30d; empty_gif;
} ## Redirect Pagespeed optimized resources that returns 404 to
## original resource.
location @orig-resource { return 302 $scheme://$server_name$orig_resource_uri;
}

## Restrict access to the strictly necessary PHP files. Reducing the

## scope for exploits. Handling of PHP code and the Drupal event loop.

location @drupal {

include apps/drupal/php_handler.conf;

## Filefield Upload progress

## https://drupal.org/project/filefield_nginx_progress support

## through the NginxUploadProgress modules.

#track_uploads uploads 60s;

}

## We define a named location for the Boost cache.

location @cache {

include apps/drupal/boost.conf;

## We try each boost URI in succession, if every one of them

## fails then hand it to Drupal.

try_files /cache/normal/$host${uri}_${args}.html /cache/normal/$host${uri}_${args}.xml /cache/normal/$host${uri}_${args}.json /cache/normal/$host${uri}_${args}.html.gz /cache/normal/$host${uri}_${args}.xml.gz /cache/normal/$host${uri}_${args}.json.gz /cache/perm/$host${uri}_.css /cache/perm/$host${uri}_.js /cache/$host/0$uri.html /cache/$host/0${uri}/index.html @drupal;

}

## Return an in memory 1x1 transparent GIF.

location @empty {

expires 30d;

empty_gif;

}

## Redirect Pagespeed optimized resources that returns 404 to

## original resource.

location @orig-resource {

return 302 $scheme://$server_name$orig_resource_uri;

}

Create the file /etc/nginx/drupal/drupal_upload_progress.conf and add the following to it:

## Drupal 7 configuration for the Nginx Upload Progress module:
## https://github.com/masterzen/nginx-upload-progress-module
## This requires the Filefield Nginx Progress module:
## https://drupal.org/project/filefield_nginx_progress. ## The Nginx module wants ?X-Progress-ID query parameter so
## that it report the progress of the upload through a GET
## request. But the drupal form element makes use of clean
## URLs in the POST. location ~ (?.*)/x-progress-id:(?d*) { rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
} ## Now the above rewrite must be matched by a location that
## activates it and references the above defined upload
## tracking zone.
location ^~ /progress { upload_progress_json_output; report_uploads uploads;
}

## Drupal 7 configuration for the Nginx Upload Progress module:

## https://github.com/masterzen/nginx-upload-progress-module

## This requires the Filefield Nginx Progress module:

## https://drupal.org/project/filefield_nginx_progress.

## The Nginx module wants ?X-Progress-ID query parameter so

## that it report the progress of the upload through a GET

## request. But the drupal form element makes use of clean

## URLs in the POST.

location ~ (?.*)/x-progress-id:(?d*) {

rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;

}

## Now the above rewrite must be matched by a location that

## activates it and references the above defined upload

## tracking zone.

location ^~ /progress {

upload_progress_json_output;

report_uploads uploads;

}

Create the file /etc/nginx/drupal/drupal_install.conf and add the following to it:

## Directives for installing drupal. This is for drupal 6 and 7.
location = /install.php { auth_basic "Restricted Access"; # auth realm auth_basic_user_file key/.htpasswd-users; # htpasswd file include apps/drupal/php_handler.conf;
} ## This is for drupal 8.
location = /core/install.php { auth_basic "Restricted Access"; # auth realm auth_basic_user_file key/.htpasswd-users; # htpasswd file include apps/drupal/php_handler.conf;
}

## Directives for installing drupal. This is for drupal 6 and 7.

location = /install.php {

auth_basic "Restricted Access"; # auth realm

auth_basic_user_file key/.htpasswd-users; # htpasswd file

include apps/drupal/php_handler.conf;

}

## This is for drupal 8.

location = /core/install.php {

auth_basic "Restricted Access"; # auth realm

auth_basic_user_file key/.htpasswd-users; # htpasswd file

include apps/drupal/php_handler.conf;

}

Create the file /etc/nginx/drupal/drupal_cron_update.conf and add the following to it:

## Configuration file for Drupal if you're not using drush to update your site
## or run cron. ## XMLRPC. Comment out if not enabled.
location = /xmlrpc.php { include apps/drupal/php_handler.conf;
} ## Restrict cron access to a specific host.
location = /cron.php { ## If not allowed to run cron then issue a 404 and redirect to the ## site root. if ($not_allowed_cron) { return 404 /; } include apps/drupal/php_handler.conf;
} ## Run the update from the web interface with Drupal 7.
location = /authorize.php { include apps/drupal/php_handler.conf;
} location = /update.php { auth_basic "Restricted Access"; # auth realm auth_basic_user_file key/.htpasswd-users; # htpasswd file include apps/drupal/php_handler.conf;
}

## Configuration file for Drupal if you're not using drush to update your site

## or run cron.

## XMLRPC. Comment out if not enabled.

location = /xmlrpc.php {

include apps/drupal/php_handler.conf;

}

## Restrict cron access to a specific host.

location = /cron.php {

## If not allowed to run cron then issue a 404 and redirect to the

## site root.

if ($not_allowed_cron) {

return 404 /;

}

include apps/drupal/php_handler.conf;

}

## Run the update from the web interface with Drupal 7.

location = /authorize.php {

include apps/drupal/php_handler.conf;

}

location = /update.php {

auth_basic "Restricted Access"; # auth realm

auth_basic_user_file key/.htpasswd-users; # htpasswd file

include apps/drupal/php_handler.conf;

}

Create the file /etc/nginx/drupal/core.conf and add the following to it:

## Nginx configuration for Drupal ## Common Nginx configuration for server context
include apps/drupal/common_server_context.conf; ## Named location
include apps/drupal/named_location.conf; ## The 'default' location.
location / { ## Drupal generated static files include apps/drupal/static_files_handler.conf; try_files $uri $uri/ @cache;
} ## Drupal index.
location = /index.php { include apps/drupal/boost.conf; ## We try each boost URI in succession, if every one of them ## fails then hand it to Drupal. try_files /cache/normal/$host/_${args}.html /cache/normal/$host/_${args}.html.gz /cache/$host/0.html /cache/$host/0/index.html @drupal;
} ## Boost stats.
location = /boost_stats.php { include apps/drupal/php_handler.conf;
} ## PHP scipt to log all catch paths
location = /sites/all/logcatchall.php { include apps/drupal/php_handler.conf;
} ## Uncomment the line below if you want to enable basic auth for
## access to all /admin URIs. Note that this provides much better
## protection if use HTTPS. Since it can easily be eavesdropped if you
## use HTTP.
#include apps/drupal/admin_basic_auth.conf; ## Any other attempt to access PHP files returns a 404.
location ~* ^.+.php$ { return 404;
}

## Nginx configuration for Drupal

## Common Nginx configuration for server context

include apps/drupal/common_server_context.conf;

## Named location

include apps/drupal/named_location.conf;

## The 'default' location.

location / {

## Drupal generated static files

include apps/drupal/static_files_handler.conf;

try_files $uri $uri/ @cache;

}

## Drupal index.

location = /index.php {

include apps/drupal/boost.conf;

## We try each boost URI in succession, if every one of them

## fails then hand it to Drupal.

try_files /cache/normal/$host/_${args}.html /cache/normal/$host/_${args}.html.gz /cache/$host/0.html /cache/$host/0/index.html @drupal;

}

## Boost stats.

location = /boost_stats.php {

include apps/drupal/php_handler.conf;

}

## PHP scipt to log all catch paths

location = /sites/all/logcatchall.php {

include apps/drupal/php_handler.conf;

}

## Uncomment the line below if you want to enable basic auth for

## access to all /admin URIs. Note that this provides much better

## protection if use HTTPS. Since it can easily be eavesdropped if you

## use HTTP.

#include apps/drupal/admin_basic_auth.conf;

## Any other attempt to access PHP files returns a 404.

location ~* ^.+.php$ {

return 404;

}

Create the file /etc/nginx/drupal/common_server_context.conf and add the following to it:

## Common to all hosts Nginx configurations for server context ## See the blacklist.conf file at the parent dir: /etc/nginx.
## Deny access based on the User-Agent header.
if ($bad_bot) { return 444;
}
## Deny access based on the Referer header.
if ($bad_referer) { return 444;
} ## Protection against illegal HTTP methods. Out of the box only HEAD,
## GET and POST are allowed.
if ($not_allowed_method) { return 405;
} ## Limits
## limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=60r/s + limit_req zone=req_limit_per_ip burst=5 nodelay
## - Set shared memory as 10MB
## - Limit requests per IP as following
## - Set maximum requests as rate * burst in burst seconds
## For example, maximum value is 300(=60*5) requests in 5 seconds in this case
## - With nodelay option : Nginx would return 503 response and not handle excessive requests
## - Without nodelay option : Nginx would wait (no 503 response) and handle excessive requests with some delay
## limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m + limit_conn conn_limit_per_ip 30
## - Set shared memory as 10MB
## - Limit connections per IP as 30 in this case
## - Note that normal browser makes 2~8 connections and SPDY protocol split each connections
## - Nginx would return 503 response if connection exceeds this value
limit_conn connlimit 32;
limit_req zone=reqlimit burst=5 nodelay; ## PageSpeed filters
## Uncomment the line below if Google PageSpeed module is present
#include apps/pagespeed/optimize.conf;

## Common to all hosts Nginx configurations for server context

## See the blacklist.conf file at the parent dir: /etc/nginx.

## Deny access based on the User-Agent header.

if ($bad_bot) {

return 444;

}

## Deny access based on the Referer header.

if ($bad_referer) {

return 444;

}

## Protection against illegal HTTP methods. Out of the box only HEAD,

## GET and POST are allowed.

if ($not_allowed_method) {

return 405;

}

## Limits

## limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=60r/s + limit_req zone=req_limit_per_ip burst=5 nodelay

## - Set shared memory as 10MB

## - Limit requests per IP as following

## - Set maximum requests as rate * burst in burst seconds

## For example, maximum value is 300(=60*5) requests in 5 seconds in this case

## - With nodelay option : Nginx would return 503 response and not handle excessive requests

## - Without nodelay option : Nginx would wait (no 503 response) and handle excessive requests with some delay

## limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m + limit_conn conn_limit_per_ip 30

## - Set shared memory as 10MB

## - Limit connections per IP as 30 in this case

## - Note that normal browser makes 2~8 connections and SPDY protocol split each connections

## - Nginx would return 503 response if connection exceeds this value

limit_conn connlimit 32;

limit_req zone=reqlimit burst=5 nodelay;

## PageSpeed filters

## Uncomment the line below if Google PageSpeed module is present

#include apps/pagespeed/optimize.conf;

Create the file /etc/nginx/drupal/boost.conf and add the following to it:

## Boost configuration
gzip_static on; ## Error page handler for the case where $no_boost_cache is 1, POST
## request or authenticated.
error_page 418 = @drupal; ## If $no_boost_cache is 1 then it means that Boost session cookie
## is present or uri has wrong dir. So serve the dynamic page.
if ($no_boost_cache) { return 418;
} ## No caching for POST requests.
if ($request_method = POST) { return 418;
} ## Now for some header tweaking. We use a date that differs
## from stock Drupal.
add_header Expires "Tue, 25 Dec 1977 03:45:00 GMT";
## We bypass all delays in the post-check and pre-check
## parameters of Cache-Control. Both set to 0.
add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";
add_header X-DCache "Boost";
## Inheritance Rules for add_header Directives
## Because this 'server' block contains another 'add_header' directive,
## we must redeclare the 'add_header' from 'http' context
include utils/mod_header.conf;
add_header Strict-Transport-Security $hsts;
## Boost doesn't set a charset.
charset utf-8;

## Boost configuration

gzip_static on;

## Error page handler for the case where $no_boost_cache is 1, POST

## request or authenticated.

error_page 418 = @drupal;

## If $no_boost_cache is 1 then it means that Boost session cookie

## is present or uri has wrong dir. So serve the dynamic page.

if ($no_boost_cache) {

return 418;

}

## No caching for POST requests.

if ($request_method = POST) {

return 418;

}

## Now for some header tweaking. We use a date that differs

## from stock Drupal.

add_header Expires "Tue, 25 Dec 1977 03:45:00 GMT";

## We bypass all delays in the post-check and pre-check

## parameters of Cache-Control. Both set to 0.

add_header Cache-Control "must-revalidate, post-check=0, pre-check=0";

add_header X-DCache "Boost";

## Inheritance Rules for add_header Directives

## Because this 'server' block contains another 'add_header' directive,

## we must redeclare the 'add_header' from 'http' context

include utils/mod_header.conf;

add_header Strict-Transport-Security $hsts;

## Boost doesn't set a charset.

charset utf-8;

Populate the /etc/nginx/apps/pagespeed folder under this guide.

To enable Google PageSpeed in your Nginx configuration (make sure first that your Nginx is compiled with PageSpeed module), uncomment the line seen below at /etc/nginx/nginx.conf:

include apps/pagespeed/core.conf;

1	include apps/pagespeed/core.conf;

… also uncomment the line seen below at /etc/nginx/apps/drupal/common_server_context.conf:

include apps/pagespeed/optimize.conf;

1	include apps/pagespeed/optimize.conf;

… and uncomment the line seen below at /etc/nginx/site-available/template.conf:

pagespeed ShardDomain $scheme://$server_name $scheme://s1.{DOM},$scheme://s2.{DOM};

1	pagespeed ShardDomain $scheme://$server_name $scheme://s1.{DOM},$scheme://s2.{DOM};

To enable this Nginx reverse proxy for Apache setup, execute the following:
ln -s /etc/nginx/utils/apache /etc/nginx/utils/service
1
ln -s /etc/nginx/utils/apache /etc/nginx/utils/service
On the other hand, if PHP FPM backend is your setup, execute the following:
ln -s /etc/nginx/utils/fastcgi /etc/nginx/utils/service
1
ln -s /etc/nginx/utils/fastcgi /etc/nginx/utils/service

Set permission:

chmod -R -x /etc/nginx
chmod +x /etc/nginx/lib/ /etc/nginx/apps/ /etc/nginx/apps/drupal/ /etc/nginx/apps/pagespeed/ /etc/nginx/key/ /etc/nginx/sites-available/ /etc/nginx/sites-available/admin/ /etc/nginx/sites-available/dev/ /etc/nginx/sites-available/targeted_server_config/ /etc/nginx/sites-enabled/ /etc/nginx/utils/ /etc/nginx/utils/apache/ /etc/nginx/utils/fastcgi/ /etc/nginx/map/ /etc/nginx/

chmod -R -x /etc/nginx

chmod +x /etc/nginx/lib/ /etc/nginx/apps/ /etc/nginx/apps/drupal/ /etc/nginx/apps/pagespeed/ /etc/nginx/key/ /etc/nginx/sites-available/ /etc/nginx/sites-available/admin/ /etc/nginx/sites-available/dev/ /etc/nginx/sites-available/targeted_server_config/ /etc/nginx/sites-enabled/ /etc/nginx/utils/ /etc/nginx/utils/apache/ /etc/nginx/utils/fastcgi/ /etc/nginx/map/ /etc/nginx/

Restart Nginx:
systemctl restart nginx
1
systemctl restart nginx

Setup Nginx requirements

In this tutorial the Apache will use port 8080 and lets open this port to become accessible:
iptables -I INPUT -p tcp -m tcp --dport 8080 -j ACCEPT iptables --line -vnL service iptables save service iptables restart
1
2
3
4
iptables -I INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables --line -vnL
service iptables save
service iptables restart
Create the Nginx cache path folder:
mkdir /var/cache/nginx/microcache chown apache:root /var/cache/nginx/microcache chmod 700 /var/cache/nginx/microcache
1
2
3
mkdir /var/cache/nginx/microcache
chown apache:root /var/cache/nginx/microcache
chmod 700 /var/cache/nginx/microcache

Create Nginx logrotate script:

vi /etc/logrotate.d/websites_nginx_logs.conf

1	vi /etc/logrotate.d/websites_nginx_logs.conf

Content:

/var/log/virtualmin/*nginx_access_log /var/log/virtualmin/*nginx_error_log { rotate 10 missingok daily compress postrotate service httpd graceful ; sleep 5 endscript sharedscripts
}

/var/log/virtualmin/*nginx_access_log /var/log/virtualmin/*nginx_error_log {

rotate 10

missingok

daily

compress

postrotate

service httpd graceful ; sleep 5

endscript

sharedscripts

}

Configure Apache

Since Nginx is reverse proxy to Apache, the IP address that Apache will get is the IP of the server and we need to correct that. Apache 2.4 and above do have mod_remoteip and we will use that module. Open mod_remoteip’s configuration file:
vi /etc/httpd/conf.d/remoteip.conf
1
vi /etc/httpd/conf.d/remoteip.conf
Add the following codes:
# mod_remoteip settings RemoteIPHeader X-Real-IP RemoteIPInternalProxy 127.0.0.1 RemoteIPInternalProxy 188.8.8.8
1
2
3
4
# mod_remoteip settings
RemoteIPHeader X-Real-IP
RemoteIPInternalProxy 127.0.0.1
RemoteIPInternalProxy 188.8.8.8
Note: change 188.8.8.8 to your server’s IP address.
Change the port of Apache:
vi /etc/httpd/conf/httpd.conf
1
vi /etc/httpd/conf/httpd.conf
Look for:
Listen 80
1
Listen 80
… and change to:
Listen 8080
1
Listen 8080
Restart Apache:
systemctl restart httpd
1
systemctl restart httpd

Configure Virtualmin

Set the virtual server template to listen to 8080. Login to Virtualmin, go to “System Settings” -> “Server Templates” -> “Default Settings” and select from the dropdown “Apache Website”. Change the “Port number for virtual hosts” from 80 to 8080. Restart webmin:
systemctl restart webmin
1
systemctl restart webmin

Lets build the script that will automate the creation of website virtual host Nginx configuration file each time Virtualmin created a new server.Create the file /usr/local/bin/virtualmin.sh and add the following to it:

#!/bin/sh function update_nginx_conf { cat /etc/nginx/sites-available/${TEMPLATE_FILENAME} > $NGINX_CONF_FILE perl -pi -e "s#{DOM}#${VIRTUALSERVER_DOM}#g" $NGINX_CONF_FILE perl -pi -e "s#{HOME}#${VIRTUALSERVER_HOME}#g" $NGINX_CONF_FILE cat /etc/nginx/sites-available/${TEMPLATE_FILENAME_SSL} > $NGINX_CONF_FILE_SSL perl -pi -e "s#{DOM}#${VIRTUALSERVER_DOM}#g" $NGINX_CONF_FILE_SSL perl -pi -e "s#{HOME}#${VIRTUALSERVER_HOME}#g" $NGINX_CONF_FILE_SSL if [ -f "/etc/nginx/sites-available/targeted_server_config/${VIRTUALSERVER_DOM}.conf" ] then perl -pi -e "s#{TARGETED_SERVER_CONFIG}#include sites-available/targeted_server_config/${VIRTUALSERVER_DOM}.conf;#g" $NGINX_CONF_FILE perl -pi -e "s#{TARGETED_SERVER_CONFIG}#include sites-available/targeted_server_config/${VIRTUALSERVER_DOM}.conf;#g" $NGINX_CONF_FILE_SSL else perl -pi -e "s#{TARGETED_SERVER_CONFIG}##g" $NGINX_CONF_FILE perl -pi -e "s#{TARGETED_SERVER_CONFIG}##g" $NGINX_CONF_FILE_SSL fi
} NGINX_CONF_FILENAME="${VIRTUALSERVER_DOM}.conf"
NGINX_CONF_FILE="/etc/nginx/sites-available/prod/${NGINX_CONF_FILENAME}"
NGINX_CONF_FILENAME_SSL="${VIRTUALSERVER_DOM}_ssl.conf"
NGINX_CONF_FILE_SSL="/etc/nginx/sites-available/prod/${NGINX_CONF_FILENAME_SSL}"
TEMPLATE_FILENAME=template.conf
TEMPLATE_FILENAME_SSL=template_ssl.conf if [ "$VIRTUALSERVER_ACTION" = "CREATE_DOMAIN" ]
then if [ "${VIRTUALSERVER_WEB}" = "1" ] then update_nginx_conf if [ "${VIRTUALSERVER_SSL}" = "1" ] then ln -s $NGINX_CONF_FILE_SSL /etc/nginx/sites-enabled/${NGINX_CONF_FILENAME_SSL} else ln -s $NGINX_CONF_FILE /etc/nginx/sites-enabled/${NGINX_CONF_FILENAME} fi if [ -f "/home/${VIRTUALSERVER_USER}/etc/dav.digest.passwd" ] then cat /home/$VIRTUALSERVER_USER/etc/dav.digest.passwd >> /etc/nginx/key/.htpasswd-users fi /usr/sbin/nginx -s reload fi
elif [ "$VIRTUALSERVER_ACTION" = "DELETE_DOMAIN" ]
then if [ "${VIRTUALSERVER_WEB}" = "1" ] then rm -f /etc/nginx/sites-enabled/${VIRTUALSERVER_DOM}.conf /etc/nginx/sites-enabled/${VIRTUALSERVER_DOM}_ssl.conf rm -f /etc/nginx/sites-available/prod/${VIRTUALSERVER_DOM}.conf /etc/nginx/sites-available/prod/${VIRTUALSERVER_DOM}_ssl.conf rm -f /var/log/virtualmin/${VIRTUALSERVER_DOM}_nginx_* /usr/sbin/nginx -s reload fi
elif [ "$VIRTUALSERVER_ACTION" = "MODIFY_DOMAIN" ]
then if [ "${VIRTUALSERVER_WEB}" = "1" ] then if [ ! -f $NGINX_CONF_FILE ] then update_nginx_conf fi fi if [ "$VIRTUALSERVER_DOM" != "$VIRTUALSERVER_OLDSERVER_DOM" ] then if [ "${VIRTUALSERVER_WEB}" = "1" ] then rm -f /etc/nginx/sites-available/prod/${VIRTUALSERVER_OLDSERVER_DOM}.conf /etc/nginx/sites-available/prod/${VIRTUALSERVER_OLDSERVER_DOM}_ssl.conf rm -f /etc/nginx/sites-enabled/${VIRTUALSERVER_OLDSERVER_DOM}.conf /etc/nginx/sites-enabled/${VIRTUALSERVER_OLDSERVER_DOM}_ssl.conf update_nginx_conf if [ "${VIRTUALSERVER_SSL}" = "1" ] then ln -s $NGINX_CONF_FILE_SSL /etc/nginx/sites-enabled/${NGINX_CONF_FILENAME_SSL} else ln -s $NGINX_CONF_FILE /etc/nginx/sites-enabled/${NGINX_CONF_FILENAME} fi fi fi if [ "${VIRTUALSERVER_WEB}" = "1" ] then /usr/sbin/nginx -s reload fi
fi

#!/bin/sh

function update_nginx_conf {

cat /etc/nginx/sites-available/${TEMPLATE_FILENAME} > $NGINX_CONF_FILE

perl -pi -e "s#{DOM}#${VIRTUALSERVER_DOM}#g" $NGINX_CONF_FILE

perl -pi -e "s#{HOME}#${VIRTUALSERVER_HOME}#g" $NGINX_CONF_FILE

cat /etc/nginx/sites-available/${TEMPLATE_FILENAME_SSL} > $NGINX_CONF_FILE_SSL

perl -pi -e "s#{DOM}#${VIRTUALSERVER_DOM}#g" $NGINX_CONF_FILE_SSL

perl -pi -e "s#{HOME}#${VIRTUALSERVER_HOME}#g" $NGINX_CONF_FILE_SSL

if [ -f "/etc/nginx/sites-available/targeted_server_config/${VIRTUALSERVER_DOM}.conf" ]

then

perl -pi -e "s#{TARGETED_SERVER_CONFIG}#include sites-available/targeted_server_config/${VIRTUALSERVER_DOM}.conf;#g" $NGINX_CONF_FILE

perl -pi -e "s#{TARGETED_SERVER_CONFIG}#include sites-available/targeted_server_config/${VIRTUALSERVER_DOM}.conf;#g" $NGINX_CONF_FILE_SSL

else

perl -pi -e "s#{TARGETED_SERVER_CONFIG}##g" $NGINX_CONF_FILE

perl -pi -e "s#{TARGETED_SERVER_CONFIG}##g" $NGINX_CONF_FILE_SSL

}

NGINX_CONF_FILENAME="${VIRTUALSERVER_DOM}.conf"

NGINX_CONF_FILE="/etc/nginx/sites-available/prod/${NGINX_CONF_FILENAME}"

NGINX_CONF_FILENAME_SSL="${VIRTUALSERVER_DOM}_ssl.conf"

NGINX_CONF_FILE_SSL="/etc/nginx/sites-available/prod/${NGINX_CONF_FILENAME_SSL}"

TEMPLATE_FILENAME=template.conf

TEMPLATE_FILENAME_SSL=template_ssl.conf

if [ "$VIRTUALSERVER_ACTION" = "CREATE_DOMAIN" ]

then

if [ "${VIRTUALSERVER_WEB}" = "1" ]

then

update_nginx_conf

if [ "${VIRTUALSERVER_SSL}" = "1" ]

then

ln -s $NGINX_CONF_FILE_SSL /etc/nginx/sites-enabled/${NGINX_CONF_FILENAME_SSL}

else

ln -s $NGINX_CONF_FILE /etc/nginx/sites-enabled/${NGINX_CONF_FILENAME}

if [ -f "/home/${VIRTUALSERVER_USER}/etc/dav.digest.passwd" ]

then

cat /home/$VIRTUALSERVER_USER/etc/dav.digest.passwd >> /etc/nginx/key/.htpasswd-users

/usr/sbin/nginx -s reload

elif [ "$VIRTUALSERVER_ACTION" = "DELETE_DOMAIN" ]

then

if [ "${VIRTUALSERVER_WEB}" = "1" ]

then

rm -f /etc/nginx/sites-enabled/${VIRTUALSERVER_DOM}.conf /etc/nginx/sites-enabled/${VIRTUALSERVER_DOM}_ssl.conf

rm -f /etc/nginx/sites-available/prod/${VIRTUALSERVER_DOM}.conf /etc/nginx/sites-available/prod/${VIRTUALSERVER_DOM}_ssl.conf

rm -f /var/log/virtualmin/${VIRTUALSERVER_DOM}_nginx_*

/usr/sbin/nginx -s reload

elif [ "$VIRTUALSERVER_ACTION" = "MODIFY_DOMAIN" ]

then

if [ "${VIRTUALSERVER_WEB}" = "1" ]

then

if [ ! -f $NGINX_CONF_FILE ]

then

update_nginx_conf

if [ "$VIRTUALSERVER_DOM" != "$VIRTUALSERVER_OLDSERVER_DOM" ]

then

if [ "${VIRTUALSERVER_WEB}" = "1" ]

then

rm -f /etc/nginx/sites-available/prod/${VIRTUALSERVER_OLDSERVER_DOM}.conf /etc/nginx/sites-available/prod/${VIRTUALSERVER_OLDSERVER_DOM}_ssl.conf

rm -f /etc/nginx/sites-enabled/${VIRTUALSERVER_OLDSERVER_DOM}.conf /etc/nginx/sites-enabled/${VIRTUALSERVER_OLDSERVER_DOM}_ssl.conf

update_nginx_conf

if [ "${VIRTUALSERVER_SSL}" = "1" ]

then

ln -s $NGINX_CONF_FILE_SSL /etc/nginx/sites-enabled/${NGINX_CONF_FILENAME_SSL}

else

ln -s $NGINX_CONF_FILE /etc/nginx/sites-enabled/${NGINX_CONF_FILENAME}

if [ "${VIRTUALSERVER_WEB}" = "1" ]

then

/usr/sbin/nginx -s reload

Make the script executable:

chmod u+x /usr/local/bin/virtualmin.sh

1	chmod u+x /usr/local/bin/virtualmin.sh

Let Virtualmin know about the virtualmin.sh. Login to Virtualmin, go to “System Settings” -> “Virtualmin Configuration” and select from dropdown “Actions upon server and user creation”. Populate the “Command to run after making changes to a server” field with:
/usr/local/bin/virtualmin.sh
1
/usr/local/bin/virtualmin.sh

Fonte: https://www.webfoobar.com/node/35

Facebook Comments

Rate this post

Post Views: 136

Install Nginx

Configure Nginx

Setup Nginx requirements

Configure Apache

Configure Virtualmin

Related posts