The Nginx proxy server is an excellent addition to the external face of any web service. You can off-load some rewrite rules, route traffic to different back-ends and sanitise all requests before they hit the back-end.
Installation
Using either apt-get or emerge
~ # apt-get install nginx
On Gentoo there are loads of configurable modules; enable the ones you need, or all of them if you'd like. I find that these USE flags are the most useful: "http http-cache ipv6 pcre ssl". Then set NGINX_MODULES_HTTP to your liking. There are lots to choose from here; get at least "browser charset fastcgi geo gzip proxy referer rewrite". Others you may be interested in are: "geo geoip memcached realip upload_progress".
~ # emerge -av nginx
[ebuild N ] dev-libs/geoip-1.6.0-r1 USE="-city ipv6 -static-libs"
[ebuild N ] www-servers/nginx-1.2.1 USE="-aio -debug http http-cache ipv6 -libatomic pcre -pcre-jit (-selinux) ssl -vim-syntax" NGINX_MODULES_HTTP="access -addition -ajp auth_basic -auth_pam -auth_request autoindex browser -cache_purge charset -dav -dav_ext -degradation -echo empty_gif fancyindex fastcgi -flv geo geoip -gunzip gzip gzip_static headers_more -image_filter limit_conn limit_req lua map memcached metrics -mogilefs mp4 -naxsi perl proxy -push_stream -random_index realip referer rewrite scgi -secure_link -security -slowfs_cache spdy split_clients ssi -sticky -stub_status -sub upload_progress -upstream_check upstream_ip_hash userid uwsgi -xslt" NGINX_MODULES_MAIL="-imap pop3 smtp" 702 kB
One of the first things to do is isolate the user and group that Nginx runs as; we use a dedicated account for this purpose.
~ # useradd --comment 'Nginx' --shell /bin/false --home /dev/null nginx
Nginx Basics
Now let's make Nginx proxy requests to our back-end Apache servers, that is, for our non-static assets.
Take a look in the /etc/nginx/nginx.conf file.
We listen on the external interface, port 80 & 443 (for SSL
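# Logging is for chumps :p
# (this discards error messages; point error_log at a file if you want them for troubleshooting)
error_log /dev/null crit;
user nginx;
worker_processes 8;
# nginx will not start without an events block; an empty one takes the defaults
events {
}
# Both servers live in a single http block; a second http block is rejected as a duplicate
http {
    server {
        # Bind this to the external address so it does not collide with Apache on 127.0.0.1:80
        listen 80;
        server_name edoceo.com;
        include "rewrite.conf";
        location / {
            proxy_pass http://127.0.0.1:80;
        }
    }
    server {
        listen 443;
        server_name edoceo.com;
        ssl on;
        ssl_certificate /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;
        include "rewrite.conf";
        location / {
            proxy_pass http://127.0.0.1:80;
        }
    }
}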
Adjust as necessary for your environment.
Nginx SSL Configurations
Various SSL configurations for Nginx, showing certificate chains where necessary and cipher specifications.
server {
    listen 443 default_server ssl;
    server_name edoceo.com;
    # Enable the SSL Engine (< 0.7.14)
    ssl on;
    # The certificate or file.
    ssl_certificate /etc/ssl/server.crt;
    # A noDES key for the CRT
    ssl_certificate_key /etc/ssl/server.key;
}
You may need to create the certificate chain, in which case you cat the certificates together.
cat server.crt ca-intermediate.crt > bundle.pem
ssl_certificate /etc/ssl/bundle.pem;
Nginx Example Rules
Here are a few examples of tricks we do with Nginx.
Serve Static Files Locally
This shows three external paths to access the CSS, and dedicated paths for the other resources.
location /c {
    root /var/www/css;
    autoindex off;
}
location /css {
    root /var/www/css;
    autoindex off;
}
location /d7/css {
    root /var/www/css;
    autoindex off;
}
location /i {
    root /var/www/images;
    autoindex off;
}
location /j {
    root /var/www/javascript;
    autoindex off;
}
Force SSL
location ~* /admin {
    rewrite (.*) https://$host$1 permanent;
}
location ~* /user {
    rewrite (.*) https://$host$1 permanent;
}
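An added example, not part of the original page: a small Python model of how nginx selects a location, applied to the static-file and Force SSL locations above, to audit where each request actually lands. It assumes all of those locations sit in one server block alongside `location /`; the function name and the sample URIs are constructed for illustration.

```python
import re

# Locations copied from the page's examples; assumed to share one server block.
PREFIX = {                       # prefix location -> (directive, value)
    "/":       ("proxy", "http://127.0.0.1:80"),
    "/c":      ("root", "/var/www/css"),
    "/css":    ("root", "/var/www/css"),
    "/d7/css": ("root", "/var/www/css"),
    "/i":      ("root", "/var/www/images"),
    "/j":      ("root", "/var/www/javascript"),
}
REGEX = [r"/admin", r"/user"]    # the "~*" locations, in config order


def route(uri):
    """Return (location, outcome) following nginx's location selection order."""
    path = uri.split("?", 1)[0]  # locations are matched without the query string
    # Step 1: remember the longest prefix location that matches.
    best = max((p for p in PREFIX if path.startswith(p)), key=len)
    # Step 2: regex locations are tried in order and the first hit overrides
    # the remembered prefix (none of these prefixes use "^~" or "=").
    for rx in REGEX:
        if re.search(rx, path, re.IGNORECASE):  # "~*": unanchored, case-insensitive
            return ("~* " + rx, "301 https://$host" + path)
    kind, value = PREFIX[best]
    if kind == "root":
        # "root" appends the whole URI, location prefix included.
        return (best, value + path)
    return (best, "proxy_pass " + value)


if __name__ == "__main__":
    # Constructed sample requests.
    for uri in ["/css/site.css", "/c/site.css", "/contact", "/index.php",
                "/i/user-icon.png", "/Admin/login", "/blog/post"]:
        location, outcome = route(uri)
        print(f"{uri:20} location {location:12} -> {outcome}")
```

Prefix locations such as `/c` and `/i` also capture `/contact` and `/index.php`, and the unanchored regexes redirect any URI that merely contains `/user` or `/admin`; a trailing slash on the prefixes (`location /c/`) and a leading `^` on the regexes narrow each block to the paths it was written for.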
Nginx Deployment Picture
Here's a pretty picture of how we typically deploy Nginx.