Reverse-proxy NGINX + Apache on Directadmin powered server with CB 2.x

Mattpl

Verified User
Joined
Jun 28, 2017
Messages
78
Location
ZS
Hi, I have changed the server conf. to nginx_apache (before: apache) and built this conf. The website is running, but when I check load time in tools.pingdom I can see that page size increased from 2.5 MB to 3.8 MB and load time from 1.99 to 2.40s.

In PageSpeed Insights I see that mod Gzip is not running, but using other tools to test gzip compression I see that gzip is ON.
 

Paarsch

Verified User
Joined
Jun 9, 2017
Messages
17
Hi,

For some performance gain I decided to try the nginx_apache setup on one of our servers. Everything looks good and I went from 5 sec. load times to 2 sec. load times.

I do, however, have a weird issue with some .htaccess rules. Since I mainly have WordPress installations running, we have a .htaccess in the wp-content folder only allowing certain filetypes:

Code:
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js|ttf|otf|eot|pdf|woff|woff2)$">
	Allow from all
</Files>
On Apache this would block the use of unknown or unwanted extensions. For some strange reason this does seem to block CSS when running the nginx_apache combination. When rummaging through the error logs I encounter a lot of these:

[Thu Sep 06 09:12:02.566458 2018] [access_compat:error] [pid 26002:tid 139701260252928] [client aa.bb.cc.dd:0] AH01797: client denied by server configuration: uri /wp-content/plugins/power-builder/framework/assets/js/frontend-builder-global-functions.js,qver=1.0.0.pagespeed.jm.as9jzpvBo3.js, referer: https://dmain.com/
[Thu Sep 06 09:12:02.593106 2018] [access_compat:error] [pid 26002:tid 139701243467520] [client aa.bb.cc.dd:0] AH01797: client denied by server configuration: uri /wp-content/plugins/tm-header-banner/cherry-framework/modules/cherry-ui-elements/inc/ui-elements/ui-select/assets/select2.js,qver=0.2.9.pagespeed.jm.iVZw-D3mI6.js, referer: https://domain.com/

Which is weird because the .js is allowed by the .htaccess rule. So, what could cause this weird behavior?
 

Mattpl

Verified User
Joined
Jun 28, 2017
Messages
78
Location
ZS
Someone? I looked at /etc/nginx/nginx-gzip.conf

and gzip is on
gzip on;
gzip_static on;
gzip_disable "msie6";
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 6;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/x$
gzip_buffers 16 8k;
but tools like PageSpeed Insights etc. show an error about compression - "Turn on gzip compression"

Testing with curl:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 Sep 2018 13:36:29 GMT
Connection: keep-alive
X-Powered-By: PHP/7.0.31
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
OK, I have turned off CWAF and gzip is on.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
@Paarsch,

I guess pagespeed is the issue, did you try to disable pagespeed for testing?



@Mattpl,

Did you try to test with gtmetrix.com? Are those URLs to media files for which GZIP is not enabled hosted on your server?

Let us know your real domain name, so that we could check it for you.
 

Mattpl

Verified User
Joined
Jun 28, 2017
Messages
78
Location
ZS
Thanks :) I have written that the problem is solved :) I have turned off CWAF and Rules and gzip is on. You could check https://szukampracy.pl

Now I must try to optimize TTFB, but I think that I have a problem with scripts / mysql because another CMS like WP has good TTFB -> http://blog.szukampracy.pl
Do you maybe have any idea how to check this? I try to use munin but have an error after installing from ssh root.

//
OK, I installed munin yesterday and see that disk usage is very high. zEitEr, can you look at these stats?
 

Strator

Verified User
Joined
Jan 19, 2011
Messages
171
Sounded good, but didn't work unfortunately. I placed a copy of nginx-defaults.conf into custombuild/custom/nginx/conf/, then edited it accordingly and ran:

./build rewrite_confs

from the custombuild directory.

Nginx complained about those same definitions that I had commented out in the custom version of nginx-defaults.conf, and refused to start.
I revisited this once more and finally got it going. Turns out that I had the path wrong - it is NOT /usr/local/directadmin/custombuild/custom/ but rather /usr/local/directadmin/custombuild/configure/ - also, since I have nginx set up as a reverse proxy, the full path is:

/usr/local/directadmin/custombuild/configure/nginx_reverse/conf

You don't need to move any files there, as they already live in that folder (if they don't, it's the wrong folder). Hope that helps someone.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
You should never modify anything under /usr/local/directadmin/custombuild/configure/, all custom changes should be done only under /usr/local/directadmin/custombuild/custom/, that's the only place where you can copy customized configs and they won't be overwritten by directadmin.

Directadmin will overwrite all your changes under /usr/local/directadmin/custombuild/configure/ with Directadmin/custombuild update.


Related:

- Add custom modules to nginx with custombuild 2.0
- Adding custom modules to apache for custombuild
- I wish to customize /etc/httpd/conf/httpd.conf and not have custombuild revert it
- Using custom configs for PhpMyAdmin, SquirrelMail and Roundcube
 

Strator

Verified User
Joined
Jan 19, 2011
Messages
171
Thanks for the heads up - now I think I finally understand how this works. So originally my only mistake was that I put the file into /nginx instead of /nginx_reverse. It is now in:

/usr/local/directadmin/custombuild/custom/nginx_reverse/conf

and everything works great. Thanks again!
 

Vibe

Verified User
Joined
Aug 3, 2005
Messages
111
Hi everyone,

I have been very interested in setting up a DA server with Apache+Nginx for quite a while (well before it was integrated in CustomBuild). Now that this is available - what type of actual performance gains is everyone seeing? Since moving to Apache + PHP-FPM + Zend OPCache my server has been running great. Am I going to notice a dramatic change in performance by using Nginx?

My concern is that the performance gains may be offset by the ease of use and maintenance for Apache on its own. Bear in mind I am coming from Apache+Mod_PHP and have been rather slow to change :eek:. I host common CMS platforms as well as static HTML websites.

Thank you for any insight!
 

Strator

Verified User
Joined
Jan 19, 2011
Messages
171
My insights may not be that useful to you, but I've been using this setup for years and couldn't be happier. Maintenance is easy in my view, the main overhead is that things are a bit different and you do need to get used to that, but once you got used to the new setup, I think it isn't really more complicated. Can't really chime in on the performance gains, however, as the sites I run nowadays don't get that much traffic.

On the other hand - never change a winning team. If your server is already running great, you don't have much to gain. You'll put in some extra hours, and at the end all you'll get is a server that is still running great. :eek:
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,853
Location
GMT +7.00
Hey, the best way to get an answer is to try it yourself. Install a monitoring system: munin, zabbix, etc and wait a week or two to get enough information on how your server runs with Apache standalone. Then install NGINX in front of your Apache and run them together for a week or two and compare. You might share your results here.

If you expect to get your sites to work faster.... then NGINX+Apache might not give you any satisfaction here, as they hardly make your sites work faster if you have heavy PHP scripts with many SQL queries running on every single user hit.

If you have many users with slow Internet then NGINX+Apache might decrease CPU load and RAM usage. If you have many static files, or use WP with on-disk caching, you might gain a performance improvement with NGINX+Apache.

Want to cache PHP scripts output with NGINX? You're welcome, but do not cache shopping carts, and pages for authenticated users.

If you want to stop SPAM-bots from posting to your web-forms, and/or limit concurrent connections per IP, then NGINX in front of Apache might help you significantly.

I have customers with servers who run NGINX only, NGINX+Apache, NGINX+Varnish+Apache, Apache only, LiteSpeed only servers. And all these cases reserve their own right to exist.

And if a server with a single site is running fine with Apache only, we let it go. See the DA forums are running Apache/2, they don't use NGINX.

But if we have a server with many WP sites, which are brute-forced heavily, then we might install NGINX in front of Apache to add another layer of protection and to stabilize the server and let the sites work smoothly. We add much custom code in NGINX templates to reduce the impact of attacking bots. If it works in our cases I might assume it will work in your case if you have the same situation... but if you run a video-streaming or gaming server, then it's different.

What is your use case? Why do you need NGINX?
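
The per-IP limits and cache exclusions described in this post, sketched as an NGINX reverse-proxy configuration. This is an added example, not part of the post and not DirectAdmin's own templates; the zone names, rates, cache path, cookie patterns (WordPress and WooCommerce) and the Apache backend at 127.0.0.1:8080 are assumptions.

```nginx
# Added illustration: zone names, rates, cache path, cookie names and the
# 127.0.0.1:8080 Apache backend are assumptions, not values from this thread.
# Everything outside server {} belongs in the http {} context.

# Per-IP request-rate and concurrent-connection tracking.
limit_req_zone  $binary_remote_addr zone=wp_login:10m rate=6r/m;
limit_conn_zone $binary_remote_addr zone=per_ip:10m;

# On-disk cache for proxied PHP output.
proxy_cache_path /var/cache/nginx/php levels=1:2 keys_zone=php_cache:20m
                 max_size=512m inactive=30m;

# Skip the cache when the request carries a login, comment or cart cookie.
map $http_cookie $skip_cache {
    default                         0;
    "~*wordpress_logged_in_"        1;
    "~*comment_author_"             1;
    "~*woocommerce_items_in_cart"   1;
    "~*wp_woocommerce_session_"     1;
}

server {
    listen 80;
    server_name example.com;

    limit_conn        per_ip 20;   # concurrent connections per client IP
    limit_conn_status 429;
    limit_req_status  429;

    # Login and XML-RPC endpoints: strict rate limit, never cached.
    location ~ ^/(wp-login\.php|xmlrpc\.php)$ {
        limit_req zone=wp_login burst=3 nodelay;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else: short-lived cache for anonymous GET/HEAD requests only.
    location / {
        proxy_cache         php_cache;
        proxy_cache_key     $scheme$host$request_uri;
        proxy_cache_valid   200 5m;
        proxy_cache_methods GET HEAD;
        proxy_cache_bypass  $skip_cache;   # do not answer from cache
        proxy_no_cache      $skip_cache;   # do not store the response
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

By default NGINX also declines to cache responses that carry Set-Cookie or Cache-Control: no-store, such as the PHP response headers shown earlier in the thread, so session pages stay uncached unless that behaviour is overridden with proxy_ignore_headers.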
 

Vibe

Verified User
Joined
Aug 3, 2005
Messages
111
Thank you Strator and zEitEr for your comments, I greatly appreciate it. I can see I will definitely need to spend some time thinking about the benefits and whether they apply to my situation.

zEitEr your advice is right on the mark as usual :). I currently run a mix of WordPress, Drupal and static HTML websites (no streaming/gaming) and am not experiencing any specific issues (e.g. low memory, slow response times etc.). However, I have been very interested in Nginx since I first learned of its capabilities - mainly for my customers' benefit.

I have had several potential customers ask if I provide "WordPress Hosting" like some of the managed providers. I explain that aside from some of the advanced features (staging environment, automation etc.), the DA platform can provide very similar performance. This being the case I am always looking for ways of increasing overall performance. However, from what you have explained I can see that Nginx may or may not be the best for all use cases.

Your brute-force customizations for Nginx sound very interesting. Other than ConfigServer notifications for failed FTP/SMTP authentication attempts, I only receive messages due to excessive memory usage from WP sites. For some customers I have resolved this by disabling WP Cron and setting up a Cron job within DA. However, this isn't possible for everyone. I will definitely keep this in mind and be in touch if I decide to move forward with Nginx.

I definitely need to follow your advice and do some testing. I have a spare DA license and can spin up a VM to learn more about getting Nginx+Apache configured. This will give me a chance to see how everything works together and to see if it would apply to my situation.

Thank you both again for your comments and suggestions!
 

webwerken

New member
Joined
Jul 18, 2019
Messages
7
Problem with accessing roundcube after switching to nginx+apache

I have, as it seems, an old problem. This weekend I switched two of our boxes to use nginx_apache as the webserver. All was done via custombuild following these steps: https://forum.directadmin.com/showthread.php?t=49438
The servers run smoothly, but have only one issue. I can no longer access roundcube over the domain.
https://domain.com/roundcube gives me a 403
https://hostname/roundcube is working without issues.
Both boxes are as good as default and serve only a few sites.
I checked permissions which seem to be OK:

Code:
/var/
drwxrwxr-x. 10 webapps nginx 111 Apr 5 2018 www

/var/www/
drwxr-xr-x. 5 root root 120 Jul 18 10:51 html

/var/www/html/
lrwxrwxrwx 1 webapps webapps 19 Jul 17 19:37 roundcube -> roundcubemail-1.3.9
drwxr-xr-x 12 webapps webapps 283 Jul 17 19:37 roundcubemail-1.3.9
Been googling for half a day. But can't find a fix that works for me. Please tell me what I am missing.

Yeb
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
528
Location
Murfreesboro
OK, let's see here. Did you run the following? You might add in ./build dovecot too, to be sure. I assume you did all of this, but to be sure I am asking.

cd /usr/local/directadmin/custombuild
./build update
./build update_da
./build set nginx_apache yes
./build set roundcube yes
./build nginx_apache
./build roundcube
./build dovecot_conf
./build rewrite_confs

You did all of this below? or maybe you don't want webmail.domain.com
https://help.directadmin.com/item.php?id=633
 

webwerken

New member
Joined
Jul 18, 2019
Messages
7
Hi bdacus01,

thanks for your input.
I already tried to fix it with rebuilds. Even did a ./build all. But success.
I'm not interested in the subdomain thing. Just the default where the uri /webmail or /roundcube resolves in loading roundcube.

Yeb
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
528
Location
Murfreesboro
In the previous post I meant to say: But without success. :(
Hmm, you must have something missing then.
What is in your
Code:
cat /usr/local/directadmin/custombuild/options.conf
You're just on the generic build, right? No custom stuff yet?

You don't have mod security on, do you? I think I read a post where it was causing issues.
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
528
Location
Murfreesboro
Apache options:


  • apache_ver - this option is used to choose the version of Apache. Install/update it using "./build apache". Possible values: 2.4 (default: 2.4).
  • apache_mpm - this option is used to choose the MPM (Multi-Processing Module) of Apache. MPM is chosen during "./build apache". Possible values: prefork, event, auto (default: auto). Auto option selects "Event" MPM if mod_php is not chosen as php1_mode, otherwise "Prefork" MPM is set.
  • mod_ruid2 - install/update mod_ruid2 Apache module using "./build mod_ruid2" or "./build all". Possible values: yes/no (default: yes (on FreeBSD: no)). It gets installed automatically if mod_ruid2 value is "yes" and php1/2/3/4_mode is set to "yes".
  • modsecurity - install/update ModSecurity - Web application firewall using "./build modsecurity", "./build apache", "./build nginx" or "./build all". Possible values: yes/no (default: no).
  • modsecurity_ruleset - chooses ModSecurity Rule Set to install when "./build modsecurity_rules", "./build modsecurity", "./build apache", "./build nginx" or "./build all d" is ran. Set to 'no' to use no ruleset (or to use a custom one, uploaded to custom/modsecurity/conf directory. Comodo option provides Comodo Rule Set for ModSecurity: https://modsecurity.comodo.com/. OWASP ModSecurity Core Rule Set: https://www.owasp.org/index.php/Cate...le_Set_Project. Add custom rules to custom/modsecurity/conf, they are added automatically to /etc/modsecurity.d after './build modsecurity' or './build modsecurity_ruleset' is ran.
    Nginx is not compatible with Comodo Rule Set yet. Possible values: comodo/owasp/no (default: comodo).
 

webwerken

New member
Joined
Jul 18, 2019
Messages
7
First link you posted is about possible conflicts when running nginx. Not as a proxy.
Second link: Yes, roundcube is set as the default mail application.

And just to be complete. This is set in my options.conf file. Although I don't expect that to be the direction where the solution for my problem is to be found. The servers are running fine. Even roundcube is running fine. The only problem is that the uri https://domain/webmail gives me a 403. Which points to permissions. But those look alright.

Code:
#PHP Settings
php1_release=7.3
php1_mode=php-fpm
php2_release=5.6
php2_mode=php-fpm
opcache=yes
htscanner=yes
php_ini=no
php_timezone=Europe/Amsterdam
php_ini_type=production
ioncube=no
zend=no
suhosin=no
x_mail_header=yes

#MySQL Settings
mysql=8.0
mysql_inst=mariadb
mysql_backup=yes
mysql_backup_dir=/usr/local/directadmin/custombuild/mysql_backups
mysql_force_compile=no

#WEB Server Settings
webserver=nginx_apache
modsecurity=no
modsecurity_ruleset=comodo
apache_ver=2.4
apache_mpm=auto
mod_ruid2=no
harden_symlinks_patch=yes
use_hostname_for_alias=auto
redirect_host=server10.infowerken.nl
redirect_host_https=no

#WEB Applications Settings
phpmyadmin=no
phpmyadmin_ver=4
squirrelmail=no
roundcube=yes
webapps_inbox_prefix=no

#ClamAV-related Settings
clamav=yes
clamav_exim=yes
proftpd_uploadscan=no
pureftpd_uploadscan=no
suhosin_php_uploadscan=no

#Mail Settings
exim=yes
eximconf=yes
eximconf_release=4.5
blockcracking=no
easy_spam_fighter=no
spamd=no
dovecot=yes
dovecot_conf=yes
pigeonhole=no

#FTP Settings
ftpd=proftpd

#Statistics Settings
awstats=no
webalizer=yes

#CustomBuild Settings
custombuild=2.0
autover=no
bold=yes
clean=yes
cleanapache=yes
clean_old_tarballs=yes
clean_old_webapps=yes
downloadserver=files.directadmin.com

#Cronjob Settings
cron=yes
cron_frequency=weekly
notifications=yes
da_autoupdate=no
updates=no
webapps_updates=no

#CloudLinux Settings
cloudlinux=no
cagefs=no

#Advanced Settings
autoconf=yes
automake=yes
libtool=yes
curl=yes
new_pcre=no

cloudlinux_beta=no
sa_update=daily
modsecurity_uploadscan=no
http_methods=GET:HEAD:POST
litespeed_serialno=trial
userdir_access=no
mariadb=10.3
mysql_backup_gzip=yes
secure_php=yes
php3_release=no
php4_release=no
php3_mode=php-fpm
php4_mode=php-fpm
maildir_compress=no
mail_compress=no
imagick=yes
Both servers run on CentOS 7.4
 