<div align="center"> <h1>Nginx Admin's Handbook</h1> </div> <div align="center"> <b><code>My notes on NGINX administration basics, tips & tricks, caveats, and gotchas.</code></b> </div> <br> <p align="center"> <a href="https://www.hostingadvice.com/how-to/nginx-vs-apache/"> <img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/nginx_meme.png" alt="Meme"> </a> </p> <br> <p align="center"> <sup> <i> Hi-diddle-diddle, he played on his<br> fiddle and danced with lady pigs.<br> Number three said, "Nicks on tricks!<br> I'll build my house with <b>EN-jin-EKS</b>!".<br> <a href="https://g.co/kgs/HCcQVz">The Three Little Pigs: Who's Afraid of the Big Bad Wolf?</a> </i> </sup> </p> <br> <p align="center"> <a href="https://github.com/trimstray/nginx-admins-handbook/pulls"> <img src="https://img.shields.io/badge/PRs-welcome-brightgreen.svg?longCache=true" alt="Pull Requests"> </a> <a href="LICENSE.md"> <img src="https://img.shields.io/badge/License-MIT-lightgrey.svg?longCache=true" alt="MIT License"> </a> </p> <br>

Table of Contents

<details> <summary><b>Other chapters</b></summary><br> </details>

Introduction

<br> <p align="center"> <a href="https://www.nginx.com/"> <img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/nginx_admins_handbook_logo.png"> </a> </p> <br>

Before you start playing with NGINX please read an official Beginner’s Guide. It's a great introduction for everyone.

Nginx (/ˌɛndʒɪnˈɛks/ EN-jin-EKS, stylized as NGINX or nginx) is an open source HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server with a strong focus on high concurrency, performance and low memory usage. It was originally written by Igor Sysoev.

For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. At this moment some high-profile companies using NGINX include Cisco, DuckDuckGo, Facebook, GitLab, Google, Twitter, Apple, Intel, and many more. In September 2019 it was the most commonly used HTTP server (see Netcraft survey).

NGINX is a fast, light-weight and powerful web server that can also be used as a:

So, to be brief, it provides the core of complete web stacks and is designed to help build scalable web applications. When it comes to performance, NGINX can easily handle a huge amount of traffic. The other main advantage of NGINX is that it allows you to do the same thing in different ways.

Unlike traditional HTTP servers, NGINX doesn't rely on threads to handle requests and it was written with a different architecture in mind - one which is much more suitable for nonlinear scalability in both the number of simultaneous connections and requests per second.

NGINX is also known as an Apache Killer (mainly because of its lightness and much lower RAM consumption). It is event-based, so it does not follow Apache's style of spawning new processes or threads for each web page request. Generally, it was created to solve the C10K problem.

For me, it is one of the best and most important services I have used in my SysAdmin career.


These essential documents should be the main source of knowledge for you:

In addition, I would like to recommend three great docs that focus on the concept of the HTTP protocol:

If you love security keep your eye on this one: Cryptology ePrint Archive. It provides access to recent research in cryptology and explores many subjects of security (e.g. ciphers, algorithms, SSL/TLS protocols). A great introduction that covers core concepts of cryptography is Practical Cryptography for Developers. I also recommend reading Bulletproof SSL and TLS. Yep, for me it's definitely the most comprehensive book about deploying TLS.

An obligatory source of knowledge is also the OWASP Cheat Sheet Series. You ought to treat it as excellent security guidance. Burp Scanner - Issue Definitions introduces you to web apps and their security vulnerabilities. Finally, The Web Security Academy is a free online training center for web application security with high-quality reading materials and interactive labs of varying levels of difficulty. All are really good sources to start learning about web application security.

And, of course, always browse the official Nginx Security Advisories and CVE databases like CVE Details or CVE - The MITRE Corporation - to stay up to date on NGINX vulnerabilities.

Prologue

When I was studying the architecture of HTTP servers I became interested in NGINX. As I was going through research, I kept notes. I found a lot of information about it, e.g. forum posts on the web about every conceivable problem were great. However, I never found one guide that covers the most important things in a suitable form. I was a little disappointed.

I was interested in everything: NGINX internals, functions, security best practices, performance optimisations, tips & tricks, hacks and rules, but for me some of the documents treated the subject lightly.

Of course, NGINX Official Documentation is the best place but I know that we also have other great resources:

These are definitely the best assets for us and in the first place you should seek help there. Moreover, in order to improve your knowledge, please see Books chapter - it contains top literature on NGINX.

Why I created this handbook

For me, however, there hasn't been a truly in-depth and reasonably simple cheatsheet which describes a variety of configurations and important cross-cutting topics for HTTP servers. Configuration of NGINX can be tricky sometimes and you really need to get into the syntax and concepts to get an understanding of the tricks, loopholes, and mechanisms. The documentation isn't as pretty as that of other projects and should certainly include more robust examples.

This handbook is a set of rules and recommendations for the NGINX Open Source HTTP server. It also contains the best practices, notes, and helpers with countless examples. Many of them refer to external resources.

There are a lot of things you can do to improve your NGINX instance and this guide will attempt to cover as many of them as possible. For the most part, it contains the most important things about NGINX for me. I think the configuration you provide should work without any talisman. That's why I created this repository.

With this handbook you will explore the many features and capabilities of NGINX. You'll find out, for example, how to test the performance or how to resolve debugging problems. You will learn configuration guidelines, security design patterns, ways to handle common issues and how to stay out of them. I explain here a few of the best tips to avoid pitfalls and configuration mistakes.

I have also added a set of guidelines and examples to help you administer NGINX. They also give insight into NGINX internals.

Mostly, I apply the rules presented here to NGINX working as a reverse proxy. However, that does not prevent them from being implemented for NGINX as a standalone server.

Who this handbook is for

If you do not have the time to read hundreds of articles (just like me) this multipurpose handbook may be useful. I created it in the hope that it will be useful especially for System Administrators and experts in web-based applications.

This handbook does not get into all aspects of NGINX. What's more, some of the things described in this guide may be rather basic because most of us do not configure NGINX every day and it is easy to forget about basic/trivial things. On the other hand, it also discusses heavyweight topics so there is something for advanced users. I tried to put external resources in many places in this handbook in order to dispel any suspicion that may exist.

I did my best to make this handbook a single and consistent whole (but now I know that is really hard). It's organized in an order that makes logical sense to me. I think it can also be a good complement to the official documentation and other great documents. Many of the topics described here can certainly be done better or differently. Of course, I still have a lot to improve and to do. I hope you enjoy and have fun with it.

Do not treat this handbook and the notes written here as revealed knowledge. You should take a scientific approach when reading this document. If you have any doubts and disagree with me, please point out my mistakes. You should discover cause and effect relationships by asking questions, carefully gathering and examining the evidence, and seeing if all the available information can be combined into a logical answer.

I created this handbook for one more reason. Rather than starting from scratch, I am putting together a plan for answering your questions to help you find the best way to do things and ensure that you don't repeat my mistakes from the past.

So, what's most important:

Finally, you should know I'm not an NGINX expert but I love to know how stuff works and why things work the way they do. I'm not a crypto expert... but I do know the term "elliptic curve" (I really like this quote!). You don't need to be an expert to figure out the reason you used this and not that, or why something works this way and not another. It feels good to understand the recommendations and nuances of a topic you're passionate about.

Before you start

Remember about the following most important things:

Blindly deploying the rules described here can damage your web application!

Do not follow guides just to get 100% of something. Think about what you actually do at your server!

Copy-and-paste is not the best way to learn. Think twice before adopting rules from this handbook.

There are no settings that are perfect for everyone.

Always think about what is better and more important for you: security vs usability/compatibility.

Security mainly means minimising risk.

Changing one thing may open a whole new set of problems.

Read about how things work and what values are considered secure enough (and for what purposes).

The only correct approach is to understand your exposure, measure and tune.

+ Security is important for ethical reasons. Compliance is important for legal reasons.
+ The key to workplace contentment is understanding they are unrelated to each other.
+ Both are important, but one does not lead to the other (compliance != security).
author: unknown

+ Security is always needed, no matter what type of website it is. It can be static HTML
+ or fully dynamic, an attacker can still inject hostile content into the page in transit
+ to attack the user.
author: Scott Helme

+ Don’t enable older deprecated protocols just because Karen in Florida is still using
+ a PC that she bought back in 2001.
author: thisinterestsmeblog

I think, in the age of phishing, cyber attacks, ransomware, etc., you should take care of security of your infrastructure as hard as possible but don't ever forget about this one...

<br> <p align="center"> <img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/crypto_nerds.png"> </p>

Lastly, I would like to quote two very important comments found on the web about compliance with the standards and regulations, and essence of a human factor in security:

Regulations that make sense are often not descriptive - capturing the intent and scope of a rule often requires technical expertise. More than that, it's the type of expertise most organisations do not have. And instead of improving themselves, these companies, who may form the grand majority of the industry, petition the regulators to provide a safe checklist of technical mitigations that can be implemented to remain compliant. [...] Instead of doing the right thing and meeting the planned intent, companies are instead ticking nonsensical boxes that the regulators and their auditors demand. Blindly. Mindlessly. Divorced from reality. - by bostik

Whenever considering security, the human factor is nearly always as important or more important than just the technical aspects. Policy and procedures need to consider the human element and try to ensure that these policies and procedures are structured in such a way as to help enable staff to do the right thing, even when they may not fully understand why they need to do it. - by Tim X

Contributing & Support

A real community, however, exists only when its members interact in a meaningful way that deepens their understanding of each other and leads to learning.

If you find something which doesn't make sense, or something doesn't seem right, please make a pull request and please add valid and well-reasoned explanations about your changes or comments.

Before adding a pull request, please see the contributing guidelines.

Code Contributors

This project exists thanks to all the people who contribute.

<a href="https://github.com/trimstray/nginx-admins-handbook/graphs/contributors"><img src="https://opencollective.com/nginx-admins-handbook/contributors.svg?width=890&button=false"></a>

ToDo

What needs to be done? Look at the following ToDo list:

New chapters:

Existing chapters:

<details> <summary><b>Introduction</b></summary><br> </details> <details> <summary><b>Bonus Stuff</b></summary><br> </details> <details> <summary><b>Books</b></summary><br> </details> <details> <summary><b>External Resources</b></summary><br> </details> <details> <summary><b>HTTP Basics</b></summary><br> </details> <details> <summary><b>SSL/TLS Basics</b></summary><br> </details> <details> <summary><b>NGINX Basics</b></summary><br> </details> <details> <summary><b>Helpers</b></summary><br> </details> <details> <summary><b>Base Rules</b></summary><br> </details> <details> <summary><b>Debugging</b></summary><br> </details> <details> <summary><b>Performance</b></summary><br> </details> <details> <summary><b>Hardening</b></summary><br> </details> <details> <summary><b>Reverse Proxy</b></summary><br> </details> <details> <summary><b>Others</b></summary><br> </details>

If you have any idea, send it back to me or add a pull request.

RSS Feed & Updates

GitHub exposes an RSS/Atom feed of the commits, which may also be useful if you want to be kept informed about all changes.

Checklist to rule them all

This checklist was the primary aim of the nginx-admins-handbook. It contains a set of best practices and recommendations on how to configure and maintain the NGINX properly.

This checklist contains all rules (79) from this handbook.

Generally, I think that each of these principles is important and should be considered. I separated them into four levels of priority to help guide your decision.

| PRIORITY | NAME | AMOUNT | DESCRIPTION |
| --- | --- | --- | --- |
| high | critical | 33 | definitely use this rule, otherwise it introduces high risks to your NGINX security, performance, and other areas |
| medium | major | 26 | it's also very important but not critical, and should still be addressed at the earliest possible opportunity |
| low | normal | 12 | there is no need to implement it, but it is worth considering because it can improve how NGINX works and functions |
| info | minor | 8 | an option to implement or use (not required) |

Remember, these are only guidelines. My point of view may be different from yours so if you feel these priority levels do not reflect your configurations commitment to security, performance or whatever else, you should adjust them as you see fit.

| RULE | CHAPTER | PRIORITY |
| --- | --- | --- |
| Define the listen directives with address:port pair<br><sup>Prevents soft mistakes which may be difficult to debug.</sup> | Base Rules | high |
| Prevent processing requests with undefined server names<br><sup>It protects against configuration errors, e.g. traffic forwarding to incorrect backends.</sup> | Base Rules | high |
| Never use a hostname in a listen or upstream directives<br><sup>While this may work, it comes with a large number of issues.</sup> | Base Rules | high |
| Set the HTTP headers with add_header and proxy_*_header directives properly<br><sup>Set the right security headers for all contexts.</sup> | Base Rules | high |
| Configure log rotation policy<br><sup>Save yourself trouble with your web server: configure an appropriate logging policy.</sup> | Base Rules | high |
| Use simple custom error pages<br><sup>Default error pages reveal information, which leads to an information leakage vulnerability.</sup> | Base Rules | high |
| Use HTTP/2<br><sup>HTTP/2 will make our applications faster, simpler, and more robust.</sup> | Performance | high |
| Always keep NGINX up-to-date<br><sup>Use the newest NGINX package to fix vulnerabilities, bugs, and to use new features.</sup> | Hardening | high |
| Run as an unprivileged user<br><sup>Use the principle of least privilege. This way only the master process runs as root.</sup> | Hardening | high |
| Protect sensitive resources<br><sup>Hidden directories and files should never be web accessible.</sup> | Hardening | high |
| Take care about your ACL rules<br><sup>Test your access-control lists to stay secure.</sup> | Hardening | high |
| Hide upstream proxy headers<br><sup>Don't expose what version of software is running on the server.</sup> | Hardening | high |
| Remove support for legacy and risky HTTP request headers<br><sup>Support for the offending headers should be removed.</sup> | Hardening | high |
| Force all connections over TLS<br><sup>Protects your website when handling sensitive communications.</sup> | Hardening | high |
| Use min. 2048-bit for RSA and 256-bit for ECC<br><sup>2048 bit (RSA) or 256 bit (ECC) keys are sufficient for commercial use.</sup> | Hardening | high |
| Keep only TLS 1.3 and TLS 1.2<br><sup>Use TLS with modern cryptographic algorithms and without protocol weaknesses.</sup> | Hardening | high |
| Use only strong ciphers<br><sup>Use only strong and not vulnerable cipher suites.</sup> | Hardening | high |
| Use more secure ECDH Curve<br><sup>Use ECDH curves according to NIST recommendations.</sup> | Hardening | high |
| Use strong Key Exchange with Perfect Forward Secrecy<br><sup>Establishes a shared secret between two parties that can be used for secret communication.</sup> | Hardening | high |
| Defend against the BEAST attack<br><sup>The server ciphers should be preferred over the client ciphers.</sup> | Hardening | high |
| Enable HTTP Strict Transport Security<br><sup>Tells browsers that the site should only be accessed using HTTPS, instead of HTTP.</sup> | Hardening | high |
| Reduce XSS risks (Content-Security-Policy)<br><sup>CSP is best used as defence-in-depth. It reduces the harm that a malicious injection can cause.</sup> | Hardening | high |
| Control the behaviour of the Referer header (Referrer-Policy)<br><sup>The default behaviour of referrer leaking puts websites at risk of privacy and security breaches.</sup> | Hardening | high |
| Provide clickjacking protection (X-Frame-Options)<br><sup>Defends against clickjacking attacks.</sup> | Hardening | high |
| Prevent some categories of XSS attacks (X-XSS-Protection)<br><sup>Prevents rendering of pages if a potential XSS reflection attack is detected.</sup> | Hardening | high |
| Prevent Sniff Mimetype middleware (X-Content-Type-Options)<br><sup>Tells browsers not to sniff MIME types.</sup> | Hardening | high |
| Reject unsafe HTTP methods<br><sup>Only allow the HTTP methods for which you, in fact, provide services.</sup> | Hardening | high |
| Prevent caching of sensitive data<br><sup>It helps to prevent critical data (e.g. credit card details, or username) from being leaked.</sup> | Hardening | high |
| Limit concurrent connections<br><sup>Limit concurrent connections to prevent rogue clients from repeatedly connecting to and monopolizing NGINX.</sup> | Hardening | high |
| Use pass directive compatible with backend protocol<br><sup>Set the pass directive only to work with a compatible backend layer protocol.</sup> | Reverse Proxy | high |
| Set proper values of the X-Forwarded-For header<br><sup>Identify clients communicating with servers located behind the proxy.</sup> | Reverse Proxy | high |
| Don't use X-Forwarded-Proto with $scheme behind reverse proxy<br><sup>Prevents passing an incorrect value of this header.</sup> | Reverse Proxy | high |
| Always use $request_uri instead of $uri in proxy_pass<br><sup>You should always pass the unchanged URI to the backend layer.</sup> | Reverse Proxy | high |
| Organising Nginx configuration<br><sup>Well organised code is easier to understand and maintain.</sup> | Base Rules | medium |
| Format, prettify and indent your Nginx code<br><sup>Formatted code is easier to maintain, debug, and can be read and understood in a short amount of time.</sup> | Base Rules | medium |
| Use reload option to change configurations on the fly<br><sup>Graceful reload of the configuration without stopping the server and dropping any packets.</sup> | Base Rules | medium |
| Use return directive for URL redirection (301, 302)<br><sup>By far the simplest and fastest, because there is no regexp that has to be evaluated.</sup> | Base Rules | medium |
| Maintaining SSL sessions<br><sup>Improves performance from the clients' perspective.</sup> | Performance | medium |
| Enable OCSP Stapling<br><sup>Enable to reduce the cost of an OCSP validation.</sup> | Performance | medium |
| Use exact names in a server_name directive if possible<br><sup>Helps speed up searching using exact names.</sup> | Performance | medium |
| Avoid checking server_name with the if directive<br><sup>It decreases NGINX processing requirements.</sup> | Performance | medium |
| Use $request_uri to avoid using regular expressions<br><sup>By default, the regex is costly and will slow down the performance.</sup> | Performance | medium |
| Use try_files directive to ensure a file exists<br><sup>Use it if you need to search for a file; it also saves duplication of code.</sup> | Performance | medium |
| Use return directive instead of rewrite for redirects<br><sup>The return directive gives a faster response than rewrite.</sup> | Performance | medium |
| Enable PCRE JIT to speed up processing of regular expressions<br><sup>NGINX with PCRE JIT is much faster than without it.</sup> | Performance | medium |
| Activate the cache for connections to upstream servers<br><sup>Nginx can now reuse its existing connections (keepalive) per upstream.</sup> | Performance | medium |
| Disable unnecessary modules<br><sup>Limits vulnerabilities, improves performance and memory efficiency.</sup> | Hardening | medium |
| Hide Nginx version number<br><sup>Don't disclose sensitive information about NGINX.</sup> | Hardening | medium |
| Hide Nginx server signature<br><sup>Don't disclose sensitive information about NGINX.</sup> | Hardening | medium |
| Use only the latest supported OpenSSL version<br><sup>Stay protected from SSL security threats and don't miss out on new features.</sup> | Hardening | medium |
| Prevent Replay Attacks on Zero Round-Trip Time<br><sup>0-RTT is disabled by default but you should know that enabling this option creates significant security risks.</sup> | Hardening | medium |
| Mitigation of CRIME/BREACH attacks<br><sup>Disable HTTP compression or compress only non-sensitive content.</sup> | Hardening | medium |
| Deny the use of browser features (Feature-Policy)<br><sup>A mechanism to allow and deny the use of browser features.</sup> | Hardening | medium |
| Control Buffer Overflow attacks<br><sup>Prevents errors characterised by the overwriting of memory fragments of the NGINX process.</sup> | Hardening | medium |
| Mitigating Slow HTTP DoS attacks (Closing Slow Connections)<br><sup>Prevents attacks in which the attacker sends HTTP requests in pieces slowly.</sup> | Hardening | medium |
| Set and pass Host header only with $host variable<br><sup>$host is the only variable guaranteed to have something sensible.</sup> | Reverse Proxy | medium |
| Always pass Host, X-Real-IP, and X-Forwarded headers to the backend<br><sup>It gives you more control of forwarded headers.</sup> | Reverse Proxy | medium |
| Set the certificate chain correctly<br><sup>Send the complete chain to the client.</sup> | Others | medium |
| Enable DNS CAA Policy<br><sup>Allows domain name holders to indicate to a CA whether it is authorized to issue digital certificates.</sup> | Others | medium |
| Separate listen directives for 80 and 443 ports<br><sup>Helps you maintain and modify your configuration.</sup> | Base Rules | low |
| Use only one SSL config for the listen directive<br><sup>Prevents multiple configurations on the same listening address.</sup> | Base Rules | low |
| Use geo/map modules instead of allow/deny<br><sup>Provides the perfect way to block invalid visitors.</sup> | Base Rules | low |
| Set global root directory for unmatched locations<br><sup>Specifies the root directory for undefined locations.</sup> | Base Rules | low |
| Don't duplicate index directive, use it only in the http block<br><sup>Watch out for duplicating the same rules.</sup> | Base Rules | low |
| Adjust worker processes<br><sup>You can adjust this value to maximum throughput under high concurrency.</sup> | Performance | low |
| Make an exact location match to speed up the selection process<br><sup>Exact location matches are often used to speed up the selection process.</sup> | Performance | low |
| Use limit_conn to improve limiting the download speed<br><sup>Limits NGINX download speed per connection.</sup> | Performance | low |
| Be careful with trailing slashes in proxy_pass directive<br><sup>An incorrect setting could end up with some strange URL.</sup> | Reverse Proxy | low |
| Use custom headers without X- prefix<br><sup>The use of custom headers with X- prefix is discouraged.</sup> | Reverse Proxy | low |
| Tweak passive health checks<br><sup>Improve behaviour of the passive health checks.</sup> | Load Balancing | low |
| Define security policies with security.txt<br><sup>Helps make things easier for companies and security researchers.</sup> | Others | low |
| Map all the things...<br><sup>The map module provides a more elegant solution for clearly parsing a big list of regexes.</sup> | Base Rules | info |
| Use custom log formats<br><sup>This is extremely helpful for debugging specific location directives.</sup> | Debugging | info |
| Use debug mode to track down unexpected behaviour<br><sup>There's probably more detail than you want, but that can sometimes be a lifesaver.</sup> | Debugging | info |
| Improve debugging by disabling the daemon, master process, and all workers except one<br><sup>This simplifies the debugging and lets you test configurations rapidly.</sup> | Debugging | info |
| Use core dumps to figure out why NGINX keeps crashing<br><sup>Enable core dumps when your NGINX instance receives an unexpected error or when it crashes.</sup> | Debugging | info |
| Use mirror module to copy requests to another backend<br><sup>Use mirroring for investigation and debugging of any original request.</sup> | Debugging | info |
| Don't disable backends by comments, use down parameter<br><sup>A good way to mark the server as permanently unavailable.</sup> | Load Balancing | info |
| Use tcpdump to diagnose and troubleshoot the HTTP issues<br><sup>Use tcpdump to monitor HTTP.</sup> | Others | info |

Bonus Stuff

You can find here a few of the different things I've worked and included to this repository. I hope that these extras will be useful.

Configuration reports

Many of these recipes have been applied to the configuration of my old private website.

An example configuration is in the configuration examples chapter. It's also based on this version of printable high-res hardening cheatsheets.

SSL Labs

Read about SSL Labs grading here (SSL Labs Grading 2018).

Short SSL Labs grades explanation:

A+ is clearly the desired grade, both A and B grades are acceptable and result in adequate commercial security. The B grade, in particular, may be applied to configurations designed to support very wide audiences (for old clients).

I finally got an A+ grade and the following scores:

Look also at the following recommendations. I believe the right configuration of NGINX should give the following SSL Labs scores and provide the best security for most cases:

<p align="center"> <img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/blkcipher_ssllabs_preview.png" alt="blkcipher_ssllabs_preview"> </p>

Something about SSL Labs grading mechanism (that's an interesting point of view):

The whole grading mechanism is more propaganda and public relations than actual security. If you want good security, then you must mind the details and understand how things work internally. If you want a good grade then you should do whatever it takes to have a good grade. An "A+" from SSL Labs is a very nifty thing to add at the end of a report, but it does not really equate with having rock solid security. Having an "A+" equates with being able to say "I have an A+". - from this answer by Tom Leek.

Mozilla Observatory

Read about Mozilla Observatory here and about Observatory Scoring Methodology.

I also got the highest summary note (A+) on the Observatory with a very high test score (120/100, max. 135/100):

<p align="center"> <img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/blkcipher_mozilla_observatory_preview.png" alt="blkcipher_mozilla_observatory_preview"> </p>

Printable hardening cheatsheets

I created two versions of printable posters with hardening cheatsheets (High-Res 5000x8800) based on recipes from this handbook:

For xcf and pdf formats please see this directory.

<p align="center"> <img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/cheatsheets/nginx-hardening-cheatsheet-tls12-100p.png" alt="nginx-hardening-cheatsheet-100p" width="92%" height="92%"> </p> <p align="center"> <img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/cheatsheets/nginx-hardening-cheatsheet-tls13.png" alt="nginx-hardening-cheatsheet-tls13" width="92%" height="92%"> </p>

Fully automatic installation

I created a set of scripts for unattended installation of NGINX from the raw, uncompiled code. It allows you to easily install, create a setup for dependencies (like zlib or openssl), and customize it with installation parameters.

For more information please see Installing from source - Automatic installation chapter which describes the installation of NGINX on systems/distros such as Ubuntu, Debian, CentOS, and FreeBSD.

Static error pages generator

I created a simple to use generator for static pages to replace the default error pages that come with any web server like NGINX.

For more information please see HTTP Static Error Pages Generator.

Server names parser

I added scripts for fast searching of multiple domains in the configuration. These tools get specific server_name matches and print them on the screen as server { ... } blocks. Both are very helpful if you really have tons of domains or if you want to list specific vhosts from a file or from the active configuration.

You must follow one important rule to be able to use them. Your server block must have the following structure (the server_name directive directly inside the server block):

```nginx
server {

  server_name example.com example.org;

  ... # other directives

}
```

Example of use:

```
./snippets/server-name-parser/check-server-name.sh example.com
Searching 'example.com' in '/usr/local/etc/nginx' (from disk)

/usr/local/etc/nginx/domains/example.com/servers.conf:79: return 301 https://example.com$request_uri;
/usr/local/etc/nginx/domains/example.com/servers.conf:252: return 301 https://example.com$request_uri;
/usr/local/etc/nginx/domains/example.com/servers.conf:3825: server_name example.com;

Searching 'example.com' in server contexts (from a running process)

>>>>>>>>>> BEG >>>>>>>>>>
server {

  include listen/192.168.252.10/https.example.com.conf;

  server_name example.com;

  location / {

    return 204 "RFC 792";

  }

  access_log /var/log/nginx/example.com/access.log standard;
  error_log /var/log/nginx/example.com/error.log warn;

}
<<<<<<<<<< END <<<<<<<<<<
```

For more information please see snippets/server-name-parser directory.
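The following is an added example, not the handbook's own check-server-name.sh: a small brace-aware scanner in Python that does the same job on configuration text (a file, or the dump produced by `nginx -T`). It relies on the structural rule above, i.e. the server_name directive sits directly inside the server block, and it shows why a plain grep is not enough: the closing brace of a nested location block must not end the server block, and a domain mentioned only in a comment must not count as a match. The configuration and the function names are constructed for this example.

```python
"""Find server { ... } blocks whose server_name lists a given domain.

Added example (not the handbook's script). Assumes the handbook's rule:
a server_name directive directly inside each server block.
"""
import re
from typing import List

# Constructed sample configuration for this example (not a real deployment).
SAMPLE_CONF = """
http {
  server {
    listen 192.168.252.10:443 ssl;
    server_name example.com www.example.com;
    location / {
      # the closing brace of this nested block must not end the server block
      return 204 "RFC 792";
    }
  }
  server {
    listen 192.168.252.10:80;
    server_name example.org;  # server_name example.com here is only a comment
    return 301 https://example.org$request_uri;
  }
  server {
    listen 192.168.252.10:80;
    server_name example.com;
    return 301 https://example.com$request_uri;
  }
}
"""


def strip_comments(text: str) -> str:
    """Drop '#' comments so a domain named in a comment is not a match.
    (Not a full nginx lexer: a '#' inside a quoted string is also stripped.)"""
    return re.sub(r"#[^\n]*", "", text)


def extract_server_blocks(conf: str) -> List[str]:
    """Return every 'server { ... }' block, nested sub-blocks included.
    Braces are counted so that a location block's '}' does not close the server."""
    text = strip_comments(conf)
    blocks = []
    # 'server_name' is not matched here because '{' must follow 'server'.
    for m in re.finditer(r"\bserver\s*\{", text):
        depth = 0
        for i in range(m.end() - 1, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    blocks.append(text[m.start():i + 1])
                    break
    return blocks


def _depth1_text(block: str) -> str:
    """Return the block body with all nested { ... } sub-blocks removed,
    so only directives directly inside the server block are inspected."""
    out, depth = [], 0
    for ch in block:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 1:
            out.append(ch)
    return "".join(out)


def server_names(block: str) -> List[str]:
    """All names declared by server_name directives at the server block level."""
    names: List[str] = []
    for m in re.finditer(r"\bserver_name\s+([^;]+);", _depth1_text(block)):
        names.extend(m.group(1).split())
    return names


def find_server_blocks(conf: str, domain: str) -> List[str]:
    """Server blocks whose server_name contains the exact name 'domain'."""
    return [b for b in extract_server_blocks(conf) if domain in server_names(b)]


if __name__ == "__main__":
    # Prints matches in the same BEG/END framing the handbook's script uses.
    for block in find_server_blocks(SAMPLE_CONF, "example.com"):
        print(">>>>>>>>>> BEG >>>>>>>>>>")
        print(block)
        print("<<<<<<<<<< END <<<<<<<<<<")
```

Matching is on exact names, so a wildcard entry such as `*.example.com` is returned only when you ask for that literal string; extend `server_names` if you need wildcard or regex names resolved. To run it against a live instance, replace `SAMPLE_CONF` with the output of `nginx -T`, which dumps the full configuration the running process loaded.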

Books

Nginx Essentials

Authors: Valery Kholodkov

Excel in Nginx quickly by learning to use its most essential features in real-life applications.

<sup><i>This short review comes from this book or the store.</i></sup>

Nginx Cookbook

Authors: Derek DeJonghe

You’ll find recipes for:

<sup><i>This short review comes from this book or the store.</i></sup>

Nginx HTTP Server

Authors: Martin Fjordvald, Clement Nedelcu

Harness the power of Nginx to make the most of your infrastructure and serve pages faster than ever.

<sup><i>This short review comes from this book or the store.</i></sup>

Nginx High Performance

Authors: Rahul Sharma

Optimize NGINX for high-performance, scalable web applications.

<sup><i>This short review comes from this book or the store.</i></sup>

Mastering Nginx

Authors: Dimitri Aivaliotis

Written for experienced systems administrators and engineers, this book teaches you from scratch how to configure Nginx for any situation. Step-by-step instructions and real-world code snippets clarify even the most complex areas.

<sup><i>This short review comes from this book or the store.</i></sup>

ModSecurity 3.0 and NGINX: Quick Start Guide

Authors: Faisal Memon, Owen Garrett, Michael Pleshakov

Learn in this ebook how to get started with ModSecurity, the world’s most widely deployed web application firewall (WAF), now available for NGINX and NGINX Plus.

<sup><i>This short review comes from this book or the store.</i></sup>

Cisco ACE to NGINX: Migration Guide

Authors: Faisal Memon

This ebook provides step-by-step instructions on replacing Cisco ACE with NGINX and off-the-shelf servers. NGINX helps you cut costs and modernize.

In this ebook you will learn:

<sup><i>This short review comes from this book or the store.</i></sup>

External Resources

Nginx official
<p> &nbsp;&nbsp;:black_small_square: <a href="https://www.nginx.com/"><b>Nginx Project</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://nginx.org/en/docs/"><b>Nginx Documentation</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.nginx.com/resources/wiki/"><b>Nginx Wiki</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://docs.nginx.com/nginx/admin-guide/"><b>Nginx Admin's Guide</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/"><b>Nginx Pitfalls and Common Mistakes</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://nginx.org/en/docs/dev/development_guide.html"><b>Development Guide</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://forum.nginx.org/"><b>Nginx Forum</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://nginx.org/en/security_advisories.html"><b>Nginx Security Advisories</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://docs.nginx.com/nginx/admin-guide/security-controls/"><b>Nginx Security Controls</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://mailman.nginx.org/mailman/listinfo/nginx"><b>Nginx Mailing List</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/nginx/nginx"><b>Nginx Read-only Mirror</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/nginxinc/NGINX-Demos"><b>NGINX-Demos </b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.nginx.com/blog/thread-pools-boost-performance-9x/"><b>Thread Pools in NGINX Boost Performance 9x!</b></a><br> </p>
Nginx distributions
<p> &nbsp;&nbsp;:black_small_square: <a href="https://openresty.org/"><b>OpenResty</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://tengine.taobao.org/"><b>The Tengine Web Server</b></a><br> </p>
Comparison reviews
<p> &nbsp;&nbsp;:black_small_square: <a href="https://www.hostingadvice.com/how-to/nginx-vs-apache/"><b>NGINX vs. Apache (Pro/Con Review, Uses, & Hosting for Each)</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/jiangwenyuan/nuster/wiki/Web-cache-server-performance-benchmark:-nuster-vs-nginx-vs-varnish-vs-squid"><b>Web cache server performance benchmark: nuster vs nginx vs varnish vs squid</b></a><br> </p>
Cheatsheets & References
<p> &nbsp;&nbsp;:black_small_square: <a href="https://openresty.org/download/agentzh-nginx-tutorials-en.html"><b>agentzh's Nginx Tutorials</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://agentzh.org/misc/slides/nginx-conf-scripting/nginx-conf-scripting.html#1"><b>Introduction to nginx.conf scripting</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://www.nginx-discovery.com/"><b>Nginx discovery journey</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://www.nginxguts.com/"><b>Nginx Guts</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://gist.github.com/carlessanagustin/9509d0d31414804da03b"><b>Nginx Cheatsheet</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://www.scalescale.com/tips/nginx/"><b>Nginx Tutorials, Linux Sysadmin Configuration & Optimizing Tips and Tricks</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/h5bp/server-configs-nginx"><b>Nginx boilerplate configs</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/nginx-boilerplate/nginx-boilerplate"><b>Awesome Nginx configuration template</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/SimulatedGREG/nginx-cheatsheet"><b>Nginx Quick Reference</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/fcambus/nginx-resources"><b>A collection of resources covering Nginx and more</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/lebinh/nginx-conf"><b>A collection of useful Nginx configuration snippets</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/elasticweb/nginx-configs"><b>Nginx configurations for most popular CMS/CMF/Frameworks based on PHP</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/wmnnd/nginx-certbot"><b>Boilerplate configuration for nginx and certbot with docker-compose</b></a><br> </p>
Performance & Hardening
<p> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/denji/nginx-tuning"><b>Nginx Tuning For Best Performance by Denji</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765"><b>Nginx Optimization: understanding sendfile, tcp_nodelay and tcp_nopush</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://blog.cloudflare.com/how-we-scaled-nginx-and-saved-the-world-54-years-every-day/"><b>How we scaled nginx and saved the world 54 years every day</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://istlsfastyet.com/"><b>TLS has exactly one performance problem: it is not used widely enough</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.ssllabs.com/projects/best-practices/"><b>SSL/TLS Deployment Best Practices</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.ssllabs.com/projects/rating-guide/index.html"><b>SSL Server Rating Guide</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.ssllabs.com/ssl-pulse/"><b>SSL Pulse</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.upguard.com/blog/how-to-build-a-tough-nginx-server-in-15-steps"><b>How to Build a Tough NGINX Server in 15 Steps</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html"><b>Top 25 Nginx Web Server Best Security Practices</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://calomel.org/nginx.html"><b>Nginx Secure Web Server</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html"><b>Strong SSL Security on Nginx</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://enable-cors.org/index.html"><b>Enable cross-origin resource sharing (CORS)</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/nbs-system/naxsi"><b>NAXSI - WAF for Nginx</b></a><br> 
&nbsp;&nbsp;:black_small_square: <a href="https://geekflare.com/install-modsecurity-on-nginx/"><b>ModSecurity for Nginx</b></a><br> </p>
Presentations & Videos
<p> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/Nginx/nginx-basics-and-best-practices"><b>NGINX: Basics and Best Practices</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/Nginx/nginx-installation-and-tuning"><b>NGINX Installation and Tuning</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/joshzhu/nginx-internals"><b>Nginx Internals (by Joshua Zhu)</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/feifengxlq/nginx-internals-10514355"><b>Nginx internals (by Liqiang Xu)</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/wallarm/how-to-secure-your-web-applications-with-nginx"><b>How to secure your web applications with NGINX</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/chartbeat/tuning-tcp-and-nginx-on-ec2"><b>Tuning TCP and NGINX on EC2</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/trygvevea/extending-functionality-in-nginx-with-modules"><b>Extending functionality in nginx, with modules!</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/tuxtoti/nginx-tips-and-tricks-13087831"><b>Nginx - Tips and Tricks.</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/TonyFabeen/nginx-scripting-extending-nginx-functionalities-with-lua"><b>Nginx Scripting - Extending Nginx Functionalities with Lua</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/kazeburo/advanced-nginx-in-mercari-how-to-handle-over-1200000-https-reqsmin"><b>How to handle over 1,200,000 HTTPS Reqs/Min</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.slideshare.net/harukayon/ngx-lua-public"><b>Using ngx_lua / lua-nginx-module in pixiv</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://mdounin.ru/files/mdounin-nginx-whatsnew-nginxconf2018.pdf"><b>Reading nginx CHANGES 
together</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://mdounin.ru/files/mdounin-dynamic-modules-nginxconf2016.pdf"><b>Dynamic modules: how it works</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXewvc6tjIGGFZ6DBKHEld3k"><b>NGINX Conf 2014</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXdED9BR6GQ61A6d3fBzjpbn"><b>NGINX Conf 2015</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXcOsB_dT26iu0BvbSxWYG1g"><b>NGINX Conf 2016</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXeT-z_rcZ9yF0kV5SENZ-yt"><b>NGINX Conf 2017</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXeHhKRX6ZS7vmFKN12iYOw9"><b>NGINX Conf 2018 | Deep Dive Track</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.youtube.com/playlist?list=PLGz_X9w9raXe_Vc708VKvr5KJ4gnf1WxS"><b>NGINX Conf 2018 | Keynotes and Sessions</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.youtube.com/watch?v=iHxD-G0YjiU"><b>Making HTTPS Fast(er): Ilya Grigorik @ nginx.conf 2014</b></a><br> </p>
Playgrounds
<p> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/sportebois/nginx-rate-limit-sandbox"><b>NGINX Rate Limit, Burst and nodelay sandbox</b></a><br> </p>
Config generators
<p> &nbsp;&nbsp;:black_small_square: <a href="https://nginxconfig.io/"><b>nginxconfig</b></a> - Nginx config generator on steroids.</a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/mozilla/ssl-config-generator"><b>ssl-config-generator</b></a> - Mozilla SSL Configuration Generator.</a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/linkedin/nginx-config-builder"><b>nginx-config-builder</b></a> - is a python library for building nginx configuration files programatically.</a><br> </p>
Config parsers
<p> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/nginxinc/crossplane"><b>crossplane</b></a> - quick and reliable way to convert NGINX configurations into JSON and back.</a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/fatiherikli/nginxparser"><b>nginxparser</b></a> - parses nginx configuration with Pyparsing.</a><br> </p>
Config managers
<p> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/jdauphant/ansible-role-nginx"><b>ansible-role-nginx</b></a> - asible role to install and manage nginx configuration.</a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/geerlingguy/ansible-role-nginx"><b>ansible-role-nginx</b></a> - installs and configures the latest version of Nginx.</a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/nginxinc/ansible-role-nginx"><b>ansible-role-nginx</b></a> - installs NGINX, NGINX Plus, the NGINX Amplify agent, and more.</a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/voxpupuli/puppet-nginx"><b>puppet-nginx</b></a> - puppet module to manage NGINX on various UNIXes.</a><br> </p>
Static analyzers
<p> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/yandex/gixy"><b>gixy</b></a> - is a tool to analyze Nginx configuration to prevent security misconfiguration and automate flaw detection.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/1connect/nginx-config-formatter"><b>nginx-config-formatter</b></a> - Nginx config file formatter/beautifier written in Python.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/vasilevich/nginxbeautifier"><b>nginxbeautifier</b></a> - format and beautify Nginx config files.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/lovette/nginx-tools/tree/master/nginx-minify-conf"><b>nginx-minify-conf</b></a> - creates a minified version of a Nginx configuration.<br> </p>
Log analyzers
<p> &nbsp;&nbsp;:black_small_square: <a href="https://goaccess.io/"><b>GoAccess</b></a> - is a fast, terminal-based log analyzer (quickly analyze and view web server statistics in real time).<br> &nbsp;&nbsp;:black_small_square: <a href="https://www.graylog.org/"><b>Graylog</b></a> - is a leading centralized log management for capturing, storing, and enabling real-time analysis.<br> &nbsp;&nbsp;:black_small_square: <a href="https://www.elastic.co/products/logstash"><b>Logstash</b></a> - is an open source, server-side data processing pipeline.<br> </p>
Performance analyzers
<p> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/lebinh/ngxtop"><b>ngxtop</b></a> - parses your Nginx access log and outputs useful, top-like, metrics of your Nginx server.<br> </p>
Builder tools
<p> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/TinkoffCreditSystems/Nginx-builder"><b>Nginx-builder</b></a> - is a tool for building deb or rpm package NGINX from the source code.<br> </p>
Benchmarking tools
<p> &nbsp;&nbsp;:black_small_square: <a href="https://httpd.apache.org/docs/2.4/programs/ab.html"><b>ab</b></a> - is a single-threaded command line tool for measuring the performance of HTTP web servers.<br> &nbsp;&nbsp;:black_small_square: <a href="https://www.joedog.org/siege-home/"><b>siege</b></a> - is an http load testing and benchmarking utility.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/wg/wrk"><b>wrk</b></a> - is a modern HTTP benchmarking tool capable of generating significant load.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/giltene/wrk2"><b>wrk2</b></a> - is a constant throughput, correct latency recording variant of wrk.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/tsenart/vegeta"><b>vegeta</b></a> - HTTP load testing tool and library.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/codesenberg/bombardier"><b>bombardier</b></a> - is a HTTP(S) benchmarking tool.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/cmpxchg16/gobench"><b>gobench</b></a> - is a HTTP/HTTPS load testing and benchmarking tool.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/rakyll/hey"><b>hey</b></a> - is a HTTP load generator, ApacheBench (ab) replacement, formerly known as rakyll/boom.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/tarekziade/boom"><b>boom</b></a> - is a script you can use to quickly smoke-test your web app deployment.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/tarekziade/httperf"><b>httperf</b></a> - the httperf HTTP load generator.<br> &nbsp;&nbsp;:black_small_square: <a href="https://jmeter.apache.org/"><b>JMeter™</b></a> - is designed to load test functional behavior and measure performance.<br> &nbsp;&nbsp;:black_small_square: <a href="https://gatling.io/"><b>Gatling</b></a> - is a powerful open-source load and performance testing tool for web applications.<br> &nbsp;&nbsp;:black_small_square: <a 
href="https://github.com/locustio/locust"><b>locust</b></a> - is an easy-to-use, distributed, user load testing tool.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/gkbrk/slowloris"><b>slowloris</b></a> - low bandwidth DoS tool. Slowloris rewrite in Python.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/shekyan/slowhttptest"><b>slowhttptest</b></a> - application layer DoS attack simulator.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/jseidl/GoldenEye"><b>GoldenEye</b></a> - GoldenEye Layer 7 (KeepAlive+NoCache) DoS test tool.<br> </p>
Debugging tools
<p> &nbsp;&nbsp;:black_small_square: <a href="https://strace.io/"><b>strace</b></a> - is a diagnostic, debugging and instructional userspace utility (linux syscall tracer) for Linux.<br> &nbsp;&nbsp;:black_small_square: <a href="https://www.gnu.org/software/gdb/"><b>GDB</b></a> - allows you to see what is going on `inside' another program while it executes.<br> &nbsp;&nbsp;:black_small_square: <a href="https://sourceware.org/systemtap/"><b>SystemTap</b></a> - provides infrastructure to simplify the gathering of information about the running Linux system.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/openresty/stapxx"><b>stapxx</b></a> - simple macro language extensions to SystemTap.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/trimstray/htrace.sh"><b>htrace.sh</b></a> - is a simple Swiss Army knife for http/https troubleshooting and profiling.<br> </p>
Security & Web testing tools
<p> &nbsp;&nbsp;:black_small_square: <a href="https://portswigger.net/burp"><b>Burp Suite</b></a> - is a graphical tool for testing Web application security.<br> &nbsp;&nbsp;:black_small_square: <a href="http://w3af.org/"><b>w3af</b></a> - is a Web Application Attack and Audit Framework.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/sullo/nikto"><b>nikto</b></a> - web server scanner which performs comprehensive tests.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/ssllabs/ssllabs-scan"><b>ssllabs-scan</b></a> - client for SSL Labs APIs, designed for automated and/or bulk testing.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/mozilla/http-observatory"><b>http-observatory</b></a> - Mozilla HTTP Observatory.<br> &nbsp;&nbsp;:black_small_square: <a href="https://testssl.sh/"><b>testssl.sh</b></a> - checks a server's service on any port for the support of TLS/SSL ciphers.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/nabla-c0d3/sslyze"><b>sslyze</b></a> - is a fast and powerful SSL/TLS server scanning library.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/mozilla/cipherscan"><b>cipherscan</b></a> - is a very simple way to find out which SSL ciphersuites are supported by a target.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/OWASP/O-Saft"><b>O-Saft</b></a> - OWASP SSL advanced forensic tool.<br> &nbsp;&nbsp;:black_small_square: <a href="https://nghttp2.org/"><b>Nghttp2</b></a> - is an implementation of HTTP/2 and its header compression algorithm HPACK in C.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/summerwind/h2spec"><b>h2spec</b></a> - is a conformance testing tool for HTTP/2 implementation.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/gildasio/h2t"><b>h2t</b></a> - is a simple tool to help sysadmins to hardening their websites.<br> &nbsp;&nbsp;:black_small_square: <a 
href="https://github.com/c0nrad/http2fuzz"><b>http2fuzz</b></a> - HTTP/2 fuzzer written in Golang.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/s0md3v/Arjun"><b>Arjun</b></a> - HTTP parameter discovery suite.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/s0md3v/Corsy"><b>Corsy</b></a> - CORS misconfiguration scanner.<br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/s0md3v/XSStrike"><b>XSStrike</b></a> - most advanced XSS scanner.<br> </p>
Development
<p> &nbsp;&nbsp;:black_small_square: <a href="http://agentzh.org/misc/code/nginx/"><b>Sample ebook generated from NGINX source code.</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.lua.org/pil/contents.html"><b>Programming in Lua (first edition)</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://www.londonlua.org/scripting_nginx_with_lua/"><b>Scripting Nginx with Lua</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.evanmiller.org/nginx-modules-guide.html"><b>Emiller’s Guide To Nginx Module Development</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://www.evanmiller.org/nginx-modules-guide-advanced.html"><b>Emiller’s Advanced Topics In Nginx Module Development</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.airpair.com/nginx/extending-nginx-tutorial"><b>NGINX Tutorial: Developing Modules</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.openmymind.net/An-Introduction-To-OpenResty-Nginx-Lua/"><b>An Introduction To OpenResty (nginx + lua) - Part 1</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.openmymind.net/An-Introduction-To-OpenResty-Part-2/"><b>An Introduction To OpenResty - Part 2 - Concepts</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.openmymind.net/An-Introduction-To-OpenResty-Part-3/"><b>An Introduction To OpenResty - Part 3</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://blog.dutchcoders.io/openresty-with-dynamic-generated-certificates/"><b>OpenResty (Nginx) with dynamically generated certificates</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/openresty/programming-openresty"><b>Programming OpenResty</b></a><br> </p>
Online & Web tools
<p> &nbsp;&nbsp;:black_small_square: <a href="https://www.ssllabs.com/ssltest/"><b>SSL Server Test by SSL Labs</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.htbridge.com/ssl/"><b>Test SSL/TLS (PCI DSS, HIPAA and NIST)</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://sslanalyzer.comodoca.com/"><b>SSL analyzer and certificate checker</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://decoder.link"><b>Tools for testing SSL configuration</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://tls.imirhil.fr/"><b>Test your TLS server configuration (e.g. ciphers)</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.jitbit.com/sslcheck/"><b>Scan your website for non-secure content</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://www.ssltools.com"><b>Analyze website security</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://ciphersuite.info/"><b>TLS Cipher Suite Search</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.ssllabs.com/ssltest/viewMyClient.html"><b>SSL/TLS Capabilities of Your Browser</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://suche.org/sslClientInfo"><b>SSL-Client Info's</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://2ton.com.au/dhtool/"><b>Public Diffie-Hellman Parameter Service/Tool</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://securityheaders.com/"><b>Analyse the HTTP response headers by Security Headers</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://observatory.mozilla.org/"><b>Analyze your website by Mozilla Observatory</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://sslmate.com/caa/"><b>CAA Record Helper</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://webhint.io/"><b>Linting tool that will help you with your site's accessibility, speed, security and more</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://urlscan.io/"><b>Service to scan and analyse 
websites</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.url-encode-decode.com/"><b>Tool to either encode or decode a string of text</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://uncoder.io/"><b>Online translator for search queries on log data</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://regex101.com/"><b>Online regex tester and debugger: PHP, PCRE, Python, Golang and JavaScript</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://regexr.com/"><b>Online tool to learn, build, & test Regular Expressions</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.regextester.com/"><b>Online Regex Tester & Debugger</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/nginxinc/NGINX-Demos/tree/master/nginx-regex-tester"><b>Tool for testing regular expressions directly within an NGINX configuration</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://gchq.github.io/CyberChef/"><b>A web app for encryption, encoding, compression and data analysis</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://nginx.viraptor.info/"><b>Nginx location match tester</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://detailyang.github.io/nginx-location-match-visible/"><b>Nginx location match visible</b></a><br> </p>
Other stuff
<p> &nbsp;&nbsp;:black_small_square: <a href="https://developer.mozilla.org/en-US/docs/Web"><b>Web technology for developers</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://infosec.mozilla.org/guidelines/web_security.html"><b>Mozilla Web Security</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://appsecwiki.com/#/"><b>Application Security Wiki</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project"><b>OWASP ASVS 3.0.1</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/Santandersecurityresearch/asvs"><b>OWASP ASVS 3.0.1 Web App</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/OWASP/ASVS/tree/master/4.0"><b>OWASP ASVS 4.0</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.owasp.org/index.php/OWASP_Proactive_Controls"><b>OWASP Top 10 Proactive Controls 2018.</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.owasp.org/index.php/OWASP_Testing_Project"><b>OWASP Testing Guide v4</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/OWASP/DevGuide"><b>OWASP Dev Guide</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html"><b>Transport Layer Protection Cheat Sheet by OWASP</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/OWASP/wstg"><b>OWASP WSTG</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://wiki.mozilla.org/Security/Server_Side_TLS"><b>Security/Server Side TLS by Mozilla</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://bettercrypto.org/"><b>Applied Crypto Hardening</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://caniuse.com/#home"><b>Browser support tables for modern web technologies</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://badssl.com/"><b>Memorable site for testing clients against 
bad SSL configs</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://https.cio.gov/"><b>The HTTPS-Only Standard</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://portswigger.net/web-security"><b>The Web Security Academy</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://portswigger.net/kb/issues"><b>Burp Scanner - Issue Definitions</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://odino.org/wasec-web-application-security-what-to-do-when-dot-dot-dot/"><b>Web application security: what to do when...</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml"><b>Transport Layer Security (TLS) Parameters</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/GrrrDog/TLS-Redirection#technical-details"><b>TLS Redirection (and Virtual Host Confusion)</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/"><b>TLS Security 6: Examples of TLS Vulnerabilities and Attacks</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers"><b>Guidelines for Setting Security Headers</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://infosec.mozilla.org/guidelines/web_security.html"><b>Mozilla Guidelines - Web Security</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://medium.freecodecamp.org/secure-your-web-application-with-these-http-headers-fd66e0367628"><b>Secure your web application with these HTTP headers</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://zinoui.com/blog/security-http-headers"><b>Security HTTP Headers</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/GrrrDog/weird_proxies/wiki"><b>Analysis of various reverse proxies, cache proxies, load balancers, etc.</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://howhttps.works/"><b>How 
HTTPS works ...in a comic!</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.regular-expressions.info/"><b>Regular-Expressions</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/attackercan/REGEXP-SECURITY-CHEATSHEET"><b>Regexp Security Cheatsheet</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/#the-beginning"><b>HTTPS on Stack Overflow: The End of a Long Road</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://www.aosabook.org/en/nginx.html"><b>The Architecture of Open Source Applications - Nginx</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://www.bbc.co.uk/blogs/internet/entries/17d22fb8-cea2-49d5-be14-86e7a1dcde04"><b>BBC Digital Media Distribution: How we improved throughput by 4x</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://www.kegel.com/c10k.html"><b>The C10K problem by Dan Kegel</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="http://highscalability.com/blog/2013/5/13/the-secret-to-10-million-concurrent-connections-the-kernel-i.html"><b>The Secret To 10 Million Concurrent Connections</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://hpbn.co/"><b>High Performance Browser Networking</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/donnemartin/system-design-primer"><b>The System Design Primer</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/binhnguyennus/awesome-scalability"><b>awesome-scalability</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://engineering.videoblocks.com/web-architecture-101-a3224e126947"><b>Web Architecture 101</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.com/leandromoreira/linux-network-performance-parameters"><b>Learn where some of the network sysctl variables fit into the Linux/Kernel network flow</b></a><br> &nbsp;&nbsp;:black_small_square: <a 
href="https://suniphrase.wordpress.com/2015/10/27/jemalloc-vs-tcmalloc-vs-dlmalloc/"><b>jemalloc vs tcmalloc vs dlmalloc</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://arxiv.org/pdf/1905.01135.pdf"><b>On the Impact of Memory Allocation on High-Performance Query Processing</b></a><br> &nbsp;&nbsp;:black_small_square: <a href="https://github.blog/2018-08-08-glb-director-open-source-load-balancer/"><b>GLB: GitHub’s open source load balancer</b></a><br> </p>

What's next?

Go back to the Table of Contents or read the next chapters:


<br> <p align="center"> <a href="https://nystudio107.com/blog/stop-using-htaccess-files-no-really"> <img src="https://github.com/trimstray/nginx-admins-handbook/blob/master/static/img/nginx_meme_2.png" alt="Meme" width="50%" height="50%"> </a> </p>