aelius

Using nginx with SSL as a frontend for Apache


I think the idea of using nginx with SSL as a frontend for Apache is very good, for the following reasons:

- It acts as a TCP offloader, giving the web server some extra protection (in case of HTTP(S) attacks)

- It reduces the site's access time (compared with plain Apache with SSL)

vhost config


server {
    listen 188.240.88.4:443;
    server_name rstcenter.com www.rstcenter.com;
    keepalive_timeout 60;
    ssl on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers aRSA:!eNULL:!EXP:!LOW:-RC4:-3DES:!SEED:!MD5:!kPSK:!kSRP:-kRSA:@STRENGTH:AES128-SHA:DES-CBC3-SHA:RC4-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:TLSSL:30m;
    ssl_session_timeout 10m;
    ssl_certificate /etc/nginx/ssl/rstcenter.com.combined.crt;
    ssl_certificate_key /etc/nginx/ssl/rstcenter.com.key;
    more_set_headers "X-Secure-Connection: true";
    add_header Strict-Transport-Security max-age=3456000;

    location / {
        proxy_pass http://127.0.0.1:1234;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

An nginx.conf can be seen here (it is not the default one):


user www-data;
worker_processes 4;
worker_priority -1;
pid /var/run/nginx.pid;
worker_rlimit_nofile 640000;
worker_cpu_affinity 0001 0010 0100 1000;

events {
worker_connections 64000;
}

http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 20;
keepalive_requests 10000;
types_hash_max_size 2048;
client_max_body_size 128M;
client_body_buffer_size 128k;
connection_pool_size 8192;
request_pool_size 8k;
server_names_hash_bucket_size 2048;
server_tokens off;
resolver 127.0.0.1;
resolver_timeout 2s;
reset_timedout_connection on;
more_set_headers "Server: Apache";
more_set_headers "X-XSS-Protection: 1; mode=block";
more_set_headers "X-Frame-Options: sameorigin";
more_set_headers "X-Content-Type-Options: nosniff";

open_file_cache max=147000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors on;

include /etc/nginx/mime.types;
default_type application/octet-stream;

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

gzip on;
gzip_static on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 500;
gzip_http_version 1.0;
gzip_types text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript text/plain;

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

Notes:

- nginx is installed on Debian (the package is 'nginx-extras')

- I run Apache listening on 127.0.0.1 port 1234

- The site certificate (the CRT) is the domain's crt concatenated with the intermediate certificate


max concurrent = 4x64000 :o

What does it mean?

worker_processes 4; # 4-core CPU

worker_cpu_affinity 0001 0010 0100 1000; # each nginx process on one core

for 5 cores

worker_cpu_affinity 0001 0010 0100 1000 0011;

Personally I don't use cpu_affinity, I let them run on whatever core they damn well want

events {
    worker_connections 64000;
    use epoll;          # for kernel 2.6.x and later
    multi_accept on;
}

for minimal DDoS protection, docs here:

Module ngx_http_limit_conn_module

Module ngx_http_core_module

personal example:

nginx conf

http {
...
limit_req_zone $binary_remote_addr zone=bbddosphp:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=bbddos:10m rate=10r/s;
...
}

vhost conf


server {
    ...
    location / {
        index index.php index.html index.htm;
        limit_req zone=bbddos burst=10;      # zone name must match the limit_req_zone defined in nginx.conf
    }
    ...
    location ~ \.php$ {
        ...
        limit_req zone=bbddosphp burst=2;
    }
    ...
}


@gogusan: Thanks for the post. I don't use the DoS protection in nginx because I filter beforehand with iptables. I don't want to filter packets at that level, and I prefer that the packets not be accepted by the server at all.

multi_accept on; # is not OK because it causes congestion.

4x64000 -> it is set very high to make sure all my connections are accepted (also, the values in sysctl are very large)

5 core -> this one I don't understand, there is no such thing as five core


- I wrote that it is minimal protection (not everyone knows how to filter properly with iptables; actually I don't know either :) )

- at some hosting companies that have hexa-cores you can buy as many cores as you want for a VPS :)

- multi_accept on causes congestion only if worker_connections is too small, say 1024, but for 10k+ it works with it on (my personal opinion)

multi_accept

Syntax: multi_accept [ on | off ]

Default: off

multi_accept tries to accept() as many connections as possible after nginx gets notification about a new connection.

sysctl:

net.ipv4.ip_local_port_range = 2000 65000
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_max_syn_backlog = 3240000
net.core.somaxconn = 3240000
net.ipv4.tcp_max_tw_buckets = 1440000

net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_congestion_control = cubic

larger?

Edited by gogusan


also increase txqueuelen on the network interface


ifconfig eth0 |grep txqueuelen
ifconfig eth0 txqueuelen 5000

Let's open a thread tonight about the filtering options with iptables, ipfilter, packet filter. I think more people will be interested.

The point is that once the connections get as far as being processed by the applications, it is too late (the attack has achieved its goal)


hi @aelius

post an update to the topic and remove SSLv3 from the config > poodle

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

there are still some copy-pasters around

and I'm still waiting for what you said in the post above, if you have the time and inclination

Edited by gogusan

Guest

As a complement, two things:

1). It is quite dangerous to fall back from SSL to non-SSL. Apache should also listen on SSL, so https:// instead of http://.

2). From nginx 1.6+, the spdy protocol can also be added as a listener on SSL.

Example:

server {
    listen 188.240.88.4:443 ssl spdy;
    server_name rstcenter.com www.rstcenter.com;
    keepalive_timeout 60;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers aRSA:!eNULL:!EXP:!LOW:-RC4:-3DES:!SEED:!MD5:!kPSK:!kSRP:-kRSA:@STRENGTH:AES128-SHA:DES-CBC3-SHA:RC4-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:TLSSL:30m;
    ssl_session_timeout 10m;
    ssl_certificate /etc/nginx/ssl/rstcenter.com.combined.crt;
    ssl_certificate_key /etc/nginx/ssl/rstcenter.com.key;
    more_set_headers "X-Secure-Connection: true";
    add_header Strict-Transport-Security max-age=3456000;

    location / {
        proxy_pass https://127.0.0.1:1234;    # https, not http, towards Apache
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}


probably all that is missing is:

add_header Front-End-Https on;

that's it, not httpS

but some explanations are in order in this case: nginx communicates with apache over the loopback interface, so I don't see the point of your argument in item 1.

you have 2 "security" options:

end 2 end or nginx-client

actually you decide whether you want nginx to talk to apache over ssl or not :)

in our case nginx-client is enough, using loopback.

if you do upstreams & shit then yes, it's dangerous (and not really)

spdy was replaced by HTTP/2 from 1.9.5 onwards, I think

so: listen 188.240.88.4:443 ssl http2;

Edited by gogusan


Hello,

I don't agree that nginx should proxy_pass to apache over SSL as well. The purpose of nginx is to get rid of pointlessly consumed resources and also to provide protection (when it is used as a reverse proxy). Apache listens only on http and on localhost in the examples above.

Update ssl_protocols + ssl_ciphers


ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!RC4';

