Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "NGINX"
From NetSec
(→SpawnFCGI Script) |
(→HttpRealIpModule: Added Realtime List) |
||
| (7 intermediate revisions by one other user not shown) | |||
| Line 144: | Line 144: | ||
= VirtualHost Equivalents = | = VirtualHost Equivalents = | ||
| − | <source lang="bash"> | + | {{code|text=<source lang="bash"> |
server { | server { | ||
error_log /var/log/nginx/error_log warn; | error_log /var/log/nginx/error_log warn; | ||
| Line 186: | Line 186: | ||
} | } | ||
| − | </source> | + | </source>}} |
= Main Configuration = | = Main Configuration = | ||
| Line 192: | Line 192: | ||
== Log Format == | == Log Format == | ||
| − | <source lang="perl"> | + | {{code|text=<source lang="perl"> |
log_format main | log_format main | ||
'$remote_addr - $remote_user [$time_local] ' | '$remote_addr - $remote_user [$time_local] ' | ||
| Line 198: | Line 198: | ||
'"$http_referer" "$http_user_agent" ' | '"$http_referer" "$http_user_agent" ' | ||
'"$gzip_ratio"'; | '"$gzip_ratio"'; | ||
| − | </source> | + | </source>}} |
== Timeouts == | == Timeouts == | ||
| − | <source lang="perl"> | + | {{code|text=<source lang="perl"> |
client_header_timeout 10; | client_header_timeout 10; | ||
client_body_timeout 10; | client_body_timeout 10; | ||
send_timeout 30; | send_timeout 30; | ||
keepalive_timeout 40 20; | keepalive_timeout 40 20; | ||
| − | </source> | + | </source>}} |
== Socket settings == | == Socket settings == | ||
| − | <source lang="perl"> | + | {{code|text=<source lang="perl"> |
connection_pool_size 8192; | connection_pool_size 8192; | ||
client_header_buffer_size 4k; | client_header_buffer_size 4k; | ||
large_client_header_buffers 8 8k; | large_client_header_buffers 8 8k; | ||
request_pool_size 8k; | request_pool_size 8k; | ||
| − | </source> | + | </source>}} |
== Character Encoding == | == Character Encoding == | ||
| − | <source lang="perl"> | + | {{code|text=<source lang="perl"> |
charset utf-8; | charset utf-8; | ||
source_charset utf-8; | source_charset utf-8; | ||
| − | </source> | + | </source>}} |
== Security == | == Security == | ||
| − | <source lang="perl"> | + | {{code|text=<source lang="perl"> |
server { | server { | ||
server_name _; | server_name _; | ||
| Line 235: | Line 235: | ||
ignore_invalid_headers on; | ignore_invalid_headers on; | ||
server_name_in_redirect off; | server_name_in_redirect off; | ||
| − | </source> | + | </source>}} |
== Performance == | == Performance == | ||
| − | <source lang="perl"> | + | {{code|text=<source lang="perl"> |
sendfile off; | sendfile off; | ||
postpone_output 0; | postpone_output 0; | ||
tcp_nopush on; | tcp_nopush on; | ||
tcp_nodelay off; | tcp_nodelay off; | ||
| − | </source> | + | </source>}} |
== GZIP Compression == | == GZIP Compression == | ||
| − | <source lang="perl"> | + | {{code|text=<source lang="perl"> |
gzip on; | gzip on; | ||
gzip_comp_level 4; | gzip_comp_level 4; | ||
| Line 254: | Line 254: | ||
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; | gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; | ||
gzip_buffers 16 8k; | gzip_buffers 16 8k; | ||
| − | </source> | + | </source>}} |
== Output Buffering == | == Output Buffering == | ||
| − | <source lang="perl"> | + | {{code|text=<source lang="perl"> |
output_buffers 8 32k; | output_buffers 8 32k; | ||
| − | </source> | + | </source>}} |
== DirectoryIndex Equivalent == | == DirectoryIndex Equivalent == | ||
| Line 268: | Line 268: | ||
== Upstream Example == | == Upstream Example == | ||
| − | <source lang="perl"> | + | {{code|text=<source lang="perl"> |
upstream backend { | upstream backend { | ||
ip_hash; | ip_hash; | ||
| Line 276: | Line 276: | ||
server 172.16.10.1:8080 weight=2 max_fails=9 fail_timeout=90; | server 172.16.10.1:8080 weight=2 max_fails=9 fail_timeout=90; | ||
} | } | ||
| − | </source> | + | </source>}} |
= NGINX & CloudFlare = | = NGINX & CloudFlare = | ||
== HttpRealIpModule == | == HttpRealIpModule == | ||
| + | |||
| + | {{Info|You can now get the real-time updated list of backend IPs from CloudFlare [https://www.cloudflare.com/ips here]}} | ||
http://wiki.nginx.org/NginxHttpRealIpModule | http://wiki.nginx.org/NginxHttpRealIpModule | ||
| − | <source lang="bash"> | + | {{code|text=<source lang="bash"> |
set_real_ip_from 204.93.240.0/24; | set_real_ip_from 204.93.240.0/24; | ||
set_real_ip_from 204.93.177.0/24; | set_real_ip_from 204.93.177.0/24; | ||
| Line 294: | Line 296: | ||
set_real_ip_from 190.93.240.0/20; | set_real_ip_from 190.93.240.0/20; | ||
real_ip_header CF-Connecting-IP; | real_ip_header CF-Connecting-IP; | ||
| − | </source> | + | </source>}} |
= Troubleshooting = | = Troubleshooting = | ||
| Line 306: | Line 308: | ||
*Requires '''--with-http_stub_status_module''' flag at compile time. | *Requires '''--with-http_stub_status_module''' flag at compile time. | ||
| − | <source lang="bash"> | + | {{code|text=<source lang="bash"> |
server { | server { | ||
listen 80; | listen 80; | ||
| Line 317: | Line 319: | ||
} | } | ||
} | } | ||
| − | </source> | + | </source>}} |
Then restart NGINX with: | Then restart NGINX with: | ||
| − | + | {{LinuxCMD|nginx -s reload}} | |
| Line 360: | Line 362: | ||
http://wiki.nginx.org/HttpUpstreamModule | http://wiki.nginx.org/HttpUpstreamModule | ||
| − | <source lang="bash"> | + | {{code|text=<source lang="bash"> |
upstream backend { | upstream backend { | ||
# If upstreaming to >1 servers, uncomment next line | # If upstreaming to >1 servers, uncomment next line | ||
| Line 375: | Line 377: | ||
} | } | ||
} | } | ||
| − | </source> | + | </source>}} |
== LimitZone (DoS Prevention) == | == LimitZone (DoS Prevention) == | ||
| Line 400: | Line 402: | ||
=== Examples === | === Examples === | ||
| − | + | {{code|text=<source lang="perl"> | |
#rewrite /page200.html to /page.php?id=200 | #rewrite /page200.html to /page.php?id=200 | ||
rewrite ^/page([0-9]+)\.html$ /page.php?id=$1 last; | rewrite ^/page([0-9]+)\.html$ /page.php?id=$1 last; | ||
| Line 406: | Line 408: | ||
# rewrite /profile/user15 to /profile.php?user=user15 | # rewrite /profile/user15 to /profile.php?user=user15 | ||
rewrite ^/profile/([A-Za-z0-9]{4,12})$ /profile.php?user=$1 last; | rewrite ^/profile/([A-Za-z0-9]{4,12})$ /profile.php?user=$1 last; | ||
| − | + | </source>}} | |
== SpawnFCGI Script == | == SpawnFCGI Script == | ||
| Line 462: | Line 464: | ||
= PHP Configuration = | = PHP Configuration = | ||
| − | The easiest way to get PHP working under NGINX, is to install and configure PHP-CGI, usually used in a FastCGI setup. php-cgi usually runs locally via a UNIX Socket, or via TCP on loopback | + | The easiest way to get [[PHP]] working under NGINX, is to install and configure PHP-CGI, usually used in a FastCGI setup. php-cgi usually runs locally via a UNIX Socket, or via [[TCP]] on loopback interface at 127.0.0.1:9000. |
| − | The following configuration block is meant to pass PHP script requests to a FastCGI listener for processing: | + | The following configuration block is meant to pass [[PHP]] script requests to a FastCGI listener for processing: |
| − | <syntaxhighlight lang="bash"> | + | {{code|text=<syntaxhighlight lang="bash"> |
location ~* \.php$ { | location ~* \.php$ { | ||
include fastcgi_params; | include fastcgi_params; | ||
| Line 485: | Line 487: | ||
# } | # } | ||
} | } | ||
| − | </syntaxhighlight> | + | </syntaxhighlight>}} |
{{Administration}} | {{Administration}} | ||
Latest revision as of 03:56, 22 October 2012
Contents
Nginx
nginx serves as:
- HTTP server
- HTTPS server
- Reverse Proxy
- Load Balancer
- Mail Proxy
Basic HTTP Features
- Serving static and index files, and autoindexing; open file descriptor cache;
- Accelerated reverse proxying with caching; simple load balancing and fault tolerance;
- Accelerated support with caching of remote FastCGI servers; simple load balancing and fault tolerance;
- Modular architecture. Filters include gzipping, byte ranges, chunked responses, XSLT, SSI, and image resizing filter.
- Multiple SSI inclusions within a single page can be processed in parallel if they are handled by FastCGI or proxied servers.
- SSL and TLS SNI support.
Additional HTTP Features
- Name-based and IP-based virtual servers;
- Keep-alive and pipelined connections support;
- Flexible configuration;
- Reconfiguration and online upgrade without interruption of the client processing;
- Access log formats, bufferred log writing, and quick log rotation;
- 3xx-5xx error codes redirection;
- The rewrite module;
- Access control based on client IP address and HTTP Basic authentication;
- The PUT, DELETE, MKCOL, COPY and MOVE methods;
- FLV streaming;
- Speed limitation;
- Limitation of simultaneous connections or requests from one address.
- Embedded Perl
Mail Proxy Server Features
- User redirection to IMAP/POP3 backend using an external HTTP authentication server;
- User authentication using an external HTTP authentication server and connection redirection to internal SMTP backend;
- Authentication methods:
- POP3: USER/PASS, APOP, AUTH LOGIN/PLAIN/CRAM-MD5;
- IMAP: LOGIN, AUTH LOGIN/PLAIN/CRAM-MD5;
- SMTP: AUTH LOGIN/PLAIN/CRAM-MD5;
- SSL support;
- STARTTLS and STLS support.
Architecture and Scalability
- One master process and several workers processes. The workers run as unprivileged user;
- The notification methods:
- kqueue (FreeBSD 4.1+)
- The support of the various kqueue features including:
- EV_CLEAR
- EV_DISABLE (to disable event temporalily)
- NOTE_LOWAT
- EV_EOF
- The support of the various kqueue features including:
- epoll (Linux 2.6+)
- rt signals (Linux 2.2.19+)
- /dev/poll (Solaris 7 11/99+)
- event ports (Solaris 10)
- select, and poll;
- sendfile (FreeBSD 3.1+, Linux 2.2+, Mac OS X 10.5)
- sendfile64 (Linux 2.4.21+)
- sendfilev (Solaris 8 7/01+)
- File AIO (FreeBSD 4.3+, Linux 2.6.22+);
- kqueue (FreeBSD 4.1+)
- Accept-filters (FreeBSD 4.1+) and TCP_DEFER_ACCEPT (Linux 2.4+) support;
- 10,000 inactive HTTP keep-alive connections take about 2.5M memory;
- Data copy operations are kept to a minimum.
Nginx Configuration Directives
error_log
The error log for the domain, this is set by default the same on all vhosts(/var/log/nginx/vhost-error_log).
error_log file [ debug | info | notice | warn | error | crit ]
Disabling error logging
error_log /dev/null crit;
access_log
access_log path [format [buffer=size]]|off
access_log /usr/local/apache/domlogs/YOURDOMAIN.COM-bytes_log bytes_log; access_log /usr/local/apache/domlogs/YOURDOMAIN.COM combined; |
proxy_pass
This directive sets the address of the proxied server and the URI to which location will be mapped.
- Target address may be given as Hostname|IP:PORT|Backend, for example:
proxy_pass http://ws2:example.com:8081/; proxy_pass http://10.0.1.1:8080/; proxy_pass backend; |
root
This is equivalent to DocumentRoot in Apache. Used in location blocks to serve matched content from this document root.
root /srv/web/example.com/htdocs/;
Location Block
location [=|~|~*|^~|@] /uri/ { ... };
Case-Insensitive
location ~* /images/ { ... };
Case-Sensitive
location ~ /images/ { ... };
Match "/"
location = / { ... };
Match everything
location / { ... };
Regex Matching
location ~* \.(bmp|gif|jpe?g|png|tiff)$ { root /srv/web/cdn.example.com/images/; }; location ~* \.(swf|(j|cs)s)$ { root /srv/web/cdn.example.com/lib/; }; |
VirtualHost Equivalents
server { error_log /var/log/nginx/error_log warn; access_log /usr/local/apache/domlogs/YOURDOMAIN.COM.com-bytes_log bytes_log; access_log /usr/local/apache/domlogs/YOURDOMAIN.COM combined; listen 80; server_name YOURDOMAIN.COM WWW.YOURDOMAIN.COM; # Redirect media file or static content extensions to a specific document_root location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|htm|html|js|css)$ { root /home/user/public_html; } location / { client_max_body_size 10m; client_body_buffer_size 128k; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; # fixes upstream response buffering warning proxy_buffers 16 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_connect_timeout 30s; proxy_redirect http://www.YOURDOMAIN.COM:8081 http://www.YOURDOMAIN.COM; proxy_redirect http://YOURDOMAIN.COM:8081 http://YOURDOMAIN.COM; proxy_pass http://IP_ADDRESS:8081/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } |
Main Configuration
Log Format
log_format main '$remote_addr - $remote_user [$time_local] ' '"$request" $status $bytes_sent ' '"$http_referer" "$http_user_agent" ' '"$gzip_ratio"'; |
Timeouts
client_header_timeout 10; client_body_timeout 10; send_timeout 30; keepalive_timeout 40 20; |
Socket settings
connection_pool_size 8192; client_header_buffer_size 4k; large_client_header_buffers 8 8k; request_pool_size 8k; |
Character Encoding
charset utf-8; source_charset utf-8; |
Security
server { server_name _; return 444; } server_tokens off; ignore_invalid_headers on; server_name_in_redirect off; |
Performance
sendfile off; postpone_output 0; tcp_nopush on; tcp_nodelay off; |
GZIP Compression
gzip on; gzip_comp_level 4; gzip_min_length 1100; gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; gzip_buffers 16 8k; |
Output Buffering
output_buffers 8 32k; |
DirectoryIndex Equivalent
index index.html index.php;
Upstream Example
upstream backend { ip_hash; server 172.16.10.4:8080 weight=5 max_fails=3 fail_timeout=30; server 172.16.10.3:8080 weight=4 max_fails=5 fail_timeout=45; server 172.16.10.2:8080 weight=3 max_fails=7 fail_timeout=60 down; server 172.16.10.1:8080 weight=2 max_fails=9 fail_timeout=90; } |
NGINX & CloudFlare
HttpRealIpModule
|
You can now get the real-time updated list of backend IPs from CloudFlare here |
http://wiki.nginx.org/NginxHttpRealIpModule
set_real_ip_from 204.93.240.0/24; set_real_ip_from 204.93.177.0/24; set_real_ip_from 199.27.128.0/21; set_real_ip_from 173.245.48.0/20; set_real_ip_from 103.22.200.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 108.162.192.0/18; set_real_ip_from 190.93.240.0/20; real_ip_header CF-Connecting-IP; |
Troubleshooting
.xml ISE 500
Remove XML being handled by nginx if the back end of the customer's site uses xml files for configurations.
Status Page
- Requires --with-http_stub_status_module flag at compile time.
server { listen 80; server_name 0.0.0.0; location /nginx_status { stub_status on; access_log off; allow MANAGEMENT_IP; } } |
Then restart NGINX with:
| Terminal |
| localhost:~ $ nginx -s reload |
- MANAGEMENT_IP then becomes authorized to view http://YOURDOMAIN.COM/nginx_status
Status Page Details
Active connections: 17802 server accepts handled requests 219633918 2198306548 21970465 Reading: 195 Writing: 1979 Waiting: 850
Status Stub Variables
| Key | Value |
|---|---|
| active connections | # of open connections +backends |
| reading | # of sockets currently reading request headers |
| writing | # of sockets currently reading request body, processing a request, or in response phase |
| waiting | # of active keep-alive sockets |
Reverse Proxy & Load Balancer
Upstream (proxy/load_balancer)
Context: http
http://wiki.nginx.org/HttpUpstreamModule
upstream backend { # If upstreaming to >1 servers, uncomment next line # ip_hash; server 172.16.10.4:8080; server 172.16.10.3:8080; server 172.16.10.2:8080; server 172.16.10.1:8080; } server { location / { proxy_pass http://backend; } } |
LimitZone (DoS Prevention)
Context: http
http { # limit_zone <zone_name> <$variable> <max_zone_sizeM> limit_zone limit0 $binary_remote_addr 10m; server { location /download/ { # limit_conn <zone_name> <max_clients_per_ip> limit_conn limit0 4; } } } |
Apache Rewrites to NGINX Rewrites
http://www.anilcetin.com/convert-apache-htaccess-to-nginx/
Examples
#rewrite /page200.html to /page.php?id=200 rewrite ^/page([0-9]+)\.html$ /page.php?id=$1 last; # rewrite /profile/user15 to /profile.php?user=user15 rewrite ^/profile/([A-Za-z0-9]{4,12})$ /profile.php?user=$1 last; |
SpawnFCGI Script
#! /bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin NAME=spawn-fcgi-php PID=/var/run/fcgi.pid NCHILDREN=100 BINDIP=127.0.0.1 BINDPORT=10001 BINDUSER=nobody BINDGROUP=nobody DAEMON=/usr/bin/spawn-fcgi DAEMON_OPTS="-f /usr/bin/php -C $NCHILDREN -a $BINDIP -p $BINDPORT -u $BINDUSER -g $BINDGROUP -P $PID" test -x $DAEMON || exit 0 set -e case "$1" in start) echo "Starting $NAME: " $DAEMON $DAEMON_OPTS echo "OK" ;; stop) echo "Stopping $NAME: " kill -15 `cat $PID` rm -f $PID echo "OK" ;; restart) echo "Stopping $NAME: " kill -15 `cat $PID` rm -f $PID echo "OK" sleep 3 echo "Starting $NAME: " $DAEMON $DAEMON_OPTS echo "OK" ;; *) echo "USAGE: /etc/init.d/$NAME {start|stop|restart}" >&2 exit 1 ;; esac exit 0 |
PHP Configuration
The easiest way to get PHP working under NGINX, is to install and configure PHP-CGI, usually used in a FastCGI setup. php-cgi usually runs locally via a UNIX Socket, or via TCP on loopback interface at 127.0.0.1:9000.
The following configuration block is meant to pass PHP script requests to a FastCGI listener for processing:
|
<syntaxhighlight lang="bash"> location ~* \.php$ { include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files $uri =404;
error_page 404 /404page.html; # return default 404
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
# If you used php-fpm installed as a TCP service, change the above to:
# fastcgi_pass 127.0.0.1:9000
# If you have more than one fcgi listener open, you can create an upstream backend, and use
# fastcgi_pass backend;
# Example:
# upstream backend {
# server 127.0.0.1:9000;
# server 127.0.0.1:9001;
# }
} </syntaxhighlight> |
NGINX is part of a series on administration.
