NGINX Web Server

Brightboxes come with Apache by default, but NGINX is a faster alternative with lower memory requirements. If you don't need all the features of Apache, NGINX is definitely recommended.

The Brightbox GEM does not currently support NGINX, but you can easily set it up manually and use the gem for everything else (monit config, code deploy etc.). It will just create Apache configs that you can ignore.

First stop Apache if it is running. If Apache is listening on port 80, the NGINX install will not complete successfully.

sudo monit stop apache

Then install Passenger-enabled NGINX from our Launchpad PPA:

sudo apt-add-repository ppa:brightbox/passenger-nginx
sudo apt-get update
sudo apt-get install nginx-full

Point your web browser to your Brightbox server and you should see the 'Welcome to nginx!' holding page.

You can prevent Apache from starting up on the next boot like this:

sudo update-rc.d -f apache2 remove

In /etc/nginx/nginx.conf put this base config:

# Run as the www-data user
user www-data;
 
# For high performance you'll need one worker process per disk spindle
# but in most cases 1 or 2 is fine.
worker_processes 2;
 
error_log  /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
 
events {
  # Max concurrent connections = worker_processes * worker_connections
  # You can increase this past 1024 but you must set the rlimit before starting
  # ngxinx using the ulimit command (say ulimit -n 8192)
  worker_connections 1024;
  # Linux performance awesomeness on
  use epoll;
}
 
http {
  server_names_hash_bucket_size 64;
  # More Linux performance awesomeness
  sendfile on;
  tcp_nopush  on;
  tcp_nodelay off;
 
  # Where to store the body of large client requests on disk
  # NGINX will stream this to disk before posting it to your Mongrels,
  # preventing slow clients tying up your app.
  client_body_temp_path /var/spool/nginx-client-body 1 2;
 
  # Max size of a request from a client (usually a POST).  This will limit
  # the size of file uploads to your app
  client_max_body_size 32m;
 
  ## MIME stuff
  # Mime-type table
  include /etc/nginx/mime.types;
  # Default mime-type if nothing matches from the table
  default_type application/octet-stream;
 
  ## Logging
  # Specify a log format compatible with Apache's combined format
  log_format main '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"' ;
 
  access_log /var/log/nginx/access.log main;
 
  ## Compression
  gzip on;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_proxied any;
  gzip_min_length  1100;
  gzip_buffers 16 8k;
  gzip_types text/plain text/html text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  # Some version of IE 6 don't handle compression well on some mime-types, so just disable for them
  gzip_disable "MSIE [1-6].(?!.*SV1)";
  # Set a vary header so downstream proxies don't send cached gzipped content to IE6
  gzip_vary on;
 
  # Send along useful info to the mongrels
  proxy_set_header  X-Real-IP  $remote_addr;
  proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Host $http_host;
  proxy_redirect false;
  proxy_max_temp_file_size 0;
 
  server {
    listen 80;
    root /home/rails/default;
  }
 
  include /etc/nginx/sites-enabled/*;
}

Create configs for each virtual host in /etc/nginx/sites-available, symlink them into /etc/nginx/sites-enabled and reload nginx. appname should be the name you used when running the Brightbox gem, but it doesn't have to be.

You need a separate server declaration listening on 443 with the following additional options:

  ssl on;
  ssl_certificate /etc/ssl/certs/myssl.crt;
  ssl_certificate_key /etc/ssl/private/myssl.key;
  proxy_set_header X_FORWARDED_PROTO https;

It turns out, array directive overrides (such as proxy_set_header) will clear out any directives set at a higher level. Hence when you set X_FORWARDED_PROTO in for your ssl server, you will also need to set up all the other proxy_set_header directives again. Since I'm generating my server blocks with erb during my cap deployment I was able to move the declarations but still keep things dry.

Intermediate Certificates

If the certificate you have bought requires an 'intermediate certificate' or certificate chain (GoDaddy requires this) then you need to merge this into the same file as your SSL Certificate. See the NGINX documentation on SSL Certificate Chains for instructions on how to do this.

First of all delete the Apache monitoring config file :

sudo rm /etc/monit/conf.d/apache.monitrc

Then create a new config file for monitoring Nginx in /etc/monit/conf.d/nginx.monitrc :

check process nginx with pidfile /var/run/nginx.pid
  start program = "/etc/init.d/nginx start"
  stop program  = "/etc/init.d/nginx stop"
  group server

Finally we need to resart monit :

sudo /etc/init.d/monit restart