* Removed images from gzip_types. Added reverse proxy setup. PHP uses

upstream now.
perusio · Mar 1, 2011 · 0cfd85e · 0cfd85e
1 parent c58dc02
commit 0cfd85e
Show file tree

Hide file tree

Showing 7 changed files with 79 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -43,7 +43,11 @@
       [Strict Transport Security](http://www.cromium.org/sts "STS")
       for protecting against MiTM attacks like
       [sslstrip](http://www.thoughtcrime.org/software/sslstrip/ "SSL strip script").
-   7. IPv6 and IPv4 support.   
+   7. IPv6 and IPv4 support.
+
+   8. Possibility of using **Apache** as a backend for dealing with
+      PHP. Meaning using Nginx as
+      [reverse proxy](http://wiki.nginx.org/HttpProxyModule "Nginx Proxy Module").
 
 ## Basic Auth and HTTPS
 
@@ -77,6 +81,15 @@
    then accordingly change its name in the virtual host config
    file, `chive.example.com` or `secure.chive.example.com`.
 
+## Nginx as a Reverse Proxy: Proxying to Apache for PHP
+
+   If you **absolutely need** to use the rather _bad habit_ of
+   deploying web apps relying on `.htaccess`, or you just want to use
+   Nginx as a reverse proxy. The config allows you to do so. Note that
+   this provides some benefits over using only Apache, since Nginx is
+   much faster than Apache. Furthermore you can use the proxy cache
+   and/or use Nginx as a load balancer.    
+
 ## Installation
 
    1. Move the old `/etc/nginx` directory to `/etc/nginx.old`.
@@ -92,7 +105,23 @@
 
    4. Setup the PHP handling method. It can be:
 
-      + Upstream HTTP server like Apache with mod_php
+      + Upstream HTTP server like Apache with mod_php. To use this
+        method comment out the `include upstream_phpcgi.conf;`
+        line in `nginx.conf` and uncomment the lines:
+
+            include reverse_proxy.conf;
+            include upstream_phpapache.conf;
+
+        Now you must set the proper address and port for your
+        backend(s) in the `upstream_phpapache.conf`. By default it
+        assumes the loopback `127.0.0.1` interface on port
+        `8080`. Adjust accordingly to reflect your setup.
+
+        Comment out **all**  `fastcgi_pass` directives in either
+        `drupal_boost.conf` or `drupal_boost_drush.conf`, depending
+        which config layout you're using. Uncomment out all the
+        `proxy_pass` directives. They have a comment around them,
+        stating these instructions.
 
       + FastCGI process using php-cgi. In this case an
         [init script](https://github.com/perusio/php-fastcgi-debian-script

diff --git a/nginx.conf b/nginx.conf
@@ -1,4 +1,4 @@
-# -*- mode: conf; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+# -*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
 user www-data;
 worker_processes  4;
 
@@ -49,6 +49,9 @@ http {
 
     ## Reset lingering timed out connections. Deflect DDoS.
     reset_timedout_connection on;
+
+    ## Body size.
+    client_max_body_size 10m;
 
     ## TCP options.
     tcp_nodelay        on;
@@ -60,7 +63,7 @@ http {
     gzip_comp_level   1;
     gzip_http_version 1.1;
     gzip_min_length   10;
-    gzip_types        text/plain text/css image/png image/gif image/jpeg application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
+    gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
     gzip_vary         on;
     gzip_proxied      any; # Compression for all requests.
     ## No need for regexps. See
@@ -74,6 +77,13 @@ http {
     ## Hide the Nginx version number.
     server_tokens off;
 
+    ## Use a SSL/TLS cache for SSL session resume. This needs to be
+    ## here (in this context, for session resumption to work. See this
+    ## thread on the Nginx mailing list:
+    ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
     ## For the filefield_nginx_progress module to work. From the
     ## README. Reserve 1MB under the name 'uploads' to track uploads.
     upload_progress uploads 1m;
@@ -83,6 +93,14 @@ http {
     ## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
     add_header X-Frame-Options sameorigin;
 
+    ## Include the upstream servers for PHP FastCGI handling config.
+    include upstream_phpcgi.conf;
+
+    ## Include the upstream servers for Apache handling the PHP
+    ## processes. In this case Nginx functions as a reverse proxy.
+    #include reverse_proxy.conf;
+    #include upstream_phpapache.conf;
+
     ## Include all vhosts. 
     include /etc/nginx/sites-enabled/*;
 }
diff --git a/reverse_proxy.conf b/reverse_proxy.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+
+### Configuration for reverse proxy. Passing the necessary headers to
+### the backend. Nginx doesn't tunnel the connection, it opens a new
+### one. Hence whe need to send these headers to the backend so that
+### the client(s) IP is available to them. The host is also sent.
+
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $http_host; 
diff --git a/sites-available/chive.example.com b/sites-available/chive.example.com
@@ -64,7 +64,7 @@ server {
             fastcgi_param PATH_INFO $path_info;
             ## Passing the request upstream to the FastCGI
             ## listener.
-            fastcgi_pass unix:/tmp/php-cgi/php-cgi.socket;
+            fastcgi_pass phpcgi;
         }
 
         ## Protect these locations. Replicating the .htaccess

diff --git a/sites-available/secure.chive.example.com b/sites-available/secure.chive.example.com
@@ -90,7 +90,7 @@ server {
             fastcgi_param PATH_INFO $path_info;
             ## Passing the request upstream to the FastCGI
             ## listener.
-            fastcgi_pass unix:/tmp/php-cgi/php-cgi.socket;
+            fastcgi_pass php-cgi;
         }
 
         ## Protect these locations. Replicating the .htaccess

diff --git a/upstream_phpapache.conf b/upstream_phpapache.conf
@@ -0,0 +1,8 @@
+# -*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+
+### Upstream configuration for Apache functioning has a PHP handler.
+
+## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule.
+upstream phpapache {
+    server 127.0.0.1:8080;
+}
diff --git a/upstream_phpcgi.conf b/upstream_phpcgi.conf
@@ -0,0 +1,8 @@
+# -*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+
+### Upstream configuration for PHP FastCGI.
+
+## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule.
+upstream phpcgi {
+    server unix:/tmp/php-cgi/php-cgi.socket;
+}