Commit e84c9a1a authored by Davide Depau

Add content

parent 5320fc87
Pipeline #555 passed in 1 minute and 42 seconds
......@@ -105,106 +105,219 @@ curl -L poul.org
---
# NGINX
## Reverse proxy
- An HTTP **forward proxy** is a server the browser **(knowingly)** connects to in order to access HTTP resources
- An HTTP **reverse proxy** is a server that *pretends* to be the requested service
- It will **transparently** provide the requested resources
----
## Why are reverse proxies useful?
- Load balancing
- We have a number of instances of the same web app
- The reverse proxy will distribute the requests uniformly
----
## Why are reverse proxies useful?
- High availability
- The reverse proxy may be configured detect the target services' health
- It will send requests to the other instances until it's fixed
- We can perform maintenances on one instance while the others are taking its load
----
## Why are reverse proxies useful?
- Running multiple services on the same server
- The reverse proxy can direct requests to different services running on the same machine,
based on configurable parameters such as the domain name
----
## Architettura
## Why are reverse proxies useful?
- Retro-fitting TLS or other new standards
- We can serve over TLS (HTTPS) services that do not support it
- We can serve over HTTP/2 services that do not support it
---
## NGINX
- It is a web server
- It can serve files from a directory over HTTP(S)
- It is a reverse proxy
- It can proxy services over a number of protocols
- Most interesting: HTTP, FastCGI
----
Due tipi di processo:
## Architecture
- **Processo master**: processo principale, eseguito come root
- Legge i file di configurazione
- Apre il socket usato per comunicare con i processi worker
- **Master process**: main process, (optionally) run as root
- Reads configuration files
- Orchestraters and handles communication with workers
- **Processi worker**: eseguiti come utente non amministratore (`www-data` su
Debian)
- **Worker processes**: run as non-root user (i.e. `www-data` on debian)
- Gestiscono le richieste
----
## Installazione
## Installation
In Debian ci sono tre diversi pacchetti:
- Official packages are available for a number of distributions
- However, we will use Docker/Podman
- `nginx-light`: versione minimale
- `nginx` (`nginx-full`): quello che vi serve
- `nginx-extras`: bloated
```bash
docker run -it -p 80:80 -p 443:443 nginx:1-alpine
podman run -it -p 80:80 -p 443:443 nginx:1-alpine
```
[Qua](https://wiki.debian.org/Nginx#Recap_of_the_different_modules_in_every_package_.28starting_Squeeze-Backports.29) un confronto completo
<small>We'll use the Alpine image since it's smaller</small>
----
## Comandi
## Commands
Since we'll be using containers, we'll have to use our container engine
to perform some tests on nginx.
That is usually a matter of running:
- Controllare la versione installata:
```
sudo nginx -v
docker/podman ps # get the container ID
docker/podman run -it <container ID> <our command>
```
- Lista dei moduli abilitati
<small>
<ul>
<li>`-i`: run an interactive program</li>
<li>`-t`: allocate a terminal</li>
</ul>
</small>
----
## Commands
- Check if the config is valid without loading it (**very useful**)
```
sudo nginx -V
nginx -t
```
- Controllare se la configurazione è valida
- List the installed modules
```
sudo nginx -t
nginx -V
```
- Ricaricare la configurazione
- Reload the configuration (without restarting the container)
```
sudo nginx -s reload
nginx -s reload
```
----
## nginx.conf
Direttive: semplici o a blocco
Default config from container
```
nome parametri;
user nginx;
worker_processes auto;
nome {
altre direttive;
...
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
... (continues)
```
Sono presenti:
- 1 blocco **events**
- 1 blocco **http**
- N blocchi **server**
- N blocchi **location**
----
## nginx.conf
### nginx.conf
```
user www-data;
worker_processes 1;
pid /run/nginx.pid ;
events {
worker_connections 128;
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on; # optimize for sending files
#tcp_nodelay on; # send packets ASAP
#tcp_nopush on; # try to fill packets before sending
keepalive_timeout 65;
#gzip on; # enable compression (good!)
include /etc/nginx/conf.d/*.conf;
}
```
http {
server {
location {
}
----
### conf.d/default.conf
```
server {
listen 80;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
```
<small>I removed the commented lines for brevity</small>
----
## nginx.conf
We must have:
- 1 **events** block
- 1 **http** block
- N **server** blocks
- N **location** blocks
----
## nginx.conf
- **events** è indipendente
- **http** contiene i blocchi **server**
- **server** contiene i blocchi **location**
- suggerimento: applicare le direttive al blocco più esterno
How do we override the container's config?
With a **volume**!
```bash
docker/podman run \
-v /path/to/nginx.conf:/etc/nginx/nginx.conf:ro \
-v /path/to/nginx/conf.d:/etc/nginx/conf.d:ro \
-p 80:80 -p 443:443 \
nginx:1-alpine
```
<small>Note that we made sure everything is mounted read-only</small>
----
## Virtual Hosts
With virtual hosts we can accomplish serving multiple sites from the same server
----
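Review bot: the Commands slide tells the reader to test nginx with `docker/podman run -it <container ID> <our command>`, but `run` takes an image name and starts a new container; executing a command inside the already running container is `docker/podman exec -it <container ID> <command>`, which is also what the later `nginx -t`, `nginx -V` and `nginx -s reload` examples require (a reload only has an effect against the master process of the running container). The `<small>` list under it describes the flags loosely: `-i` keeps STDIN open, `-t` allocates a pseudo-terminal. In the `### nginx.conf` block the `events { worker_connections 128;` section is never closed before `http {`, so the file as shown would fail the `nginx -t` check the deck itself recommends; add the missing `}` (and drop the stray space in `pid /run/nginx.pid ;`). Minor wording: "Orchestraters" should be "Orchestrates", and "(i.e. `www-data` on debian)" should be "(e.g. `www-data` on Debian)".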
......@@ -230,12 +343,10 @@ http {
## Location blocks
- Quando si ha a che fare con file e cartelle
- Per indicare a NGINX cosa fare quando una specifica risorsa viene richiesta
- Si può usare il percorso esatto o un'espressione regolare, con un opportuno
prefisso
- Used to tell NGINX what to do with particular URL paths
- We can discriminate against specific paths or a regular expressions
```
```
server {
location / {
root /var/www/html;
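Review bot: "We can discriminate against specific paths or a regular expressions" reads as if paths were being excluded and has a number-agreement error; suggest "We can match exact paths, prefixes or regular expressions", which is what the `location /` and `location ~ \.(gif|jpg|png)$` examples on the following slides demonstrate.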
......@@ -246,7 +357,16 @@ server {
root /var/www/images;
}
}
```
```
---
## Reverse proxying applications
We will see how to reverse-proxy apps over
- HTTP
- FastCGI
----
......@@ -255,9 +375,10 @@ server {
```
server {
location / {
proxy_pass http://localhost:8080;
proxy_pass http://other_container:8080;
}
# Serve images directly, improves performance
location ~ \.(gif|jpg|png)$ {
root /var/www/images;
}
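Review bot: `proxy_pass http://other_container:8080;` relies on container DNS, which only works when both containers are on the same user-defined network (the default Docker bridge does not resolve container names), and nginx resolves a hostname written directly in `proxy_pass` once at startup or reload, so if `other_container` is recreated with a new address the proxy keeps sending traffic to the old one until `nginx -s reload`; a sentence on the slide would save the audience a confusing 502. Since the earlier `log_format` already records `$http_x_forwarded_for`, this location should also forward the client identity to the backend (`proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`), otherwise the application only ever sees the proxy's address in its own logs and rate limits.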
......@@ -271,7 +392,9 @@ server {
```
server {
location / {
fastcgi_pass localhost:9000;
fastcgi_pass other_container:9000;
# Or with UNIX domain sockets
#fastcgi_pass unix:///var/run/gunicorn.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
}
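Review bot: the commented alternative `#fastcgi_pass unix:///var/run/gunicorn.sock;` mixes protocols: Gunicorn speaks HTTP, not FastCGI, so a Gunicorn socket belongs on the HTTP slide as `proxy_pass http://unix:/var/run/gunicorn.sock;`, and this slide should name a backend that actually speaks FastCGI. Worth adding that a UNIX socket is only reachable from the nginx container if its directory is bind-mounted into it, and nginx's documented form is `unix:/path` with a single slash after the colon.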
......@@ -282,30 +405,47 @@ server {
}
```
[Guida completa](http://www.patricksoftwareblog.com/how-to-configure-nginx-for-a-flask-web-application/) usando Gunicorn
---
# HTTPS
## HTTPS (HTTP over TLS)
Why is it important?
- For many top-level domain names it's mandatory
- It ensures the **communication is private**
- As a side effect, it also ensures **integrity** of the content
----
## X.509 certificates
- In most server-client TLS connections, the client wants the server to authenticate itself
- <small>Sometimes the client is also authenticated (i.e. Agenzia delle Entrate website, authentication
with Tessera Sanitaria)</small>
- The authentication is done using **X.509 certificates**
----
## HTTPS in breve
## X.509 certificates
- When a TLS connection is made, the browser will check whether the certificate
- Is valid for the website's **domain name**
- Is valid right now (certificates **expire**)
- Is itself **signed** by a known, trusted **Certification Authority**
- It has not been **revoked** by the CA
Certification Authority certificates usually come with the **OS** or the **browser** itself.
- Scegli un cifrario simmetrico abbastanza veloce (AES)
- Scegli una chiave casuale (chiave di sessione)
- Cifra la chiave usando un cifrario a chiave pubblica
- Inviala al client
- Ora può essere usata come segreto condiviso per AES
----
## Certificati
## X.509 certificates
- In the past, in order to get a signed certificate you would have to pay a CA
- They would check your identity and see if you're really entitled for the cert
- They would then hand out a certificate, usually valid for 1 year
- Nella parte di cifratura della chiave di sessione viene usato un certificato
per garantire l'identità del server.
- I certificati vengono rilasciati da istituzioni col ruolo di **Certification
Authority** (CA)
But today we have a simpler (and free) option...
----
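Review bot: the certificate-check list on the second "X.509 certificates" slide skips the step that most often breaks in practice: the browser rarely holds the CA that signed the leaf directly, it builds a chain through one or more intermediate certificates to a root it trusts, so the server must send the full chain, not only the leaf, or "signed by a known, trusted Certification Authority" fails for clients that lack the intermediate. "For many top-level domain names it's mandatory" would be stronger with an example (`.app` and `.dev` are HSTS-preloaded, so browsers refuse plain HTTP on them). Small grammar fixes: "i.e. Agenzia delle Entrate" should be "e.g.", and "entitled for the cert" should be "entitled to the certificate".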