Simplified reverse proxying for the web: nginx + zlib + pcre + ssl

Nginx, pronounced "Engine X", is one of the popular web servers in use today, powering at least 6% of web servers around the globe. Features like Server Name Indication (SNI) allow users to host multiple SSL websites on a single IP, which minimizes hosting costs as well as the cost of extra network cards and IP addresses. It handles user requests within one event-driven process rather than spawning a new thread for each request, which suits database-intensive applications or web applications that host, upload or download many files. Engine X can also be configured to work as a reverse proxy for an existing network server, using its powerful built-in configuration language, which supports conditional logic for advanced configuration directives.

A GeoIP (IP-to-location) service configured with Nginx increases server security by blocking traffic by zone and hiding server information from the outside world. The network behind it keeps running with the main server not exposed to malicious spam or denial-of-service (DoS) attacks. The SNI and GeoIP modules need the PCRE and zlib libraries installed.

Perl Compatible Regular Expression (PCRE)

PCRE is the library needed for compiling Engine X on a Linux server. It provides functions for regular expression pattern matching. PCRE has its own native API, as well as a set of wrapper functions that correspond to the POSIX regular expression API.

To install pcre and pcre-devel you can use an HTTP mirror at sourceforge.net, or install the development package:

sudo apt-get install libpcre3-dev

Alternatively, check it out via Subversion (Subversion must be installed on your system):

svn co svn://vcs.exim.org/pcre/code/trunk pcre

Nginx also needs the compression algorithms provided by zlib. Current zlib packages have undergone version fixes and portability improvements. Install zlib from the terminal:

sudo apt-get install zlib1g-dev

Install the complete SSL development package:

sudo apt-get install libssl-dev

The compilation will also need the GeoIP module, which acts as the IP-to-location database nginx uses to classify incoming requests by country; get the tarball from the source site.

cd /usr/local/src
wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
tar zxf GeoIP.tar.gz

cd GeoIP-1.4.8
./configure --prefix=/usr/local/geoip

make
make install

Nginx needs to know the location of the installed libraries. The ldconfig command creates the links for the most recently installed shared libraries and caches them alongside the trusted Linux library directories (/lib and /usr/lib).

Use vi to edit ld.so.conf:

vim /etc/ld.so.conf

Add to the top of the file the line:

/usr/local/geoip/lib/

Run ldconfig command to permanently cache the library:

ldconfig

Then download nginx:

wget http://nginx.org/download/nginx-1.3.7.tar.gz

tar -zxf nginx-1.3.7.tar.gz

Configure nginx with the SSL (SNI), GeoIP and Real-IP modules enabled. The GeoIP include and library paths below match the --prefix=/usr/local/geoip used when GeoIP was built:

cd /usr/local/src/nginx-1.3.7
./configure \
  --user=nginx \
  --group=nginx \
  --with-http_ssl_module \
  --with-http_realip_module \
  --with-openssl="/usr/local/src/openssl-1.0.0i/" \
  --with-openssl-opt="enable-tlsext" \
  --with-http_secure_link_module \
  --with-http_random_index_module \
  --with-http_geoip_module \
  --with-cc-opt="-I/usr/local/geoip/include" \
  --with-ld-opt="-Wl,-R,/usr/local/geoip/lib -L/usr/local/geoip/lib"

Then finally build and install the server using the following commands:

make
make install

Then configure the nginx.conf file after successful installation.

# Sets worker processes across CPUs (4 processors each w/ 4 cores totaling 16 cores)
# Usually 2 processes per core will suffice, as most operating systems at this time only utilize 2 cores per processor.
worker_processes  8;

pid /usr/local/nginx/logs/nginxlocal.pid;

# The events module defines network-related directives, many of which are for performance
events {
    # Number of connections per worker process. 1024 represents 1 core; 4096
    # takes advantage of up to 4 cores. The simultaneous connections served
    # could then be as high as 16,384.
    worker_connections  4096;

    # epoll lets each worker multiplex many connections instead of spawning a thread per request.
    use epoll;
}

# http block. Only one block allowed per conf file
http {

    # Uses the IP-to-location database downloaded from MaxMind.
    # The map below marks only traffic from the US as allowed.
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    map $geoip_country_code $allowed_country {
        default no;
        US      yes;
    }

    # Global to all server blocks
    #==========================================================================

    # Set log paths
    #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    error_log   /usr/local/nginx/logs/errorlocal.log;
    access_log  /usr/local/nginx/logs/accesslocal.log;

    # Set data/file types
    #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    # Set proxy specifics and set variables (i.e., remote IP address)
    #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    proxy_redirect     off;

    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_max_temp_file_size 0;

    client_max_body_size       10m;
    client_body_buffer_size    128k;

    proxy_connect_timeout      90;
    proxy_send_timeout         90;
    proxy_read_timeout         90;

    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;

    # Set SSL specifics
    #^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ssl_session_timeout  5m;

    ssl_protocols  TLSv1; # required by SNI, which is a TLS extension (SSLv3 is left out)
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    ssl                  on;

    # HTTPS server test.yourdomain.org, proxied to port 8080
    #------------------------------------------------------------
    server {

        listen       10.1.10.136:443 ssl;
        server_name  test.yourdomain.org;

        # Set up your cert paths
        ssl_certificate_key  /etc/httpd/ssl/apache/star_example_com.key;
        ssl_certificate      /etc/httpd/ssl/apache/star_example_com.crt;

        # Prevent any access other than to the path specified below
        location / {
            deny all;
        }

        location /testing {
            # Reject anything the GeoIP map did not classify as allowed
            if ($allowed_country = no) {
                return 403;
            }
            proxy_pass   https://127.0.0.1:8080;
        }

    }

    # HTTPS server test2.yourdomain.org, proxied to port 8447
    #------------------------------------------------------------
    server {
        listen       10.1.10.136:443 ssl;
        server_name  test2.yourdomain.org;

        ssl_certificate      /etc/httpd/ssl/apache/star_example_com.crt;
        ssl_certificate_key  /etc/httpd/ssl/apache/star_example_com.key;

        location / {
            deny all;
        }

        location /testing {
            if ($allowed_country = no) {
                return 403;
            }
            proxy_pass   https://127.0.0.1:8447;
        }

    }
}

Note: you can use the above file as is; it has been tested to work.

To alternate between production and test configurations, use the -c option, which tells Engine X which configuration file to use when launching:

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

To reload Engine X, use this command:

nginx -s reload
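A post-install check for the build and the configuration above, added here as an example and not part of the original post. It assumes nginx was installed under /usr/local/nginx as described, that the listen address and server names are those in the config, and that openssl and curl are available; check_modules only inspects text, while the live checks run with `sh check.sh run` against the started server.

```shell
#!/bin/sh
# Post-install check for the nginx build and the SNI/GeoIP proxy config above.
# Added example, not from the original post. Assumes nginx was installed to
# /usr/local/nginx as in the article and that openssl and curl are available.
NGINX=${NGINX:-/usr/local/nginx/sbin/nginx}
CONF=${CONF:-/usr/local/nginx/conf/nginx.conf}
LISTEN_IP=10.1.10.136   # listen address used by both server blocks above

# Configure flags the article's build enables; "nginx -V" echoes them back.
REQUIRED="--with-http_ssl_module --with-http_realip_module --with-http_geoip_module"

# Return 0 when every required flag appears in the given "nginx -V" text,
# otherwise print the missing flags (also left in $missing) and return 1.
check_modules() {
    missing=""
    for flag in $REQUIRED; do
        case " $1 " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "missing configure flags:$missing"
    return 1
}

# Live check for one virtual host: SNI must hand out a certificate for the
# name, "/" must be denied (403) and the status of "/testing/" is reported.
check_vhost() {
    name=$1
    echo | openssl s_client -connect "$LISTEN_IP:443" -servername "$name" 2>/dev/null \
        | openssl x509 -noout -subject || return 1
    root=$(curl -sk -o /dev/null -w '%{http_code}' --resolve "$name:443:$LISTEN_IP" "https://$name/")
    testing=$(curl -sk -o /dev/null -w '%{http_code}' --resolve "$name:443:$LISTEN_IP" "https://$name/testing/")
    echo "$name: / -> $root, /testing/ -> $testing"
    [ "$root" = 403 ]
}

# The live checks need a running server, so they only run as "sh check.sh run".
if [ "${1:-}" = "run" ]; then
    check_modules "$("$NGINX" -V 2>&1)" || exit 1
    "$NGINX" -t -c "$CONF" || exit 1
    for n in test.yourdomain.org test2.yourdomain.org; do
        check_vhost "$n" || exit 1
    done
fi
```

A /testing/ status of 200 means the request came from an allowed country and reached the backend; 403 means the GeoIP map rejected it.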
