Tuesday, September 10, 2019

Nginx Tips and Tricks - Load Balancer Configuration


1. Configure Nginx as a load balancer


If you have multiple sites, you can configure Nginx to load balance between multiple servers.
There are two files you will need to change:



# cat /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    upstream mysec {
        ip_hash;
        server 3.81.70.239:30000 weight=3;
        server 34.73.78.142:80 weight=2;
    }

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

# cat /etc/nginx/conf.d/wordpress.conf
server {
    listen       80;
    server_name  www.51sec.org;

    location / {
        proxy_pass       http://mysec;
        proxy_redirect             off;
        proxy_http_version         1.1;
        proxy_set_header Upgrade   $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Another simple Nginx load balancer configuration in /etc/nginx/nginx.conf:
http {
  upstream project1 {
    server 127.0.0.1:8000 weight=3;
    server 127.0.0.1:8001 weight=2;
    server 127.0.0.1:8002;
  }

  server {
    listen 80;
    server_name www.51sec.org;
    location / {
      proxy_pass http://project1;
    }
  }
}

On Ubuntu systems there is a default file in /etc/nginx/sites-enabled. If you have already defined your WordPress configuration file under this folder, you might want to delete this default file.

On Debian and Ubuntu systems you’ll need to remove the default symbolic link from the sites-enabled folder.
sudo rm /etc/nginx/sites-enabled/default
CentOS hosts don’t use the same linking. Instead, simply rename the default.conf in the conf.d/ directory to something that doesn’t end with .conf, for example:
sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.disabled
Then use one of the following to restart or reload nginx:
sudo systemctl restart nginx
sudo /etc/init.d/nginx restart
sudo /etc/init.d/nginx reload



2. Configure a backup server

The ip_hash directive does not work with the backup parameter. In the following configuration, server 3.81.70.239 will not be hit until server 34.73.78.142 is unavailable.
The ip_hash balancer does not support backup servers and weight.

# cat /etc/nginx/nginx.conf
.....

http {
    upstream mysec {
        ##ip_hash;
        ##  server 3.81.70.239:30000 weight=3;
        server 34.73.78.142:80 weight=2;
        server 3.81.70.239:30000 backup;
    }

.....
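
A pre-deployment check for the upstream mistakes covered in sections 1 and 2 (a backup server combined with ip_hash, a misspelled server parameter, a missing semicolon), as an added example that is not part of the original post. The function name `lint_upstreams`, the sample config and the parameter list are assumptions made here; it complements `nginx -t` rather than replacing it.

```python
import re

# Constructed sample: the section 2 upstream with ip_hash left enabled and a
# misspelled "weight" parameter, so that both checks fire.
SAMPLE = """
http {
  upstream mysec {
    ip_hash;
    server 34.73.78.142:80 weitht=2;
    server 3.81.70.239:30000 backup;
  }
}
"""

# Common parameters of an upstream "server" line (a subset; extend as needed).
KNOWN = {"weight", "max_conns", "max_fails", "fail_timeout", "backup", "down"}
# Balancing methods that the nginx documentation says cannot use "backup".
NO_BACKUP = {"ip_hash", "hash", "random"}
UPSTREAM = re.compile(r"upstream\s+(\S+)\s*\{([^{}]*)\}")

def lint_upstreams(conf):
    """Return a list of (upstream_name, message) findings for a config string."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments such as "##ip_hash;"
    findings = []
    for name, body in UPSTREAM.findall(conf):
        if body.strip() and not body.rstrip().endswith(";"):
            findings.append((name, "missing ';' before '}'"))
        directives = [d.split() for d in body.split(";") if d.strip()]
        methods = {d[0] for d in directives} & NO_BACKUP
        for d in directives:
            if d[0] != "server":
                continue
            for param in d[2:]:  # d[1] is the address, the rest are parameters
                key = param.split("=", 1)[0]
                if key not in KNOWN:
                    findings.append((name, f"unknown server parameter '{param}'"))
                elif key == "backup" and methods:
                    method = sorted(methods)[0]
                    findings.append((name, f"'backup' on {d[1]} conflicts with {method}"))
    return findings

if __name__ == "__main__":
    for name, msg in lint_upstreams(SAMPLE):
        print(f"upstream {name}: {msg}")
```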

3. Hide Nginx Version Information from Hackers

Before the change:

To prevent hackers from carrying out targeted penetration, configure the following:
vi /etc/nginx/nginx.conf

Add under the http block: server_tokens off;

After enabling server_tokens off:


4. Validate the nginx.conf configuration before applying it
nginx -t


5. Reload nginx.conf without restarting the service
nginx -s reload

/etc/init.d/nginx reload



6. Domain Rewrite

If you have an existing domain www.test.com and would like to change it to blog.51sec.com, the purpose is to keep all content unchanged so that only the domain changes automatically.
For example, if a user visits www.test.com/a/b/1.html, it will automatically redirect to the blog.51sec.com/a/b/1.html page.
Method 1:
Method 2:





