Forked from pimbrouwers/ubuntu-20_04-web-server-setup-instructions.md
Created
January 23, 2025 14:57
Revisions
pimbrouwers revised this gist
Mar 21, 2022 . 1 changed file with 9 additions and 13 deletions.
@@ -117,18 +117,6 @@ send_timeout 10; **keep_alive_timeout** - duration keep-alive connection will stay open **send_timeout** - duration server will attempt to transmit response to client ### Error Logs Setting the appropriate log **log_level** can dramatically reduce the IO overhead. A good starting point is the "error" level (note: this is the default setting, used when nothing is specified). @@ -145,7 +133,7 @@ If it's required to have access logging, then enable access-log buffering. This access_log /var/log/nginx/access.log buffer=16k ``` ### Rate Limiting @@ -185,6 +173,14 @@ server { index index.html index.htm; server_name _; location ~* .(jpg|jpeg|png|gif|ico|svg)$ { expires 30d; } location ~* .(css|js)$ { expires 1d; } location / { try_files $uri $uri/ =404; } -
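Review bot: in the server-block hunk, the leading `.` in `location ~* .(jpg|jpeg|png|gif|ico|svg)$` and `location ~* .(css|js)$` is an unescaped regex dot, so it matches any character and the long `expires` lifetimes apply to every URI that merely ends in those letters (for example `/docs/nodejs`), not only to files with those extensions. Escape it, as in `location ~* \.(css|js)$`, so that caching headers are set only on real static assets.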
pimbrouwers revised this gist
Mar 21, 2022 . 1 changed file with 80 additions and 10 deletions.
@@ -18,10 +18,10 @@ $ sudo apt autoremove # Removes any old packages that are no longer needed Add a new user for the purposes of logging in and doing administrative work. > The *root* user has permissions to change every aspect of your server. This is good for the sake of administration, but regularly logging in and navigating your VPS as root isn't great for security. ```shell adduser username ``` You will be prompted with: @@ -35,12 +35,12 @@ passwd: password updated successfully Add the new user to the sudo group. ```shell usermod -aG sudo remote-user ``` After logging out, and back in as the new user, make sure your sudo access is working. One way of doing this is by listing the /root/ directory, which is only possible with sudo access. You'll be asked for your user's password to authenticate. ```shell sudo ls -la /root [sudo] password for username: ``` @@ -53,6 +53,8 @@ $ sudo systemctl enable --now nginx; ## Configure nginx ### Worker procesess and Worker Connection First two variables to tune are **worker_processes** and **worker_connections**. **worker_processess** - how many workers should be spawn
@@ -61,25 +63,93 @@ First two variables to tune are **worker_processes** and **worker_connections**. Configure worker connections to be the number of cores available. Run the following to display the cores available: ```shell grep processor /proc/cpuinfo | wc -l ```` Check the core's limitations by issuing a ulimit command: ```shell ulimit -n ``` Update the config with the new values. ```shell sudo nano /etc/nginx/nginx.conf worker_processes 1; worker_connections 1024; ``` ### Enable GZip By enabling gzip can save bandwidth and improving website load time on slow connections. ```shell gzip on; gzip_vary on; gzip_min_length 10240; gzip_proxied expired no-cache no-store private auth; gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml; gzip_disable "MSIE [1-6]\."; ``` **gzip** on - Enables gzip compression. **gzip_vary** on - Tells proxies to cache both gzipped and regular versions of a resource. **gzip_min_length** 1024 - Informs NGINX to not compress anything smaller than the defined size. **gzip_proxied** - Compress data even for clients that are connecting via proxies (here we're enabling compression if: a response header includes the "expired", "no-cache", "no-store", "private", and "Authorization" parameters). **gzip_types** - Enables the types of files that can be compressed. **gzip_disable** - "MSIE [1-6]\.", disable compression for Internet Explorer versions 1-6. ### Reducing Timeouts Timeouts also really improve the Nginx performance considerably. The keepalive connections reduce CPU and network overhead required when opening and closing connections. 
```shell client_body_timeout 12; client_header_timeout 12; keepalive_timeout 15; send_timeout 10; ``` **client_body_timeout** - duration server will attempt reading client body **client_header_timeout** - duration server will attempt reading client header **keep_alive_timeout** - duration keep-alive connection will stay open **send_timeout** - duration server will attempt to transmit response to client ### Static File Caching ```shell location ~* .(jpg|jpeg|png|gif|ico|svg)$ { expires 30d; } location ~* .(css|js)$ { expires 1d; } ``` ### Error Logs Setting the appropriate log **log_level** can dramatically reduce the IO overhead. A good starting point is the "error" level (note: this is the default setting, used when nothing is specified). ```shell error_log /var/log/nginx/error.log error; ``` ### Access Logs If it's required to have access logging, then enable access-log buffering. This enables Nginx to buffer a series of log entries and writes them to the log file together at once instead of performing the different write operations for each request. ```shell access_log /var/log/nginx/access.log buffer=16k ``` ### Limits ## Create a vhost "server" block Create the website directory in `/var/www`: -
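Review bot: the `access_log /var/log/nginx/access.log buffer=16k` line in the "Access Logs" section has no terminating `;` and no format name before `buffer=`, and nginx reads the second argument as the log format, so the directive will not load as written. Something like `access_log /var/log/nginx/access.log combined buffer=16k flush=5s;` parses, and the `flush=` bound keeps entries from sitting in the buffer for long on a quiet server, which matters when the access log is used for incident review. In the same hunk the gzip sample sets `gzip_min_length 10240;` while the description under it says 1024, and the timeout description is labelled `keep_alive_timeout` although the directive shown is `keepalive_timeout`.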
pimbrouwers revised this gist
Mar 21, 2022 . 1 changed file with 14 additions and 6 deletions.
@@ -6,14 +6,22 @@ - certbot - iptables ## Updates ```shell $ sudo apt update # Fetches the list of available updates $ sudo apt full-upgrade # Installs updates; may also remove some packages, if needed $ sudo apt autoremove # Removes any old packages that are no longer needed ``` ## Adding a new user Add a new user for the purposes of logging in and doing administrative work. > The *root* user has permissions to change every aspect of your server. This is good for the sake of administration, but regularly logging in and navigating your VPS as root isn’t great for security. ```shell $ adduser username ``` You will be prompted with: @@ -27,12 +35,12 @@ passwd: password updated successfully Add the new user to the sudo group. ```shell $ usermod -aG sudo remote-user ``` After logging out, and back in as the new user, make sure your sudo access is working. One way of doing this is by listing the /root/ directory, which is only possible with sudo access. You’ll be asked for your user’s password to authenticate. ```shell $ sudo ls -la /root [sudo] password for username: ``` @@ -53,19 +61,19 @@ First two variables to tune are **worker_processes** and **worker_connections**. Configure worker connections to be the number of cores available. Run the following to display the cores available: ```shell $ grep processor /proc/cpuinfo | wc -l ```` Check the core’s limitations by issuing a ulimit command: ```shell $ ulimit -n ``` Update the config with the new values. ```shell $ sudo nano /etc/nginx/nginx.conf worker_processes 1; worker_connections 1024; -
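Review bot: in the "Adding a new user" hunks, `$ adduser username` and `$ usermod -aG sudo remote-user` are now shown at an unprivileged `$` prompt without `sudo`, unlike the `$ sudo apt ...` lines added just above them, yet both commands need root. Prefix them with `sudo` or show them at a `#` prompt, so the prompt convention tells the reader which account each step runs under.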
pimbrouwers revised this gist
Mar 21, 2022 . 1 changed file with 33 additions and 5 deletions.
@@ -1,6 +1,6 @@ # Ubuntu 20.04 Web Server Setup Instructions > !!! **Work in progress, use at your own risk.** !!! - nginx - certbot @@ -43,13 +43,41 @@ $ sudo apt install nginx -y; $ sudo systemctl enable --now nginx; ``` ## Configure nginx First two variables to tune are **worker_processes** and **worker_connections**. **worker_processess** - how many workers should be spawn **worker_connections** - how many clients can be simultaneously connection Configure worker connections to be the number of cores available. Run the following to display the cores available: ```shell grep processor /proc/cpuinfo | wc -l ```` Check the core’s limitations by issuing a ulimit command: ```shell ulimit -n ``` Update the config with the new values. ```shell sudo nano /etc/nginx/nginx.conf worker_processes 1; worker_connections 1024; ``` ## Create a simple static site vhost "server" block Create the website directory in `/var/www`: ```shell $ sudo mkdir -p /var/www/www.mywebsite.com $ cd /var/www/www.mywebsite.com $ nano index.html ``` @@ -70,12 +98,12 @@ Paste the following into nano editor: Next add a server configuration block. Instead of going through site-available folders and then creating symlinks, just write the server block in there conf.d folder. It will work on all platforms and it is simpler to manage: ```shell $ nano /etc/nginx/conf.d/www.mywebsite.com.conf server { listen 80 default_server; listen [::]:80 default_server; root /var/www/www.mywebsite.com; index index.html index.htm; server_name _; -
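Review bot: in the "Configure nginx" hunk, the sentence "Configure worker connections to be the number of cores available" describes `worker_processes`, not `worker_connections`, and the sample then hard-codes `worker_processes 1;` whatever the `grep` count was; reword the sentence and consider `worker_processes auto;`. In the same hunk, `ulimit -n` reports the open-file limit of the current shell rather than a limit of the core, the fence opened with three backticks before `grep` is closed with four, and the last fence mixes the `nano` command with nginx directives without showing that `worker_connections` belongs inside the `events { }` block.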
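Review bot: in the vhost hunks, `$ nano index.html` and `$ nano /etc/nginx/conf.d/www.mywebsite.com.conf` run without `sudo`, although `/var/www/www.mywebsite.com` was just created with `sudo mkdir` and `/etc/nginx/conf.d` is root-owned, so the non-root user set up earlier cannot save either file. Run the editor with `sudo` for the config file, hand the site directory to the deploying user with `chown` instead of editing content as root, and move the `server { ... }` text into its own fence so it is not read as shell input.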
pimbrouwers created this gist
Mar 21, 2022 .
@@ -0,0 +1,93 @@ # Ubuntu 20.04 Web Server Setup Instructions > *Work in progress, use at your own risk.* - nginx - certbot - iptables ## Adding a new user Add a new user for the purposes of logging in and doing administrative work. > The *root* user has permissions to change every aspect of your server. This is good for the sake of administration, but regularly logging in and navigating your VPS as root isn’t great for security. ```shell adduser username ``` You will be prompted with: ```shell Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully ``` Add the new user to the sudo group. ```shell usermod -aG sudo remote-user ``` After logging out, and back in as the new user, make sure your sudo access is working. One way of doing this is by listing the /root/ directory, which is only possible with sudo access. You’ll be asked for your user’s password to authenticate. ```shell sudo ls -la /root [sudo] password for username: ``` ## Install nginx ```shell $ sudo apt install nginx -y; $ sudo systemctl enable --now nginx; ``` ## Create a simple static site vhost "server" block Create the website directory in `/var/www`: ```shell $ sudo mkdir -p /var/www/some-website $ cd /var/www/some-website $ nano index.html ``` Paste the following into nano editor: ```html <!DOCTYPE html> <html> <head> <title>Nginx Static Website</title> </head> <body> <h1>Hello world</h1> </body> </html> ``` Next add a server configuration block. Instead of going through site-available folders and then creating symlinks, just write the server block in there conf.d folder. 
It will work on all platforms and it is simpler to manage: ```shell $ nano /etc/nginx/conf.d/some-website.conf server { listen 80 default_server; listen [::]:80 default_server; root /var/www/some-website; index index.html index.htm; server_name _; location / { try_files $uri $uri/ =404; } } ``` Remove the default configuration and reload nginx: ```shell $ sudo rm /etc/sites-enabled/default $ sudo systemctl reload nginx ```
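Review bot: the last step removes `/etc/sites-enabled/default`, but the Ubuntu nginx package keeps that symlink at `/etc/nginx/sites-enabled/default`, so the `rm` fails and the packaged default site stays enabled. That site also declares `listen 80 default_server`, so the new `conf.d` file would then collide with it as a duplicate default server; correct the path and run `sudo nginx -t` before `sudo systemctl reload nginx`. Earlier in the same file, `adduser username` creates one account while `usermod -aG sudo remote-user` grants sudo to a different name; use the same account name in both commands.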