NGINX reverse proxy in front of Apache: hardened, high performance dedicated server setup

From DP

Revision as of 17:13, 8 January 2012 by Alexlwa (Talk | contribs)

Overview

Apache is a reliable HTTP server that, according to W3Techs (http://w3techs.com/technologies/overview/web_server/all), still holds more than 66% of the web server market, but it was not designed with performance or scalability in mind.

When traffic is too high, Apache spawns a large number of processes that consume too much memory and CPU. This situation causes the server to crash.

You can speed up your current HTTP server by installing a reverse proxy server in front of it. A reverse proxy fetches resources from one or more servers and returns them to the client as if they originated from the proxy server itself. Apache can act as a reverse proxy with the mod_proxy module, but there is no actual benefit to running mod_proxy on the same system the Apache web server runs on, plus it consumes more system resources.

For this setup, we will use an alternative web server, Nginx (http://wiki.nginx.org/Main), which is lighter and more efficient. Apache serves all dynamic content and Nginx handles all static files without consuming a lot of system resources, combining the benefits of both servers.

Hardware

Dedicated Server EX 4 http://www.hetzner.de/en/hosting/produkte_rootserver/ex4

  • CPU: Intel® Core™ i7-2600 Quadcore
  • RAM: 16 GB DDR3
  • Hard disks: 2 x 3 TB SATA 6 Gb/s HDD, 7200 rpm
  • NIC: 1 GBit onboard, connected at 100 MBit
  • Traffic: 10 TB/month

Operating System:

  • Debian-60-squeeze-64-minimal (Hetzner image)


Basic server setup

Debian OS, upgrade to latest packages

    # apt-get update 
    # apt-get upgrade 

Save the list of all installed packages so it can be replayed on a new installation

    # dpkg --get-selections > all-installed-software.log
    # dpkg --set-selections < all-installed-software.log
    # dselect

In dselect, select i (install).

References:

Packages installed

Apache
PHP
MySQL
ProFTPD
Postfix

Advanced server setup - NGINX

Nginx installation

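Use the Dotdeb repository to install Nginx 1.0.11, the latest stable release.

To enable the main Dotdeb repository, add these two lines to the /etc/apt/sources.list file (without a leading #, which would turn them into comments):

    deb http://packages.dotdeb.org stable all
    deb-src http://packages.dotdeb.org stable all

Then refresh the package index and install Nginx:

    # apt-get update
    # apt-get install nginx
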

Nginx configuration

Apache reverse proxy forward module (mod_rpaf)

    # apt-get install libapache2-mod-rpaf

Apache configuration

    # nano /etc/apache2/ports.conf 

Change Listen 80 to Listen 8080.
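
A minimal Nginx server block for the layout described above, as an added example that is not part of the original page: Nginx answers on port 80, serves static files itself and proxies everything else to Apache on port 8080. The file path, domain and document root are placeholders, and the loopback address assumes Apache runs on the same machine.

```nginx
# /etc/nginx/sites-available/example.com   (hypothetical file name)
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder domain

    root /var/www/example.com;                 # assumed: the docroot Apache also uses
    server_tokens off;                         # do not advertise the Nginx version

    # Apache's .htaccess rules do not apply to files Nginx serves itself,
    # so refuse dotfiles (.htaccess, .htpasswd, .git ...) explicitly.
    location ~ /\. {
        deny all;
    }

    # Static files: answered by Nginx, never reach an Apache process.
    location ~* \.(?:css|js|gif|jpe?g|png|ico|txt)$ {
        expires 30d;
        access_log off;
    }

    # Everything else (PHP and other dynamic content) goes to Apache.
    location / {
        proxy_pass http://127.0.0.1:8080;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Overwrite rather than append: a client-supplied X-Forwarded-For
        # must not reach Apache, because mod_rpaf uses this header to
        # replace the connection address in logs and access rules.
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# Apache side, for reference (assumptions, not from the original page):
#   - "Listen 127.0.0.1:8080" in ports.conf instead of "Listen 8080" keeps the
#     backend unreachable from outside, so only Nginx can set the header.
#   - mod_rpaf's RPAFproxy_ips should list only the proxy address (127.0.0.1).
```

If Apache stays reachable on a public address, any client can connect to port 8080 directly and bypass whatever filtering or rate limiting is configured on Nginx.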

WordPress, MediaWiki, phpBB configurations

WordPress

http://wordpress.org/extend/plugins/nginx-proxy-cache-integrator/

MediaWiki

phpBB

Hardening

sysctl.conf security hardening

/tmp, /var/tmp directory hardening

RootKit hunter

CSF firewall & LFD

Anti-DOS configuration
Brute force detection and prevention
Port scan detection and prevention
Securing SSH server
Root logger

Log analysis

FTP hardening

Apache mod_security

Remote monitoring

AWS EC2

Nagios
Munin

Backups!!!

Second HDD synchronization

Database dump

Offsite encrypted backups - Jungle Disk

Offsite encrypted backups on AWS EC3 or Rackspace Cloud Files

Troubleshooting

References