Install Reverse Proxy Using NGINX
=====
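## Host preparation: strip unneeded packages, install build dependencies,
## switch password hashing to SHA-512, then fetch and unpack the nginx source.
# yum -y groupremove "X Window System"
## The pattern below is a substring match on package names, so it can also
## select packages you did not intend to remove (anything whose name merely
## contains "bind" or "mysql", for example). Print the list and read it
## before handing it to "yum -y remove", which does not ask for confirmation.
# x=$(yum list installed | egrep -i 'php|httpd|mysql|bind|dhclient|tftp|inetd|xinetd|ypserv|telnet-server|rsh-server|vsftpd|tcsh' | awk '{ print $1}')
# echo "$x"
# yum -y remove $x
# yum -y install bind-utils sysstat openssl-devel.x86_64 pcre-devel.x86_64 openssl097a.x86_64
## Set the hash algorithm first so the root password changed on the next line
## is stored with SHA-512.
# /usr/sbin/authconfig --passalgo=sha512 --update
# passwd root
## nginx only needs an identity for its worker processes: create a system
## account without a login shell instead of a regular interactive user.
# useradd -r -s /sbin/nologin nginx
# cd /opt
## The tarball is downloaded over plain HTTP with no integrity check, and
## 0.8.33 is an old release. Prefer a currently maintained version, and verify
## the archive against the project's published PGP signature (or a checksum
## obtained over a trusted channel) before unpacking and building it as root.
# wget http://sysoev.ru/nginx/nginx-0.8.33.tar.gz
# tar -zxvf nginx-0.8.33.tar.gz
# cd nginx-0.8.33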
For a build without SSL:
## Both configure lines drop modules a pure reverse proxy does not need
## (autoindex, SSI, userid, basic auth, geo, FastCGI, empty_gif), which keeps
## the built binary smaller and reduces the code exposed to clients.
## NOTE(review): --with-openssl normally points at an OpenSSL source tree, not
## a library directory, and this variant enables no SSL module - confirm that
## "--with-openssl=/lib64" is needed at all.
# ./configure --without-http_autoindex_module --without-http_ssi_module --without-http_userid_module --without-http_auth_basic_module --without-http_geo_module --without-http_fastcgi_module --without-http_empty_gif_module --with-openssl=/lib64
=====For ssl ====
## --sbin-path moves the binary out of the prefix, so later start/stop commands
## must use the path that matches the build actually installed (this page uses
## both /usr/local/sbin/nginx and /usr/local/nginx/sbin/nginx).
## NOTE(review): --with-debug compiles in debug logging support; confirm it is
## wanted on a production proxy.
./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/sbin --with-debug --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --without-http_userid_module --without-http_auth_basic_module --without-http_geo_module --without-http_fastcgi_module --without-http_empty_gif_module
====
Sample outputs:
======
....
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
...
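## Build and install, then keep the shipped configuration as a backup before
## writing the new one.
# make
# make install
# cd /usr/local/nginx/conf
## "mv" has no -r/-p options (and the original line used an en dash instead of
## "-"), so the backup step failed as written; copy the file, preserving its
## mode and timestamps, instead.
# cp -p nginx.conf nginx.conf.org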
============================================
[root@revproxy conf]# vi nginx.conf
## Main nginx.conf: process-level settings plus the three include files that
## carry the HTTP options, the proxy defaults and the per-domain server blocks.
pid logs/nginx.pid;
## Worker processes run as the unprivileged nginx user and group.
user nginx nginx;
## NOTE(review): 10 workers is a fixed choice; confirm it matches the CPU count
## of the proxy host.
worker_processes 10;
events {
worker_connections 1024;
}
http {
default_type application/octet-stream;
## Common options ##
include options.conf;
## Proxy settings ##
include proxy.conf;
## lb domains ##
include domain.net.conf;
}
[root@revproxy conf]# vi options.conf
## options.conf: http-level defaults (included from nginx.conf) for request
## size limits, timeouts, compression and the access-log format.
## Size Limits
client_body_buffer_size 128K;
## NOTE(review): 1M is far larger than the large_client_header_buffers setting
## below (8 x 8k); header buffers cost memory per connection, so an oversized
## value makes it cheaper for clients to exhaust memory - confirm it is intended.
client_header_buffer_size 1M;
## Request bodies above 1M are rejected; raise only if uploads require it.
client_max_body_size 1M;
large_client_header_buffers 8 8k;
## Timeouts
## Bounded client timeouts limit how long a slow or idle client can hold a
## connection open.
client_body_timeout 60;
client_header_timeout 60;
## NOTE(review): set at http level, so it applies to every response, including
## proxied dynamic content - confirm that is wanted.
expires 24h;
keepalive_timeout 60 60;
send_timeout 60;
## General Options
ignore_invalid_headers on;
keepalive_requests 100;
## Declares a 5m shared zone keyed by client address.
## NOTE(review): no limit_conn directive in the configs shown here refers to
## the "gulag" zone, so no per-client connection limit is actually enforced.
limit_zone gulag $binary_remote_addr 5m;
recursive_error_pages on;
sendfile on;
server_name_in_redirect off;
## Do not advertise the nginx version in error pages and the Server header.
server_tokens off;
## TCP options
tcp_nodelay on;
tcp_nopush on;
## Compression
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 6;
gzip_http_version 1.0;
gzip_min_length 0;
gzip_types text/plain text/css image/x-icon application/x-perl application/x-httpd-cgi;
gzip_vary on;
## Log Format
## "main" records client address, requested host, user, time, request line,
## status, bytes sent, referer, user agent and gzip ratio.
log_format main '$remote_addr $host $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
[root@revproxy conf]# vi proxy.conf
## proxy.conf: http-level proxy and cache defaults (included from nginx.conf).
## Proxy caching options
proxy_buffering on;
## A response is stored only after the same request has been seen 3 times.
proxy_cache_min_uses 3;
## Defines the shared cache zone named "cache" that locations enable with
## "proxy_cache cache;".
## NOTE(review): the cache directory should be writable by the nginx user only,
## since it holds copies of backend responses.
proxy_cache_path /usr/local/nginx/proxy_temp/ levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000M;
proxy_cache_valid any 10m;
proxy_ignore_client_abort off;
proxy_intercept_errors on;
proxy_next_upstream error timeout invalid_header;
proxy_redirect off;
## Overwrites any client-supplied X-Forwarded-For with the address nginx saw.
## NOTE(review): proxy_set_header is inherited only by levels that define no
## proxy_set_header of their own; the locations in domain.net.conf set their
## own headers (using $proxy_add_x_forwarded_for, which appends to the client's
## value), so this line does not apply there. Backends must not trust the
## left-most X-Forwarded-For entry in that case.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_connect_timeout 60;
proxy_send_timeout 60;
proxy_read_timeout 60;
[root@revproxy conf]# vi domain.net.conf
## Connect to backend servers via LAN ##
## Reverse Proxy Load Balancer Logic ##
## Two equally weighted backends; a backend is marked failed after 3 errors
## within 30s and skipped for 30s.
## NOTE(review): the proxy_pass lines in the server blocks shown on this page
## point at individual backend IPs, not at "http://domain", so this upstream
## group (and its backup server) appears to be unused - confirm.
upstream domain {
server 192.168.26.39 weight=10 max_fails=3 fail_timeout=30s;
server 192.168.26.42 weight=10 max_fails=3 fail_timeout=30s;
# only comes alive when above two fails
server 192.168.1.23 weight=1 backup;
}
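## Plain-HTTP virtual host for subdomain.domain.net: rejects unexpected Host
## headers and request methods, then proxies everything to the backend with
## response caching.
server {
    access_log logs/access.log main;
    error_log logs/error.log;
    index index.html;
    root /usr/local/nginx/html;
    server_name subdomain.domain.net www.subdomain.domain.net;

    ## Only requests to our Host are allowed.
    ## Dots are escaped so "." matches a literal dot only; unescaped it matches
    ## any character and lets look-alike host names pass the check.
    ## 444 makes nginx close the connection without sending a response.
    if ($host !~ ^(subdomain\.domain\.net|www\.subdomain\.domain\.net)$ ) {
        return 444;
    }

    ## redirect www to nowww
    # if ($host = 'www.subdomain.domain.net' ) {
    # rewrite ^/(.*)$ http://subdomain.domain.net/$1 permanent;
    # }

    ## Only allow these request methods
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    ## PROXY - Web
    location / {
        ## NOTE(review): this targets one backend directly; the "domain"
        ## upstream group is not used here, so there is no load balancing or
        ## failover for this host - confirm that is intended.
        proxy_pass http://192.168.26.39;
        proxy_cache cache;
        proxy_cache_valid 200 24h;
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        ## NOTE(review): ignoring Expires and Cache-Control means a backend
        ## response marked private or no-cache is still stored and can be
        ## served to other clients for up to 24h. Enable this only for
        ## locations that never return per-user content.
        proxy_ignore_headers Expires Cache-Control;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        ## Appends the client address to any X-Forwarded-For the client sent;
        ## backends should rely on X-Real-IP or the last entry only.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}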
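## Second plain-HTTP virtual host. It has no proxy location, so requests that
## pass the checks are answered from the local document root.
## NOTE(review): server_name lists revpro3.domain.net, but the Host check below
## accepts only subdomain.domain.net and www.subdomain.domain.net, so every
## request for revpro3.domain.net gets 444. "www.subdomain.domain.net.net"
## also looks like a typo. Align server_name and the Host check - confirm the
## intended names.
server {
    access_log logs/access.log main;
    error_log logs/error.log;
    index index.html;
    root /usr/local/nginx/html;
    server_name revpro3.domain.net www.subdomain.domain.net.net;

    ## Only requests to our Host are allowed.
    ## Dots are escaped so "." matches a literal dot only; unescaped it matches
    ## any character and lets look-alike host names pass the check.
    if ($host !~ ^(subdomain\.domain\.net|www\.subdomain\.domain\.net)$ ) {
        return 444;
    }

    ## redirect www to nowww
    # if ($host = 'www.subdomain.domain.net' ) {
    # rewrite ^/(.*)$ http://subdomain.domain.net/$1 permanent;
    # }

    ## Only allow these request methods
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}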
## HTTPS virtual host for subdomain.domain.net.
## NOTE(review): this block is not valid as written. The first "location /" is
## never closed, a second "location /" (plain-HTTP backend, with caching) is
## nested inside it, and the closing brace of "server" is missing. It also
## repeats "listen 443" and the server_name of the server block that follows.
## Decide which backend this host should use and keep one balanced server
## block; "nginx -t" will reject the file until then.
server {
### server port and name ###
listen 443;
server_name subdomain.domain.net;
### SSL log files ###
access_log logs/ssl-access.log;
error_log logs/ssl-error.log;
### SSL cert files ###
### Keep the private key file readable by root only. ###
ssl on;
ssl_certificate ssl/star_domain_com.crt;
ssl_certificate_key ssl/domain.com.key;
### Add SSL specific settings here ###
keepalive_timeout 60;
### Limiting Ciphers ########################
# Uncomment as per your setup
#ssl_ciphers HIGH:!ADH;
#ssl_prefer_server_ciphers on;
# SSLv3 is a broken protocol and must not be enabled. Offer only the TLS
# versions your nginx/OpenSSL build supports; the current ones need a far more
# recent nginx than the 0.8.33 built above.
#ssl_protocols TLSv1.2 TLSv1.3;
##############################################
### We want full access to SSL via backend ###
location / {
### NOTE(review): the hop to the backend is encrypted, but nothing in this
### config verifies the backend certificate - confirm the LAN path is trusted.
proxy_pass https://192.168.26.48;
### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
### Set headers ####
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
### Most PHP, Python, Rails, Java App can use this header ###
proxy_set_header X-Forwarded-Proto https;
## PROXY - Web
location / {
## NOTE(review): this second backend is reached over plain HTTP, and caching
## with Expires/Cache-Control ignored stores responses the backend marked
## private or no-cache for up to 24h; on an HTTPS site that usually means
## per-user pages can be served to other clients - confirm before enabling.
proxy_pass http://192.168.26.42;
proxy_cache cache;
proxy_cache_valid 200 24h;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_ignore_headers Expires Cache-Control;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
## HTTPS virtual host for subdomain.domain.net: terminates TLS on the proxy and
## forwards every request to the backend over HTTPS, without caching.
server {
### server port and name ###
listen 443;
server_name subdomain.domain.net;
### SSL log files ###
access_log logs/ssl-access.log;
error_log logs/ssl-error.log;
### SSL cert files ###
### Keep the private key file readable by root only. ###
ssl on;
ssl_certificate ssl/subdomain.domain.net;
ssl_certificate_key ssl/subdomain.domain.net.key;
### Add SSL specific settings here ###
keepalive_timeout 60;
### Limiting Ciphers ########################
# Uncomment as per your setup
#ssl_ciphers HIGH:!ADH;
#ssl_prefer_server_ciphers on;
# SSLv3 is a broken protocol and must not be enabled. Offer only the TLS
# versions your nginx/OpenSSL build supports; the current ones need a far more
# recent nginx than the 0.8.33 built above.
#ssl_protocols TLSv1.2 TLSv1.3;
##############################################
### We want full access to SSL via backend ###
location / {
### NOTE(review): the hop to the backend is encrypted, but nothing in this
### config verifies the backend certificate - confirm the LAN path is trusted.
proxy_pass https://192.168.26.46;
### force timeouts if one of backend is died ##
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
### Set headers ####
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
### Appends the client address to any X-Forwarded-For the client sent;
### backends should rely on X-Real-IP or the last entry only.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
### Most PHP, Python, Rails, Java App can use this header ###
proxy_set_header X-Forwarded-Proto https;
### By default we don't want to redirect it ####
proxy_redirect off;
}
}
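## Use the binary path that matches your build: /usr/local/sbin/nginx when
## configured with --sbin-path=/usr/local/sbin, /usr/local/nginx/sbin/nginx
## with the default prefix layout.
## Test the configuration file before starting or reloading (the original line
## used an en dash instead of "-" and carried its description as arguments).
# /usr/local/sbin/nginx -t
## Apply a changed configuration to a running nginx.
# /usr/local/sbin/nginx -s reload
## Start nginx.
# /usr/local/sbin/nginx
## Stop nginx by asking the master process to shut down gracefully; SIGKILL
## gives it no chance to finish in-flight requests or clean up.
# /usr/local/sbin/nginx -s quit
# /usr/local/sbin/nginx
# /usr/local/nginx/sbin/nginx
## Confirm that nginx is listening.
# netstat -tulpn | grep :80
## Start nginx at boot; the path written here must be the installed binary.
# echo ' /usr/local/nginx/sbin/nginx' >> /etc/rc.local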
Keepalived
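## Build keepalived from source and hook its init script into runlevel 3.
## (Shell-history numbers that had been pasted in front of the commands are
## removed so the lines can be copied as they are.)
# cd /opt
## The tarball is downloaded over plain HTTP with no integrity check, and
## 1.1.19 is an old release. Prefer a currently maintained version and verify
## the archive against a checksum or signature obtained over a trusted channel
## before building it as root.
# wget http://www.keepalived.org/software/keepalived-1.1.19.tar.gz
# tar -zxvf keepalived-1.1.19.tar.gz
# cd keepalived-1.1.19
## Kernel headers must match the running kernel for the configure step below.
# yum -y install kernel-headers kernel-devel
# ./configure --with-kernel-dir=/lib/modules/$(uname -r)/build
# make && make install
# cd /etc/sysconfig
# ln -s /usr/local/etc/sysconfig/keepalived .
# cd /etc/rc3.d/
# ln -s /usr/local/etc/rc.d/init.d/keepalived S100keepalived
# cd /etc/init.d/
# ln -s /usr/local/etc/rc.d/init.d/keepalived .
# cd /usr/local/etc/keepalived
## Keep the shipped sample configuration before editing.
# cp keepalived.conf keepalived.conf.bak
# vi keepalived.conf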
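# VRRP instance that holds the shared virtual IP 192.168.26.47 on eth0.
vrrp_instance VI_1 {
    interface eth0
    state MASTER
    virtual_router_id 51
    # The node with the higher priority holds the virtual IP: use 101 here and
    # 100 on lb1 (the second, failover machine). The original note was written
    # inline after the value, which is not valid configuration syntax.
    priority 101
    authentication {
        auth_type PASS
        # Replace the placeholder with your own secret, identical on both
        # nodes. PASS authentication travels unencrypted in VRRP advertisements
        # and keepalived uses only the first 8 characters, so treat it as a
        # guard against misconfiguration, keep VRRP on a trusted segment, and
        # keep this file readable by root only.
        auth_pass Add-Your-Password-Here
    }
    virtual_ipaddress {
        192.168.26.47 dev eth0:1
    }
}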