HOWTO: Using Nginx - best practices!

Looks like you don't understand frontend-backend architecture principles and the ideology of fast web servers.
That answer is what is known as a "smoke screen", folks. These are basic to 99% of DirectAdmin deployments:
1. ALL the normal functionality of Apache available, including .htaccess.
2. The performance and reliability of CLI with PHP.
3. Single physical server environment.

If you don't have a method to improve efficiency of that environment, you are playing with an empty hand.
 
At the end of the manual I have a problem:
Code:
[root@sr /]# /sbin/iptables -t nat -A PREROUTING -p tcp -s ! MyServerIP --dport 80 -j REDIRECT --to-ports 81
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
So please help me. What should I do? Please give a step-by-step manual... :)
 
Looks like you don't have the iptable_nat module loaded in the kernel.
By default this module comes with all Linux distributions (at least with CentOS/Debian systems for sure).

What Linux distro are you using? Are you using a VPS (virtual server) or a physical machine?
And please post the output of this command:
Code:
lsmod |grep ipt
 
I've a physical server, distro CentOS 5.3, Linux kernel 2.6.25.10.

Is it possible to do the redirect some other way? I tried "rinetd", but httpd does not start: port in use.

/sbin/lsmod |grep ipt displays nothing.

PS
[root@sr /]# /sbin/modprobe iptables_nat
FATAL: Module iptables_nat not found.

PPS I don't quite know how to work with the Linux kernel...
 
Kernel 2.6.25.10 is not the CentOS kernel.
Looks like you have a custom-made kernel with a misconfigured iptables.
It is highly not recommended to use source-installed custom kernels on working servers.

http://wiki.centos.org/HowTos/Custom_Kernel
 
Could you post a quick tutorial on how to make symlinks for all domains/subdomains, like /home/vhosts/domain.com?
 
You just need to define the real path to your domains in nginx.conf.
 
I know that, but it would be easier to grab the domain from the address and try to fetch images and static files based on the domain. That way you don't have to add every domain you want...
 
If you mean setting up the root path for a domain dynamically via the set $host directive, it's also possible. But I think things like this are advanced hacks where it is very easy to make mistakes.
So I don't suggest this for average users.
For a particular hosting domain, proxying all requests to apache is a good scheme.
For heavily loaded domains you just need to create a separate nginx server definition.
Also there are a lot of situations where apache rewrites (to static files) are used. It may be quite hard to debug failures with them.

In the end I think
"Simpler is best".

If you wish, you could also create the nginx config for each domain dynamically via the
directadmin domain_create_post.sh script:
http://help.directadmin.com/?query=domain_create_post
 
...
In the end I think
"Simpler is best".
...
On the contrary: one regex and you have your domain; when you hit an error you proxy to apache, quite convenient. I have much experience with nginx and this scheme is proven to work (previously with Plesk). I know it's better to have dedicated nginx configs per domain, but the point is to fetch as many static files as possible for best performance.

We don't have open, shared hosting, and our environment is controlled enough to do those tricks. :)

If it were up to me only, we'd have only an nginx + php-fpm environment; as you said, the simpler the better.
 
There seems to be a bug in the parser. I've got a vhost entry in an apache httpd.conf, but it's got loads of domain pointers in the ServerAlias, so it has about 4-5 ServerAlias entries. The parser only manages about 5 pointers. I tried adding them manually, but whenever I start nginx using the script, it overwrites my conf file.
 
Multi IP problem

I have many IPs on the server, but nginx works on only one. For now I am using all users on the same IP :-(
The firewall:

/sbin/iptables -t nat -A PREROUTING -p tcp -s ! IP1 --dport 80 -j REDIRECT --to-ports 81
/sbin/iptables -t nat -A PREROUTING -p tcp -s ! IP2 --dport 80 -j REDIRECT --to-ports 81

Actually the site is working as:

siteonip2.com:81
but not as
siteonip2.com

so it has to do with the firewall, right?

Can I check if IP2 is redirected?

Thanks for any suggestions...
 
Please note that IP1 and IP2 are just variables. You should replace them with valid server IP addresses.

Please show the output of the following command:
Code:
# iptables -L -n -t nat


to verify that the iptables redirect is working correctly.

If you have only one IP address, where all users are served, you could simply add a rule like this:
Code:
iptables -t nat  -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 81
 
only shi...
I am using ConfigServer Firewall, and there I put in one file:

/sbin/iptables -t nat -A PREROUTING -p tcp -s ! 188.53.35.67 --dport 80 -j REDIRECT --to-ports 81
/sbin/iptables -t nat -A PREROUTING -p tcp -s ! 188.53.35.96 --dport 80 -j REDIRECT --to-ports 81


but the command iptables -L -n -t nat

shows me everything I have ever tried to put in that file :-(
A bunch of **** I need to clear out...

I have about 15 IPs for that server...

So I need to clean out what "iptables -L -n -t nat" shows me and then put the rules back for 15 different IPs.

Do that fast with no errors... or late at night... there are some users there.
 
How I made it work with many IPs on the server

How I got it to work :)

http://security.maruhn.com/
Read that... Internet magic...

Thanks paix
The command
iptables -L -n -t nat
shows what rules you have!

/etc/init.d/iptables stop
/etc/init.d/iptables start
or
/etc/init.d/iptables restart
will erase all rules, but you know that already :)

If you are using ConfigServer Firewall and put a
rule in the file csfpost.sh,
then every time you restart CSF you will have one more rule... you can see that in
iptables -L -n -t nat

I used this rule:

iptables -t nat -A PREROUTING -p tcp -d 188.35.35.67 --dport 80 -j DNAT --to 188.35.35.67:81

That means only sites with that IP will go through nginx. Sites on other IPs will go directly to apache...

When you add one more IP to the firewall... to go to port 81... you must have that IP configured in nginx.conf,
otherwise you will get "page not found"....

Hope I helped someone...
 
It's fine that you have found the problem and fixed it!

You could manage your firewall with a simple script.
Check
http://wiki.centos.org/HowTos/Network/IPTables

Just believe me, it's really nice, many times easier than using
awful third-party things, iptables rule generators etc.

Sure, to get all the benefits from unix/linux you have to pay attention to the docs and understand what you are doing and how it works,
but eventually you will come to understand the magic of unix :)

Unix fundamental rule: KISS (keep it simple, stupid).

PS. The root cause of your problem, as far as I can tell, is this:
your CSF just doesn't flush the NAT table during restart.
It could simply be done with this command during the firewall-script restart:
Code:
/sbin/iptables -t nat -F

Good luck! :)
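A scripted version of the rule handling discussed in this and the previous posts (one DNAT rule per server IP, plus the NAT flush that CSF's restart hook is missing), added here as an example; it is not code from the thread, from CSF or from DirectAdmin. The IPs are constructed documentation addresses (192.0.2.0/24), the nginx port and iptables path are assumptions, and the script prints the rules instead of applying them:

```shell
#!/bin/sh
# Added example, not code from the thread, from CSF or from DirectAdmin.
# Builds the NAT rule set that sends port-80 traffic for chosen server IPs to
# nginx on port 81 (the DNAT form used in this thread), starting with a flush
# so that re-running it on every firewall restart never stacks duplicates.
# Rules are printed, not applied: review them, then pipe to "sh" or paste the
# functions into csfpost.sh. The IPs below are constructed documentation
# addresses (192.0.2.0/24), not real servers.

NGINX_PORT=81            # assumed: nginx listens on 81 behind the redirect
IPTABLES=/sbin/iptables  # assumed path

# gen_nat_rules IP [IP...]
# Prints one flush of the nat PREROUTING chain followed by one DNAT rule per IP.
gen_nat_rules() {
    echo "$IPTABLES -t nat -F PREROUTING"
    for ip in "$@"; do
        echo "$IPTABLES -t nat -A PREROUTING -p tcp -d $ip --dport 80 -j DNAT --to-destination $ip:$NGINX_PORT"
    done
}

# count_dup_rules
# Reads 'iptables -t nat -S PREROUTING' output on stdin and prints how many
# distinct rule lines occur more than once. Anything but 0 means a restart
# hook has been appending rules without flushing first.
count_dup_rules() {
    grep '^-A PREROUTING ' | sort | uniq -d | wc -l | tr -d ' '
}

# Constructed sample listing in which one rule was appended twice, which is
# what csfpost.sh produces after two CSF restarts without a flush.
SAMPLE_NAT_LISTING='-P PREROUTING ACCEPT
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:81
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:81
-A PREROUTING -d 192.0.2.11/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.11:81'

# audit_nat_listing: run the duplicate check over the sample (on a live box,
# replace the printf with: $IPTABLES -t nat -S PREROUTING | count_dup_rules).
audit_nat_listing() {
    printf '%s\n' "$SAMPLE_NAT_LISTING" | count_dup_rules
}

# Example run:
# gen_nat_rules 192.0.2.10 192.0.2.11
# audit_nat_listing   # prints 1 for the sample above
```

Pipe the output through sh once you have read it, or call gen_nat_rules from csfpost.sh. The flush touches only the nat PREROUTING chain; if other NAT rules live there, put these rules in a dedicated chain and flush that one instead. audit_nat_listing is the check for the symptom described above: a non-zero count means a restart hook is appending without flushing.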
 
I used this rule:

Code:
iptables -t nat -A PREROUTING -p tcp  -d 188.35.35.67 --dport 80  -j DNAT --to 188.35.35.67:81

That means only sites with that IP will go through nginx. Sites on other IPs will go directly to apache...

Excellent!
This is another way to do the same.

But in this case the server may redirect itself too (i.e. if you send some request from the command line of your server to a site located on your server too).
Anyway, if it's working for you, then all right!
Nice! :)
 
Thank you paix,

I would like to ask whether you have any experience setting up an nginx frontend on an external server?

I mean this situation: Apache is still listening on port 80 on the directadmin server (the "real-ip module" is loaded). Nginx uses another dedicated server, so it could also listen on port 80. Both of them are in the same subnet behind the router.
In this situation nginx couldn't bind itself to the same IP address as Apache could.

So the pf firewall on the router should do this redirect:
rdr pass inet proto tcp from any to <directadmin_server_multilple_ips> port 80 -> <ngnix_server_one_ip> port 80

Now we need to force nginx to connect to the right Apache IP on the directadmin server.... Anyone experienced?

Best regards,
sysadm
 
I would like to ask whether you have any experience setting up an nginx frontend on an external server?

I've got some.

If you set up NGINX on a dedicated IP, make sure that the A record for every domain in DNS points to that dedicated server with its IP, and no iptables is required anymore.

Are you sure you really want it? What benefits are you going to get from it?

Firstly, you might need to use iptables on the server with directadmin in order to deny direct connections to it on port 80 from everyone except the IP of the server with NGINX.

Secondly, you might need to enable SSL on the NGINX server in this case, of course only if you use any SSL certs. Because as soon as you change the IP in the A record for the domains, NGINX should listen on both ports 80 and 443.
 
So the pf firewall on the router should do this redirect:
rdr pass inet proto tcp from any to <directadmin_server_multilple_ips> port 80 -> <ngnix_server_one_ip> port 80

Now we need to force nginx to connect to the right Apache IP on the directadmin server.... Anyone experienced?

I suggest simplifying the scheme.
Actually you can install nginx on your gateway server and skip the step with pf forwarding. I have such a scheme. Works well. Multiple domains are proxied to the internal network.

In nginx you just have to define the corresponding virtual-host sections.

Something like this:

Code:
server {
        listen     80;
        server_name _SAMPLE_  ;
        access_log  /var/log/nginx/_SAMPLE_.access.log  main;
        location / {
            proxy_pass              http://_IP_:8180;
        }
}

server {
        listen     80;
        server_name SAMPLE2  ABC XYZ   ;
        access_log  /var/log/nginx/SAMPLE2_scope_.access.log  main;
        location / {
            proxy_pass              http://_backend_ip2_:80;
        }
}
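For the single-server layout from earlier in the thread (Apache moved to port 81, nginx on port 80, document roots under /home/vhosts/<domain>), here is an added example of generating per-domain server blocks the way a domain_create_post.sh hook could, together with the catch-all "proxy everything to apache" server recommended above. It is not the thread's or DirectAdmin's code; the backend address, the docroot layout and the log paths are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread or from DirectAdmin's own scripts.
# Renders nginx server blocks for the single-server layout discussed above:
# Apache moved to port 81 on the same machine, nginx on port 80 serving static
# files itself and proxying everything else to Apache. A DirectAdmin
# domain_create_post.sh hook could call render_vhost "$domain" and write the
# result under /etc/nginx/conf.d/. Paths and the backend address are assumed.

APACHE_BACKEND="http://127.0.0.1:81"   # assumed: Apache on port 81, loopback
VHOST_ROOT="/home/vhosts"              # assumed: docroots at /home/vhosts/<domain>

# proxy_lines: the directives shared by every proxied location, so Apache
# sees the original Host and client address (the real-ip module setup
# mentioned in the thread relies on X-Real-IP / X-Forwarded-For).
proxy_lines() {
    cat <<EOF
        proxy_pass $APACHE_BACKEND;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
EOF
}

# render_vhost DOMAIN
# Dedicated block for one domain. Only a fixed list of static extensions is
# served by nginx; a missing file falls back to Apache so .htaccess rewrites
# still work. PHP, dotfiles and everything else stay on the proxy path, so
# the static shortcut cannot expose source or bypass .htaccess rules.
render_vhost() {
    domain=$1
    cat <<EOF
server {
    listen 80;
    server_name $domain www.$domain;
    root $VHOST_ROOT/$domain;
    access_log /var/log/nginx/$domain.access.log main;

    location ~ /\.ht {
        deny all;
    }

    location ~* \.(jpe?g|gif|png|css|js|ico)$ {
        try_files \$uri @apache;
        expires 7d;
    }

    location / {
$(proxy_lines)
    }

    location @apache {
$(proxy_lines)
    }
}
EOF
}

# render_catchall
# Default server for domains without a block of their own: proxy everything
# to Apache, the "proxy all requests" scheme recommended earlier in the thread.
render_catchall() {
    cat <<EOF
server {
    listen 80 default_server;
    server_name _;
    location / {
$(proxy_lines)
    }
}
EOF
}

# Example run:
# render_vhost example.com; render_catchall
```

Only a fixed list of static extensions is served from disk, and a missing file falls back to Apache, so .htaccess rewrites keep working while PHP and everything else go to Apache. If the dynamic $host trick discussed above is used instead, the host must be validated against a map or regex whitelist before it is used to build a filesystem path.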
 