support Nginx and MU sites?

Hi alexlii,

Thank you. ??

These are covered in more depth in the plugin documentation, but I’ll give you the short answer here.

1. There are different implementations of Nginx, so it depends on the type of install. The type of install we recommend for WordPress is a hybrid Nginx/Apache setup, with have Nginx as a reverse-proxy in front of an Apache server. WP-SpamShield is compatible with this type of setup.If your site is running a standalone Nginx setup, it will not be compatible. As noted in the plugin’s Minimum Requirements, your server must be configured to allow the use of an .htaccess file, which standalone Nginx does not have.
2. Yes it does work on Multisite. It should be noted that it must be activated individually per site, not network activated.

Keep in mind that if you’re running standalone Nginx, there are going to be a lot of limitations on what plugins you can use, as many use .htaccess and lose at least some functionality without it. We did a survey of top WordPress plugins and found that more than 40% of the top 20 plugins lost significant functionality on Nginx because it doesn’t use .htaccess. See this for more info on WP-SpamShield and Nginx. So just be aware of that.

Hope that info helps!

– Scott

According to this great article: Standalone Nginx servers and WordPress – you decide?

I believe it’s not a problem to run wp-spamshield on nginx standalone server.
I haven’t fully tested all the functions of wp-spamsheild, but I think it basically runs fine except for banning ip with .htaccess file method. (comments will still put into trash but request will send to server).

If you are BRAVE enough and want to try it out. Just modify wp-spamshield.php line 8152 (version 1.9.9) and remove “&& FALSE === $is_nginx“

if( ( $inst_plugins_get_test_1 === $get_page || TRUE === $activation ) && file_exists( $inst_file_test_0 ) && file_exists( $inst_file_test_3 ) && FALSE === $jscripts_blocked && $js_status != '500' ) {
    update_option( 'spamshield_install_status', 'correct' ); return TRUE;
} else {
    update_option( 'spamshield_install_status', 'incorrect' ); return FALSE;
}

after change, please deactivate and activate wp-spamshield plugin again. It will show ” Installation Status: Installed Correctly” now.

However, without .htaccess file, you should still deny sensitive file access via nginx configuration, in case insecure access to your configuration files like wp-config.php.

@wuboys

Unfortunately, that article contains inaccurate information and a flawed understanding of Nginx and Apache. I wonder…by chance, are you the author of the article?

The modifications you are suggesting are not recommended and will not make the plugin compatible with standalone Nginx installations. Also, the plugin will be overwritten every time it is updated.

My initial response above was correct and should be heeded. If it was possible to run it successfully on standalone Nginx, we would have coded it to do so. We already explored all possible options and carefully weighed the pros and cons. Every error message built into the plugin is there for good reason, and should be heeded.

We have clearly noted on the plugin’s minimum requirements and on the Known Issues and Plugin Conflicts page that the plugin is not compatible with standalone Nginx.

.htaccess does more than provide security. For example, it also can provide directives to control caching, among others.

The real issue though is that Nginx does not allow for a directory level configuration file, whereas, Apache does. (Even IIS has this.) This is a significant advantage of Apache over Nginx. Plugins are much more powerful when they can use this feature.

No matter what directives you add to your Nginx config, you won’t be able to make up for this.

We do not recommend hacking the plugin, nor do we provide support for hacked versions of the plugin.

If you would like to discuss further, or would like more detailed explanations, feel free to contact us via the WP-SpamShield Support page, and I’ll be happy to explain.

First, I have to clear that, I am not the author of that article. I am just some guy try to use your plugin without luck since I use standalone nginx.

The real issue though is that Nginx does not allow for a directory level configuration file, whereas, Apache does. (Even IIS has this.) This is a significant advantage of Apache over Nginx. Plugins are much more powerful when they can use this feature.

Yes, nginx doesn’t provide directory level configuration. So the real question here is:
Do we really need a directory level configuration for our webserver?

If you are running your application on a web hosting service, then the answer is yes since you can’t touch the global configuration file in apache.

However, if you are running it in a VPS or your own server. You have full control over configuration.In what situation do you need a directory level configuration?
You can always set up everything you need in your virtual host server configuration block, including rewrite, deny, and cache (http header) control rules.
The only situation only .htaccess can do is banning IP function because you may write denying ip rule into .htaccess file and you need hot-activation without restarting web server , so I suggest not to use it. But except that, I think most of functions are still workable.

IMHO, it’s just a conceptual disagreement between apache and nginx. NGINX doesn’t have .htaccess file not because it can’t implement it, it’s just not a good solution for nginx design concept. You can read “> this article for an official explanation from nginx. It compares the performance and telling you DON’T USE IT.

The distributed(directory level) configuration has it’s own pros and cons. Yes, it can load your rule immediately without restarting web server, but it’s slow because apache has to check the .htaccess file and apply the rules to the directory for EVERY request. Also, it give you directory level configuration which will override global configuration. It’s good for virtual host, but what if the owner use .htaccess file incorrectly? It may expose more security issue. I believe those who maintain a .htaccess file is merely a web developer, not an expert to administrate the server security and reliability.

Let’s go back to the question: Do we really need a directory level configuration for our webserver?

I use W3 Total cache plugin and apply the nginx configuration rule they provided in my standalone nginx server, it works fine. Maybe all we need from you is just a suggestion of configuration for wp-spamshield in nginx.

@wuboys

Initially, I wrote a semi-long response, but then, I thought about it, and deleted it.

This thread has gotten way off topic. Your questions and comments aren’t about any issues with the plugin…you want to debate about Nginx vs Apache. That’s a long and neverending argument, and this isn’t the place for that. This is a “Support Forum” not a “Debate Forum”.

Like I said above:

If you would like to discuss further, or would like more detailed explanations, feel free to contact us via the WP-SpamShield Support page, and I’ll be happy to explain.

@rad Sand,

Thanks for your response, it really helps me understand what’s your concern. I think you should add it back. This is the first thread appear when I search “nginx” “wp-spamshield” together by Google. Leave your semi-long response here may help other people.

I am not here to debate anything. Just a poor guy who want to make things work ?? . It’s in deed a “support forum”, and your response supports me to understand more on web server infrastructure. Thanks for your great work and excellent plugin.

And sure, I am curious about how you can set up a hybrid envrionment. I will send you mail on your support page. Thank you.

btw, the broken link from nginx team is:
https://www.nginx.com/resources/wiki/start/topics/examples/likeapache-htaccess/

I can’t submit ticket to your support page. It keeps telling me “That action is currently not allowed.”

Hey wuboys,

Thanks for your response, it really helps me understand what’s your concern.

You’re welcome. ?? I’m glad you know that we are here to help.

I am not here to debate anything. Just a poor guy who want to make things work ?? . It’s in deed a “support forum”, and your response supports me to understand more on web server infrastructure. Thanks for your great work and excellent plugin.

Totally understand. ?? I’m glad that it helps. You’re very welcome.

Yes that’s the link I had guessed it was…read that page many times before. ??

No worries. I got your info out of the logs. I’ll drop you an email in a few minutes.

– Scott

Hello，

Thanks so much for your response here, and sorry for late response to your messages since I have to visit here by VPN in China, and there is a firewall named national Great Wall, so we can not visit any global sites, like Google,Twitter,yahoo,even www.remarpro.com.

I am not a techincal, but I understand LNMP and LANMP,and Apache has different advantage compared with Ngix! After reading your messages above, I really understand you are experts, so Please give a chance to ask a question here, if I want build a massive stress WordPress sites, let’s say, the amount in parallel is 100 thousand for Woocomerce and buddypress application, does WordPress has the capability? What kind of environment you suggest, LNMP or LANMP? What kind of hardware needed? Where should I find right person to do that, and how much should I pay for that?

Well, maybe it is not right place to ask those question, it would be highly appreciated if you would like to comment!
Thanks

Alex