6

I have a Debian 6 32-bit Linode where I’m trying to run EE2.5.5 in Apache2 on port 8080 behind nginx0.7. The idea is to serve PHP code from Apache, and everything else from nginx. (Based on http://hybridlogic.co.uk/2011/07/setting-up-nginx-in-front-of-apache2-on-ubuntu-server/)

The outputs below (sitename replaced by “website”) show more or less what has been configured. So far image uploading and editing works with the settings:

Server Path to Upload Directory: /srv/www/website/static_content/
URL of Upload Directory: http://www.website/

Any feedback on the security, viability and any hidden gotchas with this setup? I disabled the built-in Rich Text Editor because it tried to directly open static files that I had moved out of the PHP tree.

Thanks!

root@phoenix:/var/www/website# ls
logs php_content static_content
root@phoenix:/var/www/website# ls static_content/
images themes system
root@phoenix:/var/www/website# ls php_content/
admin.php index.php setperm.sh system themes
root@phoenix:/var/www/website# cat /etc/nginx/sites-available/website
server {
      listen 80;
      access_log /srv/www/website/logs/nginx.access.log;
      error_log /srv/www/website/logs/nginx.error.log;
      root /srv/www/website/static_content;
      index index.php index.html;
      server_name website;
      rewrite ^/$ http://www.website/index.php;
      location \ {
          try_files $uri $uri/ index.php/$uri;
      }
      location ~* ^.*\.php\b {
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $host;
          proxy_pass http://127.0.0.1:8080;
      }
      location ~ /\.(ht|git) {
          deny all;
      }
}
root@phoenix:/var/www/website# cat /etc/apache2/sites-available/website
<VirtualHost *:8080>
    ServerAdmin webmaster@website
    ServerName website
    ServerAlias http://www.website
    DocumentRoot /srv/www/website/php_content/
    ErrorLog /srv/www/website/logs/error.log
    CustomLog /srv/www/website/logs/access.log combined
</VirtualHost>
root@phoenix:/var/www/website#
Improve this question
1
  • Just out of curiosity why not try Nginx with php-fpm? I was a bit hesitant to make the jump a year or two ago, but the performance gains we experienced made it a no-brainer. There are still some situations in which we have to use Nginx as a reverse proxy to Apache, but in that case Apache is only accessible via that proxy so can't really speak for security issues. Commented Feb 25, 2013 at 21:36

2 Answers 2

Reset to default
3

We have run exactly this setup for the past 3 years without issue. You shouldn't have any particular problems, security or otherwise.

The only issue is the added complexity - we do it because we use nginx to terminate all inbound http connections (mainly SSL on a wildcard certificate) and then proxy them out to either Apache on the same server or multiple other servers running whatever, nginx also dabbles in a bit of caching. So I would argue we have a good reason for this setup.

I'd argue that serving static files from nginx and dynamic from Apache for performance reasons adds virtually nothing to the overall performance of the site; sure nginx is faster, but it's not that much faster. I'd suggest you either server the whole thing out of nginx using FastCGI or ditching nginx and as has been suggested use Varnish - see http://www.kevincupp.com/2011/05/22/marking-ee-sites-fly-with-varnish.html for an excellent guide.

Improve this answer
3

I haven't tested any of these yet. I collected them, when preparing for a potential project on Nginx, but the project fell through. But here are the links:

Really, the only one that references security issues is the one Greg Aker pointed me to, which is the Nginx & PHP via FastCGI Important Security Issues on Clement Nedelcu's Journal. He mentions a few issues with the default set-up of Nginx, so the issues would be pretty much universal and effect EE on Nginx, as well. Since the security issues would be more directly related to Nginx or PHP, you may also want to look at: Top 20 Nginx WebServer Best Security Practices.

Sorry, that I can't offer any direct experience.

Improve this answer
3
  • Thanks for the links. Definitely some helpful information there. I'm guessing very few people run this kind of setup since I get few answers. I find this puzzling since I'm sure other people run EE on VPS where memory usage can be a problem as traffic rises. Commented Feb 25, 2013 at 5:47
  • Perhaps the answer will be to ditch nginx and use Squid or Varnish in front of Apache, so that there's no need to split the EE install among two web servers. Commented Feb 25, 2013 at 5:48
  • 1
    I'd say the number of responses is more indicative of the type of developers responding to questions, not what other developers are doing. Is Nginx popular in the ExpressionEngine community? I'd say, no, but it's used. But a lot of developers aren't configuring their own web servers. I've heard of Nginx with Varnish configurations, but what detail is available is based on what people write-up and not everyone has the time, patience, energy, or willingness to share. Commented Feb 25, 2013 at 11:05

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.