From b1b67e0d997cf1f5715417244724ff21e8a59eae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ant=C3=B3nio=20P=2E=20P=2E=20Almeida?=
Date: Sun, 23 Oct 2011 03:51:27 +0100
Subject: [PATCH] * Major refactoring of the config. Upstream fallbacks. Nginx status and more.

---
 cron_allowed_hosts.conf | 10 +++++
 nginx.conf | 18 ++++++++-
 nginx_status_allowed_hosts.conf | 10 +++++
 nginx_status_vhost.conf | 16 ++++++++
 php_fpm_status_vhost.conf | 47 +++++++++++++++++++++++-
 sites-available/drupal.conf | 2 +
 sites-available/drupal_boost.conf | 2 +
 sites-available/drupal_cron_update.conf | 15 +++----
 sites-available/drupal_spaces.conf | 2 +
 sites-available/drupal_spaces_boost.conf | 2 +
 sites-available/example.com.conf | 42 +++++++++++++++++----
 upstream_phpapache.conf | 27 +++++++++++++-
 upstream_phpcgi.conf | 8 ----
 upstream_phpcgi_tcp.conf | 33 +++++++++++++++++
 upstream_phpcgi_unix.conf | 34 +++++++++++++++++
 15 files changed, 238 insertions(+), 30 deletions(-)
 create mode 100644 cron_allowed_hosts.conf
 create mode 100644 nginx_status_allowed_hosts.conf
 create mode 100644 nginx_status_vhost.conf
 delete mode 100644 upstream_phpcgi.conf
 create mode 100644 upstream_phpcgi_tcp.conf
 create mode 100644 upstream_phpcgi_unix.conf

diff --git a/cron_allowed_hosts.conf b/cron_allowed_hosts.conf
new file mode 100644
index 00000000..cd2d30ab
--- /dev/null
+++ b/cron_allowed_hosts.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration file for specifying which hosts can invoke Drupal's
+### cron. This only applies if you're not using drush to run cron.
+
+geo $not_allowed_cron {
+ default 1;
+ ## Add your set of hosts.
+ 127.0.0.1 0; # allow the localhost
+ 192.168.1.0/24 0; # (V)LAN hosts allowed
+}
diff --git a/nginx.conf b/nginx.conf
index 78b5f14f..067570ee 100644
--- a/nginx.conf
+++ b/nginx.conf
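Review bot: `geo $not_allowed_cron` matches the address Nginx itself sees (`$remote_addr`), so behind a reverse proxy or load balancer every request arrives from the proxy and the list degrades to allow-all or deny-all depending on whether that one address is listed; the same applies to `geo $dont_show_nginx_status` in nginx_status_allowed_hosts.conf. That assumption belongs in the header comment, e.g. `### Matches $remote_addr; behind a proxy use geo's "proxy" parameter or the real IP module first.` The `192.168.1.0/24 0;` entry also lets every host on that LAN trigger cron, which is fine for a sample but should be marked as a placeholder to narrow before deployment.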
@@ -98,10 +98,16 @@ http {
 ## Enable clickjacking protection in modern browsers. Available in
 ## IE8 also. See
 ## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
- add_header X-Frame-Options sameorigin;
+ add_header X-Frame-Options SAMEORIGIN;
 ## Include the upstream servers for PHP FastCGI handling config.
- include upstream_phpcgi.conf;
+ ## This one uses the FCGI process listening on TCP sockets.
+ include upstream_phpcgi_tcp.conf;
+
+ ## Include the upstream servers for PHP FastCGI handling
+ ## configuration. This setup uses UNIX sockets for talking with the
+ ## upstream.
+ #include upstream_phpcgi_unix.conf;
 ## Include the upstream servers for Apache handling the PHP
 ## processes. In this case Nginx functions as a reverse proxy.
@@ -112,6 +118,14 @@ http {
 ## Uncomment to enable if you're running php-fpm.
 #include php_fpm_status_allowed_hosts.conf;
+ ## Include the Nginx stub status allowed hosts configuration block.
+ include nginx_status_allowed_hosts.conf;
+
+ ## If you want to run cron using Drupal cron.php. i.e., you're not
+ ## using drush then uncomment the line below. Specify in
+ ## cron_allowed_hosts.conf which hosts can invole cron.
+ # include cron_allowed_hosts.conf;
+
 ## Include blacklist for bad bot and referer blocking.
 include blacklist.conf;
diff --git a/nginx_status_allowed_hosts.conf b/nginx_status_allowed_hosts.conf
new file mode 100644
index 00000000..d2713d48
--- /dev/null
+++ b/nginx_status_allowed_hosts.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Configuration of nginx stub status page. Here we define the
+### allowed hosts using the Geo Module. http://wiki.nginx.org/HttpGeoModule
+
+geo $dont_show_nginx_status {
+ default 1;
+ 127.0.0.1 0; # allow on the loopback
+ 192.168.1.0/24 0; # allow on an internal network
+}
diff --git a/nginx_status_vhost.conf b/nginx_status_vhost.conf
new file mode 100644
index 00000000..3b531e4d
--- /dev/null
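Review bot: `# include cron_allowed_hosts.conf;` in the second nginx.conf hunk stays commented out, but drupal_cron_update.conf in this same commit now evaluates `$not_allowed_cron`, which only that file defines; an operator who enables `sites-available/drupal_cron_update.conf` without also enabling this include gets an unknown-variable error from `nginx -t` instead of a denied cron.php. The comment should state the dependency, e.g. `## Must be enabled whenever sites-available/drupal_cron_update.conf is included: it defines $not_allowed_cron.`, and "invole" should read "invoke". The first hunk's switch to `upstream_phpcgi_tcp.conf` is fine as far as this file goes.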
+++ b/nginx_status_vhost.conf
@@ -0,0 +1,16 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### The configuration for Nginx status page. As described in
+### http://wiki.nginx.org/HttpStubStatusModule.
+
+### php-fpm provides a status and a heartbeat page that is served through the web server.
+### Here's an example configuration for them.
+
+## Get the nginx status.
+location /nginx_status {
+ if ($dont_show_nginx_status) {
+ return 404;
+ }
+ stub_status on;
+ access_log off;
+}
diff --git a/php_fpm_status_vhost.conf b/php_fpm_status_vhost.conf
index 44625d7d..28eb616e 100644
--- a/php_fpm_status_vhost.conf
+++ b/php_fpm_status_vhost.conf
@@ -6,7 +6,6 @@
 ### php-fpm provides a status and a heartbeat page that is served through the web server.
 ### Here's an example configuration for them.
-
 ## The status page is at /fpm-status. Only local access is
 ## allowed. Non authorized access returns a 404 through the error_page
 ## directive.
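Review bot: `location /nginx_status {` is a prefix match, so any URI beginning with /nginx_status reaches `stub_status`; `location = /nginx_status {` limits it to the single path the geo gate was written for. The two `### php-fpm provides a status and a heartbeat page ...` lines were copied from php_fpm_status_vhost.conf and describe nothing in this file; replace them with one line saying that `$dont_show_nginx_status` comes from nginx_status_allowed_hosts.conf. Since example.com.conf includes this file unconditionally in both server blocks, that geo list is the only thing keeping the counters off the public side, which is worth saying in the header.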
@@ -14,17 +13,61 @@ location = /fpm-status {
 if ($dont_show_fpm_status) {
 return 404;
 }
+ fastcgi_pass phpcgi;
+}
+## The ping page is at /ping and returns the string configured at the php-fpm level.
+## Also only local network connections (loopback and LAN) are permitted.
+location = /ping {
+ if ($dont_show_fpm_status) {
+ return 404;
+ }
 fastcgi_pass phpcgi;
 }
+## This is for the second pool. It assumes that you've configured
+## php-fpm to have two pools and the URIs configured for the status
+## and ping pages are as specified below. Zwei is 2 in german.
+
+## The status page is at /fpm-status. Only local access is
+## allowed. Non authorized access returns a 404 through the error_page
+## directive.
+location = /fpm-status-zwei {
+ if ($dont_show_fpm_status) {
+ return 404;
+ }
+ fastcgi_pass phpcgi;
+}
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
 ## Also only local network connections (loopback and LAN) are permitted.
-location = /ping {
+location = /ping-zwei {
+ if ($dont_show_fpm_status) {
+ return 404;
+ }
+ fastcgi_pass phpcgi;
+}
+
+## This is for the third pool that acts as backup. It assumes that
+## you've configured php-fpm to have two pools and the URIs configured
+## for the status and ping pages are as specified below. Drei is 3 in
+## german.
+
+## The status page is at /fpm-status. Only local access is
+## allowed. Non authorized access returns a 404 through the error_page
+## directive.
+location = /fpm-status-drei {
 if ($dont_show_fpm_status) {
 return 404;
 }
+ fastcgi_pass phpcgi;
+}
+## The ping page is at /ping and returns the string configured at the php-fpm level.
+## Also only local network connections (loopback and LAN) are permitted.
+location = /ping-drei {
+ if ($dont_show_fpm_status) {
+ return 404;
+ }
 fastcgi_pass phpcgi;
 }
diff --git a/sites-available/drupal.conf b/sites-available/drupal.conf
index f9ff71fe..dc3e8465 100644
--- a/sites-available/drupal.conf
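Review bot: All six locations end in `fastcgi_pass phpcgi;`, but `phpcgi` balances across the first two pools and `phpcgi_backup` is a separate upstream, so `/fpm-status-zwei` and `/ping-zwei` go to whichever pool the balancer picks and `/fpm-status-drei` and `/ping-drei` never reach the backup pool at all. php-fpm's `pm.status_path` and `ping.path` are per-pool settings, so a request routed to a pool that does not declare that path answers 404 and these pages will flap between pools. Each per-pool location should `fastcgi_pass` that pool's own `server` address (the second and third entries in the upstream files) rather than the balanced upstream. The "third pool" comment also still says "two pools", and the `location = /fpm-status {` block this hunk opens in starts above the hunk.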
+++ b/sites-available/drupal.conf
@@ -136,6 +136,8 @@ location / {
 ## Restrict access to the strictly necessary PHP files. Reducing the
 ## scope for exploits. Handling of PHP code and the Drupal event loop.
 location = /index.php {
+ ## This enables a fallback for whenever the 'default' upstream fails.
+ error_page 502 504 @fallback;
 fastcgi_pass phpcgi;
 ## To use Apache for serving PHP uncomment the line bellow and
 ## comment out the above.
diff --git a/sites-available/drupal_boost.conf b/sites-available/drupal_boost.conf
index 33cfee10..69c1149e 100644
--- a/sites-available/drupal_boost.conf
+++ b/sites-available/drupal_boost.conf
@@ -172,6 +172,8 @@ location @no_cache {
 ## Restrict access to the strictly necessary PHP files. Reducing the
 ## scope for exploits. Handling of PHP code and the Drupal event loop.
 location = /index.php {
+ ## This enables a fallback for whenever the 'default' upstream fails.
+ error_page 502 504 @fallback;
 fastcgi_pass phpcgi;
 ## To use Apache for serving PHP uncomment the line bellow and
 ## comment out the above.
diff --git a/sites-available/drupal_cron_update.conf b/sites-available/drupal_cron_update.conf
index 5e6772a3..55500e97 100644
--- a/sites-available/drupal_cron_update.conf
+++ b/sites-available/drupal_cron_update.conf
@@ -9,17 +9,17 @@ location = /xmlrpc.php {
 #proxy_pass http://phpapache;
 }
-
 ## Restrict cron access to a specific host.
 location = /cron.php {
- allow 127.0.0.1;
- allow 192.168.1.0/24;
+ ## If not allowed to run cron then issue a 404 and redirect to the
+ ## site root.
+ if ($not_allowed_cron) {
+ return 404 /;
+ }
 fastcgi_pass phpcgi;
 ## To use Apache for serving PHP uncomment the line bellow and
 ## comment out the above.
 #proxy_pass http://phpapache;
- error_page 403 =404;
- deny all;
 }
 ## Run the update from the web interface with Drupal 7.
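Review bot: `error_page 502 504 @fallback;` re-sends the request to `@fallback` after a gateway error or timeout, and a 504 does not mean the first attempt never ran, so a POST that timed out (form submit, payment notification) is executed a second time on the backup pool. Either document that next to the directive — `## NOTE: on 504 the request may already have run; the retry re-sends POST bodies to the backup pool.` — or have `@fallback` return the error unchanged for non-idempotent methods. The directive also needs a `location @fallback` in every server block that includes this file; this commit adds one only to the HTTPS server in example.com.conf, and if the HTTP server includes these files too (its `### Generic configuration` comment suggests it does) requests on port 80 will, as far as I recall, fail at request time rather than at `nginx -t`. The same two lines are added in drupal_boost.conf, drupal_spaces.conf and drupal_spaces_boost.conf.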
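Review bot: `return 404 /;` in the drupal_cron_update.conf hunk does not redirect: only the 3xx codes take a URL as the second argument, for any other code it is the response body, so a disallowed client receives a 404 whose body is the single character `/`, and the comment "and redirect to the site root" describes behaviour that does not happen. `return 404;` alone reproduces the old `error_page 403 =404;` outcome and is preferable to a redirect because it does not confirm that cron.php exists; trim the comment to `## If not allowed to run cron then issue a 404.` Note that `$not_allowed_cron` is defined only by cron_allowed_hosts.conf, whose include in nginx.conf remains commented out in this commit.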
@@ -31,13 +31,10 @@ location = /authorize.php {
 }
 location = /update.php {
- auth_basic "Restricted Access"; # auth realm
+ auth_basic "Restricted Access"; # auth realm
 auth_basic_user_file .htpasswd-users; # htpasswd file
 fastcgi_pass phpcgi;
 ## To use Apache for serving PHP uncomment the line bellow and
 ## comment out the above.
 #proxy_pass http://phpapache;
 }
-
-
-
diff --git a/sites-available/drupal_spaces.conf b/sites-available/drupal_spaces.conf
index b316d914..b6b82f8d 100644
--- a/sites-available/drupal_spaces.conf
+++ b/sites-available/drupal_spaces.conf
@@ -141,6 +141,8 @@ location / {
 ## Restrict access to the strictly necessary PHP files. Reducing the
 ## scope for exploits. Handling of PHP code and the Drupal event loop.
 location = /index.php {
+ ## This enables a fallback for whenever the 'default' upstream fails.
+ error_page 502 504 @fallback;
 fastcgi_pass phpcgi;
 ## To use Apache for serving PHP uncomment the line bellow and
 ## comment out the above.
diff --git a/sites-available/drupal_spaces_boost.conf b/sites-available/drupal_spaces_boost.conf
index 6038f328..774a1bc6 100644
--- a/sites-available/drupal_spaces_boost.conf
+++ b/sites-available/drupal_spaces_boost.conf
@@ -171,6 +171,8 @@ location @cache {
 ## Restrict access to the strictly necessary PHP files. Reducing the
 ## scope for exploits. Handling of PHP code and the Drupal event loop.
 location = /index.php {
+ ## This enables a fallback for whenever the 'default' upstream fails.
+ error_page 502 504 @fallback;
 fastcgi_pass phpcgi;
 # To use Apache for serving PHP uncomment the line bellow and
 # comment out the above.
diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
index 840430a2..729e2e47 100644
--- a/sites-available/example.com.conf
+++ b/sites-available/example.com.conf
@@ -11,12 +11,11 @@ server {
 } # server domain return.
-
 ## HTTP server.
 server {
 listen [::]:80;
 server_name example.com;
- limit_conn arbeit 16;
+ limit_conn arbeit 32;
 ## Access and error logs.
 access_log /var/log/nginx/example.com_access.log;
@@ -36,6 +35,14 @@ server {
 root /var/www/sites/example.com;
 index index.php;
+ ## If you're using a Nginx version greater or equal to 1.1.4 then
+ ## you can use keep alive connections to the upstream be it
+ ## FastCGI or Apache. If that's not the case comment out the line below.
+ fastcgi_keep_conn on; # keep alive to the FCGI upstream
+
+ ## Uncomment if you're proxying to Apache for handling PHP.
+ #proxy_http_version 1.1; # keep alive to the Apache upstream
+
 ################################################################
 ### Generic configuration: for most Drupal 6 and Drupal 7 sites.
 ################################################################
@@ -83,7 +90,6 @@ server {
 #################################################################
 #include sites-available/drupal_cron_update.conf;
-
 ## For upload progress to work. From the README of the
 ## filefield_nginx_progress module.
 location ~ (.*)/x-progress-id:(\w*) {
@@ -98,6 +104,10 @@ server {
 ## Uncomment to enable if you're running php-fpm.
 #include php_fpm_status_vhost.conf;
+ ## Including the Nginx stub status page for having stats about
+ ## Nginx activity: http://wiki.nginx.org/HttpStubStatusModule.
+ include nginx_status_vhost.conf;
+
 } # HTTP server
@@ -114,11 +124,6 @@ server {
 ## Keep alive timeout set to a greater value for SSL/TLS.
 keepalive_timeout 75 75;
- ## Disable all methods besides HEAD, GET and POST.
- if ($request_method !~ ^(GET|HEAD|POST)$ ) {
- return 444;
- }
-
 ## See the keepalive_timeout directive in nginx.conf.
 ## Server certificate and key.
 ssl_certificate /etc/ssl/certs/example-cert.pem;
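Review bot: The last hunk removes the HTTPS server's method allow-list (`if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }`) and nothing in the commit message or the rest of the diff replaces it, so PUT, DELETE, TRACE and the like now reach PHP over TLS. If that is intended the message should say so; if not, restore it — or move the rule into nginx.conf's http{} block as a `map` on `$request_method` so both servers share one definition. Separately, `include nginx_status_vhost.conf;` in the fourth hunk is unconditional, so the stub status page is exposed on port 80 with only the geo list in front of it, and `limit_conn arbeit 32;` doubles the per-client connection cap without a word in the message.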
@@ -132,6 +137,14 @@ server {
 root /var/www/sites/example.com;
 index index.php;
+ ## If you're using a Nginx version greater or equal to 1.1.4 then
+ ## you can use keep alive connections to the upstream be it
+ ## FastCGI or Apache. If that's not the case comment out the line below.
+ fastcgi_keep_conn on; # keep alive to the FCGI upstream
+
+ ## Uncomment if you're proxying to Apache for handling PHP.
+ #proxy_http_version 1.1; # keep alive to the Apache upstream
+
 ## See the blacklist.conf file at the parent dir: /etc/nginx.
 ## Deny access based on the User-Agent header.
 if ($bad_bot) {
@@ -199,8 +212,21 @@ server {
 report_uploads uploads;
 }
+ ## Fallback location for 502 and 504 errors from upstream.
+ location @fallback {
+ ## If you're proxying to FastCGI.
+ fastcgi_pass phpcgi_backup;
+ ## Uncomment the line below if you're proxying to Apache for
+ ## PHP handling.
+ #proxy_pass phpapache_backup;
+ }
+
 ## Including the php-fpm status and ping pages config.
 ## Uncomment to enable if you're running php-fpm.
 #include php_fpm_status.conf;
+ ## Including the Nginx stub status page for having stats about
+ ## Nginx activity: http://wiki.nginx.org/HttpStubStatusModule.
+ include nginx_status_vhost.conf;
+
 } # HTTPS server
diff --git a/upstream_phpapache.conf b/upstream_phpapache.conf
index 4bc5645f..b8d1b523 100644
--- a/upstream_phpapache.conf
+++ b/upstream_phpapache.conf
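Review bot: `#proxy_pass phpapache_backup;` inside `location @fallback` lacks the scheme; `proxy_pass` takes a URL, unlike `fastcgi_pass`, so uncommenting it as written fails `nginx -t` with an invalid URL prefix — the other commented lines in this tree use `#proxy_pass http://phpapache;`, so this should be `#proxy_pass http://phpapache_backup;`. `@fallback` is added only to the HTTPS server here, while the drupal*.conf files that now reference it are, as far as the diff shows, included by both servers, so the HTTP server (whose closing hunk is on the previous line and gains no such block) needs the same definition. `fastcgi_keep_conn on;` in the first hunk only helps while the `keepalive` directive in the upstream file is left in; a one-line cross-reference in its comment would tie the two settings together.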
@@ -2,7 +2,32 @@
 ### Upstream configuration for Apache functioning has a PHP handler.
-## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule.
+## Add as many servers as needed.
+## Cf. http://wiki.nginx.org/HttpUpstreamModule.
+## Note that this configuration assumes by default that keepalive
+## upstream connections are supported and that you have a Nginx
+## version with the fair load balancer.
+
 upstream phpapache {
+ ## If your version of Nginx doesn't have the fair load balancer:
+ ## https://github.com/gnosek/nginx-upstream-fair comment out the
+ ## following line.
+ fair;
 server 127.0.0.1:8080;
+ server 127.0.0.1:8081;
+ ## Create a backend connection cache. Note that this requires
+ ## Nginx version greater or equal to 1.1.4.
+ ## Cf. http://nginx.org/en/CHANGES. Comment out the following
+ ## line if that's not the case.
+ keepalive 5;
+}
+
+## Add a third pool as a fallback.
+upstream phpapache_backup {
+ server 127.0.0.1:8082;
+ ## Create a backend connection cache. Note that this requires
+ ## Nginx version greater or equal to 1.1.4.
+ ## Cf. http://nginx.org/en/CHANGES. Comment out the
+ ## following line if that's not the case.
+ keepalive 1;
 }
diff --git a/upstream_phpcgi.conf b/upstream_phpcgi.conf
deleted file mode 100644
index fc275314..00000000
--- a/upstream_phpcgi.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
-
-### Upstream configuration for PHP FastCGI.
-
-## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule.
-upstream phpcgi {
- server unix:/var/run/php-fpm.sock;
-}
diff --git a/upstream_phpcgi_tcp.conf b/upstream_phpcgi_tcp.conf
new file mode 100644
index 00000000..4b9e8df7
--- /dev/null
+++ b/upstream_phpcgi_tcp.conf
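Review bot: `keepalive 5;` in `upstream phpapache` only yields reusable connections when the proxying location speaks HTTP/1.1 and clears the Connection header; example.com.conf gains a commented `proxy_http_version 1.1;` but no `proxy_set_header Connection "";`, so as configured each Apache connection is still closed after one request and the cache never fills. Put the requirement next to the directive: `## Requires proxy_http_version 1.1 and proxy_set_header Connection "" in the proxying location.` The `fair;` line depends on a third-party module; the comment tells readers to remove it when absent but not that any non-default balancing method has to stay ahead of `keepalive`, which is worth one more sentence so the order survives later edits.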
@@ -0,0 +1,33 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Upstream configuration for PHP FastCGI.
+
+## Add as many servers as needed:
+## Cf. http://wiki.nginx.org/HttpUpstreamModule.
+## Note that this configuration assumes by default that keepalive
+## upstream connections are supported and that you have a Nginx
+## version with the fair load balancer.
+
+upstream phpcgi {
+ ## If your version of Nginx doesn't have the fair load balancer:
+ ## https://github.com/gnosek/nginx-upstream-fair comment out the
+ ## following line.
+ fair;
+ server 127.0.0.1:9001;
+ server 127.0.0.1:9002;
+ ## Create a backend connection cache. Note that this requires
+ ## Nginx version greater or equal to 1.1.4.
+ ## Cf. http://nginx.org/en/CHANGES. Comment out the following
+ ## line if that's not the case.
+ keepalive 5;
+}
+
+## Add a third pool as a fallback.
+upstream phpcgi_backup {
+ server 127.0.0.1:9003;
+ ## Create a backend connection cache. Note that this requires
+ ## Nginx version greater or equal to 1.1.4.
+ ## Cf. http://nginx.org/en/CHANGES. Comment out the
+ ## following line if that's not the case.
+ keepalive 1;
+}
diff --git a/upstream_phpcgi_unix.conf b/upstream_phpcgi_unix.conf
new file mode 100644
index 00000000..e915a766
--- /dev/null
+++ b/upstream_phpcgi_unix.conf
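Review bot: With the pools on 127.0.0.1:9001–9003 any local process that can open a socket can speak FastCGI to php-fpm directly, bypassing every access rule in these Nginx files; the unix-socket variant (upstream_phpcgi_unix.conf) with file permissions on the socket is the tighter default, and the header comment should say when an operator would pick TCP over it. `upstream phpcgi_backup` is described as "a third pool as a fallback", but nothing marks it as such to Nginx — it is reached only through `location @fallback` in the vhost — so a comment such as `## Not part of phpcgi; used only by location @fallback in the vhost.` would make that coupling visible.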
@@ -0,0 +1,34 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Upstream configuration for PHP FastCGI.
+
+## Add as many servers as needed:
+## Cf. http://wiki.nginx.org/HttpUpstreamModule.
+## Note that this configuration assumes by default that keepalive
+## upstream connections are supported and that you have a Nginx
+## version with the fair load balancer.
+
+## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule.
+upstream phpcgi {
+ ## If your version of Nginx doesn't have the fair load balancer:
+ ## https://github.com/gnosek/nginx-upstream-fair comment out the
+ ## following line.
+ fair;
+ server unix:/var/run/php-fpm.sock;
+ server unix:/var/run/php-fpm-zwei.sock;
+ ## Create a backend connection cache. Note that this requires
+ ## Nginx version greater or equal to 1.1.4.
+ ## Cf. http://nginx.org/en/CHANGES. Comment out the following
+ ## line if that's not the case.
+ keepalive 5;
+}
+
+## Add a third pool as a fallback.
+upstream phpcgi_backup {
+ server unix:/var/run/php-fpm-drei.sock;
+ ## Create a backend connection cache. Note that this requires
+ ## Nginx version greater or equal to 1.1.4.
+ ## Cf. http://nginx.org/en/CHANGES. Comment out the
+ ## following line if that's not the case.
+ keepalive 1;
+}
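Review bot: `## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule.` repeats the two lines directly above it and should be dropped. The socket paths `/var/run/php-fpm-zwei.sock` and `/var/run/php-fpm-drei.sock` must match each php-fpm pool's `listen =` and be accessible to the Nginx worker user (php-fpm's `listen.owner`, `listen.group` and `listen.mode`); a mismatch shows up only as 502s that immediately trip the new `@fallback`, so a comment stating that pairing next to the `server` lines would save debugging time.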