Running a high‑traffic site means every millisecond counts — and every vulnerability matters. In this post, I’ll share the exact Nginx tweaks I use on Sajber Sfera to keep things fast, secure, and resilient.
The Problem
My Nginx logs were full of botnet exploit scans, and my time to first byte (TTFB) was creeping up under load.
I needed to:
Block malicious requests without breaking legitimate traffic.
Reduce server response time.
Keep configs rollback‑safe and update‑proof.
The Approach
- Harden Nginx
Drop requests for disallowed PHP files:

```nginx
# Only the listed entry points may reach PHP; anything else ending in .php is
# answered with 444 (nginx closes the connection without sending a response).
# The location regex (~*) is case-insensitive; the two allow-list regexes (~) are not.
location ~* \.php$ {
    set $block_php 1;
    if ($uri ~ "^/wp-admin/") { set $block_php 0; }
    if ($uri ~ "^/index\.php$") { set $block_php 0; }
    if ($block_php) { return 444; }
    # The PHP handler for allowed requests (fastcgi_pass and friends) belongs here;
    # it is not shown in the original snippet.
}
```
Blocks common exploit probes.
Allows only safe PHP entry points.
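Before a rule like this goes live, it pays to replay a day of access logs against the same logic and see exactly what it would have cut off. The script below is an added example written for this post, not part of the original configuration: it reimplements the location block's decision in Python (case-insensitive `.php` match on the normalised path, the two case-sensitive allow-list regexes, 444 for everything else) and runs it over a handful of constructed log lines in nginx's default combined format. The addresses, paths and timestamps in the sample are made up, and the percent-decoding is an approximation of nginx's `$uri` normalisation.

```python
"""Replay nginx access-log lines against the PHP allow/deny rule before deploying it.

Reimplements the decision logic of the location block (regex on the path,
allow-list of entry points, everything else answered with 444) so the effect
on real traffic can be inspected offline.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in nginx's default "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.8 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-content/plugins/old-plugin/readme.PHP HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /%69ndex.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2024:12:00:06 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Mar/2024:12:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# combined format: remote_addr - remote_user [time] "request" status bytes "referer" "user_agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Mirrors of the three regexes in the location block.
PHP_LOCATION = re.compile(r"\.php$", re.IGNORECASE)   # location ~* \.php$
ALLOW_PREFIX = re.compile(r"^/wp-admin/")              # if ($uri ~ "^/wp-admin/")
ALLOW_INDEX = re.compile(r"^/index\.php$")             # if ($uri ~ "^/index\.php$")


def normalized_uri(target: str) -> str:
    """Approximate nginx's $uri: drop the query string, percent-decode, merge slashes.

    nginx also resolves '.' and '..' segments; that is left out here, which is
    close enough for replaying logs (this is an approximation, not nginx's code).
    """
    path = target.split("?", 1)[0]
    path = unquote(path)
    return re.sub(r"/{2,}", "/", path)


def decide(uri: str) -> str:
    """'pass' if the request never enters the PHP location, 'allow' if it is on
    the allow-list, 'block' if nginx would answer it with 444."""
    if not PHP_LOCATION.search(uri):
        return "pass"
    if ALLOW_PREFIX.search(uri) or ALLOW_INDEX.search(uri):
        return "allow"
    return "block"


def replay(log_text: str) -> dict:
    """Classify every parsable log line; returns the normalised paths per verdict."""
    result = {"pass": [], "allow": [], "block": [], "unparsed": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            result["unparsed"] += 1
            continue
        uri = normalized_uri(m.group("target"))
        result[decide(uri)].append(uri)
    return result


if __name__ == "__main__":
    verdicts = replay(SAMPLE_LOG)
    for verdict in ("block", "allow", "pass"):
        print(f"{verdict:>5}: {len(verdicts[verdict])}")
        for uri in verdicts[verdict]:
            print(f"       {uri}")
    print(f"unparsed lines: {verdicts['unparsed']}")
```

Anything legitimate that lands in the block list has to be added to the allow-list before the rule is enabled; with the two allow regexes exactly as written above, a path such as /wp-login.php falls through to 444, which the replay makes visible. The encoded /%69ndex.php line shows why the check has to run on the decoded path: nginx matches on the normalised `$uri`, so encoding neither bypasses the rule nor breaks a legitimate request.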
- Enable Micro‑Caching
```nginx
# http context: a 10 MB key zone, at most 100 MB on disk, entries evicted after
# 60 minutes without a hit.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=microcache:10m max_size=100m inactive=60m;
proxy_cache_key "$scheme$request_method$host$request_uri";

# server context
location / {
    proxy_cache microcache;
    proxy_cache_valid 200 1s;   # micro-cache: identical hits within one second share one upstream call
    proxy_cache_valid 404 1s;
    # proxy_pass to the upstream (not shown in the original) goes here.
    # The key above ignores cookies, so for a CMS with logins add proxy_no_cache /
    # proxy_cache_bypass on the session cookie; otherwise a personalised page can be
    # served to the next visitor within that second.
}
```
Serves repeated requests instantly.
Reduces PHP‑FPM load.
- Optimize SSL
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers selects TLS 1.2 suites only. The TLS 1.3 suites named in the original
# (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256) are not chosen through this
# directive in OpenSSL-based builds; they are enabled by default once TLSv1.3 is
# allowed. Listing only those names leaves TLS 1.2 clients with no matching cipher,
# so forward-secret AEAD suites for TLS 1.2 are listed here instead.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers on;
```
Modern, secure cipher suites.
TLS 1.3 for faster handshakes.
The Results
TTFB dropped from ~450 ms to ~120 ms under load.
Blocked hundreds of exploit scans per day.
Stable configs that survive updates.
For more guides and examples, visit this link.