An easier solution (to my original purpose: isolate OM from direct access) which seems to be working is tunneling with iptables IP forwarding and DNAT on a basic VPS.
So far "self tests" showed no issues.

Regards,
Bogdan

"Varga Balázs" <[email protected]> wrote:

> Try this, not a full config file....:
>
> /etc/nginx/nginx.conf
> # unprivileged service account the worker processes run as
> user www-service www-service;
> # one worker process per CPU
> worker_processes 4;
> worker_rlimit_nofile 1024;
> events {
>     worker_connections 1024;
> }
>
>
> http {
>     include mime.types;
>     default_type application/octet-stream;
>
>     log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_range" "$sent_http_content_range" "$http_x_forwarded_for"';
>
>     index index.html index.htm index.php;
>
>     access_log /var/log/nginx/access.log main;
>     error_log /var/log/error.log;
>     ## General Options
>     ignore_invalid_headers on;
>     keepalive_requests 2000;
>     recursive_error_pages on;
>     server_name_in_redirect off;
>     server_tokens off;
>
>     ## Timeouts
>     client_body_timeout 5m;    # must be long enough for file uploads
>     client_header_timeout 30;
>     keepalive_timeout 60 30;
>     send_timeout 60;
>     expires 24h;
>
>     ## TCP options
>     tcp_nodelay on;
>     tcp_nopush on;
>
>     ## Compression
>     gzip on;
>     gzip_buffers 16 8k;
>     gzip_comp_level 6;
>     gzip_http_version 1.1;
>     gzip_min_length 1400;
>     gzip_vary on;
>     gzip_types text/plain text/css image/png image/gif image/jpeg application/pdf application/x-javascript text/xml application/xml application/xml+rss text/javascript;
>     gzip_disable "MSIE [1-6]\.(?!.*SV1)";
>
>
>     output_buffers 1 32k;
>     postpone_output 1640;
>     client_max_body_size 256M;
>
>     sendfile on;
>
>     #limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
>     #limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
>
>
>     # OM backend servers. NGINX can spread load over many servers via RDNS,
>     # a custom RR database, simple timeout/connected peer count, etc.
>     # See the NGINX wiki.
>
>     upstream openmeetings_http_server_1 {
>         server serverx.omserver.tld:5080;
>     }
>     upstream openmeetings_event_server_1 {
>         server serverx.omserver.tld:8088;
>     }
> }
>
> Include this conf in your (virtual)host SERVER section:
>
> /etc/nginx/virtualhosts/openmeetings_proxyed
> location ~ ^/openmeetings {
>     access_log /var/log/nginx/openmeetings.log main;
>     error_log /var/log/nginx/openmeetings-error.log debug;   # debug level is very verbose; lower it once the proxy works
>     expires off;
>     #location ~* ^.+.(jpg|jpeg|png|gif|ico|flv|mp4)$ {
>     #    expires 1d;
>     #    log_not_found off;
>     #    access_log off;
>     #    #add_header Cache-Control "public";
>     #}
>
>     # Read and rewrite all URL queries.
>     # (Disabled: a rewrite to an absolute http:// URL makes nginx answer with a
>     # redirect to that URL instead of proxying, so proxy_pass below would never
>     # run. proxy_pass already forwards the full URI to the upstream.)
>     #rewrite ^/(.*) http://openmeetings_http_server_1/$1;
>     # Set the name/IP based upstream to proxy to
>     proxy_pass http://openmeetings_http_server_1;
>
>     # Caller header settings are a critical point; the backend needs all IP and header data
>     proxy_redirect off;
>     # (added) pass the public hostname through; without this nginx sends the
>     # upstream group name as the Host header to the backend
>     proxy_set_header Host $host;
>     proxy_set_header X-Forwarded-Host $host;
>     proxy_set_header X-Forwarded-Server $host;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
>     client_max_body_size 10m;
>     client_body_buffer_size 128k;
>
>     proxy_connect_timeout 90;
>     proxy_send_timeout 90;
>     proxy_read_timeout 90;
>     proxy_buffer_size 4k;
>     proxy_buffers 4 32k;
>     proxy_busy_buffers_size 64k;
>     proxy_temp_file_write_size 64k;
> }
>
> location ~ ^(/open/|/close/|/idle/|/send/)$ {
>     access_log /var/log/nginx/openmeetings.log main;
>     error_log /var/log/nginx/openmeetings-error.log debug;
>     #expires off;
>     proxy_pass http://openmeetings_event_server_1;
>     proxy_redirect off;
>     proxy_set_header Host $host;   # (added) same reason as above
>     proxy_set_header X-Forwarded-Host $host;
>     proxy_set_header X-Forwarded-Server $host;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>
>     client_max_body_size 10m;
>     client_body_buffer_size 128k;
>
>     proxy_connect_timeout 90;
>     proxy_send_timeout 90;
>     proxy_read_timeout 90;
>     proxy_buffer_size 4k;
>     proxy_buffers 4 32k;
>     proxy_busy_buffers_size 64k;
>     proxy_temp_file_write_size 64k;
>     #include /etc/nginx/fastcgi_params;
> }
>
>
> I tried this config with OM 2.1.1 and the oldest 3.0 (~6 months later).
> I applied this HTTP 80/443 SSL tunneling:
>
> /etc/nginx/virtualhost.conf:
>
> tunneling 80:
> server {
>     server_name ..... ;
>     listen 80;
>     ..
>     ..
>     include /etc/nginx/virtualhosts/openmeetings_proxyed;
>
> }
>
> tunneling 443:
> server {
>     # several OM servers behind one common SSL cert protecting the frontend
>     server_name ..... ;
>     listen 443 ssl;
>     ..
>     ..
>     include /etc/nginx/virtualhosts/openmeetings_proxyed;
>
> }
>
>
> The tunneled version works fine; the problem is presentation pagination,
> which does not work correctly when OM is the backend.
> I am sure the call generated by the pagination event is OK; the SWF method
> get->loading calls the server's direct IP URL and not the frontend, and this is
> the conflict.
> Try and test this, and report back to me please!
>
> I did not test more settings - not much time.
>
> Balazs
>
> On 2013-11-28 18:56, Sergey wrote:
>> Hello!
>> Can you show your config of nginx, where you proxy port 80 to 5080 and
>> 8088? How do you split them? I can only suggest the name field in the
>> HTTP/1.1 header, but I am interested in the configuration. Thanks in
>> advance!
>>
>> Sergey.
>>
>>
>> On 28.11.2013 21:47, Varga Balázs wrote:
>>> I tried an nginx frontend proxy for OM:
>>>
>>> Set NGINX as the frontend and the OM server backend as an IP-based upstream.
>>> The upstream proxy tunnels OM 5080 and 8088 to frontend port 80; 1935
>>> is live - this is firewall friendly.
>>> My OM server(s) are set up with an FQDN host name, not IP based.
>>>
>>> Try this model: a common frontend SSL tunnel, the OMs sit in a
>>> separate LAN and communicate directly only with the proxy, not with the public.
>>>
>>> This combination works; the remaining problem is that presentation pagination
>>> does not work.
>>> The pagination events load successfully (check in the logs); the problem is the
>>> name/IP based wrapping on the proxy.
>>>
>>> This method finally works when OM is IP based, not hostname based.
>>>
>>> After finding this pagination problem, I did not try other settings.
>>>
>>> Balazs
>>>
>>>
>>> On 2013-11-28 13:16, Stefan wrote:
>>>> Hello.
>>>> What ports other than 5080 and 1935 do I need to set up in nginx, in
>>>> order to provide a full reverse proxy for an OM installation?
>>>> Should I consider tunneling instead (to be able to tunnel all possible
>>>> ports through another server)?
>>>>
>>>> Regards, Bogdan.
>>>>
>>>
>>
>>

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
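The iptables IP-forwarding/DNAT approach Bogdan mentions at the top of the thread, written out as an added example (it is not from the thread and not OpenMeetings project code). It assumes a VPS with public interface eth0, a backend OM host at 10.0.0.5 reachable from the VPS, and TCP-only forwarding of the ports the thread names (5080, 8088, 1935); all of those are illustrative assumptions. The script prints the rules by default and only applies them with --apply, so it can be reviewed first. The default FORWARD DROP is what actually isolates the backend: only the listed ports reach it, and only through the VPS.

```shell
#!/bin/sh
# Added example (not from the thread): generate/apply iptables DNAT rules that
# forward selected OpenMeetings TCP ports arriving at a VPS to a backend host,
# so the backend is reachable only through the VPS.
# Interface, backend address and port list are assumptions for illustration.
set -eu

# Print the commands that forward each TCP port in "$@" (after iface, backend)
# from public interface $1 to backend $2. Everything else that would be
# forwarded is dropped by policy.
dnat_rules() {
    iface=$1; backend=$2; shift 2
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        # Rewrite the destination of new inbound connections to the backend
        echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $backend:$port"
        # Allow only those rewritten connections through the forwarding path
        echo "iptables -A FORWARD -i $iface -p tcp -d $backend --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Source-NAT towards the backend so replies come back via the VPS even if
    # the backend has no route to the original client (e.g. private LAN/VPN)
    echo "iptables -t nat -A POSTROUTING -d $backend -j MASQUERADE"
}

# Number of commands produced: 3 fixed lines + 2 per port + 1 trailing line
dnat_rule_count() {
    dnat_rules "$@" | wc -l | tr -d ' '
}

# Usage: ./dnat.sh [--apply] <iface> <backend_ip> <port>...
# Without --apply the rules are only printed for review.
main() {
    apply=0
    if [ "${1:-}" = "--apply" ]; then apply=1; shift; fi
    if [ $# -lt 3 ]; then
        echo "usage: $0 [--apply] <iface> <backend_ip> <port>..." >&2
        exit 2
    fi
    if [ $apply -eq 1 ]; then
        dnat_rules "$@" | sh -e
    else
        dnat_rules "$@"
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Example invocation: `./dnat.sh eth0 10.0.0.5 5080 8088 1935` to review, then add `--apply` as root. Two caveats a practitioner should weigh against the nginx frontend from the same thread: because of the MASQUERADE rule the backend sees the VPS address as the client source, so the X-Forwarded-For information the nginx config passes is lost, and the forwarded ports are passed through byte-for-byte, so nothing is terminated or encrypted on the VPS the way the 443 server block does.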
