Nginx and Blocking Countries Redeux

After having some issues with this new server build and Apache2, I decided to move over to Nginx for the web server. This meant I had to figure out how to get a Linux, (e)Nginx, MySQL, and PHP (LEMP) server going.  Although I am not a DigitalOcean customer I used a great tutorial from them to determine what I needed on the Nginx and PHP5-FPM side of things and left off the other steps pertaining to Linux and MySQL.  I also had to recreate my self-signed cert for SSL which I did using these instructions from DigitalOcean. These portions of the upgrade, I actually did from remote while DJ’ing for an 80’s gig, but I did need to finish up swapping the Apache2 and Nginx daemon start ups the next day.  All in all, it was a pretty effortless job to make the Apache to Nginx switch until I started investigating what I needed to do to continue blocking web visitors by country.

So the next step was to enable the MaxMind GeoIP modules in Nginx and configure the web site profile to block countries other than the usual five. For this portion, I found another tutorial from HowtoForge that walked through the process step by step. Just like the previous effort to do this under Apache, there are methods to allow all countries and specify a few to block, or block all countries and specify a few to allow. The latter is the method I chose. The one option that I really like with this setup is that instead of giving a 403 – forbidden response to blocked visitors, I followed the tutorial’s recommendation to use a 444 – no response method which just keeps the browser at the other end hanging on and waiting for a response.
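As an added illustration of the allow-list approach described above (not taken from this post or from the tutorial it followed), a default-deny GeoIP configuration might look like this. The database path, LAN range, country codes and server name are placeholder assumptions, and nginx must be built with ngx_http_geoip_module.

```nginx
http {
    # Legacy MaxMind country database. The path is an assumption
    # (a common Debian/Ubuntu location); adjust to your install.
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Loopback and private addresses have no country in the database,
    # so $geoip_country_code is empty for them. Mark trusted networks
    # explicitly or a default-deny map will lock out local clients.
    geo $trusted_net {
        default         0;
        127.0.0.0/8     1;
        192.168.0.0/16  1;   # placeholder LAN range
    }

    # Default-deny: every request is blocked unless it matches an entry.
    map "$trusted_net:$geoip_country_code" $allowed_country {
        default  no;
        ~^1:     yes;   # trusted network, country not consulted
        0:US     yes;   # placeholder country code
        0:CA     yes;   # placeholder country code
    }

    # In a Debian-style layout this block lives in the site file under
    # /etc/nginx/sites-available/ rather than in nginx.conf itself.
    server {
        listen 80;
        server_name example.com;   # placeholder

        # 444 is an nginx-specific code: the connection is closed
        # without any response being sent to the client.
        if ($allowed_country = no) {
            return 444;
        }
    }
}
```

Blocked requests still appear in the access log with status 444, which gives a quick way to confirm the rule is matching and to spot legitimate visitors caught by it.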

Between country blocking, using a self-signed SSL cert and a captcha requirement for administrative access, the number of attempted password guessing attacks against this site has gone from several an hour to zero.

Follow-Up:

In addition to WordPress, my site also includes Zenphoto 2.0 for the photo gallery.  While it initially looked like wordpress and zenphoto were functioning correctly under nginx, if you went into any of the albums you would get a 404 error.  Turns out that mod-rewrite and php needed some attention to get Zenphoto back to health.  Here is a post I made to the Zenphoto 2.0 forum on the adjustments needed.


 

Due to some problems with apache2 under a new Ubuntu 14.04 load, I decided to switch my web server to nginx.  I used a couple of nginx (LEMP) tutorials from DigitalOcean even though my server is self-hosted.  My primary site is wordpress with zenphoto 2.0 as a sub folder named zp.  Zenphoto detected the server change to nginx and prompted me to run setup.  This created two issues. One was setup did not detect a working mod_rewrite.  The other was a timeout error (504) waiting on the setup script to complete.  The timeout for php execution completion is probably set at 30 seconds on most default php installations. This is too short for the setup process to complete. This site (http://www.nginxtips.com/504-gateway-time-out-using-nginx/) has the settings needed for extending the timeout to avoid a 504 error waiting on Zenphoto 2.0 setup to complete.
You may have to make adjustments to the location of the files to edit; with Ubuntu 14.04, nginx, and php5-fpm these were the locations:
php.ini = /etc/php5/fpm/php.ini
www.conf = /etc/php5/fpm/pool.d
virtual host conf = /etc/nginx/sites-available/<default site file>
To fix the mod_rewrite issue I found one suggestion (http://www.zenphoto.org/news/nginx-rewrite-rules-tutorial#rewrite-rules-for-zenphoto-145) of this simple location section for zenphoto being hosted in a sub folder.

    location /subfolder {
        try_files $uri $uri/ /subfolder/index.php?$args;
    }

mod_rewrite is detected and seems to be working with this location portion added to the default site config:

    location /zp {
        try_files $uri $uri/ /zp/index.php?$args;
    }

The nginx wiki has a much more detailed section of rewrite configuration (http://wiki.nginx.org/ZenPhoto), but I think the shorter one above is working.
Just passing this along for those that might hit these issues with nginx and zenphoto 2.0.
