This page documents the migration from IIS to nginx.
SSL Configuration
http://nginx.com/resources/admin-guide/nginx-ssl-termination/
Tomcat configuration
To take full advantage of nginx+ssl, I believe we need to set up Tomcat to use the RemoteIpValve:
https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html
An example is here:
http://kdl.nobugware.com/post/2010/02/12/nginx-ssl-tomcat-confluence
nginx page on configuring individual applications
http://wiki.nginx.org/JavaServers
PHP Applications
[List of PHP Applications here]
Two potential solutions
- PHP applications on nginx reverse proxies
- PHP applications on another server (configured the same as Tomcat servers)
The second option potentially makes session handling easier.
Taylor has a php54 option. I believe Taylor has a Drupal option as well, but it may not suit our needs.
Necessary installs for PHP:
sudo yum install php54 php54-php-fpm php54-php-mysqlnd
Github's use of nginx and map files
http://githubengineering.com/rearchitecting-github-pages/
VMs
Hostnames and IPs
sca-nginx01 is deployed on scalnx12-vmm with 12GB memory and 6 cores
sca-nginx02 is deployed on scalnx13-vmm with 12GB memory and 6 cores
Both will share the sca-www hostname through the virtual IP address 134.79.129.86.
Management of the Virtual IP address will be handled with keepalived.
Keepalived
keepalived is to be configured on both machines.
keepalived seems to support HTTP status checks.
The following is roughly the configuration for sca-nginx01. The configuration for sca-nginx02, which will be the failover machine, will be nearly identical, but the priority on the vrrp_instance MUST BE LOWER than the priority on the master. The password will be different.
The configuration is located in /etc/keepalived/keepalived.conf
    global_defs {
      notification_email {
        bvan@slac.stanford.edu
      }
      notification_email_from bvan@slac.stanford.edu
      smtp_server smtp.slac.stanford.edu  # Not sure if this works
      smtp_connect_timeout 30
      router_id SCA_WWW  # Not sure if this is used
    }

    # Note: If the weight isn't enough to break a tie using the
    # priority difference between sca-nginx01 and sca-nginx02
    # nginx is down but sca-nginx01 is up, then requests
    # may still go to
    vrrp_script chk_nginx {
      script "killall -0 nginx"
      interval 2  # seconds
      weight 2    # points
    }

    vrrp_instance VI_1 {
      state MASTER
      interface eth0
      virtual_router_id 85  # Random ID. We shouldn't have the same router id on the same subnet
      priority 100          # See note on weight above
      advert_int 1          # Advertisement interval (i.e. heartbeat seconds)
      authentication {
        auth_type PASS
        auth_pass 1111
      }
      virtual_ipaddress {
        134.79.129.86
      }
      track_script {
        chk_nginx
      }
      unicast_src_ip 134.79.129.92  # Unicast specific option, this is the IP of the interface keepalived listens on
      unicast_peer {                # Unicast specific option, this is the IP of the peer instance
        134.79.129.91
      }
    }
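The priority/weight interaction that the note in the configuration warns about, worked through as an added example (not part of the original page or of keepalived). The priority of 99 for sca-nginx02 is an assumption, since the page only says it must be lower than the master's; the model also assumes default preemption and the VRRP rule that a priority tie goes to the higher IP address.

```python
# Added example: models which node holds the VIP for the settings on this page.
from ipaddress import ip_address
from itertools import product

WEIGHT = 2  # weight of vrrp_script chk_nginx, from the page

# Base priority and unicast source IP per node.
# ASSUMPTION: sca-nginx02's priority (99) is not given on the page.
NODES = {
    "sca-nginx01": {"priority": 100, "ip": "134.79.129.92"},
    "sca-nginx02": {"priority": 99, "ip": "134.79.129.91"},
}

def effective_priority(base, nginx_up, weight=WEIGHT):
    """A positive track_script weight is added only while the check succeeds."""
    return base + weight if nginx_up else base

def vip_holder(nodes, nginx_up, weight=WEIGHT):
    """Highest effective priority wins; a tie goes to the higher IP address."""
    def rank(name):
        node = nodes[name]
        prio = effective_priority(node["priority"], nginx_up[name], weight)
        return (prio, int(ip_address(node["ip"])))
    return max(nodes, key=rank)

def failover_table(nodes, weight=WEIGHT):
    """VIP holder for every combination of nginx up/down on the nodes."""
    names = list(nodes)
    return {states: vip_holder(nodes, dict(zip(names, states)), weight)
            for states in product([True, False], repeat=len(names))}

def valid_backup_priorities(master_prio, weight=WEIGHT):
    """Backup priorities that lose to a healthy master but win outright
    (no tie) when only the master's nginx check fails."""
    return [b for b in range(1, 255)
            if b < master_prio and b + weight > master_prio]

if __name__ == "__main__":
    for states, holder in failover_table(NODES).items():
        print(dict(zip(NODES, states)), "->", holder)
    print("valid backup priorities:", valid_backup_priorities(100))
```

With priority 100 and weight 2, the only backup priority that satisfies both conditions is 99; at 98 the two nodes tie when nginx dies on sca-nginx01, and that node keeps the VIP.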