Sometimes the simplest way to deal with Apache problems and exploits is to install Nginx (“Engine X”) as a reverse-proxy in front of Apache.
The issue is that in its standard configuration, Apache dedicates one thread for each open connection, which increases the overhead of every concurrent connection and decreases the number of simultaneous requests that Apache can serve. Newer servers such as Nginx use an event-driven design that lets them serve thousands of concurrent connections with very little overhead per connection.
In reverse-proxy configuration, inbound connections get directly handled by Nginx. Presumably Nginx will be configured to directly handle or reject the bulk of the connections (such as malicious traffic) and pass the rest of the traffic over to Apache. Often this setup is temporary for the purpose of handling a DDoS attack or the like.
To set up such a configuration, first download the latest source code package. Extract and install as usual:
tar -zxf nginx-*.tar.gz
cd nginx-*/
./configure && make && sudo make install
# this by default installs to /usr/local/nginx/
Next, edit your nginx.conf file to look something like this. Note that this is just a starting point; if you want to actually do something with nginx, you have to add that configuration as well. Replace 1.2.3.4 with your server’s IP address.
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 3;

    server {
        listen 1.2.3.4:81;
        server_name nginx;

        location / {
            proxy_pass http://1.2.3.4:80;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout 20;
            proxy_send_timeout 20;
            proxy_read_timeout 90;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }
}
Now, run the nginx binary: /usr/local/nginx/sbin/nginx.
Finally, redirect inbound port 80 traffic to port 81 so that it reaches nginx instead of Apache (again, change 1.2.3.4 to your IP). The `! -s 1.2.3.4` match keeps nginx’s own connections to Apache on port 80 from being redirected back to nginx.
iptables -t nat -I PREROUTING ! -s 1.2.3.4 -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination :81
As one final note, Apache will now see all inbound traffic as coming from your own IP address instead of from the visitor. You can fix this by installing and configuring mod_rpaf for Apache. But that will have to be another post.
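As an added example (not part of the original post, and not mod_rpaf’s own code), this is how a backend behind the proxy above should recover the visitor’s address from the X-Forwarded-For header that the `$proxy_add_x_forwarded_for` line builds: the header is only believed when the request actually arrived from the proxy, and it is read from the right so that a value the visitor forged cannot displace the address nginx appended. The proxy address 1.2.3.4 is the post’s; the client addresses are constructed samples.

```python
import ipaddress
from typing import Optional

# Addresses allowed to set X-Forwarded-For: the nginx proxy from the post
# (1.2.3.4, which is also the source Apache sees for proxied requests) and
# localhost. Everything else in the header chain is untrusted client input.
TRUSTED_PROXIES = [ipaddress.ip_network("1.2.3.4/32"),
                   ipaddress.ip_network("127.0.0.1/32")]


def parse_ip(addr: str):
    """Return the parsed address, or None if the string is not an IP."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def is_trusted_proxy(addr: str) -> bool:
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Address a backend should log and rate-limit on.

    $proxy_add_x_forwarded_for appends the peer's address to whatever
    X-Forwarded-For the client already sent, so the trustworthy part of
    the chain is on the right. Walk right to left, discarding our own
    proxies; the first untrusted entry is the real visitor. If the TCP
    peer is not a trusted proxy (a request that reached Apache without
    passing through nginx), the header is ignored: the peer could have forged it.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        # A malformed untrusted hop cannot be attributed to anyone; fall back
        # to the proxy address rather than logging attacker-chosen text.
        return hop if parse_ip(hop) is not None else remote_addr
    return remote_addr  # header missing or contained only our own proxies


if __name__ == "__main__":
    # Constructed sample: a visitor at 203.0.113.7 sends a forged header
    # through nginx, which appends the visitor's real address before proxying.
    print(client_ip("1.2.3.4", "10.0.0.1, 203.0.113.7"))   # 203.0.113.7
    # The same visitor reaching Apache directly while claiming to be nginx.
    print(client_ip("203.0.113.7", "1.2.3.4"))              # 203.0.113.7
```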