Reverse-proxy NGINX + Apache on Directadmin powered server with CB 2.x

Hello,

Neither nginx nor apache requires opcache. When deciding whether or not to install opcache, you should consider your own requirements and needs.
 
Hi,

I am trying to switch to nginx_apache but have some problems:

1.

Code:
Restarting nginx.
Starting nginx: nginx: [emerg] ModSecurityConfig in /etc/nginx/nginx-modsecurity-enable.conf:2: Unknown command in config: <LocationMatch
                                                           [FAILED]

I have done ./build modsecurity.
What else do I need?

2.
Code:
nginx: [emerg] PEM_read_bio_X509_AUX("/usr/local/directadmin/data/users/myuser/domains/mydomain.com.cert.combined") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
nginx: configuration file /etc/nginx/nginx.conf test failed

This error is related to having "---- END CERTIFICATE -------- BEGIN CERTIFICATE -------" on one line.
I fixed this line in the above *.cert.combined, but after rewrite_confs everything is back. Why is this file broken? Where is it taken from?
 
Hello,

For #1, I've checked over the CB2 code, and it doesn't add any LocationMatch entries.. so I'm guessing it got there by some other means.
Try deleting that file, and then doing a
Code:
./build modsecurity

For #2, I've found the code that creates the .combined file, and it would use your domain.com.cert and the domain.com.cacert to create domain.com.cert.combined.
So most likely the domain.com.cert doesn't have a trailing newline character.
I've added a \n in between the two for the next release:
https://www.directadmin.com/features.php?id=1815

The pre-release binaries should be available in a few minutes, if you'd like the fix now.

John
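
The failure mode described in this reply, as an added shell example that is not part of the post or of DirectAdmin's code: a certificate file without a trailing newline fuses the END and BEGIN markers when concatenated, and a guarded join avoids it. The helper names, file names and placeholder certificate bodies are constructed for illustration.

```shell
#!/bin/sh
# True when an END marker and a BEGIN marker share one line in FILE,
# the condition nginx reports as "bad end line".
has_fused_boundary() {
    grep -Eq -e '-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----' "$1"
}

# True when FILE is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# combine_pem CERT CACERT OUT (hypothetical helper): write CERT then CACERT
# to OUT, adding a newline after each part only when it is missing.
# OUT is replaced only if the joined file has no fused boundary.
combine_pem() {
    cert=$1 cacert=$2 out=$3
    tmp="$out.tmp.$$"
    {
        cat "$cert"
        ends_with_newline "$cert" || printf '\n'
        cat "$cacert"
        ends_with_newline "$cacert" || printf '\n'
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    if has_fused_boundary "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}

# Constructed sample: placeholder bodies, with the leaf file written
# without a trailing newline, as in the report above.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$demo_dir/leaf.cert"
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$demo_dir/ca.cacert"

cat "$demo_dir/leaf.cert" "$demo_dir/ca.cacert" > "$demo_dir/naive.combined"
combine_pem "$demo_dir/leaf.cert" "$demo_dir/ca.cacert" "$demo_dir/safe.combined"

has_fused_boundary "$demo_dir/naive.combined" && echo "naive join: fused boundary"
has_fused_boundary "$demo_dir/safe.combined" || echo "guarded join: markers on separate lines"
```

Running `has_fused_boundary` against an existing `*.cert.combined` before `nginx -t` identifies this cause without reading the OpenSSL error.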
 
Thanks, I've rebuilt modsecurity with cwaf comodo again and now it seems to be ok.

Btw now I've another issue:

can't download PDF files generated on the fly:

Code:
2015/12/10 11:06:33 [error] 24107#0: *306 upstream prematurely closed connection while reading upstream, request: "POST /orders/invoices HTTP/1.1", upstream: "https://111.111.111.111:8081/orders/invoices"

edit: ok, it's related to modsecurity, but where can I find what does this? Nothing found in debug.log, and adding to disabled domains changes nothing..
 
When we link an IPv6 address to the IPv4 server address, nginx won't start.

Code:
Jan  4 14:22:22 web systemd: Starting The nginx HTTP and reverse proxy server...
Jan  4 14:22:22 web nginx: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan  4 14:22:22 web nginx: nginx: [emerg] bind() to [xxxx:xxxx:xxxx::x]:80 failed (99: Cannot assign requested address)
Jan  4 14:22:22 web nginx: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan  4 14:22:22 web systemd: nginx.service: control process exited, code=exited status=1
Jan  4 14:22:22 web systemd: Failed to start The nginx HTTP and reverse proxy server.
Jan  4 14:22:22 web systemd: Unit nginx.service entered failed state.
Jan  4 14:22:22 web systemd: nginx.service failed.
 
Code:
Jan 05 11:18:24 hosting1 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 05 11:18:24 hosting1 nginx[94766]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 05 11:18:24 hosting1 nginx[94766]: nginx: [emerg] bind() to [fe80::4b5:3eff:fe00:3c8]:80 failed (22: Invalid argument)
Jan 05 11:18:24 hosting1 nginx[94766]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jan 05 11:18:24 hosting1 systemd[1]: nginx.service: control process exited, code=exited status=1
Jan 05 11:18:24 hosting1 systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Jan 05 11:18:24 hosting1 systemd[1]: Unit nginx.service entered failed state.
Jan 05 11:18:24 hosting1 systemd[1]: nginx.service failed.

I also tried linking ipv6 with ipv4 but got a different error.
 
I tried to install it and got

2016/02/04 00:25:02 [emerg] 11584#0: eventfd() failed (38: Function not implemented)
2016/02/04 00:25:02 [emerg] 11592#0: eventfd() failed (38: Function not implemented)
2016/02/04 00:25:02 [emerg] 11604#0: eventfd() failed (38: Function not implemented)
2016/02/04 00:25:02 [emerg] 11610#0: eventfd() failed (38: Function not implemented)
2016/02/04 00:25:03 [alert] 4897#0: worker process 11584 exited with fatal code 2 and cannot be respawned
2016/02/04 00:25:03 [alert] 4897#0: worker process 11592 exited with fatal code 2 and cannot be respawned
2016/02/04 00:25:03 [alert] 4897#0: worker process 11604 exited with fatal code 2 and cannot be respawned
2016/02/04 00:25:03 [alert] 4897#0: worker process 11610 exited with fatal code 2 and cannot be respawned
 
1 domain doesn't want nginx

Hi
I have installed this nginx_apache.
One domain's website does not work well with nginx.
I want to set a single domain to work only with apache.
How can I set this?

thanks.
 
2016/02/04 00:25:02 [emerg] 11584#0: eventfd() failed (38: Function not implemented)
2016/02/04 00:25:02 [emerg] 11592#0: eventfd() failed (38: Function not implemented)
2016/02/04 00:25:02 [emerg] 11604#0: eventfd() failed (38: Function not implemented)
2016/02/04 00:25:02 [emerg] 11610#0: eventfd() failed (38: Function not implemented)
2016/02/04 00:25:03 [alert] 4897#0: worker process 11584 exited with fatal code 2 and cannot be respawned
2016/02/04 00:25:03 [alert] 4897#0: worker process 11592 exited with fatal code 2 and cannot be respawned
2016/02/04 00:25:03 [alert] 4897#0: worker process 11604 exited with fatal code 2 and cannot be respawned
2016/02/04 00:25:03 [alert] 4897#0: worker process 11610 exited with fatal code 2 and cannot be respawned

This is a 1.8 line bug; I just switched to 1.9 and all is OK.

Issue #2

I did http://help.directadmin.com/item.php?id=560, but now nginx redirects all traffic from webmail to the first domain name, not the webmail catalog. I added the domain 00000000.abc to my admin account and made an .htaccess redirect to the webmail site, but this is not a proper solution. Any ideas why it works the way it does?
 
Hello, I also updated from apache to apache_nginx hoping for some speed boost while browsing sites. The update went fine and all sites are working; the only problem I noticed is that images are now loading slower than before (and sometimes some images fail to load).. Any idea why?
Thanks.
 
Static content hits Nginx first. Why have it go to Nginx->Apache->ACLR->Nginx?

I altered the template for host to have:

location ~ \.php

Then the needed information for logging and proxy headers.

Now Nginx logs and serves all the static content and apache only serves PHP.

Why isn't it done that way? Is Nginx being used as a firewall/proxy, or is it being used to serve the static content faster?

btw here is my /template/custom/nginx_server.conf

|CUSTOM1|
|?DOCROOT=`HOME`/domains/`DOMAIN`/public_html|
|?REALDOCROOT=`HOME`/domains/`DOMAIN`/public_html|
|?OPEN_BASEDIR_PATH=`HOME`/:/tmp:/var/tmp:/usr/local/lib/php/|
server
{
|CUSTOM|

    listen |IP|:|PORT_80|;
|MULTI_IP|

    server_name |DOMAIN| www.|DOMAIN| |SERVER_ALIASES|;

    access_log /var/log/nginx/domains/|DOMAIN|.log;
    access_log /var/log/nginx/domains/|DOMAIN|.bytes bytes;
    error_log /var/log/nginx/domains/|DOMAIN|.error.log;

    root |DOCROOT|;

    index index.php index.html index.htm;

|NGINX_PHP_CONF|

    include /etc/nginx/nginx-security.conf;

|*if HAVE_NGINX_PROXY="1"|
    # Only URIs matching \.php are proxied to Apache; everything else
    # is served by nginx straight from the document root.
    location ~ \.php
    {
|CUSTOM2|
|LOCATION_INSERT|
        access_log off;

        proxy_buffering |PROXY_BUFFERING|;
        proxy_pass http://|IP|:|PORT_8080|;
        proxy_set_header X-Client-IP $remote_addr;
        proxy_set_header X-Accel-Internal /nginx_static_files;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /nginx_static_files/
    {
        # access_log /var/log/nginx/access_log_proxy;
        alias |DOCROOT|/;
        internal;
    }
|*else|
|NGINX_REDIRECTS|
|PROTECTED_DIRECTORIES|
|EXTRA_LOCATIONS|
|*endif|

|CUSTOM3|

    include /etc/nginx/webapps.conf;

|CUSTOM4|
}
 
All true that you can't use apache for those static changes. But why would you want to?

1. Basic auth would still apply with the exception of images which in 99% of the cases that's not what you're trying to protect anyways.

2. Nginx can deal with the mod_rewrite challenges for static content. Again 99% of the time that's not why you'd use it.

3. Limit Access Per IP should be done by Nginx anyways. It's definitely more efficient at it while Apache actually suffers from dealing with http floods.

4. Perl might be a factor but you can easily alter my changes to include .pl files if you're still running a site from the 90's and using perl.

Again, this is about efficiency in using Nginx as a reverse proxy if you're just going to forward all the content to Apache anyways. If that's the case...then why run Nginx at all? The whole point of using Nginx in front of Apache is for efficiency in serving static content and having a method to deal with bad traffic.

And sure, I understand my needs may be different than most but I'm a bit surprised this hasn't been brought up in discussion before now. Has anyone done any benchmarks with ACLR2 vs just using mod_remoteip? As far as I can tell aclr2 is supposed to replace mod_remoteip but it was written in 2012 before mod_remoteip was part of Apache Core. There isn't even good documentation on it. I also think ACLR, originally written for 1.3x, is an outdated concept model for Nginx proxy.

I really bring this up because my visitors were experiencing delays in page loading and ultimately I had to remove ACLR2. Now site works great and Nginx serves the static content directly. Nginx logs properly the static while all PHP goes to Apache and is logged properly.

Anyways, it's all just my thinking. Maybe it helps someone else around here.
 
I've posted my version of why the things are done this way and provided a link to John's reply. Thank you for sharing your view and opinion on the matter.

If you want your idea to be implemented and added into Directadmin, you might consider opening a ticket with Directadmin support or posting a feature request here on the forums. As for myself, I have servers with custom nginx installed, default nginx+apache installed by Directadmin, and customized nginx installed by Directadmin.
 
Again, this is about efficiency in using Nginx as a reverse proxy if you're just going to forward all the content to Apache anyways. If that's the case...then why run Nginx at all? The whole point of using Nginx in front of Apache is for efficiency in serving static content and having a method to deal with bad traffic.

I'd just like to say that it is not true. Requests are forwarded, but not the content. All the static content is still served by nginx. Nginx needs to forward requests to Apache, so that it'd know where it should look for the static content (after processing .htaccess it's clear). I agree that serving static content directly (without .htaccess) would be faster, and you can easily do that by modifying current nginx templates; however, the reason why it's done the way we have it is to bring 100% compatibility, not the 99% mentioned in your posts.
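
An added shell example (not from any post in this thread or from DirectAdmin) of a check to run before adopting a template that lets nginx serve static files without consulting Apache: it lists the directories whose .htaccess carries access-control directives, which is the compatibility gap the reply above refers to. The helper names, the directive list and the sample docroot are assumptions constructed for illustration.

```shell
#!/bin/sh
# list_htaccess_guards DOCROOT (hypothetical helper): print
# "directory<TAB>directive" for every access-control directive found in a
# .htaccess file below DOCROOT. nginx never reads these files, so the
# listed directories lose that protection for any file nginx serves itself.
list_htaccess_guards() {
    find "$1" -type f -name .htaccess | sort | while IFS= read -r f; do
        awk -v dir="$(dirname "$f")" '
            # $1 is the first word of the line; comment lines start with "#"
            # and never match. The directive list is an assumption.
            tolower($1) ~ /^(authtype|authuserfile|require|deny|allow|order|satisfy)$/ {
                print dir "\t" $1
            }' "$f"
    done
}

# count_guarded_dirs DOCROOT: number of distinct directories reported above.
count_guarded_dirs() {
    list_htaccess_guards "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample docroot: rewrite-only rules at the top level, basic
# auth on private/, an IP deny rule on img/.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/public_html/private" "$demo_root/public_html/img"
printf '%s\n' 'RewriteEngine On' 'RewriteRule ^old$ /new [R=301,L]' \
    > "$demo_root/public_html/.htaccess"
printf '%s\n' 'AuthType Basic' 'AuthUserFile /constructed/path/.htpasswd' \
    'Require valid-user' > "$demo_root/public_html/private/.htaccess"
printf '%s\n' '# constructed deny rule' 'Order allow,deny' 'Allow from all' \
    'Deny from 203.0.113.0/24' > "$demo_root/public_html/img/.htaccess"

list_htaccess_guards "$demo_root/public_html"
echo "directories relying on .htaccess access control: $(count_guarded_dirs "$demo_root/public_html")"
```

Each directory it reports needs an equivalent nginx rule, or has to keep going through Apache, before static files there are served directly.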
 
hi
Restarting nginx.
Starting nginx: nginx: [emerg] listen() to 138.201.112.35:80, backlog 511 failed (98: Address already in use)
nginx: [emerg] listen() to 127.0.0.1:80, backlog 511 failed (98: Address already in use)
nginx: [emerg] bind() to 31.25.89.11:80 failed (99: Cannot assign requested address)
[FAILED]
[root@server1 custombuild]#

What's the problem?
How can I fix it?

Thanks
 