Top Nav

Archive | Nginx

Plesk / Nginx Open Files Limit

Was trying to increase open files limit for nginx on a Plesk server following instructions here:

MariaDB on CentOS 7 – “Error in accept: Too many open files”

But the limit was not changing. After digging around I found that Plesk was overriding with a config file here:

As described here:

https://support.plesk.com/hc/en-us/articles/213938485-nginx-fails-to-start-reload-on-a-Plesk-server-Too-many-open-files

the easy way to fix open file limit on Plesk is to use:

0

Expires Header In Nginx On Plesk

Trying to add an Expires header in Nginx on a Plesk server like this is problematic.

The “location” directive conflicts (overrides) the “location” directive created by Plesk. The work around is to disable “Serve static files directly by nginx” but this is a valuable feature that we usually don’t want to turn off.

An alternative is to use a “map” directive. Setup the map in the global nginx config by creating /etc/nginx/conf.d/expires_map.conf with:

Next in the “Additional nginx directives” field add:

This works well but may not be possible on a shared server where the global nginx configuration can not be changed.

0

Nginx Redirects With Map File

Client provided a CSV file with several thousand redirects for site hosted on Plesk server. For maximum efficiency we implemented the redirects using a map file in Nginx.

Start by convert the CSV file to a map include file with one redirect per line, space delimited and terminated with a colon. For example:

I placed the file at:

/var/www/vhosts/acme.com/redirects/redirect.map

Next step is to add to global nginx config by creating a file at:

/etc/nginx/conf.d/redirect_maps.conf

containing:

Finally in Plesk, for the target subscription (acme.com) in “Apache & Nginx Setting” add the following to “Additional Nginx directives:

0

Diffie–Hellman (DHE) Ciphers On Nginx

In some cases you may wish to allow Diffie–Hellman (DHE) ciphers in order to support older clients like IE on Windows 7.  On Plesk we often use the “intermediate” level in the Mozilla cipher set as described here:

https://wiki.mozilla.org/Security/Server_Side_TLS

The “intermediate” level includes:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384

Of course the “ECDSA” or “Elliptic Curve Digital Signature Algorithm” ciphers will only be available if you are using ECC signed certificates.

Additionally the “DHE” ciphers will not be available by default if you are using Nginx releases greater then 1.11. With the 1.11 release Nginx moved the DHE key to an external setting instead of an internally generated key. The stock Nginx packages on Ubuntu and CentoOS do not setup a DHE key which results in the DHE ciphers not being available.

To address this problem, start by generating a key:

Next tell Nginx where to find the key:

Verify Nginx config and restart:

Now the DHE ciphers will be offered to clients and Window 7 / IE clients will be able to connect to the sites hosted on the server.

 

 

 

0

Disable OPTIONS method in NGINX

To disable the OPTIONS method in Nginx add the following config:

The result can be tested with curl:

 

1