Web tier (Nginx) internals

BOA serves every site through Nginx; Apache is not supported and there is no .htaccess layer. The web tier is assembled from four cooperating layers, and this section documents the operator-relevant internals of each — exact paths, template files, control variables, and the render order that decides which rule wins.

The four layers, from static foundation to per-request enforcement:

  1. Static config templates that barracuda deploys at install and on every upgrade from boa-private/aegir/conf/nginx/nginx.conf, the init script, the shared SSL/cache/high-load fragments, and the SQL-admin vhost set.
  2. The Provision-rendered master http{} config, emitted into /var/aegir/config/ by server.tpl.php when a platform or site is verified. This is where the log format, the rate-limit zones, the realip plumbing, and every map/geo definition actually live — none of them are in the static template set.
  3. Per-site / per-platform custom rewrites that operators add through the nginx_vhost_include.conf / nginx_force_include.conf drop points.
  4. The edge-policy guard chain rendered into the per-vhost include by Inc/vhost_include.tpl.php — the per-class AI bot maps, the universal secret-path deny, the forged-token block, and the per-vendor rate limits.

The runtime vhost generator that ties layers 1–4 together lives in boa-private/lib/functions/nginx.sh.inc and emits one vhost per site under /var/aegir/config/server_master/nginx/vhost.d/ on each Verify.

Pages

  • Custom rewrites & location blocks — the two operator include points (nginx_vhost_include.conf, nginx_force_include.conf), their exact post.d drop directories, where in the rendered vhost each lands, and the location / rewrite recipes that survive upgrades.
  • Config templates — the static aegir/conf/nginx/ file set, where each lands on disk, the Provision-rendered master http{} config (log format, rate-limit zones), HTTP/3 + KTLS rollout, and the SQL-admin subdomain vhost set.
  • SSL operations — the Let's Encrypt cert tree and daily renewal cadence, replacing an LE cert with a custom OV/EV/wildcard cert via the don't-overwrite marker, and the per-cert dont-overwrite control file.
  • Nginx debugging — diagnosing 502/504 against the real FPM socket and log paths, the high-load 503 reduced-feature mode, and the redirect-to-/install.php loop after a clone-then-migrate.
  • Edge policy — the per-class AI bot maps and default actions, the per-vendor rate-limit zones, real-client-IP recovery behind Cloudflare, the universal secret-path deny, the per-site policy.txt flips, and the shared Nginx reload lock.

Cross-cutting

  • The IDS log scorer (scan_nginx), the $is_banned geo, the asset/content-chain flood maps and the CSF ban pipeline are the abuse layer, documented in Abuse guard. This section covers the edge policy (who is classified/allowed/dropped); the abuse guard covers the detection and ban enforcement that backs it.
  • Kernel/connection-flood mitigation (SYNPROXY, CSF) is in Security.
  • Per-site PHP-FPM version selection and pool sizing — which FPM pool a vhost proxies to — is in PHP-FPM & performance.

See the Reference appendix for the consolidated variable and command tables, and Discontinued features for web-tier tools and models that have been dropped.