Skip to content

Powered by Grav

Web tier (Nginx) internals

Web tier (Nginx) internals

How BOA assembles the web tier from four cooperating Nginx layers, from static config templates to the per-request edge-policy guard chain.

BOA serves every site through Nginx; Apache is not supported and there is no .htaccess layer. The web tier is assembled from four cooperating layers, and this section documents the operator-relevant internals of each:

  • exact paths
  • template files
  • control variables
  • the render order that decides which rule wins

The four layers, from static foundation to per-request enforcement:

  1. Static config templates that barracuda deploys at install and on every upgrade from boa-private/aegir/conf/nginx/nginx.conf, the init script, the shared SSL/cache/high-load fragments, and the SQL-admin vhost set.
  2. The Provision-rendered master http{} config, emitted into /var/aegir/config/ by server.tpl.php when a platform or site is verified. This is where the log format, the rate-limit zones, the realip plumbing, and every map/geo definition actually live — none of them are in the static template set.
  3. Per-site / per-platform custom rewrites that operators add through the nginx_vhost_include.conf / nginx_force_include.conf drop points.
  4. The edge-policy guard chain rendered into the per-vhost include by Inc/vhost_include.tpl.php — the per-class AI bot maps, the universal secret-path deny, the forged-token block, and the per-vendor rate limits.

The runtime vhost generator that ties layers 1–4 together lives in boa-private/lib/functions/nginx.sh.inc and emits one vhost per site under /var/aegir/config/server_master/nginx/vhost.d/ on each Verify.

The pages below document each layer in turn: the operator rewrite and location include points, the config templates and the rendered master http config, SSL operations, 502/504 and high-load debugging, and the edge-policy guard chain.

Cross-cutting

  • The IDS log scorer (scan_nginx), the $is_banned geo, the asset/content-chain flood maps and the CSF ban pipeline are the abuse layer, documented in Abuse guard. This section covers the edge policy (who is classified/allowed/dropped); the abuse guard covers the detection and ban enforcement that backs it.
  • Kernel/connection-flood mitigation (SYNPROXY, CSF) is in Security.
  • Per-site PHP-FPM version selection and pool sizing — which FPM pool a vhost proxies to — is in PHP-FPM & performance.

See the Reference appendix for the consolidated variable and command tables, and Discontinued features for web-tier tools and models that have been dropped.

© 2026 BOA Documentation. All rights reserved.