Template:Installation/Reverse proxy: Difference between revisions
m (→Reverse proxy) |
mNo edit summary |
||
Line 24: | Line 24: | ||
worker_connections 1024; | worker_connections 1024; | ||
} | } | ||
http { | http { | ||
include mime.types; | include mime.types; | ||
default_type application/octet-stream; | default_type application/octet-stream; | ||
Line 38: | Line 36: | ||
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; | gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; | ||
gzip_disable "MSIE [1-6]\.(?!.*SV1)"; | gzip_disable "MSIE [1-6]\.(?!.*SV1)"; | ||
server_names_hash_bucket_size 128; | server_names_hash_bucket_size 128; | ||
upstream thin_cluster { | upstream thin_cluster { | ||
server 0.0.0.0:3000; | server 0.0.0.0:3000; | ||
} | } | ||
server { | server { | ||
listen 80; | listen 80; | ||
Line 51: | Line 45: | ||
rewrite ^(.*) https://SERVERNAME.NET$1 permanent; | rewrite ^(.*) https://SERVERNAME.NET$1 permanent; | ||
} | } | ||
server { | server { | ||
listen 443 default_server ssl; | listen 443 default_server ssl; | ||
server_name 192.168.11.100 SERVERNAME.NET; | server_name 192.168.11.100 SERVERNAME.NET; | ||
root /home/diaspora/diaspora/public/; | root /home/diaspora/diaspora/public/; | ||
ssl on; | ssl on; | ||
ssl_certificate /etc/nginx/ssl-unified.crt; | ssl_certificate /etc/nginx/ssl-unified.crt; | ||
ssl_certificate_key /etc/nginx/ssl.key; | ssl_certificate_key /etc/nginx/ssl.key; | ||
location /uploads/images { | |||
location /uploads/images { | |||
expires 1d; | expires 1d; | ||
add_header Cache-Control public; | add_header Cache-Control public; | ||
Line 69: | Line 60: | ||
add_header Cache-Control public; | add_header Cache-Control public; | ||
} | } | ||
location ~ .php$ { | location ~ .php$ { | ||
try_files $uri =404; | try_files $uri =404; | ||
Line 82: | Line 72: | ||
include fastcgi_params; | include fastcgi_params; | ||
} | } | ||
location / { | location / { | ||
proxy_set_header X-Real-IP $remote_addr; | proxy_set_header X-Real-IP $remote_addr; | ||
Line 91: | Line 80: | ||
client_max_body_size 4M; | client_max_body_size 4M; | ||
client_body_buffer_size 128K; | client_body_buffer_size 128K; | ||
if (-f $request_filename/index.html) { | if (-f $request_filename/index.html) { | ||
rewrite (.*) $1/index.html break; | rewrite (.*) $1/index.html break; | ||
Line 103: | Line 91: | ||
} | } | ||
} | } | ||
error_page 500 502 503 504 /50x.html; | error_page 500 502 503 504 /50x.html; | ||
location = /50x.html { | location = /50x.html { |
Revision as of 16:30, 12 December 2014
Reverse proxy
You most likely already have a web server running on ports 80 (HTTP) and 443 (HTTPS). It should also serve Diaspora's static content and forward all other requests to Diaspora. Here are some example configurations to achieve that:
- Apache: https://gist.github.com/719014
- Nginx: https://gist.github.com/1355430
The reverse proxy is quite tricky if you have no idea what nginx does. I searched the web and merged some configs; this one works for me. Copy and paste it, replacing SERVERNAME.NET with your domain name and, of course, adjusting the path to the public directory and the paths to the certificates.
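The problem here is not really nginx but the CentOS audit system (SELinux): it took me a long while to figure out that it was blocking requests. Basically this fixed it (plus disabling all hidden firewalls and just enabling iptables). The command below only builds a policy module from the logged nginx denials; read the generated mydiaspora.te to see what it allows, then load it with semodule -i mydiaspora.pp.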
cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mydiaspora
cat nginx.conf
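# nginx.conf: TLS-terminating reverse proxy in front of the Diaspora app
# server ("thin") on port 3000. Static files are served from the public
# directory; everything else is forwarded to the upstream.
# Replace SERVERNAME.NET, the IP address, the root path and the certificate
# paths with your own values.
worker_processes 1;
daemon on;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_proxied any;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    server_names_hash_bucket_size 128;

    upstream thin_cluster {
        # 0.0.0.0 is a bind address, not a destination; connect to the
        # loopback address explicitly. The app server itself should also
        # listen on loopback only so port 3000 is not reachable around the proxy.
        server 127.0.0.1:3000;
    }

    # Plain HTTP: redirect everything to the HTTPS site.
    server {
        listen 80;
        server_name 192.168.11.100 SERVERNAME.NET;
        # "return" with $request_uri is the documented form for a
        # whole-site redirect and keeps the original path and query string.
        return 301 https://SERVERNAME.NET$request_uri;
    }

    server {
        # The "ssl" parameter on listen enables TLS for this socket; the
        # separate "ssl on;" directive was redundant here, is deprecated and
        # has been removed from current nginx releases.
        listen 443 default_server ssl;
        server_name 192.168.11.100 SERVERNAME.NET;
        root /home/diaspora/diaspora/public/;

        ssl_certificate /etc/nginx/ssl-unified.crt;
        # The private key should be readable only by root / the nginx master.
        ssl_certificate_key /etc/nginx/ssl.key;
        # Set the protocol list explicitly: nginx builds of this page's era
        # still enabled SSLv3 by default. Add TLSv1.3 where the nginx/OpenSSL
        # build supports it.
        ssl_protocols TLSv1.2;

        # "^~" stops regex locations from being evaluated for this prefix, so
        # a file in the upload directory is always served as a static file
        # and is never handed to the PHP handler below.
        location ^~ /uploads/images {
            expires 1d;
            add_header Cache-Control public;
        }

        location /assets {
            expires 1d;
            add_header Cache-Control public;
        }

        # The dot must be escaped; an unescaped "." matches any character,
        # so ".php$" also matched URIs that merely end in "php".
        # NOTE(review): Diaspora itself is not a PHP application; if nothing
        # under this root needs PHP, drop this location entirely.
        location ~ \.php$ {
            # Only pass requests for files that exist on disk to PHP-FPM.
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_buffers 8 16k;
            fastcgi_buffer_size 32k;
            fastcgi_connect_timeout 300;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 300;
            include fastcgi_params;
        }

        location / {
            # X-Real-IP carries the address nginx saw. X-Forwarded-For has
            # that address appended to whatever the client sent, so the
            # application should rely only on the entry added by this proxy.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # NOTE(review): $http_host is the client-supplied Host header, and
            # this is the default_server, so any Host value is forwarded;
            # confirm the application does not build links from it.
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            client_max_body_size 4M;
            client_body_buffer_size 128K;

            # Serve a static file when one exists, otherwise proxy to the app.
            if (-f $request_filename/index.html) {
                rewrite (.*) $1/index.html break;
            }
            if (-f $request_filename.html) {
                rewrite (.*) $1.html break;
            }
            if (!-f $request_filename) {
                proxy_pass http://thin_cluster;
                break;
            }
        }

        error_page 500 502 503 504 /50x.html;
        # NOTE(review): the error page is requested from the same backend on
        # port 3000, which may be the component that is failing; "root html"
        # has no effect on a proxied request. Confirm this is intended.
        location = /50x.html {
            root html;
            proxy_pass http://localhost:3000;
            proxy_read_timeout 90;
            proxy_redirect http://localhost:3000 https://SERVERNAME.NET;
        }
    }
}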