Socket RPC with Tornado in an established Apache/PHP environment - apache

We've got an establish Apache/PHP site, with a Flash front-end. We're going to start to need to implement some sort of socket communication, or 'long-polling', to push updates to the flash app. Since this obviously isn't going to be a good situation for Apache, or PHP, I'd like to use Tornado for this aspect of the functionality, but I also don't want to run Tornado on another port, since the Flash app will be running on the client machine, we don't want to have to deal with restrictive firewalls blocking the socket connections.
Ideally I'd like to run a proxy which can forward most requests to Apache, and other requests to Tornado. I saw some suggestions for using Apache as the first-contact proxy, forward requests to Tornado when necessary, but I've also seen this discounts a lot of the async capabilities of Tornado.
I thought, why no use Tornado as the first-contact for port 80 and have it proxy back to Apache? I couldn't find anything on this at all and am wondering if this is even possible?
Another option would be to use something like lighttpd as the proxy and have it decide whether to pass things along to Apache or to Tornado, but does this kind of setup make sense? Or what about Nginx?
Any suggestions, advice or corrections on my understanding of things would be greatly appreciated!

This is called a reverse proxy and it's very easy to configure nginx to perform this. (lighttpd should also be able to do this job well, but I have no experience using it).
The tornado documentation has an example nginx configuration
One thing to note when using a reverse proxy is that the connection to your upstream server will now be originating from the proxy, not the client. The de facto standard is to put information about the original request in certain http headers. In the example from the tornado docs, the X-Real-IP header is set to the IP of the original client and X-Scheme is set to the scheme of the original request (http/https for example).
This may require some modifications to your upstream server. With tornado this is done by constructing the HTTPServer with the xheaders argument set to True. This will instruct the server to try and pull the IP address and scheme from the X-headers. Note that if you use this with a server that isn't behind a reverse proxy that sets the appropriate headers than you are open to IP Address spoofing.

Related

Apache forward Websocket to Golang

The most part of my website is delivered with PHP and Apache,
which works just fine.
However I want to use Websocket for a page (or multiple pages).
For the Websocket communication I want to use golang.
To not let the clients run into any firewall problems Websocket should use the normal webport.
(443 that is in this case - for the SSL version of Websocket).
Because Apache is already listening on that port, I need it to forward Websocket requests (or requests to a specific URL) to my golang program.
(A single golang program must listen to all incoming websocket connections, to allow for easy communication between them.)
Is there a way to achieve that?
one of the web servers must proxy for the other. So you need to either configure Apache to proxy requests to your Golang program, or incorporate a reverse proxy into your golang program to deal with the Apache content.
It's probably easier to configure Apache as a proxy than include the reverse proxy into your Golang code, but there is a standard lib for it: http://golang.org/pkg/net/http/httputil/

How do I correctly proxy https traffic?

I'm trying to set up a proxy server that can handle both http and https traffic without prompting the browser about certificates (just like tunlr.net).
So far I've tried to use Squid and Nginx.
While handling regular http traffic is a walk in the park, https is proving very difficult.
Can anybody point me in the right direction?
I think you should use a socks proxy not an http proxy, just like doing ssh tunnels, I used one on my vps, a package called dante the set up is kinda tricky but it really does the trick.
The package is available by default in ubuntu's repositories, and I assume probably other distros too.
Search on google on how to configure dante, and make sure you don't use a standard port, and even better use authentication to use the proxy, you don't want random people using your server as their proxy.
I just figured it out, turns out you don't need to set the https_port directive, only the http_port.

Accessing socket.io server via Apache served pages

I hope this doesn't come across as a terribly silly question, but I'm learning how to implement a socket.io server for my website to produce real-time applications, but my problem is that I can't figure out how to implement said applications in an Apache served environment. Currently, when I run node server.js to start my socket.io server, I have to access it by visiting http://localhost:XXXX where XXXX is whatever port I attach it to, naturally. I don't want my website to be forced to be viewed on an alternate port like this, but I obviously can't attach the server to port 80 since Apache is listening on that.
Obviously a natural solution would be to stop the Apache service and then node the server on port 80 that way to avoid a collision, but I don't want to sacrifice all of the functionality that Apache offers. Basically, I want to continue to serve my website via Apache on port 80, and integrate certain aspects of real-time applications via socket.io on port 3000, let's say.
Is there a way to do this that avoid the things I don't want? Those things being 1) having users access my site with :3000 in the URL, 2) disabling Apache, 3) using iframes.
Thanks in advance.
Generally, you should be able to hide Node.js with mod_proxy. A bit of searching turned up this: https://github.com/sindresorhus/guides/blob/master/run-node-server-alongside-apache.md (old link died, this is a new one)
However, Socket.io can be a bit finicky (https://github.com/LearnBoost/socket.io/issues/25), so you may have problems with it specifically.
As that ticket is a bit old, it's worth a shot. Just don't be surprised if you have problems. You're next bet after that is bind Node.js toport 80 and have it act as a reverse proxy for Apache with https://github.com/nodejitsu/node-http-proxy (still under a fair bit of development).
The optimal solution would be run it on it's own server and just have you're socket traffic go to socket.example.com or something like that.
Socket.io has multiple transport mechanisms. Some of them don't work if you run Apache as reverse proxy, but some do. Transports that don't work are websocket and flash, but xhr-polling and jsonp-polling should work.
Here's an example on setting the transports configuration option for socket.io:
var io = require("socket.io").listen(server);
io.set("transports", ["xhr-polling", "jsonp-polling"]);
On my Apache I'm using the normal name based virtual hosts and reverse proxy setup and with these transports the socket.io seems to be working.

disable request buffering in nginx

It seems that nginx buffers requests before passing it to the updstream server,while it is OK for most cases for me it is very bad :)
My case is like this:
I have nginx as a frontend server to proxy 3 different servers:
apache with a typical php app
shaveet(a open source comet server) built by me with python and gevent
a file upload server built again with gevent that proxies the uploads to rackspace cloudfiles
while accepting the upload from the client.
#3 is the problem, right now what I have is that nginx buffers all the request and then sends that to the file upload server which in turn sends it to cloudfiles instead of sending each chunk as it gets it (those making the upload faster as i can push 6-7MB/s to cloudfiles).
The reason I use nginx is to have 3 different domains with one IP if I can't do that I will have to move the fileupload server to another machine.
As soon as this [1] feature is implemented, Nginx is able to act as reverse proxy without buffering for uploads (bug client requests).
It should land in 1.7 which is the current mainline.
[1] http://trac.nginx.org/nginx/ticket/251
Update
This feature is available since 1.7.11 via the flag
proxy_request_buffering on | off;
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering
According to Gunicorn, they suggest you use nginx to actually buffer clients and prevent slowloris attacks. So this buffering is likely a good thing. However, I do see an option further down on that link I provided where it talks about removing the proxy buffer, it's not clear if this is within nginx or not, but it looks as though it is. Of course this is under the assumption you have Gunicorn running, which you do not. Perhaps it's still useful to you.
EDIT: I did some research and that buffer disable in nginx is for outbound, long-polling data. Nginx states on their wiki site that inbound requests have to be buffered before being sent upstream.
"Note that when using the HTTP Proxy Module (or even when using FastCGI), the entire client request will be buffered in nginx before being passed on to the backend proxied servers. As a result, upload progress meters will not function correctly if they work by measuring the data received by the backend servers."
Now available in nginx since version nginx-1.7.11.
See documentation
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering
To disable buffering the upload specify
proxy_request_buffering off;
I'd look into haproxy to fulfill this need.

How to put up an off-the-shelf https to http gateway?

I have an HTTP server which is in our internal network and accessible only from inside it. I would like to put another server that would listen to an HTTPS port accessible from outside, and forward the requests to that HTTP server (and send back the responses via HTTPS). I know that there are several ways to do this with some programming involved (and I myself made a temporary solution with Tomcat and a very simple servlet I wrote), but is there a way to do the same just plugging parts already made (like Apache + modules)?
This is the sort of use-case that stunnel is designed for. There is a specific example of using stunnel to wrap an HTTP server.
You should consider whether this is really a good idea, though. Web applications designed for use inside a corporate firewall are often fairly lax about security. Merely encrypting the connections prevents casual eavesdropping, but does not secure the site. If an attacker finds your outward facing server and starts connecting to it, they can still try to find exploitable flaws in the web service (SQL injection, cross-site scripting, etc).
With Apache look into mod_proxy.
Apache 2.2 mod_proxy docs
Apache 2.0 mod_proxy docs