Tag Archives: nginx

nginx as a reverse-proxy

tar -zxf nginx-*.tar.gz
cd nginx-*/
./configure && make && sudo make install

vi nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 3;
server {
listen 1.2.3.4:81;
server_name nginx;
location / {
proxy_pass http://1.2.3.4:80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
proxy_connect_timeout 20;
proxy_send_timeout 20;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
}

iptables -t nat -I PREROUTING ! -s 1.2.3.4 -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to :81

nginx as reverse proxy for apache

yum install httpd httpd-devel -y

vi /etc/httpd/conf/httpd.conf
Listen 81
NameVirtualHost 127.0.0.1:81

# Define Server document root
DocumentRoot /var/www/html/

# Define the virtual host

ServerName www.yourwebsite.com
ServerAlias yourwebsite.com
DocumentRoot /var/www/yourwebsite.com

Options FollowSymLinks -Includes
AllowOverride All
Order allow,deny
Allow from all

RewriteEngine on

service httpd restart

vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

yum install nginx -y
vi /etc/nginx/nginx.conf

user nobody;
worker_processes 4;
error_log logs/error.log crit;

worker_rlimit_nofile 8192;

events {
worker_connections 1024; # you might need to increase this setting for busy servers
use epoll; # Linux kernels 2.6.x change to epoll
}

http {
server_names_hash_max_size 2048;
server_names_hash_bucket_size 512;

server_tokens off;

include mime.types;
default_type application/octet-stream;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 10;

# Gzip on
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain application/x-javascript text/xml text/css;

# Other configurations
ignore_invalid_headers on;
client_max_body_size 8m;
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
connection_pool_size 256;
client_header_buffer_size 4k;
large_client_header_buffers 4 32k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;

# Cache most accessed static files
open_file_cache max=10000 inactive=10m;
open_file_cache_valid 2m;
open_file_cache_min_uses 1;
open_file_cache_errors on;

# virtual hosts includes
include “/etc/nginx/conf.d/*.conf”;

}

Then lets create some virtuals hosts:

vi /etc/nginx/conf.d/yourwebsite.com.conf

server {
listen 80;
server_name yourwebsite.com yourwebsite.com;
access_log off;
error_log logs/yourwebsite.com-error_log crit;

location ~* .(gif|jpg|jpeg|png|ico|wmv|3gp|avi|mpg|mpeg|mp4|flv|mp3|mid|js|css|html|htm|wml)$ {
root /var/www/yourwebsite.com;
expires 365d;
}

location / {
client_max_body_size 10m;
client_body_buffer_size 128k;

proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 30s;

proxy_redirect http://www.yourwebsite.com:81 http://www.yourwebsite.com;
proxy_redirect http://yourwebsite.com:81 http://yourwebsite.com;

proxy_pass http://127.0.0.1:81/;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

Also you need mod_rpaf, if you want to see client real IP after proxy.

cd /tmp
wget https://github.com/y-ken/mod_rpaf/archive/master.zip
unzip master.zip
cd mod_rpaf-master/
apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

vi /etc/httpd/conf.d/rpaf.conf

LoadModule rpaf_module modules/mod_rpaf-2.0.so

RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 YOUR.SERVER.IP

service httpd restart

ispconfig – ERROR 404 – Not Found!

If you are running ispconfig + nginx + php-fpm and have such error:

FastCGI sent in stderr: “PHP message: PHP Warning: Unknown: open_basedir restriction in effect. File(/var/www/clients/client0/webXXX/web/index.php) is not within the allowed path(s):

Fix.

You need check your nginx virtual host:

/etc/nginx/sites-enabled/100-linuxÄ—you.tk.vhost
line
fastcgi_pass = some_ip:PORT

grepp PORT /etc/php5/fpm/pool.d/webXXX.conf

/etc/init.d/nginx restart

modsecurity for nginx

yum install gcc make automake autoconf libtool
yum install pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel

From source:

mod_security:
./configure –enable-standalone-module
make
make install
or GIT:
git clone https://github.com/SpiderLabs/ModSecurity.git mod_security
cd mod_security
./autogen.sh
./configure –enable-standalone-module
make

nginx:
./configure –add-module=../mod_security/nginx/modsecurity
make
make install

ModSecurity configuration nginx.conf:

server {
listen 80;
server_name localhost;

location / {
ModSecurityEnabled on;
ModSecurityConfig modsecurity.conf;
}

}

custom rules for mod_security applied to different directories in your website, you can create new mod_security.conf:

location /secured {
ModSecurityConfig modsecurity3.conf;
proxy_pass http://secured.mysite.com/;
proxy_read_timeout 180s;
}

turn off mod_security for one directory:

location /unsecured/ {
ModSecurityEnabled off;
proxy_pass http://unsecured.mysite.com/;
proxy_read_timeout 180s;
}

service nginx restart