NGINX reverse proxy in front of Apache: hardened, high performance dedicated server setup
From DP
Overview
Apache is a reliable HTTP server that, according to W3Techs, still holds more than 66% of the web server market, but Apache was not designed with performance or scalability in mind.
When traffic is too high, Apache spawns a lot of worker processes that consume too much memory and generate high CPU load. This situation can cause the server to crash.
You can speed up your current HTTP server by installing a reverse proxy server in front of it. A reverse proxy fetches resources from one or more servers and returns them to the client as if they originated from the proxy server itself.
We will put the Nginx web server in front of Apache: Apache serves all dynamic content and Nginx handles all static files without consuming many system resources, combining the benefits of both servers.
Hardware
Dedicated Server EX 4 http://www.hetzner.de/en/hosting/produkte_rootserver/ex4
- Intel® Core™ i7-2600 Quadcore
- RAM 16 GB DDR3
- Hard disks 2 x 3 TB SATA 6 Gb/s HDD 7200 rpm
- NIC 1 GBit OnBoard, connected at 100 MBit
- Traffic 10 TB/month
Operating System:
- Debian-60-squeeze-64-minimal (Hetzner image)
Basic server setup - LAMP
Debian OS, upgrade to latest packages
# apt-get update
# apt-get upgrade
Packages installation
Apache
# apt-get install apache2
# a2enmod rewrite
configuration:
server check:
# apachectl -S
# apache2ctl -t
After enabling, disabling, or modifying any part of your Apache configuration, you need to reload the Apache configuration with the command:
# /etc/init.d/apache2 reload
PHP
# apt-get install php5 php-pear php5-suhosin php5-mysql
configuration: edit /etc/php5/apache2/php.ini
Make sure that the following values are set, and relevant lines are uncommented (comments are lines beginning with a semi-colon (;)):
max_execution_time = 60
memory_limit = 128M
error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
display_errors = Off
log_errors = On
error_log = /var/log/php5.log
register_globals = Off
MySQL
# apt-get install mysql-server
During the installation, you will be prompted for a password. Choose something secure and record it for future reference. At this point, MySQL should be ready to configure and run. While you shouldn't need to change the configuration file, note that it is located at /etc/mysql/my.cnf for future reference.
ProFTPD
Postfix
List of all installed packages for new installation
# dpkg --get-selections > all-installed-software.log
# dpkg --set-selections < all-installed-software.log
# dselect (select i - install)
References:
Advanced server setup - NGINX
Nginx installation
Using the Dotdeb repo for Nginx 1.0.11, the latest stable release
For the main Dotdeb repository, add these two lines to the /etc/apt/sources.list file (without a leading #, which would comment them out):
deb http://packages.dotdeb.org stable all
deb-src http://packages.dotdeb.org stable all
# apt-get update
# apt-get install nginx
Nginx configuration
Apache reverse proxy forward module (mod_rpaf)
# apt-get install libapache2-mod-rpaf
Apache configuration
# nano /etc/apache2/ports.conf
change the line "Listen 80" to "Listen 8080"
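A minimal Nginx site definition tying the steps above together, added here as an example rather than the author's configuration (the host name, document root and log paths are assumed): Nginx answers on port 80, serves static files itself, and proxies everything else to Apache on 127.0.0.1:8080 with the client address passed in X-Forwarded-For for mod_rpaf.

```nginx
# /etc/nginx/sites-available/example.com   (added example; example.com and paths are assumed)
# Nginx listens on port 80 and serves static files from disk; everything else
# is forwarded to Apache, which only needs to listen on 127.0.0.1:8080.

upstream apache_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.com www.example.com;   # assumed host names
    root /var/www/example.com;                 # assumed DocumentRoot, same as Apache's

    access_log /var/log/nginx/example.com.access.log;
    error_log  /var/log/nginx/example.com.error.log;

    # Dot-files (.htaccess, .git, ...) are neither served nor proxied.
    # This regex location comes first so it wins over the static-file rule below.
    location ~ /\. {
        deny all;
    }

    # Static files are served directly by Nginx; Apache never sees these requests.
    location ~* \.(css|js|gif|jpe?g|png|ico|svg|woff|ttf|txt)$ {
        expires 30d;
        access_log off;
        try_files $uri =404;
    }

    # Everything else (PHP, mod_rewrite rules, .htaccess logic) goes to Apache.
    location / {
        proxy_pass         http://apache_backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_connect_timeout 30;
        proxy_read_timeout    60;
        client_max_body_size  20m;   # upper bound for uploads passed to Apache
    }
}
```

On the Apache side, use "Listen 127.0.0.1:8080" in ports.conf rather than a bare "Listen 8080" so Apache cannot be reached directly from outside, and set "RPAFproxy_ips 127.0.0.1" in /etc/apache2/mods-available/rpaf.conf so Apache logs and access rules see the real client address from X-Forwarded-For instead of 127.0.0.1.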
WordPress, MediaWiki, phpBB configurations
WordPress
http://wordpress.org/extend/plugins/nginx-proxy-cache-integrator/
MediaWiki
phpBB
Hardening
sysctl.conf security hardening
/tmp, /var/tmp directory hardening
RootKit hunter
CSF firewall & LFD
Anti-DOS configuration
Brute force detection and prevention
Port scan detection and prevention
Securing SSH server
Root logger
Log analysis
FTP hardening
Apache mod_security
Remote monitoring
AWS EC2
Nagios
Munin
Backups!!!
Second HDD synchronization
Database dump
Offsite encrypted backups - Jungle Disk
Offsite encrypted backups on AWS EC3 or Rackspace Cloud Files
