
Increase web application stack security (LAMP virtualization, step 6/6)

Setting up and using nginx

This completes the translation of the cyberciti.biz series of articles on virtualizing the LAMP stack. The final part covers installing and configuring nginx as a reverse proxy.

nginx is an open-source product that is used as more than a web server or reverse proxy. Because it is lightweight and frugal with resources it is also used as a load balancer (from plain round-robin to smarter schemes, all of them rather sparsely documented) and/or as the single point of entry to the virtual network services set up in the previous articles of the series, reached through one external host address, for example IP 202.54.1.1 (as in the earlier examples).

In this article we will set up nginx as a reverse proxy in front of an Apache + PHP5 server with the domain name www.example.com and a Lighttpd static-content server, called static.example.com in our example. All settings are made only on the virtual server vm00, which has the internal IP address 192.168.1.1 and the external address 202.54.1.1 that nginx listens on.

DNS setup

Make sure that both www.example.com and static.example.com resolve to the address on which nginx listens: for Internet clients that is the external address of vm00, 202.54.1.1 (192.168.1.1 is vm00's internal address and is reachable only from the 192.168.1.0/24 network, so a record pointing at it serves only the virtual machines themselves).

Installing the nginx server

Enter the following console commands to install nginx. The release package is fetched over plain HTTP, so before installing it import nginx's published package signing key and verify the file with rpm -K; afterwards confirm that the repository file it drops into /etc/yum.repos.d/ has gpgcheck enabled, so that yum verifies every later nginx update as well:
 $ cd /tmp
 $ wget http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm
 # rpm -iv nginx-release-rhel-6-0.el6.ngx.noarch.rpm
 # yum install nginx

Example response in the server console:
 Loaded plugins: rhnplugin
 Setting up Install Process
 Resolving Dependencies
 --> Running transaction check
 ---> Package nginx.x86_64 0:1.2.1-1.el6.ngx will be installed
 --> Finished Dependency Resolution

 Dependencies Resolved

 =========================================================================
  Package      Arch          Version                   Repository    Size
 =========================================================================
 Installing:
  nginx        x86_64        1.2.1-1.el6.ngx           nginx        331 k

 Transaction Summary
 =========================================================================
 Install       1 Package(s)

 Total download size: 331 k
 Installed size: 730 k
 Is this ok [y/N]: y
 Downloading Packages:
 nginx-1.2.1-1.el6.ngx.x86_64.rpm                  | 331 kB     00:00
 Running rpm_check_debug
 Running Transaction Test
 Transaction Test Succeeded
 Running Transaction
 Warning: RPMDB altered outside of yum.
   Installing : nginx-1.2.1-1.el6.ngx.x86_64                          1/1
 ----------------------------------------------------------------------
 Thanks for using nginx!

 Check out our community web site:
 * http://nginx.org/en/support.html

 If you have questions about commercial support for nginx please visit:
 * http://www.nginx.com/support.html
 ----------------------------------------------------------------------
   Verifying  : nginx-1.2.1-1.el6.ngx.x86_64                          1/1

 Installed:
   nginx.x86_64 0:1.2.1-1.el6.ngx

 Complete!


Configuring the nginx web server as reverse proxy

Edit the /etc/nginx/conf.d/default.conf file:
 # vi /etc/nginx/conf.d/default.conf 

Add the following to it, or change the existing lines accordingly:
 ## Apache (vm02), www.example.com ##
 upstream apachephp {
     server 192.168.1.11:80; #Apache1
 }
 ## Lighttpd (vm01), static.example.com ##
 upstream lighttpd {
     server 192.168.1.10:80; #Lighttpd1
 }

 ## www.example.com ##
 server {
    listen       202.54.1.1:80;
    server_name  www.example.com;

    access_log  /var/log/nginx/log/www.example.access.log  main;
    error_log   /var/log/nginx/log/www.example.error.log;
    root   /usr/share/nginx/html;
    index  index.html index.htm;

    ## hand everything to apache1 ##
    location / {
     proxy_pass  http://apachephp;
     proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
     proxy_redirect off;
     proxy_buffering off;
     proxy_set_header        Host            $host;
     proxy_set_header        X-Real-IP       $remote_addr;
     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   }
 }
 ## end www.example.com ##

 ## static.example.com ##
 server {
   listen      202.54.1.1:80;
   server_name static.example.com;
   access_log  /var/log/nginx/log/static.example.com.access.log  main;
   error_log   /var/log/nginx/log/static.example.com.error.log;
   root        /usr/local/nginx/html;
   index       index.html;

   location / {
        proxy_pass  http://lighttpd;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header        Host            static.example.com;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   }
 }
 ## end static.example.com ##

A few things to check before relying on this configuration. Make sure the directory /var/log/nginx/log/ exists (create it if the package did not), because nginx refuses to start when the directory of an access_log or error_log is missing; the "main" log format it refers to is defined in the package's /etc/nginx/nginx.conf. proxy_next_upstream resends a failed request to the next server in the upstream, POST requests included, so as soon as an upstream holds more than one server a request that already changed state on a backend which then answered 500 may be executed twice; with the single server per upstream used here this cannot happen yet. Finally, the X-Real-IP and X-Forwarded-For headers are only meaningful if clients cannot reach the backends directly: restrict port 80 on vm01 (192.168.1.10) and vm02 (192.168.1.11) to connections from vm00 (192.168.1.1), and configure Apache and Lighttpd to take the client address from those headers only for requests arriving from that address.
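The two proxy_set_header lines for X-Real-IP and X-Forwarded-For are what the Apache and Lighttpd backends have to rely on for the client address, and X-Forwarded-For deserves care: $proxy_add_x_forwarded_for appends nginx's $remote_addr to whatever X-Forwarded-For the client already sent, so a backend that reads the first address in that header can be fed any value an attacker likes. The following is an added example, not part of the original article and not nginx's or Apache's own code: a Python function that a backend application or a log-processing script can use to recover the real client address by walking the header from the right and skipping only the proxy we trust, vm00 at 192.168.1.1. The trusted-proxy set and the sample requests are assumptions made for the illustration.

```python
import ipaddress

# Hosts whose additions to X-Forwarded-For we trust. In this series the only
# proxy in front of the backends is nginx on vm00, 192.168.1.1; any further
# entry would be an assumption about your own network.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("192.168.1.1")})


def client_ip(remote_addr, x_forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Return the real client address as a string.

    remote_addr      -- peer address of the TCP connection (REMOTE_ADDR)
    x_forwarded_for  -- the X-Forwarded-For header value, or None

    nginx's $proxy_add_x_forwarded_for appends its $remote_addr to whatever
    X-Forwarded-For the client already sent, so the backend receives
    "<anything the client chose>, <real client>". Walking the list from the
    right and stopping at the first hop that is not one of our proxies gives
    the real client; everything to its left is attacker-controlled input.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies:
        # The request did not come through nginx at all (direct access to the
        # backend): the header is worthless, the TCP peer is the client.
        return str(peer)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry where nginx should have written an address:
            # stop rather than trust anything further to the left.
            break
        if addr not in trusted_proxies:
            return str(addr)
    # Empty header, malformed header, or every hop is one of our own proxies:
    # fall back to the peer, the only address known to be genuine.
    return str(peer)


if __name__ == "__main__":
    # Constructed requests, as Apache on vm02 would see them behind nginx on vm00.
    cases = [
        ("192.168.1.1", "203.0.113.9"),             # honest client via nginx
        ("192.168.1.1", "1.2.3.4, 203.0.113.9"),    # client tried to spoof 1.2.3.4
        ("203.0.113.9", "1.2.3.4"),                 # backend reached directly
        ("192.168.1.1", None),                      # header missing
    ]
    for peer, xff in cases:
        print(f"peer={peer:<13} xff={xff!r:<24} client={client_ip(peer, xff)}")
```

In PHP the same logic applies to $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR']; for Apache's own access logs, mod_rpaf on httpd 2.2 (mod_remoteip on 2.4) performs this substitution once it is told the proxy address. X-Real-IP is simpler to consume, since nginx overwrites it rather than appending, but it is trustworthy only while the backends accept port 80 from vm00 alone, which is why the firewall rule on vm01 and vm02 matters as much as the header itself.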


Enable and start nginx

Check the configuration for syntax errors first with nginx -t, then enable nginx at boot and start it:
 # chkconfig nginx on
 # service nginx start


Configure the firewall

Set the following firewall settings:


To set them, run:
 # system-config-firewall-tui 

You can also edit /etc/sysconfig/iptables by hand to configure the firewall (see the iptables configuration tutorial on cyberciti.biz, linked in the translator's list below).

/etc/sysctl.conf

Edit /etc/sysctl.conf as follows. Note that net.ipv4.ip_forward = 0 is correct only when vm00 does not route or NAT traffic for the guests (bridged guests do not need forwarding on the host); if it does, leave forwarding on and rely on the firewall instead:
 # Exec-Shield
 kernel.exec-shield = 1
 kernel.randomize_va_space = 1
 # IPv4 settings
 net.ipv4.ip_forward = 0
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.tcp_syncookies = 1
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
 # Increase system file descriptor limit to
 fs.file-max = 50000
 # Increase system IP port limits
 net.ipv4.ip_local_port_range = 2000 65000
 # IPv6
 net.ipv6.conf.default.router_solicitations = 0
 net.ipv6.conf.default.accept_ra_rtr_pref = 0
 net.ipv6.conf.default.accept_ra_pinfo = 0
 net.ipv6.conf.default.accept_ra_defrtr = 0
 net.ipv6.conf.default.autoconf = 0
 net.ipv6.conf.default.dad_transmits = 0
 net.ipv6.conf.default.max_addresses = 1

Load the new Linux kernel settings with the following command:
 # sysctl -p 
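sysctl -p applies the file, but it reports an error for keys the running kernel does not expose (kernel.exec-shield exists only on kernels carrying Red Hat's Exec-Shield patch, such as the RHEL/CentOS 6 kernel this series targets), and a later reboot, a management tool or a second sysctl file can quietly change a value. The following is an added example, not from the original article: a small Python script that compares the values in /etc/sysctl.conf with what sysctl -a reports from the running kernel and lists every key that is missing or differs. The sample data at the bottom is constructed so that the script runs offline.

```python
"""Compare /etc/sysctl.conf with the values the running kernel reports.

On the server:  sysctl -a 2>/dev/null | python3 audit_sysctl.py /etc/sysctl.conf
Without arguments the script runs on the constructed sample data below.
"""
import re
import sys

# "key = value"; keys may contain dots, dashes, underscores and, for
# per-interface settings written the sysctl way, slashes.
_LINE = re.compile(r"^([\w.\-/]+)\s*=\s*(.*)$")


def parse_sysctl(text):
    """Parse 'key = value' lines from sysctl.conf or `sysctl -a` into a dict.

    Blank lines and comments are skipped. Multi-value settings such as
    net.ipv4.ip_local_port_range are printed tab-separated by `sysctl -a`
    but written space-separated in the conf file, so runs of whitespace
    inside a value are collapsed to one space before comparing.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = " ".join(m.group(2).split())
    return settings


def audit(wanted, running):
    """Return {key: (wanted_value, running_value)} for every key that differs.

    A running value of None means the kernel does not expose the key at all;
    kernel.exec-shield is the usual case on kernels without the Exec-Shield
    patch, and `sysctl -p` reports exactly that as an error.
    """
    return {k: (v, running.get(k)) for k, v in wanted.items() if running.get(k) != v}


# Constructed sample data for an offline run: a subset of the conf fragment
# above, and a fake `sysctl -a` excerpt in which ip_forward was not applied
# and exec-shield does not exist on the running kernel.
SAMPLE_CONF = """
# Exec-Shield
kernel.exec-shield = 1
kernel.randomize_va_space = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 2000 65000
"""

SAMPLE_SYSCTL_A = """
kernel.randomize_va_space = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 2000\t65000
net.ipv4.conf.all.log_martians = 0
"""


def sample_findings():
    """Findings for the constructed sample: the two keys that are not in effect."""
    return audit(parse_sysctl(SAMPLE_CONF), parse_sysctl(SAMPLE_SYSCTL_A))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as conf:
            findings = audit(parse_sysctl(conf.read()), parse_sysctl(sys.stdin.read()))
    else:
        findings = sample_findings()
    for key, (want, got) in sorted(findings.items()):
        state = "not present on this kernel" if got is None else f"running value {got!r}"
        print(f"{key}: wanted {want!r}, {state}")
    sys.exit(1 if findings else 0)
```

Run it after every sysctl -p and from a cron job; a non-zero exit status is the signal that a hardening value has drifted. On a kernel without Exec-Shield the script reports kernel.exec-shield as not present rather than as a mismatch, which is the cue to drop the line instead of wondering why sysctl -p keeps complaining.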

For detailed information about the kernel directives listed above, read the cyberciti.biz FAQ on /etc/sysctl.conf security hardening (linked in the translator's list below).

Nginx server security

See also the post “Top 20 nginx web server security best practices”. For more on nginx as a reverse proxy and on its SSL settings, see the cyberciti.biz tutorial on setting up an nginx SSL proxy (linked in the translator's list below) and the lesson materials:


Top security practices for the LAMP stack

  1. Encrypt communications: use ssh and VPNs when administering your virtual machines, and upload files to the server with an scp / sftp client;
  2. Do you really need everything that is installed on a web server? Avoid installing unnecessary software and so shrink the attack surface. Use the package manager (yum, apt-get and/or dpkg) to keep track of what is installed;
  3. Installing security updates is an essential part of maintaining a Linux server. The distribution provides all the tooling needed to keep the system current, and moving from one package version to the next is straightforward. Monitor security updates and install them as early as possible;
  4. Give user accounts the least privilege they need. Do not hand out ssh access to your server left and right;
  5. Also read the LAMP stack security best practices at cyberciti.biz:



Conclusion

I hope this guide helps with setting up virtual machines, and that the information is enough for you to start building your own web stack on your CentOS / RHEL server.



From the translator:
The series of articles contains about 50 external links to cyberciti materials. For my part, it would not be very honest to leave readers alone with the English text (otherwise we would simply read the originals). The suggestion is this: here are the top links, the ones mentioned most often in the translated material:

And 36 more links, mentioned more than 0 times:
www.php.net/array
www.cyberciti.biz/faq/mysql-user-creation
www.cyberciti.biz/tips/open-source-project-management-software.html
www.cyberciti.biz/faq/linux-demilitarized-zone-howto
www.cyberciti.biz/faq/restart-httpd
www.cyberciti.biz/faq/how-do-i-start-and-stop-nfs-service
www.cyberciti.biz/faq/rhel-centos-fedora-keepalived-lvs-cluster-configuration
www.cyberciti.biz/tips/linux-laptop.html
www.cyberciti.biz/faq/centos-fedora-rhel-iptables-open-nfs-server-ports
www.cyberciti.biz/faq/linux-install-and-start-apache-httpd
www.cyberciti.biz/faq/rhel-fedora-centos-linux-temporarily-switchoff-selinux
www.cyberciti.biz/faq/linux-make-directory-command
www.cyberciti.biz/faq/howto-disable-httpd-selinux-security-protection
www.cyberciti.biz/tips/top-linux-monitoring-tools.html
www.php.net/isset
www.cyberciti.biz/tips/linux-iptables-examples.html
bash.cyberciti.biz/mysql/add-database-username-password-remote-host-access
dev.mysql.com/doc/refman/5.5/en
www.cyberciti.biz/faq/tag/etcfstab
www.cyberciti.biz/faq/fedora-sl-centos-redhat6-enable-epel-repo
www.cyberciti.biz/faq/tag/etcsysconfigmemcached
www.cyberciti.biz/tips/my-10-unix-command-line-mistakes.html
www.cyberciti.biz/tips/download-email-client-for-linux-mac-osx-windows.html
www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening
www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
www.cyberciti.biz/faq/linux-unix-bsd-wordpress-memcached-cache-plugin
www.cyberciti.biz/faq/howto-install-memcached-under-rhel-fedora-centos
www.cyberciti.biz/tips/tips-to-protect-linux-servers-physical-console-access.html
www.cyberciti.biz/faq/how-to-install-mysql-under-rhel
www.cyberciti.biz/tips/unix-linux-bsd-pydf-command-in-colours.html
www.cyberciti.biz/faq/howto-linux-unix-setup-nginx-ssl-proxy
www.cyberciti.biz/faq/how-to-mount-bind-partitions-filesystems-in-linux
www.cyberciti.biz/faq/rhel-fedora-linux-install-memcached-caching-system-rpm
www.phpmyadmin.net/home_page/index.php
www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial
www.cyberciti.biz/faq/stop-lighttpd-server

What interests me now, i.e. what I plan to translate in the next few days, is in the list below. If there is something that needs translating or voicing over and is as valuable as Yoshinori Matsunobu's talks, suggest it and we will read / translate it.

O'Reilly MySQL Conference & Expo Is a Wrap // 2011 web

Interests: administration, optimization and monitoring of the LAMP stack. Virtualization, IaaS, KVM, xfs, NFS. Also of interest: hPHP (HipHop PHP), WordPress.

From you, a link to the material; from me, a translation and a bow.

If you know of conferences other than O'Reilly Velocity, NJ-LOPSA PICC, Tech Ed and LinuxCon that publish materials / presentations / videos, tell us, and we will pick topics to your taste and translate them.

Source: https://habr.com/ru/post/148491/
