How to install Nginx with SPDY in centos linux from source code

How to install Nginx from source code?

Nginx is a very popular web server. With SPDY we can make the Nginx server much faster and more secure. SPDY's main goal is to reduce page load latency through compression, multiplexing and prioritization. SPDY only works over SSL (HTTPS). In this blog we will learn how to install Nginx with SPDY; setting up and configuring Nginx with SPDY will be covered in a separate blog.

Step 1: Get the latest Nginx from nginx.org

 $ wget http://nginx.org/download/nginx-1.7.3.tar.gz
 $ tar -xzf nginx-1.7.3.tar.gz

Step 2: Configure Nginx with SPDY.

Along with SPDY I am adding a few more options that are generally required on web servers. Depending on your own requirements you can add or remove these extra parameters. Go into the nginx folder extracted above and run the following:

$ cd nginx-1.7.3
$ ./configure --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --with-http_ssl_module \
    --with-http_spdy_module \
    --with-http_realip_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_stub_status_module \
    --user=nginx --group=nginx
$ make
$ make install

This builds and installs Nginx with SPDY support.

Step 3: Add the nginx user (you can use a different user name if you want):

$ useradd -M -r --shell /sbin/nologin --home-dir /opt/nginx nginx

Step 4: Create the Nginx init script (daemon). Review the downloaded script before installing it, since it will run as root:

$ wget -qO /etc/init.d/nginx https://gist.github.com/sairam/5892520/raw/b8195a71e944d46271c8a49f2717f70bcd04bf1a/etc-init.d-nginx
$ chmod +x /etc/init.d/nginx

Register it with chkconfig so it starts at boot:

chkconfig --add nginx
chkconfig --level 345 nginx on

Step 5: Nginx is now set up, so start the server:

service nginx start

Setting up domain configs:

Step 1: I prefer to put all my domain config files in a separate folder so they are easy to manage. To do that, create a folder called vhosts at /etc/nginx/vhosts.

$ cd /etc/nginx
$ mkdir vhosts

Step 2: Create a domain config file, for example domain.com, and put your domain settings there.

Example of a basic Nginx domain config file with SPDY enabled:

server {
    error_log /var/log/domain.com_error_log warn;
    listen 198.168.0.1:443 ssl spdy;
    server_name 198.168.0.1 www.domain.com;
    access_log /var/log/domain.com-bytes_log bytes_log;
    access_log /var/log/domain.com_access_log combined;
    root /home/domain/public_html;
    ssl_certificate /etc/nginx/ssl/domain.com.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/myserver.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # deny access to apache .htaccess files
    location ~ /\.ht {
        deny all;
    }
}
The above is just an example; configuring the Nginx server will be covered in a separate blog.
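As an added check (not part of the article), the script below audits a server block like the one above for three things worth confirming before exposing it: every "listen ... spdy" also carries "ssl" (SPDY only runs over TLS), ssl_protocols does not offer SSLv2/SSLv3, and ssl_ciphers does not enable RC4, both of which are broken and should not be offered. The server block in the script is constructed from the article's example; the audit_vhost function name is my own.

```shell
#!/bin/sh
# Added example (not from the article): audit an nginx server block for
# SPDY-without-TLS, SSLv2/SSLv3 and RC4. Input below is constructed from
# the article's vhost; run it on a real file with: audit_vhost < vhost.conf
VHOST='server {
    listen 198.168.0.1:443 ssl spdy;
    server_name 198.168.0.1 www.domain.com;
    ssl_certificate /etc/nginx/ssl/domain.com.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/myserver.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 still offered
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;            # RC4 first in the list
    ssl_prefer_server_ciphers on;
}'

# Reads nginx config on stdin and prints one finding per line (no output = clean).
audit_vhost() {
    awk '
    { sub(/#.*/, ""); sub(/;[[:space:]]*$/, "") }   # drop comments and trailing ;
    $1 == "listen" && / spdy/ && !/ ssl/ {
        print "listen " $2 ": spdy without ssl"
    }
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) if ($i ~ /^SSLv[23]$/) print "ssl_protocols offers " $i
    }
    $1 == "ssl_ciphers" && $2 ~ /RC4/ && $2 !~ /!RC4/ {
        print "ssl_ciphers enables RC4"
    }'
}

printf '%s\n' "$VHOST" | audit_vhost
# prints:
#   ssl_protocols offers SSLv3
#   ssl_ciphers enables RC4
```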

Step 3: Nginx server configuration. This will be a separate topic, but for a basic setup you can look at the example below to get the idea.

The Nginx config file will be at /etc/nginx/nginx.conf (the path given to --conf-path above).

Example of nginx config:

# run as user nginx
user nginx;

# number of worker processes; generally the number of CPUs in your server.
worker_processes 2;

# log critical errors to the given location
error_log /var/log/nginx/error.log crit;
worker_rlimit_nofile 20480;

events {
    worker_connections 5120; # increase for busier servers
    use epoll; # use epoll on Linux 2.6.x kernels
}

http {
    open_file_cache max=2000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    # access_log off;
    server_name_in_redirect off;
    proxy_headers_hash_max_size 1024;
    proxy_headers_hash_bucket_size 1024;
    server_names_hash_max_size 10240;
    server_names_hash_bucket_size 1024;
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 5;
    gzip on;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";
    gzip_proxied any;
    gzip_http_version 1.1;
    gzip_min_length 1000;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    # You can remove image/png image/x-icon image/gif image/jpeg if you have a slow CPU
    gzip_types text/plain text/xml text/less text/css application/x-javascript application/xml application/xml+rss text/javascript application/atom+xml image/png image/x-icon image/gif image/jpeg;
    ignore_invalid_headers on;
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    reset_timedout_connection on;
    connection_pool_size 256;
    client_header_buffer_size 256k;
    large_client_header_buffers 4 256k;
    client_max_body_size 200M;
    client_body_buffer_size 128k;
    request_pool_size 32k;
    output_buffers 4 32k;
    postpone_output 1460;
    proxy_temp_path /tmp/nginx_proxy/;
    client_body_in_file_only on;
    log_format bytes_log "$msec $bytes_sent .";

    # load all nginx domain config files from the vhosts folder.
    include "/etc/nginx/vhosts/*";
}

How to prevent DDoS attacks with the CSF firewall?

Preventing DDoS attacks with the CSF firewall.

First make sure the DDoS traffic is not caused by an open recursive DNS resolver on your own server. To check and fix that issue please read this article: Preventing DDoS amplification open resolver attacks

This article shows how to set up the CSF firewall so that a deliberate DDoS attack against your server can be prevented.

 

Step 1: Open and edit the CSF config file.

vi /etc/csf/csf.conf

Settings (csf.conf values are written in double quotes):

Enable connection tracking. CT_LIMIT is the maximum number of connections allowed from one IP; set this value according to your server's requirements.

CT_LIMIT = "100"

Set the connection tracking interval (in seconds).

CT_INTERVAL = "30"

If you want an email alert about a possible DDoS attack, enable it.

CT_EMAIL_ALERT = "1"

If you want IP blocks to be permanent, set this to 1; otherwise blocks will be temporary and cleared after CT_BLOCK_TIME seconds.

CT_PERMANENT = "1"

If you opt for temporary IP blocks for CT, the following is the interval in seconds that the IP will remain blocked (e.g. 1800 = 30 mins).

CT_BLOCK_TIME = "1800"

If you only want to count connections on specific ports (e.g. 80,443), add them to the following as a comma separated list, e.g. "80,443".

CT_PORTS = "80,23,443"

 

These settings are usually enough against DDoS attacks, but if you are still getting attacks with the options above configured, you can set a few more options.
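To see which clients would trip CT_LIMIT before turning connection tracking on, here is an added example (my own approximation, not the article's and not CSF's own code) that reads CT_LIMIT and CT_PORTS from a csf.conf fragment, counts established connections per client IP on the tracked ports from ss output, and prints the addresses over the limit. The csf.conf fragment, the ss lines and the function names (csf_get, sample_conns, over_limit) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article, not CSF's code): preview which peer
# IPs exceed CT_LIMIT on the CT_PORTS ports. All input below is constructed.

# Constructed csf.conf fragment using the article's CT values.
CSF_CONF='CT_LIMIT = "100"
CT_PORTS = "80,23,443"'

# Read one double-quoted setting from the csf.conf fragment.
csf_get() {
    printf '%s\n' "$CSF_CONF" |
        sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Constructed `ss -Htn` lines (State Recv-Q Send-Q Local:Port Peer:Port):
# 120 connections to :443 from 203.0.113.5, 3 to :80 from 198.51.100.7 and
# 150 to :22 from 192.0.2.9 (port 22 is not in CT_PORTS, so it is ignored).
sample_conns() {
    gen() { i=0; while [ "$i" -lt "$1" ]; do echo "ESTAB 0 0 10.0.0.1:$2 $3:$((40000 + i))"; i=$((i + 1)); done; }
    gen 120 443 203.0.113.5
    gen 3 80 198.51.100.7
    gen 150 22 192.0.2.9
}

# Reads ss output on stdin; prints "ip count" for each peer IPv4 address with
# more than CT_LIMIT established connections on the tracked ports.
over_limit() {
    awk -v limit="$(csf_get CT_LIMIT)" -v ports="$(csf_get CT_PORTS)" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) track[p[i]] = 1 }
    $1 == "ESTAB" {
        split($4, lc, ":"); split($5, pr, ":")   # IPv4 only (addr:port)
        if (lc[2] in track) count[pr[1]]++
    }
    END { for (ip in count) if (count[ip] > limit + 0) print ip, count[ip] }'
}

sample_conns | over_limit    # prints: 203.0.113.5 120
# On a live server: ss -Htn | over_limit
```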

 

Step 2: Enable distributed attack detection.

LF_DISTATTACK = "1"

Set the following to the minimum number of unique IP addresses that trigger LF_DISTATTACK.

LF_DISTATTACK_UNIQ = "2"

Step 3: Enable distributed FTP attack detection.

LF_DISTFTP = "1"

Set the following to the minimum number of unique IP addresses that trigger LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work.

LF_DISTFTP_UNIQ = "3"

If this option is set to 1 the blocks will be permanent. If it is > 1, the blocks will be temporary for the specified number of seconds.

LF_DISTFTP_PERM = "1"

Step 4: Enable distributed SMTP attack detection.

LF_DISTSMTP = "1"

Set the following to the minimum number of unique IP addresses that trigger LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work.

LF_DISTSMTP_UNIQ = "4"

If this option is set to 1 the blocks will be permanent. If it is > 1, the blocks will be temporary for the specified number of seconds.

LF_DISTSMTP_PERM = "1"

This is the interval, in seconds, during which a distributed FTP or SMTP attack is measured.

LF_DIST_INTERVAL = "300"
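Because the rule quoted with each trigger says the UNIQ value must be <= the trigger value, it is worth checking the settings above before relying on them. The added script below (my own, not the article's and not CSF's code) reads a csf.conf fragment constructed from the article's values and reports, per trigger, whether it can fire and what the *_PERM value means; with LF_DISTFTP = 1 but LF_DISTFTP_UNIQ = 3 (and the same pattern for SMTP) it reports that neither trigger can ever fire, so the trigger values need raising to at least their UNIQ values. The csf_get and dist_check names are mine.

```shell
#!/bin/sh
# Added example (not from the article, not CSF's code): sanity-check the
# LF_DISTFTP / LF_DISTSMTP settings against the rule UNIQ <= trigger and
# spell out the block policy. Fragment is constructed from the article.
CSF_CONF='LF_DISTFTP = "1"
LF_DISTFTP_UNIQ = "3"
LF_DISTFTP_PERM = "1"
LF_DISTSMTP = "1"
LF_DISTSMTP_UNIQ = "4"
LF_DISTSMTP_PERM = "1"
LF_DIST_INTERVAL = "300"'

# Read one double-quoted setting from the csf.conf fragment.
csf_get() {
    printf '%s\n' "$CSF_CONF" |
        sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# dist_check FTP|SMTP: prints one line saying whether the trigger can fire.
dist_check() {
    base="LF_DIST$1"
    trig=$(csf_get "$base")
    uniq=$(csf_get "${base}_UNIQ")
    perm=$(csf_get "${base}_PERM")
    if [ "$trig" -eq 0 ]; then
        echo "$base: disabled"
    elif [ "$uniq" -gt "$trig" ]; then
        echo "$base: never fires, ${base}_UNIQ=$uniq > $base=$trig"
    else
        # *_PERM of 1 means a permanent block; anything larger is seconds.
        if [ "$perm" -eq 1 ]; then policy="permanent block"; else policy="temporary block for ${perm}s"; fi
        echo "$base: fires on $uniq+ IPs within $(csf_get LF_DIST_INTERVAL)s, $policy"
    fi
}

dist_check FTP     # prints: LF_DISTFTP: never fires, LF_DISTFTP_UNIQ=3 > LF_DISTFTP=1
dist_check SMTP    # prints: LF_DISTSMTP: never fires, LF_DISTSMTP_UNIQ=4 > LF_DISTSMTP=1
```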