HOWTO: Using Nginx - best practices!

IT_Architect (Verified User, joined Feb 27, 2006, 903 messages)
Looks like you don't understand frontend-backend architecture principles and the ideology of fast web servers.
That answer is what is known as a "smoke screen" folks. These are basic to 99% of DirectAdmin deployments:
1. ALL the normal functionality of Apache available, including .htaccess.
2. The performance and reliability of CLI with PHP.
3. Single physical server environment.

If you don't have a method to improve efficiency of that environment, you are playing with an empty hand.
 

stepan007 (Verified User, joined Aug 8, 2009, 14 messages)
At the end of the manual I have a problem:
Code:
[root@sr /]# /sbin/iptables -t nat -A PREROUTING -p tcp -s ! MyServerIP --dport 80 -j REDIRECT --to-ports 81
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
So please help me. What should I do? Please, a step-by-step manual... :)
 

paix (Verified User, joined Oct 31, 2006, 55 messages, location: ua)
At the end of the manual I have a problem:
Code:
[root@sr /]# /sbin/iptables -t nat -A PREROUTING -p tcp -s ! MyServerIP --dport 80 -j REDIRECT --to-ports 81
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
So please help me. What should I do? Please, a step-by-step manual... :)

Looks like you don't have the iptable_nat module loaded in the kernel.
By default this module comes with all Linuxes (at least with CentOS/Debian systems, for sure).

What Linux distro are you using? Are you using a VPS (virtual server) or a physical machine?
And please post the output of this command:
Code:
lsmod | grep ipt
 

stepan007 (Verified User, joined Aug 8, 2009, 14 messages)
I have a physical server, distro CentOS 5.3, Linux kernel 2.6.25.10.

Is it possible to do the redirect in some other way? I tried "rinetd", but httpd does not start: port in use.

/sbin/lsmod | grep ipt displays nothing.

PS
[root@sr /]# /sbin/modprobe iptables_nat
FATAL: Module iptables_nat not found.

PPS: I do not quite know how to work with the Linux kernel...
 

paix (Verified User, joined Oct 31, 2006, 55 messages, location: ua)
I have a physical server, distro CentOS 5.3, Linux kernel 2.6.25.10.

/sbin/lsmod | grep ipt displays nothing.

[root@sr /]# /sbin/modprobe iptables_nat
FATAL: Module iptables_nat not found.

Kernel 2.6.25.10 is not the CentOS kernel.
Looks like you have a custom-made kernel with a misconfigured iptables.
It is strongly not recommended to use source-installed custom kernels on working servers.

http://wiki.centos.org/HowTos/Custom_Kernel
 

meto (Verified User, joined Sep 14, 2009, 55 messages)
Could you post a quick tutorial on how to make symlinks for all domains/subdomains like /home/vhosts/domain.com?
 

paix (Verified User, joined Oct 31, 2006, 55 messages, location: ua)
Could you post a quick tutorial on how to make symlinks for all domains/subdomains like /home/vhosts/domain.com?


You just need to define the real path to your domains in nginx.conf.
 

meto (Verified User, joined Sep 14, 2009, 55 messages)
I know that, but it would be easier to grab the domain from the address and try to fetch images and static files based on the domain. That way you don't have to add every domain you want...
 

paix (Verified User, joined Oct 31, 2006, 55 messages, location: ua)
I know that, but it would be easier to grab the domain from the address and try to fetch images and static files based on the domain. That way you don't have to add every domain you want...

If you mean setting up the root path for a domain dynamically via the set directive and the $host variable, it's also possible. But I think things like this are advanced hacks where it is very easy to make mistakes.
So I don't suggest this for average users.
For a particular hosted domain, proxying all requests to Apache is a good scheme.
For heavily loaded domains you just need to create a separate nginx server definition.
Also there are a lot of situations where Apache rewrites (to static files) are used. It may be quite hard to debug failures with them.

In the end I think
"Simpler is best".

If you wish, you could also create the nginx config for each domain dynamically with the
DirectAdmin domain_create_post.sh script
http://help.directadmin.com/?query=domain_create_post
 

meto (Verified User, joined Sep 14, 2009, 55 messages)
...
In the end I think
"Simpler is best".
...
On the contrary: one regex and you have your domain, and when you hit an error you proxy to Apache, quite convenient. I have much experience with nginx and this scheme is proven to work (previously with Plesk). I know that it's better to have dedicated nginx configs per domain, but the point is to fetch as many static files as possible for best performance.

We don't have open, shared hosting, and our environment is controlled enough to do those tricks. :)

If it were up to me only, we'd have only an nginx + php-fpm environment; as you said, the simpler the better.
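The "grab the domain from the Host header" scheme meto describes, written out as an added example (not from the thread, DirectAdmin or Plesk) with the guard paix's warning calls for: the regex only admits dot-separated labels of [a-z0-9-], so a crafted Host header such as ".." or one containing "/" can never reach the filesystem path, and requests for names that match nothing are dropped instead of being served from an empty $domain. Assumptions: nginx listens on 81 behind the iptables redirect, Apache keeps 127.0.0.1:80, and each docroot is symlinked as /home/vhosts/<domain>; the extension list and expires value are illustrative.

```nginx
# Catch-all for Host values the regex below does not match: close the connection
# rather than fall into the regex block with $domain unset.
server {
    listen       81 default_server;
    server_name  _;
    return       444;
}

server {
    listen       81;
    # Named capture: only non-empty labels of [a-z0-9-] joined by single dots,
    # so ".." or "/" cannot appear in $domain and hence not in the root path.
    # (nginx lowercases the Host header before matching.)
    server_name  ~^(?:www\.)?(?<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)+)$;
    root         /home/vhosts/$domain;

    # Static assets come from disk when present; anything missing (for example
    # the target of an Apache rewrite) falls through to Apache.
    location ~* \.(?:jpe?g|gif|png|ico|css|js|swf|txt)$ {
        try_files  $uri @apache;
        expires    7d;
    }

    # Everything else goes straight to Apache. Deliberately no try_files here:
    # nginx must never hand out .php sources, .htaccess or other non-asset files.
    location / {
        proxy_pass        http://127.0.0.1:80;
        proxy_set_header  Host             $host;
        proxy_set_header  X-Real-IP        $remote_addr;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

    location @apache {
        proxy_pass        http://127.0.0.1:80;
        proxy_set_header  Host             $host;
        proxy_set_header  X-Real-IP        $remote_addr;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}
```

The nginx worker user needs read access through the /home/vhosts symlinks and into each user's docroot for the static branch to work; a file it cannot read is a 403, not a fallback to Apache, so check permissions on a single domain before enabling this for all of them.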
 

Katie (New member, joined Nov 4, 2009, 2 messages, location: United States)
HOWTO Using Nginx best practices

There seems to be a bug in the parser. I've got a vhost entry in an Apache httpd.conf, but it's got loads of domain pointers in the ServerAlias, so it has about 4-5 ServerAlias entries. The parser only manages about 5 pointers. I tried adding them manually, but whenever I start nginx using the script, it overwrites my conf file.
 

pera (Verified User, joined Jul 29, 2004, 97 messages, location: Sweden / Varberg)
Multi IP problem

I have many IPs on the server, but nginx works on one. For now I am using all users on the same IP :-(
The firewall:

/sbin/iptables -t nat -A PREROUTING -p tcp -s ! IP1 --dport 80 -j REDIRECT --to-ports 81
/sbin/iptables -t nat -A PREROUTING -p tcp -s ! IP2 --dport 80 -j REDIRECT --to-ports 81

Actually the site is working as:

siteonip2.com:81
but not as
siteonip2.com

So it has to do with the firewall, right?

Can I check if IP2 is redirected?

Thanks for any suggestions...
 

paix (Verified User, joined Oct 31, 2006, 55 messages, location: ua)
Please note that IP1, IP2 are just variables. You should replace them with valid server IP addresses.

Please show the output of the following command:
Code:
# iptables -L -n -t nat


to verify that iptables redirecting is working correctly.

If you have only one IP address, where all users are served, you could simply add this rule:
Code:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 81
 

pera (Verified User, joined Jul 29, 2004, 97 messages, location: Sweden / Varberg)
only shi...
I am using ConfigServer, and there I put in one file:

/sbin/iptables -t nat -A PREROUTING -p tcp -s ! 188.53.35.67 --dport 80 -j REDIRECT --to-ports 81
/sbin/iptables -t nat -A PREROUTING -p tcp -s ! 188.53.35.96 --dport 80 -j REDIRECT --to-ports 81


but the command iptables -L -n -t nat

shows me everything I have ever tried to put in that file :-(
bunch of **** I need to clear that out...

I have about 15 IPs for that server...

So I need to clean out what "iptables -L -n -t nat" shows me and then put back rules for 15 different IPs.

Do that fast with no errors... or late at night... I have some users there.
 

pera (Verified User, joined Jul 29, 2004, 97 messages, location: Sweden / Varberg)
How I made it work with many IPs on the server

How I got it to work :)

http://security.maruhn.com/
Read that... Internet magic...

Thanks paix
The command
iptables -L -n -t nat
shows what rules you have!

/etc/init.d/iptables stop
/etc/init.d/iptables start
or
/etc/init.d/iptables restart
will erase all rules, but you know that already :)

If you are using ConfigServer Firewall and putting
rules in the file csfpost.sh,
then every time you restart CSF you will have one more rule... you can see that in
iptables -L -n -t nat

I used this rule:

iptables -t nat -A PREROUTING -p tcp -d 188.35.35.67 --dport 80 -j DNAT --to 188.35.35.67:81

That means only sites with that IP will go through nginx. Sites on other IPs will go directly to Apache...

When you add one more IP to the firewall... to go to port 81... you must have that IP configured in nginx.conf,
otherwise you will get page not found....

Hope I helped someone...
 

paix (Verified User, joined Oct 31, 2006, 55 messages, location: ua)
It's fine that you have found the problem and fixed it!

You could manage your firewall with a simple script.
Check
http://wiki.centos.org/HowTos/Network/IPTables

Just believe me, it's really nice, many times easier than using
awful third-party things, iptables rule generators etc.

Sure, to get all the benefits from Unix/Linux you have to pay attention to the docs and understand what you are doing and how it works,
but eventually you will come to understand the magic of Unix :)

The Unix fundamental rule: KISS (keep it simple, stupid).

PS. The root cause of your problem, as far as I can guess, is this:
your CSF just doesn't flush the NAT table during restart.
It could simply be done with this command during the firewall-script restart
Code:
/sbin/iptables -t nat -F

Good luck! :)
 

paix (Verified User, joined Oct 31, 2006, 55 messages, location: ua)
I used this rule:

Code:
iptables -t nat -A PREROUTING -p tcp -d 188.35.35.67 --dport 80 -j DNAT --to 188.35.35.67:81

That means only sites with that IP will go through nginx. Sites on other IPs will go directly to Apache...

Excellent!
This is another way to do the same thing.

But in this case the server may redirect itself too (i.e. if you send some request from the command line of your server to a site located on your server too).
Anyway, if it's working for you, then all right!
Nice! :)
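The two firewall problems in this thread, stepan007's "Table does not exist (do you need to insmod?)" and pera's rule that gets duplicated on every CSF restart, come down to the same two steps: make sure the nat table is usable, then flush PREROUTING before re-adding one redirect per public IP. The script below is an added example, not from the thread, the HOWTO or CSF. It assumes nginx listens on 81 with Apache still on 80, that IPT and NGINX_PORT may be overridden from the environment, and that the per-IP rule keeps the "! -s <ip>" exemption from the manual so the server's own requests are never redirected (paix's self-redirect concern); the IPs in the usage line are made up. Without --apply it only prints the commands, so it can be reviewed (or diffed against iptables -L -n -t nat) before anything is changed.

```shell
#!/bin/sh
# Added example: rebuild the port-80 -> nginx redirect rules idempotently and
# fail early with a clear message when the kernel has no nat table.
# Assumed layout: nginx on :81, Apache on :80, both on the same host.
set -eu

IPT=${IPT:-/sbin/iptables}
NGINX_PORT=${NGINX_PORT:-81}

# Print, one per line, the commands for the given public IPs without running them.
# Flushing PREROUTING first is what stops a hook such as csfpost.sh from stacking
# one more copy of every rule on each firewall restart.
build_redirect_rules() {
    printf '%s -t nat -F PREROUTING\n' "$IPT"
    for ip in "$@"; do
        # Traffic for this IP on :80 goes to nginx on :$NGINX_PORT. "! -s $ip"
        # keeps the server's own requests out of the redirect so nginx can still
        # reach Apache on :80 (iptables 1.3.x spelled this "-s ! $ip").
        printf '%s -t nat -A PREROUTING -p tcp -d %s ! -s %s --dport 80 -j REDIRECT --to-ports %s\n' \
            "$IPT" "$ip" "$ip" "$NGINX_PORT"
    done
}

# Return 0 when the nat table is usable, loading iptable_nat if needed.
# The module is iptable_nat (no "s"); a kernel built without NAT support, which
# a custom 2.6.25 build may well be, still fails here and gets the message below.
ensure_nat_table() {
    grep -qx nat /proc/net/ip_tables_names 2>/dev/null && return 0
    /sbin/modprobe iptable_nat 2>/dev/null || true
    if ! "$IPT" -t nat -L -n >/dev/null 2>&1; then
        echo "nat table unavailable: kernel lacks iptable_nat; use a kernel built with NAT" >&2
        return 1
    fi
}

# Run the generated commands; "sh -e" stops at the first failing iptables call,
# then show the resulting chain so the result can be checked at once.
apply_redirect_rules() {
    ensure_nat_table
    build_redirect_rules "$@" | sh -e
    "$IPT" -t nat -L PREROUTING -n --line-numbers
}

# Usage: sh nat-redirect.sh 192.0.2.10 192.0.2.11          (dry run, prints the commands)
#        sh nat-redirect.sh --apply 192.0.2.10 192.0.2.11  (runs them; needs root)
case "${1:-}" in
    --apply) shift; apply_redirect_rules "$@" ;;
    "")      ;;
    *)       build_redirect_rules "$@" ;;
esac
```

Because the script flushes only the PREROUTING chain of the nat table, any POSTROUTING or OUTPUT nat rules the firewall manages elsewhere survive; if CSF already flushes nat on restart the flush is harmless, and if it does not, this is the one line that fixes pera's growing rule list.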
 

sysadm (Verified User, joined Jun 8, 2004, 13 messages)
Thank you paix,

I would like to ask: do you have any experience with setting up an nginx frontend on an external server?

I mean this situation: Apache is still listening on port 80 on the DirectAdmin server (the "real-ip module" is loaded). Nginx uses another dedicated server, so it could also listen on port 80. Both of them are in the same subnet behind the router.
In this situation nginx couldn't bind itself to the same IP address as Apache could.

So the pf firewall on the router should do this redirect:
rdr pass inet proto tcp from any to <directadmin_server_multilple_ips> port 80 -> <ngnix_server_one_ip> port 80

Now we need to force nginx to connect to the right Apache IP on the DirectAdmin server.... Anyone experienced?

Best regards,
sysadm
 

zEitEr (Super Moderator, joined Apr 11, 2005, 14,252 messages, location: GMT +7.00)
I would like to ask: do you have any experience with setting up an nginx frontend on an external server?

I've got some.

If you set up NGINX on a dedicated IP, make sure that the A record for every domain in DNS points to that dedicated server with its IP, and no iptables is required anymore.

Are you sure you really want it? What benefits are you going to get from it?

Firstly, you might need to use iptables on the server with DirectAdmin in order to deny direct connections to it on port 80 from all except the IP of the server with NGINX.

Secondly, you might need to enable SSL on the NGINX server in this case, of course only if you use any SSL certs, because as soon as you change the IP in the A record for the domains, NGINX should listen on both ports 80 and 443.
 

paix (Verified User, joined Oct 31, 2006, 55 messages, location: ua)
So the pf firewall on the router should do this redirect:
rdr pass inet proto tcp from any to <directadmin_server_multilple_ips> port 80 -> <ngnix_server_one_ip> port 80

Now we need to force nginx to connect to the right Apache IP on the DirectAdmin server.... Anyone experienced?

I suggest simplifying the scheme.
Actually you can install nginx on your gateway server and skip the step with pf forwarding. I have such a scheme. Works well. Multiple domains are proxied to the internal network.

In nginx you just have to define the corresponding virtual-host sections.

Something like this:

Code:
# One server block per proxied site; _SAMPLE_, _IP_, SAMPLE2, ABC, XYZ and
# _backend_ip2_ are placeholders for the real names and backend addresses.
server {
        listen     80;
        server_name _SAMPLE_;
        access_log  /var/log/nginx/_SAMPLE_.access.log  main;
        location / {
            proxy_pass              http://_IP_:8180;   # backend on an internal address and port
        }
}

server {
        listen     80;
        server_name SAMPLE2 ABC XYZ;   # several names can share one block
        access_log  /var/log/nginx/SAMPLE2_scope_.access.log  main;
        location / {
            proxy_pass              http://_backend_ip2_:80;
        }
}
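Putting sysadm's question and zEitEr's two points together, here is an added example (not from the thread, DirectAdmin or paix's setup) of nginx on a separate front machine that terminates TLS and proxies by IP to the DirectAdmin box. Assumptions: the DirectAdmin server is 10.0.0.5 with Apache on :80, the frontend is 10.0.0.2, the certificate files live under /etc/nginx/ssl/, and Apache's real-IP module is configured to trust only 10.0.0.2 for X-Forwarded-For; example.com is a placeholder.

```nginx
# Added example: TLS-terminating frontend on its own host, proxying to Apache
# on the DirectAdmin server by internal IP.
upstream directadmin_apache {
    server 10.0.0.5:80;
}

server {
    listen       80;
    listen       443 ssl;
    server_name  example.com www.example.com;

    ssl_certificate      /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key  /etc/nginx/ssl/example.com.key;

    location / {
        proxy_pass  http://directadmin_apache;

        # Without this Apache receives Host "directadmin_apache" and its
        # name-based vhosts stop matching.
        proxy_set_header  Host               $host;
        # Client address and scheme for the backend's real-IP module and for
        # applications that build absolute https:// URLs.
        proxy_set_header  X-Real-IP          $remote_addr;
        proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto  $scheme;
    }
}
```

The forwarded client address is only worth trusting if Apache cannot be reached except through this frontend: once the A records point at 10.0.0.2, a rule on the DirectAdmin server such as iptables -A INPUT -p tcp --dport 80 ! -s 10.0.0.2 -j DROP (with 10.0.0.2 accepted ahead of it) stops anyone from connecting directly and presenting a forged X-Real-IP or X-Forwarded-For.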
 