Modify nginx config file
location ~ \.php($|/) {
root /var/www/html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
}
Modify codeigniter config
Before:
//$config['uri_protocol'] = "AUTO";
After:
$config['uri_protocol'] = "PATH_INFO";
I came across a separate null-byte injection vulnerability in older versions of nginx (0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37). By taking advantage of this vulnerability, an attacker can cause a server that uses PHP-FastCGI to execute any publicly accessible file on the server as PHP.
In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h). Individual modules have the ability to opt-out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not.
The attack itself is simple: a malicious user who makes a request to http://example.com/file.ext%00.php causes file.ext to be parsed as PHP. If an attacker can control the contents of a file served up by nginx (ie: using an avatar upload form) the result is arbitrary code execution. This vulnerability can not be mitigated by nginx configuration settings like try_files or PHP configuration settings like cgi.fix_pathinfo: the only defense is to upgrade to a newer version of nginx or to explicitly block potentially malicious requests to directories containing user-controlled content.
# This location block will prevent an attacker from exploiting
# this vulnerability using files in the 'uploads' or 'other_uploads' directory
location ~ ^/(uploads|other_uploads)/.*.php$
{
deny all;
}
Although the affected versions of nginx are relatively old (0.7.66 was released June 7th, 2010, 0.8.38 was released May 24th 2010), no mention of the change appears in the release notes. As a result, administrators may be running vulnerable servers without realizing their risk. I discovered a couple places where vulnerable packages were being distributed:
or anyone who’s curious, the changes can be found at r3528 from svn://svn.nginx.org. At that time, it appears trunk corresponded to nginx 0.8: r3599 merged r3528 into the nginx 0.7 branch. The corresponding commit message is "remove r->zero_in_uri." I’ve reproduced the output of svn diff below:
Index: src/http/ngx_http_request.h
===================================================================
--- src/http/ngx_http_request.h (revision 3527)
+++ src/http/ngx_http_request.h (revision 3528)
@@ -56,7 +56,7 @@
#define NGX_HTTP_PARSE_INVALID_HEADER 13
-#define NGX_HTTP_ZERO_IN_URI 1
+/* unused 1 */
#define NGX_HTTP_SUBREQUEST_IN_MEMORY 2
#define NGX_HTTP_SUBREQUEST_WAITED 4
#define NGX_HTTP_LOG_UNSAFE 8
@@ -435,9 +435,6 @@
/* URI with "+" */
unsigned plus_in_uri:1;
- /* URI with "" or "%00" */
- unsigned zero_in_uri:1;
-
unsigned invalid_header:1;
unsigned valid_location:1;
Index: src/http/ngx_http_core_module.c
===================================================================
--- src/http/ngx_http_core_module.c (revision 3527)
+++ src/http/ngx_http_core_module.c (revision 3528)
@@ -1341,7 +1341,7 @@
/* no content handler was found */
- if (r->uri.data[r->uri.len - 1] == '/' && !r->zero_in_uri) {
+ if (r->uri.data[r->uri.len - 1] == '/') {
if (ngx_http_map_uri_to_path(r, &path, &root, 0) != NULL) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
@@ -2104,7 +2104,6 @@
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
"http subrequest \"%V?%V\"", uri, &sr->args);
- sr->zero_in_uri = (flags & NGX_HTTP_ZERO_IN_URI) != 0;
sr->subrequest_in_memory = (flags & NGX_HTTP_SUBREQUEST_IN_MEMORY) != 0;
sr->waited = (flags & NGX_HTTP_SUBREQUEST_WAITED) != 0;
Index: src/http/ngx_http_special_response.c
===================================================================
--- src/http/ngx_http_special_response.c (revision 3527)
+++ src/http/ngx_http_special_response.c (revision 3528)
@@ -517,8 +517,6 @@
r->err_status = overwrite;
- r->zero_in_uri = 0;
-
if (ngx_http_complex_value(r, &err_page->value, &uri) != NGX_OK) {
return NGX_ERROR;
}
Index: src/http/ngx_http_upstream.c
===================================================================
--- src/http/ngx_http_upstream.c (revision 3527)
+++ src/http/ngx_http_upstream.c (revision 3528)
@@ -1815,10 +1815,6 @@
return NGX_DONE;
}
- if (flags & NGX_HTTP_ZERO_IN_URI) {
- r->zero_in_uri = 1;
- }
-
if (r->method != NGX_HTTP_HEAD) {
r->method = NGX_HTTP_GET;
}
Index: src/http/ngx_http_parse.c
===================================================================
--- src/http/ngx_http_parse.c (revision 3527)
+++ src/http/ngx_http_parse.c (revision 3528)
@@ -438,8 +438,7 @@
r->plus_in_uri = 1;
break;
case '':
- r->zero_in_uri = 1;
- break;
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
default:
state = sw_check_uri;
break;
@@ -496,8 +495,7 @@
r->plus_in_uri = 1;
break;
case '':
- r->zero_in_uri = 1;
- break;
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
}
break;
@@ -526,8 +524,7 @@
r->complex_uri = 1;
break;
case '':
- r->zero_in_uri = 1;
- break;
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
}
break;
@@ -1202,7 +1199,7 @@
ch = *p++;
} else if (ch == '') {
- r->zero_in_uri = 1;
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
}
state = quoted_state;
@@ -1304,8 +1301,7 @@
}
if (ch == '') {
- *flags |= NGX_HTTP_ZERO_IN_URI;
- continue;
+ goto unsafe;
}
if (ngx_path_separator(ch) && len > 2) {
@@ -1449,34 +1445,19 @@
void
ngx_http_split_args(ngx_http_request_t *r, ngx_str_t *uri, ngx_str_t *args)
{
- u_char ch, *p, *last;
+ u_char *p, *last;
- p = uri->data;
+ last = uri->data + uri->len;
- last = p + uri->len;
+ p = ngx_strlchr(uri->data, last, '?');
- args->len = 0;
+ if (p) {
+ uri->len = p - uri->data;
+ p++;
+ args->len = last - p;
+ args->data = p;
- while (p < last) {
-
- ch = *p++;
-
- if (ch == '?') {
- args->len = last - p;
- args->data = p;
-
- uri->len = p - 1 - uri->data;
-
- if (ngx_strlchr(p, last, '') != NULL) {
- r->zero_in_uri = 1;
- }
-
- return;
- }
-
- if (ch == '') {
- r->zero_in_uri = 1;
- continue;
- }
+ } else {
+ args->len = 0;
}
}
Index: src/http/modules/ngx_http_gzip_static_module.c
===================================================================
--- src/http/modules/ngx_http_gzip_static_module.c (revision 3527)
+++ src/http/modules/ngx_http_gzip_static_module.c (revision 3528)
@@ -89,10 +89,6 @@
return NGX_DECLINED;
}
- if (r->zero_in_uri) {
- return NGX_DECLINED;
- }
-
gzcf = ngx_http_get_module_loc_conf(r, ngx_http_gzip_static_module);
if (!gzcf->enable) {
Index: src/http/modules/ngx_http_index_module.c
===================================================================
--- src/http/modules/ngx_http_index_module.c (revision 3527)
+++ src/http/modules/ngx_http_index_module.c (revision 3528)
@@ -116,10 +116,6 @@
return NGX_DECLINED;
}
- if (r->zero_in_uri) {
- return NGX_DECLINED;
- }
-
ilcf = ngx_http_get_module_loc_conf(r, ngx_http_index_module);
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
Index: src/http/modules/ngx_http_random_index_module.c
===================================================================
--- src/http/modules/ngx_http_random_index_module.c (revision 3527)
+++ src/http/modules/ngx_http_random_index_module.c (revision 3528)
@@ -86,10 +86,6 @@
return NGX_DECLINED;
}
- if (r->zero_in_uri) {
- return NGX_DECLINED;
- }
-
if (!(r->method & (NGX_HTTP_GET|NGX_HTTP_HEAD|NGX_HTTP_POST))) {
return NGX_DECLINED;
}
Index: src/http/modules/ngx_http_dav_module.c
===================================================================
--- src/http/modules/ngx_http_dav_module.c (revision 3527)
+++ src/http/modules/ngx_http_dav_module.c (revision 3528)
@@ -146,10 +146,6 @@
ngx_int_t rc;
ngx_http_dav_loc_conf_t *dlcf;
- if (r->zero_in_uri) {
- return NGX_DECLINED;
- }
-
dlcf = ngx_http_get_module_loc_conf(r, ngx_http_dav_module);
if (!(r->method & dlcf->methods)) {
Index: src/http/modules/ngx_http_flv_module.c
===================================================================
--- src/http/modules/ngx_http_flv_module.c (revision 3527)
+++ src/http/modules/ngx_http_flv_module.c (revision 3528)
@@ -80,10 +80,6 @@
return NGX_DECLINED;
}
- if (r->zero_in_uri) {
- return NGX_DECLINED;
- }
-
rc = ngx_http_discard_request_body(r);
if (rc != NGX_OK) {
Index: src/http/modules/ngx_http_static_module.c
===================================================================
--- src/http/modules/ngx_http_static_module.c (revision 3527)
+++ src/http/modules/ngx_http_static_module.c (revision 3528)
@@ -66,10 +66,6 @@
return NGX_DECLINED;
}
- if (r->zero_in_uri) {
- return NGX_DECLINED;
- }
-
log = r->connection->log;
/*
Index: src/http/modules/ngx_http_autoindex_module.c
===================================================================
--- src/http/modules/ngx_http_autoindex_module.c (revision 3527)
+++ src/http/modules/ngx_http_autoindex_module.c (revision 3528)
@@ -160,10 +160,6 @@
return NGX_DECLINED;
}
- if (r->zero_in_uri) {
- return NGX_DECLINED;
- }
-
if (!(r->method & (NGX_HTTP_GET|NGX_HTTP_HEAD))) {
return NGX_DECLINED;
}
Index: src/http/modules/perl/ngx_http_perl_module.c
===================================================================
--- src/http/modules/perl/ngx_http_perl_module.c (revision 3527)
+++ src/http/modules/perl/ngx_http_perl_module.c (revision 3528)
@@ -168,10 +168,6 @@
static ngx_int_t
ngx_http_perl_handler(ngx_http_request_t *r)
{
- if (r->zero_in_uri) {
- return NGX_HTTP_NOT_FOUND;
- }
-
r->main->count++;
ngx_http_perl_handle_request(r);
If your web server is apache ,you can add follow line:
<Directory /website/attachments>
php_flag engine off
</Directory>
We want disable upload directory php execute privileges on nginx,It’s so simple
location /upload/ {
location ~ .*\.(php)?$
{
deny all;
}
}
limit more directory
location ~* ^/(upload|images)/.*\.(php|php5)$
{
deny all;
}
If your web server is lighthttpd you can
$HTTP["url"] =~ "^/(forumdata|templates|customavatars?)/" {
fastcgi.server = ()
}
Apache:
<Location "/forumdata">
php_admin_flag engine off
Options -ExecCGI
AddType text/plain .html .htm .shtml .php
</Location>
Hope it will help you.
Nginx from the 0.7.48 release, support for Squid cache similar function. This cache is used as the URL and the relevant combination of Key, with the md5 hash code and saved on the hard drive, so it can support any URL link, also supports 404/301/302 such non-200 status code. Although the official Nginx Web caching service can only status code for the specified URL or set an expiration time, like Squid does not support the PURGE command to manually clear the cache page specified, but Nginx module by a third party, you can clear the cache of the specified URL .
Nginx’s Web caching services are mainly related to the instruction set and fastcgi_cache proxy_cache related instruction set composition, the former agent for the reverse, on the back-end content source server cache, which is mainly used to cache the FastCGI dynamic process. Both features are basically the same.
The latest version of Nginx 0.8.32, proxy_cache and fastcgi_cache been more perfect, with a third party ngx_cache_purge module (used to clear the cache of the specified URL), they can already completely replace the Squid. We have used in the production environment, the proxy_cache Nginx caching more than two months, very stable, speed is not inferior to Squid.
In function, Nginx have already have Squid Web cache acceleration, clear the cache function of the specified URL. In performance, Nginx on the use of multi-core CPU is better than a lot of Squid. In addition, the reverse proxy, load balancing, health checks, back-end server fail, Rewrite rewrite, ease of use, Nginx much stronger than the Squid. This makes a Nginx may also be a "load-balancing server" and "Web cache server" to use.
Install Part:
1.download purge patch for nginx and unzip it
wget http://labs.frickle.com/files/ngx_cache_purge-1.0.tar.gz
tar zxvf ngx_cache_purge-1.0.tar.gz
2.download nginx and unzip nginx
wget http://nginx.org/download/nginx-0.8.32.tar.gz
tar zxvf nginx-0.8.32.tar.gz
3.compile nginx
cd nginx-0.8.32/
./configure –user=www –group=www –add-module=../ngx_cache_purge-1.0 –prefix=/opt/nginx –with-http_stub_status_module –with-http_ssl_module
make && make install
cd /opt/nginx/conf
4.modify config file nginx.conf
user www www;
worker_processes 8;
error_log /opt/nginx/logs/nginx_error.log crit;
pid /opt/nginx/nginx.pid;
worker_rlimit_nofile 65535;
events
{
use epoll;
worker_connections 65535;
}
http
{
include mime.types;
default_type application/octet-stream;
#charset utf-8;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 300m;
sendfile on;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
client_body_buffer_size 512k;
proxy_connect_timeout 5;
proxy_read_timeout 60;
proxy_send_timeout 5;
proxy_buffer_size 16k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
#gzip on;
#gzip_min_length 1k;
#gzip_buffers 4 16k;
#gzip_http_version 1.1;
#gzip_comp_level 2;
#gzip_types text/plain application/x-javascript text/css application/xml;
#gzip_vary on;
proxy_temp_path /data/proxy_temp_dir;
proxy_cache_path /data/proxy_cache_dir levels=1:2 keys_zone=cache_one:500m inactive=1d max_size=20g;
upstream backend_server {
server 192.168.1.38:80 weight=1 max_fails=2 fail_timeout=30s;
}
server
{
listen 80;
server_name www.test.com *.test.com;
index index.html index.htm index.php;
location /
{
proxy_next_upstream http_502 http_504 error timeout invalid_header;
proxy_cache cache_one;
proxy_cache_valid 200 304 12h;
proxy_cache_key $host$uri$is_args$args;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://backend_server;
expires 1d;
}
location ~ /purge(/.*)
{
allow 127.0.0.1;
allow 192.168.1.253;
deny all;
proxy_cache_purge cache_one $host$1$is_args$args;
}
location ~ .*\.(php|jsp|cgi)?$
{
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://www.test.com;
}
access_log off;
}
}
5. Nginx start script nginx-start.sh
#!/bin/sh
ulimit -SHn 65535
/opt/nginx/sbin/nginx
chmod +x nginx-start.sh
./nginx-start.sh
6.Clean special url
you can visit page to delete
upload/thumb/20101101/201011011126134751_120_90.jpg file.
http://www.test.com/purge/upload/thumb/20101101/201011011126134751_120_90.jpg
Return Result
Key : www.test.com/upload/thumb/20101101/201011011126134751_120_90.jpg
Path: /data/proxy_cache_dir/0/98/d0a52447df34c0d5abe1cf34b4bf0980
nginx/0.8.32
When running PHP as CGI binary on nginx. You might get above error if you nonexistent PHP file. If you got a custom 404 page,this can be irritating, as it makes for an inconsistent user experience.
I find many articles, and I check php.ini file
cgi.fix_pathinfo=1
doc_root=
And check nginx.conf config file. virtual host parameters.
fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
The red part default is /script/$fastcgi_script_name;
I have modify above these parameters but if I get the error still. I find the parameters,I modify nginx config file add the follow a line
fastcgi_intercept_errors on;
After I add the parameters nginx return a custom 404 page,and not return “No input file specified” error.
I modify php.ini file
cgi.fix_pathinfo=0
the parameters have a serious security problem.
Disable php executive privileges for apache:
<Directory /website/upload>
php_flag engine off
</Directory>
Disable php executive privileges for nginx:
location ~ ^/upload/.*\.(php|php5)$
{
deny all;
}
nginx [engine x] is a HTTP and reverse proxy server, as well as a mail proxy server written by Igor Sysoev. It has been running for more than five years on many heavily loaded Russian sites including. The vulnerability will let error file type as php file. It’s a very critical bug.
Generally, nginx will parse php file by cgi. Example:
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
include fastcgi_params;
}
In location part,nginx will proceed request by URI variable, and the SCRIPT_FILENAME’s value will be defined by $fastcgi_script_name, the $fastcgi_script_name variable default is open by cgi.fix_pathinfo option in php.ini file.
Assume, have a the url http://www.goitowrld.com/nginx.jpg, you can try to visit fllow url.
http://www.goitworld.com/nginx.jpg/nginx.php
will have a URI /nginx.jpg/nginx.php
By location command,the request will submit to fastcgi proceed,the SCRIPT_FILENAME variable will set to /script/nginx.jpg/nginx.php
while cgi.fix_pathinfo parameter have been set to 1, now it will split SCRIPT_FILENAME and PATH_INFO to
/script/nginx.jpg and nginx.php
Final the nginx.jpg will be parsed as php file.
Brose url http://www.goitowrld.com/nginx.jpg respone
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: image/jpeg
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes
Brose url http://www.goitowrld.com/nginx.jpg/nginx.php respone
HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.6
Solution:
1.modify php.ini file and set parameter
cgi.fix_pathinfo=0
2.modify nginx config file
if ( $fastcgi_script_name ~ \..*\/.*php ) {
return 403;
}
configure determines the features of system and, in particular, the methods, which nginx can use for handling connections. Finally it creates the Makefile.
configure supports the following options:
–prefix=<path> – The path relative to which all other Nginx paths will resolve. If not specified, defaults to /usr/local/nginx.
–sbin-path=<path> – The path to the nginx executable. Only used for installation. If not specified defaults to <prefix>/sbin/nginx.
–conf-path=<path> – The default location of nginx.conf if no -c parameter is provided. If not provided, defaults to <prefix>/conf/nginx.conf.
–pid-path=<path> – The path to nginx.pid, if not set via the "pid" directive in nginx.conf. If not provided, defaults to <prefix>/logs/nginx.pid.
–lock-path=<path> – The path to the nginx.lock file. If not provided, defaults to <prefix>/logs/nginx.lock.
–error-log-path=<path> – The location of the error log if not set via the "error_log" in nginx.conf. If not set, defaults to <prefix>/logs/error.log.
–http-log-path=<path> – The location of the access log if not set via the "access_log" directive in nginx.conf. If not set, defaults to <prefix>/logs/access.log.
–user=<user> – The default user that nginx will run as if not set in nginx.conf via the "user" directive. If not set, defaults to "nobody".
–group=<group> – The default group that nginx will run under if not set via the "user" directive in nginx.conf. If not set defaults to "nobody".
–builddir=DIR – Set the build directory
–with-rtsig_module – Enable rtsig module
–with-select_module –without-select_module – Whether or not to enable the select module. This module is enabled by default if a more suitable method such as kqueue, epoll, rtsig or /dev/poll is not discovered by configure.
–with-poll_module –without-poll_module – Whether or not to enable the poll module. This module is enabled by default if a more suitable method such as kqueue, epoll, rtsig or /dev/poll is not discovered by configure.
–with-http_ssl_module – Enable ngx_http_ssl_module. Enables SSL support and the ability to handle HTTPS requests. Requires OpenSSL. On Debian, this is libssl-dev.
–with-http_realip_module – Enable ngx_http_realip_module
–with-http_addition_module – Enable ngx_http_addition_module
–with-http_sub_module – Enable ngx_http_sub_module
–with-http_dav_module – Enable ngx_http_dav_module
–with-http_flv_module – Enable ngx_http_flv_module
–with-http_stub_status_module – Enable the "server status" page
–without-http_charset_module – Disable ngx_http_charset_module
–without-http_gzip_module – Disable ngx_http_gzip_module. Requires zlib if enabled.
–without-http_ssi_module – Disable ngx_http_ssi_module
–without-http_userid_module – Disable ngx_http_userid_module
–without-http_access_module – Disable ngx_http_access_module
–without-http_auth_basic_module – Disable ngx_http_auth_basic_module
–without-http_autoindex_module – Disable ngx_http_autoindex_module
–without-http_geo_module – Disable ngx_http_geo_module
–without-http_map_module – Disable ngx_http_map_module
–without-http_referer_module – Disable ngx_http_referer_module
–without-http_rewrite_module – Disable ngx_http_rewrite_module. Requires PCRE if enabled.
–without-http_proxy_module – Disable ngx_http_proxy_module
–without-http_fastcgi_module – Disable ngx_http_fastcgi_module
–without-http_memcached_module – Disable ngx_http_memcached_module
–without-http_limit_zone_module – Disable ngx_http_limit_zone_module
–without-http_empty_gif_module – Disable ngx_http_empty_gif_module
–without-http_browser_module – Disable ngx_http_browser_module
–without-http_upstream_ip_hash_module – Disable ngx_http_upstream_ip_hash_module
–with-http_perl_module – Enable ngx_http_perl_module
–with-perl_modules_path=PATH – Set path to the perl modules
–with-perl=PATH – Set path to the perl binary
–http-client-body-temp-path=PATH – Set path to the http client request body temporary files. If not set, defaults to <prefix>/client_body_temp
–http-proxy-temp-path=PATH – Set path to the http proxy temporary files. If not set, defaults to <prefix>/proxy_temp
–http-fastcgi-temp-path=PATH – Set path to the http fastcgi temporary files. If not set, defaults to <prefix>/fastcgi_temp
–without-http – Disable HTTP server
–with-mail – Enable IMAP4/POP3/SMTP proxy module
–with-mail_ssl_module – Enable ngx_mail_ssl_module
–with-cc=PATH – Set path to C compiler
–with-cpp=PATH – Set path to C preprocessor
–with-cc-opt=OPTIONS – Additional parameters which will be added to the variable CFLAGS. With the use of the system library PCRE in FreeBSD, it is necessary to indicate –with-cc-opt="-I /usr/local/include". If we are using select() and it is necessary to increase the number of file descriptors, then this also can be assigned here: –with-cc-opt="-D FD_SETSIZE=2048".
–with-ld-opt=OPTIONS – Additional parameters passed to the linker. With the use of the system library PCRE in FreeBSD, it is necessary to indicate –with-ld-opt="-L /usr/local/lib".
–with-cpu-opt=CPU – Build for specified CPU, the valid values: pentium, pentiumpro, pentium3, pentium4, athlon, opteron, amd64, sparc32, sparc64, ppc64
–without-pcre – Disable PCRE library usage. Also disables HTTP rewrite module. PCRE is also required for regular expressions in "location" directive.
–with-pcre=DIR – Set path to PCRE library sources.
–with-pcre-opt=OPTIONS – Set additional options for PCRE building.
–with-md5=DIR – Set path to md5 library sources.
–with-md5-opt=OPTIONS – Set additional options for md5 building.
–with-md5-asm – Use md5 assembler sources.
–with-sha1=DIR – Set path to sha1 library sources.
–with-sha1-opt=OPTIONS – Set additional options for sha1 building.
–with-sha1-asm – Use sha1 assembler sources.
–with-zlib=DIR – Set path to zlib library sources.
–with-zlib-opt=OPTIONS – Set additional options for zlib building.
–with-zlib-asm=CPU – Use zlib assembler sources optimized for specified CPU, valid values are: pentium, pentiumpro
–with-openssl=DIR – Set path to OpenSSL library sources
–with-openssl-opt=OPTIONS – Set additional options for OpenSSL building
–with-debug – Enable debug logging
–add-module=PATH – Add in a third-party module found in directory PATH
Options may vary slightly between versions. Always check ./configure –help for the current list.
Examples Example 1 This is a single line!
./configure \ --sbin-path=/usr/local/nginx/nginx \ --conf-path=/usr/local/nginx/nginx.conf \ --pid-path=/usr/local/nginx/nginx.pid \ --with-http_ssl_module \ --with-pcre=../pcre-4.4 \ --with-zlib=../zlib-1.1.3
Example 2 Default Debian Lenny.
./configure \ --conf-path=/etc/nginx/nginx.conf \ --error-log-path=/var/log/nginx/error.log \ --pid-path=/var/run/nginx.pid \ --lock-path=/var/lock/nginx.lock \ --http-log-path=/var/log/nginx/access.log \ --with-http_dav_module \ --http-client-body-temp-path=/var/lib/nginx/body \ --with-http_ssl_module \ --http-proxy-temp-path=/var/lib/nginx/proxy \ --with-http_stub_status_module \ --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ --with-debug \ --with-http_flv_module
Example 3 I use this configuration for 50+ worth millions impressions per day.
./configure \ --prefix=/usr \ --conf-path=/etc/nginx/nginx.conf \ --http-log-path=/var/log/nginx/access_log \ --error-log-path=/var/log/nginx/error_log \ --pid-path=/var/run/nginx.pid \ --http-client-body-temp-path=/var/tmp/nginx/client \ --http-proxy-temp-path=/var/tmp/nginx/proxy \ --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi \ --with-md5-asm --with-md5=/usr/include \ --with-sha1-asm \ --with-sha1=/usr/include \ --with-http_realip_module \ --with-http_ssl_module \ --with-http_perl_module \ --with-http_stub_status_module
Example 4 Example on Ubuntu/debian with libgcrypt11-dev, libpcre3-dev and libssl-dev installed (choose EITHER –with-md5 OR –with-sha1, but not both; on debian and ubuntu, they should both point to /usr/lib)
./configure --with-openssl=/usr/lib/ssl/ --with-md5=/usr/lib
An Ubuntu Edgy .deb for version 0.5.2 can be found here: nginx_0.5.2-1_i386.deb .
Example 5 I use this on RedHat based distros (RHEL, CentOS, Fedora). This is the configuration used for running this wiki.
First, install the dependencies:
yum install gcc openssl-devel pcre-devel zlib-devel
Then run configure:
./configure \ --prefix=/usr \ --sbin-path=/usr/sbin/nginx \ --conf-path=/etc/nginx/nginx.conf \ --error-log-path=/var/log/nginx/error.log \ --pid-path=/var/run/nginx/nginx.pid \ --lock-path=/var/lock/nginx.lock \ --user=nginx \ --group=nginx \ --with-http_ssl_module \ --with-http_flv_module \ --with-http_gzip_static_module \ --http-log-path=/var/log/nginx/access.log \ --http-client-body-temp-path=/var/tmp/nginx/client/ \ --http-proxy-temp-path=/var/tmp/nginx/proxy/ \ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/
Then finally build and install:
make && make install
Nginx Server SSL Certificate Installation:
1.Make sure OpenSSL is installed and in your PATH.
2.Create a RSA private key for your Apache server (will be Triple-DES encrypted and PEM formatted): $ openssl genrsa -des3 -out server.key 1024
Please backup this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command: $ openssl rsa -noout -text -in server.key
If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with: $ openssl rsa -in server.key -out server.key.unsecure
3.Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted): $ openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via https://www.yourdomain.dom/, enter "www.yourdomain.dom" here. You can see the details of this CSR by using $ openssl req -noout -text -in server.csr
4.You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which can be used by Apache. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it.
Commercial CAs usually ask you to post the CSR into a web form, pay for the signing, and then send a signed Certificate, which you can store in a server.crt file. For more information about commercial CAs see the following locations:
For details on how to create your own CA, and use this to sign a CSR, see below.
Once your CSR has been signed, you can see the details of the Certificate as follows: $ openssl x509 -noout -text -in yourdomain.crt
Copy them(server.key,yourdomain.crt), along with the .key file you generated when you created the CSR, to the directory on your server where you will keep your certificate and key files. Make them readable by root only to increase security.
Now open your Nginx virtual host file for the website you are securing. If you need your site to be accessible through both secure (https) and non-secure (http) connections, you will need a server module for each type of connection. Make a copy of the existing non-secure server module and paste it below the original. Then add the lines in bold below:
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/yourdomain.crt;
ssl_certificate_key /etc/ssl/server.key;
server_name www.yourdomain.com;
access_log /var/log/nginx/nginx.vhost.access.log;
error_log /var/log/nginx/nginx.vhost.error.log;
location / {
root /home/www/public_html/your.domain.com/public/;
index index.html;
}
}Adjust the file names to match your certificate files:
For securing, you probably want to turn off the version with the directive “server_tokens off”.
server_tokens
syntax: server_tokens on|off
default: server_tokens on
context: http, server, location
Whether to send the Nginx version number in error pages and Server header.
If you want to remove the name of the server completely you need to alter the source code prior to compiling.
Edit /path/to/nginx-0.*/src/http/ngx_http_header_filter_module.c lines 48 and 49:
static char ngx_http_server_string[] = “Server: nginx” CRLF; static char ngx_http_server_full_string[] = “Server: ” NGINX_VER CRLF;
Put in anything you like.
If you want to edit NGINX_VER, it is defined, along with some other relevant constants, in /path/to/nginx-0.*/src/core/nginx.h, lines 11-13.
Refrence:http://wiki.nginx.org/NginxHttpCoreModule#server_tokens
http://www.net-square.com/httprint/httprint_paper.html
