Installing Niginx is very easy and straight forward with yum on CentOS. But I found it stopped to work last night. My installation script aborted with an error saying that it could not find libunwind package, which turns out no longer in the EPEL7 after a upgrade a couple of days ago.
Everything works well until some big changes got in – it stopped working sometimes and the pattern is not quite consistent. Initially I thought it was because of long time processing at the server side.
If you’ve followed my blog, you’ve read several articles on Nginx. This is the last article of the series, and also an interesting one. While troubleshooting a system I helped to build, I found a very challenging problem that I think is worthwhile to share. The system consists of a client and a server, between which is a Nginx server as reversed proxy. This is a typical setting for flexibility and control. Somehow, the client got disconnected pretty consistently but the back end work went through successfully. It’s really a false alarm but not good for a product.
In a recent project using Nginx as reversed proxy server, I got into an interesting problem: how can the server behind the Nginx tell whether a HTTP request comes from remote host or local host? If I just look at the IP header of the request, they are all local because the reversed-proxied packets from remote seems to be sent from local as well. So I cannot really tell the source of a HTTP request.
In some use cases, you want to protect different parts of a Web application with different approaches. For example, the admin related resources normally require stronger mechanism than the user related ones. The following I will show how to use Nginx with client side certificate for the resources under /admin namespace for admins, and user/name for normal users.
Generating Certificates and Keys
As I introduced in last article, Nginx is a lightweight Web and reversed proxy server that is gaining momentum. If you have URLs to be accessed only by authenticated users, you can have many options. In this article, I just introduce a very easy way for the Nginx to leverage the PAM (Pluggable Authentication Module) for user authentication. We will use OS user for authentication (there are many more methods supported by PAM). If you have a valid user with the Linux on which Nginx runs, your request will pass through; otherwise, it would be blocked.
Nginx (pronounced as ‘engine x’) is a light-weight HTTP/reverse proxy/mail proxy server written by Igor Sysoe. It is flexible, lightweight compared, and high-performant with Apache. The official nginx site is here. The beginner guide is a very good starting point. The following is based on my hands-on experience with Nginx. If you have similar requirement, you can copy over the scripts and configuration for your environment.
Installing and running Nginx