Side Channel


nginx


nginx https proxypass for php apps

angch — Tue, 09/02/2010 - 17:01

For various reasons (performance + clustering + slowloris protection), putting nginx in front of your apache+php application is a Good Thing. In addition to http, we usually let nginx front https for apache as well, which simplifies your load-balanced php apps.

Some additional benefits of doing this:

  • This also enables you to serve multiple domains off a single IP (aka Name-Based Virtual Hosts over https), something that Apache doesn't do very well. Your browser may complain loudly about mismatched https certs, though.
  • HTTP referer hiding. If you have an internal custom site with less security, say http://private.home/ behind a firewall, you don't have to worry about users from the Internet accessing it, but when a user follows a link from http://private.home/ to, say, http://www.bytecraft.com.my/, the browser will still leak the internal URL to the webmaster of the external site. Convert the internal site to https://private.home/ and the referer is no longer sent on such links.

One downside is that the PHP app must realize that it is separated from the actual browser by the proxy, so the traditional ways of checking the remote IP and whether a connection is https ($_SERVER['REMOTE_ADDR'] and $_SERVER['HTTPS']) no longer work.

To fix this, there are two parts we must change: get nginx to send additional headers, and get the PHP app to recognize the alternate headers.


1. nginx config

In both the http and https sections:

location / {
    proxy_pass http://10.0.0.1:80/; # Replace with your apache ip/port
    proxy_set_header Host $http_host;
    # Appends the address nginx saw to any X-Forwarded-For the client sent
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # "http" or "https"; PHP sees this header as $_SERVER['HTTP_SCHEME']
    proxy_set_header Scheme $scheme;
}

X-Forwarded-For and Scheme are the important ones here.


2. PHP

Highly dependent on your PHP app, but in general, search for $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTPS'].

Example snippet to force https connection (say, for the login page):

// The "Scheme" header set by nginx arrives in PHP as $_SERVER['HTTP_SCHEME']
if (isset($_SERVER['HTTP_SCHEME']) && $_SERVER['HTTP_SCHEME'] == 'http') {
    header('Location: https://'.$_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}
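The two lookups mentioned above ($_SERVER['REMOTE_ADDR'] and $_SERVER['HTTPS']) can be replaced with helpers that read the forwarded headers only when the request really came from nginx. This is an added example, not code from the original post; TRUSTED_PROXIES, the function names and the proxy address 10.0.0.2 are assumptions.

```php
<?php
// Added example. TRUSTED_PROXIES and the function names are hypothetical;
// 10.0.0.2 is an assumed address for the nginx box.
const TRUSTED_PROXIES = ['10.0.0.2'];

function from_trusted_proxy(array $server): bool
{
    return in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
}

// nginx appends the address it saw to any X-Forwarded-For the client sent,
// so only the last entry was written by nginx; earlier ones are client data.
function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!from_trusted_proxy($server) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $last = end($hops);
    return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : $remote;
}

function is_https(array $server): bool
{
    if (from_trusted_proxy($server)) {
        return ($server['HTTP_SCHEME'] ?? '') === 'https';
    }
    // Direct connection to apache: fall back to the traditional check.
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

// Constructed sample requests (not real traffic).
$viaProxy = [
    'REMOTE_ADDR' => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.50, 203.0.113.7', // first entry came from the client
    'HTTP_SCHEME' => 'https',
];
$direct = [
    'REMOTE_ADDR' => '198.51.100.9',       // not nginx, so headers are ignored
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    'HTTP_SCHEME' => 'https',
];
foreach (['viaProxy' => $viaProxy, 'direct' => $direct] as $name => $req) {
    printf("%s: ip=%s https=%s\n", $name, client_ip($req), is_https($req) ? 'yes' : 'no');
}
```

In the app itself, pass $_SERVER to client_ip() and is_https() wherever REMOTE_ADDR or HTTPS was read before.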


nginx: turn off sendfile when serving content through nfs

angch — Tue, 08/09/2009 - 15:10

Protip: turn off sendfile in nginx if you're serving content via nfs.

You take a performance hit, but it's stabler overall.

Symptom: You use nfs, and nginx takes 100% CPU, nothing gets served, and dmesg or /var/log/messages contains:

... comm: nginx Not tainted...
... [do_sendfile....
... [sys_sendfile64+.....


Self Signed Cert, cheat sheet.

angch — Thu, 21/05/2009 - 13:01

No encrypting of server.key in the first place, so we have one less step. Commands:

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
cat server.crt server.key > $myserver.pem

Apache config:

SSLEngine on
SSLCertificateFile $myserver.pem
SSLCertificateKeyFile $myserver.pem

nginx config:

ssl on;
ssl_certificate $myserver.pem;
ssl_certificate_key $myserver.pem;


nginx "bug"

angch — Thu, 07/08/2008 - 00:29

http://www.ruby-forum.com/topic/152435

Encountered a weird bug: when an Ubuntu Hardy apache returns a 404 to nginx, nginx adds extra bytes to the content. The bug sounds exactly like the one described in the above link: both Apache and nginx added a "Transfer-encoding: chunked" to the content, effectively encoding it twice. Not sure if the fault lies within Apache2's HTTP/1.0 handling of chunked transfer encoding, or nginx, but Igor Sysoev (the creator of nginx) whipped up a quick patch to fix it. "Be liberal in what you accept, and conservative in what you send."


New site up.

angch — Wed, 06/08/2008 - 22:48

The redesigned official company site is up. Still lots of broken bits (IE 6 support broken, broken content, bad bandwidth optimization, content contains marketspeak and weaselwords). But anything's still better than the old site.

Odd nginx problems on 404 though: extra content gets added at the front and back.



Creative Commons License
