@suzannealdrich
Last active August 15, 2017 20:31
Installing Railgun with LEMP for CentOS 6.6
#!/bin/bash
# Prints the diff between the response headers served for a domain (via CloudFlare)
# and those served by its origin IP when asked for the same Host. Requires SSL.
NAME=$(basename "$0")
if [ $# -ne 2 ]; then
    echo "Usage: $NAME domain.tld origin.ip" 1>&2
    echo "Returns the response headers and a diff of a domain vs. its origin IP. Requires SSL." 1>&2
    exit 1
fi
# -I headers only, -s silent, -k accept the origin's self-signed certificate.
# The second request goes to the origin IP directly, with the domain as the Host header.
COMMAND="diff <(curl -Isk https://$1) <(curl -Isk -H 'Host: $1' https://$2)"
echo "Comparing '$1' to '$2'..."
echo "$COMMAND"
bash -c "$COMMAND"

Installing Railgun with LEMP for CentOS 6

Railgun is an optimization technology from CloudFlare for accelerating dynamic web requests. To use Railgun, you install the Railgun listener on your origin server and configure the Railgun in your CloudFlare account. This guide covers enabling Railgun on a CentOS 6 server running a LEMP stack.

Install LEMP stack

  • Nginx
  • PHP
  • PHP-FPM
  • MySQL

Configure webserver with HTTPS and IPv6

Generate ECC private key

openssl ecparam -out private.key -name prime256v1 -genkey

Generate certificate signing request

openssl req -new -key private.key -out csr.pem -config server.conf -reqexts req_ext

The server.conf file used for the CSR (prompt = no makes openssl read the subject from [req_dn] instead of asking interactively; an ECDSA key signs, so its key usage is digitalSignature rather than the RSA-only keyEncipherment):

[req]
prompt = no
req_extensions = req_ext
distinguished_name = req_dn
default_md = sha256

[req_ext]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[req_dn]
CN = example.com

[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com

Generate self-signed certificate

Pass the same config and extension section again: openssl req -x509 does not copy the request extensions out of the CSR, so without them the certificate would carry no subjectAltName entries.

openssl req -x509 -sha256 -days 3650 -key private.key -in csr.pem -config server.conf -extensions req_ext -out server.pem

Configure Nginx for HTTPS and IPv6

server {
    listen       80;
    listen       [::]:80 ipv6only=on;
    listen       443 ssl;
    listen       [::]:443 ssl ipv6only=on;
    server_name  example.com www.example.com;

    ssl_session_timeout  5m;
    ssl_session_cache    shared:SSL:10m;

    ssl_certificate      /etc/nginx/certs/server.pem;
    ssl_certificate_key  /etc/nginx/certs/private.key;

    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers  EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers   on;
}

Install Railgun

Install memcached

yum install memcached

Configure iptables

Allow only CloudFlare's published address ranges to reach the Railgun listener on TCP 2408 (-fsS makes curl fail on an HTTP error instead of feeding an error page into the loop):

for i in $(curl -fsS https://www.cloudflare.com/ips-v4); do iptables -I INPUT -p tcp -s $i --dport 2408 -j ACCEPT; done

iptables-save | sudo tee /etc/sysconfig/iptables

for i in $(curl -fsS https://www.cloudflare.com/ips-v6); do ip6tables -I INPUT -p tcp -s $i --dport 2408 -j ACCEPT; done

ip6tables-save | sudo tee /etc/sysconfig/ip6tables
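As an added example (not part of the gist), the download-and-insert loop above hardened so that only well-formed CIDR entries reach the firewall and re-running it does not duplicate rules. Port 2408 and the list URLs follow the guide; the sample list and its RFC 5737 documentation addresses are constructed.

```bash
#!/bin/bash
# Added example, not part of the gist: validate each entry of the downloaded
# Cloudflare IP lists before it reaches iptables/ip6tables, and emit rules that
# check (-C) before inserting (-I) so re-runs do not pile up duplicates.
# Port 2408 and the list URLs come from the guide; SAMPLE_LIST is constructed.

RAILGUN_PORT=2408

# a.b.c.d/len with each octet 0-255 and len 0-32 (10# forces decimal).
is_cidr4() {
    local re='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' o
    [[ $1 =~ $re ]] || return 1
    IFS=./ read -r -a o <<<"$1"
    (( 10#${o[4]} <= 32 )) || return 1
    (( 10#${o[0]} <= 255 && 10#${o[1]} <= 255 && 10#${o[2]} <= 255 && 10#${o[3]} <= 255 ))
}

# Loose structural check for hex:groups/len: at most one "::", no group over
# four hex digits, len 0-128. Not a full RFC 4291 parser.
is_cidr6() {
    local re='^[0-9A-Fa-f:]{2,39}/[0-9]{1,3}$' hex5='[0-9A-Fa-f]{5}' a=${1%/*}
    [[ $1 =~ $re && $a == *:* && $a != *:::* && $a != *::*::* ]] || return 1
    [[ $a =~ $hex5 ]] && return 1
    (( 10#${1#*/} <= 128 ))
}

# Read a list on stdin; print entries that pass the validator named in $1,
# report the rest on stderr.
filter_cidrs() {
    local line
    while IFS= read -r line; do
        [[ -z $line ]] && continue
        if "$1" "$line"; then printf '%s\n' "$line"
        else printf 'rejected: %q\n' "$line" >&2; fi
    done
}

# Print one idempotent firewall command per CIDR for the tool named in $1.
rule_cmds() {
    local cidr rule
    while read -r cidr; do
        rule="INPUT -p tcp -s $cidr --dport $RAILGUN_PORT -j ACCEPT"
        printf '%s -C %s 2>/dev/null || %s -I %s\n' "$1" "$rule" "$1" "$rule"
    done
}

# Live use: curl -fsS https://www.cloudflare.com/ips-v4 | filter_cidrs is_cidr4 | rule_cmds iptables | sh
# Constructed sample: two documentation ranges, an HTML error-page line, a bad octet.
SAMPLE_LIST=$'192.0.2.0/24\n<html>oops</html>\n256.1.1.0/24\n198.51.100.0/24'
```

The same pipeline with is_cidr6 and ip6tables covers the ips-v6 list.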

Install latest Railgun

rpm -ivh http://pkg.cloudflare.com/cloudflare-release-latest.el6.rpm
rpm -Uvh railgun-el6.latest.rpm

Edit Railgun configuration

Locate the Railgun activation key in the Railgun panel of your CloudFlare account, then set these values in the /etc/railgun/railgun.conf configuration file on the origin server:

activation.token = ACTIVATION_TOKEN
activation.railgun_host = ORIGIN_IP_ADDRESS

Start Railgun listener

service railgun start

Test Railgun

Pre-activation

Prior to activating Railgun for the origin domain, test its connectivity and operation with the origin server.

curl -iv -o /dev/null -H "cf-setopt-wan-id: rg-WANIDHERE.port2408.net:2408" example.com -L
rg-diag -decode='d886bcd70a 0.31 0.041705 0030 5f99'
   Compression ratio 0.31%
     Railgun version 5f99
        Railgun Flag rg-sender sent dictionary
        Railgun Flag rg-listener found dictionary

Post-activation

curl -X GET "https://api.cloudflare.com/client/v4/zones/:zone_identifier/railguns/:identifier/diagnose" -H "X-Auth-Email: user@example.com" -H "X-Auth-Key: API_KEY" -H "Content-Type: application/json" | python -m json.tool

{
    "errors": [],
    "messages": [],
    "result": {
        "body_hash": "cf6d8b065bfe2d47f15072cf2ae9dc12dcc70645",
        "body_size": "33319 bytes",
        "cf-cache-status": "",
        "cf-railgun": "6cfb707456 stream 0.000000 0210 5f99",
        "cf-ray": "1f7b9a7e2aee11f5-SJC",
        "cf-wan-error": "",
        "cloudflare": "on",
        "connection_close": "false",
        "elapsed_time": "0.152064s",
        "method": "GET",
        "missing_headers": null,
        "ord": "4 Silicon Valley (sv1)",
        "protocol": "HTTP/1.1",
        "railgun": "on",
        "response_status": "200 OK",
        "transfer_encoding": "chunked",
        "url": "https://www.example.com"
    },
    "success": true
}
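As an added example, not part of the gist: a small bash helper that pulls the cf-railgun header out of a captured response and splits it into the fields rg-diag decodes above (compression ratio or "stream", flags, version), usable for both the pre-activation and post-activation checks. Reading field 1 as a request id and field 3 as a timing is an assumption; the sample response is constructed.

```bash
#!/bin/bash
# Added example, not from the gist: pull the cf-railgun header out of a captured
# `curl -I` response and split it into the fields rg-diag decodes (compression
# ratio or "stream", flags, version). Treating field 1 as a request id and field 3
# as a timing is an assumption; the sample response below is constructed.

# Print "mode ratio flags version" for one header value; fail unless it has the
# five whitespace-separated fields seen in the guide, with 4-hex-digit flags/version.
parse_cf_railgun() {
    local id mode origin_time flags version extra hex4='^[0-9a-fA-F]{4}$' dec='^[0-9]+\.[0-9]+$'
    read -r id mode origin_time flags version extra <<<"$1"
    [[ -n $version && -z $extra && $flags =~ $hex4 && $version =~ $hex4 ]] || return 1
    if [[ $mode == stream ]]; then
        printf 'stream - %s %s\n' "$flags" "$version"
    elif [[ $mode =~ $dec ]]; then
        printf 'compressed %s%% %s %s\n' "$mode" "$flags" "$version"
    else
        return 1
    fi
}

# Read raw response headers on stdin (CRLF tolerated, header name case-insensitive)
# and print the cf-railgun value, or fail if the request never traversed Railgun.
cf_railgun_header() {
    local line
    while IFS= read -r line; do
        line=${line%$'\r'}
        if [[ ${line,,} == cf-railgun:* ]]; then
            line=${line#*:}
            printf '%s\n' "${line# }"
            return 0
        fi
    done
    return 1
}

# Usage: curl -sI https://www.example.com | railgun_status
railgun_status() {
    local value
    value=$(cf_railgun_header) || { echo 'no cf-railgun header in response' >&2; return 1; }
    parse_cf_railgun "$value"
}

# Constructed sample: cf-railgun and cf-ray values copied from the guide's examples.
SAMPLE_HEADERS=$'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCF-RAY: 1f7b9a7e2aee11f5-SJC\r\ncf-railgun: d886bcd70a 0.31 0.041705 0030 5f99\r\n\r\n'
```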

Enable HTTPS redirection Page Rule

Redirect all HTTP requests for the origin domain to HTTPS by adding an Always Use HTTPS Page Rule for this URL pattern:

http://*example.com/*

Enable HSTS

Enable HSTS for the origin domain associated with the Railgun on the CloudFlare Crypto panel.

Important Note: Once HSTS is enabled for a domain, HTTPS service must stay available. If it is turned off, browsers that have cached the policy will refuse to load the site until HTTPS is re-enabled or the HSTS policy expires.

@suzannealdrich (Author)

  • The most difficult aspect of setting up Railgun for a particular server configuration may be all the disparate sources of information from which to draw best practices. The CloudFlare documentation for installing Railgun presents instructions for all flavors of Linux mixed together, requiring extra effort to filter out the relevant bits.
  • Best practices on generating ECC certs and configuring server ciphers are not widespread.
  • Railgun 4 does not work in conjunction with HSTS, producing handshake errors in my testing. Installing the latest Railgun 5 solves this issue.
