Luc Shelton

NGINX: Default Server Configurations

NGINX: Default Server Configurations

NGINX: Default Server Configurations

NGINX: Default Server Configurations

Updated 3 years ago
8 Minute(s) to read
Posted 3 years ago Updated 3 years ago 8 Minute(s) to read 644 comments

I recently encountered a critical issue when configuring my NGINX server (that serves this website), when I had multiple (unrelated) domain names configured to point to the same virtual private server (VPS). The problem was that only one set were meant to be in use (such as loveduckie.*). Unfortunately, this then meant that the remaining domain names (the ones intended to be left unused) were erroneously pointing to my portfolio website when they should not have been. This is can be particularly problematic, because Google can severely relegate the search ranking for your website, if it deems it not to be the "canonical" version of it.

What this means exactly is that there could be two completely separate and unrelated domain names pointing to the same page or content, but because Google considers the wrong one to be the "one true source", it then defines it as the canonical version which is not our intention. I don't want an unrelated domain name to become the "canonical" source for my portfolio!

To fix this, I produced a NGINX configuration that ensured that any time the unused set of domains were visited, they would be redirected to a default error landing page (much like you would expect when navigating to a HTTP 404). This means that subsequent crawls from Google will be able to determine a difference between my portfolio's domain names, and the ones that are considered to be unrelated.

The error pages look a little something like this.

The default landing page that is presented to viewers when they navigate to the wrong domain name.

The default landing page that is presented to viewers when they navigate to the wrong domain name.

And of course, there are custom error pages depending on the HTTP status code that is being returned.

The error page that is served to the user when the HTTP 404 error code is returned.

The error page that is served to the user when the HTTP 404 error code is returned.

Aside from the overkill templating of the error pages with Bootstrap, there's nothing particularly fancy about this so far.


NGINX Configuration

Configuring your NGINX server is pretty straight forward, and only relies on you needing to use a particular set of keywords that NGINX parses when reading your configuration files. To begin with, you are going to want to create a new server configuration file called default.conf. The name of the configuration file is largely irrelevant, as your NGINX server should be configured to read all configuration files under a certain directory. For instance, your default nginx.conf configuration file should contain a statement such as include /etc/nginx/conf.d/*.conf so that it can read all configuration files (that presumably have server blocks) and load your virtual servers accordingly.

server 
{
    listen  80 default_server;
    listen  [::]:80 default_server;
    listen  443 ssl default_server;
    listen  [::]:443 ssl default_server;
    server_name_in_redirect off;
    server_name  default_server;
}

So far, so good. All this server block is ensuring that it is binding itself to both port 80 and 443, which are used for HTTP and HTTPS traffic. You'll also note the usage of "default_server", which basically tells NGINX that if the domain name does not have a server block configuration available for it on the server, then simply make use of this "default" server block configuration instead.

There's a few other things going on here as well.

  • server_name_in_redirect off; basically states that there doesn't need to be a match between the host name defined in the HTTP request Host header and the server_name configuration value in order for the our default configuration to be considered a valid match.
  • server_tokens off; is not strictly related to this article, but basically states that the HTTP response mustn't specify that this was served by NGINX (i.e. Server HTTP header).

Handling Specific HTTP Errors

In the instance that someone navigates to a page that does not exist or cannot be served by any of the "server block" configurations loaded by NGINX, you will likely want to redirect them to a 40x or 50x error status page. Configuring page redirects for both range of error codes is straight forward.

server 
{

    ...

    root   /var/www/default;
    index  index.html index.htm;

    location ~* ^.+ {
        try_files $uri $uri/ =404;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    error_page 404 /404.html;
    error_page 403 /403.html;
    location = /404.html {
        root   /var/www/default;
    }
    
    error_page  500 502 503 504 /500.html;
    location = /500.html {
        root   /var/www/default;
    }

    ...

}

In the example above, I set the root directory to /var/www/default which is the path I am using for storing static page files for my error pages in my NGINX Docker container (as shown in the screenshots above). If you are building a NGINX service from a Docker image, you will want to make sure that the path exists, and that there are static files that you can serve from the path.

Handling SSL Traffic

Next, you are going to want to make sure that you have some kind of SSL certificate that you can use for serving HTTPS traffic. Unless you actually have a valid HTTPS certificate for the traffic that you are intending on redirecting, you will want to create your own self-signed one using the available SSL command-line tooling.

Installing Dependencies for SSL in Docker (Optional)

If you are using the Alpine Linux variant of the NGINX Docker image (nginx:stable-alpine for example), you must ensure that you've installed the required dependencies through the Alpine Linux package manager.

RUN apk add --no-cache openssl

And then you will want to generate your own self-signed certificate, and then store it somewhere appropriate in the filesystem for the Docker container.

RUN openssl req -new -x509 -nodes -days 365 -newkey rsa:4096 -extensions 'v3_req' \
        -keyout /etc/nginx/ssl-default/default-privkey.pem \
        -out /etc/nginx/ssl-default/default-fullchain.pem \
        -config /etc/nginx/openssl-gen.cnf > /dev/null 2>&1

You'll note that this command-line expression is referring to a configuration file that is located at /etc/nginx/openssl-gen.cnf. This is a custom configuration file that I've copied into the Docker image from a previous COPY statement. The path can be changed with wherever you decide to copy this configuration file to inside your Docker container. The configuration file looks little something like this...

[req]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
name = Your Name Goes Here
countryName= Your Country Name Goes Here
stateOrProvinceName = Your State or Province Name Goes Here
emailAddress = Your Email Address Goes Here
localityName = London
organizationalUnitName = Your Name Goes Here
commonName = localhost

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1

Nothing too fancy, and it doesn't necessarily need to have the SAN (subject alternate names) definitions for the unsupported domain names that you intend on redirecting to your default landing pages. Of course, because it is a self-signed certificate (i.e. a certificate signed using your own created certificate authority), you should assume that this will throw HTTPS errors should people navigate to the domain through HTTPS.

Testing Configuration Changes

Ensure that you've tested your changes before restarting your Docker container, or reloading your configuration file.

#!/bin/bash
nginx -t

And then reload your configuration if the response is without errors.

#!/bin/bash
nginx -s reload

Alternatively, if you are running NGINX from a Docker container, you can do it from the command-line (outside of the container) using a command similar to this.

#!/bin/bash
docker exec -it your-nginx-container-name-goes-here nginx -s reload

Conclusion

Use a default configuration to prevent there being "search result collisions" between two unrelated domain names that target the same host.

I hope you found this useful. There is another approach to this, and that is to adjust the firewall configuration for your virtual private server, so that all traffic to that particular host (read: domain) name is rejected. This is largely contingent on what Linux operating system you are using, and is arguably not as convenient as managing it at container-level (i.e. from the NGINX instance itself).

You can find the complete NGINX configuration snippet for everything discussed in this article, in this Gist on GitHub.


Complete NGINX Configuration

server 
{
    listen  80 default_server;
    listen  [::]:80 default_server;
    listen  443 ssl default_server;
    listen  [::]:443 ssl default_server;
    server_name_in_redirect off;
    server_name  default_server;
    server_tokens off;

    charset utf-8;

    access_log  /var/log/nginx/host.access.log  main;
    error_log  /var/log/nginx/host.error.log  warn;

    ssl_certificate /etc/nginx/ssl-default/default-fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl-default/default-privkey.pem;

    root   /var/www/default;
    index  index.html index.htm;

    location ~* ^.+ 
    {
        try_files $uri $uri/ =404;
    }

    location / 
    {
        try_files $uri $uri/ =404;
    }

    error_page 404 /404.html;
    error_page 403 /403.html;
    location = /404.html 
    {
        root   /var/www/default;
    }

    error_page  500 502 503 504 /500.html;
    location = /500.html 
    {
        root   /var/www/default;
    }
}

Useful Reading

Find below some other useful links that I found when trying to troubleshoot my woes.

I hope you found this useful. Feel free to get in touch if you require any help!


Programming Languages:

Dockerfile

Technologies:

NGINX Docker


Comments

Comments

vavada в сети казино - функционирующее зеркалка

<a href=https://www.goldenplus.com>jili slot</a>
Easy Lang Manalo Dito guys
Legit paying apps payout thru Gcash meron po !

Free ?60 Pesos For Newmemeber!
<a href="https://dradams.net/blog/what-are-the-best-plastic-surgery-combinations/#comment-135618">jili slot</a> 12d8c7d

El american sharpei he belongs to the smaller line, thicker and with increasingly articulated wrinkles, despite having
a thicker gag and longer hair. He is something but a weak canine, even though he might look like one because of his wrinkled pores and skin image.
For this, they despatched some duplicates to the United States because of the trade of letters between one in every of their deliverymen, Matgo Lawe, and the supervisor of Canine magazine, Marjorie
Farnsworth. Animals will be educated from very younger, and it's a
reality that there are particular canines which have certain attributes
included into their genetics which might be manifest through the years and the preparation they obtain, however, domestication is one
thing that can be apply to one of these canine, without complications and problems.

This variety, like most Chinese canine species, experienced an exceptionally troublesome time when the
communists took energy in the course of the 1940s. From then on, home
canines were seen as an extravagance, and thus it was declared that the canines were to be consumed as food.

By a cooperative agreement with NASA, the Professional and Citizen Assessment
of Science and Expertise (ECAST) network conducted a pTA-based mostly forum on NASA's Asteroid Initiative and the Journey to Mars.
Participatory know-how evaluation (pTA) is a technique that goals to
understand public preferences and values in order to tell upstream government choice-making.

And it is even more difficult and rare to contemplate public views prior to really growing a mission. Public support and
interest are wanted to design an ambitious human spaceflight program.

Implications of the findings presented listed here are invaluable
not just for the long run exploration and settlement of
Mars however other solar system bodies the
place human activity could also be an eventual actuality.
Finally, we argue that the human-marine frontier should be
a direct steppingstone for future exploration, innovation and discovery.
On the one aspect, it may be assumed that the very likely
scenario is a repetition of conflict model that was characteristic of the area race during the Chilly Conflict.

Taking on her new function, Kansan's morning tasks at the lodge also included clearing the
desk after French company Veronique Gandon and Herve Tisserand finished breakfast.
Gandon said they were unaware of the community venture after they
made their reservation, but have been glad to see it. Mahera Nassar Ghareeb, the community chief of Maan lil-Hayat, an organisation which supports
Palestinians with mental disabilities. Showcasing their abilities on the hotel is intended to make Palestinians with disabilities more seen and overhaul perceptions
inside the group. Maan lil-Hayat (Collectively for all times), which was founded in 2009,
is simply weeks into its hotel enterprise in a restored nineteenth century house.
Antonio De Benedetto, the founder of Albergo Etico, said his team "lead them to their unbiased life" by giving employees a large number of abilities equivalent
to cooking. Maan also approached the Italian organisation Albergo Etico which
runs multiple resorts with disabled employees.


buy cc with high balance Good validity rate Sell Make good job for MMO Pay on website activate your card now for worldwide transactions.


-------------CONTACT-----------------------
WEBSITE : >>>>>> https://www.amazon.com/dp/B0BKKN6G2R✶ Shop

----- HERE COMES THE PRICE LIST -----------
***** CCV US:
- US MASTER CARD = $2,4 per 1 (buy >5 with price $3 per 1).

- US VISA CARD = $2,2 per 1 (buy >5 with price $2.5 per 1).


- US AMEX CARD = $2,2 per 1 (buy >5 with price $2.5 per 1).

- US DISCOVER CARD = $3,8 per 1 (buy >5 with price $3.5 per 1).

- US CARD WITH DOB = $15 per 1 (buy >5 with price $12 per 1).

- US FULLZ INFO = $40 per 1 (buy >10 with price $30 per 1).

***** CCV UK:
- UK CARD NORMAL = $3,3 per 1 (buy >5 with
price $3 per 1).
- UK MASTER CARD = $2,4 per 1 (buy >5 with price $2.5 per 1).

- UK VISA CARD = $3,2 per 1 (buy >5 with
price $2.5 per 1).
- UK AMEX CARD = $3 per 1 (buy >5 with price $4 per 1).
$5,9


- UK CARD WITH DOB = $15 per 1 (buy >5 with price $14 per 1).

- UK WITH BIN = $10 per 1 (buy >5 with price $9
per 1).
- UK WITH BIN WITH DOB = $25 per 1 (buy >20 with
price $22 per 1).
- UK FULLZ INFO = $40 per 1 (buy >10 with price $35 per 1).

***** CCV AU:
- AU MASTER CARD = $5.5 per 1 (buy >5 with price $5 per 1).

- AU VISA CARD = $5.5 per 1 (buy >5 with price $5 per 1).

- AU AMEX CARD = $8.5 per 1 (buy >5 with price $8 per 1).


- AU DISCOVER CARD = $8.5 per 1 (buy >5 with price $8
per 1).
***** CCV CA:
- CA MASTER CARD = $6 per 1 (buy >5 with price $5 per 1).

- CA VISA CARD = $6 per 1 (buy >5 with price $5 per 1).


- CA VISA BUSINESS = $14 per 1 (buy >5 with price $13 per 1).

The system will continually be updated by way of the invoxia application and they will continuously be creating new companies.
The AudiOffice will sell for $299 -- fairly dear for what's essentially
an iDevice dock -- however that is nonetheless way more inexpensive than the $599 the NVX 610 is fetching.
This provides the impression that all of the contributors
on the decision appear to be seated at the identical desk: conversations are simpler to observe, less
exacting, more targeted on the essentials. Right here, your sweet telephony comes courtesy of your iPhone, whereas Invoxia's hardware
is mainly there to reinforce the decision high
quality, with the assistance of four huge-bandwidth audio system and two
digital microphones. An additional advantage of invoxia's revolutionary know-how
allows the consumer to hearken to music or podcasts within the workplace by providing sound
spacialization: a novel sensation which feels
just like the particular person is standing in the course of the orchestra.
The invoxia software - available free from Apple's App Retailer - is designed to maximise
person expertise, by offering software updates
and allow invoxia to offer seamlessly new functionalities.

A teaser poster was released on June 16, 2022, and a second trailer was released on July 21, 2022.

In the uncommon moments where Pugh has talked concerning
the movie, she seemed to contradict Wilde’s feedback.