NGINX configuration

    apt-get install nginx-extras

#################################
# Autosan Central Database      #
#  cbda.autosan.pl proxy ssl    #
#  for IBM websphere server     #
#################################

upstream cbda_proxy_ssl {
    server 172.16.4.56:80;
}

server {
    listen 82.177.196.204:80;
    server_name cbda.autosan.pl;
    return 301 https://$server_name$request_uri;
    access_log /var/log/nginx/access.cbda.autosan.pl.log;
    error_log  /var/log/nginx/error.cbda.autosan.pl.log;
    more_clear_headers   "Content-Type: ";
    more_clear_headers   "Accept-Ranges: ";
    more_clear_headers   "Content-Length: ";
}

server {
    listen 82.177.196.204:443 ssl;
    server_name cbda.autosan.pl;
    access_log /var/log/nginx/access.cbda.autosan.pl-ssl.log;
    error_log  /var/log/nginx/error.cbda.autosan.pl-ssl.log;
    more_clear_headers   "Content-Type: ";
    more_clear_headers   "Accept-Ranges: ";
    more_clear_headers   "Content-Length: ";

    # "ssl on;" dropped: the ssl parameter on the listen line already enables TLS here
    ssl_certificate         /etc/ssl/certs/cbda.autosan.pl.cert;
    ssl_certificate_key     /etc/ssl/private/cbda.autosan.pl.key;
    ssl_trusted_certificate /etc/ssl/certs/autosan.pl-cacert.crt;

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;

    ssl_prefer_server_ciphers       on;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only for clients that need them
    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                     ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        # 82.177.196.192/27 is .192-.223; a regex cannot match CIDR notation,
        # so the range is spelled out
        if ($remote_addr ~ "^82\.177\.196\.(19[2-9]|2[01][0-9]|22[0-3])$") {
            proxy_pass http://cbda_proxy_ssl;
            break;  # do not run the rewrite below for this network
        }
        rewrite ^/   https://cbda.autosan.pl/service/service;
    }

    location ~ ^(/service|/resources|/images|/primefaces_resource) {
        proxy_pass http://cbda_proxy_ssl;
        error_page 404 = /404.html;

        #proxy_set_header Host $host;
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
    }

    location @badip {
        return 301 $scheme://example.com/some-page;
    }

    error_page 500 502 503 504 /50x.html;
}

Load Balancing - distributing traffic across several servers

We use the upstream module to define several servers that serve our site. Then, in the "server" block, we pass connections to those servers with

    proxy_pass http://UPSTREAM_LIST_NAME

http {
    upstream myproject {
        server 127.0.0.1:8000 weight=3;
        server 127.0.0.1:8001;
        server 127.0.0.1:8002;
        server 127.0.0.1:8003;
    }

    server {
        listen 80;
        server_name www.domain.com;
        location / {
            proxy_pass http://myproject;
        }
    }
}

VirtualHost

Separate domains can be assigned to different directories. The configuration for each server lives in a "server" block. Configuration files for individual virtual hosts can also be pulled in with include. Here is an example of two virtual hosts serving static files:

http {
    server {
        listen          80;
        server_name     www.domain1.com;
        access_log      logs/domain1.access.log main;

        location / {
            index index.html;
            root  /var/www/domain1.com/htdocs;
        }
    }

    server {
        listen          80;
        server_name     www.domain2.com;
        access_log      logs/domain2.access.log main;

        location / {
            index index.html;
            root  /var/www/domain2.com/htdocs;
        }
    }
}

Static file server

Here is the complete configuration for a simple server serving static content:

user  www-data www-data;
worker_processes  2;

error_log  logs/error.log;
pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       conf/mime.types;
    default_type  application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile     on;
    tcp_nopush   on;
    tcp_nodelay  on;

    server {
        listen       80;
        server_name  moja-domena.com www.inna-domena.com;
        access_log   logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}

PHP via FastCGI

Nginx does not start FastCGI processes itself; that has to be done by another program. To add PHP support, add the following "location" to our configuration:

location ~ \.php$ {
    fastcgi_pass   127.0.0.1:12345;
    fastcgi_index  index.php;

    fastcgi_param  SCRIPT_FILENAME  /usr/local/nginx/html$fastcgi_script_name;
    fastcgi_param  QUERY_STRING     $query_string;
    fastcgi_param  REQUEST_METHOD   $request_method;
    fastcgi_param  CONTENT_TYPE     $content_type;
    fastcgi_param  CONTENT_LENGTH   $content_length;
}

Full configuration:

user  www-data www-data;
worker_processes  2;

error_log  logs/error.log debug;
pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       conf/mime.types;
    default_type  application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile     on;
    tcp_nopush   on;
    tcp_nodelay  on;

    server {
        listen       80;
        server_name  moja-domena.com www.server-name.com;
        access_log   logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm index.php;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:12345
        #
        location ~ \.php$ {
            fastcgi_pass   127.0.0.1:12345;
            fastcgi_index  index.php;

            fastcgi_param  SCRIPT_FILENAME  /usr/local/nginx/html$fastcgi_script_name;
            fastcgi_param  QUERY_STRING     $query_string;
            fastcgi_param  REQUEST_METHOD   $request_method;
            fastcgi_param  CONTENT_TYPE     $content_type;
            fastcgi_param  CONTENT_LENGTH   $content_length;
        }
    }
}

DokuWiki under Nginx

Here is an example from the script's wiki, together with the rewrite rules:

server {
    listen       80;
    # "_ *" and optimize_server_names are legacy directives from old nginx releases
    server_name  _ *;
    port_in_redirect off;
    optimize_server_names off;

    access_log /var/log/nginx/localhost.access.log;

    rewrite ^(/dokuwiki/)_media/(.*)          $1lib/exe/fetch.php?media=$2 last;
    rewrite ^(/dokuwiki/)_detail/(.*)         $1lib/exe/detail.php?media=$2 last;
    rewrite ^(/dokuwiki/)_export/([^/]+)/(.*) $1doku.php?do=export_$2&id=$3 last;

    location / {
        root   /var/www;
        index  index.html index.htm index.php;
    }

    location /dokuwiki/ {
        if (!-f $request_filename) {
            rewrite ^(/dokuwiki/)(.*)?(.*) $1doku.php?id=$2&$3 last;
            rewrite ^(/dokuwiki/)$         $1doku.php last;
        }
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www;
    }

    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:8888;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /var/www$fastcgi_script_name;
        include        /etc/nginx/fastcgi_params;
    }
}
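
An added example, not part of the original page: a tighter variant of the PHP locations shown in the FastCGI and DokuWiki sections. It hands a request to the FastCGI backend only when the requested .php file exists under the document root, and keeps DokuWiki's internal directories from being fetched over HTTP. The document root /var/www, the backend address and the DokuWiki directory list (data, conf, bin, inc) are assumptions about the installation.

```nginx
# Added example (not from the original page). Assumed values: document root
# /var/www, FastCGI backend on 127.0.0.1:12345, DokuWiki under /dokuwiki/.
server {
    listen       80;
    server_name  www.domain1.com;
    root         /var/www;
    index        index.html index.htm index.php;

    # DokuWiki reads these directories from disk through PHP; nothing in
    # them has to be served directly. Regex locations are tried in the
    # order they appear, so this one also wins over the \.php$ location
    # below for paths such as /dokuwiki/inc/*.php.
    location ~ ^/dokuwiki/(data|conf|bin|inc)/ {
        deny all;
    }

    location ~ \.php$ {
        # Answer 404 from nginx itself unless the requested script is a
        # real file under root, so the backend never has to guess which
        # file a path refers to.
        try_files $uri =404;

        fastcgi_pass   127.0.0.1:12345;
        fastcgi_index  index.php;

        # Build the script path from the configured root instead of a
        # hard-coded prefix, so it always matches what try_files checked.
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  QUERY_STRING     $query_string;
        fastcgi_param  REQUEST_METHOD   $request_method;
        fastcgi_param  CONTENT_TYPE     $content_type;
        fastcgi_param  CONTENT_LENGTH   $content_length;
    }

    # Everything else is served as a static file or answered with 404.
    location / {
        try_files $uri $uri/ =404;
    }
}
```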

WebDAV

Synopsis

This module adds the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE.

This module is not compiled by default. It is necessary to enable it at compile-time via

    ./configure --with-http_dav_module

Example:

location / {
  root     /data/www;
  client_body_temp_path  /data/client_temp;

  dav_methods  PUT DELETE MKCOL COPY MOVE;

  create_full_put_path   on;
  dav_access             group:rw  all:r;

  limit_except  GET {
    allow  192.168.1.0/32;
    deny   all;
  }
}

Directives

dav_access

syntax: dav_access user:permissions [users:permissions] ...
default: dav_access user:rw
context: http, server, location

This directive assigns access rights for file and directories, for example:

    dav_access user:rw group:rw all:r;

If assigning any permissions for groups or all, then it's not necessary to indicate permissions for user:

    dav_access group:rw all:r;

dav_methods

syntax: dav_methods [off|put|delete|mkcol|copy|move] ...
default: dav_methods off
context: http, server, location

This directive enables specified HTTP and WebDAV methods. Setting it to off disables all methods, ignoring the remaining parameters.

For the PUT method the destination file must reside on the same partition as the directory where the temporary file is stored (given by directive client_body_temp_path in the location section).

When a file is created using the PUT method it is possible to assign the modification date by setting the Date header.

create_full_put_path

syntax: create_full_put_path on|off
default: create_full_put_path off
context: http, server, location

By default, the PUT method can only create files within existing directories. This directive permits creating all necessary intermediate directories.

Reverse proxy, X-Forwarded-For and the real IP

When we use haproxy (or any other proxy) a small problem appears: the backend sees all connections as coming from the IP of the proxy machine. This is a problem for logging and for some applications. Most web servers have a module that lets you "recover" the IP from the "X-Forwarded-For" header. Of course your proxy must be able to pass such a header, but most do it by default or can do it once the right options are enabled (e.g. haproxy: option forwardfor except 127.0.0.1).

In short:

Lighttpd:

server.modules              = (
            "mod_access",
            "mod_alias",
            "mod_accesslog",
            "mod_expire",
            "mod_compress",
            "mod_rewrite",
            "mod_extforward",
)

extforward.headers = ("X-Forwarded-For")
extforward.forwarder = ("127.0.0.1" => "trust")

extforward must come after mod_accesslog, otherwise the logs will not see the "real" IP (yes, I know, odd).

Apache

    # aptitude install libapache2-mod-rpaf

(on Debian it is enabled automatically with a config that "trusts" 127.0.0.1; if your proxy is somewhere else, change it in /etc/apache2/mods-available/rpaf.conf)

Nginx

    set_real_ip_from 127.0.0.1;
    real_ip_header X-Forwarded-For;

requires nginx from squeeze; the one in lenny is a bit too old
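
An added example, not from the original page: both halves of the nginx setup described above, with the front proxy passing the client address on and the backend accepting the header only from that proxy. The addresses 192.0.2.10 (proxy) and 192.0.2.20 (backend), the upstream name and the log format name are constructed for the example.

```nginx
# Added example (not from the original page). Constructed addresses:
# 192.0.2.10 = front proxy, 192.0.2.20 = backend.

# --- on the front proxy (http context) ----------------------------------
upstream backend_pool {
    server 192.0.2.20:80;
}

server {
    listen 80;
    server_name www.domain.com;

    location / {
        proxy_pass http://backend_pool;
        proxy_set_header Host              $host;
        # Overwrite X-Real-IP with the address nginx itself saw, and append
        # that address to whatever X-Forwarded-For the client sent.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# --- on the backend (http context) --------------------------------------
# Accept the header only from the proxy's address. Connections from any
# other source keep their socket address, whatever headers they carry.
set_real_ip_from  192.0.2.10;
real_ip_header    X-Forwarded-For;
# With more than one trusted proxy in the chain, walk the list from the
# right and stop at the first address that is not a trusted proxy; entries
# supplied by the client sit further left and are never used.
real_ip_recursive on;

# Log the restored client address next to the peer that actually
# connected ($realip_remote_addr), which keeps the proxy hop auditable.
log_format realip '$remote_addr via $realip_remote_addr [$time_local] '
                  '"$request" $status "$http_x_forwarded_for"';

server {
    listen 192.0.2.20:80;
    server_name www.domain.com;
    access_log /var/log/nginx/access.realip.log realip;
    root /var/www;
}
```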

Speedtest with Nginx

Requires the fcgiwrap package to be installed

  aptitude install fcgiwrap

add the following fragment to the nginx configuration (/etc/nginx/sites-enabled/default):

# smokeping
        location /smokeping/ {
                index smokeping.cgi;
                gzip off;
                if ($uri ~ "/smokeping/smokeping.cgi") {
                        fastcgi_pass unix:/var/run/fcgiwrap.socket;
                }
                include fastcgi_params;
        }

Symlink smokeping into the nginx root:

   ln -s /usr/share/smokeping/www /var/www/smokeping
   ln -s /usr/share/smokeping/cgi-bin/smokeping.cgi /var/www/smokeping/

Load balancer

Using Nginx as a load balancer
30 December 2009

Here’s a look at how nginx does basic load balancing:

upstream  yoursite  {
   server   yoursite1.yoursite.com;
   server   yoursite2.yoursite.com;
}

server {
   server_name www.yoursite.com;
   location / {
      proxy_pass  http://yoursite;
   }
}

This configuration will send 50% of the requests for www.yoursite.com to yoursite1.yoursite.com and the other 50% to yoursite2.yoursite.com.

ip_hash

You can specify the ip_hash directive that guarantees the client request will always be transferred to the same server.
If this server is considered inoperative, then the request of this client will be transferred to another server.

upstream  yoursite  {
   ip_hash;
   server   yoursite1.yoursite.com;
   server   yoursite2.yoursite.com;
}

down

If one of the servers must be removed for some time, you must mark that server as down.

upstream  yoursite  {
   ip_hash;
   server   yoursite1.yoursite.com down;
   server   yoursite2.yoursite.com;
}

weight

If you add a weight tag onto the end of the server definition you can modify the percentages of the requests sent to the servers.
When there’s no weight set, the weight is equal to one.

upstream  yoursite  {
   server   yoursite1.yoursite.com weight=4;
   server   yoursite2.yoursite.com;
}

This configuration will send 80% of the requests to yoursite1.yoursite.com and the other 20% to yoursite2.yoursite.com.

note: It’s not possible to combine ip_hash and weight directives.

max_fails and fail_timeout

max_fails is a directive defining the number of unsuccessful attempts in the time period defined by fail_timeout before the server is considered inoperative.
If not set, the number of attempts is one. A value of 0 turns off this check.
If fail_timeout is not set the time is 10 seconds.

upstream  yoursite  {
   server   yoursite1.yoursite.com;
   server   yoursite2.yoursite.com max_fails=3  fail_timeout=30s;
}

In this configuration nginx will consider yoursite2.yoursite.com as inoperative if a request fails 3 times with a 30s timeout.

backup

If the non-backup servers are all down or busy, the server(s) with the backup directive will be used.

upstream  yoursite  {
   server   yoursite1.yoursite.com max_fails=3;
   server   yoursite2.yoursite.com max_fails=3;
   server   yoursite3.yoursite.com backup;
}

This configuration will send 50% of the requests for www.yoursite.com to yoursite1.yoursite.com and the other 50% to yoursite2.yoursite.com.
If yoursite1.yoursite.com and yoursite2.yoursite.com both fail 3 times the requests will be sent to yoursite3.yoursite.com.

http://wiki.nginx.org/HttpUpstreamModule