Configuring Nginx+Apache for ISPConfig 3 on Debian 11 server

Discussion in 'Installation/Configuration' started by Oazis, Jul 17, 2022.

  1. Oazis

    Oazis Member

    Hello!
    I decided to install the ISPConfig 3.2.8 panel on the Debian 11 server, following this instruction: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/. Our team is working on high-load projects, but today the panel supports only one web server, either Apache or Nginx. We started looking for instructions on how to set up Nginx as a reverse proxy for Apache. Here's what we found; I'd like your assessment:

    1. We transfer the work of the Apache2 web server to port 82
    # nano /etc/apache2/ports.conf
    Change the default Apache port from 80 to 82:
    [...]
    Listen 82
    NameVirtualHost *:82
    [...]

    2. Change port 80 to port 82 of the ISPConfig 3 panel
    # nano /etc/apache2/sites-available/ispconfig.conf
    Change the default port from 80 to 82 as shown below:
    <VirtualHost *:82>

    3. Checking all domains on the Apache2 server
    # ls -l /etc/apache2/sites-enabled/*
    Replace port 80 with 82 in all 100*.vhost files and '000-default':
    # sed -i 's/:80/:82/g' /etc/apache2/sites-enabled/100*.vhost
    # sed -i 's/:80/:82/g' /etc/apache2/sites-enabled/000-defau*
    Before:
    [...]
    <VirtualHost *:80>
    [...]
    After:
    [...]
    <VirtualHost *:82>
    [...]

    4. We make changes to the ISPConfig 3 hosting panel
    Back up the configuration file 'apache2_plugin.inc.php':
    # cp /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php_backup
    Change all 80 ports to 82 in the plugin:
    # sed -i 's/[8][0][)]\;/82);/g' /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php

    Back up the configuration file 'apps_vhost_plugin.inc.php':
    # cp /usr/local/ispconfig/server/plugins-available/apps_vhost_plugin.inc.php /usr/local/ispconfig/server/plugins-available/apps_vhost_plugin.inc.php_backup
    Change all 80 ports to 82 in the plugin:
    # sed -i 's/[=][=][ ][8][0][ ]/== 82 /g' /usr/local/ispconfig/server/plugins-available/apps_vhost_plugin.inc.php
    ATTENTION!!! If you have to update the ISPConfig 3 panel, after the update you will also need to make changes from port 80 to port 82 in the updated files.

    5. Installing the libapache2-mod-rpaf module
    # apt install libapache2-mod-rpaf
    Edit the config file:
    # nano /etc/apache2/mods-enabled/rpaf.conf
    Code:
    <IfModule rpaf_module>
        RPAFenable On
        RPAFsethostname On
        # Replace xxx.xxx.xxx.xxx with the external server IP
        RPAFproxy_ips 127.0.0.1 xxx.xxx.xxx.xxx
        RPAFheader X-Real-IP
    </IfModule>
    
    6. Install Nginx using the following command
    # apt install nginx -y
    Create a 'dhparam' certificate by running the command:
    # openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    # chmod 600 /etc/ssl/certs/dhparam.pem
    Edit the config file:
    Code:
    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    # include /etc/nginx/modules-enabled/*.conf;
    timer_resolution 100ms;
    worker_priority -5;
    worker_rlimit_nofile 8192;
    
    events {
       worker_connections 2048;
       use epoll;
       # multi_accept on;
    }
    
    http {
    
       ##
       # Basic Settings
       ##
    
       sendfile on;
       tcp_nopush on;
       keepalive_timeout  35 45;
       types_hash_max_size 2048;
       tcp_nodelay on;
       server_tokens off;
    
       # server_names_hash_bucket_size 64;
       # server_name_in_redirect off;
    
       include /etc/nginx/mime.types;
       default_type application/octet-stream;
    
       ##
       # SSL Settings
       ##
    
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
       ssl_prefer_server_ciphers on;
       ssl_dhparam /etc/ssl/certs/dhparam.pem;
       ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
       ssl_session_timeout 1d;
       ssl_session_cache shared:SSL:50m;
    #   ssl_stapling on;
    #   ssl_stapling_verify on;
       add_header Strict-Transport-Security max-age=0;
    
    
       ##
       # Logging Settings
       ##
    
       log_format main      '$remote_addr - $remote_user [$time_local] '
                                 '"$request" $status $bytes_sent '
                                 '"$http_referer" "$http_user_agent" '
                                 '"$gzip_ratio" "$request_time"';
    
       access_log /var/log/nginx/access.log main;
       error_log /var/log/nginx/error.log;
       client_max_body_size 16M;
    
       ##
       # Gzip Settings
       ##
    
       gzip on;
       gzip_vary on;
       gzip_proxied any;
       gzip_min_length 1024;
       gzip_disable "MSIE [1-6]\.(?!.*SV1)";
       gzip_comp_level 5;
       gzip_buffers 64 8k;
       gzip_http_version 1.1;
       gzip_types text/plain text/css text/x-js text/xml application/javascript application/x-javascript application/json application/xml application/xml+rss application/vnd.ms-fontobject application/x-font-ttf font/ttf font/opentype;
    
       ##
       # Virtual Host Configs
       ##
    
       include /etc/nginx/conf.d/*.conf;
       include /etc/nginx/sites-enabled/*;
    }
    
    7. Edit the config file '/etc/nginx/sites-enabled/default'
    # nano /etc/nginx/sites-enabled/default
    Code:
    server {
       listen 80 default_server;
       listen [::]:80 default_server;
       server_name  _;
       server_name_in_redirect off;
       resolver 127.0.0.1;
       error_page 404 = @fallback;

       #  All 404 errors are sent for processing Apache2
       location @fallback {
          proxy_pass http://127.0.0.1:82;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
       }

       #  Static content is delivered directly
       location ~* ^.+\.(jpg|jpeg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|docx|xls|xlsx|ppt|pptx|exe|pdf|txt|tar|mid|midi|wav|bmp|rtf|js|swf|flv|mp3)$ {
          root /var/www/$host/web;
          access_log off;
          expires 30d;
       }

       #  HTML
       location ~* ^.+\.(htm|html)$ {
          root /var/www/$host/web;
          #try_files $uri /index.php ;
          access_log off;
          expires 30d;
       }

       #  MAIN LOCATION
       location / {
          root /var/www/$host/web;
          index index.php index.html index.htm;
          access_log off;
          proxy_pass http://127.0.0.1:82;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
       }

       location ~ /\.ht {
          deny all;
       }

       #  PHPMYADMIN
       location /phpmyadmin {
          root /usr/share/;
          index index.php index.html index.htm;
          location ~ ^/phpmyadmin/(.+\.php)$ {
             try_files $uri =404;
             root /usr/share/;
             proxy_pass http://127.0.0.1:82;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
          }
          location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
             root /usr/share/;
          }
       }

       location /phpMyAdmin {
          rewrite ^/* /phpmyadmin last;
       }

       #  WEBMAIL
       location /webmail {
          root /var/www/apps;
          index index.php index.html index.htm;
          proxy_pass http://127.0.0.1:82;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          location ~* ^/webmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
             root /var/www/apps;
          }
       }

       # AWSTATS
       location ^~ /awstats-icon {
          alias /usr/share/awstats/icon/;
          access_log off;
       }
       location ^~ /awstatscss {
          alias /usr/share/doc/awstats/examples/css/;
          access_log off;
       }
       location ^~ /awstatsclasses {
          alias /usr/share/doc/awstats/examples/classes/;
          access_log off;
       }
    }
    
    8. Check Nginx for Syntax Error
    # nginx -t
    9. Restart Apache2 and Nginx services
    # systemctl restart apache2
    # systemctl restart nginx

    p.s.
    The instructions have been checked and everything works!
     
    Last edited: Jul 18, 2022
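
The TLS lines in the posted nginx.conf and the `Listen 82` line in ports.conf can be checked mechanically before a restart. The script below is an added example, not part of the original post or of ISPConfig; the function names, file names and the tightened values are assumptions chosen for the demo, and the sample files are constructed (the posted cipher list is shortened).

```shell
# Added example, not from the thread. Sample file contents are constructed.

# Strip comments so "# Dropping SSLv3" after ssl_protocols is not matched.
active() { sed 's/#.*$//' "$1"; }

# audit_nginx FILE: print one finding per line; no output means no finding.
audit_nginx() {
    active "$1" | grep -E '^[[:space:]]*ssl_protocols' \
        | grep -Eq 'SSLv3|TLSv1(\.1)?([[:space:]]|;)' && echo legacy-protocol
    # max-age=0 tells browsers to drop any stored HSTS policy for the host.
    active "$1" | grep 'Strict-Transport-Security' \
        | grep -Eq 'max-age=0([^0-9]|$)' && echo hsts-disabled
    # Split the cipher string; entries starting with '!' are exclusions.
    active "$1" | grep -E '^[[:space:]]*ssl_ciphers' | tr -d "\"';" \
        | tr ': ' '\n\n' | grep -v '^!' \
        | grep -Eq '(^|-)(DES-CBC3|3DES|RC4)' && echo weak-cipher
    return 0
}

# audit_apache_ports FILE PORT: flag a backend port bound on every interface.
audit_apache_ports() {
    active "$1" | grep -Eq \
        "^[[:space:]]*Listen[[:space:]]+((\*|0\.0\.0\.0|\[::\]):)?$2([[:space:]]|\$)" \
        && echo backend-on-all-interfaces
    return 0
}

# write_samples DIR: constructed files with the posted and tightened settings.
write_samples() {
    cat > "$1/posted.conf" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4';
add_header Strict-Transport-Security max-age=0;
EOF
    cat > "$1/tightened.conf" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
add_header Strict-Transport-Security "max-age=31536000" always;
EOF
    printf 'Listen 82\nListen 443\n' > "$1/ports_posted.conf"
    printf 'Listen 127.0.0.1:82\nListen 443\n' > "$1/ports_local.conf"
}

demo=$(mktemp -d) && write_samples "$demo"
audit_nginx "$demo/posted.conf"
audit_apache_ports "$demo/ports_posted.conf" 82
audit_nginx "$demo/tightened.conf"
audit_apache_ports "$demo/ports_local.conf" 82
rm -rf "$demo"
```

On a real host the same functions can be pointed at /etc/nginx/nginx.conf and /etc/apache2/ports.conf.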
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Then you should use a pure Nginx setup as a web server as used by ISPConfig and not Apache plus Nginx. A pure Nginx setup is faster and is able to handle high loads better than your setup; that's why ISPConfig is using it instead of the setup that you manually configured now.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Or you can have two servers, one of which is using nginx as a reverse proxy server to the other apache2 server.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    As a general note: do not change the source code of ISPConfig for such a modified setup, as it's not update-safe. Instead, change the config file templates for the ISPConfig Apache vhost and Nginx vhost and place your modified config files into the server/conf-custom folder; this way you get a setup that can be updated without problems.
     
  5. Oazis

    Oazis Member

    As you can see, only two configuration files change in '/usr/local/ispconfig/server/plugins-available/' while making backups of these files. Other settings are related to web servers Apache2 and Nginx.
    I wonder why you say that pure Nginx works faster than in conjunction with Apache?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    These are not configuration files, this is the source code of ISPConfig. Configuration file templates are in /usr/local/ispconfig/server/conf/ folder.

    Because we tested that before we decided which setups to use in ISPConfig for high-performance setups. But you can also narrow it down logically without testing: an incoming request is first handled by Nginx and then passed to Apache, as Nginx works just as a reverse proxy. Yes, Nginx might cache some requests, but others have to be handed over to Apache and therefore need to be processed twice; this uses more resources and is slower than having everything processed by Nginx directly. An Apache + Nginx setup is typically not used because it's faster than a pure Nginx setup; it is just used because users or administrators who are not familiar with setting up Nginx prefer to use Apache with its .htaccess functionality, as most CMS ship with a ready-made .htaccess file, and then, to boost Apache's performance a bit, they add Nginx as a proxy in front to speed up delivery of static resources a bit.
     
  7. Oazis

    Oazis Member

    That's right, that's the point of increasing server performance. Can you tell me how Nginx can handle dynamic content? This is possible only with a bundle of Nginx + PHP-FPM. When installing ISPConfig 3 with the Nginx web server, is this bundle set up?
     
    Last edited: Jul 17, 2022
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Just install ISPConfig with Nginx; ISPConfig and the ISPConfig auto installer take care of all the configuration of Nginx plus PHP-FPM. So you can run any PHP-based CMS like WordPress, Joomla, Typo3, Contao etc. on such a setup.
     
  9. Oazis

    Oazis Member

    Is there a configuration manual for ISPConfig 3?
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    There is, yes. It is on the ISPConfig website, on the Documentation page.
     
  11. Oazis

    Oazis Member

    AWESOME & Thank you!
     
    Last edited: Jul 17, 2022
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The ISPConfig manual explains the various settings in ISPConfig. It is not a guide on how to set up an Nginx reverse proxy in front of Apache.
     
  13. Oazis

    Oazis Member

    What prevents creating a manual for setting up an Nginx reverse proxy in front of Apache? I think this information will be in demand, as well as the ISPConfig platform. Please help me write a correct manual without errors.
     
    Last edited: Jul 17, 2022
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You can already write it on your own, and the above is basically the main point that you need to start with, but it will be quite hard to figure out the other things to do to run both nginx and apache2 on one server managed by just ISPConfig.

    Another choice is to use NPM (Nginx Proxy Manager) to manage nginx and ISPConfig to manage apache2 on one server, but the best is still to use either nginx or apache2 as a single standalone server, as already advised above. Or use two separate servers, one nginx and one apache2, and both can be managed by ISPConfig.

    For what to write in the nginx directives via the ISPConfig UI to make it work, there are several discussions that you can search for in this forum. E.g. on opening ISPConfig without port 8080, like in: https://forum.howtoforge.com/thread...-without-specifying-a-port.87743/#post-428249 or e.g. a single nginx in front of multiple other servers in: https://forum.howtoforge.com/threads/nginx-reverse-proxy-with-multiple-servers.83617/#post-400709 or https://forum.howtoforge.com/thread...-as-a-reverse-proxy-for-http-s-and-ssh.82918/ etc.

    Googling "site:forum.howtoforge.com nginx proxy" should lead to several of them.

    You don't need the nginx directives if you use NPM, obviously, which manages the proxy via its own website and is very user friendly.
     
  15. Oazis

    Oazis Member

    Thank you very much for the information!
     
  16. Oazis

    Oazis Member

  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Because we don't recommend such a setup, as we already have instructions for a better scaling setup implemented and available in ISPConfig. See:

    https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/

    The command to get that fast Nginx setup is:

    Code:
    wget -O - https://get.ispconfig.org | sh -s -- --use-nginx --use-ftp-ports=40110-40210 --unattended-upgrades
    I know that many hosting panels lack real Nginx support and therefore implement a proxy as a workaround and praise it as the holy grail due to the inability to configure a faster setup, but we have real Nginx support built into ISPConfig and therefore a proxy setup does not make much sense on an ISPConfig system, especially if you want to get a high-performance setup as you said in your first post.
     
    Th0m likes this.
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    And maybe one note on your setup from the first post: I'm not sure if you recognized that the setup that you built there is using Nginx for HTTP connections only; any HTTPS request is handled by Apache. As almost any website today uses HTTPS, your proxy would handle nearly no requests; all HTTPS requests would be purely handled by Apache. To handle HTTPS requests, you would have to create an Nginx config file for each website and configure SSL in that file, which then would mean writing an ISPConfig plugin to create the SSL cert and configure Nginx per site. But this can all be circumvented by using the faster pure Nginx setup that I recommended to you.
     
  19. Oazis

    Oazis Member

    Thanks Tim, I will take your advice.
     
  20. Oazis

    Oazis Member

    Dear Till, I set up a server on Nginx according to the recommendation, but a few questions appeared:
    1. Does phpMyAdmin need to be configured separately?
    2. How do I set up work with .htaccess?
    3. If you need to install an 'Afterlogic' mail server in Nginx, do you need to specify a proxy?
     
    Last edited: Jul 20, 2022
