<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Idle Hacking &#187; nginx</title>
	<atom:link href="http://www.idle-hacking.com/tag/nginx/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.idle-hacking.com</link>
	<description>Ruby, XUL/Javascript, C/C++, and more...</description>
	<lastBuildDate>Tue, 11 May 2010 02:15:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Configuring nginx to secure specific URLs</title>
		<link>http://www.idle-hacking.com/2009/01/configuring-nginx-to-secure-specific-urls/</link>
		<comments>http://www.idle-hacking.com/2009/01/configuring-nginx-to-secure-specific-urls/#comments</comments>
		<pubDate>Sat, 31 Jan 2009 18:14:12 +0000</pubDate>
		<dc:creator>taf2</dc:creator>
				<category><![CDATA[Software]]></category>
		<category><![CDATA[nginx]]></category>
		<category><![CDATA[ssl]]></category>

		<guid isPermaLink="false">http://www.idle-hacking.com/?p=550</guid>
		<description><![CDATA[For many of the websites I work on we have to secure different parts of the website.  The initial and simple approach would be to blanket the whole site with SSL.   This really isn&#8217;t ideal, for the user or for performance.  SSL puts more burden on the user&#8217;s browser as well as our web servers.   [...]]]></description>
			<content:encoded><![CDATA[<p>For many of the websites I work on we have to secure different parts of the website.  The initial and simple approach would be to blanket the whole site with <abbr title="Secure Socket Layer">SSL</abbr>.  This really isn&#8217;t ideal, for the user or for performance.  SSL puts more burden on the user&#8217;s browser as well as our web servers.  For these reasons, it makes sense to secure only as much as is absolutely necessary.  For example, when the user sends their authentication credentials, it&#8217;s important to secure the form POST.  It is <strong>not</strong> necessary to secure the HTML form where the user types their credentials, since that information is already local to the user&#8217;s browser.  In this sense, you can avoid securing the /login page and instead secure the /authenticate POST.  Then, depending on whether the information the user has authenticated to view is private, decide whether to encrypt it with SSL.  This all, of course, assumes that the majority of the data each user views is public.<br />
<span id="more-550"></span><br />
Back to some of the common cases for the last few sites I&#8217;ve worked on.  We had an /admin area of the site and a public area of the site.  For users logging in, we secure the POST /admin/verify, but after that we want them to be redirected back to normal HTTP.  We also don&#8217;t want normal users coming to the public site using HTTPS inadvertently.  Trying to access the site using HTTPS will redirect users back to HTTP.  One could argue that for the appearance of security it&#8217;s a good idea to serve the login page using SSL.  I think this is a fine argument, but also think that is really an issue of usability research, not security&#8230;</p>
<p>To run a secure SSL-enabled nginx you need to set up two virtual hosts: one to serve content using HTTPS and the normal one to serve content using HTTP.  There are many good tutorials on <a href="http://www.google.com/search?hl=en&amp;fkt=1180&amp;fsdt=2824&amp;q=nginx+ssl&amp;btnG=Google+Search&amp;aq=f&amp;oq=&amp;aqi=g10">how to do this.</a> What I had a hard time finding was details on how to control the redirects for specific request paths.  Here&#8217;s how we were able to configure the sites to force HTTP in the normal cases and force HTTPS for the special cases.</p>
<pre>
server {
  # "listen 443 ssl" enables SSL on this socket (replaces the deprecated "ssl on;")
  listen     443 ssl;
  server_name  clientsite1.com;
  ssl_certificate     /etc/nginx/certs/client1.crt;
  ssl_certificate_key /etc/nginx/private/client1.key;

  location /admin/verify {
    index  index.html index.htm;
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://client1;
  }
  location / {
    rewrite ^/(.*) http://clientsite1.com/$1 permanent;
  }
}
server {
  listen     80;
  server_name  clientsite1.com;
  location / {
    rewrite ^/admin/verify(.*) https://clientsite1.com/admin/verify$1 permanent;
    # the usual proxy configuration goes here...
  }
}</pre>
<p>When a user requests /admin/verify over HTTP, the request is matched by the single rewrite in the / location block of the virtual host listening on port 80 and redirected to HTTPS.  When the redirected request for /admin/verify arrives at the virtual host listening on port 443, that host proxies the request to our upstream server.  Any request to the 443 server that is not matched by a location block listed before location / is redirected back to the HTTP host.  You have to be careful not to get the matches or rewrites mixed up, or you may end up in a never-ending redirect loop.  Otherwise, this solution works great for controlling SSL and non-SSL parts of a website.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idle-hacking.com/2009/01/configuring-nginx-to-secure-specific-urls/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Nginx and wordpress with apache</title>
		<link>http://www.idle-hacking.com/2008/12/nginx-and-wordpress-with-apache/</link>
		<comments>http://www.idle-hacking.com/2008/12/nginx-and-wordpress-with-apache/#comments</comments>
		<pubDate>Thu, 11 Dec 2008 19:21:44 +0000</pubDate>
		<dc:creator>taf2</dc:creator>
				<category><![CDATA[Software]]></category>
		<category><![CDATA[apache]]></category>
		<category><![CDATA[nginx]]></category>
		<category><![CDATA[wordpress]]></category>

		<guid isPermaLink="false">http://www.idle-hacking.com/?p=528</guid>
		<description><![CDATA[I was getting quite a bit of traffic on another wordpress site I&#8217;ve been running.  I had apache running php and this started to become an issue.  I could upgrade the hardware, but it didn&#8217;t seem right &#8211; because really it&#8217;s not that much traffic&#8230;  So, I decided to see if I could put nginx [...]]]></description>
			<content:encoded><![CDATA[<p>I was getting quite a bit of traffic on another wordpress site I&#8217;ve been running.  I had apache running php and this started to become an issue.  I could upgrade the hardware, but it didn&#8217;t seem right &#8211; because really it&#8217;s not that much traffic&#8230;  So, I decided to see if I could put nginx in front of apache.  Here&#8217;s what I have now and it&#8217;s working out pretty well with the help of one little note from <a title="Nginx and wordpress with apache" href="http://millarian.com/2008/9/5/nginx-405-not-allowed-error" target="_blank">Millarian</a>.</p>
<pre>  location / {
    index  index.html index.htm;

    proxy_redirect     off;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

    if ($request_method != GET) {
      proxy_pass http://apache;
      break;
    }

    if ( $request_filename ~* .*\.php) {
      proxy_pass http://apache;
      break;
    }

    # check if the file exists and serve it
    if (-f $request_filename) {
      access_log    off;
      expires       10d;

      break;
    }

    if (!-f $request_filename) {
      proxy_pass http://apache;
      break;
    }
  }</pre>
<p>Now all static files are served directly by nginx.  Dynamic requests are passed to apache.  I was also able to reduce the value of MaxClients on the server to avoid running out of memory.  MaxClients in apache controls the number of server processes allowed to start.  With PHP running, each apache process can be as large as 30 &#8211; 60 megs.  In Fedora Core, MaxClients is set to 256 by default.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.idle-hacking.com/2008/12/nginx-and-wordpress-with-apache/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>nginx rpms</title>
		<link>http://www.idle-hacking.com/2008/05/nginx-rpms/</link>
		<comments>http://www.idle-hacking.com/2008/05/nginx-rpms/#comments</comments>
		<pubDate>Wed, 07 May 2008 12:24:00 +0000</pubDate>
		<dc:creator>taf2</dc:creator>
				<category><![CDATA[Software]]></category>
		<category><![CDATA[nginx]]></category>
		<category><![CDATA[rpm]]></category>

		<guid isPermaLink="false">http://www.idle-hacking.com/2008/05/nginx-rpms/</guid>
		<description><![CDATA[Well now isn&#8217;t this nice&#8230; nginx.spec Summary: nginx 'engine x' is a HTTP server and mail proxy server Name: nginx Version: 0.6.30 Release: 1 Source0: %{name}-%{version}.tar.gz License: MIT Group: Applications/Internet Buildroot: %{_tmppath}/%{name}-%{version}-root Requires: bash %description nginx has been running for more than three years on many heavily loaded Russian sites including Rambler (RamblerMedia.com). In March [...]]]></description>
			<content:encoded><![CDATA[<p>Well now isn&#8217;t this nice&#8230;</p>
<p>nginx.spec</p>
<pre lang="bash">Summary: nginx 'engine x' is a HTTP server and mail proxy server
Name: nginx
Version: 0.6.30
Release: 1
Source0: %{name}-%{version}.tar.gz
License: MIT
Group: Applications/Internet
Buildroot: %{_tmppath}/%{name}-%{version}-root
Requires: bash
%description
  nginx has been running for more than three years on many heavily loaded Russian sites including Rambler (RamblerMedia.com).
  In March 2007 about 20% of all Russian virtual hosts were served or proxied by nginx.
  According to Google Online Security Blog year ago nginx served or proxied about 4% of all Internet virtual hosts, although Netcraft showed much less percent.
  According to Netcraft in March 2008 nginx served or proxied 1 million virtual hosts.
%prep
%setup -q
%build
./configure --prefix=/opt/local/
make
%install
rm -rf $RPM_BUILD_ROOT/opt/local/
make DESTDIR=$RPM_BUILD_ROOT install
mkdir -p $RPM_BUILD_ROOT/opt/local/conf/vhosts
touch $RPM_BUILD_ROOT/opt/local/conf/vhosts/blank.conf
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
/opt/local/sbin/nginx
/opt/local/logs
%doc /opt/local/html
%doc /opt/local/conf</pre>
<p>auto/install</p>
<pre lang="bash">
# Copyright (C) Igor Sysoev

if [ $USE_PERL = YES ]; then

    cat &lt;&lt; END                                                &gt;&gt; $NGX_MAKEFILE

install_perl_modules:
  cd $NGX_OBJS/src/http/modules/perl &amp;&amp; make install
END

    NGX_INSTALL_PERL_MODULES=install_perl_modules

fi

cat &lt;&lt; END                                                    &gt;&gt; $NGX_MAKEFILE

install:  $NGX_OBJS${ngx_dirsep}nginx${ngx_binext}  \
    $NGX_INSTALL_PERL_MODULES
  test -d '\$(DESTDIR)$NGX_PREFIX' || mkdir -p '\$(DESTDIR)$NGX_PREFIX'

  test -d '\$(DESTDIR)`dirname "$NGX_SBIN_PATH"`' \
    || mkdir -p '\$(DESTDIR)`dirname "$NGX_SBIN_PATH"`'
  test ! -f '\$(DESTDIR)$NGX_SBIN_PATH' || mv '\$(DESTDIR)$NGX_SBIN_PATH' '\$(DESTDIR)$NGX_SBIN_PATH.old'
  cp $NGX_OBJS/nginx '\$(DESTDIR)$NGX_SBIN_PATH'

  test -d '\$(DESTDIR)$NGX_CONF_PREFIX' || mkdir -p '\$(DESTDIR)$NGX_CONF_PREFIX'

  cp conf/koi-win '\$(DESTDIR)$NGX_CONF_PREFIX'
  cp conf/koi-utf '\$(DESTDIR)$NGX_CONF_PREFIX'
  cp conf/win-utf '\$(DESTDIR)$NGX_CONF_PREFIX'

  test -f '\$(DESTDIR)$NGX_CONF_PREFIX/mime.types' \
    || cp conf/mime.types '\$(DESTDIR)$NGX_CONF_PREFIX'
  cp conf/mime.types '\$(DESTDIR)$NGX_CONF_PREFIX/mime.types.default'

  test -f '\$(DESTDIR)$NGX_CONF_PREFIX/fastcgi_params' \
    || cp conf/fastcgi_params '\$(DESTDIR)$NGX_CONF_PREFIX'
  cp conf/fastcgi_params '\$(DESTDIR)$NGX_CONF_PREFIX/fastcgi_params.default'

  test -f '\$(DESTDIR)$NGX_CONF_PATH' || cp conf/nginx.conf '\$(DESTDIR)$NGX_CONF_PREFIX'
  cp conf/nginx.conf '\$(DESTDIR)$NGX_CONF_PREFIX/nginx.conf.default'

  test -d '\$(DESTDIR)`dirname "$NGX_PID_PATH"`' \
    || mkdir -p '\$(DESTDIR)`dirname "$NGX_PID_PATH"`'

  test -d '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`' || \
    mkdir -p '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`'

  test -d '\$(DESTDIR)$NGX_PREFIX/html' || cp -r html '\$(DESTDIR)$NGX_PREFIX'
END

if test -n "$NGX_ERROR_LOG_PATH"; then
    cat &lt;&lt; END                                                &gt;&gt; $NGX_MAKEFILE

  test -d '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`' || \
    mkdir -p '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`'
END

fi</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.idle-hacking.com/2008/05/nginx-rpms/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>
