Web tier (Nginx) internals
BOA serves every site through Nginx; Apache is not supported and there is
no .htaccess layer. The web tier is assembled from four cooperating
layers, and this section documents the operator-relevant internals of each
— exact paths, template files, control variables, and the render order
that decides which rule wins.
The four layers, from static foundation to per-request enforcement:
- Static config templates that
barracudadeploys at install and on every upgrade fromboa-private/aegir/conf/nginx/—nginx.conf, the init script, the shared SSL/cache/high-load fragments, and the SQL-admin vhost set. - The Provision-rendered master
http{}config, emitted into/var/aegir/config/byserver.tpl.phpwhen a platform or site is verified. This is where the log format, the rate-limit zones, the realip plumbing, and everymap/geodefinition actually live — none of them are in the static template set. - Per-site / per-platform custom rewrites that operators add through
the
nginx_vhost_include.conf/nginx_force_include.confdrop points. - The edge-policy guard chain rendered into the per-vhost include by
Inc/vhost_include.tpl.php— the per-class AI bot maps, the universal secret-path deny, the forged-token block, and the per-vendor rate limits.
The runtime vhost generator that ties layers 1–4 together lives in
boa-private/lib/functions/nginx.sh.inc and emits one vhost per site under
/var/aegir/config/server_master/nginx/vhost.d/ on each Verify.
Pages
- Custom rewrites & location blocks — the two
operator include points (
nginx_vhost_include.conf,nginx_force_include.conf), their exactpost.ddrop directories, where in the rendered vhost each lands, and thelocation/rewriterecipes that survive upgrades. - Config templates — the static
aegir/conf/nginx/file set, where each lands on disk, the Provision-rendered masterhttp{}config (log format, rate-limit zones), HTTP/3 + KTLS rollout, and the SQL-admin subdomain vhost set. - SSL operations — the Let's Encrypt cert tree and
daily renewal cadence, replacing an LE cert with a custom OV/EV/wildcard
cert via the don't-overwrite marker, and the per-cert
dont-overwritecontrol file. - Nginx debugging — diagnosing 502/504 against the
real FPM socket and log paths, the high-load 503 reduced-feature mode, and
the redirect-to-
/install.phploop after a clone-then-migrate. - Edge policy — the per-class AI bot maps and default
actions, the per-vendor rate-limit zones, real-client-IP recovery behind
Cloudflare, the universal secret-path deny, the per-site
policy.txtflips, and the shared Nginx reload lock.
Cross-cutting
- The IDS log scorer (
scan_nginx), the$is_bannedgeo, the asset/content-chain flood maps and the CSF ban pipeline are the abuse layer, documented in Abuse guard. This section covers the edge policy (who is classified/allowed/dropped); the abuse guard covers the detection and ban enforcement that backs it. - Kernel/connection-flood mitigation (SYNPROXY, CSF) is in Security.
- Per-site PHP-FPM version selection and pool sizing — which FPM pool a vhost proxies to — is in PHP-FPM & performance.
See the Reference appendix for the consolidated variable and command tables, and Discontinued features for web-tier tools and models that have been dropped.