Newbie questions about nginx (moving from apache)

Hi

sorry for english.

i am on centos 64 bit server with cpanel and whm.

i have apache 2.2.18 and there is heavy duty use of the following:

  1. mod rewrite
  2. mod geoip
  3. mod security (with rules available in 2.6.0 for google safe browsing
    checks etc)
  4. mod evasive
  5. php5 functionality with memcached + eaccelerator

for #1, i see from threads on this forum that some rewriting
functionality is possible. i also see that in 1.0.3 the #2 of geoip is
possible.

but i am not sure about 3, 4 and 5. nginx does not support DDOS
protection right? also, will all the php5 modules work with pecl such as
memcached etc?

in trying to set up nginx, i have problem getting php to work. mod fcgi
– is there simple instruction about how to do, and how is the
performance when compared to apache+eaccelerator which opcode caches?

because of this functionality, i don’t want to move entire to nginx.

so i am trying this: nginx run on localhost on port 81. apache is main
front server on port 80. all static content from images folder need to
pass to nginx. i am trying this code in apache:

ProxyRequests Off
ProxyPreserveHost On
ProxyPass /mysite/images http://0.0.0.0:81/
ProxyPassReverse / http://0.0.0.0:81/

But this is not working.

Nginx root folder is “/mysite/images”. And when I type in browser
http://MYDOMAIN.COM:81 then I can see the nginx working fine. the images
are there.

any idea about how i can make this setup work?

or ideally, over time i want to move entirely to nginx. so would
appreciate some experienced thought or guidance.

thanks

Posted at Nginx Forum:

On Fri, May 27, 2011 at 04:14:49AM -0400, pk899 wrote:

http://MYDOMAIN.COM:81 then I can see the nginx working fine. the images
are there.

any idea about how i can make this setup work?

or ideally, over time i want to move entirely to nginx. so would
appreciate some experienced thought or guidance.

You should use 127.0.0.1:81 instead of 0.0.0.0:81.
However, it’s better to set nginx before Apache and pass all except
“/mysite/images” to Apache.
nginx does not have mod_security functionality.
There is some functionality similar to mod_evasive in limit_req.


Igor S.

thanks igor. wow, so fast reply.

how can i setup nginx “before apache”? will i have to change apache
port?

and what will the syntax look like. is there any simple guide? i have a
high traffic site so dont want to break the functionality.

thanks!

Posted at Nginx Forum:

On Fri, May 27, 2011 at 04:28:10AM -0400, pk899 wrote:

thanks igor. wow, so fast reply.

how can i setup nginx “before apache”? will i have to change apache
port?

and what will the syntax look like. is there any simple guide? i have a
high traffic site so dont want to break the functionality.

You should test nginx setup on 81 port passing request to Apache on 80:

server {
    listen 81;
    server_name your.domain.com;

    root  /path/to/static;

    location / {
        proxy_pass        http://127.0.0.1;
        proxy_set_header  Host  $host;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

    location /mysite/images/ {
    }
}

You may need to add mod_rpaf to Apache to process client IPs passed
by nginx in X-Forwarded-For.


Igor S.

On Fri, May 27, 2011 at 12:19:47PM -0400, pk899 wrote:

thanks for this. but before I try all this on a production server,
couple questions:

  1. if this works with NGINX on port 81, can this work in the future on
    port 80? So will nginx and apache both be on port 80? I doubt it but
    want to confirm.

Apache may listen on 127.0.0.1:80, while nginx may listen on *:80.

  2. secondly, do you have a production-ready sample of how to set up for
    static serving? in apache for example, we set max-age, expires, gzip,
    cache-control etc for static files and this is very handy. i read the
    wiki manual for nginx and there’s a lot of options in nginx too (quite
    impressive actually) but i would love to see a production recommended
    sample of commands.

location /static/ {
    root …
    expires 30d;
    gzip on;
    gzip_static on;
}


Igor S.

thanks. i have been reading about nginx a lot on the internet. and it seems
to me that many features of mod_security are available inside nginx.

i like this post:
http://eng.eelcowesemann.nl/linux-unix/nginx/nginx-blocking/

my questions.

  1. how should i block remote_addr based on IP in a certain external
    file?
  2. to block xss or such type of injection attacks – any best practice
    rules?
  3. can i block based on “request_uri”? if some hosts are in it
    (parameter) then block it.
  4. can i block based on RBL checks? from spamhaus etc.

thanks!

Posted at Nginx Forum:

thanks for this. but before I try all this on a production server,
couple questions:

  1. if this works with NGINX on port 81, can this work in the future on
    port 80? So will nginx and apache both be on port 80? I doubt it but
    want to confirm.

  2. secondly, do you have a production-ready sample of how to set up for
    static serving? in apache for example, we set max-age, expires, gzip,
    cache-control etc for static files and this is very handy. i read the
    wiki manual for nginx and there’s a lot of options in nginx too (quite
    impressive actually) but i would love to see a production recommended
    sample of commands.

thanks!

Posted at Nginx Forum:

Some problems with your recommendation, Igor.

  1. There is no directive like “gzip_static”.

  2. The proxy_pass that you recommend above – this does a full 301
    redirect to Apache!

This is really not the solution I am after.

So, back to my first question, how do I pass the baton from Apache
(which really needs to be my first front server because of all the
features) only for the static files to nginx?

Thanks.

Posted at Nginx Forum:

On 27 May 2011 18:59, pk899 wrote:

thanks. i have been reading about nginx a lot on the internet. and it seems
to me that many features of mod_security are available inside nginx.

i like this post:
http://eng.eelcowesemann.nl/linux-unix/nginx/nginx-blocking/

my questions.

  1. how should i block remote_addr based on IP in a certain external
    file?

It’s in your link: include /etc/nginx/block.conf;
But it’s not really nginx’s job to secure your server from attackers.
Use iptables or similar for that.

  2. to block xss or such type of injection attacks – any best practice
    rules?

These are application-level problems (HTML, JS, SQL etc.) and are not
specific to your server software.

  3. can i block based on “request_uri”? if some hosts are in it
    (parameter) then block it.

http://eng.eelcowesemann.nl/linux-unix/nginx/nginx-blocking/
Use $request_uri instead of $http_referer

  4. can i block based on RBL checks? from spamhaus etc.

Not that I know of, and if you are deploying nginx for speed then this
is the last job you want to give it. Block proxies/spammers at the
application level where posting actually happens (e.g. in
postcommentform.php), not for every HTTP request you receive.

thanks!

On 28 May 2011 05:54, pk899 wrote:

Some problems with your recommendation, Igor.

  1. There is no directive like “gzip_static”.

http://wiki.nginx.org/NginxHttpGzipStaticModule

  2. The proxy_pass that you recommend above – this does a full 301
    redirect to Apache!

This is really not the solution I am after.

So, back to my first question, how do I pass the baton from Apache
(which really needs to be my first front server because of all the
features) only for the static files to nginx?

Then you set up mod_proxy on Apache instead. But with all due respect I
think you’re after the wrong solution. You’re unlikely to gain any
performance like that, because you’re still making Apache do all the
work of talking to clients and holding keepalives. This is where nginx
beats the pants off Apache.

Put nginx in front. Test it by starting it on port 81 as suggested
previously. When you’re happy, switch the ports (nginx on 80, proxying
to Apache on 127.0.0.1:81).

Thomas

Thanks. But I am a bit confused, as the simple setup is not working from
port 81 (for testing):

server {
    listen 81;
    server_name MYDOMAIN.com www.MYDOMAIN.com;

    location ^~ /site/static {
        root /home/MYDOMAIN/www/static;
        index index.htm index.php;
        expires       30d;
        gzip          on;
    }

    location / {
        proxy_pass      http://127.0.0.1:80/;
        proxy_redirect  off;

        proxy_set_header   Host             $host;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}

Then I try in my browser this:
http://MYDOMAIN.com:81/test.gif

On the server the “test.gif” file is at
“/home/MYDOMAIN/www/static/test.gif”.

Questions:

(1) What am I missing? Should the test.gif file be somewhere else?
Should I try this with some other URL instead of the one I mention
above?

(2) Also, if this worked, and I accepted Nginx to be at the front and
moved Apache to the background, isn’t it true that Apache would have to
pass back all processed output to Nginx?

(3) Even with “proxy_redirect off”, when I try http://MYDOMAIN.com:81,
it actually does a hard 301 redirect to my Apache server.

What am I missing?

Posted at Nginx Forum:

Thanks. The RBL checking in Apache (via mod security) can happen in very
specific manner. I could specify that they check only specific arguments
(the very precise “input” field in the html) in a very specific page
(“postcommentform.php”).

Similarly, sure, the application needs to be smartly coded to prevent
against injections. But mod_security enables blocking this at a much
earlier phase in the web transaction. And it’s easy to control this a
bit better at the hosting level.

Clearly, I am looking at nginx not only as a “speed option”, but as a
replacement for Apache. Several blogs online say that they have moved to
nginx. I am trying to see how. Apache is sadly bloated but thanks to
mod_security etc it’s a very, very practical modern solution.

Anyway, my setup above is not working either. Even just to use nginx as
merely a static server.

Posted at Nginx Forum:

On 28 May 2011 15:55, pk899 wrote:

 index index.htm index.php;

}

}

server {
    listen 81;
    server_name MYDOMAIN.com www.MYDOMAIN.com;

    root /home/MYDOMAIN/www;

    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /static/ {
        index index.htm;
        expires 30d;
        gzip on;
        gzip_static on;
    }
}

On 28 May 2011 15:31, pk899 wrote:

Thanks. The RBL checking in Apache (via mod security) can happen in very
specific manner. I could specify that they check only specific arguments
(the very precise “input” field in the html) in a very specific page
(“postcommentform.php”).

There is no module like this for nginx that I’m aware of but you can
probably find application-level libraries to do it. The fewer
conditionals at the HTTP server level the better.

Similarly, sure, the application needs to be smartly coded to prevent
against injections. But mod_security enables blocking this at a much
earlier phase in the web transaction. And it’s easy to control this a
bit better at the hosting level.

If it’s important then leave it on Apache with your web application. It
will still do what it does upstream of nginx.

Clearly, I am looking at nginx not only as a “speed option”, but as a
replacement for Apache. Several blogs online say that they have moved to
nginx. I am trying to see how. Apache is sadly bloated but thanks to
mod_security etc it’s a very, very practical modern solution.

IMO its bloat is not helped by being piled high with modules. This is
where nginx comes in, and being relatively free of modules was one of
its selling points for me.

Thanks.

So with this setup, this works:

http://mydomain.com:81/static/test.gif

But when I try this:

http://mydomain.com:81/static/test.gif

It physically redirects to http://mydomain.com.

How can I avoid this?

Posted at Nginx Forum:

Thomas L. Wrote:

  1. how should i block remote_addr based on IP in
    a certain external
    file?

It’s in your link: include /etc/nginx/block.conf;

Not correct. The “block.conf” as that guy mentions is only a collection
of rules.

I am asking if I can have a file that is full of host names or IPs, say
“blacklist.conf”. Then, I want to do something like this:

if ($request_uri ~* (“/blacklist.conf”) ) {
return 403;
}

if ($remote_addr ~* (“/blacklist.conf”) ) {
return 403;
}

This way I can keep easily adding or removing IPs/hosts from my
blacklist file instead of editing the nginx.conf file every time.

Thanks.

Posted at Nginx Forum:
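
An external address blacklist of the kind asked about above, as an added example that is not part of the original thread or written by any of its participants. It uses nginx's `geo` block with an `include`d file, plus the `limit_req` mechanism mentioned earlier in the thread; the file path, zone name, rate values and sample addresses are assumptions.

```nginx
# Added example (not from the thread). File name, zone name and rates
# are assumptions.
#
# /etc/nginx/blacklist.conf holds one "address value;" pair per line,
# for example (constructed documentation addresses):
#     192.0.2.15      1;
#     198.51.100.0/24 1;

# --- http {} context ---

# $blocked is 1 when $remote_addr matches an entry in the file, else 0.
geo $blocked {
    default 0;
    include /etc/nginx/blacklist.conf;
}

# Per-client request-rate limiting, keyed on the client address.
limit_req_zone $binary_remote_addr zone=perip:10m rate=5r/s;

server {
    listen 81;
    server_name MYDOMAIN.com www.MYDOMAIN.com;

    # Reject blacklisted clients before anything is proxied.
    if ($blocked) {
        return 403;
    }

    location / {
        # Allow short bursts, reject sustained floods.
        limit_req zone=perip burst=10;

        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The included file is read when the configuration is loaded, so edits to it take effect after `nginx -t` and a reload, without touching nginx.conf itself.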

Because this forum does not allow editing, here’s my edit:

Thanks.

So with this setup, this works:

http://mydomain.com:81/static/test.gif

But when I try this:

http://mydomain.com:81/ (main site)

It physically redirects to http://mydomain.com.

How can I avoid this?

Posted at Nginx Forum:

Hello!

On Sat, May 28, 2011 at 09:55:10AM -0400, pk899 wrote:

Questions:

(1) What am I missing? Should the test.gif file be somewhere else?
Should I try this with some other URL instead of the one I mention
above?

It looks like you don’t understand at least two basic things:

  1. Location directive maps URI namespace to configuration.
    That is, with your config /test.gif will be mapped to “location
    /”, i.e. will be proxy_pass’ed to Apache. You want to request
    something like /site/static/test.gif to be actually served by
    nginx itself.

See here for more details:

http://wiki.nginx.org/HttpCoreModule#location

  2. Root directive defines root, and URI will be added to it to
    map request to filesystem. I.e. with URI /site/static/test.gif
    and root /home/MYDOMAIN/www/static you will end up with
    “/home/MYDOMAIN/www/static/site/static/test.gif” filename.

If you want “/site/static/test.gif” to be mapped to
“/home/MYDOMAIN/www/static/test.gif” you have to use alias
directive instead.

See here for more details:

http://wiki.nginx.org/HttpCoreModule#root
http://wiki.nginx.org/HttpCoreModule#alias

(2) Also, if this worked, and I accepted Nginx to be at the front and
moved Apache to the background, isn’t it true that Apache would have to
pass back all processed output to Nginx?

Yes. And this is a huge win in many cases: Apache processes won’t
be bound by serving responses to slow clients.

(3) Even with “proxy_redirect off”, when I try http://MYDOMAIN.com:81,
it actually does a hard 301 redirect to my Apache server.

Directive proxy_redirect is to fix redirects returned by backend
server. By switching it off you merely said “don’t touch
anything” to nginx, and this is what it does. I.e. redirect is
returned by your Apache server (alternatively, it may be just your
browser’s cache from previous testing - check logs).

Maxim D.
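
The location and root/alias mapping described above, as an added example that is not part of the original thread: one location shows how `root` builds the filename, the other uses `alias` to get the mapping the poster wanted. Host names and paths are the thread's placeholders; the `/site/static-root/` prefix is hypothetical and exists only for contrast.

```nginx
# Added example (not from the thread). MYDOMAIN and the paths are the
# thread's placeholders.
server {
    listen 81;
    server_name MYDOMAIN.com www.MYDOMAIN.com;

    # root: the full request URI is appended to the root path.
    #   GET /site/static-root/test.gif
    #   -> /home/MYDOMAIN/www/static/site/static-root/test.gif
    # (not where the file actually lives)
    location ^~ /site/static-root/ {
        root /home/MYDOMAIN/www/static;
    }

    # alias: the matched location prefix is replaced by the alias path.
    #   GET /site/static/test.gif
    #   -> /home/MYDOMAIN/www/static/test.gif
    # Keep the trailing slash on both the location and the alias so the
    # prefix and the path line up; a mismatch can let requests resolve
    # outside the intended directory.
    location ^~ /site/static/ {
        alias /home/MYDOMAIN/www/static/;
        expires 30d;
    }

    # Everything else, including /test.gif, is handled here and goes
    # to Apache.
    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```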

thanks igor and maxim. the proxy stuff is not working for me but i am so
liking the nginx server that i will follow your advice to not care about
mod security so much and just do application level checking in php.

my question: is there a simple guide to get php working on nginx when it
is already installed and running with apache as mod_php on the server?
while testing nginx i dont want to break already working functionality.

there are online guides for “fastcgi” but they are all different and
sometimes old syntax so they are confusing. is there a recommended
official config file that will cover the best practice for a production
server, including:

  1. static files be served with “expires” or etags etc
  2. php with all the modules installed on my server (memcache, etc)
  3. secure php

i want to now just try nginx running on server:81 port and see if it can
do everything that apache does, if i move some of the functionality to
my php application (such as checking RBLs etc).

thanks so much.

Posted at Nginx Forum: