nginx – conversion complete

Well, that was anticlimactic! I really thought this would take more time or be a lot more complicated, though in the end it was actually quite straightforward, and I am using fewer resources (my VMware lab just isn’t all that big).

Moving from Apache to nginx was very straightforward and took far less time than I originally had anticipated.

Now the why..

Jamie (@thingles on the twitters) sent me a link to something he had worked on for his Linode deployment and that was the last straw. I just had to convert.

Converting this blog system over took me less than 30 minutes (and possibly less than 15 minutes but I was reading posts on the tubes about nginx as well). I also converted my wife’s system from Apache to nginx as well since I was already in there doing other maintenance work anyway.

Simple sequence of commands (as root):

apt-get install nginx
service nginx stop
apt-get install php5-fpm
service php5-fpm stop

cp /etc/php5/fpm/pool.d/www.conf /etc/php5/fpm/pool.d/www.geekandi.com.conf
vi /etc/php5/fpm/pool.d/www.geekandi.com.conf

vi /etc/nginx/sites-available/www.geekandi.com
...
ln -sf /etc/nginx/sites-available/www.geekandi.com /etc/nginx/sites-enabled

[repeat for other sites - I am running multiple sites]

service apache2 stop
service php5-fpm start
service nginx start
apt-get remove apache2 apache2-mpm-prefork apache2-suexec apache2-utils apache2.2-bin apache2.2-common libapache2-mod-fcgid libaprutil1-ldap libaprutil1-dbd-sqlite3

So, install (and stop) nginx and FPM, edit configuration files, start processes, and remove apache2 binaries from this Ubuntu LTS server.

The removal process does not remove the old configuration files, but if you want to do that as well then run the following one-liner as root (this has the added benefit of removing any leftover configurations from previous installs as well):

dpkg -l | grep ^rc | awk '{print $2}' | xargs dpkg --purge

or if not root

dpkg -l | grep ^rc | awk '{print $2}' | xargs sudo dpkg --purge

Configurations still need to be edited so don’t forget!

FPM pool changes per site:

; change pool name
[geekandi]

; update user and group
user = geekandi
group = geekandi

; listen on a TCP socket (can also be a path for a UNIX socket)
listen = 127.0.0.1:9001

And my sample geekandi.com configuration is below but be mindful of the 192.168.110/24 addressing as that is my internal monitoring network to do fun things.

My nginx configuration file:

# www.geekandi.com

# internal monitoring
server {
	listen   192.168.110.212:80;
	root /usr/share/nginx/www;
	location /nginx_status {
		stub_status on;
		allow 192.168.110.0/24;
		deny all;
	}
}

server {
	listen 192.168.110.212:443;
	root /usr/share/nginx/www;
	location /nginx_status {
		stub_status on;
		allow 192.168.110.0/24;
		deny all;
	}

	ssl on;
	ssl_certificate /etc/ssl/certs/www.geekandi.com.chained.crt;
	ssl_certificate_key /etc/ssl/private/www.geekandi.com.key;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ALL:!RC4:HIGH:!IDEA:!MD5:!aNULL:!eNULL:!EDH:!SSLv2:!ADH:!EXPORT40:!EXP:!LOW:!ADH:!AECDH:!DSS:@STRENGTH;
	ssl_prefer_server_ciphers on;
}

# external serving for www.geekandi.com
server {
	listen   204.153.245.212:80;
	listen   [2001:4980:dead:dead::212]:80 default ipv6only=on;

	root /var/www/blog;
	index index.php index.html index.htm;

	server_name www.geekandi.com;

	# I run it all through HTTPS
	rewrite ^/(.*) https://www.geekandi.com/$1 permanent;

	access_log /var/log/nginx/www.geekandi.com.access.log combined;
	error_log /var/log/nginx/www.geekandi.com.error.log error;

	include /var/www/blog/nginx.conf;
}

server {
	listen 204.153.245.212:80;
	listen [2001:4980:dead:dead::212]:80;

	root /var/www/blog;
	index index.php index.html index.htm;

	server_name geekandi.com;

	# I'm not a fan of short name items, redirect it all
	rewrite ^/(.*) https://www.geekandi.com/$1 permanent;

	access_log /var/log/nginx/www.geekandi.com.access.log combined;
	error_log /var/log/nginx/www.geekandi.com.error.log error;

	include /var/www/blog/nginx.conf;
}

# HTTPS editions to follow
server {
	listen 204.153.245.212:443;
	listen [2001:4980:dead:dead::212]:443;

	root /var/www/blog;
	index index.php index.html index.htm;

	server_name www.geekandi.com;

	ssl on;
	ssl_certificate /etc/ssl/certs/www.geekandi.com.chained.crt;
	ssl_certificate_key /etc/ssl/private/www.geekandi.com.key;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	#ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ALL:!RC4:HIGH:!IDEA:!MD5:!aNULL:!eNULL:!EDH:!SSLv2:!ADH:!EXPORT40:!EXP:!LOW:!ADH:!AECDH:!DSS:@STRENGTH;
	ssl_prefer_server_ciphers on;

	location / {
		try_files $uri $uri/ /index.php?q=$uri&$args;
	}

	error_page 404 /404.html;

	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
		root /usr/share/nginx/www;
	}

	location ~ \.php$ {
		fastcgi_pass 127.0.0.1:9001;
		fastcgi_index index.php;
		include fastcgi_params;
	}

	access_log /var/log/nginx/www.geekandi.com.access.log combined;
	error_log /var/log/nginx/www.geekandi.com.error.log error;

	include /var/www/blog/nginx.conf;
}

server {
	listen 204.153.245.212:443;
	listen [2001:4980:dead:dead::212]:443;

	root /var/www/blog;
	index index.php index.html index.htm;

	server_name geekandi.com;

	rewrite ^/(.*) https://www.geekandi.com/$1 permanent;

	ssl on;
	ssl_certificate /etc/ssl/certs/www.geekandi.com.chained.crt;
	ssl_certificate_key /etc/ssl/private/www.geekandi.com.key;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ALL:!RC4:HIGH:!IDEA:!MD5:!aNULL:!eNULL:!EDH:!SSLv2:!ADH:!EXPORT40:!EXP:!LOW:!ADH:!AECDH:!DSS:@STRENGTH;
	ssl_prefer_server_ciphers on;

	access_log /var/log/nginx/www.geekandi.com.access.log combined;
	error_log /var/log/nginx/www.geekandi.com.error.log error;

	include /var/www/blog/nginx.conf;
}
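
In the listing above, the www.geekandi.com HTTPS block has SSLv3 commented out, while the monitoring block and the geekandi.com redirect block still list it in ssl_protocols (SSLv3 is deprecated by RFC 7568). The shell function below is an added example, not part of the original post: it walks a config file and reports every server block whose active ssl_protocols line still enables a given protocol. The function names and the trimmed sample config are constructed for illustration.

```shell
#!/bin/sh
# audit_ssl_protocols [FILE|-] [BANNED]
# Report each server block whose active (uncommented) ssl_protocols
# directive still lists BANNED (default SSLv3). Hypothetical helper.
audit_ssl_protocols() {
    awk -v banned="${2:-SSLv3}" '
        { sub(/#.*/, "") }   # drop comments, so commented-out directives are ignored
        /^[ \t]*server[ \t]*[{]/ { in_srv = 1; depth = 0; hit = 0; listen = name = "-" }
        in_srv {
            gsub(/;/, " ; ")  # make the terminating semicolon its own field
            if ($1 == "listen" && listen == "-") listen = $2
            if ($1 == "server_name") name = $2
            if ($1 == "ssl_protocols")
                for (i = 2; i <= NF; i++) if ($i == banned) hit = NR
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track nested location blocks
            if (depth <= 0) {
                if (hit) printf "line %d: listen %s server_name %s enables %s\n", hit, listen, name, banned
                in_srv = 0
            }
        }
    ' "${1:--}"
}

# Constructed sample, trimmed from the listing above.
sample_conf() {
cat <<'EOF'
server {
    listen 192.168.110.212:443;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 204.153.245.212:443;
    server_name www.geekandi.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    location / { try_files $uri $uri/ /index.php?q=$uri&$args; }
}
server {
    listen 204.153.245.212:443;
    server_name geekandi.com;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

sample_conf | audit_ssl_protocols
```

Run it against each file linked into /etc/nginx/sites-enabled before starting nginx; an empty result means no active ssl_protocols line lists the protocol.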

Now I just need to convert my kid’s blog server over.

Comments welcome!