========================
 Running Horde on nginx
========================

`nginx`_ is a high-performance web server. Unlike Apache and lighttpd, nginx
needs an external helper to execute PHP scripts.

.. _`nginx`: http://nginx.org

nginx uses the concept of include directories. You may find a file
/etc/nginx/nginx.conf containing a statement::

    http {
        include conf.d/*;
        include sites-enabled/*;
    }

That means any file in /etc/nginx/sites-enabled/ will be used as a
configuration file, too. So I put my configuration in
/etc/nginx/sites-enabled/horde.example.org::

    server {
        # assume correct DNS settings
        # - horde.example.org = 192.0.2.1 and 2001:db8::1
        # - 1.2.0.192.in-addr.arpa. = horde.example.org
        # - 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa = horde.example.org
        # note: nginx 1.9.5 and later replaced "spdy" with "http2"
        listen 192.0.2.1:443 ssl spdy;
        listen [2001:db8::1]:443 ssl spdy;
        server_name horde.example.org;

        # minimum ssl stuff
        ssl_certificate /etc/ssl/horde.example.org/cert+intermediate.pem;
        ssl_certificate_key /etc/ssl/horde.example.org/key.pem;

        # optional: see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
        add_header strict-transport-security "max-age=31536000";
        add_header x-frame-options "sameorigin";
        add_header x-xss-protection "1; mode=block";
        add_header x-content-type-options "nosniff";

        root /path/to/horde/;
        index index.php;

        client_max_body_size 8m; # allow bigger attachments, default is 1m

        location / {
            # Ruud Baart
            # support for activesync
            # works for me with Outlook 2013 and Android 5.0.1 but not good enough!
            # needs modification
            location /Microsoft-Server-ActiveSync {
                alias /path/to/horde/rpc.php;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/phpcgi/socket;
                include /etc/nginx/fastcgi.conf;
                fastcgi_intercept_errors on;
                fastcgi_read_timeout 640;
            }

            location /autodiscover/autodiscover.xml {
                alias /path/to/horde/rpc.php;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/phpcgi/socket;
                include /etc/nginx/fastcgi.conf;
            }

            location /Autodiscover/Autodiscover.xml {
                alias /path/to/horde/rpc.php;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/phpcgi/socket;
                include /etc/nginx/fastcgi.conf;
            }

            location /.well-known/caldav {
                alias /path/to/horde/rpc.php;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/phpcgi/socket;
                include /etc/nginx/fastcgi.conf;
            }

            location /.well-known/carddav {
                alias /path/to/horde/rpc.php;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/phpcgi/socket;
                include /etc/nginx/fastcgi.conf;
            }

            location ^~ /static/ {
                expires 4w;
                add_header Cache-Control public;
            }

            location ^~ /themes/ {
                expires 4w;
                add_header Cache-Control public;
            }

            location ^~ /services/ajax.php {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/phpcgi/socket;
                include /etc/nginx/fastcgi.conf;
            }

            location ^~ /wicked/ {
                if (!-f $request_filename) {
                    rewrite ^/wicked/(.+)$ /wicked/display.php?page=$1&$query_string last;
                    break;
                }
            }

            location ~ \.php {
                fastcgi_pass unix:/var/run/phpcgi/socket;
                include /etc/nginx/fastcgi.conf;
            }

            try_files $uri $uri/ /rampage.php?$args;
        }
    }

The file /etc/nginx/fastcgi.conf is included in default nginx installations.
The socket /var/run/phpcgi/socket is created by a separate PHP process. The
name of the socket can differ between Linux/Unix distributions. For instance,
Debian uses /var/run/php5-fpm.sock. The important thing: nginx must have write
access to the socket. So it's best to run nginx and PHP with the same uid.

I like to run such processes supervised, i.e. not forking into the background,
with a script like this::

    #!/bin/sh
    exec < /dev/null
    exec 2>&1

    # still root now
    # create the directory for the socket to allow the non-root user to create the socket
    install -d -o www-run -g root -m 0700 /var/run/phpcgi/
    rm -f /var/run/phpcgi/socket

    cd /empty
    exec env - setuidgid www-run /usr/bin/php5-cgi --bindpath /var/run/phpcgi/socket --no-chdir

setuidgid belongs to a toolchain from djb. `It simply switches to the given uid`_.

.. _`It simply switches to the given uid`: http://cr.yp.to/daemontools/setuidgid.html

**ATTENTION: this is the first configuration published here. It works, but it
is assumed to need optimization.**
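
Added example, not part of the original Horde configuration: nginx inherits ``add_header`` directives from the enclosing level only when the current level defines none, so the ``/static/`` and ``/themes/`` locations above, which set ``Cache-Control``, do not send the server-level security headers. The sketch below reports such locations for a constructed, trimmed copy of the server block; the parser and the function names are this example's own assumptions.

```python
import re

# Constructed sample: the server block above reduced to the directives that
# matter for header inheritance (an assumption of this example).
SAMPLE = r'''
server {
    add_header strict-transport-security "max-age=31536000";
    add_header x-frame-options "sameorigin";
    add_header x-content-type-options "nosniff";
    location / {
        location ^~ /static/ { expires 4w; add_header Cache-Control public; }
        location ~ \.php { fastcgi_pass unix:/var/run/phpcgi/socket; }
    }
}
'''
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def parse(tokens):
    """Build {'headers': [names], 'children': [(block name, block)]} from a token iterator."""
    block, words = {"headers": [], "children": []}, []
    for tok in tokens:
        if tok == "{":                      # nested block: recurse on the same iterator
            block["children"].append((" ".join(words), parse(tokens)))
            words = []
        elif tok == "}":
            break
        elif tok == ";":                    # end of a simple directive
            if len(words) > 1 and words[0] == "add_header":
                block["headers"].append(words[1].strip('"').lower())
            words = []
        else:
            words.append(tok)
    return block

def dropped(block, inherited=(), name=""):
    """List (block name, inherited headers that block no longer sends)."""
    own = block["headers"]
    missing = sorted(set(inherited) - set(own)) if own else []
    found = [(name, missing)] if missing else []
    effective = own or list(inherited)      # any add_header here replaces the inherited set
    for child_name, child in block["children"]:
        found += dropped(child, effective, child_name)
    return found

def audit(conf_text):
    """Naive audit: strips # comments, ignores include files and quoted braces."""
    return dropped(parse(iter(TOKEN.findall(re.sub(r"#[^\n]*", "", conf_text)))))

if __name__ == "__main__":
    for location, headers in audit(SAMPLE):
        print(f"{location}: not sent -> {', '.join(headers)}")
```

Repeating the server-level ``add_header`` lines inside each reported location restores those headers there.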