Reverse proxy question


#1

Hi,

Does anyone know how to use ee commands to start using nginx reverse proxy for 80 AND 443 ports? It also seems that the reverse proxy does not cache at all.

Some new implementations would be neat, i.e. ee site create blaa.com --reverse-proxy 1.2.3.4 --withssl --withcache

With yes:
Q: Do you want to create a certificate [y/n] y
A: SSL certificate created in /etc/nginx/ssl/blaa. Please copy the certificates to your backend server.

With no:
Do you want to create a certificate [y/n] n
A: SSL certificate not created. Please copy the certificates to /etc/nginx/ssl/blaa and edit /var/www/blaa.com/conf/nginx/ssl.conf accordingly


#2

I'm afraid you cannot do this in an automated way. EasyEngine provides -proxy support syntax, but not a reverse proxy one (check https://easyengine.io/docs/commands/site/create/).

However, if you are willing to install nginx as a reverse proxy for http and https connections as well, you can do it in a manual way, without affecting EE at all (editing nginx config by hand, taking care of double port conflicts etc.).


#3

With the command ee site create yourdomain.com --proxy=1.2.3.4, EE will only create your vhost file with a basic reverse-proxy (no cache). You will also have to use letsencrypt manually because with a reverse-proxy you will not be able to check the root folder of the domain.


#4

The following config gives me 3-4x(!) times slower performance benching with ab than without caching - so something is off…

Caching Proxy Config

server {

server_name xxxxx   www.xxxxx;

access_log /var/log/nginx/xxxxx.access.log rt_cache;
error_log /var/log/nginx/xxxxx.error.log;

add_header X-Proxy-Cache $upstream_cache_status;
location / {
    proxy_pass http://10.189.68.134:80;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_redirect      off;
    proxy_set_header    Host            $host;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_cache_bypass $cookie_nocache $arg_nocache;
}

}

server {
    listen 443;
    ssl on;
    server_name xxxxx www.xxxxx;
    resolver 8.8.8.8 8.8.4.4;
    ssl_certificate /etc/nginx/certs/xxxxx.ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/certs/xxxx.key;
    #proxy_ssl_trusted_certificate /etc/nginx/certs/xxx.ssl-bundle.crt;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    # ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    #proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;

    location / {
            proxy_set_header X-Forwarded-Proto $scheme; #https;
            add_header Front-End-Https on;
            #proxy_set_header X-Forwarded-Host $host;
           # proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_cache my_cache;
            proxy_cache_valid 200 302 60m;
            proxy_cache_valid 404 1m;
            proxy_pass https://10.189.68.134:443;
    }

    set $skip_cache 0;

    if ($request_method = POST) { set $skip_cache 1; }
    if ($query_string != "") { set $skip_cache 1; }

    # Don't cache uris containing the following segments. 'admin' is for one of my websites, it's not required
    # for everyone. I've removed index.php as I want pages cached.
    #if ($request_uri ~* "/wp-admin/|/admin-|/purge|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
    if ($request_uri ~* "/wp-admin/|/admin-|/purge|/xmlrpc.php|wp-.*.php|/feed/|sitemap(_index)?.xml") { set $skip_cache 1; }

    # Don't use the cache for logged in users or recent commenters
    # if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in|code|PHPSESSID") {
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wordpress_logged_in|code") { set $skip_cache 1; }

    # If we skip the cache it's likely customised for one user. Set the caching headers to match.
    # http://www.mobify.com/blog/beginners-guide-to-http-cache-headers/
    if ($skip_cache = 1) { set $cacheControl "private, max-age=0, s-maxage=0, no-cache, no-store"; }
    if ($skip_cache = 0) { set $cacheControl "public, max-age=86400, s-maxage=86400"; }

}
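
An added example, not part of the post above and not EasyEngine's own output: one way to wire a caching HTTPS reverse proxy so that the `$skip_cache` decision actually controls the cache. In the lines as posted, `$skip_cache` is set but no `proxy_cache_bypass` or `proxy_no_cache` directive refers to it. The zone name `my_cache`, the backend address and the match patterns are taken from the post; the cache path, zone sizes, `example.com` names and certificate paths are assumptions.

```nginx
# http{} context: proxy_cache needs a zone declared with proxy_cache_path.
# Path and sizes are assumptions; the zone name comes from the post.
proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=my_cache:50m
                 max_size=1g inactive=60m use_temp_path=off;

server {
    listen 443 ssl;
    server_name example.com www.example.com;                          # placeholder

    ssl_certificate     /etc/nginx/certs/example.com.ssl-bundle.crt;  # placeholder
    ssl_certificate_key /etc/nginx/certs/example.com.key;             # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # Decide per request whether the response may be shared between visitors.
    set $skip_cache 0;
    if ($request_method = POST) { set $skip_cache 1; }
    if ($query_string != "")    { set $skip_cache 1; }
    if ($request_uri ~* "/wp-admin/|/admin-|/purge|/xmlrpc.php|wp-.*.php|/feed/|sitemap(_index)?.xml") {
        set $skip_cache 1;
    }
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wordpress_logged_in|code") {
        set $skip_cache 1;
    }

    # HIT / MISS / BYPASS in the response makes the cache behaviour checkable.
    add_header X-Proxy-Cache $upstream_cache_status;

    location / {
        proxy_pass https://10.189.68.134:443;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_cache       my_cache;
        proxy_cache_key   $scheme$host$request_uri;
        proxy_cache_valid 200 302 60m;
        proxy_cache_valid 404 1m;

        # Without these two lines $skip_cache has no effect: a page rendered for a
        # logged-in user could be stored and then served to other visitors.
        proxy_cache_bypass $skip_cache;   # do not answer this request from the cache
        proxy_no_cache     $skip_cache;   # do not store this response in the cache
    }
}
```

Running `nginx -t` validates the syntax before a reload, and the `X-Proxy-Cache` response header should read `BYPASS` for a request carrying a `wordpress_logged_in` cookie.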


#5