1.Перенос Apache с 80 на 8080 порт
nano /usr/local/etc/apache22/httpd.conf
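# Apache alone (no reverse proxy in front of it):
#Listen 80
# nginx (frontend) on port 80, Apache (backend) on port 8080.
# Bind the backend to loopback only: nginx proxies to 127.0.0.1:8080, and a
# wildcard "Listen 8080" would let clients reach Apache directly on :8080,
# bypassing the allow/deny and auth_basic gates configured in nginx.
Listen 127.0.0.1:8080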
nano /usr/local/etc/apache22/extra/httpd-vhosts.conf
# apache22 still needs NameVirtualHost for name-based vhosts on this socket.
NameVirtualHost *:8080
# Every vhost moves from *:80 to *:8080 so it is only reached through nginx.
<VirtualHost *:8080>
……………………
</VirtualHost>
httpd -S   # dump the parsed vhost table: every vhost should now be on *:8080
httpd -t   # syntax check before restarting
/usr/local/etc/rc.d/apache22 restart
2.Установка и настройка Nginx
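# Install nginx from ports.
cd /usr/ports/www/nginx
make install clean
cd /usr/local/etc/nginx/
# Keep a pristine copy of the shipped config before editing it.
cp nginx.conf nginx.conf~
nano nginx.conf   # config: see "cat nginx.conf" below
# Create the log and temp directories before the syntax check, so every path
# the config refers to already exists when nginx -t opens it.
mkdir -p /var/log/nginx
mkdir -p /var/tmp/nginx/client_body_temp
# ASCII hyphen: the original "–t" (en dash) is not an option nginx understands.
nginx -t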
Прикручиваем виртуальные хосты(сайты)
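nano conf.d/joomla.to.conf      # config: see "cat conf.d/joomla.to.conf" below
nano conf.d/wordpress.to.conf   # config: see "cat conf.d/wordpress.to.conf" below
nano conf.d/proxy.conf          # config: see "cat conf.d/proxy.conf" below
# Basic-auth users for auth_basic_user_file. -c creates the file; do not repeat
# it for later users or the existing entries are wiped.
htpasswd -c .htpasswd tom
htpasswd .htpasswd bob
# The file holds password hashes: readable by the nginx workers (user www per
# nginx.conf), not by every local account.
chown root:www .htpasswd
chmod 640 .htpasswd
nginx -t
/usr/local/etc/rc.d/nginx restart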
3.Установка и настройка модуля mod_rpaf
# mod_rpaf2 replaces the client address Apache sees with one taken from a
# header set by the proxy, so logs and REMOTE_ADDR show the real client.
cd /usr/ports/www/mod_rpaf2/
make install clean
nano /usr/local/etc/apache22/httpd.conf
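LoadModule rpaf_module libexec/apache22/mod_rpaf2.so
RPAFenable On
# Also take the Host header from the proxy (nginx forwards it via proxy.conf).
RPAFsethostname On
# Headers are trusted only when the connection comes from these addresses.
# Keep the list to the proxy itself: anything listed here can set an
# arbitrary client address.
RPAFproxy_ips 127.0.0.1 192.168.1.42
# Must name the header nginx actually sets. proxy.conf sends X-Forwarded-For
# (overwriting whatever the client supplied). Reading a header nginx does not
# set would let a client pick its own REMOTE_ADDR simply by sending it.
RPAFheader X-Forwarded-For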
/usr/local/etc/rc.d/apache22 restart
В логах Apache теперь вместо 127.0.0.1 будет реальный IP-адрес клиента — при условии, что имя заголовка в RPAFheader совпадает с тем, который nginx выставляет в proxy.conf. Заголовок, который nginx не перезаписывает, клиент может подставить сам.
tail -f /var/log/httpd-access.log
Альтернативная проверка корректности работы модуля Rpaf
В корне любого сайта (например, у меня — в корне сайта по умолчанию) создать файл, например ipcheck.php, с таким содержанием (после проверки файл удалить):
nano /usr/local/www/apache22/data/ipcheck.php
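<?php
// Temporary probe for the rpaf setup: prints the client address Apache sees.
// Plain ASCII quotes: the typographic quotes in the original are a parse error.
// Delete this file once the check is done.
header('Content-Type: text/plain; charset=utf-8');
echo isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '', "\n";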
После чего обратиться к нему и убедиться, что получаем IP-адрес клиента:
http://freebsd911.kama.dnsalias.com/ipcheck.php или
http://192.168.1.42/ipcheck.php
4.Настройка SSL для Nginx
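cd /usr/local/etc/nginx/
mkdir ssl
cd ssl/
# Key files get no group/other permissions from the moment they are written.
umask 077
# Self-signed, 10-year certificates. -nodes leaves the key unencrypted because
# nginx has to read it unattended at boot. Ask for 2048-bit RSA and SHA-256
# explicitly; older OpenSSL defaults are weaker. Browsers will warn about
# a self-signed certificate; use a CA-issued one for a public site.
openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 -out joomla.pem -keyout joomla.key
openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 -out wordpress.pem -keyout wordpress.key
cd ..
# Keep the material root-owned: nginx reads certificates and keys in the
# root-running master at startup, so the www workers never need access.
chown -R root:wheel ssl
chmod 700 ssl
chmod 600 ssl/*.key
chmod 644 ssl/*.pem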
nano conf.d/joomla.to.conf
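listen 443 ssl;
ssl_certificate /usr/local/etc/nginx/ssl/joomla.pem;
ssl_certificate_key /usr/local/etc/nginx/ssl/joomla.key;
# A shared session cache makes the timeout below meaningful across workers.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# SSLv2 and SSLv3 are broken (DROWN, POODLE) and must not be offered;
# TLS 1.0/1.1 are deprecated. If nginx -t rejects TLSv1.3 on an old build,
# drop that token rather than re-adding SSLv2/SSLv3.
ssl_protocols TLSv1.2 TLSv1.3;
# No anonymous suites, no MD5; the server chooses the suite.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;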
nano conf.d/wordpress.to.conf
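listen 443 ssl;
ssl_certificate /usr/local/etc/nginx/ssl/wordpress.pem;
ssl_certificate_key /usr/local/etc/nginx/ssl/wordpress.key;
# A shared session cache makes the timeout below meaningful across workers.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# SSLv2 and SSLv3 are broken (DROWN, POODLE) and must not be offered;
# TLS 1.0/1.1 are deprecated. If nginx -t rejects TLSv1.3 on an old build,
# drop that token rather than re-adding SSLv2/SSLv3.
ssl_protocols TLSv1.2 TLSv1.3;
# No anonymous suites, no MD5; the server chooses the suite.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;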
nginx -t
/usr/local/etc/rc.d/nginx restart
Если необходимо принудительно перенаправлять с http на https, тогда используем следующую конструкцию
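# In a server that listens on both 80 and 443, send plain-HTTP requests to
# HTTPS. Plain ASCII quotes: the « » in the original are not nginx string
# delimiters. "return" keeps the full URI and query string without a regex;
# 301 is the permanent redirect the original "permanent" flag asked for.
if ($scheme = "http") {
    return 301 https://$host$request_uri;
}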
после строки
ssl_prefer_server_ciphers on;
cat nginx.conf
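user www www;
worker_processes 1;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
    use kqueue;
}
http {
    include mime.types;
    default_type application/octet-stream;
    # Plain ASCII quotes and hyphen: the typographic quotes and dash in the
    # original are not recognised by nginx and break the format definition.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    # Short timeouts so idle or slow clients do not pin a worker connection.
    client_header_timeout 10;
    client_body_timeout 10;
    send_timeout 10;
    connection_pool_size 256;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 2k;
    request_pool_size 4k;
    sendfile on;
    #tcp_nopush on;
    tcp_nodelay on;
    # Do not advertise the nginx version in Server: headers and error pages.
    server_tokens off;
    gzip on;
    gzip_static on;
    gzip_comp_level 5;
    gzip_min_length 1024;
    gzip_buffers 4 8k;
    gzip_disable msie6;
    gzip_types text/plain application/json text/xml text/css text/comma-separated-values text/javascript application/x-javascript application/atom+xml;
    keepalive_timeout 5 5;
    # The zone is declared but nothing uses it yet; a "limit_conn addr N;" in a
    # server or location is needed before per-client connections are capped.
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    output_buffers 1 32k;
    client_body_buffer_size 8K;
    proxy_buffer_size 4K;
    proxy_buffers 10 4k;
    postpone_output 1460;
    client_max_body_size 80m;
    # One index directive; the original listed index.html twice over two lines.
    index index.html index.htm index.php;
    # Pulls in the vhosts AND conf.d/proxy.conf, so the proxy_set_header lines
    # also apply at http level and are inherited by any location that sets
    # none of its own.
    include /usr/local/etc/nginx/conf.d/*.conf;
    upstream backend {
        server 127.0.0.1:8080;
    }
    # Catch-all for host names no vhost claims; everything goes to Apache.
    server {
        listen 80 default_server;
        server_name _;
        #charset koi8-r;
        # location / {
        #     root /usr/local/www/nginx;
        #     index index.html index.htm;
        # }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }
        # proxy everything to Apache on 127.0.0.1:8080 (the upstream above)
        # location ~ \.php$ {
        location / {
            proxy_pass http://backend;
            # Same headers and timeouts as the named vhosts, stated explicitly
            # instead of relying on the glob include above. The X-Forwarded-For
            # set there overwrites any value the client sent, which is what
            # mod_rpaf on the Apache side relies on.
            include /usr/local/etc/nginx/conf.d/proxy.conf;
        }
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        location ~ /\.ht {
            deny all;
        }
    }
}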
cat conf.d/joomla.to.conf
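server {
    listen 80;
    server_name joomla.to www.joomla.to;
    # nginx's own counters; LAN and localhost only. Requests here are logged by
    # the http-level access_log: "access_log on" is not a keyword, nginx would
    # have opened a log file literally named "on".
    location /server-status {
        stub_status on;
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;
    }
    # Dot-files (.htaccess, .git, editor backups ...) are neither served nor
    # proxied, whichever location would otherwise pick them up.
    location ~ /\. {
        deny all;
    }
    # Access gate: LAN/localhost pass without credentials, everyone else must
    # authenticate (satisfy any = address check OR basic auth).
    # NOTE(review): the gate covers only what is proxied through here; the
    # static-file location below serves directly from the docroot without it.
    location / {
        root /usr/local/www/joomla.to;
        satisfy any;
        allow 192.168.1.0/24;
        allow 127.0.0.1/32;
        deny all;
        # Plain ASCII quotes; the original's « » were typographic quotes.
        auth_basic "Restricted";
        auth_basic_user_file /usr/local/etc/nginx/.htpasswd;
        proxy_pass http://backend/;
        include /usr/local/etc/nginx/conf.d/proxy.conf;
    }
    # Static assets are served by nginx itself, straight from the docroot.
    location ~* ^.+\.(jpg|jpeg|gif|png|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|wav|bmp|rtf|js)$ {
        root /usr/local/www/joomla.to;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/www/nginx-dist;
    }
}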
cat conf.d/wordpress.to.conf
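server {
    listen 80;
    server_name wordpress.to www.wordpress.to;
    # nginx's own counters; LAN and localhost only. Requests here are logged by
    # the http-level access_log: "access_log on" is not a keyword, nginx would
    # have opened a log file literally named "on".
    location /server-status {
        stub_status on;
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;
    }
    # Dot-files (.htaccess, .git, editor backups ...) are neither served nor
    # proxied, whichever location would otherwise pick them up.
    location ~ /\. {
        deny all;
    }
    # Access gate: LAN/localhost pass without credentials, everyone else must
    # authenticate (satisfy any = address check OR basic auth).
    # NOTE(review): the gate covers only what is proxied through here; the
    # static-file location below serves directly from the docroot without it.
    location / {
        root /usr/local/www/wordpress.to;
        satisfy any;
        allow 192.168.1.0/24;
        allow 127.0.0.1/32;
        deny all;
        # Plain ASCII quotes; the original's « » were typographic quotes.
        auth_basic "Restricted";
        auth_basic_user_file /usr/local/etc/nginx/.htpasswd;
        proxy_pass http://backend/;
        include /usr/local/etc/nginx/conf.d/proxy.conf;
    }
    # Static assets are served by nginx itself, straight from the docroot.
    location ~* ^.+\.(jpg|jpeg|gif|png|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|wav|bmp|rtf|js)$ {
        root /usr/local/www/wordpress.to;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/www/nginx-dist;
    }
}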
cat conf.d/proxy.conf
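# Headers and timeouts shared by every location that proxies to Apache.
# Both address headers are set unconditionally from $remote_addr, so whatever a
# client sends in X-Forwarded-For or X-Real-IP is replaced rather than passed
# through. This matters because mod_rpaf on the backend trusts any header that
# arrives from 127.0.0.1; a header nginx leaves untouched is client-controlled.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
# Original Host, so Apache's name-based vhosts (and RPAFsethostname) see it.
proxy_set_header Host $host;
# Tells the application whether the client arrived over TLS once nginx
# terminates HTTPS (Apache only ever sees plain HTTP on 8080); the
# application has to be configured to honour it.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 120;
proxy_send_timeout 120;
proxy_read_timeout 180;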