Nginx is great, but before you get down and start using it, make certain that you'll never, ever use any features it doesn't support. I was bitten by this when I found out Nginx has no equivalent to Apache's mpm_itk_module.
Absolutely correct. Use Nginx because it's small and fast. But don't use it because it's fully featured, because compared to Apache it's not. But that doesn't have to be a problem. I use Nginx by default, and on the occasions that I need an Apache feature I just reverse proxy the virtual host from Nginx to Apache.
"mpm-itk allows you to run each of your vhost under a separate uid and gid—in short, the scripts and configuration files for one vhost no longer have to be readable for all the other vhosts"
I don't quite understand why that would be necessary. Nginx has no business accessing other users' files in the first place.
I mean, I understand why Apache needs to do it: with Apache, you have things like mod_php running in-process, so it makes sense to restrict Apache, running one of Bob's scripts, from accessing Alice's files.
But with Nginx, anything with "intelligence" runs out-of-process. What Nginx expects you to do is to run it as one user, but run each app server (in PHP terms, each FCGI socket daemon) as the user whose files that server should access. (Or, better yet, run the app server in an LXC container along with a bind mount to only the files it needs to access. Very Plan9y.)
It may still be a good idea for security reasons. Suppose that an Nginx process is exploited. If it runs under a certain user ID then the exploit likely does not travel past that user. You can make the Nginx user ID different from the actual user ID so that it only has read access.
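An added example, not part of the thread above: a small audit of php-fpm pool definitions for the setup the comments describe, where Nginx runs as one user and each FCGI daemon runs as the user whose files it should access. The pool names, users and socket paths are constructed, `audit_pools` is a hypothetical helper, and the input is assumed to contain only pool sections (no `[global]`).

```python
import configparser
from collections import defaultdict

# Constructed sample: three php-fpm pool sections (names, users and paths are made up).
SAMPLE_POOLS = """
[alice]
user = alice
listen = /run/php-fpm/alice.sock
listen.owner = nginx
listen.mode = 0660
[bob]
user = alice
listen = /run/php-fpm/bob.sock
listen.owner = nginx
listen.mode = 0666
[shop]
user = nginx
listen = /run/php-fpm/shop.sock
listen.owner = nginx
listen.mode = 0660
"""

def audit_pools(text, web_user="nginx"):
    """Return sorted (pool, finding) pairs for pools that weaken per-user isolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings, by_user = [], defaultdict(list)
    for pool in cp.sections():
        sec = cp[pool]
        user = sec.get("user", "")
        by_user[user].append(pool)
        if user == web_user:
            findings.append((pool, "runs as the web server user"))
        # listen.mode is octal (0660 when unset); "other" bits open the socket to every local account.
        mode = int(sec.get("listen.mode", "0660"), 8)
        if mode & 0o007:
            findings.append((pool, "socket accessible to all local users"))
    for user, pools in by_user.items():
        if len(pools) > 1:
            findings.extend((p, f"shares user '{user}' with another pool") for p in pools)
    return sorted(findings)

if __name__ == "__main__":
    for pool, finding in audit_pools(SAMPLE_POOLS):
        print(f"{pool}: {finding}")
```
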