I have configured Nginx (frontend) + LAMP, multiple domains (virtual hosts).
Nginx listen on 80 port, Apache on 8080
this is my config for Nginx
server {
listen 80 default_server;
server_name _;
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 1000m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 10m;
}
location ~ ^/phpMyAdmin/(.*\.(js|css|gif|jpg|png))$ {
alias /usr/share/phpMyAdmin/$1;
}
location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|flv|rtf|js|swf|iso)$ {
root /var/www/html;
}
}
server {
listen 80;
server_name example.com www.example.com;
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 1000m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 10m;
}
location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|flv|rtf|js|swf|iso)$ {
root /var/www/example.com;
}
}
and this my conf Apache
Listen 8080
ServerName localhost
NameVirtualHost *:8080
<VirtualHost _default_:8080>
Options -Indexes
DocumentRoot /var/www/html
Alias /phpMyAdmin /usr/share/phpMyAdmin
</VirtualHost>
<VirtualHost *:8080>
DocumentRoot /var/www/example.com/
ServerName www.example.com
ServerAlias example.com
</VirtualHost>
How to deny access from example.com:8080 ?
example.com - nginx (frontend)
example.com:8080 - apache
and what do you think my mistakes in the config? Thank you in advance!
Either :
Listen on 127.0.0.1:8080 instead of *:8080
Or
Use firewalld on CentOS 7 or iptables on CentOS < 7 (except if you put iptables back on CentOS 7 of course).
Related
I have 2 nodejs applications running in my EC2 instance at PORT 3000 and 1337. What I want to achieve is
admin.mydomain.com
should be redirected to the application running on PORT 1337 and
mydomain.com www.mydomain.com
should be redirected to the application running on PORT 3000.
With my current nginx configuration I am getting a 502
map $subdomain $subdomain_port {
default 3000;
www 3000;
admin 1337;
}
server {
listen 80;
listen [::]:80;
server_name _;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name ~^(?P<subdomain>.+?)\.historydiaries\.com$;
location / {
proxy_pass http://localhost:$subdomain_port;
proxy_redirect off;
}
ssl_certificate /etc/letsencrypt/live/historydiaries.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/historydiaries.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 1h;
add_header Strict-Transport-Security “max-age=15768000” always;
}
You can achieve this using two different nginx conf
I will go with separate Nginx vhost configuration.
One for www.mydomain.com and another one for admin.mydomain.com
server {
listen 80;
server_name www.mydomain.com;
access_log /var/log/nginx/mydomain_access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:3000/;
proxy_redirect off;
}
}
and
server {
listen 80;
server_name admin.mydomain.com;
access_log /var/log/nginx/admin.mydomain_access.log;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://localhost:1337/;
proxy_redirect off;
}
}
This just simple vhost configuration. You can add Let's Encrypt later when you need.
I have 2 web servers plus the nginx server as a reverse proxy. call them web1 web2 and nginx1.
web1 10.0.0.110 with abc.com, def.com
web2 10.0.0.120 with hij.com, klm.com
nginx1 10.0.0.125
Im trying to have 2 webservers behind 1 external IP
I have nothing in /etc/nginx/conf.d/
I have created conf files for each site in sites-available and linked them with symlinks to sites-enabled.
example file.
server {
listen 80;
server_name *.abc.com;
access_log off;
error_log off;
location / {
proxy_pass http://10.0.0.110/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
The problem is its not working correctly, it seems to want to direct all the sites to either server, it seems to be dependent on the last conf file I edit.
What am I doing wrong?
You'll need to provide a server directive per backend webserver. Here's an example of what should work for you (replacing the ellipsis with your additions):
server {
server_name abc.com def.com;
...
location / {
proxy_pass http://10.0.0.110/;
...
}
}
server {
server_name hij.com klm.com;
...
location / {
proxy_pass http://10.0.0.120/;
...
}
}
I believe i have it sorted, i needed to have the IP set
listen 10.0.0.125:80
And set the domain name correctly *.abc.com doesn't include abc.com, it only included all the subdomains.
so I changed it to
server_name .abc.com;
Just making one of these changes didn't solve my problem.
internet -> nginx -> apache-2.4
Remote_Addr prints 127.1.1.0 instead of client ip. I have apache behaind nginx with the following settings:
nginx.conf:
location / {
try_files $uri #apache;
}
location #apache {
internal;
proxy_pass http://127.0.0.1:8080;
include proxy.conf;
}
location ~ .*\.(php|php5)?$ {
proxy_pass http://127.0.0.1:8080;
include proxy.conf;
}
proxy.conf:
proxy_connect_timeout 300s;
proxy_send_timeout 900;
proxy_read_timeout 900;
proxy_buffer_size 32k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_redirect off;
proxy_hide_header Vary;
proxy_set_header Accept-Encoding '';
proxy_set_header Referer $http_referer;
proxy_set_header Cookie $http_cookie;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
httpd.conf:
Listen 127.0.0.1:8080
Include conf/extra/httpd-remoteip.conf
httpd-remoteip.conf:
LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
sed -i "s#LogFormat \"%h %l#LogFormat \"%h %a %l#" /usr/local/apache/conf/httpd.conf
I've followed a couple of examples for Django + nginx + wsgi + ssl, but I can't get them to work. I simply get an error in my browser than I can't connect.
I'm running two websites off the host. The config files are identical except for the ip addresses, server names, and directories.
When neither use SSL, they work fine. When I try to listen on 443 with one of them, I can't connect to either.
My config files are below, and any suggestions would be appreciated.
server{
listen xxx.xxx.xxx.xxx:80;
server_name sub.domain.com;
access_log /home/django/logs/nginx_customerdb_http_access.log;
error_log /home/django/logs/nginx_customerdb_http_error.log;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
}
location /site_media/ {
alias /home/django/customerdb_site_media/;
}
location /admin-media/ {
alias /home/django/django_admin_media/;
}
}
server{
listen xxx.xxx.xxx.xxx:443;
server_name sub.domain.com;
access_log /home/django/logs/nginx_customerdb_http_access.log;
error_log /home/django/logs/nginx_customerdb_http_error.log;
ssl on;
ssl_certificate sub.domain.com.crt;
ssl_certificate_key sub.domain.com.key;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol https;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
}
location /site_media/ {
alias /home/django/customerdb_site_media/;
}
location /admin-media/ {
alias /home/django/django_admin_media/;
}
}
<VirtualHost *:8080>
ServerName xxx.xxx.xxx.xxx
ServerAlias xxx.xxx.xxx.xxx
LogLevel warn
ErrorLog /home/django/logs/apache_customerdb_error.log
CustomLog /home/django/logs/apache_customerdb_access.log combined
WSGIScriptAlias / /home/django/customerdb/apache/django.wsgi
WSGIDaemonProcess customerdb_wsgi processes=4 threads=5
WSGIProcessGroup customerdb_wsgi
SetEnvIf X-Forwarded-Protocol "^https$" HTTPS=on
</VirtualHost>
UDPATE: the existence of two sites (on separate IPs) on the host is the issue. if i delete the other site, the setting above mostly work. doing so also brings up another issue: chrome doesn't accept the site as secure saying that some content is not encrypted.
[This should actually be a comment ...]
You should also set
proxy_set_header X-Forwarded-Protocol $scheme
To indicate to Django when connections are secure, otherwise your https links will get redirected to http, which is bad.
This will set http when it actually is http, and https when it's https.
I changed the server that listens on 80 to rewrite to https removed all the other directives.
I've just set up nginx to serve static request on one site, but I have lots of sites on my server and I wonder, should I right new nginx server configuration for all of them?
What I'm doing now. I have file with all virtual hosts entries for Apache with some-thing like this:
NameVirtualHost *:8080
<VirtualHost *:8080>
ServerName sky2high.net
DocumentRoot /home/mainsiter/data/www/sky2high.net
</VirtualHost>
<VirtualHost *:8080>
ServerName surdo.asmon.ru
DocumentRoot /home/surdo/data/www/surdo.asmon.ru
</VirtualHost>
<VirtualHost *:8080>
ServerName surdoserver.ru
DocumentRoot /home/surdo/data/www/surdoserver.ru
</VirtualHost>
I have this in apache's ports.conf:
Listen 8080
And so I've set up nginx to work with one site (sky2high.net), created next configure file (/etc/nginx/sites-enabled/sky2high.net):
server {
listen 80;
server_name sky2high.net www.sky2high.net;
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
access_log /var/log/nginx.access_log;
location ~* \.(jpg|jpeg|gif|png|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|xml|docx|xlsx)$ {
root /home/mainsiter/data/www/sky2high.net/;
index index.php;
access_log off;
expires 30d;
}
location ~ /\.ht {
deny all;
}
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $remote_addr;
proxy_set_header Host $host;
proxy_connect_timeout 60;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_redirect off;
proxy_set_header Connection close;
proxy_pass_header Content-Type;
proxy_pass_header Content-Disposition;
proxy_pass_header Content-Length;
}
}
And it works fine for this domain, but of course another virtual hosts are broken.
So, the question is: is there ultimate config option for nginx, witch can help to handle all request, from all virtual hosts (domains) and serve them in the right way? I mean, option that allows not to write separete configure files for each virtual hosts (with all this doubled stuff like root and index options), but only one for all virtual hosts?
PS: should I move question to serverfault?
UPDATE:
Emm.. I wonder how is it works, but it is. I've made next config files:
/etc/nginx/nginx.conf
user www-data;
worker_processes 2;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
tcp_nodelay on;
gzip on;
gzip_min_length 1000;
gzip_proxied any;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
and
/etc/nginx/sites-enabled/default
server {
listen 80;
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection close;
proxy_pass_header Content-Type;
proxy_pass_header Content-Disposition;
proxy_pass_header Content-Length;
}
}
I do not understand how is it works, but it is...
UPDATE 2: or it doesn't work! I've looked to "top" in console and metioned that apache serves not only php request, but for static content either =(
What you do now is sending all the network traffic to 127.0.0.1:8080 without allowing Nginx to serve the static files.
What you should try is the following:
server {
listen 80;
server_name sky2high.net www.sky2high.net;
location / {
proxy_pass http://127.0.0.1:8080;
include /etc/nginx/conf.d/proxy.conf;
}
location ~* ^.+\.(jpg|jpeg|gif|png|ico|tgz|gz|pdf|rar|bz2|exe|ppt|txt|tar|mid|midi|wav|bmp|rtf) {
root /folder/to/static/files;
expires 90d;
}
location ~* ^.+\.(css|js)$ {
root /folder/to/static/files;
expires 30d;
}
And in proxy.conf you put the following:
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 8m;
client_body_buffer_size 256k;
proxy_connect_timeout 60;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 4k;
proxy_buffers 32 256k;
proxy_busy_buffers_size 512k;
proxy_temp_file_write_size 256k;
This should work for you
Just my two cents, in most cases it's not necessary to specify the listen 80.
Source: Nginx common Pitfalls