I'm kind of a newbie when it comes to networking and websites, but I prefer to learn from the bottom up. So, please do correct me if something seems totally wrong.
www ---> haproxy jail ---> nginx jail ---> php jail ---> mysql jail
For now the only important things are the first two jails. My first Nginx site will contain mostly pre-built web pages, and most of them will be cached. PHP and MySQL will be used later so that I can get the hang of how things work. Everything is HTTPS. HAProxy is ready to run as a reverse proxy using SNI. Now I'm working on Nginx to see if my HAProxy configuration is correct. However, I'd rather gut Nginx first.
I will not be using heavy applications like django CMS and WordPress, so there is no need to compile Nginx with all of the modules that a simple HTTPS web server will never use. Once I understand this much, I'll add only the modules that those types of applications require. With these few details in mind, could you point out anything that I have missed or misunderstood? For example, I will utterly UNSET uwsgi and all its friends, because this is not for web hosting, and I will not be using any backend application except PHP. It will only have visitors, not members who need access to the website. I read a lot about how to secure NGINX, so now I have no choice but to work from the ground up.
make.conf for minimum use of Nginx modules.
Code:
# .......................................
# ....................................... MAKE for site1 behind sni-HAProxy
DEFAULT_VERSIONS+=ssl=libressl
DEFAULT_VERSIONS+=php=7.2
DEFAULT_VERSIONS+=pcre=8.40
#........................................ NGINX BUILD-IN MODULES
#........................................ taken from /tmp/script/nginx.txt
#........................................
OPTIONS_FILE_UNSET+=NAXSI # addon. I'll use it
OPTIONS_FILE_UNSET+=CACHE_PURGE # can I do this without a module?
#......
OPTIONS_FILE_UNSET+=gzip_static
OPTIONS_FILE_UNSET+=autoindex # security - gen auto dir list, recompiles
OPTIONS_FILE_UNSET+=auth_basic
OPTIONS_FILE_UNSET+=access # does an ssl webserver really need this?
OPTIONS_FILE_UNSET+=limit_conn
OPTIONS_FILE_UNSET+=limit_req
OPTIONS_FILE_UNSET+=realip # does an ssl webserver really need this?
OPTIONS_FILE_UNSET+=geo
OPTIONS_FILE_UNSET+=geoip
OPTIONS_FILE_UNSET+=map
OPTIONS_FILE_UNSET+=split_clients # files are small and running plain ws?
OPTIONS_FILE_UNSET+=referer # fabrication made possible. why added this?
OPTIONS_FILE_UNSET+=rewrite
OPTIONS_FILE_UNSET+=ssl
OPTIONS_FILE_UNSET+=proxy # not using it as it still eats resources.
OPTIONS_FILE_UNSET+=fastcgi
OPTIONS_FILE_UNSET+=uwsgi # Is there an issue not using this?
OPTIONS_FILE_UNSET+=scgi # Is there an issue not using this?
OPTIONS_FILE_UNSET+=memcached
OPTIONS_FILE_UNSET+=empty_gif
OPTIONS_FILE_UNSET+=browser # does a plain ws really need this?
OPTIONS_FILE_UNSET+=secure_link
OPTIONS_FILE_UNSET+=upstream_hash
OPTIONS_FILE_UNSET+=upstream_ip_hash
OPTIONS_FILE_UNSET+=upstream_least_conn
OPTIONS_FILE_UNSET+=upstream_keepalive
OPTIONS_FILE_UNSET+=upstream_zone
OPTIONS_FILE_UNSET+=stub_status
#........................................ THIRD PARTY MODULES
#........................................ taken from /var/ports/options
OPTIONS_FILE_UNSET+=DSO
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DEBUGLOG
OPTIONS_FILE_UNSET+=FILE_AIO # file_aio
OPTIONS_FILE_UNSET+=IPV6
OPTIONS_FILE_UNSET+=GOOGLE_PERFTOOLS
OPTIONS_FILE_UNSET+=HTTP # why add this?
OPTIONS_FILE_UNSET+=HTTP_ADDITION
OPTIONS_FILE_UNSET+=HTTP_AUTH_REQ
OPTIONS_FILE_UNSET+=HTTP_CACHE # could I use varnish instead?
OPTIONS_FILE_UNSET+=HTTP_DAV
OPTIONS_FILE_UNSET+=HTTP_FLV
OPTIONS_FILE_UNSET+=HTTP_GEOIP # I need to know city/country.
OPTIONS_FILE_UNSET+=HTTP_GZIP_STATIC # gzip_static
OPTIONS_FILE_UNSET+=HTTP_GUNZIP_FILTER
OPTIONS_FILE_UNSET+=HTTP_IMAGE_FILTER
OPTIONS_FILE_UNSET+=HTTP_MP4
OPTIONS_FILE_UNSET+=HTTP_PERL
OPTIONS_FILE_UNSET+=HTTP_RANDOM_INDEX
OPTIONS_FILE_UNSET+=HTTP_REALIP # is this for web hosting or needed?
OPTIONS_FILE_UNSET+=HTTP_REWRITE # rewrite
OPTIONS_FILE_UNSET+=HTTP_SECURE_LINK # why is this needed or not?
OPTIONS_FILE_UNSET+=HTTP_SLICE
OPTIONS_FILE_UNSET+=HTTP_SSL # ssl
OPTIONS_FILE_UNSET+=HTTP_STATUS # status
OPTIONS_FILE_UNSET+=HTTP_SUB # sub
OPTIONS_FILE_UNSET+=HTTP_XSLT
OPTIONS_FILE_UNSET+=MAIL
OPTIONS_FILE_UNSET+=MAIL_IMAP
OPTIONS_FILE_UNSET+=MAIL_POP3
OPTIONS_FILE_UNSET+=MAIL_SMTP
OPTIONS_FILE_UNSET+=MAIL_SSL
OPTIONS_FILE_UNSET+=HTTPV2
OPTIONS_FILE_UNSET+=NJS
OPTIONS_FILE_UNSET+=STREAM
OPTIONS_FILE_UNSET+=STREAM_SSL
OPTIONS_FILE_UNSET+=STREAM_SSL_PREREAD
OPTIONS_FILE_UNSET+=THREADS
OPTIONS_FILE_UNSET+=WWW
OPTIONS_FILE_UNSET+=AJP
OPTIONS_FILE_UNSET+=AWS_AUTH
OPTIONS_FILE_UNSET+=CLOJURE
OPTIONS_FILE_UNSET+=CT
OPTIONS_FILE_UNSET+=ECHO
OPTIONS_FILE_UNSET+=FASTDFS
OPTIONS_FILE_UNSET+=HEADERS_MORE
OPTIONS_FILE_UNSET+=HTTP_ACCEPT_LANGUAGE
OPTIONS_FILE_UNSET+=HTTP_AUTH_DIGEST
OPTIONS_FILE_UNSET+=HTTP_AUTH_KRB5
OPTIONS_FILE_UNSET+=HTTP_AUTH_LDAP
OPTIONS_FILE_UNSET+=HTTP_AUTH_PAM
OPTIONS_FILE_UNSET+=HTTP_DAV_EXT
OPTIONS_FILE_UNSET+=HTTP_EVAL
OPTIONS_FILE_UNSET+=HTTP_FANCYINDEX
OPTIONS_FILE_UNSET+=HTTP_FOOTER
OPTIONS_FILE_UNSET+=HTTP_GEOIP2
OPTIONS_FILE_UNSET+=HTTP_JSON_STATUS
OPTIONS_FILE_UNSET+=HTTP_MOGILEFS
OPTIONS_FILE_UNSET+=HTTP_MP4_H264
OPTIONS_FILE_UNSET+=HTTP_NOTICE
OPTIONS_FILE_UNSET+=HTTP_PUSH
OPTIONS_FILE_UNSET+=HTTP_PUSH_STREAM
OPTIONS_FILE_UNSET+=HTTP_REDIS
OPTIONS_FILE_UNSET+=HTTP_RESPONSE
OPTIONS_FILE_UNSET+=HTTP_SUBS_FILTER
OPTIONS_FILE_UNSET+=HTTP_TARANTOOL
OPTIONS_FILE_UNSET+=HTTP_UPLOAD
OPTIONS_FILE_UNSET+=HTTP_UPLOAD_PROGRESS
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_CHECK
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_FAIR
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_STICKY
OPTIONS_FILE_UNSET+=HTTP_VIDEO_THUMBEXTRACTOR
OPTIONS_FILE_UNSET+=HTTP_ZIP
OPTIONS_FILE_UNSET+=ARRAYVAR
OPTIONS_FILE_UNSET+=BROTLI
OPTIONS_FILE_UNSET+=DRIZZLE
OPTIONS_FILE_UNSET+=DYNAMIC_UPSTREAM
OPTIONS_FILE_UNSET+=ENCRYPTSESSION
OPTIONS_FILE_UNSET+=FORMINPUT
OPTIONS_FILE_UNSET+=GRIDFS
OPTIONS_FILE_UNSET+=ICONV
OPTIONS_FILE_UNSET+=LET
OPTIONS_FILE_UNSET+=LUA
OPTIONS_FILE_UNSET+=MEMC
OPTIONS_FILE_UNSET+=MODSECURITY
OPTIONS_FILE_UNSET+=MODSECURITY_DEVEL
OPTIONS_FILE_UNSET+=PASSENGER
OPTIONS_FILE_UNSET+=POSTGRES
OPTIONS_FILE_UNSET+=RDS_CSV
OPTIONS_FILE_UNSET+=RDS_JSON
OPTIONS_FILE_UNSET+=REDIS2
OPTIONS_FILE_UNSET+=RTMP
OPTIONS_FILE_UNSET+=SET_MISC
OPTIONS_FILE_UNSET+=SFLOW
OPTIONS_FILE_UNSET+=SHIBBOLETH
OPTIONS_FILE_UNSET+=SLOWFS_CACHE
OPTIONS_FILE_UNSET+=SMALL_LIGHT
OPTIONS_FILE_UNSET+=SRCACHE
OPTIONS_FILE_UNSET+=X11
OPTIONS_FILE_UNSET+=XSS
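As an added example (not part of the post above, and not FreeBSD's own tooling), a small checker for a make.conf like this one. It makes two points the post does not: the first list mixes nginx's own lowercase module names (gzip_static, ssl, ...) into OPTIONS_FILE_UNSET, where the ports framework only matches the port's uppercase OPTIONS names and silently ignores anything else; and a few of the uppercase names (HTTP, HTTP_SSL) would leave the build unable to serve an HTTPS site at all. The make.conf excerpt and the "required for HTTPS" table are constructed here from the post's own entries.

```python
import re

# Constructed excerpt in the style of the poster's make.conf (not their full file).
SAMPLE_MAKE_CONF = """
DEFAULT_VERSIONS+=ssl=libressl
OPTIONS_FILE_UNSET+=gzip_static
OPTIONS_FILE_UNSET+=ssl
OPTIONS_FILE_UNSET+=HTTP # why add this?
OPTIONS_FILE_UNSET+=HTTP_SSL # ssl
OPTIONS_FILE_UNSET+=HTTP_GZIP_STATIC # gzip_static
OPTIONS_FILE_UNSET+=HTTPV2
"""

# www/nginx port OPTIONS (names as they appear in the post) whose removal conflicts
# with the stated goal of a TLS-only static site. The explanations are assumptions
# written for this example, not text from the post.
CHECK_FOR_HTTPS_STATIC = {
    "HTTP": "removes the whole http module; nginx could not serve web pages at all",
    "HTTP_SSL": "removes TLS in nginx; only acceptable if HAProxy terminates TLS "
                "instead of passing SNI connections through to nginx",
}

# make(1) treats '#' as a comment even after a value, so stop capturing there.
ASSIGN = re.compile(r"^\s*OPTIONS_FILE_UNSET\s*\+?=\s*([^#]*)")

def parse_unset(text):
    """Return the OPTIONS_FILE_UNSET names in file order, comments stripped."""
    names = []
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            names.extend(m.group(1).split())
    return names

def lint_unset(names):
    """Classify each name: 'ignored' (not a ports OPTION name, so it has no effect),
    'check-https' (conflicts with an HTTPS-only site), or 'ok'."""
    findings = []
    for name in names:
        # Port OPTIONS are declared uppercase in OPTIONS_DEFINE; lowercase nginx
        # configure-time module names never match and are dropped silently.
        if not re.fullmatch(r"[A-Z][A-Z0-9_]*", name):
            findings.append((name, "ignored", "lowercase nginx module name, not a ports OPTION"))
        elif name in CHECK_FOR_HTTPS_STATIC:
            findings.append((name, "check-https", CHECK_FOR_HTTPS_STATIC[name]))
        else:
            findings.append((name, "ok", ""))
    return findings

if __name__ == "__main__":
    for name, verdict, note in lint_unset(parse_unset(SAMPLE_MAKE_CONF)):
        print(f"{name:20} {verdict:12} {note}")
```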