Sunday, July 31, 2011

Install Reverse Proxy Using NGNIX

=====
Install Reverse Proxy Using NGNIX
=====

# yum -y groupremove "X Window System"
# x=$(yum list installed | egrep -i 'php|httpd|mysql|bind|dhclient|tftp|inetd|xinetd|ypserv|telnet-server|rsh-server|vsftpd|tcsh' | awk '{ print $1}')
# yum -y remove $x
# yum -y install bind-utils sysstat openssl-devel.x86_64 pcre-devel.x86_64 openssl097a.x86_64
# /usr/sbin/authconfig --passalgo=sha512 --update
# passwd root

# useradd nginx

# cd /opt
# wget http://sysoev.ru/nginx/nginx-0.8.33.tar.gz

# tar -zxvf nginx-0.8.33.tar.gz
# cd nginx-0.8.33

For with out ssl

# ./configure --without-http_autoindex_module --without-http_ssi_module --without-http_userid_module --without-http_auth_basic_module --without-http_geo_module --without-http_fastcgi_module --without-http_empty_gif_module --with-openssl=/lib64

=====For ssl ====

./configure --prefix=/usr/local/nginx --sbin-path=/usr/local/sbin --with-debug --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --without-http_userid_module --without-http_auth_basic_module --without-http_geo_module --without-http_fastcgi_module --without-http_empty_gif_module

====

Sample outputs:

======

....

nginx path prefix: "/usr/local/nginx"

nginx binary file: "/usr/local/nginx/sbin/nginx"

nginx configuration prefix: "/usr/local/nginx/conf"

nginx configuration file: "/usr/local/nginx/conf/nginx.conf"

nginx pid file: "/usr/local/nginx/logs/nginx.pid"

nginx error log file: "/usr/local/nginx/logs/error.log"

nginx http access log file: "/usr/local/nginx/logs/access.log"

nginx http client request body temporary files: "client_body_temp"

nginx http proxy temporary files: "proxy_temp"

nginx http fastcgi temporary files: "fastcgi_temp"

...

# make
# make install

#cd /usr/local/nginx/conf

#mv –rp nginx.conf nginx.conf.org

============================================

[root@revproxy conf]# vi nginx.conf

pid logs/nginx.pid;

user nginx nginx;

worker_processes 10;


events {

worker_connections 1024;

}


http {

default_type application/octet-stream;


## Common options ##

include options.conf;


## Proxy settings ##

include proxy.conf;


## lb domains ##

include domain.net.conf;

}


# root@revproxy conf]# vi options.conf

## Size Limits

client_body_buffer_size 128K;

client_header_buffer_size 1M;

client_max_body_size 1M;

large_client_header_buffers 8 8k;


## Timeouts

client_body_timeout 60;

client_header_timeout 60;

expires 24h;

keepalive_timeout 60 60;

send_timeout 60;


## General Options

ignore_invalid_headers on;

keepalive_requests 100;

limit_zone gulag $binary_remote_addr 5m;

recursive_error_pages on;

sendfile on;

server_name_in_redirect off;

server_tokens off;


## TCP options

tcp_nodelay on;

tcp_nopush on;


## Compression

gzip on;

gzip_buffers 16 8k;

gzip_comp_level 6;

gzip_http_version 1.0;

gzip_min_length 0;

gzip_types text/plain text/css image/x-icon application/x-perl application/x-httpd-cgi;

gzip_vary on;

## Log Format

log_format main '$remote_addr $host $remote_user [$time_local] "$request" '

'$status $body_bytes_sent "$http_referer" "$http_user_agent" '

'"$gzip_ratio"';

[root@revproxy conf]# vi proxy.conf

## Proxy caching options

proxy_buffering on;

proxy_cache_min_uses 3;

proxy_cache_path /usr/local/nginx/proxy_temp/ levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000M;

proxy_cache_valid any 10m;

proxy_ignore_client_abort off;

proxy_intercept_errors on;

proxy_next_upstream error timeout invalid_header;

proxy_redirect off;

proxy_set_header X-Forwarded-For $remote_addr;

proxy_connect_timeout 60;

proxy_send_timeout 60;

proxy_read_timeout 60;

[root@revproxy conf]# vi domain.net.conf

## Connect to backend servers via LAN ##

## Reverse Proxy Load Balancer Logic ##

upstream domain {

server 192.168.26.39 weight=10 max_fails=3 fail_timeout=30s;

server 192.168.26.42 weight=10 max_fails=3 fail_timeout=30s;

# only comes alive when above two fails

server 192.168.1.23 weight=1 backup;

}


server {

access_log logs/access.log main;

error_log logs/error.log;

index index.html;

root /usr/local/nginx/html;

server_name subdomain.domain.net www.subdomain.domain.net;


## Only requests to our Host are allowed

if ($host !~ ^(subdomain.domain.net|www.subdomain.domain.net)$ ) {

return 444;

}


## redirect www to nowww

# if ($host = 'www.subdomain.domain.net' ) {

# rewrite ^/(.*)$ http://subdomain.domain.net/$1 permanent;

# }


## Only allow these request methods

if ($request_method !~ ^(GET|HEAD|POST)$ ) {

return 444;

}


## PROXY - Web

location / {

proxy_pass http://192.168.26.39;

proxy_cache cache;

proxy_cache_valid 200 24h;

proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;

proxy_ignore_headers Expires Cache-Control;


proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

# redirect server error pages to the static page /50x.html

error_page 500 502 503 504 /50x.html;

location = /50x.html {

root html;

}

}


server {

access_log logs/access.log main;

error_log logs/error.log;

index index.html;

root /usr/local/nginx/html;

server_name revpro3.domain.net www.subdomain.domain.net.net;


## Only requests to our Host are allowed

if ($host !~ ^(subdomain.domain.net|www.subdomain.domain.net)$ ) {

return 444;

}


## redirect www to nowww

# if ($host = 'www.subdomain.domain.net' ) {

# rewrite ^/(.*)$ http://subdomain.domain.net/$1 permanent;

# }


## Only allow these request methods

if ($request_method !~ ^(GET|HEAD|POST)$ ) {

return 444;

}

# redirect server error pages to the static page /50x.html

error_page 500 502 503 504 /50x.html;

location = /50x.html {

root html;

}

}



server {

### server port and name ###

listen 443;

server_name subdomain.domain.net;


### SSL log files ###

access_log logs/ssl-access.log;

error_log logs/ssl-error.log;


### SSL cert files ###

ssl on;

ssl_certificate ssl/star_domain_com.crt;

ssl_certificate_key ssl/domain.com.key;

### Add SSL specific settings here ###

keepalive_timeout 60;


### Limiting Ciphers ########################

# Uncomment as per your setup

#ssl_ciphers HIGH:!ADH;

#ssl_perfer_server_ciphers on;

#ssl_protocols SSLv3;

##############################################

### We want full access to SSL via backend ###

location / {

proxy_pass https://192.168.26.48;

### force timeouts if one of backend is died ##

proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;


### Set headers ####

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


### Most PHP, Python, Rails, Java App can use this header ###

proxy_set_header X-Forwarded-Proto https;



## PROXY - Web

location / {

proxy_pass http://192.168.26.42;

proxy_cache cache;

proxy_cache_valid 200 24h;

proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;

proxy_ignore_headers Expires Cache-Control;


proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

}

server {

### server port and name ###

listen 443;

server_name subdomain.domain.net;


### SSL log files ###

access_log logs/ssl-access.log;

error_log logs/ssl-error.log;


### SSL cert files ###

ssl on;

ssl_certificate ssl/subdomain.domain.net;

ssl_certificate_key ssl/subdomain.domain.net.key;

### Add SSL specific settings here ###

keepalive_timeout 60;


### Limiting Ciphers ########################

# Uncomment as per your setup

#ssl_ciphers HIGH:!ADH;

#ssl_perfer_server_ciphers on;

#ssl_protocols SSLv3;

##############################################

### We want full access to SSL via backend ###

location / {

proxy_pass https://192.168.26.46;

### force timeouts if one of backend is died ##

proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;


### Set headers ####

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


### Most PHP, Python, Rails, Java App can use this header ###

proxy_set_header X-Forwarded-Proto https;


### By default we don't want to redirect it ####

proxy_redirect off;

}

}


# /usr/local/sbin/nginx –t test conffile

# /usr/local/sbin/nginx -s reload

# /usr/local/sbin/nginx

# pkill -9 nginx

# /usr/local/sbin/nginx


# /usr/local/nginx/sbin/nginx
# netstat -tulpn | grep :80
# echo ' /usr/local/nginx/sbin/nginx' >> /etc/rc.local



Keelpalivd

# cd /opt
# wget http://www.keepalived.org/software/keepalived-1.1.19.tar.gz
# tar -zxvf keepalived-1.1.19.tar.gz
# cd keepalived-1.1.19

# yum -y install kernel-headers kernel-devel

388 ./configure --with-kernel-dir=/lib/modules/$(uname -r)/build

389 make && make install

390 cd /etc/sysconfig

391 ln -s /usr/local/etc/sysconfig/keepalived .

392 cd /etc/rc3.d/

393 ln -s /usr/local/etc/rc.d/init.d/keepalived S100keepalived

394 cd /etc/init.d/

395 ln -s /usr/local/etc/rc.d/init.d/keepalived .

396 cd /usr/local/etc/keepalived

397 cp keepalived.conf keepalived.conf.bak

vi keepalived.conf

vrrp_instance VI_1 {

interface eth0

state MASTER

virtual_router_id 51

priority 101 --- should set 100 in lb1(second failover mechine)

authentication {

auth_type PASS

auth_pass Add-Your-Password-Here

}

virtual_ipaddress {

192.168.26.47 dev eth0:1

}

}


Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)