Here are a number of Nginx configurations for common scenarios that should help make things easier to get started with. This page will grow as needed.
A quick and easy starter example
First one is for most of you fly-by and cut-and-paste type of people. If you’re using a typical /sites-enabled/default type of configuration, replace the content of that file with this. Make sure to change the root path and your php port/path if it differs.
server {
# .domain.com will match both domain.com and anything.domain.com
server_name .example.com;
# It is best to place the root of the server block at the server level, and not the location level
# any location block path will be relative to this root.
root /usr/local/www/example.com;
# It's always good to set logs, note however you cannot turn off the error log
# setting error_log off; will simply create a file called 'off'.
access_log /var/log/nginx/example.access.log;
error_log /var/log/nginx/example.error.log;
# This can also go in the http { } level
index index.html index.htm index.php;
location / {
# if you're just using wordpress and don't want extra rewrites
# then replace the word @rewrites with /index.php
try_files $uri $uri/ @rewrites;
}
location @rewrites {
# Can put some of your own rewrite rules in here
# for example rewrite ^/~(.*)/(.*)/? /users/$1/$2 last;
# If nothing matches we'll just send it to /index.php
rewrite ^ /index.php last;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# remove the robots line if you want to use wordpress' virtual robots.txt
location = /robots.txt { access_log off; log_not_found off; }
location = /favicon.ico { access_log off; log_not_found off; }
# this prevents hidden files (beginning with a period) from being served
location ~ /\. { access_log off; log_not_found off; deny all; }
location ~ \.php {
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_pass 127.0.0.1:9000;
}
}
As for the rest of you, read on for some more goodies and other configuration examples.
Making the PHP inclusion easier
For the purpose of PHP I’ve created a php.conf in the same folder with nginx.conf, this file DOES NOT go into the same folder as your virtual host configuration for example if nginx.conf is in /etc/nginx/ , then php.conf goes into /etc/nginx/ not /etc/nginx/sites-enabled/.
If you are not using PHP-FPM, you really should be as opposed to the old spawn-fcgi or php-cgi methods. For debian lenny/squeeze dotdeb makes php5-fpm available, FreeBSD already includes it in the PHP 5.2 and 5.3 ports.
location ~ \.php {
# for security reasons the next line is highly encouraged
try_files $uri =404;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
# if the next line in yours still contains $document_root
# consider switching to $request_filename provides
# better support for directives such as alias
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# If using a unix socket...
# fastcgi_pass unix:/tmp/php5-fpm.sock;
# If using a TCP connection...
fastcgi_pass 127.0.0.1:9000;
}
I prefer to use a unix socket, it cuts out the TCP overhead, and increases security since file-based permissions are stronger. In php-fpm.conf you can change the listen line to /tmp/php5-fpm.sock, and should uncomment the listen.owner, listen.group and listen.mode lines.
REMEMBER: Set cgi.fix_pathinfo to 0 in the php.ini when using Nginx with PHP-FPM/FastCGI, otherwise something as simple as /forum/avatars/user2.jpg/index.php could be used to execute an uploaded php script hidden as an image.
Path_Info
If you must use PATH_INFO and PATH_TRANSLATED then add the following within your location block above (make sure $ does not exist after \.php or /index.php/some/path/ will not match):
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
It is advised however to update your script to use REQUEST_URI instead.
Optional Config – Drop
You can also have a file called drop.conf in the same folder with nginx.conf with the following:
location = /robots.txt { access_log off; log_not_found off; }
location = /favicon.ico { access_log off; log_not_found off; }
location ~ /\. { access_log off; log_not_found off; deny all; }
location ~ ~$ { access_log off; log_not_found off; deny all; }
Using include drop.conf; at the end of your server block will include these. The first two simply turn off access logs and prevents logging an error if robots.txt and favicon.ico are not found, which is something a lot of browsers ask for. WordPress typically uses a virtual robots.txt so you may omit the first line if needed so that the request is passed back to wordpress.
The third line prevents nginx from serving any hidden unix/linux files, basically any request beginning with a period.
And the forth line is mainly for people who use vim, or any other command line editor that creates a backup copy of a file being worked on with a file name ending in ~. Hiding this prevents someone from accessing a backup copy of a file you have been working on.
Sample Nginx Configurations
Simple Configuration with PHP enabled
Here we have a very simple starting configuration with PHP support. I will provide most of the comments here for the basic lines. The other sample configurations won’t be as heavily commented.
server {
# This will listen on all interfaces, you can instead choose a specific IP
# such as listen x.x.x.x:80; Setting listen 80 default_server; will make
# this server block the default one if no other blocks match the request
listen 80;
# Here you can set a server name, you can use wildcards such as *.example.com
# however remember if you use server_name *.example.com; You'll only match subdomains
# to match both subdomains and the main domain use both example.com and *.example.com
server_name example.com www.example.com;
# It is best to place the root of the server block at the server level, and not the location level
# any location block path will be relative to this root.
root /usr/local/www/example.com;
# It's always good to set logs, note however you cannot turn off the error log
# setting error_log off; will simply create a file called 'off'.
access_log /var/log/nginx/example.access.log;
error_log /var/log/nginx/example.error.log;
location / {
# Rewrite rules and other criterias can go here
# Remember to avoid using if() where possible (http://wiki.nginx.org/IfIsEvil)
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# We can include our basic configs here, as you can see its much easier
# than pasting out the entire sets of location block each time we add a vhost
include drop.conf;
include php.conf;
}
WordPress Simple (Not using file-based caching or special rewrites)
This can also be used with W3 Total Cache if you’re using Memcache or Opcode Caching.
server {
listen 80;
server_name example.com www.example.com;
root /usr/local/www/example.com;
access_log /var/log/nginx/example.access.log;
error_log /var/log/nginx/example.error.log;
location / {
try_files $uri $uri/ /index.php;
}
location /search { limit_req zone=kbeezieone burst=3 nodelay; rewrite ^ /index.php; }
fastcgi_intercept_errors off;
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
include php.conf;
# You may want to remove the robots line from drop to use a virtual robots.txt
# or create a drop_wp.conf tailored to the needs of the wordpress configuration
include drop.conf;
}
WordPress w/ W3 Total Cache using Disk (Enhanced)
The following rules have been updated to work with W3TC 0.9.2.8, in some cases $host may need to be replaced with your domain name.
server {
listen 80;
server_name example.com www.example.com;
root /usr/local/www/example.com;
access_log /var/log/nginx/example.access.log;
error_log /var/log/nginx/example.error.log;
# the next two location blocks are to ensure gzip encoding is turned off
# for the serving of already gzipped w3tc page cache
# normally gzip static would handle this but W3TC names them with _gzip
location ~ /wp-content/cache/page_enhanced.*html$ {
expires max;
charset utf-8;
add_header Vary "Accept-Encoding, Cookie";
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location ~ /wp-content/cache/page_enhanced.*gzip$ {
expires max;
gzip off;
types {}
charset utf-8;
default_type text/html;
add_header Vary "Accept-Encoding, Cookie";
add_header Content-Encoding gzip;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location / {
if (-f $request_filename) {
break;
}
set $w3tc_rewrite 1;
if ($request_method = POST) { set $w3tc_rewrite 0; }
if ($query_string != "") { set $w3tc_rewrite 0; }
set $w3tc_rewrite2 1;
if ($request_uri !~ \/$) { set $w3tc_rewrite2 0; }
if ($request_uri ~* "(sitemap(_index)?\.xml(\.gz)?|[a-z0-9_\-]+-sitemap([0-9]+)?\.xml(\.gz)?)") { set $w3tc_rewrite2 1; }
if ($w3tc_rewrite2 != 1) { set $w3tc_rewrite 0; }
if ($http_cookie ~* "(comment_author|wp\-postpass|wordpress_\[a\-f0\-9\]\+|wordpress_logged_in)") { set $w3tc_rewrite 0; }
if ($http_user_agent ~* "(W3\ Total\ Cache/0\.9\.2\.4)") { set $w3tc_rewrite 0; }
set $w3tc_ua "";
set $w3tc_ref "";
set $w3tc_ssl "";
set $w3tc_enc "";
if ($http_accept_encoding ~ gzip) { set $w3tc_enc _gzip; }
set $w3tc_ext "";
if (-f "$document_root/wp-content/cache/page_enhanced/$host/$request_uri/_index$w3tc_ua$w3tc_ref$w3tc_ssl.html$w3tc_enc") {
set $w3tc_ext .html;
}
if ($w3tc_ext = "") { set $w3tc_rewrite 0; }
if ($w3tc_rewrite = 1) {
rewrite ^ "/wp-content/cache/page_enhanced/$host/$request_uri/_index$w3tc_ua$w3tc_ref$w3tc_ssl$w3tc_ext$w3tc_enc" last;
}
if (!-e $request_filename) {
rewrite ^ /index.php last;
}
}
location /search { limit_req zone=kbeezieone burst=3 nodelay; rewrite ^ /index.php; }
fastcgi_intercept_errors off;
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
include php.conf;
# You may want to remove the robots line from drop to use a virtual robots.txt
# or create a drop_wp.conf tailored to the needs of the wordpress configuration
include drop.conf;
}
WordPress w/ WP Supercache (Full-On mode)
server {
listen 80;
server_name example.com www.example.com;
root /usr/local/www/example.com;
access_log /var/log/nginx/example.access.log;
error_log /var/log/nginx/example.error.log;
location / {
# This line when enabled will use Nginx's gzip static module
gzip_static on;
# Disables serving gzip content to IE 6 or below
gzip_disable "MSIE [1-6]\.";
# Sets the default type to text/html so that gzipped content is served
# as html, instead of raw uninterpreted data.
default_type text/html;
# does the requested file exist exactly as it is? if yes, serve it and stop here
if (-f $request_filename) { break; }
# sets some variables to help test for the existence of a cached copy of the request
set $supercache_file '';
set $supercache_uri $request_uri;
# IF the request is a post, has a query attached, or a cookie
# then don't serve the cache (ie: users logged in, or posting comments)
if ($request_method = POST) { set $supercache_uri ''; }
if ($query_string) { set $supercache_uri ''; }
if ($http_cookie ~* "comment_author_|wordpress|wp-postpass_" ) {
set $supercache_uri '';
}
# if the supercache_uri variable hasn't been blanked by this point, attempt
# to set the name of the destination to the possible cache file
if ($supercache_uri ~ ^(.+)$) {
set $supercache_file /wp-content/cache/supercache/$http_host/$1index.html;
}
# If a cache file of that name exists, serve it directly
if (-f $document_root$supercache_file) { rewrite ^ $supercache_file break; }
# Otherwise send the request back to index.php for further processing
if (!-e $request_filename) { rewrite ^ /index.php last; }
}
location /search { limit_req zone=kbeezieone burst=3 nodelay; rewrite ^ /index.php; }
fastcgi_intercept_errors off;
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
include php.conf;
# You may want to remove the robots line from drop to use a virtual robots.txt
# or create a drop_wp.conf tailored to the needs of the wordpress configuration
include drop.conf;
}
Nibbleblog 3.4.1+ with Pretty URLs enabled
If you’re using NibbleBlog ( http://nibbleblog.com ), the following basic configuration works with version 3.4.1, and 3.4.1 Markdown.
server {
listen 80;
root /usr/local/www/example.com;;
server_name example.com www.example.com;
# access log turned off for speed
access_log off;
error_log /var/log/nginx/domain.error.log;
# main location block
location / {
expires 7d;
try_files $uri $uri/ @rewrites;
}
# rewrite rules if file/folder did not exist
location @rewrites {
rewrite ^/dashboard$ /admin.php?controller=user&action=login last;
rewrite ^/feed /feed.php last;
rewrite ^/category/([^/]+)/page-([0-9]+)$ /index.php?controller=blog&action=view&category=$1&page=$2 last;
rewrite ^/category/([^/]+)/$ /index.php?controller=blog&action=view&category=$1&page=0 last;
rewrite ^/page-([0-9]+)$ /index.php?controller=blog&action=view&page=$1 last;
}
# location catch for /post-#/Post_Title
# will also catch odd instances of /post-#/something.php
location ~ ^/post-([0-9]+)/ {
rewrite ^ /index.php?controller=post&action=view&id_post=$1 last;
}
# cache control for static files
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
include drop.conf;
include php.conf;
}
Drupal 6+
From http://wiki.nginx.org/Drupal with some changes
server {
listen 80;
server_name example.com www.example.com;
root /usr/local/www/example.com;
access_log /var/log/nginx/example.access.log;
error_log /var/log/nginx/example.error.log;
# This matters if you use drush
location = /backup {
deny all;
}
# Very rarely should these ever be accessed outside of your lan
location ~* \.(txt|log)$ {
allow 192.168.0.0/16;
deny all;
}
location ~ \..*/.*\.php$ { return 403; }
location / {
# This is cool because no php is touched for static content
try_files $uri @rewrite;
}
location @rewrite {
# Some modules enforce no slash (/) at the end of the URL
# Else this rewrite block wouldn't be needed (GlobalRedirect)
rewrite ^/(.*)$ /index.php?q=$1;
}
# Fighting with ImageCache? This little gem is amazing.
location ~ ^/sites/.*/files/imagecache/ {
try_files $uri @rewrite;
}
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
log_not_found off;
}
include php.conf;
# You may want to remove the robots line from drop to use a virtual robots.txt
# or create a drop_wp.conf tailored to the needs of the wordpress configuration
include drop.conf;
}
Static with an Apache (for dynamic) Backend
server {
listen 80;
server_name example.com www.example.com;
root /usr/local/www/example.com;
access_log /var/log/nginx/example.access.log;
error_log /var/log/nginx/example.error.log;
location / {
# Rewrite rules can go here
}
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location ~ \.php {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
include drop.conf;
}