Bits and pieces

by Stefano Fratini

common sense developer


Nginx by examples: naxsi WAF

Naxsi is an open source WAF module developed by NBS System and released under GPL v3

In the past a nginx-naxsi package was available from the official Ubuntu repositories. Unfortunately that package is no longer maintained, so we now have to rebuild Nginx from source to use Naxsi.

 System setup

Let’s start with a fresh Ubuntu 14.04.x system

# build dependencies for nginx: a C compiler, PCRE (regex locations / rewrites),
# zlib (the gzip module is built by default) and the OpenSSL headers
sudo apt-get install build-essential libpcre3 libpcre3-dev zlib1g-dev libssl-dev unzip make -y

cd /tmp

# we download Nginx
wget http://nginx.org/download/nginx-1.8.1.tar.gz

# we download the latest Naxsi source code
# (master is an unpinned moving target: for anything production-like pin a
# tagged release and check what you downloaded before compiling it into nginx)
wget https://github.com/nbs-system/naxsi/archive/master.zip

tar xvzf nginx-1.8.1.tar.gz
unzip master.zip
cd nginx-1.8.1/

Now we need to build Nginx with the Naxsi WAF module we just downloaded.

# a standard configure block where we disable 
# some normally unused nginx modules (POP3 / IMAP / SMTP etc)
./configure

Continue reading →
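Building the module in is only half of the job: Naxsi does nothing until it is enabled per location. The configuration below is an added example, not part of the original post or of the Naxsi project's documentation. It assumes nginx was built with `--add-module=../naxsi-master/naxsi_src`, that `naxsi_core.rules` from the Naxsi source tree was copied to `/etc/nginx/`, and that the backend listens on 127.0.0.1:8080; the whitelist for rule 1000 on a `q` parameter is a hypothetical false positive used to show the syntax.

```nginx
http {
    # the core rules: generic signatures that add to the $SQL, $XSS, $RFI,
    # $TRAVERSAL and $EVADE scores of a request (must be included at http level)
    include /etc/nginx/naxsi_core.rules;

    server {
        listen 80;
        server_name mydomain.com;

        location / {
            # turn the WAF on for this location
            SecRulesEnabled;
            # while tuning: log what would be blocked, but block nothing
            #LearningMode;

            # a blocked request is internally redirected here
            DeniedUrl "/RequestDenied";

            # score thresholds; a request crossing any one of them is blocked
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # hypothetical whitelist: core rule 1000 (SQL keywords) fires on
            # legitimate search terms in the "q" query argument, so ignore it there
            BasicRule wl:1000 "mz:$ARGS_VAR:q";

            proxy_pass http://127.0.0.1:8080;
        }

        # internal only: cannot be requested directly by a client
        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

Run with `LearningMode` first and watch the error log: every match is logged as a `NAXSI_FMT` line with the rule id and the matched zone, which is exactly what you need to write `BasicRule wl:` whitelists before switching to blocking mode.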


Nginx by examples: DOS protection

If your web server is directly exposed to internet traffic it is always a good idea to have some sort of Denial of Service protection enabled.

Nginx alone cannot protect you from volumetric or distributed (DDoS) attacks, which need upstream filtering or a CDN, but that is no reason not to have some basic protection in place, and it is very easy to set up.

 Connection Limiting

Capping the number of connections from a single IP is a sensible precaution and the first line of defence against trivial DOS attacks (i.e. a simple script flooding our backend from one server with one IP).

# the variable is $binary_remote_addr (the packed form of the client IP);
# the zone name used by limit_conn must match the one declared here
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn addr 1000;

This simple snippet enforces that there can be max 1000 connections per IP at any time.

10 MB (10m) of shared memory is enough for roughly 160k client IP states (each entry is 64 bytes on 64-bit platforms); once the zone is full, requests that cannot be tracked get a 503.

The 1000 limit can be tweaked and lowered if necessary always considering that our

Continue reading →
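Connection limiting alone does not stop a single IP opening one connection and hammering it with requests, so in practice it is paired with request-rate limiting. The following is an added example, not configuration from the original post: it combines both, tightens the slow-client timeouts, and shows the load-balancer caveat. The backend address, the `/login` path and the 10.0.0.0/8 proxy range are assumptions.

```nginx
http {
    # one 64-byte state per client IP; 10 MB holds roughly 160k addresses
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    # per-IP request rate for the API, and a much stricter one for login
    limit_req_zone  $binary_remote_addr zone=api:10m   rate=10r/s;
    limit_req_zone  $binary_remote_addr zone=login:10m rate=1r/s;

    # answer 429 instead of the default 503 so throttling is distinguishable
    # from a backend outage in logs and monitoring
    limit_conn_status 429;
    limit_req_status  429;
    limit_req_log_level warn;

    # slow-client protection: do not let a connection hold a worker slot
    # while dribbling headers or a body one byte at a time
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    client_max_body_size  1m;

    server {
        listen 80;
        server_name mydomain.com;

        # CAVEAT: behind a load balancer or CDN, $binary_remote_addr is the
        # proxy's address and every client shares one bucket. Recover the real
        # client IP from X-Forwarded-For, but trust that header ONLY from the
        # proxy range (assumed 10.0.0.0/8); requires the ngx_http_realip_module.
        #set_real_ip_from 10.0.0.0/8;
        #real_ip_header X-Forwarded-For;

        location /api {
            limit_conn addr 50;
            # allow a burst of 20 requests above the rate; with nodelay the burst
            # is served immediately instead of being queued, excess is rejected
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://127.0.0.1:8080;
        }

        location /login {
            # an endpoint worth brute forcing gets its own, slower bucket;
            # without nodelay excess requests are queued (delayed), not dropped
            limit_req zone=login burst=5;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

The two limits fail in different ways: `limit_conn` caps concurrency, `limit_req` caps throughput. A client that exceeds `burst` gets an immediate 429, which is exactly what you want for a login form and usually wrong for an API consumer that retries politely, hence the `nodelay` on one and not the other.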


Nginx by examples: Caching

Nginx offers very efficient caching support out of the box, where

  • the cache index (keys and metadata) lives in a shared memory zone
  • the cached responses themselves are files on the filesystem.

As usual the setup is fairly trivial:

http {

    # proxy_cache_path is only valid at the http level: placing it
    # inside server {} makes nginx refuse the configuration
    proxy_cache_path /tmp/nginx-cache levels=1:2 
      keys_zone=api_cache:10m max_size=10g inactive=60m;

    server {
        ...

        location /api {

            proxy_cache api_cache;

            # we allow only 1 req per URI to hit origin 
            # in case of a cache miss
            proxy_cache_lock on;

            # we add the X-Proxy-Cache header to our response to the client
            add_header X-Proxy-Cache $upstream_cache_status; 

            ...
            proxy_pass http://127.0.0.1:8080;

        }
    }
}

In this example

  • we set up one cache zone called api_cache
  • with a 10 MB key zone (about 8k keys per megabyte, so roughly 80k entries) and a 10 GB on-disk cache
  • in the /tmp/nginx-cache folder with a 2 level directory hierarchy
  • where cached data is purged every

Continue reading →
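A cache in front of an API is also where responses meant for one user end up served to another if the key and the bypass rules are sloppy. The configuration below is an added example, not from the original post: it keeps the zone from above and adds an explicit cache key, a bypass for authenticated requests, and stale-while-error behaviour. The `/var/cache/nginx` path, the `session` cookie name and the backend address are assumptions.

```nginx
http {
    # http level only; use_temp_path=off writes files straight into the cache dir
    # (assumed path, must be writable by the worker user)
    proxy_cache_path /var/cache/nginx/api levels=1:2
        keys_zone=api_cache:10m max_size=10g inactive=60m use_temp_path=off;

    server {
        listen 80;
        server_name mydomain.com;

        location /api {
            proxy_cache api_cache;

            # key on everything the response can depend on; leaving $host or the
            # method out lets a response for one vhost/method be served for another
            proxy_cache_key "$scheme$request_method$host$request_uri";

            # authenticated requests neither read from nor populate the cache
            # (bypass = skip lookup, no_cache = do not store); a personalised
            # response cached under a shared key is the classic leak
            proxy_cache_bypass $http_authorization $cookie_session;
            proxy_no_cache     $http_authorization $cookie_session;

            # cache only what the backend says is fine: nginx honours
            # Cache-Control/Expires from upstream first; these are the fallbacks
            proxy_cache_valid 200 10m;
            proxy_cache_valid 404 1m;

            # during backend trouble serve the stale copy rather than an error,
            # and let one request refresh it while the others get stale
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
            proxy_cache_lock on;

            add_header X-Proxy-Cache $upstream_cache_status;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Note that nginx already refuses to cache a response carrying `Set-Cookie` unless you tell it to ignore that header with `proxy_ignore_headers`; if you ever add that directive to make more things cacheable, the bypass/no_cache pair above is what stands between you and serving one user's session to the next.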


Nginx by examples: HTTPS

Setting up SSL/TLS on Nginx is straightforward. A typical setup looks like this:

server {

  root /var/www/mydomain.com/web/;
  index index.php;

  server_name mydomain.com;

  # we enable SSL
  listen 443 ssl;
  ssl_certificate /home/ubuntu/ssl/mydomain.com.chained.crt;
  ssl_certificate_key /home/ubuntu/ssl/mydomain.com.key;

  # TLS only: SSLv3 is broken (POODLE) and must not be enabled
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # Nginx's default cipher list: strong ciphers,
  # no anonymous key exchange, no MD5
  ssl_ciphers  HIGH:!aNULL:!MD5;

  # we cache the ssl session parameters 
  # to reduce the CPU load on the web server
  ssl_session_cache   shared:SSL:10m;
  ssl_session_timeout 10m;

  # we increase the keep alive timeout
  # to improve socket reuse and reduce
  # the need for SSL handshakes
  keepalive_timeout 70;

  access_log /var/www/mydomain.com/log/mydomain.com.access;
  error_log

Continue reading →
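The block above gets you a working listener; it does not yet pin the server's cipher order, stop the plaintext port from serving content, or tell browsers to stay on HTTPS. The configuration below is an added example, not from the original post, showing the hardened version. It assumes a `resolver` at 127.0.0.1 for OCSP lookups and a CA bundle at `/home/ubuntu/ssl/ca-chain.crt` (intermediate plus root); the certificate paths are the ones from the post.

```nginx
server {
    # plain HTTP does nothing but redirect
    listen 80;
    server_name mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mydomain.com;
    root /var/www/mydomain.com/web/;

    ssl_certificate     /home/ubuntu/ssl/mydomain.com.chained.crt;
    ssl_certificate_key /home/ubuntu/ssl/mydomain.com.key;

    # SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated; add TLSv1.3
    # once nginx >= 1.13 is linked against OpenSSL 1.1.1
    ssl_protocols TLSv1.2;

    # the server, not the client, decides the cipher order
    ssl_prefer_server_ciphers on;
    # ECDHE only (forward secrecy), AEAD only; OpenSSL ignores names it does
    # not know (CHACHA20 on 1.0.1), so this list also works on Ubuntu 14.04
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

    # session cache for resumption; tickets are off because nginx never rotates
    # the ticket key, which quietly breaks forward secrecy for the lifetime of the process
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches the OCSP response and verifies it against
    # the CA chain so clients do not have to contact the CA (assumed paths)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/ubuntu/ssl/ca-chain.crt;
    resolver 127.0.0.1 valid=300s;

    # HSTS: browsers refuse plain HTTP for a year; "always" also sends it on
    # error responses. Only enable includeSubDomains once every subdomain is HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    keepalive_timeout 70;

    access_log /var/www/mydomain.com/log/mydomain.com.access;
    error_log  /var/www/mydomain.com/log/mydomain.com.error error;
}
```

Check the result with `openssl s_client -connect mydomain.com:443 -status` (the stapled OCSP response appears near the top of the output) and with `openssl s_client -connect mydomain.com:443 -ssl3`, which must fail to negotiate.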


Nginx by examples: PHP setup

When setting up PHP with Nginx we are effectively still using Nginx as a reverse proxy, this time in front of a FastCGI server: the fastcgi_pass directive is the FastCGI counterpart of proxy_pass.

There are plenty of blog posts and examples online that show how to set up PHP behind Nginx, but most of them don't really explain why the suggested setup works :)

Let’s start with a simple configuration:

server {

  root /var/www/mydomain.com/web/;
  index index.php;

  server_name mydomain.com;

  access_log /var/www/mydomain.com/log/mydomain.com.access;
  error_log /var/www/mydomain.com/log/mydomain.com.error error;

  location / {

    # we serve a file if it's there, 
    # otherwise we rewrite internally as a request to /index.php
    try_files $uri /index.php?$args;
  }

  # regex matching: anything ending with .php
  location ~ \.php$ {

    # allows for requests to

Continue reading →
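The `location ~ \.php$` block is where most PHP-behind-nginx deployments go wrong: a regex location hands anything that ends in `.php` to php-fpm whether or not the file exists, and with PHP's default `cgi.fix_pathinfo=1` a request for `/uploads/avatar.jpg/x.php` makes php-fpm walk back to `avatar.jpg` and execute it. The configuration below is an added example, not from the original post, completing the server block with that check in place. The php-fpm socket path (php5-fpm on Ubuntu 14.04) and the `/uploads` directory are assumptions.

```nginx
server {

  root /var/www/mydomain.com/web/;
  index index.php;

  server_name mydomain.com;

  access_log /var/www/mydomain.com/log/mydomain.com.access;
  error_log  /var/www/mydomain.com/log/mydomain.com.error error;

  location / {
    # serve the file if it exists, otherwise route to the front controller
    try_files $uri /index.php?$args;
  }

  # regex locations are matched in order, first match wins, so the deny
  # rules must come before the generic .php handler

  # never serve dotfiles (.git, .htaccess, .env, ...)
  location ~ /\. {
    deny all;
  }

  # user uploads are data, not code: no PHP execution under /uploads (assumed path)
  location ~* ^/uploads/.*\.php$ {
    deny all;
  }

  location ~ \.php$ {
    # the script must exist on disk; this is the guard against the
    # /image.jpg/x.php trick described above
    try_files $uri =404;

    # split "/index.php/extra/path" into the script and PATH_INFO
    fastcgi_split_path_info ^(.+\.php)(/.+)$;

    # assumed php-fpm socket (Ubuntu 14.04 php5-fpm default)
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;

    # httpoxy: a client-supplied "Proxy:" header would otherwise become
    # HTTP_PROXY in PHP's environment and redirect its outbound HTTP calls
    fastcgi_param HTTP_PROXY "";
  }
}
```

One trade-off to know about: `try_files $uri =404;` also rejects PATH_INFO-style URLs such as `/index.php/foo`, because `$uri` is then not a file. Applications that need those should instead test `$fastcgi_script_name` after the split, and copy `$fastcgi_path_info` into a variable first, since `try_files` resets it.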


Nginx by examples: reverse proxy

Nginx is designed as a web server and reverse proxy, and it adds a lot of value when placed in front of your applications:

  • HTTPS termination
  • HTTP/2 termination
  • WAF protection
  • DOS protection
  • Caching
  • Basic/Digest Authentication

Let's see how to set up a basic Java API webapp behind Nginx

server {

    # custom virtual host root folder
    root /var/www/mydomain.com/web/;

    # index file (when a folder URI is matched)
    index index.html;

    # server name (for virtual host resolution)
    server_name mydomain.com www.mydomain.com;

    # custom access and error log
    access_log /var/www/mydomain.com/log/mydomain.com.access;
    error_log /var/www/mydomain.com/log/mydomain.com.error error;

    # the default catchall block
    location / {
        # this will return a 403 http error code
        deny all;
    }

    # we serve a static welcome page, if present, on a / request

Continue reading →
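The part that decides whether the backend can trust what it receives is the set of headers nginx forwards. The configuration below is an added example, not from the original post: it completes the virtual host with a proxied `/api/` location, the forwarded-for headers, and a basic-auth gate on an admin path. The `upstream` name, the `/api/admin/` path and the `/etc/nginx/htpasswd` file are assumptions.

```nginx
# upstream lives at http level, outside server {}
upstream api_backend {
    server 127.0.0.1:8080;
    # keep a pool of idle connections to the backend open
    keepalive 16;
}

server {
    listen 80;
    server_name mydomain.com www.mydomain.com;

    root /var/www/mydomain.com/web/;
    index index.html;

    access_log /var/www/mydomain.com/log/mydomain.com.access;
    error_log  /var/www/mydomain.com/log/mydomain.com.error error;

    # do not advertise the nginx version; strip what the backend leaks about itself
    server_tokens off;
    proxy_hide_header X-Powered-By;

    # headers set here are inherited by every location that sets none of its own:
    # the backend sees the original Host, the client IP, and whether it was HTTPS
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # HTTP/1.1 with an empty Connection header is required for upstream keepalive
    proxy_http_version 1.1;
    proxy_set_header Connection "";

    proxy_connect_timeout 5s;
    proxy_read_timeout    30s;

    # the default catch-all: anything not matched below is refused (403)
    location / {
        deny all;
    }

    # exactly "/" serves the static welcome page if it exists
    location = / {
        try_files /index.html =404;
    }

    location /api/ {
        proxy_pass http://api_backend;
    }

    # admin endpoints sit behind basic auth; credentials travel in the clear,
    # so in practice this belongs only in the 443 server block
    location /api/admin/ {
        auth_basic "restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
        proxy_pass http://api_backend;
    }
}
```

Two things worth knowing here. `$proxy_add_x_forwarded_for` appends the client address to whatever `X-Forwarded-For` the client already sent, so the backend must read the last entry, not the first; a spoofed first entry is free for an attacker to set. And `proxy_set_header` is inherited only into locations that declare none of their own, which is why all of them sit at server level rather than being repeated per location.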


Nginx by examples: the basics

Nginx is a very popular HTTP server and reverse proxy and can be used in a multitude of situations. Knowing how to configure it can literally save your day!

 Getting Started

To start with let’s install the latest version of Nginx from the official Nginx PPA (under Ubuntu)

sudo -s
add-apt-repository ppa:nginx/stable
apt-get update
apt-get install nginx

 Basic conf

Once it’s installed, Nginx comes with the following configuration (that I’ve slightly tweaked):

# runs worker processes nginx as www-data
user www-data;
# sets the number of worker processes to the number of cores as automatically identified by nginx at startup
worker_processes auto;
pid /run/nginx.pid;

events {
    # the maximum number of simultaneous connections each worker can open,
    # counting both client connections and connections to upstreams
    worker_connections 768;
}

http {
    # nginx core optimizations to serve files efficiently
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

Continue reading →
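The stock file is tuned for throughput, not for being the first thing an attacker meets. The configuration below is an added example, not from the original post: it keeps the defaults shown above and adds the handful of global settings that should be present before any virtual host is. The `sites-enabled` include and the `worker_rlimit_nofile` value are assumptions.

```nginx
# runs worker processes as www-data
user www-data;
# one worker per core, as detected by nginx at startup
worker_processes auto;
pid /run/nginx.pid;
# each connection needs a file descriptor, and a proxied one needs two;
# raise the per-process limit above worker_connections (assumed value)
worker_rlimit_nofile 4096;

events {
    # concurrent connections per worker (clients plus upstreams)
    worker_connections 768;
}

http {
    # nginx core optimizations to serve files efficiently
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # drop the version from the Server header and from error pages
    server_tokens off;

    # bound what a single client can make a worker hold on to
    client_max_body_size  1m;
    client_header_timeout 10s;
    client_body_timeout   10s;
    keepalive_timeout     65;

    # catch-all for requests whose Host matches no server_name: without a
    # default_server nginx silently routes them to the first vhost in the file.
    # 444 closes the connection without sending a response.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    # assumed layout: one file per virtual host
    include /etc/nginx/sites-enabled/*;
}
```

Verify the catch-all with `curl -H 'Host: nonexistent.example' http://<server-ip>/`: curl should report an empty reply rather than the content of one of your sites.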


Redis x86 builds for Windows


 Update 5 Feb 2016

  • I’ve added the latest 2.8.x version from the ms opentech git repo
  • Added build instructions for the adventurous

 Update 4 Feb 2016

I’ve recompiled the same version of redis targeting WinXP as the minimum supported version. By default the MS guys had setup the VC2013 project to target Vista/7 and up.

The download links are in the table at the bottom of this post

 Redis and Windows

Redis has always been a POSIX-only project, as the background snapshotting mechanism relies on the fork() call, which Windows does not provide.

About a year ago the Microsoft Open Source Group decided to port Redis to Windows and maintain the port over time

Unfortunately they soon decided to drop support for 32 bit systems. I’m really not sure why they did that as there are so many 32 bit versions of Windows still out there.

I recently was asked to work on a project that would need

Continue reading →


Premature optimization

Programmers waste enormous amounts of time thinking about, or worrying about, the speed of noncritical parts of their programs, and these attempts at efficiency actually have a strong negative impact when debugging and maintenance are considered. We should forget about small efficiencies, say about 97% of the time: premature optimization is the root of all evil. Yet we should not pass up our opportunities in that critical 3%


I don’t usually agree with this statement. It’s an old product of a past era where developers were greatly limited by the CPU and memory resources available.

We’ve now gone to the other end of the spectrum and nowadays some frameworks and patterns are way too abstract and disconnected from the underlying technological boundaries.

I’ve seen quite a few projects where the state of the art software engineering practices of Object Oriented Encapsulation &

Continue reading →


Free programming books

A very nice collection of free programming books hosted on Github

Highly recommended!

See the list here

Continue reading →