Using Nginx as a reverse-proxy

Sometimes the simplest way to deal with Apache problems and exploits is to install Nginx (“Engine X”) as a reverse-proxy in front of Apache.

The issue is that in its standard configuration, Apache dedicates one thread for each open connection, which increases the overhead of every concurrent connection and decreases the number of simultaneous requests that Apache can serve. Newer servers such as Nginx use more sophisticated techniques that allow them to serve thousands of concurrent requests with almost no overhead.

In reverse-proxy configuration, inbound connections get directly handled by Nginx. Presumably Nginx will be configured to directly handle or reject the bulk of the connections (such as malicious traffic) and pass the rest of the traffic over to Apache. Often this setup is temporary for the purpose of handling a DDoS attack or the like.

To set up such a configuration first download the latest source code package. Extract and install as usual.

tar -zxf nginx-*.tar.gz      # unpack the source tarball
cd nginx-*/
./configure && make && sudo make install   # configure is a script in the source tree, so it needs the ./ prefix
# this by default installs to /usr/local/nginx/

Next edit your nginx.conf file to look something like this. Note that this is just a starting point; if you want to actually do something with nginx, you have to add that configuration as well. Replace 1.2.3.4 with your server’s IP address.

worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  3;
    server {
        listen       1.2.3.4:81;
        server_name  nginx;
        location / {
            proxy_pass http://1.2.3.4:80;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout      20;
            proxy_send_timeout         20;
            proxy_read_timeout         90;
            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
        }
    }
}

Now, run the nginx binary: /usr/local/nginx/sbin/nginx.

Finally, redirect inbound port 80 traffic to port 81 to send it to nginx instead of Apache (again, change 1.2.3.4 to your IP).

iptables -t nat -I PREROUTING ! -s 1.2.3.4 -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to :81

As one final note, Apache will now see all inbound traffic as coming from your own IP address instead of from the visitor. You can fix this by installing and configuring mod_rpaf for Apache. But that will have to be another post.
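Until that fix is in place, anything behind Apache that wants the visitor's address must read the headers the config above sets. Because `proxy_add_x_forwarded_for` appends the connecting address to whatever X-Forwarded-For the visitor already sent, the trustworthy value is the last entry, not the first, and the header should only be believed at all when the connection actually came from the proxy. This is an added example, not code from the post; it assumes the backend can see the TCP peer address and the request headers, and uses the post's 1.2.3.4 as the proxy address placeholder.

```python
import ipaddress

# Address of the nginx reverse-proxy (placeholder from the post; replace with yours).
TRUSTED_PROXIES = {ipaddress.ip_address("1.2.3.4")}


def client_ip(peer_addr, headers):
    """Return the visitor's address for a request that arrived via the nginx proxy.

    peer_addr: the TCP peer the backend actually accepted the connection from.
    headers:   request headers with lower-cased names (constructed dicts in the test).
    """
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        # Connection did not come through nginx: any forwarded header could be forged.
        return str(peer)

    # proxy_set_header X-Real-IP $remote_addr replaces (does not append), so when the
    # proxy sent it, it is exactly the address nginx accepted the connection from.
    real = headers.get("x-real-ip")
    if real:
        try:
            return str(ipaddress.ip_address(real))
        except ValueError:
            pass  # malformed value: fall through to X-Forwarded-For

    # X-Forwarded-For is "visitor-supplied hops..., $remote_addr": walk from the right
    # and take the first hop that is not one of our own proxies.
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # garbage in the header: do not guess, report the proxy
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)  # no usable header at all


if __name__ == "__main__":
    # Constructed request: visitor 203.0.113.5 sent a forged "X-Forwarded-For: 10.0.0.9";
    # nginx appended the real address, so the backend sees both and must pick the last.
    print(client_ip("1.2.3.4", {"x-forwarded-for": "10.0.0.9, 203.0.113.5"}))
```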

© 2006-2014 TL Tech Services LLC. All rights reserved. Contact us to inquire about republishing rights.