i have apache 2.2.18 and there is heavy duty use of the following:
1. mod rewrite
2. mod geoip
3. mod security (with rules available in 2.6.0 for google safe browsing checks etc)
4. mod evasive
5. php5 functionality with memcached + eaccelerator
for #1, i see from threads on this phorum that some rewriting
functionality is possible. i also see that in 1.0.3 the #2 of geoip is
possible.
but i am not sure about 3, 4 and 5. nginx does not support DDOS
protection right? also, will all the php5 modules work with pecl such as
memcached etc?
in trying to set up nginx, i have problem getting php to work. mod fcgi
– is there simple instruction about how to do, and how is the
performance when compared to apache+eaccelerator which opcode caches?
because of this functionality, i don’t want to move entire to nginx.
so i am trying this: nginx run on localhost on port 81. apache is main
front server on port 80. all static content from images folder need to
pass to nginx. i am trying this code in apache:
or ideally, over time i want to move entirely to nginx. so would
appreciate some experienced thought or guidance.
You should use 127.0.0.1:81 instead of 0.0.0.0:81.
However, it’s better to set nginx before Apache and all except
“/mysite/images” to the Apache.
nginx has not mod_security functionality.
There is some functionality similar to mod_evasive in limit_req.
On Fri, May 27, 2011 at 12:19:47PM -0400, pk899 wrote:
thanks for this. but before I try all this on a production server,
couple questions:
if this works with NGINX on port 81, can this work in the future on
port 80? So will nginx and apache both be on port 80? I doubt it but
want to confirm.
Apache may listen on 127.0.0.1:80, while nginx may listen on *:80.
secondly, do you have a production-ready sample of how to set up for
static serving? in apache for example, we set max-age, expires, gzip,
cache-control etc for static files and this is very handy. i read the
wiki manual for nginx and there’s a lot of options in nginx too (quite
impressive actually) but i would love to see a production recommended
sample of commands.
The proxy_pass that you recommend above – this does a full 301
redirect to Apache!
This is really not the solution I am after.
So, back to my first question, how do I pass the baton from Apache
(which really needs to be my first front server because of all the
features) only for the static files to nginx?
how should i block remote_addr based on IP in a certain external
file?
It’s in your link: include /etc/nginx/block.conf;
But it’s not really nginx’s job to secure your server from attackers.
Use iptables or similar for that.
to block xss or such type of injection attacks – any best practice
rules?
These are application-level problems (HTML, JS, SQL etc.) and are not
specific to your server software.
can i block based on “request_uri”? if some hosts are in it
(parameter) then block it.
can i block based on RBL checks? from spamhaus etc.
Not that I know of, and if you are deploying nginx for speed then this
is the last job you want to give it. Block proxies/spammers at the
application level where posting actually happens (e.g. in
postcommentform.php), not for every HTTP request you receive.
The proxy_pass that you recommend above – this does a full 301
redirect to Apache!
This is really not the solution I am after.
So, back to my first question, how do I pass the baton from Apache
(which really needs to be my first front server because of all the
features) only for the static files to nginx?
Then you set up mod_proxy on Apache instead. But with all due respect I
think you’re after the wrong solution. You’re unlikely to gain any
performance like that, because you’re still making Apache do all the
work of talking to clients and holding keepalives. This is where nginx
beats the pants off Apache.
Put nginx in front. Test it by starting it on port 81 as suggested
previously. When you’re happy, switch the ports (nginx on 80, proxying
to Apache on 127.0.0.1:81).
On the server the “test.gif” file is at
“/home/MYDOMAIN/www/static/test.gif”.
Questions:
(1) What am I missing? Should the test.gif file be somewhere else?
Should I try this with some other URL instead of the one I mention
above?
(2) Also, if this worked, and I accepted Nginx to be at the front and
moved Apache to the background, isn’t it true that Apache would have to
pass back all processed output to Nginx?
(3) Even with “proxy_redirect off”, when I try http://MYDOMAIN.com:81,
it actually does a hard 301 redirect to my Apache server.
Thanks. The RBL checking in Apache (via mod security) can happen in very
specific manner. I could specify that they check only specific arguments
(the very precise “input” field in the html) in a very specific page
(“postcommentform.php”).
Similarly, sure, the application needs to be smartly coded to prevent
against injections. But mod_security enables blocking this at a much
earlier phase in the web transaction. And it’s easy to control this a
bit better at the hosting level.
Clearly, I am looking at nginx not only as a “speed option”, but as a
replacement for Apache. Several blogs online say that they have moved to
nginx. I am trying to see how. Apache is sadly bloated but thanks to
mod_security etc it’s a very, very practical modern solution.
Anyway, my setup above is not working either. Even just to use nginx as
merely a static server.
Thanks. The RBL checking in Apache (via mod security) can happen in very
specific manner. I could specify that they check only specific arguments
(the very precise “input” field in the html) in a very specific page
(“postcommentform.php”).
There is no module like this for nginx that I’m aware of but you can
probably find application-level libraries to do it. The fewer
conditionals at the HTTP server level the better.
Similarly, sure, the application needs to be smartly coded to prevent
against injections. But mod_security enables blocking this at a much
earlier phase in the web transaction. And it’s easy to control this a
bit better at the hosting level.
If it’s important then leave it on Apache with your web application. It
will still do what it does upstream of nginx.
Clearly, I am looking at nginx not only as a “speed option”, but as a
replacement for Apache. Several blogs online say that they have moved to
nginx. I am trying to see how. Apache is sadly bloated but thanks to
mod_security etc it’s a very, very practical modern solution.
IMO its bloat is not helped by being piled high with modules. This is
where nginx comes in, and being relatively free of modules was one of
its selling points for me.
On Sat, May 28, 2011 at 09:55:10AM -0400, pk899 wrote:
index index.htm index.php;
}
Questions:
(1) What am I missing? Should the test.gif file be somewhere else?
Should I try this with some other URL instead of the one I mention
above?
It looks like you don’t understand at least two basic things:
1. Location directive maps URI namespace to configuration.
That is, with your config /test.gif will be mapped to “location
/”, i.e. will be proxy_pass’ed to Apache. You want to request
something like /site/static/test.gif to be actually served by
nginx itself.
2. Root directive defines root, and URI will be added to it to
map request to filesystem. I.e. with URI /site/static/test.gif
and root /home/MYDOMAIN/www/static you will end up with
“/home/MYDOMAIN/www/static/site/static/test.gif” filename.
If you want “/site/static/test.gif” to be mapped to
“/home/MYDOMAIN/www/static/test.gif” you have to use alias
directive instead.
(2) Also, if this worked, and I accepted Nginx to be at the front and
moved Apache to the background, isn’t it true that Apache would have to
pass back all processed output to Nginx?
Yes. And this is a huge win in many cases: Apache processes won’t
be bound by serving responses to slow clients.
(3) Even with “proxy_redirect off”, when I try http://MYDOMAIN.com:81,
it actually does a hard 301 redirect to my Apache server.
Directive proxy_redirect is to fix redirects returned by backend
server. By switching it off you merely said “don’t touch
anything” to nginx, and this is what it does. I.e. redirect is
returned by your Apache server (alternatively, it may be just your
browser’s cache from previous testing - check logs).
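The layout recommended in the replies above, written out as one nginx configuration (an added example, not a config posted by anyone in this thread): nginx in front on port 80, static files served through alias, everything else proxied to Apache on 127.0.0.1:81, with limit_req and an external deny file. The zone name `perip`, the rate and burst values, the expires and gzip settings and the forwarded header names are assumptions.

```nginx
# Added example, not from the thread. Place inside the http { } block.
# Assumed values: zone name "perip", 10r/s, burst=20, expires 30d.

# Per-client request rate limiting: the limit_req feature named above as
# the closest nginx equivalent to mod_evasive.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

server {
    listen 80;
    server_name MYDOMAIN.com;

    # Deny rules kept in an external file, one per line, for example
    # "deny 192.0.2.10;" (constructed address from the documentation range).
    include /etc/nginx/block.conf;

    # Static files served by nginx itself.
    # alias replaces the matched prefix, so /site/static/test.gif maps to
    # /home/MYDOMAIN/www/static/test.gif (root would append the full URI).
    # Keep the trailing slash on BOTH the location and the alias path: a
    # location without it lets a request for /site/static../ map to a
    # path outside the static directory.
    location /site/static/ {
        alias /home/MYDOMAIN/www/static/;
        expires 30d;
        gzip on;
        gzip_types text/css application/x-javascript;
    }

    # Everything else goes to Apache, which keeps mod_rewrite,
    # mod_security and mod_php as before.
    location / {
        limit_req zone=perip burst=20;
        proxy_pass http://127.0.0.1:81;
        # Pass the original host and client address to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Behind this proxy Apache sees 127.0.0.1 as the client address, so mod_geoip, mod_evasive and any IP-based mod_security rules have to take the address from the forwarded header rather than from the connection.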
thanks igor and maxim. the proxy stuff is not working for me but i am so
liking the nginx server that i will follow your advice to not care about
mod security so much and just do application level checking in php.
my question: is there a simple guide to get php working on nginx when it
is already installed and running with apache as mod_php on the server?
while testing nginx i dont want to break already working functionality.
there are online guides for “fastcgi” but they are all different and
sometimes old syntax so they are confusing. is there a recommended
official config file that will cover the best practice for a production
server, including:
static files be served with “expires” or etags etc
php with all the modules installed on my server (memcache, etc)
secure php
i want to now just try nginx running on server:81 port and see if it can
do everything that apache does, if i move some of the functionality to
my php application (such as checking RBLs etc).
thanks so much.