Since I'm using NGINX as the web server in front of Ghost, the information below is written for its configuration. It is easily adapted to whatever web server you are using; these are the tweaks I made to mine.
Security Headers
Adding response headers that harden your site, for example against cross-site scripting (XSS) and clickjacking, should be at the top of your list of things to add to the NGINX configuration, for your peace of mind.
I used this site to check how well I had implemented the headers. At the beginning it was all red, not that I expected it to be fine from the start. After the test, you get a table with the missing headers and an explanation of each one. Take the time to read what each header does.
So I proceeded with adding the missing headers in the configuration file related to my site.
Open the configuration file for your domain and go to the location block inside its server block. For myself, I had to add the following missing headers:
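As an added example (not the author's own list of headers, which is not reproduced here), this is a set of hardening headers as they would be written in an NGINX server block for a Ghost site. The values are assumptions to be adjusted per site; the `always` parameter is what makes NGINX send them on error responses as well as on 2xx/3xx.

```nginx
# Added example, not the page author's configuration.
# Place inside the server { } block that listens on 443.

# Stop the site being framed by other origins (clickjacking).
add_header X-Frame-Options "SAMEORIGIN" always;
# Stop browsers guessing a content type that differs from the declared one.
add_header X-Content-Type-Options "nosniff" always;
# Limit what the Referer header leaks to third parties.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# HSTS: only add this once HTTPS works everywhere, including subdomains
# if includeSubDomains is kept; max-age is one year in seconds.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# CSP is the header that actually constrains script execution (XSS).
# This policy is an assumption: a Ghost theme may load fonts, images or
# scripts from other hosts, so start with Content-Security-Policy-Report-Only,
# read the reports, then switch to the enforcing header below.
add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'" always;
```

Two caveats worth knowing before retesting: an `add_header` directive in a `location` block causes NGINX to inherit none of the `add_header` lines from the enclosing `server` level, so either keep them all at one level or repeat them; and the Ghost admin under `/ghost/` is a separate application that may need a looser CSP than the public site, so check it after enabling the policy rather than assuming it still works.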
Now retest. This time you'll like the results.
Enable HTTP/2
Many people think of HTTP/2 as a shiny, superior successor to HTTP/1. I do not share this opinion, and here’s why. HTTP/2 is actually just another transport layer for HTTP/1, which isn’t bad because as a result, you can use HTTP/2 without having to change your application – it works with the same headers. You can just switch on HTTP/2 in NGINX and NGINX will gently handle all the protocol stuff for you. - Valentin Bartenev of NGINX
With this in mind, locate the listen directives for port 443 in your config file. The first one is for IPv6 connections and the second one is for all IPv4 connections, so enable HTTP/2 on both while you're there.
Now that you've edited your config, it's a good time to check it before restarting NGINX. For that, you have to run
If everything's ok, reload NGINX web server with the following command:
To test your work, use the https://http2.pro/ web site. You should see this result:
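The two listen lines with HTTP/2 enabled, as an added example rather than the author's file; the server name and certificate paths are placeholders.

```nginx
# Added example, not the page author's configuration.
server {
    # HTTP/2 is negotiated over TLS via ALPN, so "ssl" must be present on the
    # same listen line (nginx built against OpenSSL 1.0.2 or newer).
    listen [::]:443 ssl http2;   # IPv6
    listen 443 ssl http2;        # IPv4

    server_name example.com;     # placeholder

    # Placeholder certificate paths.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:2368;   # Ghost's default listening port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate the file with `nginx -t` and reload with `systemctl reload nginx` (or `nginx -s reload`); a reload keeps existing connections open, unlike a restart. Besides the http2.pro site, `curl -sI --http2 https://example.com/` shows `HTTP/2 200` on the first line when negotiation succeeded and `HTTP/1.1 200` when it fell back. On nginx 1.25.1 and newer the `http2` parameter on `listen` is deprecated in favour of a separate `http2 on;` directive inside the server block.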
Enable NGINX caching
Yesterday evening, in my quest to push the Futro S900 thin client to its limits, I enabled caching with NGINX. In the last flood test that I ran, I saw that the requests were hitting Node.js hard and consumed a lot of CPU power to serve the website to a load of a hundred users. It just choked after 32 simultaneous connections. Enabling the NGINX cache means that the requests are now served by NGINX, and the Node.js server is left out of the game.
As you can see, the impact of caching is huge! I will run some additional tests, but as things look now, I'm assuming that only the network bandwidth can limit the website's performance. Enough with the talking, here's my complete configuration file for boratory.net:
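The author's configuration file is not reproduced here. As an added example that is not that file, the following shows the caching setup described above, built so that the cache serves anonymous readers from NGINX while never storing or replaying a logged-in user's responses. The cache path, sizes and lifetimes are assumptions; Ghost's default port 2368 is real.

```nginx
# Added example, not the page author's configuration.

# Cache store, defined at the http { } level. keys_zone holds the index in
# shared memory; inactive evicts entries nobody has requested for an hour.
proxy_cache_path /var/cache/nginx/ghost levels=1:2 keys_zone=ghost_cache:10m
                 max_size=200m inactive=60m use_temp_path=off;

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name example.com;   # placeholder
    # ssl_certificate / ssl_certificate_key as in your existing config.

    # Ghost admin and its API: responses are per user, so never cache them.
    location ~ ^/ghost/ {
        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Public site: served from the NGINX cache.
    location / {
        proxy_cache ghost_cache;
        proxy_cache_key "$scheme$request_method$host$request_uri";
        proxy_cache_valid 200 301 302 10m;
        proxy_cache_valid 404 1m;

        # Requests that carry credentials are personal: do not serve them from
        # the cache and do not store what comes back. NGINX also refuses by
        # default to cache any upstream response carrying Set-Cookie.
        proxy_cache_bypass $http_authorization $http_cookie;
        proxy_no_cache     $http_authorization $http_cookie;

        # Let one request refill an expired entry while others wait, and keep
        # serving stale pages if Node.js is slow or down.
        proxy_cache_lock on;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;

        # Exposes HIT / MISS / BYPASS / STALE so the cache can be checked with curl -I.
        add_header X-Cache-Status $upstream_cache_status;

        proxy_pass http://127.0.0.1:2368;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t` and a reload, two consecutive `curl -sI https://example.com/` calls should show `X-Cache-Status: MISS` then `HIT`; a request sent with a Cookie header should show `BYPASS`, which is the check that an authenticated view never ends up in the shared store.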
Drop a comment if something looks odd to you. I'm always fiddling with the configuration, but for the moment I'm pleased with the results.