jimski
Joined: 18 Jan 2014 Posts: 196 Location: USSA
|
gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
|
Posted: Sat 15 Feb '14 14:35 Post subject: |
|
|
We could test it with: http://www.webpagetest.org/
Test it without the proxy and with to see if there is an improvement to TTFB and such.
Regarding the configuration C0nw0nk posted in: http://www.apachelounge.com/viewtopic.php?p=26891#26891
I suppose we need to replace domain.com with our domain name?
Should we replace: c:/server/websites/ps/public_www with our apache htdocs?
How to do this when hosting multiple virtual hosts?
I suppose this code:
Code: | location ~ ^/(xampp|security|phpmyadmin|licenses|webalizer|server-status|server-info|cpanel|configuration\.php) {
    #deny all;
    return 404;
} |
Blocks access to any folder with the name xampp,security,etc?
Removing it would disable this block, correct?
How can we bind it to specific IPv4 and IPv6 addresses?
What happens to mod security and other security measures made in Apache when using Nginx as a cache proxy?
Would it still block bad agents?
I assume Nginx 1.5.10 for Windows was used? (nginx-1.5.10.zip) |
|
jimski
Joined: 18 Jan 2014 Posts: 196 Location: USSA
|
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
|
Posted: Sat 15 Feb '14 16:27 Post subject: |
|
|
Yes, it's security, but because nginx accesses Apache on localhost, and I noticed a lot of people used localhost / 127.0.0.1 in their Apache configuration, nginx was bypassing the Apache rules: nginx runs on localhost, so Apache was granting access to them. So the best way around this is to redirect them to a 404 "does not exist" page or deny them access altogether. (Basically, if you call any localhost configuration in Apache, remove it or think about changing it, or you can just apply my security rules to block them from the front end.)
And yes, wherever the root of your site is, just change the file paths to match your website root.
Code: | c:/website/ps/public_www |
The way you must have it set up is for Apache to run as the backend on a different port. I use port :8000.
Then Nginx always runs on port :80. If you have multiple virtual hosts for nginx, just place them between the server configuration lines.
It should look like this for multiple virtual hosts:
Code: | server {
    listen 80;
    server_name domain1.com www.domain1.com;
    root c:/server/websites/ps/public_www;
    #####Place everything for that host here roots configs etc######
}
server {
    listen 80;
    server_name domain2.com www.domain2.com;
    root c:/server/websites/ps/public_www;
    #####Place everything for that host here roots configs etc######
}
server {
    listen 80;
    server_name domain3.com www.domain3.com;
    root c:/server/websites/ps/public_www;
    #####Place everything for that host here roots configs etc######
}
server {
    listen 80;
    server_name domain4.com www.domain4.com;
    root c:/server/websites/ps/public_www;
    #####Place everything for that host here roots configs etc######
} |
I think I will write up a post on how to set up nginx with Apache and share the configs that I use in production to sort out this issue. It is a complex setup but extremely effective when running.
It will take a while for me to write it up. The last long security setup for Windows I wrote up was for a gaming system on Steam, in SourceMod servers on Windows. http://forums.alliedmods.net/showthread.php?t=189327
Since this forum does not let me upload pictures, I will use Photobucket, I reckon.
The other note I will add about nginx compared to Apache, and what I believe makes it so much better, is that Apache runs on threads. (No such thing as a non-threaded Apache server.)
But nginx relies on an event-driven (asynchronous) architecture, instead of threads, to handle requests, making it handle every request more efficiently, which is why all top dog sites or high traffic fast websites use it. |
|
jimski
Joined: 18 Jan 2014 Posts: 196 Location: USSA
|
Posted: Sat 15 Feb '14 18:48 Post subject: |
|
|
On Windows x64, Nginx is crippled because of a lack of support for caching due to ASLR.
Even though on newer Windows x64 Address Space Layout Randomization (ASLR) can be disabled, Nginx still can't use cache. If you want to experiment, here is a utility to disable ASLR:
http://www.microsoft.com/en-us/download/details.aspx?id=29851
Last edited by jimski on Sun 16 Feb '14 4:27; edited 1 time in total |
|
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
|
Posted: Sat 15 Feb '14 18:57 Post subject: |
|
|
Where did you find that out from, jimski? My nginx is 32bit and I never noticed any issues with caching. I do run it on a 64bit system too.
Edit: I see, but it's Windows Vista and later versions, not Windows 2008 and earlier.
Quote: | The cache and other modules which require shared memory support do not work on Windows Vista and later versions due to address space layout randomization being enabled in these Windows versions. |
http://nginx.org/en/docs/windows.html |
|
gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
|
Posted: Sun 16 Feb '14 1:29 Post subject: |
|
|
C0nw0nk wrote: | Where did you find that out from, jimski? My nginx is 32bit and I never noticed any issues with caching. I do run it on a 64bit system too.
Edit: I see, but it's Windows Vista and later versions, not Windows 2008 and earlier.
Quote: | The cache and other modules which require shared memory support do not work on Windows Vista and later versions due to address space layout randomization being enabled in these Windows versions. |
http://nginx.org/en/docs/windows.html |
2008 is based on Vista. 2008 R2 is based on 7, etc |
|
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
|
Posted: Sun 16 Feb '14 2:52 Post subject: |
|
|
gijs wrote: | C0nw0nk wrote: | Where did you find that out from, jimski? My nginx is 32bit and I never noticed any issues with caching. I do run it on a 64bit system too.
Edit: I see, but it's Windows Vista and later versions, not Windows 2008 and earlier.
Quote: | The cache and other modules which require shared memory support do not work on Windows Vista and later versions due to address space layout randomization being enabled in these Windows versions. |
http://nginx.org/en/docs/windows.html |
2008 is based on Vista. 2008 R2 is based on 7, etc |
Is there a method for testing this? I don't see any problems with my open file cache. |
|
jimski
Joined: 18 Jan 2014 Posts: 196 Location: USSA
|
Posted: Sun 16 Feb '14 4:25 Post subject: |
|
|
I was talking about fastcgi cache. Yes, you can test it by adding these lines to nginx.conf in the section http { :
Code: |
http {
    fastcgi_cache_path /path/to/cache levels=1:2
                       keys_zone=NAME:10m
                       inactive=5m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    server {
        location / {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_cache NAME;
            fastcgi_cache_valid any 1m;
            fastcgi_cache_min_uses 1;
        }
    }
}
|
Start nginx and fastcgi from the command prompt to see messages. |
|
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
|
Posted: Sun 16 Feb '14 17:02 Post subject: |
|
|
jimski wrote: | I was talking about fastcgi cache. Yes, you can test it by adding these lines to nginx.conf in the section http { :
Code: |
http {
    fastcgi_cache_path /path/to/cache levels=1:2
                       keys_zone=NAME:10m
                       inactive=5m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    server {
        location / {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_cache NAME;
            fastcgi_cache_valid any 1m;
            fastcgi_cache_min_uses 1;
        }
    }
}
|
Start nginx and fastcgi from the command prompt to see messages. |
Since my setup uses Apache as a backend, I only use the open file cache.
Code: | open_file_cache max=900000 inactive=10m;
open_file_cache_valid 20m;
open_file_cache_min_uses 1;
open_file_cache_errors on; |
http://wiki.nginx.org/HttpCoreModule#open_file_cache
http://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache |
|
gijs
Joined: 27 Apr 2012 Posts: 189 Location: The Netherlands
|
Posted: Sun 23 Feb '14 0:17 Post subject: |
|
|
C0nw0nk wrote: |
Yes, it's security, but because nginx accesses Apache on localhost, and I noticed a lot of people used localhost / 127.0.0.1 in their Apache configuration, nginx was bypassing the Apache rules: nginx runs on localhost, so Apache was granting access to them. So the best way around this is to redirect them to a 404 "does not exist" page or deny them access altogether. (Basically, if you call any localhost configuration in Apache, remove it or think about changing it, or you can just apply my security rules to block them from the front end.)
|
Okay, does Apache by default ignore .htaccess and modsecurity rules on 127.0.0.1?
If I don't have that problem, will nginx be using the same security settings I have for Apache (.htaccess, mod security)?
Quote: |
I think I will write up a post on how to set up nginx with Apache and share the configs that I use in production to sort out this issue. It is a complex setup but extremely effective when running.
It will take a while for me to write it up. The last long security setup for Windows I wrote up was for a gaming system on Steam, in SourceMod servers on Windows. http://forums.alliedmods.net/showthread.php?t=189327
|
That would be greatly appreciated; please describe what kind of steps have to be done to set up nginx in front of Apache, and the cons and pros of this.
What kind of performance improvement do you expect on a low traffic server from making this switch?
My site already loads pretty damn quick, but perhaps SPDY from nginx will make it even better. |
|
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
|
Posted: Sun 23 Feb '14 11:29 Post subject: |
|
|
gijs wrote: | C0nw0nk wrote: |
Yes, it's security, but because nginx accesses Apache on localhost, and I noticed a lot of people used localhost / 127.0.0.1 in their Apache configuration, nginx was bypassing the Apache rules: nginx runs on localhost, so Apache was granting access to them. So the best way around this is to redirect them to a 404 "does not exist" page or deny them access altogether. (Basically, if you call any localhost configuration in Apache, remove it or think about changing it, or you can just apply my security rules to block them from the front end.)
|
Okay, does Apache by default ignore .htaccess and modsecurity rules on 127.0.0.1?
If I don't have that problem, will nginx be using the same security settings I have for Apache (.htaccess, mod security)?
Quote: |
I think I will write up a post on how to set up nginx with Apache and share the configs that I use in production to sort out this issue. It is a complex setup but extremely effective when running.
It will take a while for me to write it up. The last long security setup for Windows I wrote up was for a gaming system on Steam, in SourceMod servers on Windows. http://forums.alliedmods.net/showthread.php?t=189327
|
That would be greatly appreciated; please describe what kind of steps have to be done to set up nginx in front of Apache, and the cons and pros of this.
What kind of performance improvement do you expect on a low traffic server from making this switch?
My site already loads pretty damn quick, but perhaps SPDY from nginx will make it even better. |
Post your mod_security config / rules to see if they correspond with the localhost setup.
For a low traffic site I wouldn't worry. I'd say when your traffic flow reaches 200,000 or more a day, consider it.
Rules like this in Apache are what nginx caused security flaws with, because nginx runs on localhost as a proxy.
Code: | <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow
    Deny from all
    Allow from ::1 127.0.0.0/8 \
        fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
        81.196.40.94/32
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch> |
So to fix that problem we just tell it to deny from all or redirect them to a custom error document.
Code: | <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow
    Deny from all
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</LocationMatch> |
Or better yet, if you need some things in those configs like phpMyAdmin, just add my nginx rules. (Change the IP address of course.)
Code: | location ~ ^/(xampp|security|phpmyadmin|licenses|webalizer|server-status|server-info|cpanel|configuration\.php) {
    #deny all;
    #allow 192.168.1.0/24;
    return 404;
} |
|
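Added example (not part of the thread and not any poster's or project's own code): the issue described in the posts above is that once nginx proxies to Apache over loopback, every request reaches Apache from 127.0.0.1 or ::1, so any Apache rule that trusts those addresses admits all visitors. The Python sketch below audits a config for such rules; it goes beyond the quoted `Allow from` block by also checking Apache 2.4 `Require ip` and `Require local`, and the second sample block and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the XAMPP rule quoted in the thread, plus a rule that
# trusts only a LAN range (the second block is made up for contrast).
SAMPLE_CONF = r'''
<LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
    Order deny,allow
    Deny from all
    Allow from ::1 127.0.0.0/8 \
        fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
        81.196.40.94/32
</LocationMatch>
<Location "/server-status">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Location>
'''

# Assumption: the proxy reaches Apache over loopback, as in the thread.
PROXY_SOURCES = [ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")]
RULE = re.compile(r"^(?:Allow\s+from|Require\s+ip|Require)\s+(.+)$", re.I)

def admits_proxy(token):
    """True if one Allow/Require argument matches the proxy's source address."""
    if token.lower() in ("local", "localhost"):
        return True
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return False  # hostnames, partial IPs, "all", env=...: not evaluated
    return any(a.version == net.version and a in net for a in PROXY_SOURCES)

def audit(conf_text):
    """Return [(section, [tokens])] for rules every proxied client would pass."""
    findings, section = [], "(server)"
    for raw in conf_text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.strip()
        opened = re.match(r"^<(\w+)\s+(.*)>$", line)
        if opened:
            section = f"{opened.group(1)} {opened.group(2)}"
        elif line.startswith("</"):
            section = "(server)"
        elif (rule := RULE.match(line)):
            hits = [t for t in rule.group(1).split() if admits_proxy(t)]
            if hits:
                findings.append((section, hits))
    return findings

if __name__ == "__main__":
    for section, hits in audit(SAMPLE_CONF):
        print(f"{section}: trusts the proxy's own address via {hits}")
```

Any section it reports needs its loopback entries removed in Apache or the path blocked at the nginx front end, which are the two fixes the posts above describe.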
|
ng4win
Joined: 25 May 2014 Posts: 78
|
Posted: Sun 25 May '14 19:20 Post subject: |
|
|
Hello, I was following this with interest, but it seems not to go any further due to limits with nginx on Windows. I'd like to point you to a fully developed version which has all original issues solved after nearly a year of development; have a look here: http://nginx-win.ecsds.eu/ If there are any questions or issues, we'd be happy to assist. |
|
CamaroSS
Joined: 24 Jan 2013 Posts: 78 Location: RF, Tver
|
Posted: Mon 26 May '14 9:13 Post subject: |
|
|
That's very interesting, assuming the connection limit has been raised from the uncomfortable 1024. |
|
ng4win
Joined: 25 May 2014 Posts: 78
|
Posted: Mon 26 May '14 18:45 Post subject: |
|
|
It has, and it can be raised 10-fold from what is used at the moment (16k). Tests over time have shown the current max is enough, given how nginx pool recycling works plus our registry settings, to easily handle a 10g aix link. |
|
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
|
Posted: Mon 26 May '14 20:48 Post subject: |
|
|
Wow, thanks ng4win! Looking forward to testing this very vigorously and thoroughly!
I have a few questions. Does it let me work with the MP4 commercial features of Nginx? I really want to use the commercial features.
http://nginx.org/en/docs/http/ngx_http_mp4_module.html#mp4_limit_rate_after
But a commercial subscription costs like £1k a month!! If they honestly think I or anyone is going to pay that, unless you are YouTube or something, they are crazy.
As well as in the known issues section:
http://nginx.org/en/docs/windows.html#known_issues
Have you fixed the cache problem?
Quote: | The cache and other modules which require shared memory support do not work on Windows Vista and later versions due to address space layout randomization being enabled in these Windows versions. |
|
|
ng4win
Joined: 25 May 2014 Posts: 78
|
Posted: Mon 26 May '14 22:31 Post subject: |
|
|
We're not nginx, we don't have a commercial version; what you get here for commercial support are custom builds, changes and anything else which isn't in the 2 standard releases. For Linux you need to talk to nginx Inc. We're Windows only.
All Windows issues which nginx Inc. have listed are solved: DEP and ASLR compliant, SPDY, multiple workers actually work, etc... See the site and the Readme for all the features.
RTMP is included for streaming, which uses its own settings. |
|
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
|
|
ng4win
Joined: 25 May 2014 Posts: 78
|
Posted: Tue 27 May '14 10:38 Post subject: |
|
|
If the code is kept out of public view, it's simply not possible to port it. We're not going to invent code; it has to be there (working or not) or by way of a module. Syslog is a good example here, when it made its way to public code.
Pagespeed has a low priority. We believe this is a solution for crappy coding and crappy tools; a site cleanup and tuneup would gain much more than pagespeed can ever do. Secondly, it depends on a library which is extremely difficult to port.
Yes it is, but that tweet is about syslog being able to handle c100k without losing any logging; our build should be able to handle c1000k+ |
|
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
|
Posted: Tue 27 May '14 13:47 Post subject: |
|
|
Wow, 1 million concurrent connections seems like a bit much and unstable.
Is there a max keep-alive requests, or are all the limits on your versions the same as in the nginx.org wiki? Sorry for asking so many questions, just want to be sure, because trying it, it works fine.
But as soon as I put it on my production server(s), I just want to be sure it does not go tits up. |
|