Difference between revisions of "Nginx Reverse Proxy"
(→Scenario 2.se: with SSL: nginx and apache are installed on the same server.) |
|||
Line 162: | Line 162: | ||
rewrite (.+) https://sub.domain.com$1 permanent; | rewrite (.+) https://sub.domain.com$1 permanent; | ||
} | } | ||
− | + | ||
server { | server { | ||
listen 443; | listen 443; | ||
− | + | ||
server_name sub.domain.com; | server_name sub.domain.com; | ||
− | + | ||
ssl on; | ssl on; | ||
ssl_certificate /path/to/server.crt; | ssl_certificate /path/to/server.crt; | ||
ssl_certificate_key /path/to/server.key; | ssl_certificate_key /path/to/server.key; | ||
− | + | ||
location / { | location / { | ||
− | + | ||
proxy_pass http://localhost:8080; | proxy_pass http://localhost:8080; | ||
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; | proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; | ||
Line 183: | Line 183: | ||
proxy_set_header X-Real-IP $remote_addr; | proxy_set_header X-Real-IP $remote_addr; | ||
proxy_pass_header Set-Cookie; | proxy_pass_header Set-Cookie; | ||
− | + | ||
} | } | ||
− | } | + | } |
[[Category:Linux]] | [[Category:Linux]] |
Latest revision as of 15:16, 24 September 2018
Nginx reverse proxy for apache
Scenario 1: nginx is installed on a separate server from apache.
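Apache server IP = 199.101.21.130. Nginx server IP = 199.101.20.10. We assume that Apache listens on the default port 80; for more security you can change it. Whichever port is used, allow connections to it only from the nginx server, so that clients cannot bypass the proxy.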
/etc/nginx/nginx.conf:
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

# Main context: worker processes run as the "nginx" user.
user nginx;
worker_processes 4;

error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;

pid /var/run/nginx.pid;


events {
    worker_connections 1024;
}

worker_rlimit_nofile 4096;


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # "main" access-log format. $http_x_forwarded_for is the X-Forwarded-For
    # request header exactly as the client sent it, so treat that field as
    # untrusted when analysing logs; $remote_addr is the connecting address.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    # Load config files from the /etc/nginx/conf.d directory
    # The default server is in conf.d/default.conf
    # Every *.conf file in that directory is loaded into this http context.
    include /etc/nginx/conf.d/*.conf;

}
/etc/nginx/conf.d/default.conf Config:
#
# The default server
#
# Backend pool with a single member: the Apache host, reached over plain HTTP.
# NOTE(review): traffic between the two hosts is unencrypted, and Apache should
# accept port 80 only from 199.101.20.10; otherwise clients can reach it
# directly and supply their own X-Real-IP / X-Forwarded-For values.
upstream apachephp {
    server 199.101.21.130:80; #Apache1
}


server {
    listen 199.101.20.10:80;
    server_name www.domain.com;

    access_log /var/log/nginx/www.domain.access.log main;
    error_log /var/log/nginx/www.domain.error.log;
    root /usr/share/nginx/html;
    index index.html index.htm;

    ## send request back to apache1 ##
    location / {
        proxy_pass http://apachephp;
        # With only one server in the upstream there is no other server to
        # pass a failed request on to.
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        # Overwrites any client-sent X-Real-IP with the connecting address.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the connecting address to whatever X-Forwarded-For the client
        # sent, so only the last entry is written by this proxy; the backend
        # should not trust earlier entries.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Remember to restart nginx and set it to start automatically on boot:
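# Enable nginx at boot.
chkconfig nginx on
# Check the configuration syntax first; nginx is started only if the check passes,
# so a typo in the files above is reported instead of leaving the proxy down.
nginx -t && service nginx start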
Try to access the website via the nginx IP; after that you can change the DNS A-record (set the nginx IP instead of the apache one).
Scenario 2: nginx and apache are installed on the same server.
Step 1. Change the Apache default port from 80 to, for example, 8080.
Step 2. Install the "rpaf" Apache module. This is needed only to pass the real visitor IP to Apache.
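(Not necessary, especially on CentOS 7, where the remoteip module may be enough. Check with these commands: httpd -M | grep rpaf httpd -M | grep remoteip If at least one of these two commands prints a module, you do not need to install anything. Whichever module is used, configure it to accept the forwarded address only from the nginx proxy, because the header is otherwise client-controlled.)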
Step 3. Update the nginx "server" config part (or virtualhost file) to something like this:
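# Plain-HTTP front end for an Apache instance on the same host.
server {
    listen 80;
    server_name example.com;

    location / {
        # Apache was moved to port 8080 in Step 1. It should listen on the
        # loopback address only, so that it cannot be reached without nginx.
        proxy_pass http://localhost:8080;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;

        proxy_set_header Host $host:$server_port;
        # Appends the connecting address to any X-Forwarded-For the client
        # sent; only the last entry is written by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This server block is not TLS, so the backend must not be told the
        # request arrived over SSL. An empty value makes nginx drop the header,
        # including one supplied by the client.
        proxy_set_header X-Forwarded-Ssl "";
        proxy_set_header X-Forwarded-Proto $scheme;
        # Overwrites any client-sent X-Real-IP with the connecting address.
        proxy_set_header X-Real-IP $remote_addr;
        # NOTE(review): Set-Cookie is not among the response headers nginx
        # hides by default, so this line is likely redundant; kept as written.
        proxy_pass_header Set-Cookie;
    }
}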
You may add per-IP limit directives; this may help to mitigate simple DDoS attacks. Add the following lines to /etc/nginx/conf.d/default.conf:
#
# The default server
#
# "/../" below marks configuration omitted from this excerpt; it is not
# literal nginx syntax.
/../
# Connection-count zones of 10 MB each: "perip" is keyed by the client address,
# "perserver" by the server name.
# NOTE(review): clients behind one NAT or upstream proxy share a single
# "perip" key, and these limits cap concurrent connections, not request rate
# (limit_req covers that).
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;

server {
    #
    /../
    #
    ## send request back to apache1 ##
    location / {
        /../
        # At most 20 concurrent connections per client address and 1000 per
        # virtual server.
        limit_conn perip 20;
        limit_conn perserver 1000;
    }
}
Scenario 2.se: with SSL: nginx and apache are installed on the same server.
The steps are the same as in Scenario 2, except the last one:
Step 3. Update nginx working server part or virtualhost to something like this:
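# Port 80: redirect every request to the HTTPS site.
server {
    listen 80;
    # Names are separated by spaces; a comma would become part of the first name
    # and that name would never match.
    server_name sub.domain.com www.sub.domain.com;
    # Fixed target host, so the redirect does not depend on the client's Host header.
    return 301 https://sub.domain.com$request_uri;
}

# Port 443: terminate TLS and proxy to Apache on the same host.
server {
    # "ssl" on the listen directive replaces the separate "ssl on;" directive,
    # which is deprecated and rejected by current nginx releases.
    listen 443 ssl;
    server_name sub.domain.com;

    ssl_certificate /path/to/server.crt;
    # The private key file should be readable by root only.
    ssl_certificate_key /path/to/server.key;
    # NOTE(review): no ssl_protocols / ssl_ciphers are set, so the build's
    # defaults apply; restrict them to current TLS versions where supported.

    location / {
        # The hop to Apache is plain HTTP over loopback; Apache should listen on
        # the loopback address only.
        proxy_pass http://localhost:8080;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;

        proxy_set_header Host $host:$server_port;
        # Appends the connecting address to any X-Forwarded-For the client
        # sent; only the last entry is written by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Both headers are set here, so client-sent values are overwritten.
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        # NOTE(review): Set-Cookie is not among the response headers nginx
        # hides by default, so this line is likely redundant; kept as written.
        proxy_pass_header Set-Cookie;
    }
}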