Web tier (Nginx) internals
How BOA assembles the web tier from four cooperating Nginx layers, from static config templates to the per-request edge-policy guard chain.
BOA serves every site through Nginx; Apache is not supported and there is
no .htaccess layer. The web tier is assembled from four cooperating
layers, and this section documents the operator-relevant internals of each:
- exact paths
- template files
- control variables
- the render order that decides which rule wins
The four layers, from static foundation to per-request enforcement:
- Static config templates that
barracudadeploys at install and on every upgrade fromboa-private/aegir/conf/nginx/—nginx.conf, the init script, the shared SSL/cache/high-load fragments, and the SQL-admin vhost set. - The Provision-rendered master
http{}config, emitted into/var/aegir/config/byserver.tpl.phpwhen a platform or site is verified. This is where the log format, the rate-limit zones, the realip plumbing, and everymap/geodefinition actually live — none of them are in the static template set. - Per-site / per-platform custom rewrites that operators add through
the
nginx_vhost_include.conf/nginx_force_include.confdrop points. - The edge-policy guard chain rendered into the per-vhost include by
Inc/vhost_include.tpl.php— the per-class AI bot maps, the universal secret-path deny, the forged-token block, and the per-vendor rate limits.
The runtime vhost generator that ties layers 1–4 together lives in
boa-private/lib/functions/nginx.sh.inc and emits one vhost per site under
/var/aegir/config/server_master/nginx/vhost.d/ on each Verify.
The pages below document each layer in turn: the operator rewrite and location include points, the config templates and the rendered master http config, SSL operations, 502/504 and high-load debugging, and the edge-policy guard chain.
Cross-cutting
- The IDS log scorer (
scan_nginx), the$is_bannedgeo, the asset/content-chain flood maps and the CSF ban pipeline are the abuse layer, documented in Abuse guard. This section covers the edge policy (who is classified/allowed/dropped); the abuse guard covers the detection and ban enforcement that backs it. - Kernel/connection-flood mitigation (SYNPROXY, CSF) is in Security.
- Per-site PHP-FPM version selection and pool sizing — which FPM pool a vhost proxies to — is in PHP-FPM & performance.
See the Reference appendix for the consolidated variable and command tables, and Discontinued features for web-tier tools and models that have been dropped.
Custom rewrites & location blocks
How to add per-site rewrites, redirects, and custom location blocks through the two operator include files that survive upgrades, and where each lands in the rendered vhost.
Config templates — static set, master http config, HTTP/3
The two Nginx template surfaces: the static config set BOA copies verbatim, and the Provision-rendered master http config that holds the log format and the rate-limit zones.
SSL operations — LE renewal, custom certs
How BOA issues and renews Let's Encrypt certificates from the nightly run, the daily renewal cadence and failure reporting, and how to install a custom OV/EV or wildcard cert.
Nginx debugging — 502/504, high-load 503, install loops
Diagnosing three Nginx failure modes with BOA's real socket and log paths: 502/504 against PHP-FPM, the high-load 503 reduced-feature mode, and the redirect loop to install.php.
Edge policy — AI bot policy, real client IP, secret-path deny
BOA's Nginx edge policies before PHP-FPM: the per-class AI bot maps, per-vendor rate limits, Cloudflare real-client-IP recovery, secret-path deny, and per-site policy.txt flips.