Setup Nginx as reverse proxy for Apache with Virtualmin support
\nWe know that Nginx is more faster than Apache and most of us prefer to replace Apache with Nginx as their web server.
\nNginx is known to serve faster static content and run with less RAM. As of this writing, Virtualmin supports Apache as its web server.<\/p>\n
To take advantage of Nginx, we will install it as reverse proxy for Apache and continue using Virtualmin to manage your domains. Nginx configurations for virtual host are tailored for Drupal site and microcache is used here.<\/p>\n
The following procedures are tested on my Linode server running Centos 7 64-bit Linux distribution.<\/p>\n
Install Nginx<\/p>\n
If you need to install Nginx with Pagespeed module please follow the steps here instead and jump to configure Nginx section.
\nIn able to install the latest Nginx server we will need to register Nginx repository:<\/p>\n
vi \/etc\/yum.repos.d\/nginx.repo<\/p>\n
Have the following codes as its content:<\/p>\n
name=nginx repo
\nbaseurl=http:\/\/nginx.org\/packages\/mainline\/centos\/$releasever\/$basearch\/
\ngpgcheck=0
\npriority=1
\nenabled=0<\/p>\n
Note: if just in case the nginx does not install try to hard code the $releasever with value of 7
\nInstall Nginx using yum:<\/p>\n
yum –enablerepo=nginx -y install nginx<\/p>\n
Make Nginx auto-start upon reboot:<\/p>\n
chkconfig nginx on<\/p>\n
Configure Nginx<\/p>\n
Edit the main Nginx file “\/etc\/nginx\/nginx.conf” to match the following:<\/p>\n
user nginx;
\n# This number should be, at maximum, the number of CPU cores on your system.
\n# (since nginx doesn’t benefit from more than one worker per CPU.)
\nworker_processes auto;
\nerror_log \/var\/log\/nginx\/error.log error;
\npid \/var\/run\/nginx.pid;
\n# Number of file descriptors used for Nginx. This is set in the OS with ‘ulimit -n 200000’
\n# or using \/etc\/security\/limits.conf
\nworker_rlimit_nofile 200000;
\nevents {
\n# Determines how many clients will be served by each worker process.
\n# (Max clients = worker_connections * worker_processes)
\nworker_connections 1024;
\n# Accept as many connections as possible,
\n# after nginx gets notification about a new connection.
\n# May flood worker_connections, if that option is set too low.
\nmulti_accept on;
\n}
\nhttp {
\ninclude \/etc\/nginx\/mime.types;
\ndefault_type application\/octet-stream;
\nlog_format main ‘$remote_addr – $remote_user [$time_local] “$request” ‘
\n‘$status $body_bytes_sent “$http_referer” ‘
\n‘”$http_user_agent” “$http_x_forwarded_for”‘;
\n## Use sendfile() syscall to speed up I\/O operations and speed up
\n## static file serving.
\n# Sendfile copies data between one FD and other from within the kernel.
\n# More efficient than read() + write(), since the requires transferring
\n# data to and from the user space.
\nsendfile on;
\n## Handling of IPs in proxied and load balancing situations.
\nset_real_ip_from 0.0.0.0\/32; # all addresses get a real IP.
\nreal_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer\/proxy
\n## If you are using CloudFlare, uncomment the lines below
\n## CloudFlare IPs https:\/\/www.cloudflare.com\/ips
\n#set_real_ip_from 199.27.128.0\/21;
\n#set_real_ip_from 173.245.48.0\/20;
\n#set_real_ip_from 103.21.244.0\/22;
\n#set_real_ip_from 103.22.200.0\/22;
\n#set_real_ip_from 103.31.4.0\/22;
\n#set_real_ip_from 141.101.64.0\/18;
\n#set_real_ip_from 108.162.192.0\/18;
\n#set_real_ip_from 190.93.240.0\/20;
\n#set_real_ip_from 188.114.96.0\/20;
\n#set_real_ip_from 197.234.240.0\/22;
\n#set_real_ip_from 198.41.128.0\/17;
\n#set_real_ip_from 162.158.0.0\/15;
\n#set_real_ip_from 104.16.0.0\/12;
\n#set_real_ip_from 172.64.0.0\/13;
\n#set_real_ip_from 2400:cb00::\/32;
\n#set_real_ip_from 2606:4700::\/32;
\n#set_real_ip_from 2803:f800::\/32;
\n#set_real_ip_from 2405:b500::\/32;
\n#set_real_ip_from 2405:8100::\/32;
\n#real_ip_header CF-Connecting-IP;
\n## Timeouts.
\nclient_body_timeout 60;
\nclient_header_timeout 60;
\n# Timeout for keep-alive connections. Server will close connections after this time.
\nkeepalive_timeout 10 10;
\nsend_timeout 60;
\n## Reset lingering timed out connections. Deflect DDoS.
\nreset_timedout_connection on;
\n## Body size.
\nclient_max_body_size 10m;
\n## TCP options.
\n# don’t buffer data-sends (disable Nagle algorithm).
\n# Good for sending frequent small bursts of data in real time.
\ntcp_nodelay on;
\n## Optimization of socket handling when using sendfile.
\n# Tcp_nopush causes nginx to attempt to send its HTTP response head in one packet,
\n# instead of using partial frames. This is useful for prepending headers
\n# before calling sendfile, or for throughput optimization.
\ntcp_nopush on;
\n## Compression.
\n# Reduces the amount of data that needs to be transferred over the network
\ngzip on;
\ngzip_buffers 16 8k;
\ngzip_comp_level 1;
\ngzip_http_version 1.1;
\ngzip_min_length 10;
\ngzip_types text\/plain text\/css application\/json application\/javascript text\/xml application\/xml application\/xml+rss text\/javascript image\/x-icon application\/vnd.ms-fontobject font\/opentype application\/x-javascript application\/x-font-ttf text\/x-js;
\ngzip_vary on;
\ngzip_proxied any; # Compression for all requests.
\ngzip_disable “MSIE [1-6]\\.(?!.*SV1)”;
\n## Hide the Nginx version number.
\nserver_tokens off;
\n## Use a SSL\/TLS cache for SSL session resume. This needs to be
\n## here (in this context, for session resumption to work. See this
\n## thread on the Nginx mailing list:
\n## http:\/\/nginx.org\/pipermail\/nginx\/2010-November\/023736.html.
\nssl_session_cache shared:SSL:30m;
\nssl_session_timeout 1d;
\n## The server dictates the choice of cipher suites.
\nssl_prefer_server_ciphers on;
\n## No SSL2 support.
\n## No SSLv3 support (SSLv3 POODLE Vulnerability)
\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;
\n## Pregenerated Diffie-Hellman parameters.
\nssl_dhparam \/etc\/nginx\/dh_param.pem;
\n## Curve to use for ECDH.
\nssl_ecdh_curve secp521r1;
\n## Enable OCSP stapling. A better way to revocate server certificates.
\nssl_stapling on;
\n## Enable verification of OCSP stapling responses by the server.
\nssl_stapling_verify on;
\n## Use Google’s DNS
\nresolver 8.8.4.4 8.8.8.8;
\n## Enable the builtin cross-site scripting (XSS) filter available
\n## in modern browsers. Usually enabled by default we just
\n## reinstate in case it has been somehow disabled for this
\n## particular server instance.
\n## https:\/\/www.owasp.org\/index.php\/List_of_useful_HTTP_headers.
\nadd_header X-XSS-Protection ‘1; mode=block’;
\n## Enable this if using HTTPS
\n#add_header Strict-Transport-Security “max-age=7200″;
\n## Block MIME type sniffing on IE.
\nadd_header X-Content-Options nosniff;
\n## Add a cache miss\/hit status header
\nadd_header X-Micro-Cache $upstream_cache_status;
\n## Block HTTP methods.
\nmap $request_method $not_allowed_method {
\ndefault 1;
\nGET 0;
\nHEAD 0;
\nPOST 0;
\n}
\n## Add as many servers as needed.
\n## Cf. http:\/\/wiki.nginx.org\/HttpUpstreamModule.
\n## Note that this configuration assumes by default that keepalive
\n## upstream connections are supported and that you have a Nginx
\n## version with the fair load balancer.
\nupstream phpapache {
\n## Use the least connection algorithm for load balancing
\nleast_conn;
\nserver 127.0.0.1:8000;
\nkeepalive 5;
\n}
\n## Configuration for reverse proxy. Passing the necessary headers to
\n## the backend. Nginx doesn’t tunnel the connection, it opens a new
\n## one. Hence whe need to send these headers to the backend so that
\n## the client(s) IP is available to them. The host is also sent.
\nproxy_set_header X-Real-IP $remote_addr;
\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
\nproxy_set_header Host $http_host;
\n## Hide the Drupal headers
\nproxy_hide_header ‘X-Drupal-Cache’;
\nproxy_hide_header ‘X-Generator’;
\n## Include blacklist for bad bot and referer blocking.
\ninclude blacklist.conf;
\n## Include the caching setup. Needed for using Drupal with an external cache.
\ninclude apps\/drupal\/drupal_map.conf;
\n## Defining the proxy cache zone for the microcache as presented at:
\n## http:\/\/fennb.com\/microcaching-speed-your-app-up-250x-with-no-n.
\nproxy_cache_path \/var\/cache\/nginx\/microcache levels=1:2 keys_zone=microcache:5M max_size=1G loader_threshold=2592000000 loader_sleep=1 loader_files=100000;
\n## To build optimal server_names_hash
\nserver_names_hash_bucket_size 72;
\n## Include all vhosts.
\ninclude \/etc\/nginx\/sites-enabled\/*;
\n}<\/p>\n
Create the file \/etc\/nginx\/dh_param.pem and add the following to it:<\/p>\n
—–BEGIN DH PARAMETERS—–
\nMIIBCAKCAQEAkD39jm2I+Sr1j1+YPB5TbgUvIWUv3Gzj1s1rtpuZJUhCQ8MElafR
\nXrjrNXtgN8yjX6J5+Nuj0G9SytrvtKU9T3pLDVjZiV2l0m+\/pvzaW3qCSlegpA\/S
\nbkIQPg4n7CP\/dhs7JcQD0Ny6TX9iYioDz5\/kGfrBHTfAW8A6gPinAiC\/+8Osz6mP
\nUghuQPkFVxJmleIdGU7ll3tAKARJpe8HyHNMNoRGbWTCH1mc8Z\/la0E7xjs5R2mh
\nrYxofg\/TMFJyvnnjtTLRQ9edvdA+K9JNsF23t8qvY78ppHNEP7u1PA7ORtePagJk
\nvcSF5yMYeDzUQLWpOuK5B0yHtltZzANH6wIBAg==
\n—–END DH PARAMETERS—–<\/p>\n
Create the file \/etc\/nginx\/blacklist.conf and add the following to it:<\/p>\n
## Add here all user agents that are to be blocked.
\nmap $http_user_agent $bad_bot {
\ndefault 0;
\n~*^Lynx 0; # Let Lynx go through
\nlibwww-perl 1;
\n~(?i)(httrack|htmlparser|libwww) 1;
\n}
\n## Add here all referrers that are to blocked.
\nmap $http_referer $bad_referer {
\ndefault 0;
\n~(?i)(adult|babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|webcam|zippo|casino|replica) 1;
\n}
\n## Add here all hosts that should be spared any referrer checking.
\ngeo $bad_referer {
\n127.0.0.1 0;
\n192.168.1.0\/24 0;
\n}<\/p>\n
Create the file \/etc\/nginx\/drupal_map.conf and add the following to it:<\/p>\n
## Let Ajax calls go through
\nmap $uri $no_cache_ajax {
\ndefault 0;
\n\/system\/ajax 1;
\n}
\n## Check session cookie being present
\nmap $http_cookie $no_cache_cookie {
\ndefault 0;
\n~SESS 1; # PHP session cookie
\n}
\n## Combine both results to get the cache bypassing mapping
\nmap $no_cache_ajax$no_cache_cookie $no_cache {
\ndefault 1;
\n00 0;
\n}
\n## Cache bypassing mapping (auth).
\nmap $no_cache_ajax $no_auth_cache {
\ndefault 0;
\n1 1;
\n}
\n## Set a cache_uid variable for authenticated users.
\nmap $http_cookie $cache_uid {
\ndefault nil;
\n~SESS[[:alnum:]]+=(?[[:graph:]]+) $session_id;
\n}<\/p>\n
Create the file \/etc\/nginx\/drupal.conf and add the following to it:<\/p>\n
location \/ {
\n## Let Drupal handle 404
\nerror_page 404 \/index.php;
\n## Regular private file serving (i.e. handled by Drupal).
\nlocation ^~ \/system\/files\/ {
\nproxy_pass http:\/\/phpapache;
\nproxy_http_version 1.1; # keep alive to the Apache upstream
\nproxy_set_header Connection ”;
\n## Rewrite the ‘Host’ header to the value in the client request,
\n## or primary server name
\nproxy_set_header Host $host;
\n## For not signaling a 404 in the error log whenever the
\n## system\/files directory is accessed add the line below.
\n## Note that the 404 is the intended behavior.
\nlog_not_found off;
\n}
\n## Trying to access private files directly returns a 404.
\nlocation ^~ \/sites\/[\\.\\-[:alnum:]]+\/files\/private\/ {
\ninternal;
\n}
\n## Support for the file_force module
\n## http:\/\/drupal.org\/project\/file_force.
\nlocation ^~ \/system\/files_force\/ {
\nproxy_pass http:\/\/phpapache;
\nproxy_http_version 1.1; # keep alive to the Apache upstream
\nproxy_set_header Connection ”;
\n## Rewrite the ‘Host’ header to the value in the client request,
\n## or primary server name
\nproxy_set_header Host $host;
\n## For not signaling a 404 in the error log whenever the
\n## system\/files directory is accessed add the line below.
\n## Note that the 404 is the intended behavior.
\nlog_not_found off;
\n}
\n## If accessing an image generated by Drupal imagecache, serve it
\n## directly if available, if not relay the request to Drupal to (re)generate
\n## the image.
\nlocation ~* \/imagecache\/ {
\n## Image hotlinking protection. If you want hotlinking
\n## protection for your images uncomment the following line.
\ninclude hotlinking_protection.conf;
\naccess_log off;
\nexpires 30d;
\ntry_files $uri $uri\/ @drupal-noexp;
\n}
\n## Drupal generated image handling, i.e., imagecache in core. See:
\n## http:\/\/drupal.org\/node\/371374.
\nlocation ~* \/files\/styles\/ {
\n## Image hotlinking protection. If you want hotlinking
\n## protection for your images uncomment the following line.
\ninclude hotlinking_protection.conf;
\naccess_log off;
\nexpires 30d;
\ntry_files $uri $uri\/ @drupal-noexp;
\n}
\n## Advanced Aggregation module CSS\/JS
\n## support. http:\/\/drupal.org\/project\/advagg.
\nlocation ~ ^\/sites\/[\\.\\-[:alnum:]]+\/files\/advagg_(?:css|js)\/ {
\nexpires max;
\ngzip_static on;
\nadd_header ETag ”;
\nadd_header Accept-Ranges ”;
\n# Set a far future Cache-Control header to 52 weeks.
\nadd_header Cache-Control ‘max-age=31449600, no-transform, public’;
\nlocation ~* (?:css|js)[_\\-[:alnum:]]+\\.(?:css|js)(\\.gz)?$ {
\naccess_log off;
\ntry_files $uri $uri\/ @drupal-noexp;
\n}
\n}
\n## All static files will be served directly.
\nlocation ~* ^.+\\.(?:css|cur|js|jpe?g|gif|htc|ico|png|htm|html|xml|txt|otf|ttf|eot|woff|svg|webp|webm|zip|gz|tar|rar)$ {
\naccess_log off;
\nexpires 30d;
\n## No need to bleed constant updates. Send the all shebang in one
\n## fell swoop.
\ntcp_nodelay off;
\n## Set the OS file cache.
\nopen_file_cache max=3000 inactive=120s;
\nopen_file_cache_valid 45s;
\nopen_file_cache_min_uses 2;
\nopen_file_cache_errors off;
\ntry_files $uri $uri\/ @drupal-noexp;
\n}
\n## PDFs and powerpoint files handling.
\nlocation ~* ^.+\\.(?:pdf|pptx?)$ {
\naccess_log off;
\nexpires 30d;
\n## No need to bleed constant updates. Send the all shebang in one
\n## fell swoop.
\ntcp_nodelay off;
\ntry_files $uri $uri\/ @drupal-noexp;
\n}
\n## MP3 and Ogg\/Vorbis files are served using AIO when supported. Your OS must support it.
\nlocation ~ ^\/sites\/[\\.\\-[:alnum:]]+\/files\/audio\/mp3 {
\nlocation ~* .*\\.mp3$ {
\naccess_log off;
\ndirectio 4k; # for XFS
\n## If you’re using ext3 or similar uncomment the line below and comment the above.
\n#directio 512; # for ext3 or similar (block alignments)
\ntcp_nopush off;
\naio on;
\noutput_buffers 1 2M;
\ntry_files $uri $uri\/ @drupal;
\n}
\n}
\nlocation ~ ^\/sites\/[\\.\\-[:alnum:]]+\/files\/audio\/ogg {
\nlocation ~* .*\\.ogg$ {
\naccess_log off;
\ndirectio 4k; # for XFS
\n## If you’re using ext3 or similar uncomment the line below and comment the above.
\n#directio 512; # for ext3 or similar (block alignments)
\ntcp_nopush off;
\naio on;
\noutput_buffers 1 2M;
\ntry_files $uri $uri\/ @drupal;
\n}
\n}
\n## Pseudo streaming of FLV files:
\n## http:\/\/wiki.nginx.org\/HttpFlvStreamModule.
\n## If pseudo streaming isn’t working, try to comment
\n## out in nginx.conf line with:
\n## add_header X-Frame-Options SAMEORIGIN;
\nlocation ~ ^\/sites\/[\\.\\-[:alnum:]]+\/files\/video\/flv {
\nlocation ~* .*\\.flv$ {
\naccess_log off;
\nflv;
\ntry_files $uri $uri\/ @drupal;
\n}
\n}
\n## Pseudo streaming of H264\/AAC files. This requires an Nginx
\n## version greater or equal to 1.0.7 for the stable branch and
\n## greater or equal to 1.1.3 for the development branch.
\n## Cf. http:\/\/nginx.org\/en\/docs\/http\/ngx_http_mp4_module.html.
\nlocation ~ ^\/sites\/[\\.\\-[:alnum:]]+\/files\/video\/mp4 { # videos
\nlocation ~* .*\\.(?:mp4|mov)$ {
\naccess_log off;
\nmp4;
\nmp4_buffer_size 1M;
\nmp4_max_buffer_size 5M;
\ntry_files $uri $uri\/ @drupal;
\n}
\n}
\nlocation ~ ^\/sites\/[\\.\\-[:alnum:]]+\/files\/audio\/m4a { # audios
\nlocation ~* .*\\.m4a$ {
\naccess_log off;
\nmp4;
\nmp4_buffer_size 1M;
\nmp4_max_buffer_size 5M;
\ntry_files $uri $uri\/ @drupal;
\n}
\n}
\n## Advanced Help module makes each module provided README available.
\nlocation ^~ \/help\/ {
\nlocation ~* ^\/help\/[^\/]*\/README\\.txt$ {
\naccess_log off;
\nproxy_pass http:\/\/phpapache;
\nproxy_http_version 1.1; # keep alive to the Apache upstream
\nproxy_set_header Connection ”;
\n## Rewrite the ‘Host’ header to the value in the client request,
\n## or primary server name
\nproxy_set_header Host $host;
\n}
\n}
\n## Replicate the Apache\u00a0 directive of Drupal standard
\n## .htaccess. Disable access to any code files. Return a 404 to curtail
\n## information disclosure. Hide also the text files.
\nlocation ~* ^(?:.+\\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|pot|sh|.*sql|test|theme|tpl(?:\\.php)?|xtmpl)|code-style\\.pl|\/Entries.*|\/Repository|\/Root|\/Tag|\/Template)$ {
\nreturn 404;
\n}
\n## First we try the URI and relay to the upstream server if not found.
\ntry_files $uri $uri\/ @drupal;
\n}
\n## Restrict access to the strictly necessary PHP files. Reducing the
\n## scope for exploits. Handling of PHP code and the Drupal event loop.
\nlocation @drupal {
\nproxy_pass http:\/\/phpapache;
\nproxy_http_version 1.1; # keep alive to the Apache upstream
\nproxy_set_header Connection ”;
\n## Rewrite the ‘Host’ header to the value in the client request,
\n## or primary server name
\nproxy_set_header Host $host;
\n## Proxy microcache
\ninclude microcache_proxy.conf;
\n## The Cache-Control and Expires headers should be delivered untouched
\n## from the upstream to the client.
\nproxy_ignore_headers Cache-Control Expires;
\n## To avoid any interaction with the cache control headers we expire
\n## everything on this location immediately.
\nexpires epoch;
\n}
\n## Restrict access to the strictly necessary PHP files. Reducing the
\n## scope for exploits. Handling of PHP code and the Drupal event loop.
\nlocation @drupal-noexp {
\nproxy_pass http:\/\/phpapache;
\nproxy_http_version 1.1; # keep alive to the Apache upstream
\nproxy_set_header Connection ”;
\n## Rewrite the ‘Host’ header to the value in the client request,
\n## or primary server name
\nproxy_set_header Host $host;
\n## Proxy microcache.
\ninclude microcache_proxy.conf;
\n}
\n## Disallow access to .bzr, .git, .hg, .svn, .cvs directories
\n## Return 404 as not to disclose information.
\nlocation ^~ \/.bzr {
\nreturn 404;
\n}
\nlocation ^~ \/.git {
\nreturn 404;
\n}
\nlocation ^~ \/.hg {
\nreturn 404;
\n}
\nlocation ^~ \/.svn {
\nreturn 404;
\n}
\nlocation ^~ \/.cvs {
\nreturn 404;
\n}
\n## Disallow access to patches directory.
\nlocation ^~ \/patches {
\nreturn 404;
\n}
\n## Disallow access to drush backup directory.
\nlocation ^~ \/backup {
\nreturn 404;
\n}
\n## Disable access logs for robots.txt.
\nlocation = \/robots.txt {
\naccess_log off;
\n## Add support for the robotstxt module
\n## http:\/\/drupal.org\/project\/robotstxt.
\ntry_files $uri $uri\/ @drupal;
\n}
\n## RSS feed support.
\nlocation = \/rss.xml {
\ntry_files $uri $uri\/ @drupal;
\n}
\n## XML Sitemap support.
\nlocation = \/sitemap.xml {
\ntry_files $uri $uri\/ @drupal;
\n}
\n## Support for favicon.
\n## Return an 1×1 transparent GIF if it doesn’t exist.
\nlocation = \/favicon.ico {
\nexpires 30d;
\ntry_files \/favicon.ico @empty;
\n}
\n## Return an in memory 1×1 transparent GIF.
\nlocation @empty {
\nexpires 30d;
\nempty_gif;
\n}
\n## Any other attempt to access PHP files returns a 404.
\nlocation ~* ^.+\\.php$ {
\nreturn 404;
\n}<\/p>\n
Create the file \/etc\/nginx\/microcache_proxy.conf and add the following to it:<\/p>\n
## The cache zone referenced.
\nproxy_cache microcache;
\n## The cache key.
\nproxy_cache_key $cache_uid@$scheme$host$request_uri;
\n## For 200 and 301 make the cache valid for 5 seconds.
\nproxy_cache_valid 200 301 5s;
\n## For 302 make it valid for 1 minute.
\nproxy_cache_valid 302 1m;
\n## For 404 make it valid 1 second.
\nproxy_cache_valid 404 1s;
\n## If there are any upstream errors or the item has expired use
\n## whatever it is available.
\nproxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504 off;
\nproxy_pass_header Set-Cookie;
\nproxy_pass_header Cookie;
\n## Bypass the cache.
\nproxy_cache_bypass $no_auth_cache;
\nproxy_no_cache $no_auth_cache;
\n## Add a cache miss\/hit status header.
\nadd_header X-Micro-Cache $upstream_cache_status;
\n## Block MIME type sniffing on IE.
\nadd_header X-Content-Options nosniff;
\n## Cache locking mechanism for protecting the backendof too many
\n## simultaneous requests.
\nproxy_cache_lock on;<\/p>\n
Create the file \/etc\/nginx\/hotlinking_protection.conf and add the following to it:<\/p>\n
## Hotlinking protection for images. Include it in any context you
\n## want. Adjust the list of allowed referers to your liking.
\nvalid_referers none blocked
\nwww.yahoo.com
\nwww.google.com.ph
\nwww.google.com;
\nif ($invalid_referer) {
\nreturn 200 “No hotlinking allowed\\n”;
\n}<\/p>\n
Create the folders \/etc\/nginx\/sites-available and \/etc\/nginx\/sites-enabled:<\/p>\n
mkdir \/etc\/nginx\/sites-available \/etc\/nginx\/sites-enabled
\nchown nginx. \/etc\/nginx\/sites-available \/etc\/nginx\/sites-enabled<\/p>\n
In \/etc\/nginx\/sites-available contains the physical file Nginx configurations for your virtual hosts and to enable a virtual host Nginx configuration just create a soft link if this configuration file from \/etc\/nginx\/sites-available to \/etc\/nginx\/sites-enabled. This is easy and good approach to disable and enable a virtual host.
\nRestart Nginx:<\/p>\n
systemctl restart nginx.service<\/p>\n
Setup Nginx requirements<\/p>\n
In this tutorial the Apache will use port 8000 and lets open this port to become accessible:<\/p>\n
iptables -I INPUT -p tcp -m tcp –dport 8000 -j ACCEPT
\niptables –line -vnL
\nservice iptables save
\nservice iptables restart<\/p>\n
Create the Nginx cache path folder:<\/p>\n
mkdir \/var\/cache\/nginx\/microcache
\nchown nginx:root \/var\/cache\/nginx\/microcache
\nchmod 700 \/var\/cache\/nginx\/microcache<\/p>\n
Create Nginx logrotate script:<\/p>\n
vi \/etc\/logrotate.d\/websites_nginx_logs.conf<\/p>\n
Content:<\/p>\n
\/var\/log\/virtualmin\/*nginx_access_log \/var\/log\/virtualmin\/*nginx_error_log {
\nrotate 10
\nmissingok
\ndaily
\ncompress
\npostrotate
\nservice httpd graceful ; sleep 5
\nendscript
\nsharedscripts
\n}<\/p>\n
Configure Apache<\/p>\n
Since Nginx is reverse proxy to Apache, the IP address that Apache will get is the IP of the server and we need to correct that. Apache 2.4 and above do have mod_remoteip and we will use that module. Open mod_remoteip’s configuration file:<\/p>\n
vi \/etc\/httpd\/conf.d\/remoteip.conf<\/p>\n
Add the following codes:<\/p>\n
# mod_remoteip settings
\nRemoteIPHeader X-Real-IP
\nRemoteIPInternalProxy 127.0.0.1
\nRemoteIPInternalProxy 188.8.8.8<\/p>\n
Note: change 188.8.8.8 to your server’s IP address.
\nChange the port of Apache:<\/p>\n
vi \/etc\/httpd\/conf\/httpd.conf<\/p>\n
Look for:<\/p>\n
Listen 80<\/p>\n
… and change to:<\/p>\n
Listen 8000<\/p>\n
Restart Apache:<\/p>\n
systemctl restart httpd.service<\/p>\n
Configure Virtualmin<\/p>\n
Set the virtual server template to listen to 8000. Login to Virtualmin, go to “System Settings” -> “Server Templates” -> “Default Settings” and select from the dropdown “Apache Website”. Change the “Port number for virtual hosts” from 80 to 8000. Restart webmin:<\/p>\n
systemctl restart webmin.service<\/p>\n
Lets build the necessary scripts that will automate the creation of Nginx virtual host file each time Virtualmin created a new server. First the Nginx virtual host template:<\/p>\n
vi \/etc\/nginx\/sites-available\/template.conf<\/p>\n
The content:<\/p>\n
## Configuration for {DOM}.
\nserver {
\n## Replace XXX.XXX.XXX.XXX with your server’s IPv4 address
\nlisten XXX.XXX.XXX.XXX:80;
\n## Replace XXXX:XXXX::XXXX:XXXX:XXXX:XXXX with your server’s IPv6 address
\nlisten [XXXX:XXXX::XXXX:XXXX:XXXX:XXXX]:80;
\nserver_name {DOM};
\n## Redirect permanently to domain with www
\nreturn 301 $scheme:\/\/www.{DOM}$request_uri;
\n}
\nserver {
\n## Replace XXX.XXX.XXX.XXX with your server’s IPv4 address
\nlisten XXX.XXX.XXX.XXX:80;
\n## Replace XXXX:XXXX::XXXX:XXXX:XXXX:XXXX with your server’s IPv6 address
\nlisten [XXXX:XXXX::XXXX:XXXX:XXXX:XXXX]:80;
\nserver_name www.{DOM};
\n## Access and error logs.
\naccess_log \/var\/log\/virtualmin\/{DOM}_nginx_access_log;
\nerror_log \/var\/log\/virtualmin\/{DOM}_nginx_error_log error;
\n## Root of the site and index.
\nroot {HOME}\/public_html;
\nindex index.php;
\n## Deny access based on the User-Agent header.
\nif ($bad_bot) {
\nreturn 444;
\n}
\n## Deny access based on the Referer header.
\nif ($bad_referer) {
\nreturn 444;
\n}
\n## Protection against illegal HTTP methods. Only HEAD,
\n## GET and POST are allowed.
\nif ($not_allowed_method) {
\nreturn 405;
\n}
\n## Configuration for Drupal site
\ninclude drupal.conf;
\n}<\/p>\n
vi \/usr\/local\/bin\/virtualmin.sh<\/p>\n
#!\/bin\/sh
\nNGINX_CONF_FILE=”\/etc\/nginx\/sites-available\/${VIRTUALSERVER_DOM}.conf ”<\/p>\n
if [ “$VIRTUALSERVER_ACTION” = “CREATE_DOMAIN” ]; then
\nif [ “${VIRTUALSERVER_WEB}” = “1” ];
\nthen
\ncp \/etc\/nginx\/sites-available\/template.conf $NGINX_CONF_FILE
\nperl -pi -e “s#{DOM}#$VIRTUALSERVER_DOM#g” $NGINX_CONF_FILE
\nperl -pi -e “s#{SITE_IP}#$VIRTUALSERVER_IP#g” $NGINX_CONF_FILE
\nperl -pi -e “s#{HOME}#$VIRTUALSERVER_HOME#g” $NGINX_CONF_FILE
\nln -s $NGINX_CONF_FILE \/etc\/nginx\/sites-enabled\/${VIRTUALSERVER_DOM}.conf
\nnginx -s reload
\nfi
\nelif [ “$VIRTUALSERVER_ACTION” = “DELETE_DOMAIN” ]; then
\nif [ “${VIRTUALSERVER_WEB}” = “1” ];
\nthen
\nrm \/etc\/nginx\/sites-enabled\/${VIRTUALSERVER_DOM}.conf
\nrm \/etc\/nginx\/sites-available\/${VIRTUALSERVER_DOM}.conf
\nrm \/var\/log\/virtualmin\/${VIRTUALSERVER_DOM}_nginx_*
\nnginx -s reload
\nfi
\nelif [ “$VIRTUALSERVER_ACTION” = “MODIFY_DOMAIN” ]; then
\nif [ “${VIRTUALSERVER_WEB}” = “1” ];
\nthen
\nif [ ! -f $NGINX_CONF_FILE ]; then
\ncp \/etc\/nginx\/sites-available\/template.conf $NGINX_CONF_FILE
\nperl -pi -e “s#{DOM}#$VIRTUALSERVER_DOM#g” $NGINX_CONF_FILE
\nperl -pi -e “s#{SITE_IP}#$VIRTUALSERVER_IP#g” $NGINX_CONF_FILE
\nperl -pi -e “s#{HOME}#$VIRTUALSERVER_HOME#g” $NGINX_CONF_FILE
\nln -s $NGINX_CONF_FILE \/etc\/nginx\/sites-enabled\/${VIRTUALSERVER_DOM}.conf
\nfi
\nfi
\nif [ “$VIRTUALSERVER_DOM” != “$VIRTUALSERVER_OLDSERVER_DOM” ]; then
\nif [ “${VIRTUALSERVER_WEB}” = “1” ];
\nthen
\nOLD_NGINX_CONF_FILE=\/etc\/nginx\/sites-available\/${VIRTUALSERVER_OLDSERVER_DOM}.conf
\nmv $OLD_NGINX_CONF_FILE $NGINX_CONF_FILE
\nrm \/etc\/nginx\/sites-enabled\/${VIRTUALSERVER_OLDSERVER_DOM}.conf
\nperl -pi -e “s#$VIRTUALSERVER_OLDSERVER_DOM#$VIRTUALSERVER_DOM#g” $NGINX_CONF_FILE
\nperl -pi -e “s#$VIRTUALSERVER_OLDSERVER_IP#$VIRTUALSERVER_IP#g” $NGINX_CONF_FILE
\nperl -pi -e “s#$VIRTUALSERVER_OLDSERVER_HOME#$VIRTUALSERVER_HOME#g” $NGINX_CONF_FILE
\nln -s \/etc\/nginx\/sites-available\/${VIRTUALSERVER_DOM}.conf \/etc\/nginx\/sites-enabled\/${VIRTUALSERVER_DOM}.conf
\nfi
\nfi
\nif [ “${VIRTUALSERVER_WEB}” = “1” ];
\nthen
\nnginx -s reload
\nfi
\nfi<\/p>\n
Make the script executable:<\/p>\n
chmod u+x \/usr\/local\/bin\/virtualmin.sh<\/p>\n
Let Virtualmin know about the virtualmin.sh. Login to Virtualmin, go to “System Settings” -> “Virtualmin Configuration” and select from dropdown “Actions upon server and user creation”. Populate the “Command to run after making changes to a server” field with:<\/p>\n
\/usr\/local\/bin\/virtualmin.sh<\/p>\n","protected":false},"excerpt":{"rendered":"
Setup Nginx as reverse proxy for Apache with Virtualmin support We know that Nginx is more faster than Apache and most of us prefer to replace Apache with Nginx as their web server. Nginx is known to serve faster static content and run with less RAM. As of this writing, Virtualmin supports Apache as its […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5953"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5953"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5953\/revisions"}],"predecessor-version":[{"id":5954,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5953\/revisions\/5954"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5953"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5953"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5953"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}