NSLU2-Linux

ReverseProxy is a component that sits in front of web server(s) or app server(s) and routes requests to the corresponding server based on configuration. The advantages of this approach are:

  • Security
    • The app server can sit behind the reverse proxy server and not be directly accessible
    • For selected subsites, the reverse proxy server can add SSL encryption
  • Flexibility
    • With a reverse proxy server, you can mix and match different server technologies and have them co-exist. For example, subsite1 may be served by PHP, subsite2 by a python app, subsite3 by RoR, and subsite4 by tomcat.
  • Scalability with load balancing.
  • Optionally, if the reverse proxy server supports it, it can efficiently serve static content and thus let the app server(s) focus on dynamic content.

Using apache or even lighttpd for reverse proxy seems overkill.

On nslu2 with optware, pound and nginx are two lightweight reverse proxy servers. Pound is strictly a "reverse proxy and load balancer", while nginx can also connect to an upstream (backend) PHP server over the fastcgi protocol and serve static content.

It makes a lot of sense to use nginx on the slug, especially in the following scenarios:

  1. If a slug is all you want to use, for dynamically generated content as well as static content, yet you don't want to use a full web server;
  2. If you would like to use a slug as a reverse proxy in front of your other app server(s).

Let's say we want to test nginx (localhost:7007) in front of cherokee (localhost:8008, an example of http web/app server) and PHP (localhost:9009, an example of fastcgi).

Preparation

Install cherokee and php-fcgi

# ipkg update
# ipkg install cherokee
# ipkg install php-fcgi
  • Browse to http://slug:8008 and you should see cherokee serving /opt/share/www/cherokee/ content.

Verify php-fcgi version

# /opt/bin/php-fcgi -v
PHP 5.1.6 (cgi-fcgi) (built: Aug 25 2006 08:50:32)
...

Prepare a simple info.php, with just a single line of "<?php phpinfo(); ?>"

# mkdir -p /opt/share/www/php
# echo "<?php phpinfo(); ?>" > /opt/share/www/php/info.php

Install, configure & test nginx.

Basic setup

# ipkg install nginx

Change the http server in /opt/etc/nginx/nginx.conf to listen on port 7007 instead of the default 8082.

Launch nginx

# /opt/sbin/nginx

  • Browse to http://slug:7007/ and you should see nginx serving /opt/share/www/nginx/ content.

Add cherokee

Add the following lines to /opt/etc/nginx/nginx.conf http server section:

        location /cherokee/ {
            proxy_pass      http://127.0.0.1:8008/;
            proxy_redirect  default;
        }

Restart nginx

# killall nginx
# /opt/sbin/nginx
  • Browse to http://slug:7007/ and you should still see nginx serving /opt/share/www/nginx/ (== /opt/nginx/html/) content.
  • Browse to http://slug:7007/cherokee/ and you should see cherokee serving /opt/share/www/cherokee/ content through nginx.

Add php-fcgi

Add the following lines to /opt/nginx/conf/nginx.conf http server section:

        location ~ \.php$ {
            fastcgi_pass   127.0.0.1:9009;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  /opt/share/www/php/$fastcgi_script_name;
            fastcgi_param  QUERY_STRING     $query_string;
            fastcgi_param  REQUEST_METHOD   $request_method;
            fastcgi_param  CONTENT_TYPE     $content_type;
            fastcgi_param  CONTENT_LENGTH   $content_length;
        }

Launching php-fcgi

# /opt/bin/php-fcgi -b 127.0.0.1:9009

Restart nginx

# killall nginx
# /opt/sbin/nginx
  • Browse to http://slug:7007/ and you should still see nginx serving /opt/share/www/nginx/ content.
  • Browse to http://slug:7007/cherokee/ and you should still see /opt/share/www/cherokee/ content.
  • Browse to http://slug:7007/info.php and you should now see the PHP info page!

Tighten security

Run PHP and the app server as a non-root user where possible, and pass only the environment variables that PHP needs. See the references below.
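
One check that fits here, as an added example that is not part of the original page: the function below reads `netstat -ltn` output and lists any backend port (8008 for cherokee, 9009 for php-fcgi in this walkthrough) that listens on a non-loopback address and can therefore be reached without going through nginx. The function names, the sample listing, and the availability of netstat and awk on the slug are assumptions.

```sh
#!/bin/sh
# Added example: report backend ports reachable without going through nginx.
# Ports follow the walkthrough: 7007 nginx, 8008 cherokee, 9009 php-fcgi.

# exposed_backends PORT...  (hypothetical helper name)
# Reads `netstat -ltn` style lines on stdin and prints "PORT ADDRESS" for every
# listed port bound to a non-loopback address.
exposed_backends() {
    awk -v ports="$*" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr
            sub(/.*:/, "", port)        # keep what follows the last colon
            sub(/:[0-9]+$/, "", addr)   # drop the trailing :port
            if (!(port in want)) next
            # Loopback listeners are only reachable from the slug itself.
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print port, addr
        }'
}

# Constructed sample listing (not captured from a real slug): cherokee is bound
# to loopback, php-fcgi is bound to every interface.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7007            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8008          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9009            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
EOF
}

# On the slug: netstat -ltn | exposed_backends 8008 9009
sample_netstat | exposed_backends 8008 9009
```

An empty result means every listed backend port is bound to loopback only; any line printed names a port that clients can reach directly, bypassing the proxy.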

References

  1. nginx
  2. nginx English wiki
  3. Nginx - Small, But Very Powerful and Efficient Web Server
  4. nginx and Rimuhosting

Page last modified on October 08, 2008, at 02:57 AM