The complete WordPress + NGINX + PHP-FPM setup for Debian and Ubuntu: server block config, pool tuning, FastCGI caching for anonymous traffic, Redis object cache, Brotli compression, and security hardening with ModSecurity and Snuffleupagus.
NGINX load balancing distributes traffic across multiple backends with automatic failover. This guide covers all five load balancing algorithms, passive health checks, keepalive connection pooling, backup servers, and TCP/UDP load balancing.
A reverse proxy puts NGINX in front of your Node.js, Python, or PHP backend — handling SSL termination, caching, buffering, and security. This guide covers proxy_pass, upstream keepalive, caching, WebSocket proxying, and security headers.
NGINX rate limiting with limit_req_zone stops credential stuffing, scrapers, and DDoS floods before they reach your application. This guide covers burst handling, per-endpoint limits, IP whitelisting, WordPress-specific config, and Redis-backed cross-server limiting.
Brotli achieves 15-26% better compression than gzip on HTML, CSS, and JavaScript. This guide covers installing the NGINX Brotli module, configuring on-the-fly compression, pre-compressing static assets at level 11, and running Brotli alongside gzip.
Debian 13 Trixie brings GCC 14, OpenSSL 3.3, PHP 8.4, systemd 256, and a newer Linux kernel. Here is what each change means for your NGINX and Angie setup, with a complete upgrade checklist.
Version 1.29.8 — 2026-05-12. Changes: Full rebuild and backport with latest Mainline. Merged with the source package from Debian Trixie in November…
PHP-Snuffleupagus blocks dangerous functions, eval(), remote file inclusion and cookie theft inside the PHP interpreter itself — where a WAF can’t reach. Full installation, WordPress-specific rules, per-pool config, and production tuning guide.
A complete Postfix + Dovecot + Rspamd mail server on Debian 12 and 13 — with TLS, DKIM, SPF, DMARC, spam filtering, virtual mailboxes, security hardening, and a 10/10 score on mail-tester.com. No shortcuts.
This post has been consolidated into the complete Angie guide.
ModSecurity v3 with the OWASP CRS blocks SQL injection, XSS, shell injection, and scanner traffic at the HTTP layer. This guide covers installation, CRS paranoia levels, WordPress tuning, false positive handling, and performance impact.
NGINX beats Apache at static files and high concurrency; Apache wins on .htaccess flexibility and legacy app compatibility. Benchmark tables for static files, PHP-FPM, TLS handshakes, and memory under load.
HTTP/3 runs on QUIC over UDP, eliminating TCP head-of-line blocking and enabling 0-RTT connection resumption. This guide covers installation, configuration, 0-RTT security, load balancer setup, and performance tuning.
Version 4.0.0 — 2026-05-12. Changes: MIGRATION TO OpenSSL 4.0.0 (2026-05-12): Upgraded from OpenSSL 3.5.6 to OpenSSL 4.0.0; Session lookup callback…
We just upgraded our openssl-nginx package from OpenSSL 3.x to OpenSSL 4.0. This guide explains what openssl-nginx is, what changed in version 4.0, the real pros and cons of upgrading, and how to do it safely on your Debian or Ubuntu server.
zstd is the fastest compression algorithm for web servers today — but the nginx module that adds it had 22 bugs hiding inside, including a buffer overflow and silent data truncation at exactly 128 KB. We found them, fixed them, and built a CI pipeline to keep it that way. Here’s everything explained in plain language.
Everything about Angie in one place: what it adds over NGINX (native ACME, JSON API, dynamic upstreams, monthly releases), how it performs, how to migrate from NGINX in five minutes, full ACME certificate setup, Prometheus monitoring, and a side-by-side comparison with NGINX Plus.
Nazi Germany built a cipher machine with 158 quintillion possible settings and called it unbreakable. They were wrong. Here’s the full story of the Enigma machine, the brilliant misfits at Bletchley Park who cracked it, and why the whole thing matters for every padlock icon in your browser today.
ML-KEM (Kyber) is in OpenSSL 3.5. Chrome has shipped hybrid X25519+ML-KEM since 2024. Here is what post-quantum TLS actually is, why it matters before quantum computers exist, and exactly how to configure NGINX and Angie for hybrid PQC key exchange today.
Learn how to configure TLS for maximum security and achieve a perfect A+++ rating on SSLLabs. A comprehensive guide covering cipher selection, certificates, and cryptographic best practices.
Google PageSpeed was the magic module that automatically made your website faster — until Google quietly walked away from it. Here’s the full story: what PageSpeed actually did, why it’s now effectively dead on NGINX and Angie, and what you should use instead.
NGINX is the world’s most popular web server. Angie is what happens when the people who wrote NGINX decide to do it better. Here’s the complete 2026 feature comparison, performance breakdown, and migration guide — so you can make the call yourself.
Your server’s system OpenSSL juggles SSH, apt, Python, and your web server all at once. openssl-nginx says no to that. Here’s the dedicated OpenSSL built exclusively for NGINX and Angie — faster handshakes, post-quantum crypto, kernel TLS offload, zero legacy bloat.
docker-cms is a PHP 8.5 Docker container loaded with WP-CLI, Composer, Xdebug, database clients, and every tool you need to maintain and debug WordPress — without touching your live server.
The complete guide to building and running an optimised Nginx or Angie server on Debian and Ubuntu — HTTP/3, TLS 1.3, brotli, ModSecurity WAF, FastCGI caching, and eight layers of WordPress defence. Every directive explained.
NJS is NGINX’s built-in JavaScript engine — write real JavaScript that runs inside your web server at request time, with no Node.js, no external services, and microsecond latency.
The NGINX Lua module (ngx_http_lua) runs Lua/LuaJIT scripts inside NGINX worker processes — Redis rate limiting, JWT auth, LRU caching, dynamic routing, all without blocking a single request.
Most WAFs sit outside PHP and can be tricked. PHP-Snuffleupagus lives inside the PHP interpreter itself — blocking dangerous functions, SQL injection, XSS, type juggling, and deserialization attacks where attackers can’t reach. This is what defence in depth actually looks like.
nginx-minimal strips 12 unused static modules from NGINX while keeping HTTP/3, TLS 1.3, jemalloc, zlib-ng, and all 50+ dynamic modules. Smaller binary, smaller attack surface, same blazing speed. Perfect for WordPress, PHP-FPM, and Docker.
Debian deprecated nginx-core, nginx-full, and nginx-light. Don’t panic — the replacements are actually better. Here’s what happened, why it’s good news, and exactly what to install instead.