Nginx mail server. Setting up NGINX as a mail proxy. A proxy close to the target audience


Nginx is a small, very fast and fairly functional web server and mail proxy server developed by Igor Sysoev (rambler.ru). Thanks to its very low consumption of system resources, its speed and its flexible configuration, nginx is often used as a frontend to heavier servers, such as Apache, in high-load projects. The classic arrangement is the chain Nginx - Apache - FastCGI. In such a scheme nginx accepts all requests that arrive over HTTP and, depending on the configuration and the request itself, decides whether to process the request itself and return a ready response to the client, or to pass the request to one of the backends (Apache or FastCGI) for processing.

As is known, the Apache server handles each request in a separate process (thread), and each of them, it must be said, consumes a considerable amount of system resources. If there are 10-20 such processes, that is nothing, but if there are 100-500 or more, the system is no longer having fun.

Let's imagine such a situation. Say 300 HTTP requests from clients arrive at Apache; 150 clients sit on fast leased lines, and the other 150 on comparatively slow Internet channels, even if not on modems. What happens in this situation? The Apache web server, to process these 300 connections, creates a process (thread) for each of them. It generates the content quickly, and the 150 fast clients immediately take the result of their requests; the processes that served them are killed and the resources are freed. The 150 slow clients take the results of their requests slowly, through a narrow Internet channel, so 150 Apache processes hang in the system waiting for the clients to take the content generated by the web server, devouring a lot of system resources. Obviously the situation is hypothetical, but I think the essence is clear. Nginx helps to correct the situation described above. Having read the entire request from the client, it passes it to Apache for processing; Apache generates the content, returns the ready response to Nginx as quickly as possible, and can then, with a clear conscience, kill the process and free the system resources it occupied. The Nginx web server, having received the result of the request from Apache, writes it to a buffer or even to a file on disk and can give it to slow clients for as long as needed, while its worker processes use so few resources that .. "it's funny to talk about it" ©. :) Such a scheme saves system resources significantly. I repeat, Nginx worker processes consume a tiny amount of resources, and this matters all the more for large projects.

And this is only a small part of what the Nginx server can do; do not forget about its ability to cache data and to work with memcached. Here is a list of the main features of the Nginx web server.

Nginx server functionality as HTTP server

  • Serving static content, index files and directory listings, cache of open file descriptors;
  • Accelerated proxying with caching, load balancing and fault tolerance;
  • Accelerated support for FastCGI servers with caching, load balancing and fault tolerance;
  • Modular structure, support for various filters (SSI, XSLT, GZIP, resuming downloads, chunked responses);
  • SSL support and TLS SNI extension;
  • ip-based or name-based virtual servers;
  • Support for KeepAlive and pipelined connections;
  • Ability to configure any timeouts and the number of buffers, on par with the Apache server;
  • Performing different actions depending on the client's address;
  • Rewriting URIs with regular expressions;
  • Custom error pages for 4xx and 5xx;
  • Access restriction based on the client's address or a password;
  • Configurable log file formats; log rotation;
  • Limiting the response rate to the client;
  • Limiting the number of simultaneous connections and requests;
  • Support for PUT, DELETE, MKCOL, COPY and MOVE methods;
  • Changing settings and upgrading the server without stopping it;
  • Embedded Perl;

Nginx server functionality as a mail proxy server

  • Forwarding to an IMAP/POP3 backend using an external HTTP authentication server;
  • Checking the user's SMTP credentials on an external HTTP authentication server and forwarding to an internal SMTP server;
  • Support for the following authentication methods:
    • POP3 - USER/PASS, APOP, AUTH LOGIN/PLAIN/CRAM-MD5;
    • IMAP - LOGIN, AUTH LOGIN/PLAIN/CRAM-MD5;
    • SMTP - AUTH LOGIN/PLAIN/CRAM-MD5;
  • SSL support;
  • STARTTLS and STLS support;

Operating systems and platforms supported by the Nginx web server

  • FreeBSD 3 to 8 - i386 and amd64 platforms;
  • Linux from 2.2 to 2.6 - i386 platform; Linux 2.6 - amd64;
  • Solaris 9 - i386 and sun4u platforms; Solaris 10 - i386, amd64 and sun4v platforms;
  • MacOS X - ppc and i386 platforms;
  • Windows XP, Windows Server 2003 (currently in beta testing stage);

Architecture and scalability of the Nginx server

  • One main (master) process and several worker processes (the number is set in the configuration file), which run as an unprivileged user;
  • Support for the following connection-processing methods:
    • select - the standard method. The corresponding Nginx module is built automatically if no more efficient method is found on the platform. You can force the module to be built or left out with the configure parameters --with-select_module or --without-select_module.
    • poll - the standard method. The corresponding Nginx module is built automatically if no more efficient method is found on the platform. You can force the module to be built or left out with the configure parameters --with-poll_module or --without-poll_module.
    • kqueue - an efficient method used on FreeBSD 4.1+, OpenBSD 2.9+, NetBSD 2.0 and MacOS X.
    • epoll - an efficient method used on Linux 2.6+. Some distributions, for example SuSE 8.2, have patches to support epoll with the 2.4 kernel.
    • rtsig - real time signals, an efficient method used on Linux 2.2.19+. By default, no more than 1024 signals can be queued for the entire system. This is not enough for high-load servers, so the queue size has to be increased with the kernel parameter /proc/sys/kernel/rtsig-max. However, starting with Linux 2.6.6-mm2 this parameter no longer exists; instead each process has its own signal queue, whose size is set with RLIMIT_SIGPENDING. When the queue overflows, nginx drops it and processes connections with the poll method until the situation returns to normal.
    • /dev/poll - an efficient method supported on Solaris 7 11/99+, HP/UX 11.22+ (eventport), IRIX 6.5.15+ and Tru64 UNIX 5.1A+.
    • eventport - event ports, an efficient method used on Solaris 10. Before using it, a patch must be installed to avoid a kernel panic.
  • Use of kqueue features such as EV_CLEAR, EV_DISABLE (for temporarily disabling an event), NOTE_LOWAT, EV_EOF, the number of available data, error codes;
  • Working with sendfile (FreeBSD 3.1+, Linux 2.2+, Mac OS X 10.5+), sendfile64 (Linux 2.4.21+) and sendfilev (Solaris 8 7/01+);
  • Support for accept filters (FreeBSD 4.1+) and TCP_DEFER_ACCEPT (Linux 2.4+);
  • 10,000 inactive HTTP keep-alive connections use approximately 2.5M of memory;
  • Minimum number of data copy operations;

NGINX can be used not only as a web server or HTTP proxy, but also for proxying mail over the SMTP, IMAP and POP3 protocols. This makes it possible to set up:

  • A single entry point for a scalable mail system.
  • Load balancing between mail servers.

The setup in this article is done on the Linux operating system. As the mail service to which requests are forwarded, you can use postfix, exim, dovecot, exchange, iredmail and others.

Principle of operation

NGINX accepts requests and performs authentication against a web server. Depending on the result of checking the login and password, a response with several headers is returned.

On success:

Thus, the server and port of the mail server are determined based on the authentication. This gives many possibilities if you have the appropriate knowledge of programming languages.

On failure:

Depending on the authentication result and the headers, the client is redirected to the required mail server.

Server preparation

Let's make some changes to the server's security settings.

SELinux

Disable SELinux if you are using CentOS, or if this security system is in use on Ubuntu:

vi /etc/selinux/config

SELINUX=disabled

Firewall

If firewalld is used (the default on CentOS):

firewall-cmd --permanent --add-port=25/tcp --add-port=110/tcp --add-port=143/tcp

firewall-cmd --reload

If iptables is used (the default on Ubuntu):

iptables -A INPUT -p tcp --dport 25 -j ACCEPT

iptables -A INPUT -p tcp --dport 110 -j ACCEPT

iptables -A INPUT -p tcp --dport 143 -j ACCEPT

apt-get install iptables-persistent

iptables-save > /etc/iptables/rules.v4

* in this example SMTP (25), POP3 (110) and IMAP (143) were allowed.

Installing NGINX

Depending on the operating system, the installation of NGINX differs slightly.

On Linux CentOS:

yum install nginx

On Linux Ubuntu:

apt install nginx

Enable the service to start automatically and start it:

systemctl enable nginx

systemctl start nginx

If NGINX is already installed on the system, check which modules it was built with:

We get a list of the options the web server was built with; among them we should see --with-mail. If the required module is missing, nginx needs to be updated.

Configuring NGINX

Open the nginx configuration file and add the mail section:

vi /etc/nginx/nginx.conf

mail {

    auth_http localhost:80/auth.php;

    server {
        listen 25;
        protocol smtp;
        smtp_auth login plain cram-md5;
    }

    server {
        listen 110;
        protocol pop3;

    }

    server {
        listen 143;
        protocol imap;
    }
}

* where:

  • server_name - the name of the mail server, which is shown in the SMTP greeting.
  • auth_http - the web server and URL for the authentication request.
  • proxy_pass_error_message - allows or forbids showing the message on failed authentication.
  • listen - the port on which requests are listened for.
  • protocol - the application protocol for which the port is listened on.
  • smtp_auth - available authentication methods for SMTP.
  • pop3_auth - available authentication methods for POP3.

Add the following to the server section inside http:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    ...

    location ~ \.php$ {
        set $root_path /usr/share/nginx/html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $root_path$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_param DOCUMENT_ROOT $root_path;
    }
...

Restart the nginx server:

systemctl restart nginx

Installing and configuring PHP

To perform authentication with PHP, the following packages must be installed on the system.

On CentOS:

yum install php php-fpm

On Ubuntu:

apt-get install php php-fpm

Run PHP-FPM:

systemctl enable php-fpm

systemctl start php-fpm

Authentication

The login and password check is performed by a script, the path to which is set by the auth_http option. In our example it is a PHP script.

An example of the official template for the login and password verification script:

vi /usr/share/nginx/html/auth.php

* this script accepts any login and password and redirects requests to the servers 192.168.1.22 and 192.168.1.33. To set the authentication algorithm, edit lines 61 - 64. Lines 73 - 77 are responsible for returning the server to which the redirect goes: in this example, if the login begins with the character "a", "c", "f" or "g", the redirect goes to the server mailhost01, otherwise to mailhost02. The mapping of server names to IP addresses is set on lines 31, 32; otherwise the lookup goes by domain name.

Configuring the mail server

Data exchange between the NGINX proxy and the mail server goes in the clear. The mail server must therefore be allowed to accept authentication with the PLAIN mechanism. For example, for dovecot, do the following:

vi /etc/dovecot/conf.d/10-auth.conf

Add the lines:

remote 192.168.1.11 {
    disable_plaintext_auth = no
}

* in this example PLAIN authentication requests were allowed from the server 192.168.1.11.

We also check:

* if ssl is set to required, the check will not work, since it turns out that on the one hand the server allows requests in the clear, but on the other requires ssl encryption.

Restart Dovecot service:

systemctl restart dovecot

Configuring the client

Now we can move on to checking our proxy settings. To do this, in the client settings specify the address or name of the nginx server as the IMAP / POP3 / SMTP server, for example:

* in this example the mail client is configured to connect to the server 192.168.1.11 on the open ports 143 (IMAP) and 25 (SMTP).

Encryption

Now let's set up an SSL connection. Nginx must be built with the mail_ssl_module module; this is checked with the command:

If the required module is missing, nginx has to be rebuilt.

Then we edit our configuration file:

vi /etc/nginx/nginx.conf

mail {
    server_name mail.domain.local;
    auth_http localhost/auth.php;

    proxy_pass_error_message on;

    ssl on;
    ssl_certificate /etc/ssl/nginx/public.crt;
    ssl_certificate_key /etc/ssl/nginx/private.key;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    server {
        listen 110;
        protocol pop3;
        pop3_auth plain apop cram-md5;
    }

    server {
        listen 143;
        protocol imap;
    }
}

The reason is the SELinux security system.

Solution: disable or configure SELinux.

Nginx is gaining popularity at a rapid pace, turning from a mere accelerator of static content for Apache into a full-featured and mature web server that is used on its own more and more often. In this article we'll talk about interesting and non-standard scenarios for using nginx that let you get the most out of the web server.

Mail proxy

Let's start with the most obvious: the ability of nginx to act as a mail proxy. This function has been in nginx from the start and is used in production. Be that as it may, nginx supports proxying the POP3, IMAP and SMTP protocols with different authentication methods, including SSL and StartTLS, and does this easily.

Why is this needed? There are at least two uses for this functionality. First: use nginx as a shield against annoying spammers who try to send junk mail through our SMTP server. Usually spammers do not create many problems, since they are easily rejected at the authentication stage; however, when there are really many of them, nginx helps to save processor resources. Second: use nginx to redirect users to several POP3/IMAP mail servers. Of course, another mail proxy could handle this too, but why fence in a whole garden of servers if nginx is already installed on the frontend to serve static content over HTTP, for example?

The mail proxy in nginx is not quite standard. It uses an additional authentication layer implemented over HTTP, and only if the user gets past this barrier is the connection passed further. This functionality is provided by creating a page/script to which nginx hands the user's data and which returns either the standard OK or a refusal reason (such as "Invalid login or password"). The script is invoked with the following headers:

Authentication script input data
HTTP_AUTH_USER: user
HTTP_AUTH_PASS: password
HTTP_AUTH_PROTOCOL: mail protocol (IMAP, POP3 or SMTP)

And it returns the following:

HTTP_AUTH_STATUS: OK or refusal reason
HTTP_AUTH_SERVER: real mail server to redirect to
HTTP_AUTH_PORT: server port

A remarkable feature of this approach is that it can be used not for authentication itself at all, but to scatter users across different internal servers, depending on the user name, on data about the current load on the mail servers, or simply by organizing the simplest load balancing with round-robin. However, if you only need to pass users on to an internal mail server, you can replace the real script with a stub implemented by nginx itself. For example, the simplest SMTP and IMAP proxy in the nginx configuration will look like this:

# vi /etc/nginx/nginx.conf
mail {
    # Address of the authentication script
    auth_http localhost:8080/auth;

    # Disable the XCLIENT command sent to the mail server
    xclient off;

    # IMAP server
    server {
        listen 143;
        protocol imap;
        proxy on;
    }

    # SMTP server
    server {
        listen 25;
        protocol smtp;
        proxy on;
    }
}

# vi /etc/nginx/nginx.conf
http {
    # Map to the required mail server port depending on the protocol sent in the HTTP_AUTH_PROTOCOL header
    map $http_auth_protocol $mailport {
        default 25;
        smtp 25;
        imap 143;
    }

    # Implementation of the authentication "script": always return OK and redirect the user to the internal mail server, setting the required port with the mapping above
    server {
        listen 8080;
        location /auth {
            add_header "Auth-Status" "OK";
            add_header "Auth-Server" "192.168.0. ;
            add_header "Auth-Port" $mailport;
            return 200;
        }
    }
}

That's all. This configuration transparently redirects users to the internal mail server without the overhead of a script that is unnecessary in this case. With a script, this configuration can be extended significantly: set up load balancing, check users against an LDAP database and perform other operations. Writing the script is beyond the scope of this article, but it is very easy to implement with even superficial knowledge of PHP and Python.
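A minimal auth_http backend of the kind described above and in the earlier notes on auth.php, as an added Python example rather than the article's own script: it verifies the password first, then applies the page's routing rule (logins starting with "a", "c", "f" or "g" go to mailhost01 at 192.168.1.22, all others to mailhost02 at 192.168.1.33). The sample accounts, the PBKDF2 parameters, the 3-second Auth-Wait and the backend ports are assumptions made for the example.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Backend addresses taken from the page's description of auth.php.
BACKENDS = {"mailhost01": "192.168.1.22", "mailhost02": "192.168.1.33"}
# Ports of the real mail servers per protocol (assumed: the standard ones).
PORTS = {"smtp": "25", "pop3": "110", "imap": "143"}
PBKDF2_ROUNDS = 100_000  # assumed work factor for the example
AUTH_HEADERS = ("Auth-Method", "Auth-User", "Auth-Pass", "Auth-Protocol")


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample accounts: login -> (salt, PBKDF2 hash).
USERS = {
    "alice": (b"salt-alice", hash_password("correct horse", b"salt-alice")),
    "bob": (b"salt-bob", hash_password("battery staple", b"salt-bob")),
}
# Dummy record so an unknown login costs the same hashing work as a known one.
DUMMY = (b"salt-dummy", hash_password("dummy", b"salt-dummy"))


def pick_backend(login: str) -> str:
    """Routing rule from the page: a, c, f, g -> mailhost01, else mailhost02."""
    first = login[:1]
    name = "mailhost01" if first in ("a", "c", "f", "g") else "mailhost02"
    return BACKENDS[name]


def decide(headers: dict) -> dict:
    """Turn nginx's Auth-* request headers into the Auth-* response headers."""
    method = headers.get("Auth-Method", "")
    protocol = headers.get("Auth-Protocol", "")
    # nginx percent-encodes special characters in these two headers.
    login = unquote(headers.get("Auth-User", ""))
    password = unquote(headers.get("Auth-Pass", ""))

    # Only the cleartext mechanisms give the backend a password to verify;
    # APOP and CRAM-MD5 would need the stored plaintext, so refuse them here.
    if method != "plain" or protocol not in PORTS:
        return {"Auth-Status": "Unsupported authentication", "Auth-Wait": "3"}

    salt, expected = USERS.get(login, DUMMY)
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    if not (matches and login in USERS):
        # One message for "no such user" and "wrong password"; Auth-Wait
        # tells nginx how long the client must wait before retrying.
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}

    return {
        "Auth-Status": "OK",
        "Auth-Server": pick_backend(login),  # must be an IP address
        "Auth-Port": PORTS[protocol],
    }


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        request = {name: self.headers.get(name, "") for name in AUTH_HEADERS}
        result = decide(request)
        # nginx expects 200 even for a refusal; the verdict is in Auth-Status.
        self.send_response(200)
        for name, value in result.items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Loopback only: this endpoint receives cleartext passwords from nginx.
    # Port 8080 matches "auth_http localhost:8080/auth;" in the config above.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```
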

Streaming video

Setting up ordinary video hosting based on nginx is easy. It is enough to upload the transcoded video to a directory accessible to the server, register it in the config and configure the Flash or HTML5 player so that it takes the video from that directory. However, if you need to set up continuous video broadcasting from some external source or a webcam, such a scheme will not work, and you will have to look at special streaming protocols.

There are several protocols that solve this task; the most efficient and best supported of them is RTMP. The trouble is that all RTMP server implementations suffer from problems. The official Adobe Flash Media Server is paid. Red5 and Wowza are written in Java and so do not give the necessary performance; another implementation, Erlyvideo, is written in Erlang, which is good for a cluster setup but not so efficient for a single server.

I suggest another approach: use the RTMP module for nginx. It has excellent performance and also lets you use one server to serve both the site's web interface and the video stream. The only problem is that this module is unofficial, so you have to build nginx with it yourself. Fortunately, the build is done in the standard way:

$ sudo apt-get remove nginx
$ cd /tmp
$ wget http://bit.ly/VyK0lU -O nginx-rtmp.zip
$ unzip nginx-rtmp.zip
$ wget http://nginx.org/download/nginx-1.2.6.tar.gz
$ tar -xzf nginx-1.2.6.tar.gz
$ cd nginx-1.2.6
$ ./configure --add-module=/tmp/nginx-rtmp-module-master
$ make
$ sudo make install

Now the module needs to be configured. This is done, as always, through the nginx config:

rtmp {
    # Enable the broadcast server on port 1935 at the address site/rtmp
    server {
        listen 1935;
        application rtmp {
            live on;
        }
    }
}

The RTMP module cannot work in a multi-process configuration, so the number of nginx worker processes has to be reduced to one (later I'll tell you how to get around this problem):

worker_processes 1;

Now you can save the file and make nginx re-read the configuration. The nginx setup is complete, but we do not have the video stream itself yet, so we need to get it from somewhere. For example, let it be the file video.avi in the current directory. To turn it into a stream and wrap it into our RTMP broadcaster, let's use good old FFmpeg:

# ffmpeg -re -i ~/video.avi -c copy -f flv rtmp://localhost/rtmp/stream

If the video file is not in H264 format, it has to be re-encoded. This can be done on the fly with the same FFmpeg:

# ffmpeg -re -i ~/video.avi -c:v libx264 -c:a libfaac -ar 44100 -ac 2 -f flv rtmp://localhost/rtmp/stream

The stream can also be captured directly from a webcam:

# ffmpeg -f video4linux2 -i /dev/video0 -c:v libx264 -an -f flv rtmp://localhost/rtmp/stream

To view the stream on the client side, you can use any player with RTMP support, for example mplayer:

$ mplayer rtmp://example.com/rtmp/stream

Or you can embed the player directly in a web page served by the same nginx (an example from the official documentation):

The simplest web RTMP player

There are only two important lines here: "file: "stream"", which indicates the RTMP stream, and "streamer: "rtmp://localhost/rtmp"", which specifies the address of the RTMP streamer. For most tasks such settings will be quite enough. Several different streams can be run at one address, and nginx multiplexes them efficiently between clients. But this is far from everything the RTMP module is capable of. With its help you can, for example, relay a video stream from another server. FFmpeg is not needed for this at all; it is enough to add the following lines to the config:

# vi /etc/nginx/nginx.conf
application rtmp {
    live on;
    pull rtmp://rtmp.example.com;
}

If you need to create several streams in different quality, you can call the FFmpeg transcoder directly from nginx:

# vi /etc/nginx/nginx.conf
application rtmp {
    live on;
    exec ffmpeg -i rtmp://localhost/rtmp/$name -c:v flv -c:a -s 320x240 -f flv rtmp://localhost/rtmp-320x240/$name;
}
application rtmp-320x240 {
    live on;
}

With this configuration we get two broadcasters at once, one of which is available at rtmp://site/rtmp and the other, which broadcasts in 320x240 quality, at rtmp://site/rtmp-320x240. Then you can add a flash player to the site together with quality selection buttons that hand the player one broadcaster address or the other.

And finally, an example of broadcasting music to the network:

while true; do ffmpeg -re -i "`find /var/music -type f -name "*.mp3"|sort -R|head -n 1`" -vn -c:a libfaac -ar 44100 -ac 2 -f flv rtmp://localhost/rtmp/stream; done

Git proxy

The Git version control system can provide access to repositories not only over the Git and SSH protocols but also over HTTP. Previously the implementation of HTTP access was primitive and unable to provide full-fledged work with the repository. Since version 1.6.6 the situation has changed, and today this protocol can be used, for example, to get around firewall restrictions on either side of the connection, or to create your own Git hosting with a web interface.

Unfortunately, the official documentation only describes setting up access to Git with the Apache web server, but since the implementation itself is an external program with a standard CGI interface, it can be attached to practically any other server, including lighttpd and, of course, nginx. This requires nothing but the server itself, an installed Git and the small FastCGI server fcgiwrap, which is needed because nginx cannot work with CGI directly but can call scripts over the FastCGI protocol.

The whole scheme works like this. The fcgiwrap server hangs in the background and waits for a request to execute a CGI application. Nginx, in turn, is configured to request execution of the git-http-backend CGI binary through the FastCGI interface every time the address we specify is accessed. Having received the request, fcgiwrap executes git-http-backend with the CGI arguments passed by the Git client and returns the result.

To implement such a scheme, first install fcgiwrap:

$ sudo apt-get install fcgiwrap

There is no need to configure it; all parameters are passed over the FastCGI protocol. It is also started automatically. So all that remains is to configure nginx. To do this, create the file /etc/nginx/sites-enabled/git (if there is no such directory, you can write to the main config) and put the following into it:

# vi /etc/nginx/sites-enabled/git
server {
    # Listen on port 8080
    listen 8080;
    # Address of our server (do not forget to add a DNS entry)
    server_name git.example.ru;
    # Logs
    access_log /var/log/nginx/git-http-backend.access.log;
    error_log /var/log/nginx/git-http-backend.error.log;

    # Address for anonymous access
    location / {
        # Upload attempts are rewritten to the private address
        if ($arg_service ~* "git-receive-pack") {
            rewrite ^ /private$uri last;
        }
        include /etc/nginx/fastcgi_params;
        # Address of our git-http-backend
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        # Address of the Git repository
        fastcgi_param GIT_PROJECT_ROOT /srv/git;
        # Address of the file
        fastcgi_param PATH_INFO $uri;
        # Address of the fcgiwrap server
        fastcgi_pass 127.0.0.1:9001;
    }

    # Address for write access
    location ~ /private(/.*)$ {
        # User credentials
        auth_basic "git anonymous read-only, authenticated write";
        # HTTP authentication based on htpasswd
        auth_basic_user_file /etc/nginx/htpasswd;
        # FastCGI settings
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
        fastcgi_param GIT_PROJECT_ROOT /srv/git;
        fastcgi_param PATH_INFO $1;
        fastcgi_pass 127.0.0.1:9001;
    }
}

This config assumes three important things:

  1. The repositories are located in /srv/git, so set the appropriate access rights:
     $ sudo chown -R www-data:www-data /srv/git
  2. The repository itself must be open for reading by anonymous users and allow uploads over HTTP:
     $ cd /srv/git
     $ git config core.sharedrepository true
  3. Authentication is performed with an htpasswd file; you need to create it and add users to it:
     $ sudo apt-get install apache2-utils
     $ htpasswd -c /etc/nginx/htpasswd user1

That's all, reload nginx:

Microcache

Imagine a situation with a dynamic, frequently updated site that suddenly starts to receive very high load (say, after landing on the page of one of the largest news sites) and stops coping with serving content. Proper optimization and the implementation of a correct caching scheme will take a long time, while the problems need to be solved right now. What can we do?

There are several ways to get out of this situation with the least losses, and one idea was proposed by Fenn Bailey (fennb.com). The idea is simply to put nginx in front of the server and make it cache all the content that is transmitted, but not just cache it: cache it for only one second. The trick is that hundreds and thousands of visitors to the site per second will in fact generate only one request to the backend, with most of them receiving a cached page. At the same time hardly anyone will notice the difference, because even on a dynamic site one second usually means nothing.

The config implementing this idea does not look that complicated:

# vi /etc/nginx/sites-enabled/cache-proxy
# Configure the cache
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=microcache:5m max_size=1000m;

server {
    listen 80;
    server_name example.com;

    # Cached address
    location / {
        # The cache is enabled by default
        set $no_cache "";

        # Disable the cache for all methods except GET and HEAD
        if ($request_method !~ ^(GET|HEAD)$) {
            set $no_cache "1";
        }

        # If the client uploads content to the site (no_cache = 1), make sure that the data served to it is not cached for two seconds, so that it can see the result of the upload
        if ($no_cache = "1") {
            add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
            add_header X-Microcachable "0";
        }
        if ($http_cookie ~* "_mcnc") {
            set $no_cache "1";
        }

        # Enable/disable the cache depending on the state of the no_cache variable
        proxy_no_cache $no_cache;
        proxy_cache_bypass $no_cache;

        # Proxy requests to the real server
        proxy_pass http://appserver.example.ru;
        proxy_cache microcache;
        pro$y_$ request_uri;
        proxy_cache_valid 200 1s;

        # Protection against the Thundering herd problem
        proxy_cache_use_stale updating;

        # Add standard headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Do not cache files larger than 1 MB
        proxy_max_temp_file_size 1M;
    }
}

A special place in this configuration is held by the line "proxy_cache_use_stale updating;", without which we would get periodic bursts of load on the backend server from the requests that arrive while the cache is being updated. Otherwise, everything is standard and should be clear without further explanation.

Bringing the proxy closer to the target audience

Despite the worldwide increase in Internet speeds, the physical distance of the server from the target audience still plays its role. This means that if a Russian site runs on a server located somewhere in America, access to it will a priori be slower than from a Russian server with the same channel width (if, of course, we close our eyes to all other factors). On the other hand, hosting servers abroad is often more advantageous, including in terms of maintenance. So, to get the benefit in the form of higher response speeds, you have to resort to a trick.

One possible option: host the main high-performance server in the West, and deploy a frontend that is not too demanding on resources and serves static content on the territory of Russia. This lets you gain speed without serious costs. The nginx config for the frontend in this case is a simple proxy implementation familiar to all of us:

# vi /etc/nginx/sites-enabled/proxy
# Keep the cache for 30 days in 100 GB of storage
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=static:32m inactive=30d max_size=100g;

server {
    listen 80;
    server_name example.com;

    # The proxy itself
    location ~* \.(jpg|jpeg|gif|png|ico|css|midi|wav|bmp|js|swf|flv|avi|djvu|mp3)$ {
        # Backend address
        proxy_pass http://back.example.com:80;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Use the cache zone declared in proxy_cache_path
        proxy_cache static;
        proxy_cache_valid 30d;
        proxy_ignore_headers "Cache-Control" "Expires";
        proxy_cache_key "$uri$is_args$args";
        proxy_cache_lock on;
    }
}

Conclusions

Today nginx can be used to solve a great many tasks, many of which have nothing to do with a web server or the HTTP protocol. A mail proxy, a streaming server and a Git interface are only a few of these tasks.

iRedMail is a ready-made mail server build with open source code. The build is based on the Postfix SMTP server (Mail Transfer Agent, MTA for short). The build also includes: Dovecot, SpamAssassin, Greylist, ClamAV, SOGo, Roundcube, NetData and NGINX.

Dovecot - IMAP/POP3 server.

Spamassassin - spam filtering.

Greylist - a means of fighting spam based on greylists.

ClamAV - antivirus.

Roundcube and SOGo - web clients for working with e-mail.

NetData - a program for monitoring the server in real time.

Nginx - web server.

Supported operating systems: CentOS 7, Debian 9, Ubuntu 16.04/18.04, FreeBSD 11/12 and OpenBSD 6.4.

iRedMail has paid and free versions, which differ from each other in the functionality of the build's own web interface, iRedAdmin. In the free version you can only create domains and the mailboxes of users and administrators. If you need to create an alias, you will not be able to do it in the free version via iRedAdmin. Fortunately, there is a free solution called PostfixAdmin that makes this possible. PostfixAdmin integrates easily into iRedMail and works well with it.

Installation

For installation we need one of the operating systems listed above. I will be using Ubuntu Server 18.04. You also need to have bought a domain name and configured the DNS zone. If you use the DNS servers of your domain registrar, you need to create two records in the domain zone management section: A and MX. You can also use your own DNS by setting up delegation in your account at your domain name registrar.

Configuring the domain zone when using the registrar's DNS

Please note! DNS settings take from a few hours to one week to take effect. Until the settings take effect, the mail server will not work correctly.

To install, download the current version from the iRedMail site. At the moment it is 0.9.9.

# wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.9.tar.bz2

Let's unpack the archive.

# tar xjf iRedMail-0.9.9.tar.bz2

Unpacking the archive

And go to the created folder.

# cd iRedMail-0.9.9

Folder with iRedMail installer

Check the contents of the folder.

Folder contents

And run the iRedMail installation script.

# bash iRedMail.sh

The installation of the mail system will start. During the installation you will need to answer a number of questions. Agree to start the installation.

Start of installation

Select installation directory

Now you need to select a web server. The choice is small, so choose NGINX.

Select web server

Now you need to select the database server that will be installed and configured to work with the mail system. Choose MariaDB.

Select database server

Set the root password for the database.

Creating the database root password

Now we specify our mail domain.

Mail domain creation

Create a password for the administrator's mailbox [email protected] domain.ru.

Mail administrator password creation

Select Web Components

Confirm the settings.

Confirming the settings

The installation is running.

Installation

After the installation is completed, confirm the creation of the iptables rule for SSH and restart the firewall. iRedMail works with iptables. In Ubuntu, the most commonly used firewall management utility is UFW. If for some reason you need it, install UFW (apt install ufw) and add rules so that UFW does not block the mail server (example: ufw allow "nginx full" or ufw allow Postfix). You can view the list of available rules with the command: ufw app list. Then enable UFW: ufw enable.

Creating an iptables rule

Firewall restart

This completes the iRedMail installation. The system gave us the addresses of the web interfaces and the login credentials. To start all components of the mail system, you need to reboot the server.

Completion of installation

Let's reboot.

# reboot

Configuration

First, you need to make sure that everything works. Let's try to go to the iRedAdmin login panel at https://domain/iredadmin. The login is [email protected] domain.ru, the password was created during installation. A Russian interface is available.

As you can see, everything works. When entering iRedAdmin you most likely received a security error related to the certificate. This is because iRedMail ships with a built-in self-signed certificate, which the browser complains about. To solve this problem, you need to install a valid SSL certificate. If you have a purchased one, you can install it. In this example, I will install a free SSL certificate from Let's Encrypt.

Installing Let's Encrypt SSL Certificate

We will install the certificate using the certbot utility. First, add the repository.

# add-apt-repository ppa:certbot/certbot

Let's install certbot itself with the necessary components.

# apt install python-certbot-nginx

Obtain the certificate.

# certbot --nginx -d domain.ru

When you run the command, the system will ask you to enter an email address; enter it. After that you will most likely get an error saying that it is impossible to find the server block for which the certificate is generated. In this situation this is normal, since we do not have any server block. For us, the main thing is to obtain the certificate.

Obtaining the certificate

As you can see, the certificate was successfully obtained and the system showed us the paths to the certificate itself and to the key. They are exactly what we need. We received 4 files, which are stored in the folder "/etc/letsencrypt/live/domain". Now we need to tell the web server about our certificate, that is, replace the built-in certificate with the one we have just obtained. To do this, we need to edit only one file.

# nano /etc/nginx/templates/ssl.tmpl

And change the last two lines in it.

Replace SSL certificate

We change the paths in the file to the paths the system gave us when the certificate was obtained.

SSL certificate replacement

And restart NGINX.

# service nginx restart

Now try to log in to iRedAdmin again.

Rechecking the SSL certificate

The certificate error is gone. The certificate is valid. You can click on the padlock and look at its properties. When the certificate expires, certbot should renew it automatically.

Now let's deal with the certificates for Dovecot and Postfix. For this we edit two configuration files. Run:

# nano /etc/dovecot/dovecot.conf

Find the block:

#SSL: Global settings.

And change the certificate specified in it to ours.

Replacing a certificate for Dovecot

Also pay attention to the "ssl_protocols" row. Please consider removing it from ssl_protocols when restarting Dovecot.

# nano /etc/postfix/main.cf

Find the block:

# SSL key, certificate, CA

And change the paths in it to the files of our certificate.

Change certificate for Postfix

This completes the installation of the certificate. You need to restart Dovecot and Postfix, or better yet, reboot the server.

# service dovecot restart

# reboot

Installing PHPMyAdmin

This step is optional, but I recommend completing it and installing PHPMyAdmin for convenient work with databases.

# apt install phpmyadmin

The installer asks which web server PHPMyAdmin should be configured for; since NGINX is not on the list, just press TAB and move on.

Installing PHPMyAdmin

After the installation is completed, for phpmyadmin to work you need to create a symlink in the directory that NGINX works with by default.

# ln -s /usr/share/phpmyadmin /var/www/html

And try to go to https://domain/phpmyadmin/

PHPMyAdmin works. The connection is protected by the certificate and there are no errors. Let's move on and create a MySQL (MariaDB) database administrator.

# mysql

We are now in the MariaDB management console. Run the following commands one by one:

MariaDB > CREATE USER "admin"@"localhost" IDENTIFIED BY "password";
MariaDB > GRANT ALL PRIVILEGES ON *.* TO "admin"@"localhost" WITH GRANT OPTION;
MariaDB > FLUSH PRIVILEGES;

Creating a MySQL user

Everything is OK, the login succeeded. PHPMyAdmin is ready to use.

Installing PostfixAdmin

PostfixAdmin, like PHPMyAdmin, is in principle optional. The mail server works perfectly well without these components. However, without it you cannot create mail aliases. If you don't need them, you can safely skip this section. If you still need aliases, you have two options: buying the paid version of iRedAdmin or installing PostfixAdmin. Of course, you can do without additional software by writing aliases into the database manually, but this is inconvenient and not for everyone. I recommend using PostfixAdmin, which we will now install and integrate with iRedMail. Let's start the installation:

# apt install postfixadmin

Agree and create a password for the program's system database.

Installing PostfixAdmin

Installing PostfixAdmin

Create a symlink, as we did when installing PHPMyAdmin.

# ln -s /usr/share/postfixadmin /var/www/html

Make the user that the web server runs as the owner of the directory. In our case, NGINX runs as the www-data user.

# chown -R www-data /usr/share/postfixadmin

Now we need to edit the PostfixAdmin configuration file and add to it the information about the database that iRedAdmin uses. By default, this database is called vmail. If you go to PHPMyAdmin, you can see it there. So, in order for PostfixAdmin to be able to make changes to the database, we specify it in the PostfixAdmin configuration.

# nano /etc/postfixadmin/config.inc.php

Find the lines:

$CONF["database_type"] = $dbtype;
$CONF["database_host"] = $dbserver;
$CONF["database_user"] = $dbuser;
$CONF["database_password"] = $dbpass;
$CONF["database_name"] = $dbname;

And change them to:

$CONF["database_type"] = "mysqli"; # Database type
$CONF["database_host"] = "localhost"; # Database server host
$CONF["database_user"] = "admin"; # Login with write access to the vmail database. You can use the admin created earlier
$CONF["database_password"] = "password"; # Password of the user specified above
$CONF["database_name"] = "vmail"; # Name of the iRedMail database

Entering information about the database

If you plan to use the SOGo web mail client, you need one more step: change the PostfixAdmin encryption in the $CONF["encrypt"] parameter from "md5crypt" to "dovecot:SHA512-CRYPT". If you do not do this, then when you try to log in to SOGo as a user created in PostfixAdmin, you will get an incorrect login or password error.

Changing the encryption type

Now, in order to complete the installation successfully and without errors, you need to run a query against the database. It is convenient to do this through PHPMyAdmin. Select the vmail database and go to the SQL tab. In the window, enter:

DROP INDEX domain on mailbox;
DROP INDEX domain on alias;
ALTER TABLE alias ADD COLUMN `goto` text NOT NULL;

Query to the database

And press "Forward". Now everything is ready; you can go to the PostfixAdmin web interface and complete the installation. To do this, type in the browser: https://domain/postfixadmin/setup.php.

The following should appear:

Installing PostfixAdmin

If everything was done according to the instructions, there should be no errors. If there are any, you must fix them, otherwise the system will not let you continue. Set the installation password and click "Generate password hash". The system will generate a hash of the password, which must be inserted into the $CONF["setup_password"] parameter.

Completing the installation of PostfixAdmin

Changing parameters in the configuration file

Now enter the newly created password and create a PostfixAdmin administrator. Do not create an administrator with the postmaster login, since there may be problems logging in to the iRedAdmin administration panel.

Creating the PostfixAdmin administrator

That's it, the administrator has been created. You can log in.

Please note that for security reasons it is better to rename or delete the setup.php file in the postfixadmin directory.

Go to https://domain/postfixadmin/ and enter the newly created credentials. PostfixAdmin, like iRedAdmin, has a Russian language option. You can select it at login.

Let's try to create a user mailbox.

Enabling/Disabling iRedMail modules

iRedAPD is responsible for managing iRedMail modules. It has a configuration file in which the working modules are registered. If you don't need a particular module, you can remove it from the configuration file and it will stop working. Run:

# nano /opt/iredapd/settings.py

Find the "plugins" line and remove the components you do not need from it. I will remove the "greylisting" component. It does protect against spam quite effectively, but needed messages often do not get through either.

Greylisting is a technology for automatic spam protection based on analysing the behaviour of the sender's mail server. When greylisting is enabled, the server refuses to accept a message from an unknown address the first time, reporting an error. In this case, the sending server must repeat the delivery later. Spam programs usually do not do this. If the message is sent again, the sender is added to the list for 30 days and from then on mail is accepted on the first attempt. Decide for yourself whether to use this module.

Enabling/disabling mail modules

After making changes, you need to restart iRedAPD.

# service iredapd restart
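
The greylisting behaviour described above, as an added Python sketch that is not iRedAPD's own code: only the 30-day listing period comes from the article, while the minimum retry delay, the pending lifetime and the SMTP reply strings are assumptions. The constructed sample events also show why wanted mail can be delayed: a retry that comes too soon, or from a different IP address of the same sender, is deferred again.

```python
from dataclasses import dataclass, field

DEFER = "451 4.7.1 Greylisted, try again later"   # assumed reply text
ACCEPT = "250 OK"
DAY = 24 * 3600


@dataclass
class Greylist:
    retry_delay: int = 300        # assumption: earliest retry that is accepted (s)
    pending_ttl: int = 2 * DAY    # assumption: how long a first attempt is remembered
    pass_ttl: int = 30 * DAY      # "added to the list for 30 days" (from the article)
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    passed: dict = field(default_factory=dict)    # triplet -> listing expiry time

    def check(self, client_ip, sender, recipient, now):
        """Decide one delivery attempt; `now` is a Unix timestamp."""
        key = (client_ip, sender.lower(), recipient.lower())
        if self.passed.get(key, 0) > now:
            return ACCEPT                       # already listed: accept at once
        self.passed.pop(key, None)              # listing expired or never existed
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.pending_ttl:
            self.pending[key] = now             # unknown triplet: defer first try
            return DEFER
        if now - first_seen < self.retry_delay:
            return DEFER                        # retried too quickly
        del self.pending[key]
        self.passed[key] = now + self.pass_ttl  # proper retry: list for 30 days
        return ACCEPT


# Constructed sample attempts: (time, client IP, sender, recipient)
TRIPLET = ("198.51.100.7", "a@example.org", "user1@example.com")
SAMPLE_EVENTS = [
    (0, *TRIPLET),                       # first contact
    (30, *TRIPLET),                      # impatient retry
    (600, *TRIPLET),                     # well-behaved retry
    (700, *TRIPLET),                     # later mail from the listed sender
    (800, "198.51.100.8", "a@example.org", "user1@example.com"),  # other pool IP
    (600 + 30 * DAY + 1, *TRIPLET),      # after the 30-day listing expired
]


def replay(events, greylist=None):
    """Return the SMTP reply code for every attempt in `events`."""
    if greylist is None:
        greylist = Greylist()
    return [greylist.check(ip, s, r, t).split()[0] for t, ip, s, r in events]


if __name__ == "__main__":
    for event, code in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event[0], event[1], code)
```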

Mail server testing

This completes the installation of the iRedMail mail server. You can proceed to the final stage, testing. Let's create two mailboxes for the check, one through iRedAdmin and the other through PostfixAdmin, and send a message from one mailbox to the other. In iRedAdmin we create the mailbox [email protected] domain.ru. In PostfixAdmin - [email protected] domain.ru

Creating a user in iRedAdmin

Creating a user in PostfixAdmin

Check that the users have been created.

If you look at the "To" column in the PostfixAdmin mailbox list, you can notice a difference between mailboxes created in iRedAdmin and in PostfixAdmin. Mailboxes created in iRedAdmin are marked as "Forward only", while those created in PostfixAdmin are marked as "Mailbox". For a long time I could not figure out why this happens and what the difference between them is, and finally I noticed one thing. Mailboxes in iRedAdmin are created without aliases, while mailboxes in PostfixAdmin are created with an alias to themselves.

If you delete these aliases, the mailboxes will be displayed like those created in iRedAdmin, that is "Forward only".

Deleting aliases

Aliases removed. Check PostfixAdmin.

As you can see, all mailboxes became "Forward only". Likewise, if you create an alias to itself for a mailbox created in iRedAdmin, it will become "Mailbox". In principle, this does not affect how the mail works. The only thing is that you will not be able to create an alias on a mailbox created in PostfixAdmin. Instead of creating an alias, you will need to edit the existing one. Speaking of aliases, in the new version of iRedMail you need to make a change to one of the Postfix maps that is responsible for aliases. If you do not do this, the created aliases will not work. To do this, the file /etc/postfix/mysql/virtual_alias_maps.cf needs to be corrected:

Run:

# nano /etc/postfix/mysql/virtual_alias_maps.cf

And fix it.

Configuring aliases

Restart Postfix:

# service postfix restart

After that, everything should work.

And so, let's proceed to checking the mail. We will log in to the user1 mailbox through Roundcube and to the user2 mailbox through SOGo, and send a message from the user1 mailbox to user2 and back.

Sending a message from Roundcube

Receiving a message in SOGo

Sending a message from SOGo

Receiving a message in Roundcube

Everything works without any problems. Message delivery takes two to five seconds. Messages are delivered just as well to the Yandex and mail.ru servers (verified).

Now let's check aliases. Let's create a mailbox user3 and make an alias from the user1 mailbox to the user2 mailbox. Then send a message from the user3 mailbox to the user1 mailbox. The message should arrive in the user2 mailbox.

Creating an alias

Sending a message from the user3 mailbox to the user1 mailbox

Receiving the message in the user2 mailbox

Aliases also work fine.

Let's test the mail server through a local mail client. As an example, we will use Mozilla Thunderbird. Let's create two more users: client1 and client2. We connect one mailbox via IMAP and the other via POP3, and send a message from one mailbox to the other.

IMAP connection

Connection via POP3

Send a message from Client 1 to Client 2.

Sending from Client 1

Receiving on Client 2

And in reverse order.

Sending from Client 2

Receiving on Client 1

Everything works.

If you go to the address https://domain/netdata, you can watch graphs of the system state.

Conclusion

This completes the installation, configuration and testing of the iRedMail mail system. As a result, we got a completely free, full-fledged mail server with a valid SSL certificate, two different web mail clients, two control panels, as well as anti-spam and anti-virus built into the mail. If you wish, instead of web mail clients you can use local mail clients, such as Microsoft Outlook or Mozilla Thunderbird. If you don't plan to use web mail clients, you can skip installing them so as not to load the server, or install only one, whichever you like more. I especially like SOGo, because its interface is optimized for mobile devices, which makes it very convenient to read e-mail from a smartphone. The same applies to NetData and iRedAdmin: if you don't plan to use them, don't install them. This mail system is not very demanding on resources. Everything runs on a VPS server with 1024 MB of RAM and one virtual processor. If you still have questions about this mail system, write in the comments.

P.S. When testing this product on various operating systems with 1 GB of RAM (Ubuntu, Debian, CentOS), it turned out that 1 GB is not enough for ClamAV to work. Almost always with 1 GB of memory the antivirus reported an error related to its database. On Debian and Ubuntu the antivirus simply did not scan the mail passing through the server, otherwise everything worked fine. On CentOS the situation was somewhat different. The clamd service hung the system completely, making normal operation of the server impossible. When trying to log in to the web interfaces, NGINX periodically returned 502 and 504 errors. Mail also went through only every other time. After increasing RAM to 2 GB, no problems with the antivirus or the server as a whole were observed in any case. ClamAV scanned the mail passing through the mail server and wrote about it in the logs. During testing, a virus in an attachment was blocked. Memory consumption was about 1.2 - 1.7 GB.

This article explains how to configure NGINX Plus or NGINX Open Source as a proxy for a mail server or an external mail service.

Introduction

NGINX can proxy the IMAP, POP3, and SMTP protocols to one of the upstream mail servers that host mail accounts, and thus can be used as a single endpoint for email clients. This may bring a number of benefits, such as:

  • easily scaling the number of mail servers
  • choosing a mail server based on different rules, for example choosing the nearest server based on a client's IP address
  • distributing the load among mail servers

Prerequisites

    NGINX Plus (already includes the mail modules necessary to proxy email traffic) or NGINX Open Source compiled with the mail modules, using the --with-mail parameter for email proxy functionality and the --with-mail_ssl_module parameter for SSL/TLS support:

    $ ./configure --with-mail --with-mail_ssl_module --with-openssl=[DIR]/openssl-1.1.1

    IMAP, POP3 and/or SMTP mail servers or an external mail service

Configuring SMTP/IMAP/POP3 Mail Proxy Servers

NGINX configuration file:

    mail {
        #...
    }

    mail {
        server_name mail.example.com;
        #...
    }

    mail {
        server_name mail.example.com;
        auth_http localhost:9000/cgi-bin/nginxauth.cgi;
        #...
    }

    Optionally, specify whether to inform the user about errors from the authentication server with the proxy_pass_error_message directive. This may be handy when a mailbox runs out of memory:

    mail {
        server_name mail.example.com;
        auth_http localhost:9000/cgi-bin/nginxauth.cgi;
        proxy_pass_error_message on;
        #...
    }

    Configure each SMTP, IMAP, or POP3 server with server blocks. For each server, specify:

    • the port number that corresponds to the specified protocol, with the listen directive
    • the protocol with the protocol directive (if not specified, will be automatically detected from the port specified in the listen directive)
    • permitted authentication methods with the imap_auth, pop3_auth, and smtp_auth directives:

    server {
        listen 25;
        protocol smtp;
        smtp_auth login plain cram-md5;
    }

    server {
        listen 110;
        protocol pop3;
        pop3_auth plain apop cram-md5;
    }

    server {
        listen 143;
        protocol imap;
    }

Setting up Authentication for a Mail Proxy

Each POP3/IMAP/SMTP request from the client will first be authenticated on an external HTTP authentication server or by an authentication script. Having an authentication server is obligatory for the NGINX mail server proxy. The server can be created by yourself in accordance with the NGINX authentication protocol, which is based on the HTTP protocol.

If authentication is successful, the authentication server will choose an upstream server and redirect the request. In this case, the response from the server will contain the following lines:

HTTP/1.0 200 OK
Auth-Status: OK
Auth-Server: <host> # the server name or IP address of the upstream server that will be used for mail processing
Auth-Port: <port> # the port of the upstream server

If authentication fails, the authentication server will return an error message. In this case, the response from the server will contain the following lines:

HTTP/1.0 200 OK
Auth-Status: <message> # an error message to be returned to the client, for example "Invalid login or password"
Auth-Wait: <count> # the number of remaining authentication attempts until the connection is closed

Note that in both cases the response will contain HTTP/1.0 200 OK which might be confusing.

To learn more about requests to and responses from the authentication server, see ngx_mail_auth_http_module in the NGINX Reference documentation.
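
An authentication server that speaks the protocol described above, as an added Python example (not code from NGINX or from this article). It listens on the localhost:9000 address used in the auth_http directive and answers any path; the account, its password and the upstream address 192.0.2.10 are constructed sample data, the limit of three attempts is an assumption, and the request headers Auth-User, Auth-Pass, Auth-Protocol and Auth-Login-Attempt are the ones listed in the ngx_mail_auth_http_module reference.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_ATTEMPTS = 3  # assumption: stop offering retries after the third failure


def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash, so the account table never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample account: user -> (salt, hash, upstream IP, protocol ports)
USERS = {
    "user1@example.com": (b"constructed-salt",
                          pw_hash("s3cretPassphrase", b"constructed-salt"),
                          "192.0.2.10", {"imap": 143, "pop3": 110, "smtp": 25}),
}
DUMMY = (b"dummy-salt", pw_hash("", b"dummy-salt"), "", {})


def authenticate(headers) -> dict:
    """Turn the Auth-* request headers sent by NGINX into Auth-* reply headers."""
    user = headers.get("Auth-User", "")
    protocol = headers.get("Auth-Protocol", "")
    try:
        attempt = int(headers.get("Auth-Login-Attempt", "1"))
    except ValueError:
        attempt = MAX_ATTEMPTS
    known = user in USERS
    salt, stored, upstream, ports = USERS.get(user, DUMMY)
    # Always run the hash, so unknown users cost the same time as known ones.
    supplied = pw_hash(headers.get("Auth-Pass", ""), salt)
    if hmac.compare_digest(supplied, stored) and known and protocol in ports:
        return {"Auth-Status": "OK", "Auth-Server": upstream,
                "Auth-Port": str(ports[protocol])}
    reply = {"Auth-Status": "Invalid login or password"}
    remaining = MAX_ATTEMPTS - attempt
    if remaining > 0:
        # Value follows the article's description (remaining attempts);
        # leaving Auth-Wait out makes NGINX close the connection.
        reply["Auth-Wait"] = str(remaining)
    return reply


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        reply = authenticate(self.headers)
        self.send_response(200)  # always 200: the verdict is in Auth-Status
        for name, value in reply.items():
            self.send_header(name, value)
        self.end_headers()


if __name__ == "__main__":
    # Bound to loopback only: the requests carry user passwords in clear text.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```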

Setting up SSL/TLS for Mail Proxy

Using POP3/SMTP/IMAP over SSL/TLS, you make sure that data passed between a client and a mail server is secured.

To enable SSL/TLS for email:

    Make sure your NGINX is configured with SSL/TLS support by typing the nginx -V command in the command line and then looking for the --with-mail_ssl_module line in the output:

    $ nginx -V
    configure arguments: ... --with-mail_ssl_module

    Make sure you have obtained server certificates and a private key and put them on the server. A certificate can be obtained from a trusted Certificate Authority (CA) or generated using an SSL library such as OpenSSL.

    ssl on;

    starttls on;

    Add SSL certificates: specify the path to the certificates (which must be in PEM format) with the ssl_certificate directive, and specify the path to the private key in the ssl_certificate_key directive:

    mail {
        #...
        ssl_certificate /etc/ssl/certs/server.crt;
        ssl_certificate_key /etc/ssl/certs/server.key;
    }

    You can use only strong versions and ciphers of SSL/TLS with the ssl_protocols and ssl_ciphers directives, or you can set your own preferable protocols and ciphers:

    mail {
        #...
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
    }

Optimizing SSL/TLS for Mail Proxy

These hints will help you make your NGINX mail proxy faster and more secure:

    Set the number of worker processes equal to the number of processors with the worker_processes directive, set on the same level as the mail context:

    worker_processes auto;
    mail {
        #...
    }

    Enable the shared session cache and disable the built-in session cache with the ssl_session_cache directive. The complete configuration:

    worker_processes auto;

    mail {
        server_name mail.example.com;
        auth_http localhost:9000/cgi-bin/nginxauth.cgi;
        proxy_pass_error_message on;

        ssl on;
        ssl_certificate /etc/ssl/certs/server.crt;
        ssl_certificate_key /etc/ssl/certs/server.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        # Shared session cache; the zone name and size here are example values
        ssl_session_cache shared:SSL:10m;

        server {
            listen 25;
            protocol smtp;
            smtp_auth login plain cram-md5;
        }

        server {
            listen 110;
            protocol pop3;
            pop3_auth plain apop cram-md5;
        }

        server {
            listen 143;
            protocol imap;
        }
    }

    In this example, there are three email proxy servers: SMTP, POP3 and IMAP. Each of the servers is configured with SSL and STARTTLS support. SSL session parameters will be cached.

    The proxy server uses the HTTP authentication server; its configuration is beyond the scope of this article. All error messages from the server will be returned to clients.

© 2022 androidas.ru - All about Android