After try open a page using an IPv6 (AAAA) name,
nginx crashed with “Bad Gateway” message and Apache gives “Segmentation Fault”.

After dig a little bit, I discover that the problem were in the (lack of) IPv6 Linux Module.
A “modprobe ipv6″ solved my problem.
=D

Just a quick question on point #7 Restrictive Iptables Based Firewall

I’m trying to get an understanding of iptables and in doing so your output rules confuse me.
Plese see below example:

$IPT -A INPUT -i ${PUB_IF} -s ${ip} -p tcp -d ${SERVER_IP} –destination-port 22 -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -d ${ip} -p tcp -s ${SERVER_IP} –sport 22 -j ACCEPT

I interpret that as being
Accept a SSH in to server from IP as defined in $PUB_SSH_ONLY.
Allow a ssh connection out to an IP as defined in $PUB_SSH_ONLY.

Why do you need the output rule?
Is it simply to allow a SSH connection to an IP defined in $PUB_SSH_ONLY or
is the output required as part of a handshaking process?

I know I should experiment and see but I’m curious to the answer and that I may have a gap in my iptables understanding.

Thanks,
SuilAmhain

My server has suffered from socket port exhaustion for 2 years now.
Ive tried every sysctl variable and a hundred configurations from various linux administrators, and only YOUR sysctl.conf file did the trick.
Im not sure why, ive used all these parameters before, but it finally fixed the problem on centos and now I can run a load test for hours and never suffer from port exhaustion.
YOU ARE THE MAN!


server {
listen 80 default;
return 403;
}


#11, I doubt nginx supports any other methods

And #12… I doubt there’s any spambots left running using non-common user agent.

Additionally, running php-cgi and nginx daemons as different user is recommended. Setting owner of the files to root and making it non-group/world writable except for some directories used by php (in which should be set to php-owned and not group/world writable) is also recommended.

I’ve setup a video streaming server, using Nginx and php-fpm… ( this server transmits @ 3-4 mbps at average ) I am seeing a lot of erros like “connection to upstream timed out ” etc , which throws a ” Bad Gateway” at times. After a lot of googling I increased the time out of fcgi and that seem to alleviate the issue, but I am seeing such entries in the logs often. I assume the issue is with nginx getting failed to communicate with PHP engine…

I wonder if the error is common and do we have hotfix for the issue ? I doubt if that is an issue with any compiled module ?

Thanks!
Vinod !

It’s great to see the complete step by step on hardening nginx web server.

Would you consider in writing something like that for lighttpd web server? :)

You can chroot nginx using chroot command under CentOS / RHEL or any Linux disro as follows. You need to copy /usr/local/nginx to your $D. Next copy /etc/{passwd,group,hosts,resolv.conf,php.ini} to $D/etc, You need to copy required libs to $D. Once done copy /lib64/* to $D too. Copy php-cgi to $D/usr/bin. Finally, copy required php modules such gd, php-mysql to $D/usr/lib64/php/modules directory. Run php-cgi in $D using the following syntax

/usr/bin/spawn-fcgi -c $D -a 192.168.1.10 -p 9000 -P /var/run/php-cgi.fastcgi.pid -u nginx -g nginx -- /usr/bin/php-cgi

Where,
D=/jail.dir

You need to place /dev/null and a few more entries in $D/dev. Do not add hard disk and/or any other block device entries in $D/dev. This is the main problem with chroot and it can be easily escaped if proper care is not taken, hence I recommend proper tools.

Update nginx.conf and point fastcgi to 192.168.1.10:9000. Once done start nginx as

chroot $D /usr/local/nginx/sbin/nginx

HTH

Can you share your instructions on chrooting Nginx in a chroot jail?

Re:#18: Limits Connections Per IP At The Firewall Level;
You can use something like the following in nginx; – this is already what I use on heavily loaded servers with many visitors behind proxies -

limit_req_zone $binary_remote_addr zone=ratezone:20m rate=16r/s;
limit_req zone=ratezone burst=160 nodelay;

I believe that nginx can do it better than iptables, specially under a DDoS attack, because the iptables recent module have a maximum memory limit of 8MB, as I can remeber it, and after that it’s either completely fail or drop everything … nginx will do always behave better.

Re: #20: Restrict Outgoing Nginx Connections;
I think that It’s better to do that using selinux policy … if you use seedit , you can add some line like this to the nginx_t.sp ..

allownet -protocol tcp -port 21,25,80,110,143,443 client;

Thanks a lot

I find it much more clean and convenient to simply create a default website with blank webpage (or return error if preferred) that will respond to all non-matched queries.