Once you deploy an application (web or enterprise), the most common layout is the three-tier pattern: a web server, one or more application servers, and a database server. In this post, I will demonstrate how to use Nginx (or Apache HTTP Server) as the web tier in front of the application servers. Both Nginx and Apache can perform load balancing, dispatching incoming requests across the application servers. The main difference between them is how they handle connections. Nginx is event-driven and uses non-blocking I/O, so a small fixed number of worker processes (typically one per CPU core) each serve many connections at once. Apache, with its traditional prefork and worker MPMs, dedicates a process or thread to each connection, which costs more memory under high concurrency.
Fig 01 Deploy Application Concept
For my setup, I have deployed the application (an EAR file) to two application servers running WildFly 10.0.1:
- Application Server 01 : wildfly01.itstikk.pro (WildFly 10.0.1)
- Application Server 02 : wildfly02.itstikk.pro (WildFly 10.0.1)
Install Nginx
In my environment I used CentOS 6 to install Nginx; CentOS 7 also works. First update the system and enable the EPEL repository, which provides the nginx package:
#yum -y update
#yum -y install epel-release
In my case, I got an error when installing nginx with yum, so I had to edit the EPEL repository definition:
#vi /etc/yum.repos.d/epel.repo
Update it as follows. The fixed baseurl is commented out and the mirrorlist is used instead; gpgcheck stays enabled so that package signatures are still verified against the EPEL key:
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=http://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Next, install nginx with yum, start it, and enable it at boot (CentOS 6 uses SysV init as shown; on CentOS 7 use systemctl start nginx and systemctl enable nginx):
#yum -y install nginx
#service nginx start
#chkconfig nginx on
Configure Nginx as a load balancer
After installing Nginx, you need to configure it to route traffic to the application servers. For my setup I use round robin, the default and simplest scheme, because my application servers have the same spec. If your servers differ in capacity you can assign a weight to each server, or use a hash-based scheme (ip_hash) when a client must keep reaching the same backend, for example because the application keeps session state in memory.
Fig 03 Environment setup
For my setup, I will route all traffic that arrives on port 80 to the application servers. Port 80 is already taken by the stock default server block, so first change that block's port from 80 to another port (e.g. 8888). If you leave it on 80, two server blocks would listen there and, because the app.conf block below sets no server_name, the stock default_server would win for requests to the site's hostname. Edit the default server file:
#vi /etc/nginx/conf.d/default.conf
Change it to the following:
#
# The default server
#
server {
    listen 8888 default_server;
    listen [::]:8888 default_server;
    server_name _;
    root /usr/share/nginx/html;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
After editing default.conf, set up the routing by creating a new file /etc/nginx/conf.d/app.conf:
#vi /etc/nginx/conf.d/app.conf
Put the following in the new file:
# Define which servers to include in the load balancing scheme.
# It's best to use the servers' private IPs for better performance and security.
# You can find the private IPs at your UpCloud control panel Network section.
upstream backend {
    server wildfly01.itstikk.pro:8080;
    server wildfly02.itstikk.pro:8080;
}
# This server accepts all traffic to port 80 and passes it to the upstream.
# Notice that the upstream name and the proxy_pass need to match.
server {
    listen 80;
    location / {
        proxy_pass http://backend;
    }
}
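The app.conf above uses plain round robin. The following is an added example, not configuration from the original post, showing the weighted and hash-based alternatives mentioned earlier together with the proxy headers a practitioner normally adds. The weights, the max_fails/fail_timeout values and the server_name (taken from the test URL later in the post) are assumptions for illustration:

```nginx
# Added example (not from the original post). Weights and failure thresholds
# are assumptions; adjust them to the real capacity of each WildFly node.
upstream backend {
    # Weighted round robin: wildfly01 receives two requests for every one
    # sent to wildfly02. After 3 failed attempts within 30 s a node is
    # skipped for 30 s (passive health check, available in open-source nginx).
    server wildfly01.itstikk.pro:8080 weight=2 max_fails=3 fail_timeout=30s;
    server wildfly02.itstikk.pro:8080 weight=1 max_fails=3 fail_timeout=30s;

    # Alternatives to weights (uncomment one, remove the weight= parameters):
    # ip_hash;      # same client IP always reaches the same node (sticky sessions)
    # least_conn;   # send each new request to the node with the fewest connections

    # Keep a pool of idle connections open to the backends instead of
    # opening a new TCP connection per request.
    keepalive 16;
}

server {
    listen 80;
    server_name app.itstikk.pro;   # assumption: the public hostname of the site

    location / {
        proxy_pass http://backend;

        # Required for the upstream keepalive pool.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Without these headers the application only sees the proxy's own
        # address and the literal upstream name "backend" as the Host header,
        # which breaks logging, access control and generated redirects.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # If one node fails or returns 502/503, retry the request on the next one.
        proxy_next_upstream error timeout http_502 http_503;
    }
}
```

Check the file with nginx -t before restarting. One caveat on the forwarded headers: X-Forwarded-For is client-controlled until it is overwritten at a proxy you trust, so the application should only trust the last address appended by this Nginx, not the whole header.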
Next, restart nginx and test the result:
#service nginx restart
Before you can reach the web server you must make sure the firewall allows the ports. Here is what I configured. Two things to check in this file: it originally opened 8080, 443 and 8443 but not port 80, which is the port the app.conf server block listens on, so a port 80 rule is included below. Also, because the INPUT policy is ACCEPT and there is no final REJECT rule, this file allows all incoming traffic regardless of the ACCEPT rules; they only restrict anything once a terminating REJECT or DROP rule follows them.
#vi /etc/sysconfig/iptables
Update the file as below:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 80: Nginx plain HTTP (the port app.conf listens on)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# 8080: WildFly HTTP listener on the application servers
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
# 443: Nginx HTTPS (used once TLS is configured below)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# 8443: WildFly HTTPS listener on the application servers
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
COMMIT
Then restart the firewall to load the rules:
#service iptables restart
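The rule file above is the post's own; what follows is an added example, not from the original post, of how a practitioner would split the firewall between the two tiers so that the application servers are reachable only from the load balancer. It uses the CentOS 6 layout (policy ACCEPT with a terminating REJECT) and assumes SSH on port 22, 10.0.0.10 as the Nginx host's private IP, and separate /etc/sysconfig/iptables files for the two kinds of host:

```iptables
# Added example, not from the original post. Addresses are assumptions:
# 10.0.0.10 is the Nginx host's private IP. Write each block to
# /etc/sysconfig/iptables on the matching host, then: service iptables restart

# ---- Nginx (web tier) host --------------------------------------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Keep SSH open before adding the terminating REJECT, or you lock yourself out.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Only the public web ports: 80 (redirect to HTTPS) and 443.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Everything else, including the moved default server on 8888, is rejected.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

# ---- WildFly (application tier) hosts ---------------------------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# WildFly's HTTP port is reachable only from the load balancer: clients must
# not bypass Nginx (and its TLS, headers and logging) by hitting 8080 directly.
-A INPUT -s 10.0.0.10 -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

After loading each file, confirm the result with iptables -L -n -v from the host and with a connection attempt from an address that should be rejected.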
You can test by opening http://app.itstikk.pro/java-ee-03-web-sample/searchBook.xhtml in a browser. With round robin, consecutive requests alternate between wildfly01 and wildfly02, which you can confirm in the access logs of the two application servers.
Set Up SSL on Nginx
Nginx has many features that support web applications (load balancing, reverse proxying, API gateway, static content serving, etc.), and one of the most important is terminating TLS, still commonly called SSL. Terminating TLS on Nginx gives clients an encrypted connection while the application servers keep speaking plain HTTP on the private network behind it.
But first you need to create a key and a certificate file, as follows.
Create Key and Certificate
First, create the directories and a self-signed certificate. The openssl req command prompts for the subject fields; enter the site's hostname (here app.itstikk.pro) as the Common Name. A self-signed certificate is fine for testing, but browsers will warn about it; for production use a certificate issued by a CA. Generating the 2048-bit DH parameters in the last command can take several minutes.
#mkdir -p /etc/ssl/private /etc/ssl/certs
#chmod 700 /etc/ssl/private
#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
#openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Now you should have three files: /etc/ssl/private/nginx-selfsigned.key, /etc/ssl/certs/nginx-selfsigned.crt and /etc/ssl/certs/dhparam.pem. Make sure the private key is readable only by root; nginx reads it as root at startup before dropping privileges.
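The openssl req command above is interactive and produces a certificate with only a Common Name, which current browsers ignore in favour of the subjectAltName extension. As an added example, not from the original post, the script below creates the same key and certificate non-interactively with a SAN, and then performs the two checks a practitioner runs before pointing nginx at the files: that the SAN carries the hostname and that the certificate really belongs to the key. The hostname app.itstikk.pro and the output paths are assumptions taken from the post's setup:

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the OpenSSL CLI is
# installed; the hostname and paths below are assumptions.
set -e

# make_selfsigned KEY CRT HOSTNAME [DAYS]
# Writes an unencrypted RSA key to KEY and a self-signed certificate to CRT
# whose subjectAltName is DNS:HOSTNAME. Non-interactive.
make_selfsigned() {
    key=$1; crt=$2; host=$3; days=${4:-365}
    mkdir -p "$(dirname "$key")" "$(dirname "$crt")"
    cnf=$(mktemp)
    # A small request config instead of -subj/-addext: it also works with the
    # OpenSSL 1.0.x shipped on CentOS 6/7, which has no -addext option.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = $host
[v3]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -config "$cnf" -keyout "$key" -out "$crt" 2>/dev/null
    rm -f "$cnf"
    # The private key must not be world-readable.
    chmod 600 "$key"
}

# cert_has_san CRT HOSTNAME: succeeds if DNS:HOSTNAME is listed in the SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_matches_key KEY CRT: succeeds if the certificate was issued for KEY
# (compares the RSA modulus of both). A mismatch makes nginx refuse to start.
cert_matches_key() {
    k=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh make-cert.sh run   (writes the same paths the post uses)
if [ "${1:-}" = "run" ]; then
    KEY=/etc/ssl/private/nginx-selfsigned.key
    CRT=/etc/ssl/certs/nginx-selfsigned.crt
    make_selfsigned "$KEY" "$CRT" app.itstikk.pro 365
    cert_has_san "$CRT" app.itstikk.pro && cert_matches_key "$KEY" "$CRT" \
        && echo "certificate and key OK: $CRT"
fi
```

The dhparam.pem file from the post is still generated separately; it is independent of the key pair. When you later replace the self-signed certificate with a CA-issued one, run the same two checks on the new files before restarting nginx.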
Configure SSL in Nginx
Next, edit your /etc/nginx/conf.d/app.conf again. The plain-HTTP server block from before is replaced by a redirect, and the proxying moves to an HTTPS server block:
#vi /etc/nginx/conf.d/app.conf
Replace its contents with the following:
#
# HTTPS server configuration
#
upstream backendserver {
    server wildfly01.itstikk.pro:8080;
    server wildfly02.itstikk.pro:8080;
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # TLS settings. TLSv1 and TLSv1.1 are deprecated (RFC 8996) and should not
    # be offered; add TLSv1.3 once the nginx and OpenSSL builds on the host support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # OCSP stapling stays off: a self-signed certificate has no OCSP responder.
    # The resolver below is only needed once stapling is turned on for a
    # CA-issued certificate.
    ssl_stapling off;
    ssl_stapling_verify off;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # HSTS: browsers that see this header refuse plain HTTP for this host and
    # all subdomains for two years. Turn it on only after a CA-issued certificate
    # is installed; with the self-signed certificate above, browsers will no longer
    # let users click through the certificate warning once HSTS is cached.
    # The "preload" directive is deliberately left out.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    location / {
        proxy_pass http://backendserver;
        # The backend connection is plain HTTP, so tell the application the
        # original scheme and client; otherwise URLs it generates may point
        # back to http:// and loop through the redirect below.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
The rest is to check the configuration with nginx -t and restart nginx. Nginx should then redirect every HTTP request on port 80 to HTTPS on port 443; curl -I http://app.itstikk.pro/ should return a 301 with a Location: https://... header, and the firewall must allow port 443 on the Nginx host.
Fig 06 Nginx redirection HTTP to HTTPS