Template:Installation/Reverse proxy: Difference between revisions

No edit summary
Line 5: Line 5:
* '''Apache''': https://gist.github.com/719014
* '''Apache''': https://gist.github.com/719014
* '''Nginx''': https://gist.github.com/1355430
* '''Nginx''': https://gist.github.com/1355430
The reverse Proxy is quite Tricky if you have no idea what nginx does.
ive searched the web and merged some configs, this one works for me,
cut and paste replace SERVERNAME.NET for your domain name. and ofcourse the PATH for PUBLIC and Certifactes
Problem here is not really NGinX but centos AUDIT, it took me a LONG while to figure out
that the AUDIT system was blocking requests
Basically this fixed it (+ disabling all hidden firewalls and just enabling iptables)
cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mydiaspora
cat nginx.conf
worker_processes 1;
daemon on;
events {
  worker_connections  1024;
}
http {
  include      mime.types;
  default_type  application/octet-stream;
  sendfile on;
  keepalive_timeout  65;
  gzip              on;
  gzip_http_version 1.0;
  gzip_comp_level  2;
  gzip_proxied      any;
  gzip_buffers      16 8k;
  gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_disable      "MSIE [1-6]\.(?!.*SV1)";
server_names_hash_bucket_size      128;
upstream thin_cluster {
  server          0.0.0.0:3000;
}
server {
  listen      80;
  server_name  192.168.11.100 SERVERNAME.NET ;
  rewrite      ^(.*) https://SERVERNAME.NET$1 permanent;
}
server {
  listen      443 default_server ssl;
  server_name  192.168.11.100 SERVERNAME.NET;
  root        /home/diaspora/diaspora/public/;
  ssl on;
  ssl_certificate      /etc/nginx/ssl-unified.crt;
  ssl_certificate_key  /etc/nginx/ssl.key;
location /uploads/images {
  expires 1d;
  add_header Cache-Control public;
  }
  location /assets {
  expires 1d;
  add_header Cache-Control public;
  }
location ~ .php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    include fastcgi_params;
    }
location / {
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Proto https;
  proxy_redirect off;
  client_max_body_size 4M;
  client_body_buffer_size 128K;
if (-f $request_filename/index.html) {
    rewrite (.*) $1/index.html break;
  }
  if (-f $request_filename.html) {
    rewrite (.*) $1.html break;
  }
  if (!-f $request_filename) {
    proxy_pass http://thin_cluster;
    break;
  }
}
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
  root html;
  proxy_pass http://localhost:3000;
  proxy_read_timeout 90;
  proxy_redirect http://localhost:3000 https://SERVERNAME.NET;
}
}
}
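Review bot: The TLS server block (`ssl on;` through `ssl_certificate_key`) sets no `ssl_protocols` or `ssl_ciphers`, so whatever the installed nginx/OpenSSL build defaults to is what clients get, and on builds of this era that still includes SSLv3; add `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, `ssl_ciphers HIGH:!aNULL:!MD5;` and `ssl_prefer_server_ciphers on;` next to the certificate lines. The `location ~ .php$` block hands `.php` requests to php5-fpm although everything else in this config proxies to thin on port 3000 (a Ruby app server), so it is unused attack surface and should be removed. The `location = /50x.html` block proxies the error page back to `localhost:3000`, the same upstream whose failure triggered the error page, so a dead application produces another 502 instead of the static page; drop the `proxy_pass` and `proxy_redirect` lines there and let `root html;` serve the file. The `cat … | audit2allow -M mydiaspora` line only generates `mydiaspora.pp`; it has to be loaded with `semodule -i mydiaspora.pp` to take effect, and the generated module allows every denial nginx produced, which is broader than the single `httpd_can_network_connect` boolean a proxy to a local port usually needs.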

Revision as of 16:29, 12 December 2014

Reverse proxy

You most likely already have a web server running on port 80 (HTTP) and 443 (HTTPS). It should also serve diaspora*'s static content (the `public/` directory) directly and forward all other requests to diaspora*. Here are some example configurations to achieve that:

Setting up the reverse proxy is tricky if you have no idea what nginx does. I searched the web and merged several configs; the one below works for me. Copy it and replace SERVERNAME.NET with your domain name, and of course adjust the path to diaspora*'s `public/` directory and the paths to your certificate and key.

The problem here was not really nginx but SELinux on CentOS (its denials are recorded by the audit system); it took me a long while to figure out that SELinux was blocking nginx's requests to the application. Basically the following fixed it. (The original author also disabled all other firewalls and used only iptables; that is not recommended — keep the host firewall enabled and only open ports 80 and 443.)

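# Generate an SELinux policy module from the denials logged for nginx, then
# load it. `audit2allow -M` only writes mydiaspora.te / mydiaspora.pp; nothing
# takes effect until the module is installed with semodule.
# Review mydiaspora.te before installing: the module permits every denial
# found in the log, not only the proxy connection to the application. For
# nginx proxying to a local port the targeted fix is usually the boolean
# `setsebool -P httpd_can_network_connect 1`; try that before a custom module.
grep nginx /var/log/audit/audit.log | grep denied | audit2allow -M mydiaspora
semodule -i mydiaspora.pp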


cat nginx.conf

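# nginx reverse proxy in front of diaspora* (thin application server on port 3000).
# Replace SERVERNAME.NET with your domain and adjust the root and certificate paths.
worker_processes 1;
daemon on;

events {
  worker_connections 1024;
}

http {
  include       mime.types;
  default_type  application/octet-stream;
  sendfile      on;
  keepalive_timeout 65;

  gzip              on;
  gzip_http_version 1.0;
  gzip_comp_level   2;
  gzip_proxied      any;
  gzip_buffers      16 8k;
  gzip_types        text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_disable      "MSIE [1-6]\.(?!.*SV1)";

  server_names_hash_bucket_size 128;

  # The application server. Connect over loopback only; thin should likewise be
  # bound to 127.0.0.1 so that port 3000 is not reachable except through nginx.
  upstream thin_cluster {
    server 127.0.0.1:3000;
  }

  # Plain HTTP: redirect everything to HTTPS, preserving path and query string.
  server {
    listen      80;
    server_name 192.168.11.100 SERVERNAME.NET;
    return 301 https://SERVERNAME.NET$request_uri;
  }

  server {
    listen      443 default_server ssl;
    server_name 192.168.11.100 SERVERNAME.NET;
    root        /home/diaspora/diaspora/public/;

    ssl on;
    ssl_certificate      /etc/nginx/ssl-unified.crt;   # server certificate followed by the intermediate chain
    ssl_certificate_key  /etc/nginx/ssl.key;
    # Without explicit settings nginx uses the library defaults, which on older
    # builds still include SSLv3 and weak cipher suites.
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers               HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Request-body limits for uploads. Set at server level so they also apply to
    # requests handed to the application via the named location below.
    client_max_body_size    4M;
    client_body_buffer_size 128K;

    # Static content: cacheable for a day.
    location /uploads/images {
      expires 1d;
      add_header Cache-Control public;
    }
    location /assets {
      expires 1d;
      add_header Cache-Control public;
    }

    # NOTE: an earlier version of this config had a `location ~ .php$` block that
    # passed requests to php5-fpm. diaspora* is a Ruby application served by thin
    # and does not use PHP; the block was unused attack surface and was removed.

    # Serve files straight out of public/ when they exist, otherwise hand the
    # request to the application. try_files replaces the old `if (-f ...)` chain.
    location / {
      try_files $uri $uri/index.html $uri.html @diaspora;
    }

    location @diaspora {
      proxy_set_header X-Real-IP         $remote_addr;
      proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header Host              $http_host;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect   off;
      proxy_pass       http://thin_cluster;
    }

    # Error page for upstream failures. It must be served as a static file:
    # proxying it back to the application (as the old config did) would only
    # reproduce the failure that triggered it.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
      root html;
    }
  }
}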