For many of the websites I work on, we have to secure different parts of the site. The simple first approach would be to blanket the whole site with SSL. This really isn't ideal for the user or for performance: SSL puts more burden on the user's browser as well as on our web servers. For these reasons, it makes sense to secure only as much as is absolutely necessary. For example, when the user sends their authentication credentials, it's important to secure the form POST. It is not necessary to secure the HTML form where the user types their credentials, since that information is already local to the user's browser. In this sense, you can avoid securing the /login page and instead secure the /authenticate POST. Then, depending on whether the information the user has authenticated to view is private, decide whether to SSL-encrypt it. All of this, of course, assumes that the majority of the data each user views is public.
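A check that this split depends on, added here as an example and not taken from the post: with /login served over plain HTTP, the form must name an absolute https:// action, because a relative action inherits the page's scheme and the /authenticate POST would go out unencrypted. The host example.com and the sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScan(HTMLParser):
    """Record [action, has_password_field] for each <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
            self.in_form = True
        elif tag == "input" and self.in_form:
            if (a.get("type") or "").lower() == "password":
                self.forms[-1][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def cleartext_credential_posts(page_url, html):
    """Resolved targets of password forms that would not submit over https."""
    scan = FormScan()
    scan.feed(html)
    scan.close()
    bad = []
    for action, has_password in scan.forms:
        # A relative or empty action inherits the scheme of the page itself.
        target = urljoin(page_url, action)
        if has_password and urlsplit(target).scheme != "https":
            bad.append(target)
    return bad


# Constructed sample markup; example.com is a placeholder host.
RELATIVE = ('<form method="post" action="/authenticate">'
            '<input name="user"><input type="password" name="pass"></form>')
ABSOLUTE = RELATIVE.replace('"/authenticate"',
                            '"https://example.com/authenticate"')

if __name__ == "__main__":
    print(cleartext_credential_posts("http://example.com/login", RELATIVE))
    print(cleartext_credential_posts("http://example.com/login", ABSOLUTE))
```

The scan only reads static markup, so a form whose action is set by script needs a separate look.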
Software nginx, ssl
I was getting quite a bit of traffic on another WordPress site I've been running. I had Apache running PHP and this started to become an issue. I could upgrade the hardware, but it didn't seem right – because really it's not that much traffic… So, I decided to see if I could put nginx in front of Apache. Here's what I have now, and it's working out pretty well with the help of one little note from Millarian.
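    location / {
        index index.html index.htm;
        proxy_redirect off;
        # pass the original Host header and client address on to apache;
        # http://apache below refers to an upstream (or host name) not shown here
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # anything that is not a GET goes to apache
        if ($request_method != GET) {
            proxy_pass http://apache;
            break;
        }

        # PHP goes to apache (case-insensitive, unanchored match on the file path)
        if ($request_filename ~* .*\.php) {
            proxy_pass http://apache;
            break;
        }

        # check if the file exists and serve it
        if (-f $request_filename) {
            access_log off;
            expires 10d;
            break;
        }

        # everything else (no such file on disk) goes to apache
        if (!-f $request_filename) {
            proxy_pass http://apache;
            break;
        }
    }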
Now all static files are served directly by nginx. Dynamic requests are passed to Apache. I was also able to reduce the value of MaxClients on the server to avoid running out of memory. MaxClients in Apache controls the number of server processes allowed to start. With PHP running, each Apache process can be as large as 30 – 60 megs. In Fedora Core, this value is set to 256 by default.
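Since any existing non-PHP file is now answered by nginx, Apache's per-directory rules (.htaccess and the like) are never consulted for it. The following added example, not code from the post, models the if-chain above and lists files in a document root that nginx would hand out directly and that look like things an Apache setup usually protects. The list of sensitive name patterns and the sample file names are assumptions made for the example.

```python
import os
import re
import tempfile

# Mirrors the test in the location block: if ($request_filename ~* .*\.php)
PHP_RE = re.compile(r".*\.php", re.IGNORECASE)
# Assumed patterns (not from the post): dotfiles, backups, dumps, logs.
SENSITIVE_RE = re.compile(r"^\.|\.(bak|old|orig|sql|inc|log)$|~$", re.IGNORECASE)


def route(method, request_filename):
    """Return 'apache' or 'nginx', following the if-chain top to bottom."""
    if method != "GET":
        return "apache"      # non-GET requests are always proxied
    if PHP_RE.search(request_filename):
        return "apache"      # unanchored match: foo.php.bak is proxied too
    if os.path.isfile(request_filename):
        return "nginx"       # -f: existing regular file, served statically
    return "apache"          # !-f: missing file or a directory


def exposed_static_files(docroot):
    """Sensitive-looking files nginx would answer without asking Apache."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if route("GET", path) == "nginx" and SENSITIVE_RE.search(name):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)


def demo():
    """Run the audit over a constructed sample document root."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("index.php", "wp-config.php.bak", ".htaccess",
                    "wp-content/style.css", "wp-content/dump.sql",
                    "wp-content/uploads/.htpasswd"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return exposed_static_files(root)


if __name__ == "__main__":
    print(demo())
```

Pointing exposed_static_files() at the real document root gives the list of paths that need an explicit deny rule on the nginx side, or need to be moved out of the web root.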
Software apache, nginx, wordpress
Well now isn’t this nice…
nginx.spec
Summary: nginx 'engine x' is a HTTP server and mail proxy server
Name: nginx
Version: 0.6.30
Release: 1
Source0: %{name}-%{version}.tar.gz
License: MIT
Group: Applications/Internet
Buildroot: %{_tmppath}/%{name}-%{version}-root
Requires: bash

%description
nginx has been running for more than three years on many heavily loaded Russian sites including Rambler (RamblerMedia.com).
In March 2007 about 20% of all Russian virtual hosts were served or proxied by nginx.
According to Google Online Security Blog year ago nginx served or proxied about 4% of all Internet virtual hosts, although Netcraft showed much less percent.
According to Netcraft in March 2008 nginx served or proxied 1 million virtual hosts.

%prep
%setup -q

%build
./configure --prefix=/opt/local/
make

%install
rm -rf $RPM_BUILD_ROOT/opt/local/
make DESTDIR=$RPM_BUILD_ROOT install
mkdir -p $RPM_BUILD_ROOT/opt/local/conf/vhosts
touch $RPM_BUILD_ROOT/opt/local/conf/vhosts/blank.conf

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root)
/opt/local/sbin/nginx
/opt/local/logs
%doc /opt/local/html
%doc /opt/local/conf
auto/install
# Copyright (C) Igor Sysoev

# Lines inside the here-documents are written to the Makefile as-is,
# so every recipe line must start with a tab. \$(DESTDIR) is escaped so
# that make, not this script, expands it at install time.

if [ $USE_PERL = YES ]; then

    cat << END >> $NGX_MAKEFILE

install_perl_modules:
	cd $NGX_OBJS/src/http/modules/perl && make install
END

    NGX_INSTALL_PERL_MODULES=install_perl_modules

fi

cat << END >> $NGX_MAKEFILE

install: $NGX_OBJS${ngx_dirsep}nginx${ngx_binext} \
		$NGX_INSTALL_PERL_MODULES
	test -d '\$(DESTDIR)$NGX_PREFIX' || mkdir -p '\$(DESTDIR)$NGX_PREFIX'
	test -d '\$(DESTDIR)`dirname "$NGX_SBIN_PATH"`' \
		|| mkdir -p '\$(DESTDIR)`dirname "$NGX_SBIN_PATH"`'
	test ! -f '\$(DESTDIR)$NGX_SBIN_PATH' || mv '\$(DESTDIR)$NGX_SBIN_PATH' '\$(DESTDIR)$NGX_SBIN_PATH.old'
	cp $NGX_OBJS/nginx '\$(DESTDIR)$NGX_SBIN_PATH'
	test -d '\$(DESTDIR)$NGX_CONF_PREFIX' || mkdir -p '\$(DESTDIR)$NGX_CONF_PREFIX'
	cp conf/koi-win '\$(DESTDIR)$NGX_CONF_PREFIX'
	cp conf/koi-utf '\$(DESTDIR)$NGX_CONF_PREFIX'
	cp conf/win-utf '\$(DESTDIR)$NGX_CONF_PREFIX'
	test -f '\$(DESTDIR)$NGX_CONF_PREFIX/mime.types' \
		|| cp conf/mime.types '\$(DESTDIR)$NGX_CONF_PREFIX'
	cp conf/mime.types '\$(DESTDIR)$NGX_CONF_PREFIX/mime.types.default'
	test -f '\$(DESTDIR)$NGX_CONF_PREFIX/fastcgi_params' \
		|| cp conf/fastcgi_params '\$(DESTDIR)$NGX_CONF_PREFIX'
	cp conf/fastcgi_params '\$(DESTDIR)$NGX_CONF_PREFIX/fastcgi_params.default'
	test -f '\$(DESTDIR)$NGX_CONF_PATH' || cp conf/nginx.conf '\$(DESTDIR)$NGX_CONF_PREFIX'
	cp conf/nginx.conf '\$(DESTDIR)$NGX_CONF_PREFIX/nginx.conf.default'
	test -d '\$(DESTDIR)`dirname "$NGX_PID_PATH"`' \
		|| mkdir -p '\$(DESTDIR)`dirname "$NGX_PID_PATH"`'
	test -d '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`' || \
		mkdir -p '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`'
	test -d '\$(DESTDIR)$NGX_PREFIX/html' || cp -r html '\$(DESTDIR)$NGX_PREFIX'
END

# Test the configured path itself: with the literal \$(DESTDIR) prefix in
# front of it the string is never empty and the check is always true.
if test -n "$NGX_ERROR_LOG_PATH"; then
    cat << END >> $NGX_MAKEFILE
	test -d '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`' || \
		mkdir -p '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`'
END
fi
Software nginx, rpm