Install Apache and run Nginx as a reverse proxy

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Alcides, Nov 1, 2017.

  1. Alcides

    Hello!

    I am preparing a production server with the 123.09beta01.
    I would like to use NGINX as the main webserver, but for some applications I would like to use Apache behind it and run Nginx as a reverse proxy due to the complex rewrite/htaccess setup.

    The method I am using to install/set up Apache on a 123.09beta01 CentOS 7 box is the following:
    --------------------------------------------------
    ### --- Preparing Installation --- ###
    How to Install The Latest Apache Server (httpd) on Centos 7 | CROSP's Blog
    sudo yum install -y epel-release
    cd /etc/yum.repos.d && wget https://repo.codeit.guru/codeit.el`rpm -q --qf "%{VERSION}" $(rpm -q --whatprovides redhat-release)`.repo
    -------------------------------------------------
    ### --- Edit Repository config file --- ###
    vim /etc/yum.repos.d/codeit.el7.repo
    Add a line at the end with: priority=1
    -------------------------------------------------
    ### --- Installation --- ###
    yum install httpd
    systemctl start httpd
    systemctl enable httpd
    --------------------------------------------------
    ### --- Change TCP Listen port --- ###
    vim /etc/httpd/conf/httpd.conf
    Change Listen port from 80 to 8080
    --------------------------------------------------
    ### --- Add Firewall Rules --- ###
    vim /etc/csf/csf.conf
    Add port 8080 for TCP ipv6 and ipv4.
    csf -r (restart)
    --------------------------------------------------
    ### --- Enable Apache Modules for Proxy --- ###
    Create a custom config file
    touch /etc/httpd/conf.modules.d/custommodules.conf
    Add the lines below:
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
    --------------------------------------------------
    ### --- Setup apache virtual host to use PHP-FPM --- ###
    --------------------------------------------------
    Add inside of the virtual host directive:
    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/path/to/your/documentroot/$1
    DirectoryIndex /index.php index.php
    --------------------------------------------------

    I have done this. Looks like it is working very well. BUT I am not sure if I can cause future issues with Centmin Mod.

    Could you please tell me what best practices you recommend for installing Apache without producing any issues with Centmin Mod scripts and repository dependencies?
    I would like to keep updating Centmin Mod and I would like to avoid any possible future issues.

    Thanks in advance.
     
    • Informative Informative x 1
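Added example, not part of the original post: a check for the two steps above that decide who can reach Apache, the `Listen` port and the CSF rule. It assumes Nginx runs on the same host and proxies to the loopback address; the function names and config snippets are constructed for illustration, and `TCP_IN`/`TCP6_IN` are the inbound port lists in csf.conf.

```bash
# Added example (not from the thread); the config snippets below are constructed.
# Print Listen addresses for PORT that are not loopback-only (httpd.conf on stdin).
exposed_listens() {
  awk -v port="$1" '
    /^[ \t]*#/ { next }                            # ignore comments
    tolower($1) == "listen" {
      n = split($2, part, ":")
      if (part[n] != port) next                    # some other port
      if ($2 ~ /^127\./ || $2 ~ /^\[::1\]:/) next  # loopback-only is fine
      print $2
    }'
}

# Exit 0 if csf.conf (stdin) lists PORT, alone or inside a range, under KEY.
csf_allows() {
  awk -v key="$1" -v port="$2" '
    $1 == key {
      list = $0
      sub(/^[^"]*"/, "", list); sub(/".*$/, "", list)  # keep the quoted value
      n = split(list, item, ",")
      for (i = 1; i <= n; i++) {
        c = split(item[i], r, ":")                     # "a:b" is a port range
        if (port + 0 >= r[1] + 0 && port + 0 <= r[c] + 0) found = 1
      }
    }
    END { exit !found }'
}

# audit_backend HTTPD_TEXT CSF_TEXT PORT: print findings, return 1 if any.
audit_backend() {
  rc=0
  for addr in $(printf '%s\n' "$1" | exposed_listens "$3"); do
    echo "Listen $addr: Apache accepts connections on non-loopback interfaces"; rc=1
  done
  for key in TCP_IN TCP6_IN; do
    if printf '%s\n' "$2" | csf_allows "$key" "$3"; then
      echo "$key: csf allows inbound connections to port $3"; rc=1
    fi
  done
  return $rc
}

AS_POSTED_HTTPD='Listen 8080'
AS_POSTED_CSF='TCP_IN = "22,80,443,8080"
TCP6_IN = "22,80,443,8080"'
LOOPBACK_HTTPD='Listen 127.0.0.1:8080'
LOOPBACK_CSF='TCP_IN = "22,80,443"
TCP6_IN = "22,80,443"'
audit_backend "$AS_POSTED_HTTPD" "$AS_POSTED_CSF" 8080 || echo "=> Apache is reachable without passing through Nginx"
audit_backend "$LOOPBACK_HTTPD" "$LOOPBACK_CSF" 8080 && echo "=> Apache is reachable only through the local Nginx proxy"
```

On a real host, feed the functions the contents of /etc/httpd/conf/httpd.conf and /etc/csf/csf.conf instead of the sample strings.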
  2. Jimmy

    [​IMG]
     
  3. Alcides

    ?
     
  4. pamamolf

  5. eva2000

  6. Atrix

    Hey, just wanted to say thanks to this thread. For servers that have legacy support for .htaccess, or unique cgi-bin interactions with Perl and Apache modules, going through and converting them to nginx is NOT a good solution, unless you love to deliver programs that don't work quite like they used to and have bugs. Or charge them a fortune. Or both.

    So this solution works really nice for those legacy servers I have to maintain. There's more though, you need to do better with the vhost solutions for nginx. Also domains will need to be set up a certain way with Apache and it won't auto create that for you. Since these domains are few, and aren't added to a lot, it's not a prob for me.

    Make a file in /usr/local/nginx/conf/proxy_apache.conf:
    Code:
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:8080;
    
    server_name_in_redirect off;
    sendfile off;
    proxy_redirect off;
    
    Now for your server block in the nginx file for your domain under /usr/local/nginx/conf/conf.d/domain.com.ssl.conf. Note I disabled the non-SSL site and uncommented the top part to make it always use SSL, which isn't shown here. If you use non-SSL you'll need to do this for the non-SSL file too.
    Code:
        # Proxy anything that isn't a file.
        location / {
            try_files $uri @apache;
        }
    
        # Proxy directories (This fixes the loop)
        # This will kill any other indexes like index.html if they're not explicitly used in the URL.
        location ~ [^?]*/$ {
            if ( $is_args = "?" ) {
                rewrite / /index.php$is_args$args;
            }
            try_files $uri @apache;
        }
    
        # cgi-bin
        location ~ cgi-bin/ {
            include /usr/local/nginx/conf/proxy_apache.conf;
        }
    
        # Proxy any .php file.
        location ~ \.php$ {
            include /usr/local/nginx/conf/proxy_apache.conf;
        }
    
        # Proxy to apache, used by location / {...}
        location @apache {
            include /usr/local/nginx/conf/proxy_apache.conf;
        }
    
        # prevent access to ./directories and files
        location ~ (?:^|/)\. {
            deny all;
        }
    
    The nginx rules took the most work by far and it was a combination of solutions I found online to solve diff problems. So far we have a sophisticated old school user lockout system that uses excessive http rewrites and cgi-bin perl modules running it very well.

    Now we get to the httpd configuration part which was fairly easy in no small part because we know the traffic it gets is supposed to be there:

    Code:
    ServerName domain.com
    <VirtualHost *:8080>
        ServerName domain.com
        #ServerAlias *.domain.com
    
        DocumentRoot /home/nginx/domains/domain.com/public/
    
        <Directory /home/nginx/domains/domain.com/public/>
            Options -Indexes +FollowSymLinks +MultiViews
            AllowOverride All
            AcceptPathInfo On
            Require all granted
        </Directory>
    
        <Directory "/home/nginx/domains/domain.com/public/cgi-bin/">
            Options +ExecCGI
            AddHandler cgi-script .cgi .pl
        </Directory>
        ScriptAlias "/cgi-bin/" "/home/nginx/domains/domain.com/public/cgi-bin/"
    
        <FilesMatch \.php$>
            # 2.4.10+ can proxy to unix socket
            # SetHandler "proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost/"
    
            # Else we can just use a tcp socket:
            SetHandler "proxy:fcgi://127.0.0.1:9000"
        </FilesMatch>
    
        ErrorLog /var/log/httpd/domain.com-error.log
    
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
    
        CustomLog /var/log/httpd/domain.com-access.log combined
    
    </VirtualHost>
    
    You also need to change /etc/httpd/conf/httpd.conf and replace lines for User and Group with:
    Code:
    User nginx
    Group nginx
    
    This makes it work with nginx permissions wise.

    The only other thing you'll want to do is, for any scripts that depend on the actual IP address, change them to use the HTTP_CF_CONNECTING_IP header if you're using Cloudflare, or otherwise whichever header it's stored in; some possible ones are listed here: https://www.virendrachandak.com/techtalk/getting-real-client-ip-address-in-php-2/

    When I tried this with the default centos httpd server it was a mess, cloudflare had these super rare errors and ppl would get error messages, but those messages didn't show up if you bypassed cloudflare. Since cloudflare works with most sites, it had to be something with the apache setup. It only happened under larger loads too. This one, not a single problem so thanks again.
     
    • Informative Informative x 1
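Added example, not part of the original post: nginx tests regex locations in the order they appear in the file and stops at the first match, so the position of the dot-file `deny` rule decides which requests it sees. The script replays the rule order from the server block above with `grep -E` over constructed URIs; the helper names are hypothetical, and `(?:^|/)\.` is written `(^|/)\.` because ERE has no non-capturing groups.

```bash
# Added example (not from the thread): which regex location handles a URI?
# The prefix location "/" is used only when no regex location matches.

# first_regex_location URI NAME=REGEX...  -> prints the name of the first match
first_regex_location() {
  uri=$1; shift
  for loc in "$@"; do
    name=${loc%%=*}; re=${loc#*=}
    if printf '%s\n' "$uri" | grep -Eq -- "$re"; then
      echo "$name"; return 0
    fi
  done
  echo "prefix /"    # no regex matched: falls back to location /
}

# Rule order as posted: the deny rule comes last.
as_posted() {
  first_regex_location "$1" 'directory=[^?]*/$' 'cgi-bin=cgi-bin/' 'php=\.php$' 'deny-dot=(^|/)\.'
}

# Same rules with the deny rule moved to the top of the server block.
deny_first() {
  first_regex_location "$1" 'deny-dot=(^|/)\.' 'directory=[^?]*/$' 'cgi-bin=cgi-bin/' 'php=\.php$'
}

# Constructed sample URIs.
for uri in /.htaccess /.hidden/ /.hidden/page.php /index.php /blog/ /style.css; do
  printf '%-20s posted: %-10s deny-first: %s\n' "$uri" "$(as_posted "$uri")" "$(deny_first "$uri")"
done
```

With the posted order, dot-paths that end in `/` or `.php` are handled by the earlier proxy locations and never reach `deny all`; placing the deny location first makes it apply to every dot-path.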
  7. eva2000

    thanks @Atrix for sharing (y)
     