Template:Installation/Reverse proxy: Difference between revisions

mNo edit summary
Line 24: Line 24:
   worker_connections  1024;
   worker_connections  1024;
}
}
http {
http {
   include      mime.types;
   include      mime.types;
   default_type  application/octet-stream;
   default_type  application/octet-stream;
Line 38: Line 36:
   gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
   gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
   gzip_disable      "MSIE [1-6]\.(?!.*SV1)";
   gzip_disable      "MSIE [1-6]\.(?!.*SV1)";
server_names_hash_bucket_size      128;
server_names_hash_bucket_size      128;
upstream thin_cluster {
upstream thin_cluster {
   server          0.0.0.0:3000;
   server          0.0.0.0:3000;
}
}
server {
server {
   listen      80;
   listen      80;
Line 51: Line 45:
   rewrite      ^(.*) https://SERVERNAME.NET$1 permanent;
   rewrite      ^(.*) https://SERVERNAME.NET$1 permanent;
}
}
server {
server {
   listen      443 default_server ssl;
   listen      443 default_server ssl;
   server_name  192.168.11.100 SERVERNAME.NET;
   server_name  192.168.11.100 SERVERNAME.NET;
   root        /home/diaspora/diaspora/public/;
   root        /home/diaspora/diaspora/public/;
   ssl on;
   ssl on;
   ssl_certificate      /etc/nginx/ssl-unified.crt;
   ssl_certificate      /etc/nginx/ssl-unified.crt;
   ssl_certificate_key  /etc/nginx/ssl.key;
   ssl_certificate_key  /etc/nginx/ssl.key;
   
  location /uploads/images {
location /uploads/images {
   expires 1d;
   expires 1d;
   add_header Cache-Control public;
   add_header Cache-Control public;
Line 69: Line 60:
   add_header Cache-Control public;
   add_header Cache-Control public;
   }
   }
location ~ .php$ {
location ~ .php$ {
     try_files $uri =404;
     try_files $uri =404;
Line 82: Line 72:
     include fastcgi_params;
     include fastcgi_params;
     }
     }
location / {
location / {
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Real-IP $remote_addr;
Line 91: Line 80:
   client_max_body_size 4M;
   client_max_body_size 4M;
   client_body_buffer_size 128K;
   client_body_buffer_size 128K;
if (-f $request_filename/index.html) {
if (-f $request_filename/index.html) {
     rewrite (.*) $1/index.html break;
     rewrite (.*) $1/index.html break;
Line 103: Line 91:
   }
   }
}
}
   error_page 500 502 503 504 /50x.html;
   error_page 500 502 503 504 /50x.html;
   location = /50x.html {
   location = /50x.html {

Revision as of 16:30, 12 December 2014

Reverse proxy

You most likely already have a web server running on port 80 (HTTP) and 443 (HTTPS). It should also serve diaspora*'s static content and forward all other requests to the diaspora* application. Here are some example configurations to achieve that:

The reverse proxy is quite tricky if you have no idea what nginx does. I searched the web and merged some configs; this one works for me. Cut and paste it, replacing SERVERNAME.NET with your domain name, and of course the paths to the public directory and to the certificate and key (the key file referenced by ssl_certificate_key should be owned by root and readable by nobody else).

The problem here is not really nginx but SELinux on CentOS: the denials show up in /var/log/audit/audit.log, and it took me a long while to figure out that SELinux was blocking nginx's requests to the application. The command below generated a local policy module that fixed it. Review the generated mydiaspora.te before loading it, because audit2allow turns every nginx denial found in the log into an allow rule, not only the one you are debugging; when the only denial is nginx connecting to the application port, the narrower fix is usually the `httpd_can_network_connect` boolean (`setsebool -P httpd_can_network_connect 1`) rather than a custom module. I also disabled the other firewall layers and used only iptables — if you do the same, make sure the iptables rules still restrict the application port (3000 in this config) to localhost, since nothing else stops clients from bypassing the TLS proxy.

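# Build an SELinux policy module from the denials that audit logged for nginx
# (in this setup: nginx being refused the connection to the app on :3000).
# audit2allow -M writes mydiaspora.te (readable source) and mydiaspora.pp;
# read the .te first -- it allows *every* nginx denial in the log, not just
# the one you are chasing -- then load it with: semodule -i mydiaspora.pp
grep nginx /var/log/audit/audit.log | grep denied | audit2allow -M mydiaspora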


cat nginx.conf

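worker_processes 1;
daemon on;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    keepalive_timeout 65;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    # NOTE(security): nginx compresses text/html regardless of gzip_types, and
    # HTML is where the application's CSRF tokens travel. Compression of
    # responses that mix attacker-controlled input and secrets, over TLS, is
    # the precondition for BREACH-style attacks. This config serves only over
    # TLS (see the port-80 redirect below); if that trade-off is not
    # acceptable for your pod, set "gzip off;".
    gzip              on;
    gzip_http_version 1.0;
    gzip_comp_level   2;
    gzip_proxied      any;
    gzip_buffers      16 8k;
    gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_disable      "MSIE [1-6]\.(?!.*SV1)";

    server_names_hash_bucket_size 128;

    # The application server (thin) that receives every non-static request.
    # 0.0.0.0 as a *connect* target happens to reach the local host on Linux
    # but is misleading; say 127.0.0.1. More important: make sure the
    # application itself listens on 127.0.0.1 only -- otherwise port 3000 is
    # reachable from the network, bypassing TLS and every header set below.
    upstream thin_cluster {
        server 127.0.0.1:3000;
    }

    # Plain HTTP: redirect everything to HTTPS, serve nothing.
    # "return 301 ... $request_uri" is the idiomatic form of the old
    # "rewrite ^(.*) https://SERVERNAME.NET$1 permanent;" and keeps the query string.
    server {
        listen      80;
        server_name 192.168.11.100 SERVERNAME.NET;
        return 301 https://SERVERNAME.NET$request_uri;
    }

    server {
        # "ssl" on the listen directive replaces the deprecated "ssl on;".
        listen      443 ssl default_server;
        server_name 192.168.11.100 SERVERNAME.NET;
        root        /home/diaspora/diaspora/public/;

        ssl_certificate     /etc/nginx/ssl-unified.crt;  # server cert followed by the intermediate chain
        ssl_certificate_key /etc/nginx/ssl.key;          # root-owned, mode 0600; nginx reads it before dropping privileges

        # Without these nginx uses whatever its build defaults to, which on
        # older releases still includes SSLv3. Pin TLS 1.2 (add TLSv1.3 once
        # your nginx/OpenSSL build supports it) and let the server, not the
        # client, pick the cipher suite.
        ssl_protocols             TLSv1.2;
        ssl_prefer_server_ciphers on;

        # Static content served straight from public/.
        # Caveat: an "add_header" inside a location *replaces* the add_header
        # set inherited from the server level rather than extending it, so a
        # security header added at server level (e.g. Strict-Transport-Security,
        # which fits a pod that already redirects all HTTP to HTTPS) must be
        # repeated in each of these locations.
        location /uploads/images {
            expires 1d;
            add_header Cache-Control public;
        }
        location /assets {
            expires 1d;
            add_header Cache-Control public;
        }

        # PHP handler carried over from a merged config. diaspora* is a Ruby
        # application and does not need it; remove this block unless you really
        # serve PHP from this document root -- a PHP handler on a tree that
        # also contains user uploads (/uploads) is exactly what you do not want.
        # If kept: the dot must be escaped (the original ".php$" matched any
        # character before "php"), and "try_files $uri =404" must stay so that
        # requests for scripts that do not exist are never handed to php-fpm.
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_buffers 8 16k;
            fastcgi_buffer_size 32k;
            fastcgi_connect_timeout 300;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 300;
            include fastcgi_params;
        }

        # Everything else: serve a matching static file if one exists --
        # checked in the same order as the original "if (-f ...)" chain:
        # "<path>/index.html", then "<path>.html", then the path itself --
        # and hand the request to the application otherwise. try_files
        # replaces the "if" blocks, which nginx documents as fragile inside
        # location context. One difference: a request for an existing
        # directory with a trailing slash is now answered by nginx (403 when
        # it has no index.html) instead of being proxied.
        location / {
            try_files $uri/index.html $uri.html $uri @diaspora;
        }

        location @diaspora {
            proxy_set_header X-Real-IP        $remote_addr;
            # $proxy_add_x_forwarded_for appends $remote_addr to whatever the
            # client already sent in X-Forwarded-For; the application must only
            # trust the right-most entry (or use X-Real-IP) when it logs or
            # rate-limits by client address.
            proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header Host             $http_host;
            # Hard-coded "https" is correct because this server block only
            # listens with TLS; do not copy it into a plain-HTTP vhost.
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            # Upload limit as seen by the application. Kept in the location
            # that does the proxying, because the body size is checked when
            # the request body is read for proxy_pass.
            client_max_body_size    4M;
            client_body_buffer_size 128K;
            proxy_pass http://thin_cluster;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
            # NOTE: with proxy_pass present, "root html" is never used -- the
            # error page is itself fetched from the application, which is
            # usually the component that is down when a 502/503 occurs. Drop
            # the three proxy_* lines to serve the static html/50x.html instead.
            proxy_pass http://localhost:3000;
            proxy_read_timeout 90;
            proxy_redirect http://localhost:3000 https://SERVERNAME.NET;
        }
    }
}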