Improving the security of the web application stack (LAMP virtualization, step 6/6)

Original author: Vivek Gite

Configure and use nginx

We are completing the translation of the series of articles on cyberciti.biz dedicated to virtualization of the LAMP stack. The final article covers installing and configuring the nginx reverse proxy.

nginx is an open-source product that is used not only as a web server or reverse proxy. Because it is lightweight and frugal with resources, it is also used as a load balancer (anything from dumb round-robin to something more intelligent, but the details are hazy. Translator's note) and/or as a proxy for exposing the virtual network services set up in the previous articles of the series through a single external host address, for example IP 202.54.1.1 (as in the earlier examples).

In this article we will see how to install nginx as a reverse proxy in front of the Apache + php5 server with the domain name www.example.com and the Lighttpd static server, which in our example is called static.example.com. All configuration is done exclusively on the virtual server vm00 with the IP address 192.168.1.1.

DNS setup

Make sure that both www.example.com and static.example.com point to the IP address 192.168.1.1.

Install nginx server

Enter the following console commands to install nginx:
$ cd /tmp
$ wget http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm
# rpm -iv nginx-release-rhel-6-0.el6.ngx.noarch.rpm
# yum install nginx

Example response in the server console:
Loaded plugins: rhnplugin
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nginx.x86_64 0:1.2.1-1.el6.ngx will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================
 Package      Arch          Version                   Repository    Size
=========================================================================
Installing:
 nginx        x86_64        1.2.1-1.el6.ngx           nginx        331 k
Transaction Summary
=========================================================================
Install       1 Package(s)
Total download size: 331 k
Installed size: 730 k
Is this ok [y/N]: y
Downloading Packages:
nginx-1.2.1-1.el6.ngx.x86_64.rpm                  | 331 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : nginx-1.2.1-1.el6.ngx.x86_64                          1/1
----------------------------------------------------------------------
Thanks for using nginx!
Check out our community web site:
* http://nginx.org/en/support.html
If you have questions about commercial support for nginx please visit:
* http://www.nginx.com/support.html
----------------------------------------------------------------------
  Verifying  : nginx-1.2.1-1.el6.ngx.x86_64                          1/1
Installed:
  nginx.x86_64 0:1.2.1-1.el6.ngx
Complete!


Configuring the nginx web server as a reverse proxy

Edit the file /etc/nginx/conf.d/default.conf:
# vi /etc/nginx/conf.d/default.conf

Add the following lines, or change the existing ones to match:
## Main reverse proxy server ##
## Apache (vm02): script server for www.example.com ##
upstream apachephp  {
      server 192.168.1.11:80; #Apache1
}
## Lighttpd (vm01): static server for static.example.com ##
upstream lighttpd  {
      server 192.168.1.10:80; #Lighttpd1
}
## Start of www.example.com settings ##
server {
    listen       202.54.1.1:80;
    server_name  www.example.com;
    access_log  /var/log/nginx/log/www.example.access.log  main;
    error_log  /var/log/nginx/log/www.example.error.log;
    root   /usr/share/nginx/html;
    index  index.html index.htm;
    ## forward requests to apache1 ##
    location / {
     proxy_pass  http://apachephp;
     proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
     proxy_redirect off;
     proxy_buffering off;
     proxy_set_header        Host            $host;
     proxy_set_header        X-Real-IP       $remote_addr;
     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
## End of www.example.com settings ##
## Start of static.example.com settings ##
server {
   listen      202.54.1.1:80;
   server_name static.example.com;
   access_log  /var/log/nginx/log/static.example.com.access.log  main;
   error_log   /var/log/nginx/log/static.example.com.error.log;
   root        /usr/local/nginx/html;
   index       index.html;
   location / {
        proxy_pass  http://lighttpd;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header        Host            static.example.com;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
## End of static.example.com settings ##
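The points that matter security-wise in the configuration above are easy to get wrong silently: a backend that is not on the internal network, a `listen` that is not pinned to the external IP (so the proxy also answers on eth1), a `proxy_pass` that names no defined upstream, and a proxied location that does not pass X-Real-IP / X-Forwarded-For (the Apache and Lighttpd logs would then show only 192.168.1.1 for every client). The following Python audit script is an added example, not code from the original article or from nginx; it embeds a constructed, condensed copy of the page's own config as sample input, parses only the brace/semicolon subset of nginx syntax, and returns one finding per deviation.

```python
"""Audit an nginx reverse-proxy config of the shape shown above (added example)."""
import ipaddress
import re

# Constructed sample: a condensed copy of the page's reverse-proxy configuration.
SAMPLE_CONF = """
upstream apachephp { server 192.168.1.11:80; }   # Apache1 (vm02)
upstream lighttpd  { server 192.168.1.10:80; }   # Lighttpd1 (vm01)
server {
    listen       202.54.1.1:80;
    server_name  www.example.com;
    location / {
        proxy_pass        http://apachephp;
        proxy_set_header  Host            $host;
        proxy_set_header  X-Real-IP       $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
server {
    listen      202.54.1.1:80;
    server_name static.example.com;
    location / {
        proxy_pass        http://lighttpd;
        proxy_set_header  Host            static.example.com;
        proxy_set_header  X-Real-IP       $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
"""


def parse(text):
    """Tiny parser for the brace/semicolon subset of nginx syntax.
    Returns a list of (name, args, children); children is None for plain directives."""
    text = re.sub(r"#.*", "", text)                     # drop comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)

    def block(i):
        items = []
        while i < len(tokens) and tokens[i] != "}":
            j = i
            while tokens[j] not in ("{", ";"):
                j += 1
            words = tokens[i:j]
            if tokens[j] == "{":
                children, j = block(j + 1)
                items.append((words[0], words[1:], children))
            else:
                items.append((words[0], words[1:], None))
            i = j + 1
        return items, i

    return block(0)[0]


def audit(conf, external_ip="202.54.1.1"):
    """Return a list of findings; an empty list means the config matches the intended layout."""
    findings = []
    tree = parse(conf)

    # 1. Backends must be private (internal-network) addresses.
    upstreams = {}
    for name, args, children in tree:
        if name == "upstream":
            upstreams[args[0]] = [c[1][0] for c in children if c[0] == "server"]
    for uname, servers in upstreams.items():
        for entry in servers:
            host = entry.rsplit(":", 1)[0]
            try:
                if not ipaddress.ip_address(host).is_private:
                    findings.append(f"upstream {uname}: backend {host} is not a private address")
            except ValueError:
                findings.append(f"upstream {uname}: backend {host} is not an IP literal")

    # 2. Each virtual host must bind the external IP explicitly, proxy to a known upstream,
    #    and pass the real client address through to the backend.
    for name, args, children in tree:
        if name != "server":
            continue
        plain = {c[0]: c[1] for c in children if c[2] is None}
        sname = plain.get("server_name", ["<unnamed>"])[0]
        listen = plain.get("listen", [""])[0]
        if not listen.startswith(external_ip + ":"):
            findings.append(f"{sname}: listen '{listen}' is not bound to {external_ip}")
        for lname, largs, lchildren in children:
            if lname != "location":
                continue
            headers, target = {}, None
            for d, dargs, _ in lchildren:
                if d == "proxy_set_header":
                    headers[dargs[0]] = dargs[1]
                elif d == "proxy_pass":
                    target = dargs[0]
            if target is None:
                continue
            if target.split("://", 1)[-1] not in upstreams:
                findings.append(f"{sname}: proxy_pass {target} names no defined upstream")
            for h in ("X-Real-IP", "X-Forwarded-For"):
                if h not in headers:
                    findings.append(f"{sname}: location {largs[0]} does not set {h}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

To run it against the real file, pass `open("/etc/nginx/conf.d/default.conf").read()` to `audit()`; the `external_ip` default is the article's 202.54.1.1. The parser does not understand `include` or quoted strings with braces, so feed it the single file shown above.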


Turn on nginx

Enter the following commands:
# chkconfig nginx on
# service nginx start


Configure the firewall

Configure the following firewall settings:
  • Deny all inbound / outbound connections by default (Drop all INPUT / OUTPUT by default)
  • We open only tcp ports 80 and 443 (202.54.1.1:80 and / or 443 for eth0 )
  • Set eth1 as the only trusted device in communications between nginx reverse proxy and Apache / Lighttpd servers


To set these parameters, perform the following steps:
# system-config-firewall-tui

You can also edit /etc/sysconfig/iptables manually and configure the firewall that way (read more in the article on cyberciti.biz).
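The three bullets above describe a policy rather than a ruleset. As an added example (not from the original article or cyberciti.biz), here is a Python function that renders the corresponding /etc/sysconfig/iptables file in iptables-restore format: every chain defaults to DROP, TCP 80/443 are accepted only on eth0 and only for the public IP, and the proxy may open HTTP connections only over eth1 and only to the two backend addresses used in the series. The interface names, addresses and ports are the article's; everything else is an assumption you should adapt.

```python
"""Render an /etc/sysconfig/iptables ruleset for the three-point policy above (added example)."""


def render_rules(external_ip, ext_if, int_if, backends, web_ports=(80, 443)):
    """Return iptables-restore text: default DROP on every chain, public web ports
    accepted only on ext_if for external_ip, HTTP to the backends only out of int_if.
    backends is a list of (ip, port) tuples."""
    dports = ",".join(str(p) for p in web_ports)
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        # Loopback and replies to connections we already accepted.
        "-A INPUT -i lo -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # Public web traffic: external interface only, destination pinned to the public IP.
        "-A INPUT -i %s -d %s -p tcp -m multiport --dports %s -m state --state NEW -j ACCEPT"
        % (ext_if, external_ip, dports),
    ]
    # nginx -> Apache/Lighttpd: only over the trusted internal interface, one rule per backend,
    # so a compromised proxy cannot reach anything else on the internal network.
    for ip, port in backends:
        lines.append("-A OUTPUT -o %s -d %s -p tcp --dport %d -m state --state NEW -j ACCEPT"
                     % (int_if, ip, port))
    # Rate-limited log of dropped inbound packets so misconfiguration shows up in /var/log/messages.
    lines.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: " --log-level 4')
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# Values from the article: public IP 202.54.1.1 on eth0, backends vm02/vm01 reached via eth1.
RULESET = render_rules("202.54.1.1", "eth0", "eth1",
                       [("192.168.1.11", 80), ("192.168.1.10", 80)])

if __name__ == "__main__":
    # Review the output, then load it with `iptables-restore < file`, or write it to
    # /etc/sysconfig/iptables and run `service iptables restart`.
    print(RULESET, end="")
```

Deliberately not covered, because the bullets do not mention them: outbound DNS and yum traffic and inbound ssh for administration, each of which needs its own explicit rule once everything defaults to DROP. Load the ruleset from a console session, not over ssh, until those are in place.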

/etc/sysctl.conf

Edit /etc/sysctl.conf as follows:
# Exec Shield
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# IPv4 settings
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Increase the system-wide file descriptor limit
fs.file-max = 50000
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Ipv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

Download the new Linux kernel settings with the following command:
# sysctl -p
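A setting in /etc/sysctl.conf is only a promise; a typo, a later package, or a kernel that does not expose the key (kernel.exec-shield exists only on RHEL/CentOS kernels) can leave the running value different. The following Python checker is an added example, not part of the original article: it parses sysctl.conf text against the baseline listed above and, separately, reads the live values from /proc/sys so drift between file and kernel shows up. The baseline dictionary is copied from the fragment above; the sample text in the test is constructed.

```python
"""Check /etc/sysctl.conf and the running kernel against the hardening values above (added example)."""
from pathlib import Path

# Baseline copied from the sysctl.conf fragment above: key -> expected value.
BASELINE = {
    "kernel.exec-shield": "1",
    "kernel.randomize_va_space": "1",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "fs.file-max": "50000",
    "net.ipv4.ip_local_port_range": "2000 65000",
    "net.ipv6.conf.default.router_solicitations": "0",
    "net.ipv6.conf.default.accept_ra_rtr_pref": "0",
    "net.ipv6.conf.default.accept_ra_pinfo": "0",
    "net.ipv6.conf.default.accept_ra_defrtr": "0",
    "net.ipv6.conf.default.autoconf": "0",
    "net.ipv6.conf.default.dad_transmits": "0",
    "net.ipv6.conf.default.max_addresses": "1",
}


def parse_sysctl(text):
    """Parse sysctl.conf syntax: 'key = value' lines, '#' or ';' comments, last wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = " ".join(value.split())   # normalise internal whitespace
    return settings


def check_file(text, baseline=BASELINE):
    """Return {key: value_found} for every baseline key that is missing (None) or wrong."""
    settings = parse_sysctl(text)
    return {k: settings.get(k) for k, v in baseline.items() if settings.get(k) != v}


def check_running(baseline=BASELINE, proc_root="/proc/sys"):
    """Same check against the live kernel via /proc/sys; keys the kernel does not expose
    (e.g. kernel.exec-shield outside RHEL kernels) are reported with value None."""
    drift = {}
    for key, expected in baseline.items():
        path = Path(proc_root, *key.split("."))
        try:
            actual = " ".join(path.read_text().split())
        except OSError:
            actual = None
        if actual != expected:
            drift[key] = actual
    return drift


if __name__ == "__main__":
    conf = Path("/etc/sysctl.conf")
    if conf.exists():
        print("file drift:   ", check_file(conf.read_text()))
    print("kernel drift: ", check_running())
```

Run it after `sysctl -p`; an empty dictionary for both means the file and the kernel agree with the baseline. Interface-specific keys such as net.ipv4.conf.eth0.rp_filter are not in the baseline and are not checked.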

For detailed information on these Linux kernel tuning directives, read the corresponding FAQ.

Nginx server security

See also the post "Top 20 nginx Web Server Security Practices". For additional material on nginx, reverse proxying and SSL settings, see the lesson materials:


Top LAMP stack security practices

  1. Encrypt communications: use ssh and VPNs when setting up your virtual machines, and use an scp / sftp client to upload files to the server;
  2. Do you really need all that junk installed on the web server? Avoid installing unnecessary software, which only invites compromise. Use the package manager (yum, apt-get and / or dpkg) to track installed software;
  3. Installing security updates is an essential part of maintaining a healthy Linux server. Linux provides all the software needed to keep the system up to date, and moving from one software version to the next is made as convenient as possible. All security-related updates should be tracked and installed as early as possible;
  4. Grant user accounts the least privilege they need. Do not hand out ssh access to your server left and right;
  5. Read also the articles on best practices for LAMP stack security on cyberciti.biz:



Conclusion

I hope this guide will be a good help when setting up virtual machines, and that the information is useful enough for you to start setting up your own web stack on your CentOS / RHEL server yourself.



From a translator:
There are about 50 external links to cyberciti website materials in this series of articles. For my part, it would not be very honest to leave readers face to face with the English text (otherwise, why would we read translations). The suggestion is this: here are the top links that are mentioned most often in the translated material:

And 36 more links mentioned more than 0 times:
www.php.net/array
www.cyberciti.biz/faq/mysql-user-creation
www.cyberciti.biz/tips/open-source-project-management-software.html
www.cyberciti.biz/faq/linux-demilitarized-zone-howto
www.cyberciti.biz/faq/restart-httpd
www.cyberciti.biz/faq/how-do-i-start-and-stop-nfs-service
www.cyberciti.biz/faq/rhel-centos-fedora-keepalived-lvs-cluster-configuration
www.cyberciti.biz/tips/linux-laptop.html
www.cyberciti.biz/faq/centos-fedora-rhel-iptables-open-nfs-server-ports
www.cyberciti.biz/faq/linux-install-and-start-apache-httpd
www.cyberciti.biz/faq/rhel-fedora-centos-linux-temporarily-switchoff-selinux
www.cyberciti.biz/faq/linux-make-directory-command
www.cyberciti.biz/faq/howto-disable-httpd-selinux-security-protection
www.cyberciti.biz/tips/top-linux-monitoring-tools.html
www.php.net/isset
www.cyberciti.biz/tips/linux-iptables-examples.html
bash.cyberciti.biz/mysql/add-database-username-password-remote-host-access
dev.mysql.com/doc/refman/5.5/en
www.cyberciti.biz/faq/tag/etcfstab
www.cyberciti.biz/faq/fedora-sl-centos-redhat6-enable-epel-repo
www.cyberciti.biz/faq/tag/etcsysconfigmemcached
www.cyberciti.biz/tips/my-10-unix-command-line-mistakes.html
www.cyberciti.biz/tips/download-email-client-for-linux-mac-osx-windows.html
www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening
www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html
www.cyberciti.biz/faq/linux-unix-bsd-wordpress-memcached-cache-plugin
www.cyberciti.biz/faq/howto-install-memcached-under-rhel-fedora-centos
www.cyberciti.biz/tips/tips-to-protect-linux-servers-physical-console-access.html
www.cyberciti.biz/faq/how-to-install-mysql-under-rhel
www.cyberciti.biz/tips/unix-linux-bsd-pydf-command-in-colours.html
www.cyberciti.biz/faq/howto-linux-unix-setup-nginx-ssl-proxy
www.cyberciti.biz/faq/how-to-mount-bind-partitions-filesystems-in-linux
www.cyberciti.biz/faq/rhel-fedora-linux-install-memcached-caching-system-rpm
www.phpmyadmin.net/home_page/index.php
www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial
www.cyberciti.biz/faq/stop-lighttpd-server

What interests me now, i.e. what I plan to translate in the coming days, is in the list below. If there is something that needs translating or voicing over and has the same transcendent value as the talks of Yoshinori Matsunobu, suggest it and we will read / translate it.

O'Reilly MySQL Conference & Expo Is a Wrap // 2011 web
  • Linux and H/W optimizations - Yoshinori Matsunobu web
  • MySQL and Linux Tuning - Better Together .ppt web

Range of interests: server administration, optimization and monitoring of the LAMP stack. Virtualization, IaaS, KVM, xfs, NFS. Also interesting: hPHP (hip-hop PHP), Wordpress.

From you, a link to the material; from me, a translation and a bow.

If you know of conferences other than O'Reilly Velocity, NJ-LOPSA PICC, Tech Ed and LinuxCon that publish materials / presentations / videos, tell us, and we will choose topics to your taste and translate them.
