
Reverse Proxy with NGINX

Jason Munro edited this page Jul 14, 2017 · 3 revisions

Try to use this for nginx running as a reverse proxy

  • Configure Nginx as Proxy for PHP Applications in a Sub-URI via SSL

Use the following to serve the PHP application [instance] via https://www.[my.domain]/[instance], with redirection from http://[instance].[my.domain] and http://www.[my.domain]/[instance].

Set the required variables:

$ setenv VIRTUAL_DOMAIN [my.domain]
$ setenv INSTANCE [instance]
$ setenv PROXY_CACHE_EXPIRY [validity of proxy cache with unit (m|h|d|w)]
$ setenv APPLICATION_SERVER www_php.jail.vlan
$ setenv APPLICATION_PORT [10000]
$ setenv SHORTCUT [shortcut]
$ setenv SHORTCUT_DOMAIN ${SHORTCUT}.${VIRTUAL_DOMAIN}

Replace placeholders in [brackets] as required. Increment APPLICATION_PORT by +1 for each instance, and keep it in sync with the PHP-FPM UID. Set PROXY_CACHE_EXPIRY to 0 to disable caching.

From within the jail, create the [instance]-specific http configuration file as follows:

$ echo "# handle ${INSTANCE} at /${INSTANCE}" > /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo "location /${INSTANCE} {" >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo ' # redirect to https' >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo ' return 301 https://$host$request_uri;' >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo '}' >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf

From within the jail, create the [instance]-specific https configuration file as follows:

$ echo "# handle ${INSTANCE} at /${INSTANCE}" > /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo "location /${INSTANCE} {" >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo " # add trailing slash to /${INSTANCE}" >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo " rewrite ^/${INSTANCE}"'$ https://$host/'"${INSTANCE}/ permanent;" >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo " # enable proxy cache" >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo " proxy_cache ${VIRTUAL_DOMAIN}_proxy_cache;" >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo " expires ${PROXY_CACHE_EXPIRY};" >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo ' # try to serve static files from Nginx' >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo ' try_files $uri $uri/ @'"${INSTANCE};" >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo '}' >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo "location @${INSTANCE} {" >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo " proxy_pass http://${APPLICATION_SERVER}:${APPLICATION_PORT};" >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
$ echo '}' >> /usr/local/etc/nginx/include/${VIRTUAL_DOMAIN}/https/${INSTANCE}.conf
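
The same https file can be written in one step, with each value checked before it is interpolated into a file path and into nginx directives. This is an added example, not part of the original page: it is POSIX sh rather than the csh used above, and the function names and accepted character sets are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page). Function names and the
# accepted character sets are assumptions; adjust them to your naming scheme.

# Names end up in a file path and in nginx directives: allow [A-Za-z0-9_-] only.
valid_name() { case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac; }
# Host names: same set plus dots, no leading dot, no empty labels.
valid_host() { case $1 in ''|.*|*..*|*[!A-Za-z0-9._-]*) return 1 ;; esac; }
# Port: decimal digits, 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
# Expiry: digits with an optional m|h|d|w unit (0 disables caching).
valid_expiry() { case ${1%[mhdw]} in ''|*[!0-9]*) return 1 ;; esac; }

# render_https_conf OUTDIR INSTANCE DOMAIN EXPIRY SERVER PORT
render_https_conf() {
    valid_name "$2"   || { echo "invalid instance: $2" >&2; return 1; }
    valid_host "$3"   || { echo "invalid domain: $3" >&2; return 1; }
    valid_expiry "$4" || { echo "invalid expiry: $4" >&2; return 1; }
    valid_host "$5"   || { echo "invalid server: $5" >&2; return 1; }
    valid_port "$6"   || { echo "invalid port: $6" >&2; return 1; }
    cat > "$1/$2.conf" <<EOF
# handle $2 at /$2
location /$2 {
    # add trailing slash to /$2
    rewrite ^/$2\$ https://\$host/$2/ permanent;
    # enable proxy cache
    proxy_cache $3_proxy_cache;
    expires $4;
    # try to serve static files from Nginx
    try_files \$uri \$uri/ @$2;
}
location @$2 {
    # forward everything else to the application server
    proxy_pass http://$5:$6;
}
EOF
}

# Usage: sh render.sh OUTDIR INSTANCE DOMAIN EXPIRY SERVER PORT
if [ "$#" -eq 6 ]; then render_https_conf "$@"; fi
```

Rejected values leave no file behind, because every check runs before the redirect opens the output file.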

We also want to redirect requests from http://[shortcut].[my.domain] to http://www.[my.domain]/[instance].

From within the jail, create the [instance]-specific vhosts file:

$ unsetenv VIRTUAL_DOMAIN INSTANCE PROXY_CACHE_EXPIRY APPLICATION_SERVER APPLICATION_PORT SHORTCUT SHORTCUT_DOMAIN

Try to use this for nginx serving PHP via FASTCGI

  • Configure nginx for Per-Instance Use Within a Virtual Domain

From within the jail, and for each instance, create include and root directories:

$ setenv INSTANCE [instance]
$ setenv VIRTUAL_DOMAIN [my.domain]
$ setenv APPLICATION_PORT [10000]
$ mkdir -p /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http /usr/local/etc/nginx/include/server /usr/local/etc/nginx/include/vhosts
$ mkdir -p /home/www_php/${VIRTUAL_DOMAIN}
$ chown root:www /home/www_php /home/www_php/${VIRTUAL_DOMAIN}
$ chmod 755 /home/www_php /home/www_php/${VIRTUAL_DOMAIN}

Replace placeholders in [brackets] with their appropriate values. Increment APPLICATION_PORT by +1 for every instance.

From within the jail, create the [instance]-specific vhosts configuration file as follows:

$ echo '# http virtual server settings' > /usr/local/etc/nginx/include/vhosts/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo 'server {' >> /usr/local/etc/nginx/include/vhosts/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo ' # define one of your virtual servers as default to avoid erratically forwarded domain names' >> /usr/local/etc/nginx/include/vhosts/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo " listen 127.0.1.106:${APPLICATION_PORT} default;" >> /usr/local/etc/nginx/include/vhosts/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo " #listen 127.0.1.106:${APPLICATION_PORT};" >> /usr/local/etc/nginx/include/vhosts/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo " server_name www.${VIRTUAL_DOMAIN};" >> /usr/local/etc/nginx/include/vhosts/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo ' # include configuration files' >> /usr/local/etc/nginx/include/vhosts/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo " include include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/*;" >> /usr/local/etc/nginx/include/vhosts/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo '}' >> /usr/local/etc/nginx/include/vhosts/${INSTANCE}.${VIRTUAL_DOMAIN}

Configure one of your virtual domain servers as default to avoid erratically forwarded domain names in http headers.

From within the jail, create the server configuration file as follows:

$ echo "# user limits" > /usr/local/etc/nginx/include/server/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo "# define domain-specific zone which uses < 1 MByte to store session information" >> /usr/local/etc/nginx/include/server/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo 'limit_conn_zone $binary_remote_addr zone='"${INSTANCE}.${VIRTUAL_DOMAIN}:1m;" >> /usr/local/etc/nginx/include/server/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo '' >> /usr/local/etc/nginx/include/server/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo '# fastcgi cache setting' >> /usr/local/etc/nginx/include/server/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo '# set the fastcgi cache path and related parameters' >> /usr/local/etc/nginx/include/server/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo '# delete cache data, if not requested for 60 minutes, with maximum size of 128 Mbyte' >> /usr/local/etc/nginx/include/server/${INSTANCE}.${VIRTUAL_DOMAIN}
$ echo "fastcgi_cache_path /var/tmp/nginx/fastcgi_cache_${INSTANCE}.${VIRTUAL_DOMAIN} levels=1:2 keys_zone=${INSTANCE}.${VIRTUAL_DOMAIN}_fastcgi_cache:100m inactive=60m max_size=128m;" >> /usr/local/etc/nginx/include/server/${INSTANCE}.${VIRTUAL_DOMAIN}

From within the jail, create the default http configuration file as follows:

$ echo '# set document root' > /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/default.conf
$ echo "root /home/www_php/${VIRTUAL_DOMAIN};" >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/default.conf
$ echo '' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/default.conf
$ echo '# prohibit execution of hidden php code inside an uploaded file' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/default.conf
$ echo 'location ~ \..*/.*\.php$ {' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/default.conf
$ echo ' return 403;' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/default.conf
$ echo '}' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/default.conf

From within the jail, create the [instance]-specific http configuration file as follows:

$ echo "# pass the PHP scripts for ${INSTANCE} to the FastCGI server" > /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo 'location ~ \.php$ {' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo ' # Note: Set "cgi.fix_pathinfo = 0;" in php.ini' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo ' fastcgi_split_path_info ^(.+\.php)(/.*)$;' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo " fastcgi_pass unix:/var/run/php-fpm_${INSTANCE}.${VIRTUAL_DOMAIN}/php-fpm_${INSTANCE}.${VIRTUAL_DOMAIN}.sock;" >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo ' fastcgi_index index.php;' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo " fastcgi_cache ${INSTANCE}.${VIRTUAL_DOMAIN}_fastcgi_cache;" >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo ' fastcgi_cache_valid 200 60m;' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo ' include fastcgi_params;' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
$ echo '}' >> /usr/local/etc/nginx/include/${INSTANCE}.${VIRTUAL_DOMAIN}/http/${INSTANCE}.conf
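
The 403 rule in default.conf and the FastCGI rule in ${INSTANCE}.conf are both regex locations (written here with the dots escaped, `\..*/.*\.php$` and `\.php$`). nginx tries regex locations in the order they appear and the wildcard `include` reads files in sorted name order, so the instance name decides which rule wins. The following added example, not part of the original page, models that in POSIX sh with `grep -E` standing in for nginx's regex engine; the instance names and URIs are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): a model of how nginx picks
# between the two regex locations above. Sample URIs are constructed.
DENY_RE='\..*/.*\.php$'   # default.conf: return 403
PHP_RE='\.php$'           # ${INSTANCE}.conf: fastcgi_pass

# matches REGEX URI: true when the URI matches (grep -E stands in for PCRE)
matches() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# The wildcard include reads files in sorted name order, so the instance
# name decides whether default.conf or INSTANCE.conf is parsed first.
first_conf() {
    printf '%s\n' default.conf "$1.conf" | LC_ALL=C sort | head -n 1
}

# classify_uri INSTANCE URI: prints deny, fastcgi or other.
# Regex locations are tried in configuration order; the first match wins.
classify_uri() {
    if [ "$(first_conf "$1")" = default.conf ]; then
        order="deny fastcgi"
    else
        order="fastcgi deny"
    fi
    for rule in $order; do
        case $rule in
            deny)    re=$DENY_RE ;;
            fastcgi) re=$PHP_RE ;;
        esac
        if matches "$re" "$2"; then echo "$rule"; return 0; fi
    done
    echo other
}

# Print the outcome for two constructed instance names.
for inst in webmail app; do
    for uri in /index.php /uploads/a.jpg/x.php /files/myphp /img/logo.png; do
        printf '%-8s %-22s %s\n' "$inst" "$uri" "$(classify_uri "$inst" "$uri")"
    done
done
```

For an instance name that sorts before `default`, the nested-path request reaches PHP-FPM instead of the 403; giving the deny file a name that always sorts first (for example a hypothetical `00-default.conf`) keeps it ahead of the FastCGI rule. With an unescaped `.php$`, `/files/myphp` would also match the FastCGI location.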