nginx - yar145/mytestrepo1 GitHub Wiki

Installing NGINX Open Source

How to Install and Configure Nginx Webserver on Oracle Linux 8

TCP/UDP Load Balancing with NGINX: Overview, Tips, and Tricks

Module ngx_stream_geoip_module

How to Configure NGINX as TCP/UDP Load Balancer in Linux

```sh
# Debian/Ubuntu: the stream module ships as a separate package
apt install nginx libnginx-mod-stream
vi /etc/nginx/nginx.conf
systemctl restart nginx

# follow new stream sessions as they are logged
tail -n 30 -vf /var/log/nginx/stream-access.log

cat /etc/nginx/nginx.conf
```

```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    # Debian default; TLSv1 and TLSv1.1 are deprecated (RFC 8996), so a
    # hardened setup keeps only TLSv1.2 TLSv1.3 here.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    include /etc/nginx/conf.d/*.conf;

}

stream {
    log_format combined '$remote_addr - - [$time_local] $protocol $status $bytes_sent $bytes_received $session_time "$upstream_addr"';
    access_log /var/log/nginx/stream-access.log combined;

    upstream pos_eximTS {
        server 1.2.3.4:1210;
    }
    upstream pos_eximNS {
        server 1.2.3.4:1200;
    }

    server {
        listen 1210;
        proxy_pass pos_eximTS;
    }
    server {
        listen 1200;
        proxy_pass pos_eximNS;
    }
}
```
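As an added example (mine, not from the page or the nginx project), a small Python parser for the stream `log_format combined` defined above, with two defender-side checks run over constructed sample lines: clients whose sessions repeatedly end in a 5xx (the upstream unreachable or refusing) and sessions that sat open for a long time with no client data, the kind that only proxy_timeout eventually closes. The sample addresses and timestamps are made up.

```python
import re
from collections import Counter

# Matches the stream log_format named "combined" in the nginx.conf above:
# '$remote_addr - - [$time_local] $protocol $status $bytes_sent $bytes_received $session_time "$upstream_addr"'
STREAM_LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - - \[(?P<time_local>[^\]]+)\] (?P<protocol>TCP|UDP) '
    r'(?P<status>\d{3}) (?P<bytes_sent>\d+) (?P<bytes_received>\d+) '
    r'(?P<session_time>\d+(?:\.\d+)?) "(?P<upstream_addr>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one stream access-log line, or None if it does not match."""
    m = STREAM_LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("status", "bytes_sent", "bytes_received"):
        rec[key] = int(rec[key])
    rec["session_time"] = float(rec["session_time"])
    return rec

def find_suspicious(lines, min_failures=2, idle_secs=60.0):
    """Two checks over this log:
    - clients with >= min_failures sessions ending in a 5xx (upstream down or
      refusing), which is how an upstream outage first shows up here;
    - sessions open >= idle_secs that sent no client data at all."""
    failures = Counter()
    idle = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] >= 500:
            failures[rec["remote_addr"]] += 1
        elif rec["bytes_received"] == 0 and rec["session_time"] >= idle_secs:
            idle.append((rec["remote_addr"], rec["session_time"]))
    repeat_offenders = sorted(c for c, n in failures.items() if n >= min_failures)
    return repeat_offenders, idle

# Constructed sample lines (not real traffic), in the format above.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2023:10:00:01 +0000] TCP 200 1532 410 0.412 "1.2.3.4:1210"
203.0.113.7 - - [13/Mar/2023:10:00:05 +0000] TCP 502 0 0 0.003 "1.2.3.4:1210"
203.0.113.7 - - [13/Mar/2023:10:00:06 +0000] TCP 502 0 0 0.002 "1.2.3.4:1210"
198.51.100.9 - - [13/Mar/2023:10:01:00 +0000] TCP 200 0 0 600.021 "1.2.3.4:1200"
not a stream log line
"""
```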

How to Install an SSL/TLS Certificate In Nginx (OpenSSL)

You need to link the two certificates (or “concatenate” them) into a single file, with your server certificate first and the intermediate after it, by entering the command below:

```sh
cat your_domain_name.crt Intermediate.crt >> bundle.crt
```

Module ngx_stream_proxy_module

How to Build NGINX from Source on Ubuntu 22.04 or 20.04

```sh
apt install build-essential libpcre3-dev libssl-dev zlib1g-dev libgd-dev

wget https://nginx.org/download/nginx-1.23.3.tar.gz
tar -xzvf nginx-1.23.3.tar.gz
cd nginx-1.23.3

./configure --prefix=/var/www/html \
    --sbin-path=/usr/sbin/nginx \
    --conf-path=/etc/nginx/nginx.conf \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --with-pcre \
    --lock-path=/var/lock/nginx.lock \
    --pid-path=/var/run/nginx.pid \
    --with-http_ssl_module \
    --with-http_image_filter_module=dynamic \
    --modules-path=/etc/nginx/modules \
    --with-http_v2_module \
    --with-stream=dynamic \
    --with-http_addition_module \
    --with-http_mp4_module

make
make install
```

Nginx TCP transparent proxy

Module ngx_stream_realip_module

IP Transparency and Direct Server Return with NGINX and NGINX Plus as Transparent Proxy

Nginx TCP transparent proxy

Module ngx_http_proxy_module

Syntax: proxy_bind address [transparent] | off;

Makes outgoing connections to a proxied server originate from the specified local IP address with an optional port (1.11.2). Parameter value can contain variables (1.3.12). The special value off (1.3.12) cancels the effect of the proxy_bind directive inherited from the previous configuration level, which allows the system to auto-assign the local IP address and port.

The transparent parameter (1.11.0) allows outgoing connections to a proxied server to originate from a non-local IP address, for example from the real IP address of a client:

```nginx
proxy_bind $remote_addr transparent;
```

For this parameter to work, it is usually necessary to run nginx worker processes with superuser privileges. On Linux this is not required (1.13.8): when the transparent parameter is specified, worker processes inherit the CAP_NET_RAW capability from the master process. It is also necessary to configure the kernel routing table to intercept network traffic from the proxied server.

Configure the kernel routing table to intercept network traffic from the proxied server. This is needed because the upstream answers to the client's IP address (the source nginx spoofed), not to nginx, so its replies have to be pulled back into the proxy host:

```sh
# deliver every packet carrying fwmark 1 locally, via a dedicated routing table
ip route add local 0.0.0.0/0 dev lo table 100
ip rule add fwmark 1 lookup 100
# mark packets coming back from the proxied server (1.2.3.4 in the stream config above)
iptables -t mangle -A PREROUTING -p tcp -s 1.2.3.4 -j MARK --set-xmark 0x1/0xffffffff
```

See also: https://gist.github.com/soheilhy/8b94347ff8336d971ad0

On SELinux systems nginx additionally needs permission to open outbound network connections:

```sh
setsebool -P httpd_can_network_connect 1
```

TCP keepalive

Using TCP keepalive under Linux

The first two parameters are expressed in seconds, and the last is a plain count. With the defaults below, the keepalive routines wait two hours (7200 s) before sending the first keepalive probe, then resend it every 75 seconds; if no ACK response is received for nine consecutive probes, the connection is marked as broken.

```sh
cat /proc/sys/net/ipv4/tcp_keepalive_time
7200
cat /proc/sys/net/ipv4/tcp_keepalive_intvl
75
cat /proc/sys/net/ipv4/tcp_keepalive_probes
9
```

Tighten them (takes effect immediately but does not survive a reboot; put the same keys in a file under /etc/sysctl.d/ to make them persistent):

```sh
sysctl -w \
    net.ipv4.tcp_keepalive_time=600 \
    net.ipv4.tcp_keepalive_intvl=60 \
    net.ipv4.tcp_keepalive_probes=20
```

Configuring nginx reverse proxy to send TCP keep alive packets to server

Module ngx_http_proxy_module

Syntax: proxy_socket_keepalive on | off;
Default: proxy_socket_keepalive off;
Context: http, server, location

Configures the “TCP keepalive” behavior for outgoing connections to a proxied server. By default, the operating system’s settings are in effect for the socket. If the directive is set to the value “on”, the SO_KEEPALIVE socket option is turned on for the socket.

Module ngx_stream_proxy_module

Syntax: proxy_socket_keepalive on | off;
Default: proxy_socket_keepalive off;
Context: stream, server

Configures the “TCP keepalive” behavior for outgoing connections to a proxied server. By default, the operating system’s settings are in effect for the socket. If the directive is set to the value “on”, the SO_KEEPALIVE socket option is turned on for the socket.

Syntax: proxy_timeout timeout;
Default: proxy_timeout 10m;
Context: stream, server

Sets the timeout between two successive read or write operations on client or proxied server connections. If no data is transmitted within this time, the connection is closed.
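An added example (mine, not the page's or nginx's code) of what `proxy_socket_keepalive on` does at the socket level and how the three sysctls above can be overridden per socket: nginx only sets SO_KEEPALIVE, as the docs quoted above say, so the timings come from the system-wide values unless a process sets the per-socket options itself. It assumes Linux, where TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT exist; `dead_peer_detect_secs` gives the worst-case time before a silent peer is noticed (7875 s with the defaults, 1800 s with the tuned values from the page).

```python
import socket

# Assumes Linux: TCP_KEEPIDLE / TCP_KEEPINTVL / TCP_KEEPCNT are the per-socket
# counterparts of net.ipv4.tcp_keepalive_{time,intvl,probes}.

def effective_keepalive(sock):
    """Read back what the kernel will actually use for this socket
    (the sysctl defaults until overridden per socket)."""
    return {
        "enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        "idle": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "intvl": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "probes": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }

def enable_keepalive(sock, idle=600, intvl=60, probes=20):
    """SO_KEEPALIVE is all that proxy_socket_keepalive on turns on; the three
    TCP_* options then override the system-wide values for this socket only."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, intvl)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return effective_keepalive(sock)

def dead_peer_detect_secs(idle, intvl, probes):
    """Worst case from the last data until the kernel declares the peer dead:
    wait `idle`, then `probes` unanswered probes sent `intvl` apart."""
    return idle + intvl * probes

def demo():
    """Return (settings before, settings after) for a fresh, unconnected socket;
    no traffic is sent, so this runs offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        before = effective_keepalive(s)
        after = enable_keepalive(s)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    for label, cfg in (("system default", before), ("tuned", after)):
        print(label, cfg, "-> dead peer noticed after",
              dead_peer_detect_secs(cfg["idle"], cfg["intvl"], cfg["probes"]), "s")
```

Note that proxy_timeout (10m by default) closes an idle session regardless of keepalive; keepalive only tells the kernel that a peer that stopped answering is gone.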

Load Balance UDP Traffic

Load Balancing DNS Traffic with NGINX and NGINX Plus

The `match` and `health_check` directives below are NGINX Plus features; open-source nginx rejects them at configuration test time, so there you drop them and rely on passive failure detection (max_fails/fail_timeout on the upstream servers).

```nginx
stream {
    upstream dns_servers {
        zone dns_mem 64k;
        server 192.168.136.130:53 fail_timeout=60s;
        server 192.168.136.131:53 fail_timeout=60s;
    }

    match dns_lookup {
        send \x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06\x68\x65\x61 ...;
        expect ~* "healthy.svcs.example.com.";
    }

    server {
        listen 53  udp;
        listen 53; #tcp
        health_check match=dns_lookup interval=20 fails=2 passes=2 udp;
        health_check                  interval=20 fails=1 passes=2 port=53; #tcp
        proxy_pass      dns_servers;
        error_log       /var/log/nginx/dns.log debug;
        proxy_responses 1;
        proxy_timeout   1s;
    }
}
```
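An added example (mine, not the page's or NGINX's code) of what the `send`/`expect` pair in `match dns_lookup` actually does: the `send` bytes are a raw DNS query for the name in the `expect` pattern, built here from the name rather than copied from the truncated string above, and the `expect` regex matches the raw reply only because each `.` in it is a wildcard that happens to match a label-length byte on the wire. It also shows the caveat that follows from that: the regex passes any reply that echoes the question, including SERVFAIL, so a stricter RCODE/answer-count check is included. The name healthy.svcs.example.com and the reply are assumed/constructed, not captured.

```python
import re
import struct

HEALTH_NAME = "healthy.svcs.example.com."   # the name the page's expect pattern looks for

def encode_name(name):
    """DNS wire format: each label as <length><bytes>, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=1, qtype=1, qclass=1):
    """12-byte header (id, flags=0, qdcount=1, an/ns/ar=0) + one question (A, IN):
    the payload the health check's `send` directive carries."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def to_nginx_send(payload):
    """Render bytes in the \\xNN form the stream `send` directive accepts."""
    return "".join("\\x%02x" % b for b in payload)

# The page's expect pattern, applied as nginx does: to the raw reply bytes. Each
# '.' is a wildcard, so it matches the label-length bytes (\x04, \x07, \x03, \x00)
# that separate labels on the wire. (A 10-byte label, length 0x0a, would break
# this, because '.' does not match a newline byte.)
EXPECT_RE = re.compile(HEALTH_NAME.encode("ascii"), re.IGNORECASE)

def reply_matches_expect(reply):
    return EXPECT_RE.search(reply) is not None

def reply_is_noerror_answer(reply):
    """Stricter check: QR bit set, RCODE 0 and at least one answer. The expect
    regex alone also passes SERVFAIL/NXDOMAIN, which still echo the question."""
    _txid, flags, _qd, an = struct.unpack("!HHHH", reply[:8])
    return bool(flags & 0x8000) and (flags & 0x000F) == 0 and an >= 1

def constructed_reply(query, rcode=0, addr="192.0.2.10"):
    """Minimal reply echoing the question; rcode 0 adds one A record pointing
    at addr. Constructed for this example, not a capture."""
    txid = struct.unpack("!H", query[:2])[0]
    answers = b""
    if rcode == 0:   # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4
        answers = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) \
            + bytes(int(o) for o in addr.split("."))
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if rcode == 0 else 0, 0, 0)
    return header + query[12:] + answers
```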