nginx

angch's picture

nginx https proxypass for php apps

For various reasons (performance + clustering + slowloris protection), putting nginx in front of your apache+php application is a Good Thing. In addition to http, we usually let nginx fronting https for apache, so to simplify your load balanced php apps.

Some additional benefits of doing this:

  • This also enables you to serve multiple domains off a single IP (aka Named Based Virtual Hosts over https), something that Apache doesn't do very well. Your browser may complain loudly about mismatched https certs, though
  • HTTP referer hiding. If you have an internal custom site with less security, say http://private.home/ behind a firewall, you don't have to worry about users from the Internet accessing it, but any links from http://private.home/ to, say, http://www.bytecraft.com.my/ your browser will still leak the internal URL to the webmaster of the external site. Convert the internal site to https://private.home/ and all referers are not sent.

One downside is that the PHP app must realize that it is separated from the actual browser from itself. So the traditional way for checking the remote IP and whether a connection is https or not would not work. ($_SERVER['REMOTE_ADDR'] & $_SERVER['HTTPS'])

To fix this, there are two parts we must changed: get nginx to send additional headers, and get the PHP app to recognize the alternate headers.


1. nginx config

both http and https sections:

location / {
    proxy_pass http://10.0.0.1:80/; # Replace with your apache ip/port
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Scheme $scheme;
}
X-Forwarded-For and Scheme are the important ones here.


2. PHP

Highly dependant on your PHP app, but in general, search for $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTPS'].

Example snippet to force https connection (say, for the login page):

if (isset($_SERVER['HTTP_SCHEME']) && $_SERVER['HTTP_SCHEME'] == 'http') {
    header('Location: https://'.$_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}

angch's picture

nginx: turn off sendfile when serving content through nfs

Protip: turn off sendfile in nginx if you're serving content via nfs.

You take a performance hit, but it's stabler overall.

Symptom: You use nfs, and nginx takes 100% CPU, nothing gets served, and dmesg or /var/log/messages contains:

... comm: nginx Not tainted...
... [do_sendfile....
... [sys_sendfile64+.....

angch's picture

Self Signed Cert, cheat sheet.

No encrypting ofs erver.key in the first place, so we have one less step. Commands:

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
cat server.crt server.key > $myserver.pem
Apache config:
SSLEngine on
SSLCertificateFile $myserver.pem
SSLCertificateKeyFile $myserver.pem
nginx config:
ssl  on;
ssl_certificate $myserver.pem;
ssl_certificate_key $myserver.pem;

angch's picture

nginx "bug"

http://www.ruby-forum.com/topic/152435

Encountered weird bug when an Ubuntu Hardy apache returns 404 to nginx, nginx will add extra bytes to the content. Bug sounds exactly like described in the above link -- both Apache and nginx added a "Transfer-encoding: chunked" to the content, effectively encoding it twice. Not sure if the fault lies within Apache2's HTTP/1.0 handling of chunked transfer encoding, or nginx, but Igor Sysoev (the creator of nginx) whipped up a quick patch to fix it. "Be liberal in what you accept, and conservative in what you send."

angch's picture

New site up.

The redesigned official company site is up. Still lots of broken bits (IE 6 support broken, broken content, bad bandwidth optimization, content contains marketspeak and weaselwords). But anything's still better than the old site.

Odd nginx problems when 404 though: extra content added at the front and back.

Syndicate content