Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "NGINX"

From NetSec
Jump to: navigation, search
(LimitZone (DoS Prevention))
(HttpRealIpModule: Added Realtime List)
 
(8 intermediate revisions by one other user not shown)
Line 144: Line 144:
 
= VirtualHost Equivalents =
 
= VirtualHost Equivalents =
  
<source lang="bash">
+
{{code|text=<source lang="bash">
 
   server {
 
   server {
 
     error_log  /var/log/nginx/error_log warn;
 
     error_log  /var/log/nginx/error_log warn;
Line 186: Line 186:
 
   }
 
   }
  
</source>
+
</source>}}
  
 
= Main Configuration =
 
= Main Configuration =
Line 192: Line 192:
 
== Log Format ==
 
== Log Format ==
  
<source lang="perl">
+
{{code|text=<source lang="perl">
 
log_format main
 
log_format main
 
   '$remote_addr - $remote_user [$time_local] '
 
   '$remote_addr - $remote_user [$time_local] '
Line 198: Line 198:
 
   '"$http_referer" "$http_user_agent" '
 
   '"$http_referer" "$http_user_agent" '
 
   '"$gzip_ratio"';
 
   '"$gzip_ratio"';
</source>
+
</source>}}
  
 
== Timeouts ==
 
== Timeouts ==
  
<source lang="perl">
+
{{code|text=<source lang="perl">
 
client_header_timeout 10;
 
client_header_timeout 10;
 
client_body_timeout  10;
 
client_body_timeout  10;
 
send_timeout          30;
 
send_timeout          30;
 
keepalive_timeout    40 20;
 
keepalive_timeout    40 20;
</source>
+
</source>}}
  
 
== Socket settings ==
 
== Socket settings ==
  
<source lang="perl">
+
{{code|text=<source lang="perl">
 
connection_pool_size        8192;
 
connection_pool_size        8192;
 
client_header_buffer_size  4k;
 
client_header_buffer_size  4k;
 
large_client_header_buffers 8 8k;
 
large_client_header_buffers 8 8k;
 
request_pool_size          8k;
 
request_pool_size          8k;
</source>
+
</source>}}
  
 
== Character Encoding ==
 
== Character Encoding ==
  
<source lang="perl">
+
{{code|text=<source lang="perl">
 
charset                utf-8;
 
charset                utf-8;
 
source_charset          utf-8;
 
source_charset          utf-8;
</source>
+
</source>}}
  
 
== Security ==
 
== Security ==
  
<source lang="perl">
+
{{code|text=<source lang="perl">
 
server {
 
server {
 
   server_name _;
 
   server_name _;
Line 235: Line 235:
 
ignore_invalid_headers on;
 
ignore_invalid_headers on;
 
server_name_in_redirect off;
 
server_name_in_redirect off;
</source>
+
</source>}}
  
 
== Performance ==
 
== Performance ==
  
<source lang="perl">
+
{{code|text=<source lang="perl">
 
sendfile off;
 
sendfile off;
 
postpone_output 0;
 
postpone_output 0;
 
tcp_nopush on;
 
tcp_nopush on;
 
tcp_nodelay off;
 
tcp_nodelay off;
</source>
+
</source>}}
  
 
== GZIP Compression ==
 
== GZIP Compression ==
  
<source lang="perl">
+
{{code|text=<source lang="perl">
 
gzip            on;
 
gzip            on;
 
gzip_comp_level 4;
 
gzip_comp_level 4;
Line 254: Line 254:
 
gzip_types      text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
 
gzip_types      text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
 
gzip_buffers    16 8k;
 
gzip_buffers    16 8k;
</source>
+
</source>}}
  
 
== Output Buffering ==
 
== Output Buffering ==
  
<source lang="perl">
+
{{code|text=<source lang="perl">
 
output_buffers 8 32k;
 
output_buffers 8 32k;
</source>
+
</source>}}
  
 
== DirectoryIndex Equivalent ==
 
== DirectoryIndex Equivalent ==
Line 268: Line 268:
 
== Upstream Example ==
 
== Upstream Example ==
  
<source lang="perl">
+
{{code|text=<source lang="perl">
 
upstream backend {
 
upstream backend {
 
   ip_hash;
 
   ip_hash;
Line 276: Line 276:
 
   server 172.16.10.1:8080 weight=2 max_fails=9 fail_timeout=90;
 
   server 172.16.10.1:8080 weight=2 max_fails=9 fail_timeout=90;
 
}
 
}
</source>
+
</source>}}
  
 
= NGINX & CloudFlare =
 
= NGINX & CloudFlare =
  
 
== HttpRealIpModule ==
 
== HttpRealIpModule ==
 +
 +
{{Info|You can now get the real-time updated list of backend IPs from CloudFlare [https://www.cloudflare.com/ips here]}}
  
 
http://wiki.nginx.org/NginxHttpRealIpModule
 
http://wiki.nginx.org/NginxHttpRealIpModule
  
<source lang="bash">
+
{{code|text=<source lang="bash">
 
   set_real_ip_from 204.93.240.0/24;
 
   set_real_ip_from 204.93.240.0/24;
 
   set_real_ip_from 204.93.177.0/24;
 
   set_real_ip_from 204.93.177.0/24;
Line 294: Line 296:
 
   set_real_ip_from 190.93.240.0/20;
 
   set_real_ip_from 190.93.240.0/20;
 
   real_ip_header CF-Connecting-IP;
 
   real_ip_header CF-Connecting-IP;
</source>
+
</source>}}
  
 
= Troubleshooting =
 
= Troubleshooting =
Line 306: Line 308:
 
*Requires '''--with-http_stub_status_module''' flag at compile time.
 
*Requires '''--with-http_stub_status_module''' flag at compile time.
  
<source lang="bash">
+
{{code|text=<source lang="bash">
 
  server {
 
  server {
 
   listen    80;
 
   listen    80;
Line 317: Line 319:
 
   }
 
   }
 
  }
 
  }
</source>
+
</source>}}
  
 
Then restart NGINX with:
 
Then restart NGINX with:
  
  nginx -s reload
+
{{LinuxCMD|nginx -s reload}}
  
  
Line 360: Line 362:
 
http://wiki.nginx.org/HttpUpstreamModule
 
http://wiki.nginx.org/HttpUpstreamModule
  
<source lang="bash">
+
{{code|text=<source lang="bash">
 
upstream backend  {
 
upstream backend  {
 
   # If upstreaming to >1 servers, uncomment next line
 
   # If upstreaming to >1 servers, uncomment next line
Line 375: Line 377:
 
   }
 
   }
 
}
 
}
</source>
+
</source>}}
  
 
== LimitZone (DoS Prevention) ==
 
== LimitZone (DoS Prevention) ==
Line 400: Line 402:
  
 
=== Examples ===
 
=== Examples ===
 
+
{{code|text=<source lang="perl">
 
   #rewrite /page200.html to /page.php?id=200
 
   #rewrite /page200.html to /page.php?id=200
 
   rewrite ^/page([0-9]+)\.html$ /page.php?id=$1 last;
 
   rewrite ^/page([0-9]+)\.html$ /page.php?id=$1 last;
Line 406: Line 408:
 
   # rewrite /profile/user15 to /profile.php?user=user15
 
   # rewrite /profile/user15 to /profile.php?user=user15
 
   rewrite ^/profile/([A-Za-z0-9]{4,12})$ /profile.php?user=$1 last;
 
   rewrite ^/profile/([A-Za-z0-9]{4,12})$ /profile.php?user=$1 last;
 
+
</source>}}
 
== SpawnFCGI Script ==
 
== SpawnFCGI Script ==
  
<source lang="bash">
+
{{code|text=<source lang="bash">
 
#! /bin/sh
 
#! /bin/sh
 
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
Line 458: Line 460:
 
exit 0
 
exit 0
  
</source>
+
</source>}}
  
 
= PHP Configuration =
 
= PHP Configuration =
  
The easiest way to get PHP working under NGINX, is to install and configure PHP-CGI, usually used in a FastCGI setup.  php-cgi usually runs locally via a UNIX Socket, or via TCP on loopback device at 127.0.0.1:9000.
+
The easiest way to get [[PHP]] working under NGINX, is to install and configure PHP-CGI, usually used in a FastCGI setup.  php-cgi usually runs locally via a UNIX Socket, or via [[TCP]] on loopback interface at 127.0.0.1:9000.
  
The following configuration block is meant to pass PHP script requests to a FastCGI listener for processing:
+
The following configuration block is meant to pass [[PHP]] script requests to a FastCGI listener for processing:
  
<syntaxhighlight lang="bash">
+
{{code|text=<syntaxhighlight lang="bash">
 
location ~* \.php$ {
 
location ~* \.php$ {
 
   include fastcgi_params;
 
   include fastcgi_params;
Line 485: Line 487:
 
   # }
 
   # }
 
}  
 
}  
</syntaxhighlight>
+
</syntaxhighlight>}}
  
 
{{Administration}}
 
{{Administration}}

Latest revision as of 03:56, 22 October 2012

Nginx

nginx serves as:

  • HTTP server
  • HTTPS server
  • Reverse Proxy
  • Load Balancer
  • Mail Proxy

Basic HTTP Features

  • Serving static and index files, and autoindexing; open file descriptor cache;
  • Accelerated reverse proxying with caching; simple load balancing and fault tolerance;
  • Accelerated support with caching of remote FastCGI servers; simple load balancing and fault tolerance;
  • Modular architecture. Filters include gzipping, byte ranges, chunked responses, XSLT, SSI, and image resizing filter.
    • Multiple SSI inclusions within a single page can be processed in parallel if they are handled by FastCGI or proxied servers.
  • SSL and TLS SNI support.

Additional HTTP Features

  • Name-based and IP-based virtual servers;
  • Keep-alive and pipelined connections support;
  • Flexible configuration;
  • Reconfiguration and online upgrade without interruption of the client processing;
  • Access log formats, bufferred log writing, and quick log rotation;
  • 3xx-5xx error codes redirection;
  • The rewrite module;
  • Access control based on client IP address and HTTP Basic authentication;
  • The PUT, DELETE, MKCOL, COPY and MOVE methods;
  • FLV streaming;
  • Speed limitation;
  • Limitation of simultaneous connections or requests from one address.
  • Embedded Perl

Mail Proxy Server Features

  • User redirection to IMAP/POP3 backend using an external HTTP authentication server;
  • User authentication using an external HTTP authentication server and connection redirection to internal SMTP backend;
  • Authentication methods:
    • POP3: USER/PASS, APOP, AUTH LOGIN/PLAIN/CRAM-MD5;
    • IMAP: LOGIN, AUTH LOGIN/PLAIN/CRAM-MD5;
    • SMTP: AUTH LOGIN/PLAIN/CRAM-MD5;
  • SSL support;
  • STARTTLS and STLS support.

Architecture and Scalability

  • One master process and several workers processes. The workers run as unprivileged user;
  • The notification methods:
    • kqueue (FreeBSD 4.1+)
      • The support of the various kqueue features including:
        • EV_CLEAR
        • EV_DISABLE (to disable event temporalily)
        • NOTE_LOWAT
        • EV_EOF
    • epoll (Linux 2.6+)
    • rt signals (Linux 2.2.19+)
    • /dev/poll (Solaris 7 11/99+)
    • event ports (Solaris 10)
    • select, and poll;
    • sendfile (FreeBSD 3.1+, Linux 2.2+, Mac OS X 10.5)
    • sendfile64 (Linux 2.4.21+)
    • sendfilev (Solaris 8 7/01+)
    • File AIO (FreeBSD 4.3+, Linux 2.6.22+);
  • Accept-filters (FreeBSD 4.1+) and TCP_DEFER_ACCEPT (Linux 2.4+) support;
  • 10,000 inactive HTTP keep-alive connections take about 2.5M memory;
  • Data copy operations are kept to a minimum.

Nginx Configuration Directives

Nginx Configuration Reference

Directive Index

error_log

The error log for the domain, this is set by default the same on all vhosts(/var/log/nginx/vhost-error_log).

 error_log file [ debug | info | notice | warn | error | crit ]

Disabling error logging

 error_log /dev/null crit;

access_log

 access_log path [format [buffer=size]]|off
 
  access_log /usr/local/apache/domlogs/YOURDOMAIN.COM-bytes_log bytes_log;
  access_log /usr/local/apache/domlogs/YOURDOMAIN.COM combined;
 

proxy_pass

This directive sets the address of the proxied server and the URI to which location will be mapped.

  • Target address may be given as Hostname|IP:PORT|Backend, for example:
 
  proxy_pass http://ws2:example.com:8081/;
  proxy_pass http://10.0.1.1:8080/;
  proxy_pass backend;
 

root

This is equivalent to DocumentRoot in Apache. Used in location blocks to serve matched content from this document root.

 root /srv/web/example.com/htdocs/;

Location Block

 location [=|~|~*|^~|@] /uri/ { ... };

Case-Insensitive

 location ~* /images/ { ... };

Case-Sensitive

 location ~ /images/ { ... };

Match "/"

 location = / { ... };

Match everything

 location / { ... };

Regex Matching

 
  location ~* \.(bmp|gif|jpe?g|png|tiff)$ {
    root /srv/web/cdn.example.com/images/;
  };
  location ~* \.(swf|(j|cs)s)$ {
    root /srv/web/cdn.example.com/lib/;
  };
 

VirtualHost Equivalents

 
  server {
    error_log  /var/log/nginx/error_log warn;
    access_log /usr/local/apache/domlogs/YOURDOMAIN.COM.com-bytes_log bytes_log;
    access_log /usr/local/apache/domlogs/YOURDOMAIN.COM combined;
 
    listen    80;
    server_name  YOURDOMAIN.COM WWW.YOURDOMAIN.COM;
 
    # Redirect media file or static content extensions to a specific document_root 
    location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ {
     root   /home/user/public_html;
    }
 
    location / {
     client_max_body_size    10m;
     client_body_buffer_size 128k;
 
     proxy_send_timeout   90;
     proxy_read_timeout   90;
 
     proxy_buffer_size    4k;
 
     # fixes upstream response buffering warning
     proxy_buffers     16 32k;
 
     proxy_busy_buffers_size 64k;
     proxy_temp_file_write_size 64k;
 
     proxy_connect_timeout 30s;
 
     proxy_redirect  http://www.YOURDOMAIN.COM:8081   http://www.YOURDOMAIN.COM;
     proxy_redirect  http://YOURDOMAIN.COM:8081   http://YOURDOMAIN.COM;
 
     proxy_pass   http://IP_ADDRESS:8081/;
 
     proxy_set_header   Host   $host;
     proxy_set_header   X-Real-IP  $remote_addr;
     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
 
 

Main Configuration

Log Format

 
log_format main
  '$remote_addr - $remote_user [$time_local] '
  '"$request" $status $bytes_sent '
  '"$http_referer" "$http_user_agent" '
  '"$gzip_ratio"';
 

Timeouts

 
client_header_timeout 10;
client_body_timeout   10;
send_timeout          30;
keepalive_timeout     40 20;
 

Socket settings

 
connection_pool_size        8192;
client_header_buffer_size   4k;
large_client_header_buffers 8 8k;
request_pool_size           8k;
 

Character Encoding

 
charset                 utf-8;
source_charset          utf-8;
 

Security

 
server {
  server_name _;
  return 444;
}
server_tokens off;
ignore_invalid_headers on;
server_name_in_redirect off;
 

Performance

 
sendfile off;
postpone_output 0;
tcp_nopush on;
tcp_nodelay off;
 

GZIP Compression

 
gzip            on;
gzip_comp_level 4;
gzip_min_length 1100;
gzip_types      text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_buffers    16 8k;
 

Output Buffering

 
output_buffers 8 32k;
 

DirectoryIndex Equivalent

 index index.html index.php;

Upstream Example

 
upstream backend {
  ip_hash;
  server 172.16.10.4:8080 weight=5 max_fails=3 fail_timeout=30;
  server 172.16.10.3:8080 weight=4 max_fails=5 fail_timeout=45;
  server 172.16.10.2:8080 weight=3 max_fails=7 fail_timeout=60 down;
  server 172.16.10.1:8080 weight=2 max_fails=9 fail_timeout=90;
}
 

NGINX & CloudFlare

HttpRealIpModule

c3el4.png You can now get the real-time updated list of backend IPs from CloudFlare here

http://wiki.nginx.org/NginxHttpRealIpModule

 
  set_real_ip_from 204.93.240.0/24;
  set_real_ip_from 204.93.177.0/24;
  set_real_ip_from 199.27.128.0/21;
  set_real_ip_from 173.245.48.0/20;
  set_real_ip_from 103.22.200.0/22;
  set_real_ip_from 141.101.64.0/18;
  set_real_ip_from 108.162.192.0/18;
  set_real_ip_from 190.93.240.0/20;
  real_ip_header CF-Connecting-IP;
 

Troubleshooting

.xml ISE 500

Remove XML being handled by nginx if the back end of the customer's site uses xml files for configurations.

Status Page

  • Requires --with-http_stub_status_module flag at compile time.
 
 server {
   listen    80;
   server_name  0.0.0.0;
 
   location /nginx_status {
     stub_status on;
     access_log   off;
     allow MANAGEMENT_IP;
   }
 }
 

Then restart NGINX with:

Terminal

localhost:~ $ nginx -s reload


Status Page Details

Active connections: 17802
server accepts handled requests
 219633918 2198306548 21970465
Reading: 195 Writing: 1979 Waiting: 850

Status Stub Variables

Key Value
active connections # of open connections +backends
reading # of sockets currently reading request headers
writing # of sockets currently reading request body, processing a request, or in response phase
waiting # of active keep-alive sockets

Reverse Proxy & Load Balancer

Upstream (proxy/load_balancer)

Context: http

http://wiki.nginx.org/HttpUpstreamModule

 
upstream backend  {
  # If upstreaming to >1 servers, uncomment next line
  # ip_hash;
  server 172.16.10.4:8080;
  server 172.16.10.3:8080;
  server 172.16.10.2:8080;
  server 172.16.10.1:8080;
}
 
server {
  location / {
    proxy_pass  http://backend;
  }
}
 

LimitZone (DoS Prevention)

Context: http

 
http {
  # limit_zone <zone_name> <$variable>         <max_zone_sizeM>
    limit_zone limit0      $binary_remote_addr 10m;
 
  server {
    location /download/ {
      # limit_conn <zone_name> <max_clients_per_ip>
        limit_conn limit0      4;
    }
  }
}
 

Apache Rewrites to NGINX Rewrites

http://www.anilcetin.com/convert-apache-htaccess-to-nginx/

Examples

 
  #rewrite /page200.html to /page.php?id=200
  rewrite ^/page([0-9]+)\.html$ /page.php?id=$1 last;
 
  # rewrite /profile/user15 to /profile.php?user=user15
  rewrite ^/profile/([A-Za-z0-9]{4,12})$ /profile.php?user=$1 last;
 

SpawnFCGI Script

 
#! /bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=spawn-fcgi-php
 
PID=/var/run/fcgi.pid
NCHILDREN=100
 
BINDIP=127.0.0.1
BINDPORT=10001
BINDUSER=nobody
BINDGROUP=nobody
 
DAEMON=/usr/bin/spawn-fcgi
DAEMON_OPTS="-f /usr/bin/php -C $NCHILDREN -a $BINDIP -p $BINDPORT -u $BINDUSER -g $BINDGROUP -P $PID"
 
test -x $DAEMON || exit 0
 
set -e
 
case "$1" in
  start)
    echo "Starting $NAME: "
    $DAEMON $DAEMON_OPTS
    echo "OK"
  ;;
  stop) 
    echo "Stopping $NAME: "
    kill -15 `cat $PID`
    rm -f $PID
    echo "OK"
  ;;
  restart)
    echo "Stopping $NAME: "
    kill -15 `cat $PID`
    rm -f $PID
    echo "OK"
    sleep 3
    echo "Starting $NAME: "
    $DAEMON $DAEMON_OPTS
    echo "OK"
  ;;
  *)
    echo "USAGE: /etc/init.d/$NAME {start|stop|restart}" >&2
    exit 1
  ;;
esac
exit 0
 
 

PHP Configuration

The easiest way to get PHP working under NGINX, is to install and configure PHP-CGI, usually used in a FastCGI setup. php-cgi usually runs locally via a UNIX Socket, or via TCP on loopback interface at 127.0.0.1:9000.

The following configuration block is meant to pass PHP script requests to a FastCGI listener for processing:

<syntaxhighlight lang="bash"> location ~* \.php$ {

 include fastcgi_params;
 fastcgi_intercept_errors on;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 try_files $uri =404;
 error_page 404 /404page.html; # return default 404
 fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
 # If you used php-fpm installed as a TCP service, change the above to:
 # fastcgi_pass 127.0.0.1:9000
 # If you have more than one fcgi listener open, you can create an upstream backend, and use
 # fastcgi_pass backend;
 # Example:
 # upstream backend {
 #   server 127.0.0.1:9000;
 #   server 127.0.0.1:9001;
 # }

} </syntaxhighlight>

NGINX is part of a series on administration.