Search the Community
Showing results for tags 'frontend'.
-
Ideea de a folosi nginx cu ssl ca frontend pentru apache cred ca este foarte buna din urmatoarele motive: - Se comporta ca un tcp offloader oferind ceva protectie extra pentru webserver (in caz de atacuri http(s)) - Scade timpul de acces pe site (spre diferenta de apache simplu cu SSL) vhost config server { listen 188.240.88.4:443; server_name rstcenter.com www.rstcenter.com; keepalive_timeout 60; ssl on; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers aRSA:!eNULL:!EXP:!LOW:-RC4:-3DES:!SEED:!MD5:!kPSK:!kSRP:-kRSA:@STRENGTH:AES128-SHA:DES-CBC3-SHA:RC4-SHA; ssl_prefer_server_ciphers on; ssl_session_cache shared:TLSSL:30m; ssl_session_timeout 10m; ssl_certificate /etc/nginx/ssl/rstcenter.com.combined.crt; ssl_certificate_key /etc/nginx/ssl/rstcenter.com.key; more_set_headers "X-Secure-Connection: true"; add_header Strict-Transport-Security max-age=3456000; location / { proxy_pass http://127.0.0.1:1234; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; } Un nginx.conf se poate vedea aici (nu este cel default) user www-data; worker_processes 4; worker_priority -1; pid /var/run/nginx.pid; worker_rlimit_nofile 640000; worker_cpu_affinity 0001 0010 0100 1000; events { worker_connections 64000; } http { sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 20; keepalive_requests 10000; types_hash_max_size 2048; client_max_body_size 128M; client_body_buffer_size 128k; connection_pool_size 8192; request_pool_size 8k; server_names_hash_bucket_size 2048; server_tokens off; resolver 127.0.0.1; resolver_timeout 2s; reset_timedout_connection on; more_set_headers "Server: Apache"; more_set_headers "X-XSS-Protection: 1; mode=block"; more_set_headers "X-Frame-Options: sameorigin"; more_set_headers "X-Content-Type-Options: nosniff"; open_file_cache max=147000 inactive=30s; open_file_cache_valid 60s; open_file_cache_min_uses 2; open_file_cache_errors on; include /etc/nginx/mime.types; default_type application/octet-stream; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; gzip on; gzip_static on; gzip_disable "msie6"; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_min_length 500; gzip_http_version 1.0; gzip_types text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript text/plain; include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } Note: - Nginx este instalat pe Debian (pachetul este 'nginx-extras') - Apache il rulez listat pe 127.0.0.1 port 1234 - Certificatul site-ului (CRT-ul) este concatenat din crt-ul domeniului + certificatul intermediar
-
Acest tutorial este adresat celor care doresc sa isi configureze un server cu Debian. O sa acopar in in el urmatoarele aspecte: 1. Instalare kernel cu grsec. 2. Instalare si configurare apache. 3. Instalare si configurare php. 4. Instalare si module php (extensii). 5. Configurare suhosin. 6. Instalare MySQL Server. 7. Modificari diverse permisiuni pentru un nivel mai bun de securitate 8. Instalare nginx si folosirea lui ca frontend pentru apache (dual strat web server) ---------------- 1. Instalare kernel cu grsec. Daca nu stiti inca ce este grsec/grsecurity, un bun punct de plecare este Grsecurity. Pentru linux, grsecurity este un fel de "sfantul graal" in materie de securitate. In plus, va scapa de o problema ce o are linux si care pe mine ma irita: ps aux dupa user, arata toate procesele. root@tex:~# echo "deb http://debian.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list root@tex:~# wget http://kernelsec.cr0.org/kernel-security.asc root@tex:~# apt-key add kernel-security.asc OK root@tex:~# apt-get update root@tex:~# apt-cache search grsec linux-source-2.6.32.15-1-grsec - Linux kernel source for version 2.6.32.15-1-grsec linux-source-2.6.25.10-1-grsec - Linux kernel source for version 2.6.25.10-1-grsec linux-image-2.6.32.15-1-grsec - Linux kernel binary image for version 2.6.32.15-1-grsec linux-headers-2.6.32.15-1-grsec - Header files related to Linux kernel, specifically, linux-source-2.6.27.29-4-grsec - Linux kernel source for version 2.6.27.29-4-grsec root@tex:~# apt-get install linux-image-2.6.32.15-1-grsec linux-headers-2.6.32.15-1-grsec root@tex:~# init 6 # aici dam reboot pentru a boota noul kernel. // Dupa reboot root@tex:~# uname -a Linux tex 2.6.32.15-1-grsec #2 SMP Mon Jun 28 09:05:30 CEST 2010 x86_64 GNU/Linux root@tex:~# su - tex tex@tex:~$ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND tex 2103 0.6 0.1 36908 1276 pts/0 S 00:58 0:00 su - tex tex 2104 13.0 0.6 23380 6200 pts/0 S 00:58 0:00 -su tex 2129 0.0 0.1 16332 1176 pts/0 R+ 00:58 0:00 ps aux Din cate observati, vad doar procesele mele dupa user. 2. Instalare si configurare apache. root@tex:~# apt-get install apache2-mpm-prefork apache2.2-common apache2.2-bin root@tex:~# rm /etc/apache2/sites-available/default root@tex:~# cat >> /etc/apache2/sites-available/default << EOF > NameVirtualHost * > > <Directory "/var/www"> > AllowOverride AuthConfig FileInfo Options Indexes Limit > Options FollowSymLinks > Options -Indexes > </Directory> > > <VirtualHost *> > DocumentRoot /var/www > ServerName 10.0.0.220 > CustomLog /var/log/apache2/access_log combined > ErrorLog /var/log/apache2/error_log > </VirtualHost> > EOF root@tex:~# Apache o sa-l listam pe 127.0.0.1 port 81 si o sa fie backend. root@tex:~# echo "Listen 127.0.0.1:81" > /etc/apache2/ports.conf root@tex:~# /etc/init.d/apache2 start 3. Instalare si configurare php (plus libapache2-mod-php5, necesar la apache (mod php)) PHP-ul o sa-l instalez de la dotdeb. root@tex:~# echo "deb http://packages.dotdeb.org stable all" >> /etc/apt/sources.list root@tex:~# echo "deb-src http://packages.dotdeb.org stable all" >> /etc/apt/sources.list root@tex:~# wget http://www.dotdeb.org/dotdeb.gpg root@tex:~# cat dotdeb.gpg |apt-key add - && rm dotdeb.gpg OK root@tex:~# apt-get update root@tex:~# apt-get install php5 php5-cli libapache2-mod-php5 php5-common php5-suhosin Inlocuiesc "expose_php = On" cu "expose_php = Off" / "short_open_tag = Off" cu "short_open_tag = On" si "session.name = PHPSESSID" cu "session.name = SERVLET" in php.ini pentru apache2. root@tex:~# perl -pi -e 's/expose_php = On/expose_php = Off/' /etc/php5/apache2/php.ini root@tex:~# perl -pi -e 's/short_open_tag = Off/short_open_tag = On/' /etc/php5/apache2/php.ini root@tex:~# perl -pi -e 's/PHPSESSID/SERVLET/' /etc/php5/apache2/php.ini 4. Instalare si configurare module php (extensii). O sa instalez urmatoarele extensii php: curl, gd, mcrypt, mysql. root@tex:~# apt-get install php5-curl php5-gd php5-mcrypt php5-mysql 5. Configurare suhosin. Din motive de securitate, o sa adaug in blacklisted utilizand suhosin urmatoarele functii: exec,shell_exec,passthru,show_source,dl,leak,ini_alter,ini_restore,proc_open,proc_nice,proc_terminate,proc_close,proc_get_status,symlink,system,popen,pcntl_getpriority,pcntl_wait,diskfreespace,disk_free_space,disk_total_space,get_current_user,stream_socket_accept,stream_socket_client,stream_socket_get_name,stream_socket_recvfrom,stream_socket_sendto,stream_socket_server,stream_socket_shutdown root@tex:~# cat >> /etc/php5/conf.d/suhosin.ini << EOF > > suhosin.executor.func.blacklist = "exec,shell_exec,passthru,show_source,dl,leak,ini_alter,ini_restore,proc_open,proc_nice,proc_terminate,proc_close,proc_get_status,symlink,system,popen,pcntl_getpriority,pcntl_wait,diskfreespace,disk_free_space,disk_total_space,get_current_user,stream_socket_accept,stream_socket_client,stream_socket_get_name,stream_socket_recvfrom,stream_socket_sendto,stream_socket_server,stream_socket_shutdown" > suhosin.cookie.max_array_depth = 256 > suhosin.cookie.max_array_index_length = 256 > suhosin.cookie.max_name_length = 256 > suhosin.cookie.max_totalname_length = 512 > suhosin.cookie.max_value_length = 20000 > suhosin.cookie.max_vars = 200 > suhosin.get.max_array_depth = 200 > suhosin.get.max_totalname_length = 1024 > suhosin.get.max_value_length = 1024 > suhosin.get.max_vars = 1024 > > > suhosin.post.max_array_depth = 1024 > suhosin.post.max_array_index_length = 1024 > suhosin.post.max_name_length = 1024 > suhosin.post.max_totalname_length = 1024 > suhosin.post.max_value_length = 95000 > suhosin.post.max_vars = 1024 > > suhosin.request.max_vars = 512 > suhosin.request.max_value_length = 90000 > suhosin.request.max_totalname_length = 1024 > suhosin.upload.max_uploads = 400 > > suhosin.executor.include.max_traversal = 2 > > EOF root@tex:~# Cam asa arata php in cli: root@tex:~# php -v PHP 5.3.8-1~dotdeb.2 with Suhosin-Patch (cli) (built: Aug 25 2011 13:30:46) Copyright (c) 1997-2011 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH root@tex:~# 6. Instalare MySQL Server si MySQL Client root@tex:~# apt-get install mysql-client-5.5 mysql-server-5.5 7. Modificari diverse permisiuni pentru un nivel mai bun de securitate Mountam tmpfs in /tmp cu flag-urile "noexec,nosuid,nodev" din motive de securitate. root@tex:~# echo "tmpfs /tmp tmpfs noexec,nosuid,nodev 2 2" >> /etc/fstab root@tex:~# mount /tmp root@tex:~# mount |grep "/tmp" tmpfs on /tmp type tmpfs (rw,noexec,nosuid,nodev) Stergem "/var/tmp" si il facem simlink catre tmp. root@tex:~# rm -rf /var/tmp/ && ln -s /tmp /var/tmp Dam chmod 640 la "/dev/shm" din motive de securitate. root@tex:~# chmod 640 /dev/shm 8. Instalare nginx si folosirea lui ca frontend pentru apache (dual strat web server) O sa listam port 80 cu nginx si o sa-l folosim ca frontend pentru apache, care se listeaza pe 127.0.0.1 port 81. (reverse proxy) root@tex:~# apt-get install nginx root@tex:~# rm /etc/nginx/sites-enabled/default root@tex:~# pico /etc/nginx/sites-enabled/default # fisier configuratie server { listen 0.0.0.0:80 default; server_name _; access_log off; error_log /dev/null; location / { proxy_pass http://127.0.0.1:81; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } Pornim nginx-ul. root@tex:~# /etc/init.d/nginx start Starting nginx: nginx. root@tex:~# [URL="http://i42.tinypic.com/121zmtx.png"]O sa pun un phpinfo in "/var/www/"[/URL] pentru a vedea daca este totul in ordine si o sa sterg index.html (default) root@tex:~# echo "<?php phpinfo(); ?>" >> /var/www/index.php root@tex:~# rm /var/www/index.html // restart la apache. root@tex:~# /etc/init.d/apache2 restart --------- Note: - Daca aveti intrebari legate de acest tutorial, va raspund cu cea mai mare placere. - Imi cer scuze pentru eventualele greseli legate de exprimare (am cam tras chiulul de la somn) - Nu am specificat sursa acestui tutorial pentru ca este facut de mine.