Utilizare nginx cu SSL ca frontend pentru apache

aelius · February 24, 2014

Ideea de a folosi nginx cu ssl ca frontend pentru apache cred ca este foarte buna din urmatoarele motive:

- Se comporta ca un tcp offloader oferind ceva protectie extra pentru webserver (in caz de atacuri http(s))

- Scade timpul de acces pe site (spre diferenta de apache simplu cu SSL)

vhost config


server {
     listen 188.240.88.4:443;
     server_name rstcenter.com www.rstcenter.com;
     keepalive_timeout 60;
     ssl    on;
     ssl_protocols           SSLv3 TLSv1 TLSv1.1 TLSv1.2;
     ssl_ciphers             aRSA:!eNULL:!EXP:!LOW:-RC4:-3DES:!SEED:!MD5:!kPSK:!kSRP:-kRSA:@STRENGTH:AES128-SHA:DES-CBC3-SHA:RC4-SHA;
     ssl_prefer_server_ciphers on;
     ssl_session_cache       shared:TLSSL:30m;
     ssl_session_timeout     10m;
     ssl_certificate         /etc/nginx/ssl/rstcenter.com.combined.crt;
     ssl_certificate_key     /etc/nginx/ssl/rstcenter.com.key;
     more_set_headers "X-Secure-Connection: true";
     add_header Strict-Transport-Security max-age=3456000;

location / {
     proxy_pass        http://127.0.0.1:1234;
     proxy_set_header  Host $http_host;
     proxy_set_header  X-Real-IP  $remote_addr;
 }

Un nginx.conf se poate vedea aici (nu este cel default)


user www-data;
worker_processes 4;
worker_priority -1;
pid /var/run/nginx.pid;
worker_rlimit_nofile 640000;
worker_cpu_affinity 0001 0010 0100 1000;

events {
	worker_connections 64000;
}

http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 20;
	keepalive_requests 10000;
	types_hash_max_size 2048;
	client_max_body_size 128M;
	client_body_buffer_size 128k;
	connection_pool_size 8192;
	request_pool_size 8k;
	server_names_hash_bucket_size 2048;
	server_tokens off;
	resolver 127.0.0.1;
	resolver_timeout 2s;
	reset_timedout_connection on;
	more_set_headers "Server: Apache";
	more_set_headers "X-XSS-Protection: 1; mode=block";
	more_set_headers "X-Frame-Options: sameorigin";
	more_set_headers "X-Content-Type-Options: nosniff";

 	open_file_cache max=147000 inactive=30s; 
 	open_file_cache_valid    60s; 
 	open_file_cache_min_uses 2;
 	open_file_cache_errors   on;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	gzip on;
	gzip_static on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_buffers 16 8k;
	gzip_min_length 500;
	gzip_http_version 1.0;
	gzip_types text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript text/plain;

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

Note:

- Nginx este instalat pe Debian (pachetul este 'nginx-extras')

- Apache il rulez listat pe 127.0.0.1 port 1234

- Certificatul site-ului (CRT-ul) este concatenat din crt-ul domeniului + certificatul intermediar

gogusan · February 25, 2014

max concurenti = 4x64000

Ce inseamna?

worker_processes 4; #4 core CPU

worker_cpu_affinity 0001 0010 0100 1000; #fiecare proces nginx pe cate 1 core

pt 5 core

worker_cpu_affinity 0001 0010 0100 1000 0011;

eu personal nu folosesc cpu_affinity, ii las sa mearga pe ce core vrea pl lor

events {
	worker_connections 64000;
[B][COLOR="#FF0000"]        use epoll; (pt kernel 2.6.x + )
        multi_accept on;[/COLOR][/B]
}

pt protectie minima DDOS docs aici:

Module ngx_http_limit_conn_module

Module ngx_http_core_module

exemplu personal:

nginx conf

http {
...
limit_req_zone $binary_remote_addr zone=bbddosphp:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=bbddos:10m rate=10r/s;
...
}

vhost conf


server {
...
location / {
index index.php index.html index.htm;
limit_req zone=bbdos burst=10;
}
...
location ~ \.php$ {
...
limit_req zone=bbddosphp burst=2;
}
...
}

aelius · February 25, 2014

@gogusan: Merci pentru post. Nu utilizez protectia dos din nginx pentru ca filtrez inainte cu iptables. Nu vreau sa filtrez pachetele la nivelul ala si prefer ca pachetele sa nu fie acceptate de server.

multi_accept on; # nu este ok pentru ca se produce aglomerare.

4x64000 -> este setat foarte mare pentru a fi sigur ca imi sunt acceptate toate conexiunile (de asemenea, in sysctl sunt valori f. mari)

5 core -> aici nu inteleg, nu exista five core

gogusan · February 25, 2014

- am scris ca e protectie minima (nu toata lumea stie sa faca filtrare cum trebuie cu iptables, defapt nici eu nu stiu )

- unele firme de hosting care au hexacoreuri poti cumpara cate core-uri vrei pt vps

- multi_accept on produce aglomerare doar daca ai worker_connection prea mic, gen 1024 dar pentru 10k+ merge pe on (parerea mea personala)

multi_accept
Syntax: multi_accept [ on | off ]
Default: off
multi_accept tries to accept() as many connections as possible after nginx gets notification about a new connection.

syctl:

net.ipv4.ip_local_port_range = 2000 65000
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_max_syn_backlog = 3240000
net.core.somaxconn = 3240000
net.ipv4.tcp_max_tw_buckets = 1440000

net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_congestion_control = cubic

mai mari?

Edited February 25, 2014 by gogusan

aelius · February 25, 2014

mareste si txqueuelen pe interfata de retea


ifconfig eth0 |grep txqueuelen
ifconfig eth0 txqueuelen 5000

Hai ca deschidem un thread deseara despre posibilitatile de filtrare cu iptables, ipfilter, packet filter. Cred ca or sa fie mai multi interesati.

Ideea e ca odata ajunse conexiunile sa fie procesate de aplicatii, este prea tarziu (atacul si-a atins scopul)

gogusan · December 15, 2015

salut @aelius

baga un update la topic si scoate din config SSLv3 > poodle

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

mai sunt unii copy paste

si inca astept ce ai zis in postul de mai sus daca ai timp si chef

Edited December 15, 2015 by gogusan

December 15, 2015

Ca si completare, doua chestii:

1). Este destul de periculos sa faci fallback din SSL pe non-SSL. Apache ar trebui sa faca listening tot pe SSL., deci https:// in loc de http://.

2). De la nginx 1.6 +, se poate adauga si protocolul spdy ca listener pe SSL.

Exemplu:

server {
     listen 188.240.88.4:443 [COLOR="#FF0000"][B]ssl spdy[/B][/COLOR];
     server_name rstcenter.com www.rstcenter.com;
     keepalive_timeout 60;
     ssl    on;
     ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
     ssl_ciphers             aRSA:!eNULL:!EXP:!LOW:-RC4:-3DES:!SEED:!MD5:!kPSK:!kSRP:-kRSA:@STRENGTH:AES128-SHA:DES-CBC3-SHA:RC4-SHA;
     ssl_prefer_server_ciphers on;
     ssl_session_cache       shared:TLSSL:30m;
     ssl_session_timeout     10m;
     ssl_certificate         /etc/nginx/ssl/rstcenter.com.combined.crt;
     ssl_certificate_key     /etc/nginx/ssl/rstcenter.com.key;
     more_set_headers "X-Secure-Connection: true";
     add_header Strict-Transport-Security max-age=3456000;

location / {
     proxy_pass        [COLOR="#FF0000"][B]httpS[/B][/COLOR]://127.0.0.1:1234;
     proxy_set_header  Host $http_host;
     proxy_set_header  X-Real-IP  $remote_addr;
 }

gogusan · December 15, 2015

probabil lipseste doar :

add_header Front-End-Https on;

atat nu httpS

dar cateva explicatii de rigoare in cazul asta este ca nginx comunica cu apache prin interfata de loopback, deci nu vad rostul la argumentul tau de la punctul 1.

ai 2 posibilitati de "security":

end 2 end sau nginx-client

defapt te hotarasti daca vrei nginx sa comunice cu apache prin ssl sau nu

in cazul nostru nginx-client e de ajuns folosind loopback.

daca faci upstreamuri & shit atunci da e periculos (si nu prea)

spydy a fost inlocuit cu HTTP/2 de la 1.9.5 incoace parca

deci: listen 188.240.88.4:443 ssl http2;

Edited December 15, 2015 by gogusan

aelius · December 15, 2015

Hello,

Nu sunt de acord ca nginx sa faca proxy pass catre apache tot pe SSL. Scopul nginx-ului este sa scapi de resurse consumate aiurea cat si de protectie (cazul in care este utilizat ca reverse proxy). Apache sta listat doar pe http si pe localhost in exemplele de mai sus.

Update ssl_protocols + ssl_ciphers


ssl_protocols  TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers  'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!RC4';

sleed · December 16, 2015

Peste 30% din site-uri folosesc inca SSLv3

Sign In

Utilizare nginx cu SSL ca frontend pentru apache

Recommended Posts

aelius

gogusan

aelius

gogusan

aelius

gogusan

Guest

gogusan

aelius

sleed

Join the conversation

Browse

Activity

Pages