Nginx
Features:
1. Security.
2. Load Distribution.
3. Caching.
4. Compression.
Main Features:
DDoS Protection: Nginx will only pass true HTTP requests, so it can protect against some common attacks like DDoS attacks.
GZIP compression: Nginx Admin is compatible with GZIP compression.
High output: Nginx provides maximum performance as a load balancer.
How to install nginx.
# vi /etc/yum.repos.d/nginx.repo
Add the repo as below:
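-----
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
# gpgcheck=0 skips package signature verification; to verify packages, set
# gpgcheck=1 and gpgkey=https://nginx.org/keys/nginx_signing.key
gpgcheck=0
enabled=1
-----
Install nginx using the following command.
# yum --enablerepo nginx install nginx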
Create a "proxy.inc" file to hold the nginx proxy parameters described below:
When NGINX proxies a request, it sends the request to a specified proxied server, fetches the response, and sends it back to the client. It is possible to proxy requests to an HTTP server (another NGINX server or any other server) or a non-HTTP server (which can run an application developed with a specific framework, such as PHP or Python) using a specified protocol. Supported protocols include FastCGI, uwsgi, SCGI, and memcached. This parameters
proxy_pass_header
Syntax: proxy_pass_header field;
Permits passing otherwise disabled header fields from a proxied server to a client.
Ex:- proxy_pass_header Set-Cookie;
proxy_hide_header
Syntax: proxy_hide_header field;
By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed. If, on the contrary, the passing of fields needs to be permitted, the proxy_pass_header directive can be used.
The “X-Accel-Expires” header field sets caching time of a response in seconds. The zero value disables caching for a response. If the value starts with the @ prefix, it sets an absolute time in seconds since Epoch, up to which the response may be cached.
If the header does not include the “X-Accel-Expires” field, parameters of caching may be set in the header fields “Expires” or “Cache-Control”.
If the header includes the “Set-Cookie” field, such a response will not be cached.
If the header includes the “Vary” field with the special value “*”, such a response will not be cached (1.7.7). If the header includes the “Vary” field with another value, such a response will be cached taking into account the corresponding request header fields (1.7.7).
Ex:-proxy_hide_header Vary;
Ex:-proxy_hide_header X-Powered-By;
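The caching rules described above (X-Accel-Expires, then Cache-Control or Expires, with Set-Cookie and "Vary: *" blocking caching) can be modelled in a few lines. This is an added example, not code from nginx or from the original page: a simplified Python model in which cache_lifetime and its arguments are hypothetical names, Cache-Control handling is limited to max-age, no-cache, no-store and private, and the sample headers are constructed.

```python
import re
from email.utils import parsedate_to_datetime

def cache_lifetime(headers, now):
    """Seconds an upstream response may be cached, or None if the headers
    give no positive lifetime. headers: dict of response headers;
    now: current Unix time in seconds. Simplified model, not nginx source."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # A response that sets a cookie, or varies on everything, is never cached.
    if "set-cookie" in h or h.get("vary") == "*":
        return None

    # X-Accel-Expires is consulted first: N seconds, 0 = off, @T = absolute.
    xae = h.get("x-accel-expires")
    if xae is not None:
        ttl = int(xae[1:]) - now if xae.startswith("@") else int(xae)
        return ttl if ttl > 0 else None

    # Without X-Accel-Expires, fall back to Cache-Control, then Expires.
    cc = h.get("cache-control", "").lower()
    if re.search(r"\b(no-cache|no-store|private)\b", cc):
        return None
    m = re.search(r"\bmax-age=(\d+)", cc)
    if m:
        ttl = int(m.group(1))
        return ttl if ttl > 0 else None
    if "expires" in h:
        try:
            ttl = int(parsedate_to_datetime(h["expires"]).timestamp()) - now
        except (TypeError, ValueError):
            return None  # unparsable date such as "0": treat as not cacheable
        return ttl if ttl > 0 else None
    return None

if __name__ == "__main__":
    # Constructed sample: a session response must not land in a shared cache.
    sample = {"Cache-Control": "max-age=300", "Set-Cookie": "sid=abc"}
    print(cache_lifetime(sample, now=1000))
```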
X-Powered-By:-
The second example above suppresses the PHP banner header X-Powered-By, which otherwise discloses the backend version to clients, for example:
X-Powered-By: PHP/5.1.2-1+b1
proxy_set_header
Syntax: proxy_set_header field value;
Allows redefining or appending fields to the request header passed to the proxied server. The value can contain text, variables, and their combinations. These directives are inherited from the previous level if and only if there are no proxy_set_header directives defined on the current level. By default, only two fields are redefined: Host is set to $proxy_host and Connection is set to close.
Ex:-
proxy_set_header Host $host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Additional examples:-
To pass a request to an HTTP proxied server, the proxy_pass directive is specified inside a location. For example:
location /some/path/ {
    proxy_pass http://www.example.com/link/;
}
location /some/path/ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://localhost:8000;
}
Open the main nginx configuration file (/etc/nginx/nginx.conf) and provide the details as below.
# Nginx config starts here
user nobody;
worker_processes auto;
#worker_rlimit_nofile 20480;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024; # increase for busier servers
    use epoll; # you should use epoll for Linux kernels 2.6.x
}
http {
    open_file_cache max=5000 inactive=30s;
    open_file_cache_valid 120s;
    open_file_cache_min_uses 2;
    open_file_cache_errors off;
    open_log_file_cache max=1024 inactive=30s min_uses=2;
    server_names_hash_max_size 10240;
    server_names_hash_bucket_size 1024;
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 5;
    gzip on;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";
    gzip_proxied any;
    gzip_http_version 1.1;
    gzip_min_length 1000;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_types text/plain text/xml text/css application/x-javascript application/xml image/png image/x-icon image/gif image/jpeg application/xml+rss text/javascript application/atom+xml application/javascript application/json;
    ignore_invalid_headers on;
    client_header_timeout 3m;
    client_body_timeout 3m;
    client_max_body_size 200m;
    send_timeout 3m;
    connection_pool_size 256;
    client_header_buffer_size 4k;
    large_client_header_buffers 4 32k;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;
    proxy_temp_path /tmp/nginx_temp;
    log_format bytes_log "$msec $bytes_sent .";
    # Include site configurations
    include /etc/nginx/conf.d/*.conf;
}
# Nginx config ends here
Now, open the nginx configuration of the domain. The file location is /etc/nginx/conf.d/domain.conf.
Add the following entries:
# Virtual host file starts here
server {
    listen ServerIP:80;
    access_log /var/log/nginx/access.YOURDOMAIN.log;
    error_log /var/log/nginx/error.YOURDOMAIN.log;
    server_name YOURDOMAIN www.YOURDOMAIN;
    root /home/USERNAME/public_html;
    location / {
        # Static files: serve from disk, fall back to the backend if missing
        location ~ .*\.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot)$ {
            expires 7d; #Comment this out if you're using the apache backend cache-control/expires headers.
            try_files $uri @backend;
        }
        error_page 405 = @backend;
        error_page 500 = @custom;
        add_header X-Cache "HIT from Backend";
        proxy_pass http://YOURSERVERIP:8181;
        include proxy.inc;
    }
    location @backend {
        internal;
        proxy_pass http://YOURSERVERIP:8181;
        include proxy.inc;
    }
    location @custom {
        internal;
        proxy_pass http://YOURSERVERIP:8181;
        include proxy.inc;
    }
    # Dynamic content always goes to the backend
    location ~ .*\.(php|jsp|cgi|pl|py)?$ {
        proxy_pass http://YOURSERVERIP:8181;
        include proxy.inc;
    }
    # Never serve .htaccess / .htpasswd files
    location ~ /\.ht {
        deny all;
    }
}
# Virtual host file ends here
Now download and install mod_rpaf
mod_rpaf.
From the point of view of Apache, all of its clients have the same IP address - the address of the nginx server (see the diagram above). This causes problems for websites and web apps that use client IP addresses for authentication, statistic purposes, and so on. mod_rpaf solves the problem by replacing the IP address of the nginx server in all requests with client IP addresses. In more detail, the module uses the special X-Forwarded-For header in which nginx puts the IP address of a client.
Follow the below steps to download and install mod_rpaf.
wget https://github.com/gnif/mod_rpaf/archive/v0.8.4.tar.gz --no-check-certificate
tar xzf v0.8.4.tar.gz
cd mod_rpaf-0.8.4
chmod +x apxs.sh
/usr/local/apache/bin/apxs -cia mod_rpaf.c
Now, add mod_rpaf configurations as below:
# mod_rpaf config file starts here
LoadModule rpaf_module modules/mod_rpaf.so
RPAF_Enable On
RPAF_ProxyIPs 127.0.0.1 YOURSERVERIP
RPAF_SetHostName On
RPAF_SetHTTPS On
RPAF_SetPort On
RPAF_ForbidIfNotProxy Off
RPAF_Header X-Forwarded-For
# mod_rpaf config file ends here
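Why RPAF_ProxyIPs matters: $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For value the client sent, so only the entries written by a trusted proxy can be believed. The following is an added example of that trusted-proxy rule, not mod_rpaf's source and not code from the original page; the function names are hypothetical and all addresses are constructed.

```python
import ipaddress

def nginx_forwarded_for(client_header, remote_addr):
    """Model of $proxy_add_x_forwarded_for: the client's own X-Forwarded-For
    (if any) with $remote_addr appended. The client controls every entry
    except the last one."""
    return f"{client_header}, {remote_addr}" if client_header else remote_addr

def resolve_client_ip(peer_addr, xff, trusted_proxies):
    """Address the backend should treat as the client.

    peer_addr: TCP peer of the connection reaching the backend.
    xff: X-Forwarded-For header value, or None.
    trusted_proxies: proxy addresses (the role RPAF_ProxyIPs plays).
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(peer_addr)
    # The header is honoured only when the connection comes from a known proxy.
    if peer not in trusted or not xff:
        return str(peer)
    # Walk right to left: skip trusted hops, stop at the first untrusted one.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer
        if addr not in trusted:
            return str(addr)
    return str(peer)

if __name__ == "__main__":
    # Constructed case: the client at 203.0.113.7 forges a leading entry.
    header = nginx_forwarded_for("10.0.0.1", "203.0.113.7")
    print(header, "->", resolve_client_ip("127.0.0.1", header, ["127.0.0.1"]))
```

The second check in the test covers a request that reaches the backend port directly rather than through nginx: its header is ignored because the peer is not a listed proxy.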
Now change the listening port of Apache to 8081. Find the entries below:
-----
Listen 8181
<VirtualHost IP:8181>
</VirtualHost>
<VirtualHost IP:8081>
</VirtualHost>
<VirtualHost IP:8081>
-----
Restart the services using the commands below:-
service httpd restart
service nginx restart
chkconfig nginx on
Note:- The following module is used here for the reverse proxy to function.
mod_aclr2.
This module sets up a handler which runs after handlers of all other Apache modules (mod_rewrite, .htaccess related modules, mod_php, and so on). Therefore, if the request is for dynamic content, mod_aclr2 will never get it as the request will be served by upper-level handlers of certain Apache modules (mod_php, mod_perl, mod_cgi, and so on). The only exceptions are SSI requests: once they reach mod_aclr2, it redirects them to proper handlers. If the request is for a static file, mod_aclr2 searches for the exact file location on the file system and sends the location to nginx.
To check whether nginx is in use, run:
curl -I http://domain.com
Also, use the URL http://browserspy.dk/ to identify the web server type.