How to Create a Reusable Config to Include in Custom Snippets

Working With Includes

In Nginx you can use the include statement to avoid duplicate configuration for multiple locations. This can be very useful to keep your configuration files tidy and clear. In this article we describe some options.

Create a Whitelist

If you work with additional applications like Magmi or PHPMyAdmin on a different domain or over ssl, a reusable whitelist or basic auth file can make things much easier, as you only need to manage a single file instead of one for every additional location.

When a new developer joins or when the office IP of your organization changes, you can easily change the config without the need to grep for allow statements or multiple basic_auth files.

Create a Configuration Include File

First we need to create a file that we can include in other locations. We use the include.* extension, as these files are not included anywhere in the Nginx config, but can still be used in /data/web/nginx, for example ‘include.whitelist’:

allow 1.2.3.4;
allow 2.3.4.5;
allow 6.6.6.6;
deny all;

This creates the include file we can use for denying access to IP’s other then the ones defined.

When the whitelist is created, the nginx-config-reloader, the daemon that runs on all Hypernodes and detects config changes. This tool moves all config with a correct syntax to /etc/nginx/app.

Therefore if we want to include the whitelist in our config snippets, we should use the location /etc/nginx/app/include.whitelist.

Use the Whitelist Include File

If you want to use the whitelist, you can include it in custom locations:

location ~* /magmi($|/) {
    include /etc/nginx/app/include.whitelist;

    location ~ \.php$ {
        echo_exec @phpfpm;
    }
}

Using this construction, you don’t need to update every location when another IP is added to the whitelist: just add it to the include file that is used in all locations.

Configure Basic Auth for Multiple Locations

Create a Basic Auth Config File

In case you haven’t created a basic auth password file, do this first.

In this example we use the password file that is automagically created on Hypernode Development nodes: /data/web/nginx/htpasswd-development.

Include the Configuration File in Custom Snippets

If you want to use the same configuration for multiple locations without duplicate configuration, use the following snippet:

auth_basic "Restricted area - Use the password provided by the project manager";
auth_basic_user_file /data/web/nginx/htpasswd-development;

Save this file as /data/web/nginx/include.basic_auth

Now if you want to include the snippet you can include it in your custom location snippets:

location ~* /magmi($|/) {
    include /etc/nginx/app/include.whitelist;
    include /etc/nginx/app/include.basic_auth;

    location ~ \.php$ {
        echo_exec @phpfpm;
    }
}

Make sure you only include files from /etc/nginx/app and NOT from /data/web/nginx!

Use on Staging Environment

As the include.* files are not used in our standard Hypernode configuration as with the http.*, public.*, staging.* and server.* configuration files, but only used in your own custom configuration, they can safely be reused in the staging configuration as well.

Recommendations

  • Filenames are not that important because these include.*snippets are only included in your own configuration and not in the global Nginx config. Just make sure they don’t start with:

    • staging.*

    • server.*

    • public.*

    • http.*

  • You can use include.justarandomname but to keep it easy, choose a logical name.

  • It is not possible to use variables that are set at request time with includes. IE: you cannot map files and use include $filename;