FreeBSD : web cluster – Frontend nginx, backend apache with SSL



Previously, I posted a write-up on glusterfs on FreeBSD clusters. Here is the installment on the round-robin web proxy part. In my configuration, nginx runs as the front-end and apache as the back-end. Both boxes have the same nginx and apache configuration. The nginx SSL cert and key should be the same as well (with the same common name, i.e. www.yourdomain.com).
APACHE
I will skip most of the apache installation part, as it is common and easy to set up. The basic requirement is that apache runs with SSL on port 8443. Please take note that mod_rpaf is required for apache to see the real IP address of the visitors rather than the address of the nginx proxy in front of it. Install it from /usr/ports/www/mod_rpaf2, then add these lines to your httpd.conf.
LoadModule rpaf_module libexec/apache22/mod_rpaf.so
<IfModule rpaf_module>
    RPAFEnable On
    RPAFsethostname On
    RPAFproxy_ips 192.168.100.82 192.168.100.84
</IfModule>
Note:
IP address for node 1 = 192.168.100.82
IP address for node 2 = 192.168.100.84
NGINX (engine X)
Installation of nginx is fairly simple under FreeBSD, as the port is complete (no messy manual patching and stuff). Just run the installation with this command, but take note that you need these two options enabled: HTTP_SSL_MODULE and HTTP_UPSTREAM_FAIR. Yes, you need them.
cd /usr/ports/www/nginx && make install
The configuration file, nginx.conf, is relatively easy to understand if you are familiar with lighttpd or apache mod_proxy. The following is an example of an nginx config file. Remember, use with care because YMMV.
user www;
worker_processes 4;
events {
    worker_connections 4096;
}
http {
    include /usr/local/etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 5;
    gzip on;
    upstream backend_servers {
        fair;
        server 192.168.100.82:8443;
        server 192.168.100.84:8443;
    }
    server {
        listen 80 default;
        server_name _;
        server_name_in_redirect off;
        access_log /var/log/nginx-access.log;
        error_log /var/log/nginx-error.log;
        location / {
            proxy_pass https://backend_servers;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 5;
            proxy_send_timeout 5;
            proxy_read_timeout 5;
        }
    }
    server {
        listen 443 default;
        server_name _;
        server_name_in_redirect off;
        access_log /var/log/nginx-ssl-access.log;
        error_log /var/log/nginx-ssl-error.log;
        ssl on;
        ssl_certificate /etc/ssl/certs/nginx-cert.pem;
        ssl_certificate_key /etc/ssl/keys/nginx-key.pem;
        ssl_session_timeout 5m;
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass https://backend_servers;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 5;
            proxy_send_timeout 5;
            proxy_read_timeout 5;
        }
    }
}
Vhosts are managed by apache httpd, so these lines are needed in nginx.conf to make nginx pass every hostname through unchanged.
server_name _; server_name_in_redirect off;
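The X-Forwarded-For handling above has two halves that must agree: nginx appends the client's address with $proxy_add_x_forwarded_for, and apache (via RPAFproxy_ips) must only believe that header when the connection really comes from one of the two nginx nodes. The following is an added example that models both halves; it is not code from this post or from mod_rpaf, and the "take the last entry" rule is an assumption you should check against the mod_rpaf version you install.

```python
# Models the front-end/back-end X-Forwarded-For contract from the post.
# Added illustration, not code from the post or from mod_rpaf.
import ipaddress
from typing import Optional

# Trusted front-end proxies, matching the RPAFproxy_ips line in httpd.conf.
PROXY_IPS = {"192.168.100.82", "192.168.100.84"}


def proxy_add_x_forwarded_for(existing: Optional[str], remote_addr: str) -> str:
    """Mimic nginx's $proxy_add_x_forwarded_for: append the address nginx
    actually saw to whatever X-Forwarded-For the client sent, if any."""
    return f"{existing}, {remote_addr}" if existing else remote_addr


def effective_client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Address the back-end should log and act on.

    Only honour X-Forwarded-For when the directly connected peer is one of
    our own proxies; then use the LAST entry, which is the one our proxy
    appended and therefore the only entry we control. Anything a client
    put in the header itself sits earlier in the list and is ignored.
    """
    if peer_addr not in PROXY_IPS or not xff:
        return peer_addr
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))  # reject non-address junk
    except ValueError:
        return peer_addr


if __name__ == "__main__":
    # Constructed sample: a client (203.0.113.5) sends its own forged header.
    forged = "10.0.0.1"
    # Case 1: it connects straight to apache, bypassing nginx -> header ignored.
    print(effective_client_ip("203.0.113.5", forged))
    # Case 2: it goes through node 1 -> nginx appends the real address.
    via_nginx = proxy_add_x_forwarded_for(forged, "203.0.113.5")
    print(via_nginx, "->", effective_client_ip("192.168.100.82", via_nginx))
```

If RPAFproxy_ips listed an address that was not actually one of your own proxies, the "last entry" rule would be trusting a header anyone could write, so keep that list limited to the two nginx nodes.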
For SSL cert and key generation, please refer to the previous post, glusterfs on FreeBSD. That's it.
Wednesday, April 22nd, 2009



