This cookbook allows you to manage custom configurations within the nginx "common" directory on EngineYard Classic Cloud.
It is directly applicable to "solo" and "app" instances, and it coveres the following nginx files:
- common/servers.conf
- common/proxy.conf
It does the following for each of those files:
- Apply customizations
- Create a "keep" file so the main chef will not change the file
The common/servers.conf
file is configured via a handful of attributes. Specifically, one can easily configure the global client_max_body_size
, and one can configure a list of HTTP verbs that are allowed for use on the server (non-whitelisted verbs being rejected via status 403).
One can use the cookbook's client_max_body_size
attribute to raise or lower the maximum size of a request that a client can make. Most typically, this is used to increase the maximum size of a file that a user can upload. If this value is not configured, it defaults to "100M"
# attributes/default.rb
default[:nginx_common] = {
:servers => {
:client_max_body_size => '100M'
}
}
In an effort to increase application security (or, at the least, reduce the app attack surface size a bit), one can use a verb whitelist to refuse requests for verbs that are not allowed. This functionality must be enabled via default[:common_server][:http_white_list][:enabled]
, and the whitelist itself (default[:common_server][:http_white_list][:accepted_verbs]
) is an array of HTTP verbs.
By default, the whitelist is not enabled.
# attributes/default.rb
default[:nginx_common] = {
:servers => {
:http_white_list => {
# Enable the whitelist
:enabled => true,
# Accept an incredibly small subset of verbs
:accepted_verbs => [
'GET',
'POST',
'PUT'
]
}
}
}
The common/proxy.conf file is configured via a handful of attributes. Specifically, one can easily configure the global proxy_max_temp_file_size
, proxy_connect_timeout
, proxy_read_timeout
, proxy_send_timeout
, and time formatting for the X-Queue-Start header
As of version 1.2.7, nginx supports millisecond time resolution, so the X-Queue-Start header should be expressed in terms of milliseconds. Unfortunately, this cookbook cannot detect the version of nginx that is installed, so this must be set manually. It has no default, instead raising an error if the feature is not explicitly enabled/disabled.
# attributes/default.rb
# use_msec_time is true to enable, false to disable
default[:nginx_common] = {
:proxy => {
:use_msec_time => true
}
}
Set the global proxy_max_temp_file_size
, which defaults to 0 if not specified.
# attributes/default.rb
default[:nginx_common] = {
:proxy => {
:max_temp_file_size => 0
}
}
Set the global proxy_connect_timeout
. If not configured, the default nginx setting will be used.
# attributes/default.rb
default[:nginx_common] = {
:proxy => {
:connect_timeout => 300
}
}
Set the global proxy_read_timeout
. If not configured, the default nginx setting will be used.
# attributes/default.rb
default[:nginx_common] = {
:proxy => {
:read_timeout => 300
}
}
Set the global proxy_send_timeout
. If not configured, the default nginx setting will be used.
# attributes/default.rb
default[:nginx_common] = {
:proxy => {
:send_timeout => 300
}
}
Tying it all together, here's an example that uses all of the nginx_common
customizations:
# attributes/default.rb
default[:nginx_common] = {
:proxy => {
:use_msec_time => true,
:max_temp_file_size => 0,
:connect_timeout => 300,
:send_timeout => 300,
:read_timeout => 300
},
:servers =>
:client_max_body_size => '500M',
:http_white_list => {
:enabled => true,
:accepted_verbs => [
'ACL',
'BASELINE-CONTROL',
'CHECKIN',
'CHECKOUT',
'CONNECT',
'COPY',
'DELETE',
'GET',
'HEAD',
'LABEL',
'LOCK',
'MERGE',
'MKACTIVITY',
'MKCOL',
'MKWORKSPACE',
'MOVE',
'OPTIONS',
'ORDERPATCH',
'PATCH',
'POST',
'PROPFIND',
'PROPPATCH',
'PUT',
'REPORT',
'SEARCH',
'TRACE',
'UNCHECKOUT',
'UNLOCK',
'UPDATE',
'VERSION-CONTROL'
]
}
}
}