Nginx is an open source Web server and a reverse proxy server. You can use nginx for a load balancing and/or as a proxy solution to run services from inside those machines through your host's single public IP address such as 202.54.1.1. In this post, I will explain how to install nginx as reverse proxy server for Apache+php5 domain called www.example.com and Lighttpd static asset domain called static.example.com. You need to type the following commands on vm00having an IP address 192.168.1.1 only.
DNS Setup
Make sure both www.example.com and static.example.com point to public IP address 202.54.1.1.
Install nginx server
Type the following command to install nginx web server:$ cd /tmp
$ wget http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm
# rpm -iv nginx-release-rhel-6-0.el6.ngx.noarch.rpm
# yum install nginx
Sample outputs:
Loaded plugins: rhnplugin Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package nginx.x86_64 0:1.2.1-1.el6.ngx will be installed --> Finished Dependency Resolution Dependencies Resolved ========================================================================= Package Arch Version Repository Size ========================================================================= Installing: nginx x86_64 1.2.1-1.el6.ngx nginx 331 k Transaction Summary ========================================================================= Install 1 Package(s) Total download size: 331 k Installed size: 730 k Is this ok [y/N]: y Downloading Packages: nginx-1.2.1-1.el6.ngx.x86_64.rpm | 331 kB 00:00 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Warning: RPMDB altered outside of yum. Installing : nginx-1.2.1-1.el6.ngx.x86_64 1/1 ---------------------------------------------------------------------- Thanks for using NGINX! Check out our community web site: * http://nginx.org/en/support.html If you have questions about commercial support for NGINX please visit: * http://www.nginx.com/support.html ---------------------------------------------------------------------- Verifying : nginx-1.2.1-1.el6.ngx.x86_64 1/1 Installed: nginx.x86_64 0:1.2.1-1.el6.ngx Complete!
Configure the nginx web server as reverse proxy
Edit /etc/nginx/conf.d/default.conf, enter:# vi /etc/nginx/conf.d/default.conf
Add/correct as follows:
## Basic reverse proxy server ## ## Apache (vm02) backend for www.example.com ## upstream apachephp { server 192.168.1.11:80; #Apache1 } ## Lighttpd (vm01) backend for static.example.com ## upstream lighttpd { server 192.168.1.10:80; #Lighttpd1 } ## Start www.example.com ## server { listen 202.54.1.1:80; server_name www.example.com; access_log /var/log/nginx/log/www.example.access.log main; error_log /var/log/nginx/log/www.example.error.log; root /usr/share/nginx/html; index index.html index.htm; ## send request back to apache1 ## location / { proxy_pass http://apachephp; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect off; proxy_buffering off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } ## End www.example.com ## ## START static.example.com ## server { listen 202.54.1.1:80; server_name static.example.com; access_log /var/log/nginx/log/static.example.com.access.log main; error_log /var/log/nginx/log/static.example.com.error.log; root /usr/local/nginx/html; index index.html; location / { proxy_pass http://lighttpd; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect off; proxy_buffering off; proxy_set_header Host static.example.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } ## END static.example.com ##
Turn on Nginx
Type the following commands:# chkconfig nginx on
# service nginx start
Configure firewall
Set firewall as follows:
- Drop all INPUT/OUTPUT chain traffic by default.
- Only open tcp port 202.54.1.1:80 and/or 443 on eth0 only.
- Set eth1 as trusted device so that communication take place between nginx reverse proxy and Apache/Lighttpd backend servers.
Run the following command to set and customize firewall as described above:# system-config-firewall-tui
You can edit /etc/sysconfig/iptables manually and set the firewall too. See our tutorial for more information.
/etc/sysctl.conf
Edit /etc/sysctl.conf as follows:
# Execshild kernel.exec-shield = 1 kernel.randomize_va_space = 1 # IPv4 settings net.ipv4.ip_forward = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Increase system file descriptor limit to fs.file-max = 50000 # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 # Ipv6 net.ipv6.conf.default.router_solicitations = 0 net.ipv6.conf.default.accept_ra_rtr_pref = 0 net.ipv6.conf.default.accept_ra_pinfo = 0 net.ipv6.conf.default.accept_ra_defrtr = 0 net.ipv6.conf.default.autoconf = 0 net.ipv6.conf.default.dad_transmits = 0 net.ipv6.conf.default.max_addresses = 1
Load new Linux kernel settings, run:# sysctl -p
See Linux Kernel /etc/sysctl.conf Security Hardening faq for detailed explanation of above directives.
Securing Nginx web server
See our previous blog post, "Top 20 Nginx WebServer Best Security Practices" for more information. Also, for more information on nginx, reverse proxy and ssl configuration see our previous tutorials: Source: http://www.cyberciti.biz/tips/using-nginx-as-reverse-proxy.html
