Nginx
Berkutman, 2019-09-14 19:13:51

How to configure nginx as a front end for apache2 (Drupal 8, Moodle) correctly?

There is a web server on Debian 10, PHP version 7.3.4-2, DBMS 5.5.5-10.3.17-MariaDB-0+deb10u1, Apache/2.4.38 (Debian), nginx 1.14.2 and the mod_rpaf 0.8.4 module for forwarding the client address to the back end.
At the moment two websites are going to run on this server, one based on Drupal 8, the other on Moodle 3.7.2:
D8 - example.com
Moodle 3.7.2 - moodle.example.com
After reading, I decided to make nginx a front end for apache2 + mod_rpaf.
The configuration is as follows:
Apache2:

/etc/apache2/apache2.conf
replace
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
with
# %{X-Forwarded-For}i logs the header verbatim, i.e. whatever arrived from the proxy
# (and, if nginx appends rather than overwrites, whatever the client sent). With
# mod_rpaf rewriting the client address, %a (the request's client address) logs
# the substituted address instead.
LogFormat "%v:%p %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

/etc/apache2/ports.conf
Listen 127.0.0.1:81

<VirtualHost 127.0.0.1:81>
  ServerName example.com
  ServerAlias www.example.com
  ServerAdmin [email protected]
  DocumentRoot /var/www/example_com/web
  <Directory /var/www/example_com/web>
    Options FollowSymLinks
    AllowOverride All
  </Directory>
  ErrorLog ${APACHE_LOG_DIR}/example_com_error.log
  CustomLog ${APACHE_LOG_DIR}/example_com_access.log vhost_combined
  ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/var/run/php/php7.3-fpm.sock|fcgi://localhost/var/www/example_com/web"
</VirtualHost>

<VirtualHost 127.0.0.1:81>
  ServerName moodle.example.com
  ServerAdmin [email protected]
  DocumentRoot /var/www/moodle_example_com/web
  <Directory /var/www/moodle_example_com/web>
    Options FollowSymLinks
    AllowOverride All
  </Directory>
  ErrorLog ${APACHE_LOG_DIR}/moodle_example_com_error.log
  CustomLog ${APACHE_LOG_DIR}/moodle_example_com_access.log vhost_combined
  ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/var/run/php/php7.3-fpm.sock|fcgi://localhost/var/www/moodle_example_com/web"
</VirtualHost>

/etc/apache2/mods-available/rpaf.conf
<IfModule rpaf_module>
  RPAF_Enable             On
  RPAF_ProxyIPs           127.0.0.1 ::1
  RPAF_SetHostName        On
  RPAF_SetHTTPS           On
  RPAF_SetPort            On
  RPAF_ForbidIfNotProxy   Off
  RPAF_Header             X-Forwarded-For
</IfModule>

Nginx:
server {
  listen 80;
  listen [::]:80;
  
  server_name example.com www.example.com;

  return 301 https://example.com$request_uri;
}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  root /var/www/example_com/web;
  index index.php index.html index.htm;
  server_name example.com www.example.com;
   
  location / {
    proxy_pass http://127.0.0.1:81;
    # "on" is not a valid value for proxy_redirect (off | default | redirect replacement).
    # Apache already sees the real Host and, via mod_rpaf, the https scheme, so its
    # Location headers need no rewriting here.
    proxy_redirect off;
    # set_real_ip_from / real_ip_recursive (ngx_http_realip_module) belong on a
    # server that sits BEHIND a trusted proxy. This nginx is the edge: trusting
    # 1.2.3.4 here would let that client rewrite $remote_addr through X-Real-IP,
    # so those two directives are dropped.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Overwrite rather than append: with $proxy_add_x_forwarded_for any
    # X-Forwarded-For the client sent is passed on and lands verbatim in the
    # vhost_combined log above; Apache's view of the client address then depends
    # on how mod_rpaf walks that list.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass_header Set-Cookie;
  }

  location ~ /\.ht {
    deny all;
    }

  location ~* \.(ico|docx|doc|xls|xlsx|rar|zip|jpg|jpeg|txt|xml|pdf|gif|png|css|js|html)$ {
    root   /var/www/example_com/web;
  }
  
  ssl_certificate			/etc/nginx/ssl/example_com.crt;
  ssl_certificate_key		/etc/nginx/ssl/example_com.key;
}

server {
  listen 80;
  listen [::]:80;
  server_name moodle.example.com;
  # Same as for example.com: never serve Moodle (and its session cookie) over
  # plain HTTP; send everything to the TLS vhost.
  return 301 https://moodle.example.com$request_uri;
}
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  root /var/www/moodle_example_com/web;
  index index.php;

  server_name moodle.example.com;
  
  location / {
    proxy_pass http://127.0.0.1:81;
    # See the example.com vhost: "on" is not a valid proxy_redirect value, and the
    # realip directives are dropped because this nginx is the edge, not behind a proxy.
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Overwrite the client-supplied header instead of appending to it.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass_header Set-Cookie;
  }

  ssl_certificate			/etc/nginx/ssl/moodle_example_com.crt;
  ssl_certificate_key		/etc/nginx/ssl/moodle_example_com.key;
}

No errors, the websites work.
But there is one problem that I could not figure out how to solve.
The idea is as follows: D8 has the CAS Server plugin, Moodle has the CAS Auth plugin.
2019/09/14 20:33:28 [error] 10802#10802: *105 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 1.2.3.4, server: moodle.example.com, request: "GET /login/index.php?authCASattras=CAS&ticket=ST-qXn8UiwEbFsYpX0nobVmGMS-ZARMGrXcm3Hbo7_uj2s HTTP/2.0", upstream: "http://127.0.0.1:81/login/index.php?authCASattras=CAS&ticket=ST-qXn8UiwEbFsYpX0nobVmGMS-ZARMGrXcm3Hbo7_uj2s", host: "moodle.example.com", referrer: "https://example.com/cas/login?service=https%3A%2F%2Fmoodle.example.com%2Flogin%2Findex.php%3FauthCASattras%3DCAS"

What I did: I created sites on a hosting provider (not my server), calling them d8.example.com (Drupal 8) and md.example.com (Moodle 3.7.2).
It turns out:
On my server the sites are example.com and moodle.example.com
Hosted: d8.example.com and md.example.com
I made d8.example.com the CAS server, and md.example.com, example.com and moodle.example.com CAS clients.
I logged into all three sites with the CAS server user, which is on d8.example.com.
Next, I made example.com the CAS server, and md.example.com, d8.example.com and moodle.example.com the clients.
Authorization passed on both md.example.com and d8.example.com; moodle.example.com got that error.
Where did I screw up the configuration? As I understood from the error, it is trying to send a request from 127.0.0.1:81 to the external address moodle.example.com.
How can this be cured? A redirect?
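An added example for the question above, written in shell; it is not code from the original post nor from nginx, Apache, mod_rpaf, Moodle or Drupal, and the hostnames, ports and log path it uses are assumptions taken from the question's own configuration. It shows two things. Offline: what Apache actually receives in X-Forwarded-For when nginx sends $proxy_add_x_forwarded_for versus $remote_addr, and how the derived client IP differs between a consumer that takes the leftmost entry and one that walks the list from the right skipping trusted proxies (the set RPAF_ProxyIPs describes); since the vhost_combined format above logs the raw header with %{X-Forwarded-For}i, whatever the client put there reaches the access log under the append setting. Live, on the web host: the nginx error means nginx gave up waiting (proxy_read_timeout, 60 s by default) for Apache's response to the request carrying the CAS ticket; Moodle's CAS plugin validates such a ticket with its own HTTPS request back to the CAS server through the public name, so a PHP process hung on that outbound call is a plausible cause (a hypothesis, not a diagnosis), and the script compares the normal DNS path with a forced loopback path to test exactly that. The serviceValidate URL is the standard CAS endpoint, not necessarily the Drupal module's path.

```shell
#!/bin/sh
# Added example for the question above; not code from the original post nor from
# nginx, Apache, mod_rpaf, Moodle or Drupal.  Hypothetical assumptions, taken from
# the question's layout: nginx on :443 proxies moodle.example.com to Apache on
# 127.0.0.1:81, the CAS server is the Drupal site at https://example.com/cas/,
# and Apache logs to /var/log/apache2/moodle_example_com_access.log.

# --- Part 1 (offline): what X-Forwarded-For carries under each nginx setting ---

# The header Apache receives for a client at $remote_addr ($3) that sent its own
# X-Forwarded-For ($2), under "append" ($proxy_add_x_forwarded_for) or
# "overwrite" ($remote_addr).
xff_as_sent_by_nginx() {
    mode=$1; client_hdr=$2; remote=$3
    case $mode in
        append)
            if [ -n "$client_hdr" ]; then printf '%s, %s' "$client_hdr" "$remote"
            else printf '%s' "$remote"; fi ;;
        overwrite)
            printf '%s' "$remote" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# A naive consumer takes the leftmost entry, i.e. whatever the client wrote.
client_ip_leftmost() {
    printf '%s' "$1" | cut -d, -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# A correct consumer walks from the right and takes the first address that is
# not one of its trusted proxies ($2, space-separated, like RPAF_ProxyIPs).
client_ip_rightmost_untrusted() {
    xff=$1; trusted=$2; out=""
    for ip in $(printf '%s\n' "$xff" | tr ',' '\n' \
                | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | sed '1!G;h;$!d'); do
        case " $trusted " in
            *" $ip "*) continue ;;   # trusted hop, keep walking left
            *) out=$ip; break ;;
        esac
    done
    printf '%s' "$out"
}

# --- Part 2 (live; run on the web host as: sh this.sh live) ---
# a) The two curls take the DNS path PHP would take to the CAS server and a
#    forced loopback path.  If only the second answers, the host cannot reach
#    its own public address (NAT hairpin or firewall), which is not an nginx
#    proxy fault.
# b) A spoofed X-Forwarded-For, then the line Apache logged for it: with the
#    vhost_combined format from the question, the raw header is what is logged.
live_checks() {
    # serviceValidate is the standard CAS endpoint; the Drupal module's path may differ.
    cas='https://example.com/cas/serviceValidate?service=https%3A%2F%2Fmoodle.example.com%2Flogin%2Findex.php&ticket=ST-test'
    printf 'CAS via DNS:      '; curl -sS -o /dev/null -w '%{http_code}\n' --max-time 15 "$cas"
    printf 'CAS via loopback: '; curl -sS -o /dev/null -w '%{http_code}\n' --max-time 15 \
        --resolve example.com:443:127.0.0.1 "$cas"
    curl -sS -o /dev/null -H 'X-Forwarded-For: 10.0.0.1' https://moodle.example.com/
    printf 'Apache logged:    '; tail -n 1 /var/log/apache2/moodle_example_com_access.log
}

case "${1:-}" in live) live_checks ;; esac
```

Run without arguments the file only defines the functions, so the offline part can be sourced and called from another script; `sh this.sh live` runs the network checks and needs read access to the Apache log.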

1 answer(s)
Viktor Taran, 2019-09-14
@Berkutman

Here is a working config; for port 80 just strip out the excess.
At the same time, Apache can be almost anything, since the main thing is the proxying; what sits behind it no longer matters.
Also, you do not need to use the domain on the back end; 127.0.0.1 is enough, since the proxy will still route by headers and not by domain.

Real nginx config:
server {

######################################################################
## Server configuration 
######################################################################
  listen *:443 ssl http2;
    server_name 5job.ru www.5job.ru   ;
  root /var/www/5job.ru/web;
######################################################################
## Enable gzip for proxied requests and static files
######################################################################
    # Enable gzip for proxied requests and static files
    gzip on;
    gzip_proxied any;
    gzip_vary on;
    gzip_http_version 1.1;
    gzip_types application/javascript application/json text/css text/xml;
    gzip_comp_level 4;

######################################################################
## SSL configuration
######################################################################
# recommended but not mandatory directive
# leave commented out unless you know what it is doing
#more_set_headers 'Strict-Transport-Security: max-age=15768000';
# 'ssl on' is redundant with the ssl parameter on 'listen' (deprecated since nginx 1.15.0)
  ssl on;
  ssl_session_cache  shared:SSL:10m;
  ssl_session_timeout 1h;
  ssl_protocols TLSv1.2 TLSv1.1;
  add_header Strict-Transport-Security "max-age=15768000" always;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
  ssl_certificate /var/www/clients/client26/web28/ssl/5job.ru-le.crt;
  ssl_certificate_key /var/www/clients/client26/web28/ssl/5job.ru-le.key;
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
######################################################################
## Log configuration
######################################################################
# All logs disabled
        error_log /dev/null crit;
        access_log off;
######################################################################
## Error 555 requires a password
######################################################################
# Dev sites are closed with htpasswd, login:dev pass:dev (second part below)
  error_page 555 = @pass;
  location @pass {
    auth_basic	"Unauthorized";
    auth_basic_user_file	/var/www/dev_htpasswd;
    proxy_pass		https://127.0.0.1:4443;
    proxy_set_header 	Host		$host;
    proxy_set_header	X-Real-IP	$remote_addr;
    proxy_set_header	X-Forwarded-For	$proxy_add_x_forwarded_for;
    proxy_set_header	HTTPS		YES;
    }
######################################################################
## Errors send to apache2
######################################################################
# Apache has a pile of its own aliases, and some static content is served
# by PHP, so all errors are handled only by apache2
  error_page 401 403 404 405 500 502 503 = @fallback;
  location @fallback {
    proxy_pass		https://127.0.0.1:4443;
    proxy_set_header 	Host		$host;
    proxy_set_header	X-Real-IP	$remote_addr;
    proxy_set_header	X-Forwarded-For	$proxy_add_x_forwarded_for;
    proxy_set_header	HTTPS		YES;
    }

######################################################################
## Locations configuration
######################################################################
# Disable logging of "No such file or directory" errors
## Disable .htaccess files

  location ~ /\.ht {
    deny all;

    access_log off;
    log_not_found off;
  }
  ##
  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }
  ##
  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }
  ##
######################################################################
# services on the site: phpmyadmin, mail and letsencrypt
  location /phpmyadmin/ {
    deny all;
    # put a password on phpmyadmin
    return 555;
    root  /usr/share/phpmyadmin/;
  }
  ##
  location /webmail/ {
    rewrite ^/(.*)$ https://$http_host:8080/$1 permanent;
  }
  # letsencrypt 
   location /.well-known/acme-challenge/ { 
   	alias /usr/local/ispconfig/interface/acme/;
   	default_type text/plain;

   }
# static content 
# Serve static content directly from nginx
  location ~* ^.+\.(jpg|jpeg|svg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf|flv|mp3)$ {
    root  /var/www/5job.ru/web;
    access_log off;
    expires 30d;
    gzip_static on;
  }

# default location
  location / {
    index index.php index.html index.htm;
    proxy_pass		https://127.0.0.1:4443;
    proxy_set_header 	Host		$host;
    proxy_set_header	X-Real-IP	$remote_addr;
    proxy_set_header	X-Forwarded-For	$proxy_add_x_forwarded_for;
    proxy_set_header	HTTPS		YES;
    ######################################################################
    ## Dev site Protection Requests in location /
    ######################################################################
    # So that dev sites are not indexed by search engines, we forcibly
    # put passwords on them: anything starting with dev. or old., or the ks03 domain
    if ($http_host ~* "^(dev|old|www.old|www.dev)\..*\..{2,8}$"){
      return 555;
    }
    if ($http_host ~* "^.*\.ks03\.ru$"){
      return 555;
    }
                
        proxy_set_header X-Forwarded-Proto https;
        include /etc/nginx/locations.d/*.conf;
    }
}

Better yet, install a web panel so that these are available:
brainycp
vestacp
ispconfig3
bitrix-vm (console front end)
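An added check against the answer's configuration, in shell; it is not part of the answer and not an nginx tool. It greps one nginx config file for the settings seen in this thread that a reviewer would flag: `ssl on` (redundant with the ssl parameter on `listen`, deprecated since 1.15.0), TLSv1.1 in `ssl_protocols`, `error_log` sent to /dev/null, realip directives in an edge proxy, `$proxy_add_x_forwarded_for` at the edge, and the invalid `proxy_redirect on`. The sample server block it audits is constructed here from those settings, not copied from either config.

```shell
#!/bin/sh
# Added check for the answer's config above; not part of the answer, nor of nginx.
# Greps one nginx config file for settings both configs in this thread use and
# that a reviewer would flag.  One finding per line on stdout.

audit_nginx() {
    f=$1   # path to an nginx config file
    # 'ssl on' duplicates the ssl parameter of 'listen' and is deprecated (1.15.0+).
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "ssl on: redundant with 'listen ... ssl'; deprecated since nginx 1.15.0"
    fi
    # TLSv1 / TLSv1.1 still offered (the answer lists TLSv1.1 next to TLSv1.2).
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$f"; then
        echo "ssl_protocols: TLSv1/TLSv1.1 enabled; keep TLSv1.2 (and TLSv1.3 where available)"
    fi
    # realip directives only make sense when another trusted proxy sits in front.
    if grep -Eq '^[[:space:]]*(set_real_ip_from|real_ip_header|real_ip_recursive)[[:space:]]' "$f"; then
        echo "realip: set_real_ip_from/real_ip_* present; valid only if a trusted proxy sits in front of this nginx"
    fi
    # Appending the client's own X-Forwarded-For instead of replacing it.
    if grep -Eq 'X-Forwarded-For[[:space:]]+\$proxy_add_x_forwarded_for' "$f"; then
        echo "X-Forwarded-For: \$proxy_add_x_forwarded_for forwards the client's own header; use \$remote_addr at the edge"
    fi
    # proxy_redirect takes off, default, or '<redirect> <replacement>'.
    if grep -Eq '^[[:space:]]*proxy_redirect[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "proxy_redirect on: not a valid value (off | default | <redirect> <replacement>)"
    fi
    # The answer discards errors entirely.
    if grep -Eq '^[[:space:]]*error_log[[:space:]]+/dev/null' "$f"; then
        echo "error_log /dev/null: error logging disabled; nothing is left for incident response"
    fi
    return 0
}

# Constructed sample: the thread's questionable settings in one server block.
write_sample() {
    cat > "$1" <<'EOF'
server {
  listen 443 ssl http2;
  ssl on;
  ssl_protocols TLSv1.2 TLSv1.1;
  error_log /dev/null crit;
  location / {
    proxy_pass http://127.0.0.1:81;
    proxy_redirect on;
    set_real_ip_from 1.2.3.4;
    real_ip_recursive on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
EOF
}

# Number of findings for a file (0 when the grep finds nothing).
count_findings() { audit_nginx "$1" | grep -c . || true; }

case "${1:-}" in
    demo) tmp=$(mktemp); write_sample "$tmp"; audit_nginx "$tmp"; rm -f "$tmp" ;;
    '')   : ;;
    *)    audit_nginx "$1" ;;
esac
```

`sh audit.sh demo` prints the six findings for the constructed sample; `sh audit.sh /etc/nginx/sites-enabled/example.conf` audits a real file. It is line-oriented, so it does not know which `access_log off` is a harmless per-location setting, which is why that one is deliberately not checked.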
