Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "NGINX"

From NetSec
Jump to: navigation, search
(Nginx)
(NGINX & CloudFlare)
Line 188: Line 188:
  
 
= NGINX & CloudFlare =
 
= NGINX & CloudFlare =
 +
 +
== HttpRealIpModule ==
  
 
http://wiki.nginx.org/NginxHttpRealIpModule
 
http://wiki.nginx.org/NginxHttpRealIpModule
  
 
<source lang="bash">
 
<source lang="bash">
set_real_ip_from  AUTHORIZED_IP;         # CloudFlare IP forwarded in request headers
+
  set_real_ip_from  204.93.240.0/24;
real_ip_header    CF-Originating-IP;
+
  set_real_ip_from  204.93.177.0/24;
 +
  set_real_ip_from  199.27.128.0/21;
 +
  set_real_ip_from  173.245.48.0/20;
 +
  set_real_ip_from  103.22.200.0/22;
 +
  set_real_ip_from  141.101.64.0/18;
 +
  real_ip_header    CF-Connecting-IP;
 
</source>
 
</source>
  

Revision as of 08:00, 24 October 2011

Nginx

nginx serves as:

  • HTTP server
  • HTTPS server
  • Reverse Proxy
  • Load Balancer
  • Mail Proxy

Basic HTTP Features

  • Serving static and index files, and autoindexing; open file descriptor cache;
  • Accelerated reverse proxying with caching; simple load balancing and fault tolerance;
  • Accelerated support with caching of remote FastCGI servers; simple load balancing and fault tolerance;
  • Modular architecture. Filters include gzipping, byte ranges, chunked responses, XSLT, SSI, and image resizing filter.
    • Multiple SSI inclusions within a single page can be processed in parallel if they are handled by FastCGI or proxied servers.
  • SSL and TLS SNI support.

Additional HTTP Features

  • Name-based and IP-based virtual servers;
  • Keep-alive and pipelined connections support;
  • Flexible configuration;
  • Reconfiguration and online upgrade without interruption of the client processing;
  • Access log formats, bufferred log writing, and quick log rotation;
  • 3xx-5xx error codes redirection;
  • The rewrite module;
  • Access control based on client IP address and HTTP Basic authentication;
  • The PUT, DELETE, MKCOL, COPY and MOVE methods;
  • FLV streaming;
  • Speed limitation;
  • Limitation of simultaneous connections or requests from one address.
  • Embedded Perl

Mail Proxy Server Features

  • User redirection to IMAP/POP3 backend using an external HTTP authentication server;
  • User authentication using an external HTTP authentication server and connection redirection to internal SMTP backend;
  • Authentication methods:
    • POP3: USER/PASS, APOP, AUTH LOGIN/PLAIN/CRAM-MD5;
    • IMAP: LOGIN, AUTH LOGIN/PLAIN/CRAM-MD5;
    • SMTP: AUTH LOGIN/PLAIN/CRAM-MD5;
  • SSL support;
  • STARTTLS and STLS support.

Architecture and Scalability

  • One master process and several workers processes. The workers run as unprivileged user;
  • The notification methods:
    • kqueue (FreeBSD 4.1+)
      • The support of the various kqueue features including:
        • EV_CLEAR
        • EV_DISABLE (to disable event temporalily)
        • NOTE_LOWAT
        • EV_EOF
    • epoll (Linux 2.6+)
    • rt signals (Linux 2.2.19+)
    • /dev/poll (Solaris 7 11/99+)
    • event ports (Solaris 10)
    • select, and poll;
    • sendfile (FreeBSD 3.1+, Linux 2.2+, Mac OS X 10.5)
    • sendfile64 (Linux 2.4.21+)
    • sendfilev (Solaris 8 7/01+)
    • File AIO (FreeBSD 4.3+, Linux 2.6.22+);
  • Accept-filters (FreeBSD 4.1+) and TCP_DEFER_ACCEPT (Linux 2.4+) support;
  • 10,000 inactive HTTP keep-alive connections take about 2.5M memory;
  • Data copy operations are kept to a minimum.

Nginx Configuration Directives

Nginx Configuration Reference

Directive Index

error_log

The error log for the domain, this is set by default the same on all vhosts(/var/log/nginx/vhost-error_log).

 error_log file [ debug | info | notice | warn | error | crit ]

Disabling error logging

 error_log /dev/null crit;

access_log

 access_log path [format [buffer=size]]|off
 
  access_log /usr/local/apache/domlogs/YOURDOMAIN.COM-bytes_log bytes_log;
  access_log /usr/local/apache/domlogs/YOURDOMAIN.COM combined;
 

proxy_pass

This directive sets the address of the proxied server and the URI to which location will be mapped.

  • Target address may be given as Hostname|IP:PORT|Backend, for example:
 
  proxy_pass http://ws2:example.com:8081/;
  proxy_pass http://10.0.1.1:8080/;
  proxy_pass backend;
 

root

This is equivalent to DocumentRoot in Apache. Used in location blocks to serve matched content from this document root.

 root /srv/web/example.com/htdocs/;

Location Block

 location [=|~|~*|^~|@] /uri/ { ... };

Case-Insensitive

 location ~* /images/ { ... };

Case-Sensitive

 location ~ /images/ { ... };

Match "/"

 location = / { ... };

Match everything

 location / { ... };

Regex Matching

 location ~* \.(bmp|gif|jpe?g|png|tiff)$ {
   root /srv/web/cdn.example.com/images/;
 };
 location ~* \.(swf|(j|cs)s)$ {
   root /srv/web/cdn.example.com/lib/;
 };

VirtualHost Equivalents

 
  server {
    error_log  /var/log/nginx/error_log warn;
    access_log /usr/local/apache/domlogs/YOURDOMAIN.COM.com-bytes_log bytes_log;
    access_log /usr/local/apache/domlogs/YOURDOMAIN.COM combined;
 
    listen    80;
    server_name  YOURDOMAIN.COM WWW.YOURDOMAIN.COM;
 
    # Redirect media file or static content extensions to a specific document_root 
    location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ {
     root   /home/user/public_html;
    }
 
    location / {
     client_max_body_size    10m;
     client_body_buffer_size 128k;
 
     proxy_send_timeout   90;
     proxy_read_timeout   90;
 
     proxy_buffer_size    4k;
 
     # fixes upstream response buffering warning
     proxy_buffers     16 32k;
 
     proxy_busy_buffers_size 64k;
     proxy_temp_file_write_size 64k;
 
     proxy_connect_timeout 30s;
 
     proxy_redirect  http://www.YOURDOMAIN.COM:8081   http://www.YOURDOMAIN.COM;
     proxy_redirect  http://YOURDOMAIN.COM:8081   http://YOURDOMAIN.COM;
 
     proxy_pass   http://IP_ADDRESS:8081/;
 
     proxy_set_header   Host   $host;
     proxy_set_header   X-Real-IP  $remote_addr;
     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
 
 

NGINX & CloudFlare

HttpRealIpModule

http://wiki.nginx.org/NginxHttpRealIpModule

 
  set_real_ip_from   204.93.240.0/24;
  set_real_ip_from   204.93.177.0/24;
  set_real_ip_from   199.27.128.0/21;
  set_real_ip_from   173.245.48.0/20;
  set_real_ip_from   103.22.200.0/22;
  set_real_ip_from   141.101.64.0/18;
  real_ip_header     CF-Connecting-IP;
 

Troubleshooting

.xml ISE 500

Remove XML being handled by nginx if the back end of the customer's site uses xml files for configurations.

Status Page

  • Requires --with-http_stub_status_module flag at compile time.
 
 server {
   listen    80;
   server_name  0.0.0.0;
 
   location /nginx_status {
     stub_status on;
     access_log   off;
     allow MANAGEMENT_IP;
   }
 }
 

Then restart NGINX with:

 nginx -s reload


Status Page Details

Active connections: 17802
server accepts handled requests
 219633918 2198306548 21970465
Reading: 195 Writing: 1979 Waiting: 850

Status Stub Variables

Key Value
active connections # of open connections +backends
reading # of sockets currently reading request headers
writing # of sockets currently reading request body, processing a request, or in response phase
waiting # of active keep-alive sockets

Reverse Proxy & Load Balancer

Upstream (proxy/load_balancer)

Context: http

http://wiki.nginx.org/HttpUpstreamModule

 
upstream backend  {
 
  # ip_hash; # remove first "#" for upstream to >1 servers
 
  # weighted to decrease failure tolerance and spray traffic using escalating fault tolerance
  server 172.16.10.4:8080 weight=5 max_fails=3 fail_timeout=30;
  server 172.16.10.3:8080 weight=4 max_fails=5 fail_timeout=45;
  server 172.16.10.2:8080 weight=3 max_fails=7 fail_timeout=60;
  server 172.16.10.1:8080 weight=2 max_fails=9 fail_timeout=90;
 
}
 
server {
  location / {
    proxy_pass  http://backend;
  }
}
 

LimitZone (DoS Prevention)

Context: http

 
http {
  # limit_zone <zone_name> <$variable>         <max_zone_sizeM>
    limit_zone limit0      $binary_remote_addr 10m;
 
  server {
    location /download/ {
      # limit_conn <zone_name> <max_clients_per_ip>
        limit_conn limit0      4;
    }
  }
}
 

Apache Rewrites to NGINX Rewrites

http://www.anilcetin.com/convert-apache-htaccess-to-nginx/

Examples

 #rewrite /page200.html to /page.php?id=200
 rewrite ^/page([0-9]+)\.html$ /page.php?id=$1 last;
 # rewrite /profile/user15 to /profile.php?user=user15
 rewrite ^/profile/([A-Za-z0-9]{4,12})$ /profile.php?user=$1 last;

SpawnFCGI Script

 
#! /bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=spawn-fcgi-php
 
PID=/var/run/fcgi.pid
NCHILDREN=100
 
BINDIP=127.0.0.1
BINDPORT=10001
BINDUSER=nobody
BINDGROUP=nobody
 
DAEMON=/usr/bin/spawn-fcgi
DAEMON_OPTS="-f /usr/bin/php -C $NCHILDREN -a $BINDIP -p $BINDPORT -u $BINDUSER -g $BINDGROUP -P $PID"
 
test -x $DAEMON || exit 0
 
set -e
 
case "$1" in
  start)
    echo "Starting $NAME: "
    $DAEMON $DAEMON_OPTS
    echo "OK"
  ;;
  stop) 
    echo "Stopping $NAME: "
    kill -15 `cat $PID`
    rm -f $PID
    echo "OK"
  ;;
  restart)
    echo "Stopping $NAME: "
    kill -15 `cat $PID`
    rm -f $PID
    echo "OK"
    sleep 3
    echo "Starting $NAME: "
    $DAEMON $DAEMON_OPTS
    echo "OK"
  ;;
  *)
    echo "USAGE: /etc/init.d/$NAME {start|stop|restart}" >&2
    exit 1
  ;;
esac
exit 0