
How to teardown Nginx built-in modules?

max21

Well-Known Member

Thanks: 17
Messages: 365

#1
I'm kind of a newbie when it comes to networking and websites, but I prefer to learn from the bottom up. So, please do correct me if something seems totally wrong.

www ---> haproxy jail ---> nginx jail ---> php jail ---> mysql jail

For now the only important things are the first two jails. My first Nginx site will contain mostly pre-built web pages and most of them will be cached. PHP and MySQL will be used later so that I can get the hang of how things work. Everything is HTTPS. HAProxy is ready to run as a reverse proxy using SNI. Now I'm working on Nginx to see if my HAProxy configuration is correct. However, I'd rather gut Nginx first.

I will not be using heavy applications like django CMS and WordPress, so there is no need to compile Nginx with all of the modules that a simple HTTPS web server will never use. Once I understand this much, then I'll add only the needed modules that those types of applications require. With these few details in mind, could you point out anything that I have missed or misunderstood? Such as, I will utterly UNSET uwsgi and all his friends, because this is not for web hosting, and I will not be using any backend application except PHP. It will only have visitors, and not members who need access to the website. I read a lot about how to secure NGINX, so now, I have no choice but to work from the ground up.

make.conf for minimum use of Nginx modules.
Code:
# .......................................
# .......................................  MAKE for site1 behind sni-HAProxy
DEFAULT_VERSIONS+=ssl=libressl
DEFAULT_VERSIONS+=php=7.2
DEFAULT_VERSIONS+=pcre=8.40
#........................................  NGINX BUILD-IN MODULES
#........................................  taken from /tmp/script/nginx.txt
#........................................
OPTIONS_FILE_UNSET+=NAXSI               #   addon.  I'll use it
OPTIONS_FILE_UNSET+=CACHE_PURGE         #   can I do this without a module?
#......
OPTIONS_FILE_UNSET+=gzip_static
OPTIONS_FILE_UNSET+=autoindex           #   security - gen auto dir list, recompiles
OPTIONS_FILE_UNSET+=auth_basic
OPTIONS_FILE_UNSET+=access              #   do a ssl webserver really need this?
OPTIONS_FILE_UNSET+=limit_conn
OPTIONS_FILE_UNSET+=limit_req
OPTIONS_FILE_UNSET+=realip              #   do a ssl webserver really need this?
OPTIONS_FILE_UNSET+=geo
OPTIONS_FILE_UNSET+=geoip
OPTIONS_FILE_UNSET+=map
OPTIONS_FILE_UNSET+=split_clients       #   files are small and running plain ws?
OPTIONS_FILE_UNSET+=referer             #   fabrication made possible. why added this?
OPTIONS_FILE_UNSET+=rewrite
OPTIONS_FILE_UNSET+=ssl
OPTIONS_FILE_UNSET+=proxy               #   not using it as it still eats resources.
OPTIONS_FILE_UNSET+=fastcgi
OPTIONS_FILE_UNSET+=uwsgi               #   Is there a issue not using this?
OPTIONS_FILE_UNSET+=scgi                #   Is there a issue not using this?
OPTIONS_FILE_UNSET+=memcached
OPTIONS_FILE_UNSET+=empty_gif
OPTIONS_FILE_UNSET+=browser             #   do a plain ws really need this?
OPTIONS_FILE_UNSET+=secure_link
OPTIONS_FILE_UNSET+=upstream_hash
OPTIONS_FILE_UNSET+=upstream_ip_hash
OPTIONS_FILE_UNSET+=upstream_least_conn
OPTIONS_FILE_UNSET+=upstream_keepalive
OPTIONS_FILE_UNSET+=upstream_zone
OPTIONS_FILE_UNSET+=stub_status
#........................................  THIRD PARTY MODULES
#........................................  taken from /var/ports/options
OPTIONS_FILE_UNSET+=DSO
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DEBUGLOG
OPTIONS_FILE_UNSET+=FILE_AIO                    #  file_aio
OPTIONS_FILE_UNSET+=IPV6
OPTIONS_FILE_UNSET+=GOOGLE_PERFTOOLS
OPTIONS_FILE_UNSET+=HTTP                        #  why add this?
OPTIONS_FILE_UNSET+=HTTP_ADDITION
OPTIONS_FILE_UNSET+=HTTP_AUTH_REQ
OPTIONS_FILE_UNSET+=HTTP_CACHE                  #  could I use varnish instead?
OPTIONS_FILE_UNSET+=HTTP_DAV
OPTIONS_FILE_UNSET+=HTTP_FLV
OPTIONS_FILE_UNSET+=HTTP_GEOIP                  #  I need to know city/country.
OPTIONS_FILE_UNSET+=HTTP_GZIP_STATIC            #  gzip_static
OPTIONS_FILE_UNSET+=HTTP_GUNZIP_FILTER
OPTIONS_FILE_UNSET+=HTTP_IMAGE_FILTER
OPTIONS_FILE_UNSET+=HTTP_MP4
OPTIONS_FILE_UNSET+=HTTP_PERL
OPTIONS_FILE_UNSET+=HTTP_RANDOM_INDEX
OPTIONS_FILE_UNSET+=HTTP_REALIP                 #  is this for web hosting or needed?
OPTIONS_FILE_UNSET+=HTTP_REWRITE                #  rewrite
OPTIONS_FILE_UNSET+=HTTP_SECURE_LINK            #  why is this needed or not?
OPTIONS_FILE_UNSET+=HTTP_SLICE
OPTIONS_FILE_UNSET+=HTTP_SSL                    #  ssl
OPTIONS_FILE_UNSET+=HTTP_STATUS                 #  status
OPTIONS_FILE_UNSET+=HTTP_SUB                    #  sub
OPTIONS_FILE_UNSET+=HTTP_XSLT
OPTIONS_FILE_UNSET+=MAIL
OPTIONS_FILE_UNSET+=MAIL_IMAP
OPTIONS_FILE_UNSET+=MAIL_POP3
OPTIONS_FILE_UNSET+=MAIL_SMTP
OPTIONS_FILE_UNSET+=MAIL_SSL
OPTIONS_FILE_UNSET+=HTTPV2
OPTIONS_FILE_UNSET+=NJS
OPTIONS_FILE_UNSET+=STREAM
OPTIONS_FILE_UNSET+=STREAM_SSL
OPTIONS_FILE_UNSET+=STREAM_SSL_PREREAD
OPTIONS_FILE_UNSET+=THREADS
OPTIONS_FILE_UNSET+=WWW
OPTIONS_FILE_UNSET+=AJP
OPTIONS_FILE_UNSET+=AWS_AUTH
OPTIONS_FILE_UNSET+=CLOJURE
OPTIONS_FILE_UNSET+=CT
OPTIONS_FILE_UNSET+=ECHO
OPTIONS_FILE_UNSET+=FASTDFS
OPTIONS_FILE_UNSET+=HEADERS_MORE
OPTIONS_FILE_UNSET+=HTTP_ACCEPT_LANGUAGE
OPTIONS_FILE_UNSET+=HTTP_AUTH_DIGEST
OPTIONS_FILE_UNSET+=HTTP_AUTH_KRB5
OPTIONS_FILE_UNSET+=HTTP_AUTH_LDAP
OPTIONS_FILE_UNSET+=HTTP_AUTH_PAM
OPTIONS_FILE_UNSET+=HTTP_DAV_EXT
OPTIONS_FILE_UNSET+=HTTP_EVAL
OPTIONS_FILE_UNSET+=HTTP_FANCYINDEX
OPTIONS_FILE_UNSET+=HTTP_FOOTER
OPTIONS_FILE_UNSET+=HTTP_GEOIP2
OPTIONS_FILE_UNSET+=HTTP_JSON_STATUS
OPTIONS_FILE_UNSET+=HTTP_MOGILEFS
OPTIONS_FILE_UNSET+=HTTP_MP4_H264
OPTIONS_FILE_UNSET+=HTTP_NOTICE
OPTIONS_FILE_UNSET+=HTTP_PUSH
OPTIONS_FILE_UNSET+=HTTP_PUSH_STREAM
OPTIONS_FILE_UNSET+=HTTP_REDIS
OPTIONS_FILE_UNSET+=HTTP_RESPONSE
OPTIONS_FILE_UNSET+=HTTP_SUBS_FILTER
OPTIONS_FILE_UNSET+=HTTP_TARANTOOL
OPTIONS_FILE_UNSET+=HTTP_UPLOAD
OPTIONS_FILE_UNSET+=HTTP_UPLOAD_PROGRESS
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_CHECK
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_FAIR
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_STICKY
OPTIONS_FILE_UNSET+=HTTP_VIDEO_THUMBEXTRACTOR
OPTIONS_FILE_UNSET+=HTTP_ZIP
OPTIONS_FILE_UNSET+=ARRAYVAR
OPTIONS_FILE_UNSET+=BROTLI
OPTIONS_FILE_UNSET+=DRIZZLE
OPTIONS_FILE_UNSET+=DYNAMIC_UPSTREAM
OPTIONS_FILE_UNSET+=ENCRYPTSESSION
OPTIONS_FILE_UNSET+=FORMINPUT
OPTIONS_FILE_UNSET+=GRIDFS
OPTIONS_FILE_UNSET+=ICONV
OPTIONS_FILE_UNSET+=LET
OPTIONS_FILE_UNSET+=LUA
OPTIONS_FILE_UNSET+=MEMC
OPTIONS_FILE_UNSET+=MODSECURITY
OPTIONS_FILE_UNSET+=MODSECURITY_DEVEL
OPTIONS_FILE_UNSET+=PASSENGER
OPTIONS_FILE_UNSET+=POSTGRES
OPTIONS_FILE_UNSET+=RDS_CSV
OPTIONS_FILE_UNSET+=RDS_JSON
OPTIONS_FILE_UNSET+=REDIS2
OPTIONS_FILE_UNSET+=RTMP
OPTIONS_FILE_UNSET+=SET_MISC
OPTIONS_FILE_UNSET+=SFLOW
OPTIONS_FILE_UNSET+=SHIBBOLETH
OPTIONS_FILE_UNSET+=SLOWFS_CACHE
OPTIONS_FILE_UNSET+=SMALL_LIGHT
OPTIONS_FILE_UNSET+=SRCACHE
OPTIONS_FILE_UNSET+=X11
OPTIONS_FILE_UNSET+=XSS
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#2
It was not as easy as I thought to remove a few default modules from Nginx. I should have known OPTIONS_FILE_UNSET would not work because it was not in the list of options found under /var/db/ports for Nginx. I had to dig them out of the script /tmp/var/nginx-install.txt that I created at install time. Here is the link I got the idea from; but he explains how to do it under Linux and it's a common thing for Linux gurus to do. I doubt that anyone does stuff like this here, but if so, let me know.


This doesn't work:
Code:
#........................................
#                                       #   DEFAULT
#........................................
OPTIONS_FILE_SET+=gzip_static           #
OPTIONS_FILE_UNSET+=autoindex           #   unset
OPTIONS_FILE_UNSET+=auth_basic          #   unset
OPTIONS_FILE_UNSET+=access              #   unset
OPTIONS_FILE_SET+=limit_conn            #
OPTIONS_FILE_SET+=limit_req             #
OPTIONS_FILE_UNSET+=realip              #   unset
OPTIONS_FILE_SET+=geo                   #
OPTIONS_FILE_SET+=geoip                 #
OPTIONS_FILE_SET+=map                   #
OPTIONS_FILE_UNSET+=split_clients       #   unset
OPTIONS_FILE_SET+=referer               #   
OPTIONS_FILE_SET+=rewrite               #
OPTIONS_FILE_SET+=ssl                   #
OPTIONS_FILE_UNSET+=proxy               #   unset
OPTIONS_FILE_SET+=fastcgi               #
OPTIONS_FILE_UNSET+=uwsgi               #   unset
OPTIONS_FILE_UNSET+=scgi                #   unset
OPTIONS_FILE_SET+=empty_gif             #
OPTIONS_FILE_SET+=browser               #   
OPTIONS_FILE_SET+=secure_link           #
OPTIONS_FILE_SET+=upstream_hash         #
OPTIONS_FILE_SET+=upstream_ip_hash      #
OPTIONS_FILE_SET+=upstream_least_conn   #
OPTIONS_FILE_SET+=upstream_keepalive    #
OPTIONS_FILE_SET+=upstream_zone         #
OPTIONS_FILE_SET+=stub_status           #
#........................................
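
Added example, not part of the original posts: a small check for the mismatch described in post #2, listing `OPTIONS_FILE_SET`/`OPTIONS_FILE_UNSET` entries whose names are not among a port's option names. The option list and make.conf lines below are constructed samples using names that appear in this thread; the function name `unknown_options` is hypothetical.

```shell
#!/bin/sh
# Added example: report OPTIONS_FILE_SET/UNSET names in a make.conf that are
# not among a port's option names (matching is case-sensitive).

# Constructed sample: a few option names from the second list in post #1.
# On a real system take them from the port itself, e.g. `make showconfig`.
KNOWN_OPTIONS="DSO DEBUG HTTP HTTP_GZIP_STATIC HTTP_REALIP HTTP_REWRITE HTTP_SSL HTTP_STATUS"

# Constructed sample make.conf lines in the style used in the thread.
SAMPLE_CONF='OPTIONS_FILE_UNSET+=autoindex           #   unset
OPTIONS_FILE_SET+=gzip_static           #
OPTIONS_FILE_SET+=HTTP_GZIP_STATIC
OPTIONS_FILE_UNSET+=HTTP_REALIP         #  realip
OPTIONS_FILE_SET+=ssl
DEFAULT_VERSIONS+=ssl=libressl'

# unknown_options CONF_TEXT KNOWN_LIST
# Prints one "LINE:NAME" per SET/UNSET entry whose NAME is not in KNOWN_LIST.
unknown_options() {
    printf '%s\n' "$1" | awk -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*OPTIONS_FILE_(SET|UNSET)[ \t]*[+]?=/ {
            line = $0
            sub(/#.*/, "", line)             # drop trailing comment
            sub(/^[^=]*=/, "", line)         # keep the value part only
            m = split(line, names, /[ \t]+/) # several names per line are allowed
            for (j = 1; j <= m; j++)
                if (names[j] != "" && !(names[j] in ok))
                    print NR ":" names[j]
        }'
}

# Run on the constructed sample; each output line is a name that would be ignored.
unknown_options "$SAMPLE_CONF" "$KNOWN_OPTIONS"
```

Names reported here, such as the lowercase `gzip_static`, match no option in the list, while the uppercase `HTTP_GZIP_STATIC` form does.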