NGINX reverse proxy in front of Apache: hardened, high performance dedicated server setup - cloudwebops
Original wiki page: http://dangerousprototypes.com/docs/NGINX_reverse_proxy_in_front_of_Apache:_hardened,_high_performance_dedicated_server_setup

About

We set up our previous dedicated server after leaving the Laughing Squid Cloud service. It worked OK for about 6 months, but then our amateur setup started falling over, once or twice a week at first and then every day. Something had to be done, and by someone more professional than us. Arhi recommended Alex at CloudWebOps.com. Alex did our complete server setup, migration, and hardening at a very reasonable price.

Here are the main features of the setup:
- Main dedicated server running Linux, Apache, MySQL, and PHP, with an nginx reverse proxy server running in front of everything
- Secondary Amazon leased server with Munin server monitoring
- Multiple daily backups to the Jungle Disk encrypted backup service
- Daily SQL database backups to a third backup server

If you need a Linux server setup and hardening, you should check out Alex. He went above and beyond, and helped us every step of the way. He even documented the server install on this wiki page. You can try to DIY, but we think the professional setup Alex did was worth it.

Overview

[Screenshot: htop on the server running the NGINX reverse proxy in front of Apache]

When traffic is too high, Apache spawns many CPU-heavy processes and consumes too much memory, and eventually the server crashes. Apache is a reliable HTTP server that still holds more than 66% of the web server market, according to W3Techs, but it was not designed with performance or scalability in mind.

You can speed up your current HTTP server by installing a reverse proxy server in front of it. A reverse proxy fetches resources from one or more servers and returns them to the client as if they originated from the proxy server itself.

We will use the Nginx web server as that proxy: Apache serves all dynamic content and Nginx handles all static files without consuming many system resources, combining the benefits of both servers.

Hardware

Dedicated Server EX 4:
- Intel Core i7-2600 Quadcore
- RAM: 16 GB DDR3
- Hard disks: 2 x 3 TB SATA 6 Gb/s HDD, 7200 rpm
- NIC: 1 GBit onboard, connected at 100 MBit
- Traffic: 10 TB/month

Operating system:
- Debian-60-squeeze-64-minimal (Hetzner image)

Basic server setup - LAMP

Debian OS - upgrade to the latest packages:

    # apt-get update
    # apt-get upgrade

Packages installation

Apache

    # apt-get install apache2
    # a2enmod rewrite
    # /etc/init.d/apache2 restart

Configuration:

    # nano /etc/apache2/sites-enabled/000-default

(default webroot directory: /var/www/)

Check the configuration:

    # apachectl -t

After enabling, disabling, or modifying any part of your Apache configuration, you will need to reload or restart Apache with:

    # /etc/init.d/apache2 reload

or

    # /etc/init.d/apache2 restart

PHP

    # apt-get install php5 php-pear php5-suhosin php5-mysql

Configuration: edit /etc/php5/apache2/php.ini. Make sure that the following values are set, and that the relevant lines are uncommented (comments are lines beginning with a semicolon):

    max_execution_time = 60
    memory_limit = 128M
    error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
    display_errors = Off
    log_errors = On
    error_log = /var/log/php5.log
    register_globals = Off

display_errors = Off with log_errors = On keeps file paths and stack traces out of the pages visitors see while still recording them in /var/log/php5.log. To apply PHP configuration changes Apache needs to be restarted:

    # /etc/init.d/apache2 restart

MySQL

    # apt-get install mysql-server

During the installation you will be prompted for the MySQL root password. Choose something secure and record it for future reference. At this point MySQL should be ready to configure and run. While you shouldn't need to change the configuration file, note that it is located at /etc/mysql/my.cnf for future reference.

ProFTPD

    # apt-get install proftpd

Select: standalone mode.

Configuration:

    # nano /etc/proftpd/proftpd.conf

Check the configuration:

    # proftpd -t

After modifying any part of your ProFTPD configuration, you will need to restart the ProFTPD service:

    # /etc/init.d/proftpd restart

Plain FTP sends usernames and passwords in the clear; if you keep it, see the FTP hardening link below (or use SFTP over the SSH server you are hardening anyway).

Postfix

    # apt-get install postfix

Select: internet site.

Configuration:

    # nano /etc/postfix/main.cf
    # nano /etc/postfix/master.cf

After modifying any part of your Postfix configuration, you will need to restart the service:

    # /etc/init.d/postfix restart

List of all installed packages, for a new installation

Save the package selection on the existing server, then restore it on the new one:

    # dpkg --get-selections > all-installed-software.log
    # dpkg --set-selections < all-installed-software.log
    # dselect   (choose i = install)

References:
- http://www.debian.org/
- http://httpd.apache.org/docs/2.2/
- http://dev.mysql.com/doc/
- http://www.php.net/docs.php
- http://www.proftpd.org/docs/
- http://www.postfix.org/documentation.html
- http://library.linode.com/lamp-guides/debian-6-squeeze
- http://www.cyberciti.biz/tips/linux-get-list-installed-software-reinstallation-restore.html
Advanced server setup - NGINX

Installation

Use the Dotdeb repository, which at the time carried Nginx 1.0.11 as the latest stable release. For the main Dotdeb repository add these two lines to /etc/apt/sources.list:

    deb http://packages.dotdeb.org stable all
    deb-src http://packages.dotdeb.org stable all

Then fetch the appropriate GnuPG key and install the package:

    # wget http://www.dotdeb.org/dotdeb.gpg
    # cat dotdeb.gpg | apt-key add -
    # apt-get update
    # apt-get install nginx

The key is downloaded over plain HTTP, so compare its fingerprint with the one Dotdeb publishes before adding it: apt will trust every package signed by that key.

Configuration

Stop the Nginx server if it was started automatically by the package manager and create a new nginx.conf configuration file (installed in /etc/nginx/ by default) by pasting the following and adjusting the paths to those of your installation:

    user www-data;              # change to the same user Apache runs as
    worker_processes 8;         # change to the number of your CPUs/cores
    worker_rlimit_nofile 8192;
    error_log /var/log/nginx/error.log;
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
        use epoll;
        accept_mutex off;
    }

    http {
        server_names_hash_bucket_size 64;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        access_log /var/log/nginx/access.log;
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 65;

        # reverse proxy options
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # gzip compression options
        gzip on;
        gzip_http_version 1.0;
        gzip_comp_level 6;
        gzip_min_length 0;
        gzip_buffers 16 8k;
        gzip_proxied any;
        gzip_types text/plain text/css text/xml text/javascript application/xml application/xml+rss application/javascript application/json;
        gzip_disable "MSIE [1-6].";
        gzip_vary on;

        # include virtual hosts configuration
        include /etc/nginx/virtual.d/*.conf;
    }

Nginx should run as the same user Apache runs as, to avoid file permission problems.

Besides the proxy setup this configuration file includes some generic performance tuning, such as using epoll as the event model method, which works effectively on Linux 2.6+ kernels. This works in tandem with the next line, accept_mutex off, to improve performance a bit more. Enabling sendfile allows nginx to use the kernel's sendfile support to send files to the client regardless of their contents. This helps with large static files, such as images, that do not need a multiple request/confirmation system to be served.

Enabling gzip compression for static files can make a big performance difference. The lines starting with gzip enable compression for common web files, such as .css and .js files, on supported browsers.

Apache reverse proxy forward module (mod_rpaf)

If you check the Apache access log files you should see that all incoming requests are coming from 127.0.0.1, the nginx proxy. To fix this you need to install mod_rpaf, the reverse proxy add forward module for Apache, which replaces the connection address with the client address nginx passes in X-Forwarded-For:

    # apt-get install libapache2-mod-rpaf

Check the content of /etc/apache2/mods-enabled/rpaf.conf:

    <IfModule mod_rpaf.c>
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips 127.0.0.1
    </IfModule>

Keep RPAFproxy_ips limited to the proxy's own address. mod_rpaf only rewrites the client address for connections that come from a listed address; anything you add there is an address whose X-Forwarded-For header Apache will believe, and with it whatever client IP ends up in the access log and in IP-based access controls.

Restart Apache:

    # /etc/init.d/apache2 restart
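The trust rule behind RPAFproxy_ips, as an added example that is not code from the wiki page or from mod_rpaf itself: a small shell function that resolves the client address the way a proxy-aware component should, walking X-Forwarded-For from the right and stopping at the first hop that is not a trusted proxy. The trusted list, peer addresses and header values below are constructed for the example; 127.0.0.1 as the only trusted proxy matches the rpaf.conf above.

```sh
#!/bin/sh
# Added example, not part of the original wiki page or of mod_rpaf.
# nginx sets X-Forwarded-For to $proxy_add_x_forwarded_for, i.e. whatever
# the client already sent plus the client's own address appended at the end.
# The leftmost entries are therefore attacker-controlled; only the hops that
# trusted proxies appended can be believed, so the chain is walked from the
# right, starting with the TCP peer Apache actually sees.

# real_client_ip TRUSTED_PROXIES PEER_ADDR XFF_HEADER
#   TRUSTED_PROXIES: space-separated addresses allowed to set X-Forwarded-For
#   PEER_ADDR:       address of the TCP peer (what Apache sees without rpaf)
#   XFF_HEADER:      raw X-Forwarded-For value, may be empty
# Prints the first address from the right that is not a trusted proxy, or
# "unknown" when every hop (peer included) is a trusted proxy.
real_client_ip() {
    trusted="$1"
    peer="$2"
    xff="$3"
    # Full chain: header hops first, then the peer that delivered the request.
    chain="${xff:+$xff,}$peer"
    printf '%s\n' "$chain" | awk -v trusted="$trusted" '
        BEGIN {
            n = split(trusted, t, " ")
            for (i = 1; i <= n; i++) trust[t[i]] = 1
        }
        {
            gsub(/[ \t]/, "")               # tolerate "a, b" spacing
            n = split($0, hop, ",")
            for (i = n; i >= 1; i--) {      # walk from the proxy-appended end
                if (hop[i] == "") continue
                if (!(hop[i] in trust)) { print hop[i]; exit }
            }
            print "unknown"
        }'
}

# Constructed cases (no real traffic):
# 1. Normal request through nginx: the client tried to spoof 10.0.0.1 in
#    X-Forwarded-For, nginx appended the true address 203.0.113.5.
real_client_ip "127.0.0.1" "127.0.0.1" "10.0.0.1, 203.0.113.5"   # 203.0.113.5
# 2. Apache reached directly, no trusted proxy in between: the header is
#    ignored and the peer address wins.
real_client_ip "127.0.0.1" "203.0.113.5" "10.0.0.1"              # 203.0.113.5
# 3. Request from the proxy itself with no header at all.
real_client_ip "127.0.0.1" "127.0.0.1" ""                         # unknown
```

Case 2 is the one that matters for hardening: it only stays theoretical if Apache is unreachable from the outside, which is why the next section binds it to 127.0.0.1:8080 rather than just moving it to another port.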
Apache configuration (behind Nginx)

Nginx now acts as the front-end web server, waiting for requests on port 80, so you need to configure Apache to listen on a different port (8080 in this case) and preferably only on localhost. Open the file /etc/apache2/ports.conf and change the line

    Listen 80

to

    Listen 127.0.0.1:8080

If you use name-based virtual hosts you should have a line NameVirtualHost *:80 in the same file. Change that to NameVirtualHost *:8080, and change the matching <VirtualHost *:80> directives in your site files to *:8080 as well.

Binding to 127.0.0.1 is a security boundary, not just tidiness: once Apache can only be reached through nginx, the X-Forwarded-For header that mod_rpaf trusts can only have been set by nginx. Check it after the restart with netstat -lntp (or ss -lntp): apache2 should appear only on 127.0.0.1:8080 and nginx on 0.0.0.0:80.

If you have configured Keep-Alive support in Apache you should disable it since it is already enabled in Nginx. Change KeepAlive On to KeepAlive Off in /etc/apache2/apache2.conf. You can also disable the mod_deflate module since Nginx already provides gzip compression.

nginx referer denial

In /etc/nginx/nginx.conf there is a list of words to deny in referers. If the Referer header of a request contains one of these words, nginx drops the request (return 444 closes the connection without a response). If one of your own URLs happens to contain a listed word, every link from that page to another page on the same site comes up blank, with missing images and stylesheets, because the site is its own referer.

    ## Deny certain Referers (case insensitive)
    ## The ~* makes it case insensitive as opposed to just a ~
    if ($http_referer ~* (babes|...|zippo) ) { return 444; }

The pattern is an unanchored substring match, so a word matches anywhere in the referer URL (host, path or query). If you notice a problem, just remove the offending word and restart nginx with:

    # /etc/init.d/nginx restart

References
- http://wiki.nginx.org/
- http://tumblr.intranation.com/post/766288369/using-nginx-reverse-proxy
- http://www.djm.org.uk/wordpress-nginx-reverse-proxy-caching-setup/
- http://www.djm.org.uk/fauna-flora-nginx-reverse-proxy-results/
- http://syslog.tv/2011/09/30/nginx-config-for-reverse-proxying-wordpress-wp-super-cache-and-keeping-the-load-off-apache2/

WordPress, MediaWiki, phpBB tweaks

WordPress

WordPress Nginx proxy cache integrator: enables your blog to work properly with an nginx front-end static proxy cache. "ASTRONOMICAL performance is yours!"

MediaWiki

Fix for the MediaWiki rewrite problem (double /docs/docs, for example). The right setting in LocalSettings.php is

    $wgServer = "http://dangerousprototypes.com";

Setting

    $wgServer = "http://dangerousprototypes.com/docs/";

did not work for us.
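Putting the pieces above together: the virtual host that the include /etc/nginx/virtual.d/*.conf; line in nginx.conf pulls in, which serves static files itself and proxies everything else to Apache on 127.0.0.1:8080. This is an added example, not a file from the wiki page or from CloudWebOps; the server name example.com, the document root /var/www and the static-file extension list are assumptions to adjust, and the shell wrapper only writes the file so it can be reviewed and checked with nginx -t before it goes live.

```sh
#!/bin/sh
# Added example (not from the original wiki page): write an nginx virtual host
# that serves static files directly and proxies the rest to Apache bound to
# 127.0.0.1:8080, as configured in ports.conf above.
# Usage: write_nginx_vhost DEST_DIR SERVER_NAME DOCROOT
# Assumed values in the call below: example.com and /var/www (Debian default).
write_nginx_vhost() {
    dest="$1"; name="$2"; root="$3"
    mkdir -p "$dest"
    cat > "$dest/$name.conf" <<EOF
server {
    listen 80;
    server_name $name www.$name;
    root $root;
    access_log /var/log/nginx/$name.access.log;

    # Hide dotfiles (.htaccess, .git, .svn) that live under the webroot;
    # Apache would refuse .htaccess itself, but nginx serves files as-is.
    location ~ /\\. {
        deny all;
    }

    # Static files: served by nginx, never touch Apache.
    location ~* \\.(jpe?g|gif|png|ico|css|js|txt|xml|woff|ttf|svg|pdf|zip)\$ {
        expires 7d;
        try_files \$uri =404;
    }

    # Everything else (PHP, rewrites, .htaccess logic) goes to Apache.
    # Host, X-Real-IP and X-Forwarded-For are inherited from the
    # proxy_set_header lines in the http {} block of nginx.conf.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_connect_timeout 10;
        proxy_read_timeout 60;
    }
}
EOF
    echo "$dest/$name.conf"
}

# Write into a scratch directory rather than /etc/nginx/virtual.d so the
# result can be read first; copy it into place, run "nginx -t", then reload.
scratch="$(mktemp -d)"
write_nginx_vhost "$scratch" example.com /var/www
```

Two things worth keeping when you adapt it: the try_files line means a request for a missing .php-less static path is answered by nginx with 404 instead of being handed to Apache, and the proxy_pass target must stay 127.0.0.1, matching both the Listen line in ports.conf and RPAFproxy_ips.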
phpBB

Fixing incorrect cookie settings in phpBB. Hint: to let users log in after the update without clearing cookies, change the name of the phpBB3 cookie in the administrative control panel.

Hardening references

sysctl.conf security
- http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/

tmp directory hardening
- http://www.modmysite.com/security-server-administration/10725.htm
- http://www.mokonamodoki.com/mounting-tmp-and-var-tmp-as-a-separate-file-system

Rootkit Hunter
- http://www.debian-tutorials.com/security/how-to-install-and-use-rkhunter

CSF firewall & LFD - anti-DoS, brute force detection and prevention, port scan detection and prevention, root logger
- http://configserver.com/cp/csf.html
- http://blog.eukhost.com/webhosting/features-and-installation-procedure-of-csf-configserver-security-firewall/

Securing the SSH server
- http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html

Log analysis
- http://library.linode.com/server-monitoring/logwatch/debian-5-lenny

FTP hardening
- http://www.cyberciti.biz/tips/linux-installing-configuring-proftpd-ftp-server.html

Apache mod_security
- http://www.pc-freak.net/blog/tightening-php-security-on-apache-2-2-with-modsecurity2-on-debian-lenny-linux/

Monitoring

AWS EC2 micro (Tokyo) - remote Nagios and Munin server
- http://aws.amazon.com/free/

Pingdom
- http://www.pingdom.com/a3/

References

Nagios
- http://www.kernelhardware.org/nagios-nrpe-to-monitor-remote-linux-server/
- http://library.linode.com/server-monitoring/nagios/debian-5-lenny

Munin
- http://library.linode.com/server-monitoring/munin/debian-6-squeeze

Backups!!!

- Second HDD synchronization
- Database dump
- Offsite encrypted backups - Jungle Disk
- Offsite encrypted backups on Amazon S3 or Rackspace Cloud Files
  - https://www.jungledisk.com/business/server/features/
  - http://decomplexification.com/2011/08/11/backup-your-servers-jungle-disk-server-edition/
