nginx
Table of Contents
nginx
The nginx webserver is a fast and powerfull webserver, which usually used in production for loadbalancing.
Configuraiton PHP+nginx on Windows
Here is the describiton:
https://eksith.wordpress.com/2008/12/08/nginx-php-on-windows/
On Windows7 x64 a lib Visual C++ Redistributable for Visual Studio 2012 Update 4 has to be installed, for php-cgi.exe to work. Otherwise it throws an exception
The program can't start because MSVCR110.dll is missing from your computer. Try reinstalling the problem to fix this problem."
Both versions, 32 and x64 bit have to be installed for the php-cgi to work:
http://www.microsoft.com/en-us/download/details.aspx?id=30679
PHP configuraiton
Php in configured in php.ini. You can check where it should be located by checking the *Configuration File (php.ini) Path* among the output of
<?php phpinfo(); ?>
Alternatively you can pass the php.ini explicitely to the service php-cgi which serves the cgi requests.
"c:\nginx\php\php-cgi.exe" -b 127.0.0.1:9000 -c c:\Windows\php.ini
nginx.conf
This config redirects all requests with all methods (GET, POST, PUT, DELETE) to the file index.php. The originally requested path may be retrieved from the $_SERVER variable. The GET / POST parameters are available as well.
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name localhost;
# this guy redirects any path to /api.json
rewrite ^.*$ /index.php last;
location / {
root html;
index index.php index.html index.htm;
try_files $uri $uri/ /index.php;
}
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
set $path_info $uri;
fastcgi_param PATH_INFO $fastcgi_script_name;
}
}
}
To retrieve the requested method do the following inside the index.php
<?php
echo "hello \n";
# requested method (PUT GET POST DELETE)
echo getServerVariable('REQUEST_METHOD') . "\n";
# REQUEST_URI as string
$requesturi = getServerVariable('REQUEST_URI');
echo requesturi . "\n";
# REQUEST_URI as an array of path segments
$requesturiArray = explode('/', $requesturi);
echo implode($requesturiArray) . "\n";
function getServerVariable($variable){
if(isset($_SERVER[$variable])){
$pmethod = $_SERVER[$variable];
return $pmethod;
}else{
return "$variable undefined";
}
}
?>
Generated config from reverse_proxy nginx
root@f5ae19524493:/# cat /etc/nginx/conf.d/default.conf
# nginx-proxy version : 1.3.0
# Networks available to the container running docker-gen (which are assumed to
# match the networks available to the container running nginx):
# docker_network
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}
map $http_x_forwarded_host $proxy_x_forwarded_host {
default $http_x_forwarded_host;
'' $http_host;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}
# If the request from the downstream client has an "Upgrade:" header (set to any
# non-empty value), pass "Connection: upgrade" to the upstream (backend) server.
# Otherwise, the value for the "Connection" header depends on whether the user
# has enabled keepalive to the upstream server.
map $http_upgrade $proxy_connection {
default upgrade;
'' $proxy_connection_noupgrade;
}
map $upstream_keepalive $proxy_connection_noupgrade {
# Preserve nginx's default behavior (send "Connection: close").
default close;
# Use an empty string to cancel nginx's default behavior.
true '';
}
# Abuse the map directive (see <https://stackoverflow.com/q/14433309>) to ensure
# that $upstream_keepalive is always defined. This is necessary because:
# - The $proxy_connection variable is indirectly derived from
# $upstream_keepalive, so $upstream_keepalive must be defined whenever
# $proxy_connection is resolved.
# - The $proxy_connection variable is used in a proxy_set_header directive in
# the http block, so it is always fully resolved for every request -- even
# those where proxy_pass is not used (e.g., unknown virtual host).
map "" $upstream_keepalive {
# The value here should not matter because it should always be overridden in
# a location block (see the "location" template) for all requests where the
# value actually matters.
default false;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"';
access_log off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
error_log /dev/stderr;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
server_tokens off;
listen 80;
listen 443 ssl http2;
access_log /var/log/nginx/access.log vhost;
# No default.crt certificate found for this vhost, so force nginx to emit a
# TLS error if the client connects via https.
ssl_ciphers aNULL;
set $empty "";
ssl_certificate data:$empty;
ssl_certificate_key data:$empty;
if ($https) {
return 444;
}
return 503;
}
# alf.digital/
upstream alf.digital {
# Container: businesscard_s3
# networks:
# docker_network (reachable)
# IP address: 172.18.0.3
# exposed ports: 80/tcp 8081/tcp
# default port: 80
# using port: 8081
# /!\ WARNING: Virtual port published on host. Clients
# might be able to bypass nginx-proxy and
# access the container's server directly.
server 172.18.0.3:8081;
}
server {
server_name alf.digital;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name alf.digital;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/alf.digital.crt;
ssl_certificate_key /etc/nginx/certs/alf.digital.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://alf.digital;
set $upstream_keepalive false;
}
}
# card.alf.digital/
upstream card.alf.digital {
# Container: businesscard_s3
# networks:
# docker_network (reachable)
# IP address: 172.18.0.3
# exposed ports: 80/tcp 8081/tcp
# default port: 80
# using port: 8081
# /!\ WARNING: Virtual port published on host. Clients
# might be able to bypass nginx-proxy and
# access the container's server directly.
server 172.18.0.3:8081;
}
server {
server_name card.alf.digital;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name card.alf.digital;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/alf.digital.crt;
ssl_certificate_key /etc/nginx/certs/alf.digital.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://card.alf.digital;
set $upstream_keepalive false;
}
}
# wiki.alf.digital/
upstream wiki.alf.digital {
# Container: wiki_localhost
# networks:
# docker_network (reachable)
# IP address: 172.18.0.2
# exposed ports: 8080/tcp 8443/tcp
# default port: 80
# using port: 8080
# /!\ WARNING: Virtual port published on host. Clients
# might be able to bypass nginx-proxy and
# access the container's server directly.
server 172.18.0.2:8080;
}
server {
server_name wiki.alf.digital;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name wiki.alf.digital;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/alf.digital.crt;
ssl_certificate_key /etc/nginx/certs/alf.digital.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://wiki.alf.digital;
set $upstream_keepalive false;
}
}
# www.alf.digital/
upstream www.alf.digital {
# Container: businesscard_s3
# networks:
# docker_network (reachable)
# IP address: 172.18.0.3
# exposed ports: 80/tcp 8081/tcp
# default port: 80
# using port: 8081
# /!\ WARNING: Virtual port published on host. Clients
# might be able to bypass nginx-proxy and
# access the container's server directly.
server 172.18.0.3:8081;
}
server {
server_name www.alf.digital;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
# Do not HTTPS redirect Let's Encrypt ACME challenge
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
auth_request off;
allow all;
root /usr/share/nginx/html;
try_files $uri =404;
break;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name www.alf.digital;
access_log /var/log/nginx/access.log vhost;
listen 443 ssl http2 ;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/alf.digital.crt;
ssl_certificate_key /etc/nginx/certs/alf.digital.key;
set $sts_header "";
if ($https) {
set $sts_header "max-age=31536000";
}
add_header Strict-Transport-Security $sts_header always;
location / {
proxy_pass http://www.alf.digital;
set $upstream_keepalive false;
}
}
nginx.txt · Last modified: 2023/10/13 16:30 by skipidar