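# Drop TCP packets that try to start a connection (state NEW) without SYN set,
# i.e. packets that do not belong to any tracked connection.
# (Double hyphens: the original page had typographic dashes, which iptables rejects.)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop non-first IP fragments. NOTE(review): when connection tracking is loaded,
# packets are normally reassembled before filtering, so this rarely matches.
iptables -A INPUT -f -j DROP
# Drop packets with every TCP flag set and packets with no flags set.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP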
Nginx can also help here, acting as a reverse proxy.
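# Drop TCP packets that try to start a connection (state NEW) without SYN set,
# i.e. packets that do not belong to any tracked connection.
# (Double hyphens: the original page had typographic dashes, which iptables rejects.)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop non-first IP fragments. NOTE(review): when connection tracking is loaded,
# packets are normally reassembled before filtering, so this rarely matches.
iptables -A INPUT -f -j DROP
# Drop packets with every TCP flag set and packets with no flags set.
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP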
Nginx can also help here, acting as a reverse proxy.
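# Wildcard name covering every subdomain; the directive needs a terminating ";".
server_name *.linux4you.tk;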
vi /etc/nginx/nginx.conf
Change `limit_conn_zone $binary_remote_addr zone=addr:10m;` to
`limit_conn_zone $http_x_forwarded_for zone=addr:10m;` — only do this when nginx itself sits behind a trusted proxy that sets the header; X-Forwarded-For is supplied by the client otherwise and can be set to any value to evade the connection limit.
vi /etc/nginx/conf.d/default.conf
Add to the server section:
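# Munin HTML output. The location prefix and the alias must both end in "/":
# a prefix without a trailing slash combined with an alias that has one lets
# requests resolve outside the aliased directory (nginx alias path traversal).
location = /munin {
    return 301 /munin/;
}
location /munin/ {
    alias /var/www/html/munin/;
    index index.html;
    # NOTE(review): no access restriction here; the graphs are readable by anyone.
}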
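# Redirect the bare domain to the www host. The original used ".t", which does
# not match the ".tk" zone used elsewhere on this page.
server {
    listen 80;
    server_name linux4you.tk;
    return 301 http://www.linux4you.tk$request_uri;
}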
server {
listen 80;
server_name www.linux4you.tk;
# NOTE(review): no root or location here; content must come from defaults or an include not shown on this page.
}
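# List compiled-in modules: nginx -V prints to stderr, so redirect it into the
# pipe first; tr turns every "-" into a newline so grep can isolate *_module tokens.
nginx -V 2>&1 | tr -- - '\n' | grep _module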
Probably you are missing a semicolon ";" at the end of some configuration statement.
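# Build nginx from a source tarball. Verify the tarball against the published
# signature/checksum before unpacking (placeholder: <EXPECTED_CHECKSUM>).
tar -zxf nginx-*.tar.gz
# Abort if the directory glob did not resolve, instead of building in the wrong place.
cd nginx-*/ || exit 1
./configure && make && sudo make install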
vi nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 3;
# Front-end listener on :81; the iptables DNAT rule further down sends external :80 traffic here.
server {
listen 1.2.3.4:81;
server_name nginx;
location / {
# Upstream web server on the same address, port 80. The forwarded headers set below
# are only trustworthy if that upstream accepts them from this proxy alone.
proxy_pass http://1.2.3.4:80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# 0 disables spooling proxied responses to temp files; only the in-memory buffers below are used.
proxy_max_temp_file_size 0;
proxy_connect_timeout 20;
proxy_send_timeout 20;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
}
# Redirect inbound port 80 to nginx on :81. "! -s 1.2.3.4" excludes the server's own
# traffic so nginx's proxy_pass to :80 is not looped back into itself.
iptables -t nat -I PREROUTING ! -s 1.2.3.4 -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to :81
vi nginx.conf
events {
# worker_connections - max number of concurrent connections
# not only clients, but also connections with proxy_pass
# worker_connections < worker_rlimit_nofile
#worker_connections 1024;
worker_connections 8192;
# multi_accept on;
# use kqueue; for freebsd
# Linux event notification method.
use epoll;
}
# httpd-devel provides apxs, which is used later on this page to build mod_rpaf.
yum install httpd httpd-devel -y
vi /etc/httpd/conf/httpd.conf
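# Apache is the backend behind nginx: bind only to loopback so it cannot be reached
# directly on :81 from outside, which would bypass the proxy (and any WAF in front).
Listen 127.0.0.1:81
NameVirtualHost 127.0.0.1:81
# Define Server document root
DocumentRoot /var/www/html/
# Define the virtual host nginx proxies to (proxy_pass http://127.0.0.1:81/)
<VirtualHost 127.0.0.1:81>
    ServerName www.yourwebsite.com
    ServerAlias yourwebsite.com
    DocumentRoot /var/www/yourwebsite.com
    <Directory /var/www/yourwebsite.com>
        # -Includes keeps server-side includes disabled
        Options FollowSymLinks -Includes
        # AllowOverride All lets any .htaccess in the tree change these settings;
        # narrow it to the directive groups actually needed.
        AllowOverride All
        # Apache 2.2 access-control syntax (2.4 uses "Require all granted")
        Order allow,deny
        Allow from all
    </Directory>
    RewriteEngine on
</VirtualHost>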
service httpd restart
vi /etc/yum.repos.d/nginx.repo
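[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
# Verify package signatures instead of installing unauthenticated packages.
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1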
# Installs nginx from the repository defined above.
yum install nginx -y
vi /etc/nginx/nginx.conf
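user nobody;
worker_processes 4;
# "crit" keeps the error log almost silent; consider "error" or "warn" so
# misconfigurations and abuse are actually recorded for later investigation.
error_log logs/error.log crit;
worker_rlimit_nofile 8192;
events {
    worker_connections 1024; # you might need to increase this setting for busy servers
    use epoll; # Linux kernels 2.6.x change to epoll
}
http {
    server_names_hash_max_size 2048;
    server_names_hash_bucket_size 512;
    # Hide the nginx version in the Server header and error pages.
    server_tokens off;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 10;
    # Gzip on
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 32k;
    gzip_types text/plain application/x-javascript text/xml text/css;
    # Other configurations
    ignore_invalid_headers on;
    # Request bodies above this size are rejected.
    client_max_body_size 8m;
    # Three-minute client timeouts are generous; slow clients hold a connection that long.
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    connection_pool_size 256;
    client_header_buffer_size 4k;
    large_client_header_buffers 4 32k;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;
    # Cache most accessed static files
    open_file_cache max=10000 inactive=10m;
    open_file_cache_valid 2m;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;
    # virtual hosts includes (plain ASCII quotes: the typographic quotes in the
    # original made nginx fail to parse this directive)
    include "/etc/nginx/conf.d/*.conf";
}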
Then let's create some virtual hosts:
vi /etc/nginx/conf.d/yourwebsite.com.conf
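server {
    listen 80;
    # Both the www and the bare name; the original listed yourwebsite.com twice.
    server_name www.yourwebsite.com yourwebsite.com;
    # NOTE(review): access_log off removes the request trail needed for incident
    # investigation; prefer logging to a file, even one rotated aggressively.
    access_log off;
    error_log logs/yourwebsite.com-error_log crit;
    # Static files served directly by nginx. The dot is escaped so the pattern
    # matches a real extension rather than any character followed by "gif" etc.
    location ~* \.(gif|jpg|jpeg|png|ico|wmv|3gp|avi|mpg|mpeg|mp4|flv|mp3|mid|js|css|html|htm|wml)$ {
        root /var/www/yourwebsite.com;
        expires 365d;
    }
    # Everything else is proxied to Apache on the loopback port.
    location / {
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_connect_timeout 30s;
        # Rewrite Location headers that would otherwise expose the backend port.
        proxy_redirect http://www.yourwebsite.com:81 http://www.yourwebsite.com;
        proxy_redirect http://yourwebsite.com:81 http://yourwebsite.com;
        proxy_pass http://127.0.0.1:81/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}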
You also need mod_rpaf if you want Apache to see the client's real IP behind the proxy.
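cd /tmp || exit 1
# Unpinned download of the branch head: pin to a reviewed tag/commit and compare
# a known checksum before building (placeholder: <EXPECTED_SHA256>).
wget https://github.com/y-ken/mod_rpaf/archive/master.zip
unzip master.zip
cd mod_rpaf-master/ || exit 1
# Compile and install the module into Apache's modules directory.
apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c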
vi /etc/httpd/conf.d/rpaf.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
# Only the addresses listed here are trusted to supply the client IP via the
# forwarded headers; keep it to the nginx host(s) (YOUR.SERVER.IP is a placeholder).
RPAFproxy_ips 127.0.0.1 YOUR.SERVER.IP
service httpd restart
If you are running ISPConfig + nginx + php-fpm and get this error:
FastCGI sent in stderr: "PHP message: PHP Warning: Unknown: open_basedir restriction in effect. File(/var/www/clients/client0/webXXX/web/index.php) is not within the allowed path(s):
Fix.
You need to check your nginx virtual host:
/etc/nginx/sites-enabled/100-linux4you.tk.vhost
for the line `fastcgi_pass some_ip:PORT;` — the port must match the pool's listen setting:
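# Show the pool's listen address/port; it must match the fastcgi_pass target in the vhost.
grep '^listen' /etc/php5/fpm/pool.d/webXXX.conf
# Validate the configuration before touching the service so a typo does not take it down.
nginx -t || exit 1
/etc/init.d/nginx restart
# Confirm the worker processes are up.
pgrep -l nginx
# Ask the master process to re-read its configuration (same as sending it SIGHUP).
nginx -s reload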
# Build toolchain and headers for compiling ModSecurity and nginx from source
# (httpd-devel supplies apxs).
yum install gcc make automake autoconf libtool
yum install pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel
From source:
mod_security:
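# Standalone ModSecurity build for use with the nginx connector. Double hyphens:
# the original page had typographic dashes, which configure rejects.
./configure --enable-standalone-module
make
make install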
or from Git:
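# The clone pins nothing: check out a released tag (placeholder <RELEASE_TAG>)
# rather than building whatever the branch head happens to be.
git clone https://github.com/SpiderLabs/ModSecurity.git mod_security
cd mod_security || exit 1
./autogen.sh
./configure --enable-standalone-module
make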
nginx:
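# Compile nginx with the ModSecurity connector from the sibling checkout.
./configure --add-module=../mod_security/nginx/modsecurity
make
make install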
ModSecurity configuration in nginx.conf:
server {
listen 80;
server_name localhost;
location / {
# ModSecurity enabled for the whole site; the rule set is loaded from modsecurity.conf.
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
}
}
To apply custom mod_security rules to different directories of your website, create a new mod_security.conf and reference it per location:
# Separate rule set for this prefix; the upstream is reached over plain http.
location /secured {
ModSecurityConfig modsecurity3.conf;
proxy_pass http://secured.mysite.com/;
proxy_read_timeout 180s;
}
To turn off mod_security for one directory:
# WAF bypass for this prefix: requests under /unsecured/ reach the upstream
# without ModSecurity inspection, so that backend must be hardened on its own.
location /unsecured/ {
ModSecurityEnabled off;
proxy_pass http://unsecured.mysite.com/;
proxy_read_timeout 180s;
}
service nginx restart
vi /etc/nginx/nginx.conf
# Buffers for FastCGI (php-fpm) responses: 16 x 16k for the body, 32k for the first part (headers).
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
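# Validate the new configuration first so a syntax error does not leave nginx down.
nginx -t || exit 1
service nginx restart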