diff --git a/.gitignore b/.gitignore index 24e35135..a2334da4 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,6 @@ /*tar* +custom/*.conf +sites-available/*.conf +sites-enabled/*.conf +upstream/*.conf +upstream/status_vhosts/*.conf diff --git a/apps/drupal/admin_basic_auth.conf b/apps/drupal/admin_basic_auth.conf index cc796ce0..30e61b2c 100644 --- a/apps/drupal/admin_basic_auth.conf +++ b/apps/drupal/admin_basic_auth.conf @@ -8,5 +8,5 @@ location ^~ /admin { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; } diff --git a/apps/drupal/drupal.conf b/apps/drupal/drupal.conf index 0679bf48..0df9cfe4 100644 --- a/apps/drupal/drupal.conf +++ b/apps/drupal/drupal.conf @@ -26,7 +26,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the two lines below. @@ -50,7 +50,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the two lines below. @@ -199,7 +199,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the two lines below. 
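Review bot: `fastcgi_pass $upstream_id;` makes every server block that includes this file responsible for defining `$upstream_id`, and nothing in apps/drupal/ says so; a value that matches no `upstream` block is treated as a hostname and looked up through the http-level `resolver` at request time rather than being rejected by `nginx -t`, and an unset variable is expected to fail the request with an uninitialized-variable warning. A one-line header comment in each touched apps/drupal file would make the contract visible, e.g. `## Requires: set $upstream_id <name-of-upstream-block>; in the enclosing server {} (see sites-available/example.com.conf.sample).` The same substitution is made in drupal.conf, drupal_boost.conf, drupal_boost_escaped.conf, drupal_cron_update.conf, drupal_escaped.conf and drupal_install.conf. The enclosing `location ^~ /admin` starts before this hunk.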
@@ -232,7 +232,7 @@ location / { location @drupal { ## Include the FastCGI config. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## FastCGI microcache. include apps/drupal/microcache_fcgi.conf; @@ -259,7 +259,7 @@ location @drupal-no-args { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_no_args_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## FastCGI microcache. include apps/drupal/microcache_fcgi.conf; diff --git a/apps/drupal/drupal_boost.conf b/apps/drupal/drupal_boost.conf index 1cb10e16..8ae1f14c 100644 --- a/apps/drupal/drupal_boost.conf +++ b/apps/drupal/drupal_boost.conf @@ -26,7 +26,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the line below. @@ -50,7 +50,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the line below. @@ -192,7 +192,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the line below. @@ -263,7 +263,7 @@ location @cache { location @drupal { ## Include the FastCGI config. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## FCGI microcache for authenticated users also. include apps/drupal/microcache_fcgi_auth.conf; 
@@ -285,7 +285,7 @@ location @drupal-no-args { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_no_args_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## FCGI microcache for authenticated users also. include apps/drupal/microcache_fcgi_auth.conf; @@ -369,7 +369,7 @@ location ~* ^.+\.php$ { ## Boost stats. location = /boost_stats.php { - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache; diff --git a/apps/drupal/drupal_boost_escaped.conf b/apps/drupal/drupal_boost_escaped.conf index 36f5d986..7ed64fa2 100644 --- a/apps/drupal/drupal_boost_escaped.conf +++ b/apps/drupal/drupal_boost_escaped.conf @@ -29,7 +29,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the line below. @@ -53,7 +53,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the line below. @@ -195,7 +195,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the line below. 
@@ -267,7 +267,7 @@ location @cache { location @drupal { ## Include the FastCGI config. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## FCGI microcache for authenticated users also. include apps/drupal/microcache_fcgi_auth.conf; @@ -289,7 +289,7 @@ location @drupal-no-args { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_no_args_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## FCGI microcache for authenticated users also. include apps/drupal/microcache_fcgi_auth.conf; @@ -373,7 +373,7 @@ location ~* ^.+\.php$ { ## Boost stats. location = /boost_stats.php { - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache; diff --git a/apps/drupal/drupal_cron_update.conf b/apps/drupal/drupal_cron_update.conf index 55500e97..f160ccba 100644 --- a/apps/drupal/drupal_cron_update.conf +++ b/apps/drupal/drupal_cron_update.conf @@ -3,7 +3,7 @@ ## XMLRPC. Comment out if not enabled. location = /xmlrpc.php { - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; # To use Apache for serving PHP uncomment the line bellow and # comment out the above. #proxy_pass http://phpapache; @@ -16,7 +16,7 @@ location = /cron.php { if ($not_allowed_cron) { return 404 /; } - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache; @@ -24,7 +24,7 @@ location = /cron.php { ## Run the update from the web interface with Drupal 7. location = /authorize.php { - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache; 
@@ -33,7 +33,7 @@ location = /authorize.php { location = /update.php { auth_basic "Restricted Access"; # auth realm auth_basic_user_file .htpasswd-users; # htpasswd file - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## To use Apache for serving PHP uncomment the line bellow and ## comment out the above. #proxy_pass http://phpapache; diff --git a/apps/drupal/drupal_escaped.conf b/apps/drupal/drupal_escaped.conf index db08cc01..74ac049d 100644 --- a/apps/drupal/drupal_escaped.conf +++ b/apps/drupal/drupal_escaped.conf @@ -29,7 +29,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the line below. @@ -53,7 +53,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the line below. @@ -201,7 +201,7 @@ location / { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## If proxying to apache comment the two lines above and ## uncomment the line below. @@ -233,7 +233,7 @@ location / { location @drupal { ## Include the FastCGI config. include apps/drupal/fastcgi_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## FastCGI microcache. include apps/drupal/microcache_fcgi.conf; 
@@ -259,7 +259,7 @@ location @drupal-no-args { ## Include the specific FastCGI configuration. This is for a ## FCGI backend like php-cgi or php-fpm. include apps/drupal/fastcgi_no_args_drupal.conf; - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; ## FastCGI microcache. include apps/drupal/microcache_fcgi.conf; diff --git a/apps/drupal/drupal_install.conf b/apps/drupal/drupal_install.conf index 1f4f11bf..2d971b49 100644 --- a/apps/drupal/drupal_install.conf +++ b/apps/drupal/drupal_install.conf @@ -5,12 +5,12 @@ location = /install.php { auth_basic "Restricted Access"; # auth realm auth_basic_user_file .htpasswd-users; # htpasswd file - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; } ## This is for drupal 8. There's a new location for the install file. location = /core/install.php { auth_basic "Restricted Access"; # auth realm auth_basic_user_file .htpasswd-users; # htpasswd file - fastcgi_pass phpcgi; + fastcgi_pass $upstream_id; } diff --git a/apps/drupal/microcache_fcgi.conf b/apps/drupal/microcache_fcgi.conf index ea4e3f77..b3c1bca4 100644 --- a/apps/drupal/microcache_fcgi.conf +++ b/apps/drupal/microcache_fcgi.conf @@ -6,7 +6,7 @@ ## The cache zone referenced. fastcgi_cache microcache; ## The cache key. -fastcgi_cache_key $scheme$request_method$host$request_uri; +fastcgi_cache_key $scheme$request_method$is_mobile$host$request_uri; ## For 200 and 301 make the cache valid for 1s seconds. fastcgi_cache_valid 200 301 1s; diff --git a/blockips.conf b/blockips.conf new file mode 100644 index 00000000..2770dce7 --- /dev/null +++ b/blockips.conf @@ -0,0 +1,14 @@ +#-*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### This file implements a blacklist for misbehaved IPs. +### It's a first line of defense. It must be included +### inside a http block. + + +## Add here all ip addresses or CIDR blocks that are to be blocked. +## Format: +## deny ; +## deny /; +## +## Example: +## deny 10.1.2.3; +## deny 10.0.0.0/8; 
diff --git a/custom/README.md b/custom/README.md new file mode 100644 index 00000000..2d4cf1b8 --- /dev/null +++ b/custom/README.md @@ -0,0 +1,6 @@ +Custom configuration bits +========================= + +Place your custom configuration files here. + +There is no way to know where you'll need to include them so they are not included anywhere by default. diff --git a/map_mobile_useragent.conf b/map_mobile_useragent.conf new file mode 100644 index 00000000..43cdb3e2 --- /dev/null +++ b/map_mobile_useragent.conf @@ -0,0 +1,18 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- +### Testing if the client is a mobile or a desktop. +### The selection is based on the usual UA strings for desktop browsers. + +## Testing a user agent using a method that reverts the logic of the +## UA detection. Inspired by notnotmobile.appspot.com. +map $http_user_agent $is_desktop { + default 0; + ~*linux.*android|windows\s+(?:ce|phone) 0; # exceptions to the rule + ~*spider|crawl|slurp|bot 1; # bots + ~*windows|linux|os\s+x\s*[\d\._]+|solaris|bsd 1; # OSes +} + +## Revert the logic. +map $is_desktop $is_mobile { + 1 0; + 0 1; +} diff --git a/nginx.conf b/nginx.conf index 2da6d130..10159089 100644 --- a/nginx.conf +++ b/nginx.conf 
@@ -35,24 +35,10 @@ http { ## Handling of IPs in proxied and load balancing situations. set_real_ip_from 0.0.0.0/32; # all addresses get a real IP. real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy + real_ip_recursive on; - ## Define a zone for limiting the number of simultaneous - ## connections nginx accepts. 1m means 32000 simultaneous - ## sessions. We need to define for each server the limit_conn - ## value refering to this or other zones. - ## ** This syntax requires nginx version >= - ## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older - ## ** version then use the limit_zone directive below - ## ** instead. Comment out this - ## ** one if not using nginx version >= 1.1.8. - limit_conn_zone $binary_remote_addr zone=arbeit:10m; - - ## Define a zone for limiting the number of simultaneous - ## connections nginx accepts. 1m means 32000 simultaneous - ## sessions. We need to define for each server the limit_conn - ## value refering to this or other zones. - ## ** Use this directive for nginx versions below 1.1.8. Uncomment the line below. - #limit_zone arbeit $binary_remote_addr 10m; + ## Include zone definitions + include zones/*.conf; ## Timeouts. client_body_timeout 60; @@ -64,7 +50,7 @@ http { reset_timedout_connection on; ## Body size. - client_max_body_size 10m; + client_max_body_size 16m; ## TCP options. tcp_nodelay on; @@ -108,8 +94,8 @@ http { ## for crufty clients. ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA; - ## No SSL2 support. Legacy support of SSLv3. - ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; + ## No SSL2 or SSLv3 support. + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ## Pregenerated Diffie-Hellman parameters. ssl_dhparam /etc/nginx/dh_param.pem; 
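Review bot: `real_ip_recursive on;` is added under `set_real_ip_from 0.0.0.0/32;`, which trusts X-Forwarded-For only from the single source address 0.0.0.0, so the recursive lookup has no effect as configured; the retained comment `# all addresses get a real IP.` reads as if `/0` were intended, and that setting would let any direct client pick its own `$remote_addr` via the header, which the `geo`, `deny` and `limit_conn_zone $binary_remote_addr` rules elsewhere in this commit key on. Replace the placeholder with the addresses of the proxies actually in front of nginx, one line each, e.g. `set_real_ip_from <LB-ADDRESS>/32;  # only the load balancer(s) whose X-Forwarded-For is trusted`, and keep `real_ip_recursive on` so the last untrusted hop is chosen from a multi-hop header. The `http {` block continues outside the hunk.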
@@ -119,6 +105,7 @@ http { ## Enable OCSP stapling. A better way to revocate server certificates. ssl_stapling on; + ## Fill in with your own resolver. resolver 8.8.8.8; @@ -166,14 +153,8 @@ http { ## Block MIME type sniffing on IE. add_header X-Content-Options nosniff; - ## Include the upstream servers for PHP FastCGI handling config. - ## This one uses the FCGI process listening on TCP sockets. - include upstream_phpcgi_tcp.conf; - - ## Include the upstream servers for PHP FastCGI handling - ## configuration. This setup uses UNIX sockets for talking with the - ## upstream. - #include upstream_phpcgi_unix.conf; + ## Include the upstream servers + include upstream/*.conf; ## Include the map to block HTTP methods. include map_block_http_methods.conf; @@ -193,14 +174,8 @@ http { https on; } - ## Include the upstream servers for Apache handling the PHP - ## processes. In this case Nginx functions as a reverse proxy. + ## Make Nginx function as a reverse proxy. #include reverse_proxy.conf; - #include upstream_phpapache.conf; - - ## Include the php-fpm status allowed hosts configuration block. - ## Uncomment to enable if you're running php-fpm. - #include php_fpm_status_allowed_hosts.conf; ## Include the Nginx stub status allowed hosts configuration block. include nginx_status_allowed_hosts.conf; 
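Review bot: `resolver 8.8.8.8;` now matters for every `fastcgi_pass $upstream_id;` introduced in apps/drupal/: with a variable target, a name that matches no `upstream` block is looked up through this resolver per request, so a typo or a vhost that sets a stale name sends plaintext DNS queries for that name to a public resolver instead of failing at config check. Point it at a resolver you control and extend the new comment, e.g. `## Use a resolver you control; it is consulted at request time for variable fastcgi_pass/proxy_pass targets.` Separately, the context line `add_header X-Content-Options nosniff;` two lines above the new `include upstream/*.conf;` is not the header browsers honour (`X-Content-Type-Options`), so MIME sniffing is not actually blocked; worth correcting while this block is touched.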
@@ -213,15 +188,14 @@ http { ## Include blacklist for bad bot and referer blocking. include blacklist.conf; + ## Include blacklist for misbehaved IP addresses and networks. + include blockips.conf; + ## Include the caching setup. Needed for using Drupal with an external cache. include apps/drupal/map_cache.conf; - ## Microcache zone definition for FastCGI. - include fastcgi_microcache_zone.conf; - - ## If you're using Apache for handling PHP then comment the line - ## above and uncomment the line below. - #include proxy_microcache_zone.conf + ## Include mobile device detection via User Agent string + include map_mobile_useragent.conf; ## Include all vhosts. include /etc/nginx/sites-enabled/*; diff --git a/nginx_status_allowed_hosts.conf b/nginx_status_allowed_hosts.conf index d2713d48..3663d2d8 100644 --- a/nginx_status_allowed_hosts.conf +++ b/nginx_status_allowed_hosts.conf @@ -4,7 +4,9 @@ ### allowed hosts using the Geo Module. http://wiki.nginx.org/HttpGeoModule geo $dont_show_nginx_status { + proxy 0.0.0.0/0; # Comment this line if not behind a reverse proxy, change the IP address if you have the proxy's IP address; default 1; 127.0.0.1 0; # allow on the loopback + 10.0.0.0/8 0; # allow on an internal network 192.168.1.0/24 0; # allow on an internal network } diff --git a/php_fpm_status_allowed_hosts.conf b/php_fpm_status_allowed_hosts.conf deleted file mode 100644 index f9cbbc20..00000000 --- a/php_fpm_status_allowed_hosts.conf +++ /dev/null @@ -1,9 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Configuration of php-fpm status and ping pages. Here we define the -### allowed hosts using the Geo Module. http://wiki.nginx.org/HttpGeoModule - -geo $dont_show_fpm_status { - default 1; - 127.0.0.1 0; # allow on the loopback - 192.168.1.0/24 0; # allow on an internal network -} diff --git a/php_fpm_status_vhost.conf b/php_fpm_status_vhost.conf deleted file mode 100644 index 1f6d218e..00000000 
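Review bot: `proxy 0.0.0.0/0;` in `geo $dont_show_nginx_status` makes the geo module take the client address from X-Forwarded-For for every connecting address, so a client that supplies that header itself can match the `127.0.0.1 0;` allow entry and the status-page ACL is bypassed; the inline comment admits the line should be changed, but the shipped default is the unsafe one. Default to the real proxy address instead, `proxy <PROXY-ADDRESS>/32; # the reverse proxy whose X-Forwarded-For is trusted`, and the new `10.0.0.0/8 0;` entry deserves narrowing to the actual management range. The same `proxy 0.0.0.0/0;` default is repeated in the new `geo $acl_phpcgi_tcp_status` and `geo $acl_phpcgi_unix_status` blocks in upstream/phpcgi_tcp.conf.sample and upstream/phpcgi_unix.conf.sample.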
--- a/php_fpm_status_vhost.conf
+++ /dev/null
@@ -1,73 +0,0 @@ -# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*- - -### The configuration for the status pages of php-fpm. As described in -### http://www.php.net/manual/en/install.fpm.configuration.php. - -### php-fpm provides a status and a heartbeat page that is served through the web server. -### Here's an example configuration for them. - -## The status page is at /fpm-status. Only local access is -## allowed. Non authorized access returns a 404 through the error_page -## directive. -location = /fpm-status { - if ($dont_show_fpm_status) { - return 404; - } - fastcgi_pass www0; -} - -## The ping page is at /ping and returns the string configured at the php-fpm level. -## Also only local network connections (loopback and LAN) are permitted. -location = /ping { - if ($dont_show_fpm_status) { - return 404; - } - fastcgi_pass www0; -} - -## This is for the second pool. It assumes that you've configured -## php-fpm to have two pools and the URIs configured for the status -## and ping pages are as specified below. Zwei is 2 in german. - -## The status page is at /fpm-status. Only local access is -## allowed. Non authorized access returns a 404 through the error_page -## directive. -location = /fpm-status-zwei { - if ($dont_show_fpm_status) { - return 404; - } - fastcgi_pass www1; -} - -## The ping page is at /ping and returns the string configured at the php-fpm level. -## Also only local network connections (loopback and LAN) are permitted. -location = /ping-zwei { - if ($dont_show_fpm_status) { - return 404; - } - fastcgi_pass www1; -} - -## This is for the third pool that acts as backup. It assumes that -## you've configured php-fpm to have two pools and the URIs configured -## for the status and ping pages are as specified below. Drei is 3 in -## german. - -## The status page is at /fpm-status. Only local access is -## allowed. Non authorized access returns a 404 through the error_page -## directive. 
-location = /fpm-status-drei { - if ($dont_show_fpm_status) { - return 404; - } - fastcgi_pass phpcgi; -} - -## The ping page is at /ping and returns the string configured at the php-fpm level. -## Also only local network connections (loopback and LAN) are permitted. -location = /ping-drei { - if ($dont_show_fpm_status) { - return 404; - } - fastcgi_pass phpcgi; -} diff --git a/sites-available/000-default b/sites-available/000-default index 59622793..c44270a6 100644 --- a/sites-available/000-default +++ b/sites-available/000-default @@ -7,8 +7,20 @@ server { listen 80 default_server; # IPv4 ## Socket options can only be specified once, hence the different ## address for the 'default' server. - listen [fe80::202:b3ff:fe1e:8328]:80 default_server ipv6only=on; # IPv6 + #listen [fe80::202:b3ff:fe1e:8328]:80 default_server ipv6only=on; # IPv6 server_name _; - return 444; + + ## Including the Nginx stub status page for having stats about + ## Nginx activity: http://wiki.nginx.org/HttpStubStatusModule. + include nginx_status_vhost.conf; + + ## Include all declared status or ping pages for upstream backends. + ## Useful for load balancers that check by IP address. + include upstream/status_vhosts/*.conf; + + ## Return empty for any other location. + location / { + return 444; + } } diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf.sample similarity index 97% rename from sites-available/example.com.conf rename to sites-available/example.com.conf.sample index 87775d81..a1510338 100644 --- a/sites-available/example.com.conf +++ b/sites-available/example.com.conf.sample @@ -8,7 +8,7 @@ server { listen 80; # IPv4 ## Replace the IPv6 address by your own address. The address below ## was stolen from the wikipedia page on IPv6. - listen [fe80::202:b3ff:fe1e:8329]:80 ipv6only=on; + #listen [fe80::202:b3ff:fe1e:8329]:80 ipv6only=on; server_name www.example.com; return 301 $scheme://example.com$request_uri; 
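Review bot: The catch-all server now serves `nginx_status_vhost.conf` and every `upstream/status_vhosts/*.conf` to any request that reaches it by IP or with an unknown Host, and `return 444` is demoted to `location /`, which no longer covers the included status locations, so the `geo` ACLs are the only thing between an anonymous client and the stub-status and php-fpm status/ping endpoints. If this is intended for load-balancer health checks, say so in the comment and confirm the ACLs are keyed on the balancer's own address rather than on a header the client can set; otherwise keep these includes in a dedicated internal vhost. `nginx_status_vhost.conf` itself is not in this diff, so what it gates on is assumed here.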
@@ -19,7 +19,9 @@ server { listen 80; # IPv4 ## Replace the IPv6 address by your own address. The address below ## was stolen from the wikipedia page on IPv6. - listen [fe80::202:b3ff:fe1e:8330]:80 ipv6only=on; + #listen [fe80::202:b3ff:fe1e:8330]:80 ipv6only=on; + + set $upstream_id phpcgi; server_name example.com; limit_conn arbeit 32; @@ -123,7 +125,7 @@ server { ## was stolen from the wikipedia page on IPv6. ## Comment the line below if you're using SPDY. - listen [fe80::202:b3ff:fe1e:8329]:443 ssl ipv6only=on; + #listen [fe80::202:b3ff:fe1e:8329]:443 ssl ipv6only=on; ## Uncomment the line below if you're using SPDY. #listen [fe80::202:b3ff:fe1e:8329]:443 ssl spdy ipv6only=on; @@ -151,7 +153,7 @@ server { ## was stolen from the wikipedia page on IPv6. ## Comment the line below if you're using SPDY. - listen [fe80::202:b3ff:fe1e:8330]:443 ssl ipv6only=on; + #listen [fe80::202:b3ff:fe1e:8330]:443 ssl ipv6only=on; ## Uncomment the line below if you're using SPDY. #listen [fe80::202:b3ff:fe1e:8330]:443 ssl spdy ipv6only=on; diff --git a/sites-enabled/000-default b/sites-enabled/000-default new file mode 120000 index 00000000..6e8116da --- /dev/null +++ b/sites-enabled/000-default @@ -0,0 +1 @@ +../sites-available/000-default \ No newline at end of file diff --git a/upstream/README.md b/upstream/README.md new file mode 100644 index 00000000..11c4bca2 --- /dev/null +++ b/upstream/README.md 
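Review bot: `set $upstream_id phpcgi;` names an upstream this commit removes: the samples now define `phpcgi_tcp` and `phpcgi_unix` (upstream/phpcgi_tcp.conf.sample, upstream/phpcgi_unix.conf.sample) and upstream/*.conf is gitignored, so on a fresh checkout no `upstream phpcgi {}` exists and nginx will resolve `phpcgi` through the http-level `resolver` on every request instead of rejecting the configuration. Set it to a name that a copied sample actually defines and say where it must come from, e.g. `set $upstream_id phpcgi_tcp; # must match an upstream block in upstream/*.conf`. The `server {` block starts before this hunk.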
@@ -0,0 +1,23 @@ +UpStream Blocks +=============== + +Upstream blocks define the backends for Nginx. +Any file in this directory with the .conf suffix will be included in nginx.conf. + +Some sample configurations are provided + +| File | Contents | +|------|----------| +| phpapache.conf.sample | Upstream HTTP server like Apache with mod_php. Nginx will need to work as reverse proxy in this case | +| phpcgi_tcp.conf.sample | PHP-FPM configured to listen on Unix sockets | +| phpcgi_unix.conf.sample | PHP-FPM configured to listen on TCP sockets | + +Suggestions +----------- + +* One file per backend, named `.conf` +* Within the file there should be the following: + * One upstream block named ``, defining the backend's servers and policy. + * If the backend servers support ping/status: + * One upstream block per server/pool named `_` + * One Geo variable named `$acl__status` that will allow/deny access to the ping/status page (used in the locations defined under status_vhosts) diff --git a/upstream_phpapache.conf b/upstream/phpapache.conf.sample similarity index 60% rename from upstream_phpapache.conf rename to upstream/phpapache.conf.sample index 47796fdc..0b422e54 100644 --- a/upstream_phpapache.conf +++ b/upstream/phpapache.conf.sample @@ -2,12 +2,11 @@ ### Upstream configuration for Apache functioning has a PHP handler. -## Add as many servers as needed. -## Cf. http://wiki.nginx.org/HttpUpstreamModule. ## Note that this configuration assumes by default that keepalive ## upstream connections are supported and that you have a Nginx ## version with the fair load balancer. +## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule. upstream phpapache { ## Use the least connection algorithm for load balancing. This ## algorithm was introduced in versions 1.3.1 and 1.2.2. 
@@ -15,22 +14,13 @@ upstream phpapache { server 127.0.0.1:8080; server 127.0.0.1:8081; + + ## Add a third pool as a fallback. Remember to add a monitoring upstream. + #server 127.0.0.1:8082 backup; + ## Create a backend connection cache. Note that this requires ## Nginx version greater or equal to 1.1.4. ## Cf. http://nginx.org/en/CHANGES. Comment out the following ## line if that's not the case. keepalive 5; } - -## Add a third pool as a fallback. Note that this requires php-cgi -## side by side php-fpm. If you don't have it installed comment it -## out. -upstream phpapache_backup { - server 127.0.0.1:8082; - ## Create a backend connection cache. Note that this requires - ## Nginx version greater or equal to 1.1.4. - ## Cf. http://nginx.org/en/CHANGES. Comment out the - ## following line if that's not the case. - keepalive 1; -} - diff --git a/upstream_phpcgi_tcp.conf b/upstream/phpcgi_tcp.conf.sample similarity index 58% rename from upstream_phpcgi_tcp.conf rename to upstream/phpcgi_tcp.conf.sample index 101ffc7a..d10a6a53 100644 --- a/upstream_phpcgi_tcp.conf +++ b/upstream/phpcgi_tcp.conf.sample 
@@ -1,21 +1,23 @@ # -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Upstream configuration for PHP FastCGI. +### Upstream sample configuration for PHP FastCGI using TCP. -## Add as many servers as needed: -## Cf. http://wiki.nginx.org/HttpUpstreamModule. ## Note that this configuration assumes by default that keepalive ## upstream connections are supported and that you have a Nginx ## version with the fair load balancer. ## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule. -upstream phpcgi { +upstream phpcgi_tcp { ## Use the least connection algorithm for load balancing. This ## algorithm was introduced in versions 1.3.1 and 1.2.2. least_conn; server 127.0.0.1:9001; server 127.0.0.1:9002; + + ## Add a third pool as a fallback. Remember to add a monitoring upstream. + #server 127.0.0.1:9003 backup; + ## Create a backend connection cache. Note that this requires ## Nginx version greater or equal to 1.1.4. ## Cf. http://nginx.org/en/CHANGES. Comment out the following 
@@ -23,26 +25,26 @@ upstream phpcgi { keepalive 5; } -## Add a third pool as a fallback. Note that this requires php-cgi -## side by side php-fpm. If you don't have it installed comment it -## out. -upstream phpcgi_backup { - server 127.0.0.1:9003; - ## Create a backend connection cache. Note that this requires - ## Nginx version greater or equal to 1.1.4. - ## Cf. http://nginx.org/en/CHANGES. Comment out the - ## following line if that's not the case. - keepalive 1; -} - ## The upstreams below are used only for monitoring php-fpm status, ## The PHP TCP upstream that corresponds to the first pool: www0. -upstream www0 { +upstream phpcgi_tcp_www0 { server 127.0.0.1:9001; } ## The PHP TCP upstream that corresponds to the second pool: www1. -upstream www1 { +upstream phpcgi_tcp_www1 { server 127.0.0.1:9002; } + + +### Configuration of php-fpm status and ping pages. Here we define the +### allowed hosts using the Geo Module. http://wiki.nginx.org/HttpGeoModule + +geo $acl_phpcgi_tcp_status { + proxy 0.0.0.0/0; # Comment this line if not behind a reverse proxy, change the IP address if you have the proxy's IP address; + default 1; + 127.0.0.1 0; # allow on the loopback + 10.0.0.0/8 0; # allow on an internal network + 192.168.1.0/24 0; # allow on an internal network +} diff --git a/upstream_phpcgi_unix.conf b/upstream/phpcgi_unix.conf.sample similarity index 50% rename from upstream_phpcgi_unix.conf rename to upstream/phpcgi_unix.conf.sample index ec3a80b2..dc5947a4 100644 --- a/upstream_phpcgi_unix.conf +++ b/upstream/phpcgi_unix.conf.sample 
@@ -1,21 +1,23 @@ # -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- -### Upstream configuration for PHP FastCGI. +### Upstream sample configuration for PHP FastCGI using Unix sockets. -## Add as many servers as needed: -## Cf. http://wiki.nginx.org/HttpUpstreamModule. ## Note that this configuration assumes by default that keepalive ## upstream connections are supported and that you have a Nginx ## version with the fair load balancer. ## Add as many servers as needed. Cf. http://wiki.nginx.org/HttpUpstreamModule. -upstream phpcgi { +upstream phpcgi_unix { ## Use the least connection algorithm for load balancing. This ## algorithm was introduced in versions 1.3.1 and 1.2.2. least_conn; - server unix:/var/run/php-fpm.sock; - server unix:/var/run/php-fpm-zwei.sock; + server unix:/var/run/php-fpm-www0.sock; + server unix:/var/run/php-fpm-www1.sock; + + ## Add a third pool as a fallback. Remember to add a monitoring upstream. + #server unix:/var/run/php-fpm-bkp.sock backup; + ## Create a backend connection cache. Note that this requires ## Nginx version greater or equal to 1.1.4. ## Cf. http://nginx.org/en/CHANGES. Comment out the following 
@@ -23,26 +25,26 @@ upstream phpcgi { keepalive 5; } -## Add a third pool as a fallback. Note that this requires php-cgi -## side by side php-fpm. If you don't have it installed comment it -## out. -upstream phpcgi_backup { - server unix:/var/run/php-fpm-bkp.sock; - ## Create a backend connection cache. Note that this requires - ## Nginx version greater or equal to 1.1.4. - ## Cf. http://nginx.org/en/CHANGES. Comment out the - ## following line if that's not the case. - keepalive 1; -} - ## The upstreams below are used only for monitoring php-fpm status, ## The PHP TCP upstream that corresponds to the first pool: www0. -upstream www0 { - server unix:/var/run/php-fpm.sock; +upstream phpcgi_unix_www0 { + server unix:/var/run/php-fpm-www0.sock; } ## The PHP TCP upstream that corresponds to the second pool: www1. -upstream www1 { - server unix:/var/run/php-fpm-zwei.sock; +upstream phpcgi_unix_www1 { + server unix:/var/run/php-fpm-www1.sock; +} + + +### Configuration of php-fpm status and ping pages. Here we define the +### allowed hosts using the Geo Module. http://wiki.nginx.org/HttpGeoModule + +geo $acl_phpcgi_unix_status { + proxy 0.0.0.0/0; # Comment this line if not behind a reverse proxy, change the IP address if you have the proxy's IP address; + default 1; + 127.0.0.1 0; # allow on the loopback + 10.0.0.0/8 0; # allow on an internal network + 192.168.1.0/24 0; # allow on an internal network } diff --git a/upstream/status_vhosts/README.md b/upstream/status_vhosts/README.md new file mode 100644 index 00000000..3304d51f --- /dev/null +++ b/upstream/status_vhosts/README.md 
@@ -0,0 +1,26 @@ +Status vHosts +============= + +Each file defines the locations for a particular upstream's ping/status pages. + +This needs to be included in the virtual hosts in order to check availability according to use (if one vHost uses a backend, it should include its check locations). + +All .conf files are included in the default server so any backend can be checked by IP address (e.g. from an AWS ELB). + +A sample file is provided to check the phpcgi_unix backend with two servers + +The backend must be configured appropriately to respond to the tests. + +Suggestions: +----------- + +Locations should be use the following naming convention + +``` +/upstream//[/] +``` + +Where: + * ``: is the name of the backend being tested + * ``: ping, status, etc. As supported by the backend. + * ``: Optionally test a specific server in the backend. diff --git a/upstream/status_vhosts/phpcgi_unix_status_vhost.conf.sample b/upstream/status_vhosts/phpcgi_unix_status_vhost.conf.sample new file mode 100644 index 00000000..2c325123 --- /dev/null +++ b/upstream/status_vhosts/phpcgi_unix_status_vhost.conf.sample 
@@ -0,0 +1,64 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
+### The configuration for the status pages of php-fpm. As described in
+### http://www.php.net/manual/en/install.fpm.configuration.php.
+
+## Replace every instance of with the name you set in the upstream block
+
+### php-fpm provides a status and a heartbeat page that is served through the web server.
+### Here's an example configuration for them.
+
+## Status and Ping pages are grouped under /upstream/{backend}
+## The status page is at /upstream/{backend}/status.
+## The ping page is at /upstream/{backend}/ping.
+## Add /{pool} to query for any specific pool within the backend.
+## (Each pool must have its own upstream block named {backend}_{pool}.
+## Assumes pools are configured to respond to /fpm-status and /ping.
+##
+## Access is restricted via the geo variable $acl__status.
+## Non authorized access returns a 403 through the error_page directive.
+
+location ^~ /upstream/ {
+ fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+ fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+ ## This location allows getting status of one pool in the backend
+ location ~ /status$ {
+ if ($acl__status) {
+ return 403;
+ }
+ fastcgi_pass ;
+ fastcgi_index /fpm-status;
+ }
+
+ ## This location allows getting status of a specific pool
+ location ~ /status/(.+)$ {
+ if ($acl__status) {
+ return 403;
+ }
+ fastcgi_pass _$1;
+ fastcgi_index /fpm-status;
+ }
+
+ ## This location allows pinging one pool in the backend
+ location ~ /ping$ {
+ if ($acl__status) {
+ return 403;
+ }
+ fastcgi_pass ;
+ fastcgi_index /ping;
+ }
+
+ ## This location allows pinging a specific pool
+ location ~ /ping/(.+)$ {
+ if ($acl__status) {
+ return 403;
+ }
+ fastcgi_pass _$1;
+ fastcgi_index /ping;
+ }
+
+ location = /upstream/ {
+ return 444;
+ }
+}
diff --git a/zones/README.md b/zones/README.md
new file mode 100644
index 00000000..27f497a8
--- /dev/null
+++ b/zones/README.md
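Review bot: The `(.+)` capture in `location ~ /status/(.+)$` and `location ~ /ping/(.+)$` is handed straight to `fastcgi_pass {backend}_$1;` (the `<backend>` placeholder is lost in this rendering), so whatever suffix a client appends becomes the upstream name; when no such upstream block exists nginx falls back to resolving that string as a host name and, with no `resolver` configured, answers 502, so a typo surfaces as a backend failure instead of a 404. Restricting the capture to the pools that actually exist, `location ~ /status/(www0|www1)$ {`, or at least to `([a-z0-9]+)`, keeps the lookup inside the declared upstreams and makes the log noise easier to read. The header comment says unauthorized access "returns a 403 through the error_page directive", but the four locations use `if (...) { return 403; }`, so the comment should read `## Non authorized access returns a 403 via return 403 in each location.`. Also `fastcgi_index` only applies to URIs that end in `/`, so `fastcgi_index /fpm-status;` presumably does not set the script name for `/upstream/{backend}/status`; `fastcgi_param SCRIPT_NAME /fpm-status;` (matching the pool's status path) is what php-fpm keys on — worth confirming against a running pool, since the params this file inherits are not visible here.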
@@ -0,0 +1,20 @@
+Zones
+=====
+
+Use this directory to define zones.
+You may turn off any file by changing the suffix (I prefer adding .off)
+
+Limit Zones
+-----------
+
+Limit zones for connections using the [limit_conn](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html) module and for requests using the [limit_req](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html) module can be placed in this folder.
+
+It is suggested to use one file per zone following a naming convention .conf and all .conf files will be included in nginx.conf
+
+Zone names must be unique and they can then be used in the virtual hosts.
+
+MicroCache Zones
+----------------
+
+Proxy (Apache) and FastCGI cache zones are also defined here.
+
diff --git a/zones/arbeit.conf b/zones/arbeit.conf
new file mode 100644
index 00000000..a6830e0d
--- /dev/null
+++ b/zones/arbeit.conf
@@ -0,0 +1,19 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+## Define a zone for limiting the number of simultaneous
+## connections nginx accepts. 1m means 32000 simultaneous
+## sessions. We need to define for each server the limit_conn
+## value refering to this or other zones.
+## ** This syntax requires nginx version >=
+## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older
+## ** version then use the limit_zone directive below
+## ** instead. Comment out this
+## ** one if not using nginx version >= 1.1.8.
+limit_conn_zone $binary_remote_addr zone=arbeit:10m;
+
+## Define a zone for limiting the number of simultaneous
+## connections nginx accepts. 1m means 32000 simultaneous
+## sessions. We need to define for each server the limit_conn
+## value refering to this or other zones.
+## ** Use this directive for nginx versions below 1.1.8. Uncomment the line below.
+#limit_zone arbeit $binary_remote_addr 10m;
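Review bot: In zones/arbeit.conf the comment above `limit_conn_zone $binary_remote_addr zone=arbeit:10m;` explains the sizing for a 1m zone ("1m means 32000 simultaneous sessions") while the zone is declared with 10m, and the same four-line paragraph is repeated verbatim above the commented-out `limit_zone` fallback. One paragraph that states the size actually used would be less misleading, e.g. `## 10m of shared memory holds roughly 320000 client states (the nginx docs put a 1m zone at about 32000 32-byte states).`, with the fallback line keeping only its version note. "refering" should be "referring" in both copies.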
diff --git a/fastcgi_microcache_zone.conf b/zones/fastcgi_microcache_zone.conf similarity index 93% rename from fastcgi_microcache_zone.conf rename to zones/fastcgi_microcache_zone.conf index d448c509..09d66232 100644 --- a/fastcgi_microcache_zone.conf +++ b/zones/fastcgi_microcache_zone.conf @@ -1,7 +1,7 @@ # -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- ### Defining the FastCGI cache zone for the microcache as presented at: -## http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n. +### http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n. ## If youre using a Nginx version greater than 1.1.1 then you can ## tweak the Tweaking of the cache loader parameters. diff --git a/proxy_microcache_zone.conf b/zones/proxy_microcache_zone.conf.off similarity index 100% rename from proxy_microcache_zone.conf rename to zones/proxy_microcache_zone.conf.off