Nginx and Apache can be used together: Nginx acts as a reverse proxy that accepts requests from clients and forwards them to another web server such as Apache, and Apache returns the response to Nginx, which sends it on to the client. This lets the two web servers cover each other's shortcomings.
Nginx as a Reverse Proxy for Apache
*0.Install Apache*
Install Apache web server
```bash
apt update
apt install apache2 php-fpm -y
```
Install FastCGI module
```bash
wget https://mirrors.edge.kernel.org/ubuntu/pool/multiverse/liba/libapache-mod-fastcgi/libapache2-mod-fastcgi_2.4.7~0910052141-1.2_amd64.deb
dpkg -i libapache2-mod-fastcgi_2.4.7~0910052141-1.2_amd64.deb
```
*1.Setting Apache*
Rename the Apache ports.conf configuration file
```bash
mv /etc/apache2/ports.conf /etc/apache2/ports.conf.default
```
Create a new ports.conf file with port number 8080
```bash
echo "Listen 8080" | tee /etc/apache2/ports.conf
```
Disable the 000-default Apache virtual host
```bash
a2dissite 000-default
```
Create a virtual host configuration file
```bash
vim /etc/apache2/sites-available/001-default.conf
```
Enter the 001-default.conf configuration
[INPUT]1 2 3 4 5 6
Activate virtual host 001-default.conf
```bash
a2ensite 001-default
```
Restart Apache
```bash
systemctl restart apache2
```
Verify that Apache is already running on port 8080
```bash
netstat -tulpn
```
The results show that apache2 runs on port 8080
```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 127.0.0.53:53 0.0.0.0:* LISTEN 870/systemd-resolve
tcp 0.0.0.0:22 0.0.0.0:* LISTEN 1065/sshd
tcp6 :::8080 :::* LISTEN 8774/apache2
tcp6 :::22 :::* LISTEN 1065/sshd
```
*2.Configure Apache to use FastCGI*
Activate the actions module
```bash
a2enmod actions
```
Rename the FastCGI configuration file
```bash
mv /etc/apache2/mods-enabled/fastcgi.conf /etc/apache2/mods-enabled/fastcgi.conf.default
```
Create a new configuration file for FastCGI
```bash
vim /etc/apache2/mods-enabled/fastcgi.conf
```
Enter the FastCGI configuration
[INPUT]1 2 3 4 5 6 7 8 9 10 11
Apache configuration test
```bash
apachectl -t
```
The result is *Syntax OK*, restart Apache
```bash
systemctl restart apache2
```
*3.PHP Verification*
Verify that the PHP script can be run by Apache web server
Create info.php file to call the phpinfo function
```bash
echo "<?php phpinfo(); ?>" | tee /var/www/html/info.php
```
Browse *http://IP_SERVER:8080/info.php*, check *Server API*, *SERVER_PORT*, and *SERVER_SOFTWARE*.
PHP Information – Server API
PHP Information – SERVER PORT and SERVER SOFTWARE
*4.Create Apache Virtual Host*
Create an Apache virtual host configuration for the *web.defnex.com* subdomain
Create a document root folder
```bash
mkdir /var/www/web.defnex.com
```
Create index.html file
```bash
echo "web.defnex.com" | tee /var/www/web.defnex.com/index.html
```
Create info.php file
```bash
echo "<?php phpinfo(); ?>" | tee /var/www/web.defnex.com/info.php
```
Create a virtual host file for web.defnex.com
```bash
vim /etc/apache2/sites-available/web.defnex.com.conf
```
Enter the virtual host configuration
[INPUT]1 2 3 4 5 6 7 8 9 10 11
Activating virtual host
```bash
a2ensite web.defnex.com
```
Apache configuration test
```bash
apachectl -t
```
Restart Apache
```bash
systemctl restart apache2
```
Verify that the virtual host configuration is functioning properly, browse *http://web.defnex.com:8080*
Browse subdomain
*5.Install and Configure Nginx*
Install Nginx
```bash
apt install nginx -y
```
Create a Nginx server block configuration for *web.defnex.com*
```bash
vim /etc/nginx/conf.d/web.defnex.com.conf
```
Enter the server block configuration
```nginx
server {
    listen 80;
    server_name web.defnex.com;
    root /var/www/web.defnex.com;
    index index.php index.htm index.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        proxy_pass http://178.128.212.251:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location ~ /\.ht {
        deny all;
    }

    access_log /var/log/nginx/web.defnex.com_access.log;
    error_log /var/log/nginx/web.defnex.com_error.log warn;
}
```
Nginx configuration test
```bash
nginx -t
```
The result
```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
Restart Nginx
```bash
systemctl restart nginx
systemctl status nginx
```
Verify the Nginx reverse proxy by accessing *http://web.defnex.com/info.php*
PHP Information – Nginx Reverse Proxy
*6.Install and Configure mod_rpaf*
The Apache module mod_rpaf rewrites the values of *REMOTE_ADDR*, *HTTPS* and *HTTP_PORT*. Without this module, the IP address recorded in the Apache log is that of Nginx, not of the visitor.
Install the packages needed to build the module
```bash
apt install unzip build-essential apache2-dev -y
```
Download the mod_rpaf source code from GitHub
```bash
wget https://github.com/gnif/mod_rpaf/archive/stable.zip -O mod_rpaf.zip
```
Extract the mod_rpaf.zip file
```bash
unzip mod_rpaf.zip
```
Compile mod_rpaf
```bash
cd mod_rpaf-stable
make
make install
```
Create the rpaf.load file
```bash
vim /etc/apache2/mods-available/rpaf.load
```
Enter the load module configuration
```apache
LoadModule rpaf_module /usr/lib/apache2/modules/mod_rpaf.so
```
Create a rpaf.conf configuration file
```bash
vim /etc/apache2/mods-available/rpaf.conf
```
Entering the module configuration, *RPAF_ProxyIPs* is filled with SERVER_IP
[INPUT]1 2 3 4 5 6 7 8
Activate the rpaf module
```bash
a2enmod rpaf
```
Apache configuration test
```bash
apachectl -t
```
Restart Apache
```bash
systemctl restart apache2
```
Browse *http://web.defnex.com/info.php* and check *REMOTE_ADDR*; it must contain the public IP address of the visitor's computer
PHP Information – REMOTE ADDR
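Why *RPAF_ProxyIPs* should list only the proxy: Nginx's `$proxy_add_x_forwarded_for` appends the connecting address to whatever `X-Forwarded-For` value the client already sent, so only the right-hand end of the header is trustworthy. The script below is an added illustration of that trust rule (take the rightmost address that is not a trusted proxy), not mod_rpaf source code; `TRUSTED_PROXIES`, the function names and the visitor addresses are constructed for the example.

```shell
#!/bin/sh
# Added illustration, not mod_rpaf source code.
# TRUSTED_PROXIES plays the role of RPAF_ProxyIPs (the page uses the server's own IP).
TRUSTED_PROXIES="178.128.212.251"

is_trusted() {
    for proxy in $TRUSTED_PROXIES; do
        [ "$1" = "$proxy" ] && return 0
    done
    return 1
}

# resolve_client PEER_ADDR XFF_VALUE
# Prints the address that should be logged as the visitor.
resolve_client() {
    peer=$1
    xff=$2
    # A peer that is not a known proxy gets no say: its header is ignored.
    if ! is_trusted "$peer"; then
        printf '%s\n' "$peer"
        return 0
    fi
    set -f                      # header is untrusted input: no glob expansion
    reversed=""
    old_ifs=$IFS
    IFS=','
    for hop in $xff; do reversed="$hop $reversed"; done
    IFS=$old_ifs
    client=$peer
    # Walk right to left: entries appended by trusted proxies are skipped,
    # the first untrusted entry is the real client. Anything further left
    # was supplied by that client and is never used.
    for hop in $reversed; do
        client=$hop
        is_trusted "$hop" || break
    done
    set +f
    printf '%s\n' "$client"
}

# Constructed requests (198.51.100.7 is the real visitor, 10.0.0.1 is forged).
resolve_client 178.128.212.251 "198.51.100.7"            # via Nginx
resolve_client 178.128.212.251 "10.0.0.1, 198.51.100.7"  # via Nginx, forged header
resolve_client 198.51.100.7 "10.0.0.1"                   # direct hit on :8080
```

All three calls resolve to the real visitor address; a rule that trusted the leftmost entry, or trusted the header from any peer, would log the forged one instead.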
*7.Configure HTTPS*
Install the Let's Encrypt client (Certbot) to enable HTTPS
```bash
cd
add-apt-repository ppa:certbot/certbot
apt install python-certbot-nginx -y
```
Generate an SSL certificate for the *web.defnex.com* subdomain served by Nginx
```bash
certbot --nginx -d web.defnex.com
```
Enter email address
```
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): hai@musaamin.web.id
```
Agree ToS
```
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
```
Consent to be sent information about Let's Encrypt, you can answer Y or N.
```
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
```
The SSL certificate is created, and the virtual host configuration is changed to add SSL.
```
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for web.defnex.com
```
Then select *2* to redirect HTTP to HTTPS.
```
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
```
The SSL certificate installation for *web.defnex.com* is complete
```
Congratulations! You have successfully enabled https://web.defnex.com
```
The SSL certificate is only valid for 90 days; run the *renew* command to renew it
```bash
certbot renew
```
Browse *https://web.defnex.com/info.php*, check *$_SERVER['SERVER_PORT']* and *$_SERVER['HTTPS']*
PHP Information – HTTPS
*8.Block Direct Access to Apache*
Block direct access to Apache on port 8080 using iptables.
The format of the firewall rule; replace *SERVER_IP* with the server's address
```bash
iptables -I INPUT -p tcp --dport 8080 ! -s SERVER_IP -j REJECT --reject-with tcp-reset
```
With *178.128.212.251* as SERVER_IP
```bash
iptables -I INPUT -p tcp --dport 8080 ! -s 178.128.212.251 -j REJECT --reject-with tcp-reset
```
Test the iptables rule by accessing *http://web.defnex.com:8080*, the result is *ERR_CONNECTION_RESET*
Browse port 8080
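A check for the rule above, added here as an example and not part of the original tutorial: the netstat output in step 1 shows apache2 listening on `tcp6 :::8080`, and iptables filters IPv4 only, so the IPv6 ruleset needs the same inspection. The rule text is constructed in the format printed by `iptables -S INPUT` and `ip6tables -S INPUT`; the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration. The rule text below is constructed in the format that
# `iptables -S INPUT` and `ip6tables -S INPUT` print; on a real host pass
# their output instead.
V4_RULES='-P INPUT ACCEPT
-A INPUT ! -s 178.128.212.251/32 -p tcp -m tcp --dport 8080 -j REJECT --reject-with tcp-reset'
V6_RULES='-P INPUT ACCEPT'

# guard_rule RULES PORT: prints the first rule that rejects or drops TCP
# traffic to PORT for every source except one negated address.
guard_rule() {
    printf '%s\n' "$1" |
        grep -E -- "^-A INPUT .*--dport $2( |\$)" |
        grep -E -- '! -s [^ ]+' |
        grep -E -- '-j (REJECT|DROP)' |
        head -n 1
}

# backend_guarded RULES PORT: succeeds only if such a rule exists.
backend_guarded() {
    [ -n "$(guard_rule "$1" "$2")" ]
}

# allowed_source RULES PORT: prints the single address the rule lets through.
allowed_source() {
    guard_rule "$1" "$2" | sed -n 's/.*! -s \([^ /]*\).*/\1/p'
}

report() {
    # $1 = label, $2 = rules, $3 = port
    if backend_guarded "$2" "$3"; then
        echo "$1: port $3 closed to all but $(allowed_source "$2" "$3")"
    else
        echo "$1: port $3 is NOT filtered"
    fi
}

report IPv4 "$V4_RULES" 8080
report IPv6 "$V6_RULES" 8080
```

On the server, call `report IPv4 "$(iptables -S INPUT)" 8080` and `report IPv6 "$(ip6tables -S INPUT)" 8080`. Rules inserted with `iptables -I` are not saved across a reboot, so run the check again after a restart.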
Good luck