I have three servers: one for load balancing and the other two for serving the web application. My load balancing works fine if I use my web page as a static site, but when I log into my web page it does not respond correctly, because it changes its server every time the page loads. How can I do it without changing the current server before log-out? My load balancing server configuration is:
    upstream web_backend {
        server 192.168.33.2;
        server 192.168.33.3;
    }
    server {
        listen 80;
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://web_backend;
        }
    }
You can use the session persistence feature of nginx:
If there is the need to tie a client to a particular application
server — in other words, make the client’s session “sticky” or
“persistent” in terms of always trying to select a particular server —
the ip-hash load balancing mechanism can be used.
With ip-hash, the client’s IP address is used as a hashing key to
determine what server in a server group should be selected for the
client’s requests. This method ensures that the requests from the same
client will always be directed to the same server except when this
server is unavailable.
To configure ip-hash load balancing, just add the ip_hash directive to
the server (upstream) group configuration:
In your case, just add ip_hash to your upstream definition:
    upstream web_backend {
        ip_hash;
        server 192.168.33.2;
        server 192.168.33.3;
    }
I need to develop a challenge page much similar to the Cloudflare firewall challenge.
I know how to make the front end and the back end of the challenge app and I know how to set it up on the server.
The problem comes on how to implement it to the website which is on one server, while the challenge app is on another server. How should I make the communication between the servers? Both servers will be Ubuntu 16.4. Thank you all in advance.
I think it's better to solve this issue like Cloudflare, using an nginx server.
Make an nginx reverse proxy with a rate limit.
If the limit is hit, the user will be redirected to an error page.
Integrate your challenge app with the error page.
More about this configuration is here:
https://serverfault.com/questions/645154/how-to-redirect-to-an-other-link-when-excess-request-limit-req-with-nginx
And how to use PHP in error pages is here:
Nginx, PHP + FPM Custom Error Pages
You can run this reverse proxy on a third server, or you can run it on the challenge app server.
Make your domain point to the reverse proxy, then make the nginx config:
    server {
        listen 80 default_server;
        server_name *.*;
        client_body_timeout 5s;
        client_header_timeout 5s;
        location / {
            proxy_set_header Host $host;
            proxy_pass http://00.00.00.00/; #replace with upstream ip
        }
    }
You have to combine this with a custom PHP error page.
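The setup described in this answer, as an added example that is not part of the original post: requests over the rate limit are handed to the challenge app through error_page instead of receiving nginx's default error response. The addresses, the zone name, the rate and burst values, and the X-Original-URI header are assumptions chosen for illustration.

```nginx
# Goes in the http {} context of the reverse proxy.
# All addresses are placeholders from the RFC 5737 documentation range.

# One counter per client address; 10 MB of shared state, 5 requests/second.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=5r/s;

upstream website       { server 192.0.2.10; }   # the protected site
upstream challenge_app { server 192.0.2.20; }   # the challenge application

server {
    listen 80 default_server;
    client_body_timeout   5s;
    client_header_timeout 5s;

    # Reject with 429 instead of the default 503, so that a real backend
    # outage is not confused with rate limiting.
    limit_req_status 429;

    location / {
        # Allow short bursts, reject everything beyond them immediately.
        limit_req zone=per_ip burst=10 nodelay;

        # Over-limit requests are answered by the challenge app.
        # "=" passes the challenge app's own status code to the client.
        error_page 429 = @challenge;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://website;
    }

    location @challenge {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Hypothetical header: tells the challenge app which URL to send
        # the visitor back to once the challenge is solved.
        proxy_set_header X-Original-URI $request_uri;
        proxy_pass http://challenge_app;
    }
}
```

The challenge app sees only the proxy's address as the TCP peer, so it should take the visitor address from X-Real-IP and accept that header only from the proxy.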
This is the warning when I open my phpMyAdmin's login (index) page:
There is mismatch between HTTPS indicated on the server and client.
This can lead to non working phpMyAdmin or a security risk.
Please fix your server configuration to indicate HTTPS properly.
The error should be caused by a loadbalancer in between my client and phpmyadmin itself. SSL terminates on the loadbalancer so the URL being used (that phpmyadmin receives in request headers, I assume) is https://mydomain/phpmyadmin.
The loadbalancer communicates with phpmyadmin via http, so the URL being used between lb and pma is http://mydomain/phpmyadmin (not https).
I found this very fitting article on github: Possibility to deactivate SSL connection #170 which is for Docker containers and describes an env var to be passed to the container called "PMA_ABSOLUTE_URI" to fix the problem.
Which setting would this be in phpmyadmin NON Docker?
Any other solution to my problem is also highly appreciated.
Sidenote: Phpmyadmin works fine after the login. You can log in, there are no warnings after the log in and you can perform all interactions without problems. I am just worried about the warning.
I have exactly the same setup as you are describing. A front load balancer acts as reverse proxy and also as SSL/TLS terminator. The LB talks in plain http with the backend server where phpMyAdmin is running.
When I upgraded from 4.0.4.1 to 4.9.0.1 I got the same warning appearing at the phpMyAdmin login screen as you. I was able to solve this on the reverse proxy by "faking" the protocol from http to https. In my case my reverse proxy is an Nginx web server and just before I'd pass to the backend server, I added X-Forwarded-Proto:
    server {
        listen 443;
        server_name my.phpmyadmin.example.com;
        [... log and ssl settings ...]
        location / {
            include /etc/nginx/proxy.conf;
            proxy_set_header X-Forwarded-Proto https;
            proxy_pass http://backendserver;
        }
    }
Adding proxy_set_header X-Forwarded-Proto https; tells the backend server that the client-to-proxy communication happens over https. Without setting this header, phpMyAdmin probably identifies (not sure, just a guess) that it was loaded on an https:// URL yet the communication (between reverse proxy and phpMyAdmin server) happened over http. Therefore it's a correct warning to be shown.
As soon as Nginx was reloaded, the warning disappeared from the phpMyAdmin login screen.
I am trying to send the real visitor IP to nginx from PHP.
This is the situation:
Server A - exmaple.com/a.php
Server B - example/file.txt
When exmaple.com/a.php is accessed, it downloads file.txt located on server B,
but the nginx logs show server A's IP as the one requesting the download. I guess that is correct, because file.txt is downloaded via a.php located on server A.
So how can I send the IP of the visitor instead of the server to nginx?
I already have this in my nginx config:
    proxy_set_header X-Real-IP $remote_addr;
Thank you
Server A: add an X-Real-IP header with the client's IP to the outgoing request. This part depends on your code. For example, if you use cURL, you need to add curl_setopt($ch, CURLOPT_HTTPHEADER, [ 'X-Real-IP: '.$_SERVER['REMOTE_ADDR'] ]).
Server B: you need to configure nginx. Add to nginx's server config block:
    set_real_ip_from SERVER_A_IP;
    real_ip_header X-Real-IP;  # not required, because this is the default value
You would need to add it to your request headers.
    $opts['http']['header'] = 'X-Real-IP: ' . $_SERVER['REMOTE_ADDR'] . "\r\n";
You would also need to configure Nginx to accept this, with set_real_ip_from config directives.
A better option would be to use cURL (see #Terra's answer), which gives you a bit more flexibility than the fopen wrappers.
The best option however is just to let Nginx do this. It's far more efficient than piping all this data through PHP. Use proxy_pass.
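How server B can accept the header only from server A and still keep the real TCP peer visible in its log, as an added example that is not from the original answers. It assumes nginx built with the realip module; 192.0.2.10 stands in for server A's address, and the log format name and file paths are constructed.

```nginx
# Goes in the http {} context on server B.
# Requires ngx_http_realip_module (set_real_ip_from, $realip_remote_addr).

# $remote_addr        = address after realip substitution (the visitor,
#                       when the request came from a trusted peer)
# $realip_remote_addr = address of the actual TCP peer
# $http_x_real_ip     = the header exactly as it was received
log_format realip_audit '$remote_addr peer=$realip_remote_addr '
                        'x_real_ip="$http_x_real_ip" '
                        '[$time_local] "$request" $status';

server {
    listen 80;
    access_log /var/log/nginx/files_access.log realip_audit;

    # Honour X-Real-IP only when the connection comes from server A.
    # For any other peer the header is ignored and $remote_addr stays
    # the peer address, so a client cannot choose its own logged IP.
    set_real_ip_from 192.0.2.10;      # placeholder for SERVER_A_IP
    real_ip_header   X-Real-IP;

    # Weak setting, shown only for contrast: trusting every peer lets
    # any client forge the address that ends up in logs and in
    # allow/deny or rate-limit decisions.
    # set_real_ip_from 0.0.0.0/0;

    location = /file.txt {
        root /var/www/files;
    }
}
```

With this format, a log line where peer= is not server A but x_real_ip is non-empty marks a client that sent the header itself. On server A the header value has to come from $_SERVER['REMOTE_ADDR'], as in the answers above, not from a header the visitor supplied.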
I have a high-load website, and my system runs out of memory at peak times. I want to split the load so that the read operations, which happen to be on specific URLs, move to another server.
I am using nginx and php-fpm. How do I redirect specific URLs to be processed by php-fpm on a different server?
This is the blueprint of my requirements.
    location /feed/generate {
        # use php-fpm on a different server
    }
    location / { #all other requests
        # use existing php-fpm
    }
Set up php-fpm on the second server, listening on an externally accessible IP (not 127.0.0.1), port 9000.
The IP address should be private (not routed to the internet) and/or configured to only allow connections from trusted hosts (firewall).
    upstream feed_php_fpm {
        server <other server ip>:9000;
    }
    upstream local_fpm {
        server 127.0.0.1:9000;
    }
    location /feed/generate {
        fastcgi_pass feed_php_fpm;
        include fastcgi.conf;
    }
    location / {
        fastcgi_pass local_fpm;
        include fastcgi.conf;
    }
Please understand what you are doing and the implications of php-fpm listening on a network port vs file socket.
I currently have two apps at AppFog, they are.
http://sru-forums-prod.aws.af.cm/ and http://sru-home-prod.aws.af.cm/
I have haProxy running locally on my computer, this is my current config file.
    global
        debug
    defaults
        mode http
        timeout connect 500ms
        timeout client 50000ms
        timeout server 50000ms
    backend legacy
        server forums sru-forums-prod.aws.af.cm:80
    frontend app *:8232
        default_backend legacy
The end-goal is that localhost:8232 forwards traffic to sru-home-prod, while localhost:8232/forums/* forwards traffic to sru-forums-prod. However, I can't even get a simple proxy up and running.
When I run HAProxy off this config file I receive AppFog 404 Not Found at localhost:8232.
What am I missing, is this even possible?
EDIT:
New config works, but now I have a port 60032 coming back in the response.
    global
        debug
    defaults
        mode http
        timeout connect 500ms
        timeout client 50000ms
        timeout server 50000ms
    backend legacy
        option forwardfor
        option httpclose
        reqirep ^Host: Host:\ sru-forums-prod.aws.af.cm
        server forums sru-forums-prod.aws.af.cm:80
    frontend app *:8000
        default_backend legacy
The reason you are getting an AppFog 404 Not Found is because applications hosted on AppFog are routed by domain name. In order for AppFog to know what app to serve you, the domain name is required to be in the HTTP request. When you go to localhost:8232/forums/ it sends localhost as the domain name which AppFog does not have as a registered app name.
There is a good way to get around this issue:
1) Map your application to a second domain name, for example:
af map <appname> sru-forums-prod-proxy.aws.af.cm
2) Edit your /etc/hosts file and add this line:
127.0.0.1 sru-forums-prod-proxy.aws.af.cm
3) Go to http://sru-forums-prod-proxy.aws.af.cm:8232/forums/ which will map to the local machine but will go through your haproxy successfully ending up with the right host name mapped to your app hosted at AppFog.
Here is a working haproxy.conf file that demonstrates how this has worked for us so far using similar methodologies.
    defaults
        mode http
        timeout connect 500ms
        timeout client 50000ms
        timeout server 50000ms
    backend appfog
        option httpchk GET /readme.html HTTP/1.1\r\nHost:\ aroundtheworld.appfog.com
        option forwardfor
        option httpclose
        reqirep ^Host: Host:\ aroundtheworld.appfog.com
        server pingdom-aws afpingdom.aws.af.cm:80 check
        server pingdom-rs afpingdom-rs.rs.af.cm:80 check
        server pingdom-hp afpingdom-hp.hp.af.cm:80 check
        server pingdom-eu afpingdom-eu.eu01.aws.af.cm:80 check
        server pingdom-ap afpingdom-ap.ap01.aws.af.cm:80 check
    frontend app *:8000
        default_backend appfog
    listen stats 0.0.0.0:8080
        mode http
        stats enable
        stats uri /haproxy