Revision as of 06:26, July 9, 2015 by Uudruid74 (Talk | contribs) (security updates and joomla compatibility)


Summary: Robust, small and high performance http and reverse proxy server




Tengine is an Nginx fork. It supports DSO module loading, meaning it can use external modules without the need to compile them in. Tengine is a good choice for a back-end web server node. Because tengine is missing from many upstream Gentoo web-server-stack packages, emerge nginx as well, and direct the system to use nginx instead of apache to prevent apache from being pulled in.


Shared & Static Modules

Even if you want all modules installed dynamically, you still need to install some static modules. Make sure to add this to your /etc/portage/make.conf file:

/etc/portage/make.conf - Tengine all-modules build
TENGINE_SHARED_MODULES_HTTP="access addition autoindex browser charset_filter empty_gif fastcgi flv footer_filter geoip image_filter limit_conn limit_req lua map memcached mp4 random_index referer reqstat rewrite scgi secure_link slice split_clients sub sysguard tfs trim_filter upstream_ip_hash upstream_least_conn upstream_session_sticky user_agent userid_filter uwsgi xslt"
TENGINE_STATIC_MODULES_HTTP="concat dav degradation geo gunzip gzip gzip_static perl proxy realip spdy ssi ssl stub_status upstream-rbtree upstream_check upstream_consistent_hash upstream_keepalive"

External Modules

Passenger is an easy way to serve Ruby, Python, Node.js, and Meteor CMSs or web applications.

If you want to run passenger:

/etc/portage/make.conf - build the passenger module

Then merge:

# emerge tengine


Files for configuration are located at /etc/tengine

The major differing point in tengine from nginx is that you have to specifically declare which modules are loaded. Available modules are located at /var/lib/tengine/modules.

/etc/tengine/tengine.conf - DSO module statements
dso {
	load ngx_http_charset_filter_module.so;
	load ngx_http_fastcgi_module.so;
	load ngx_http_rewrite_module.so;
	load ngx_http_access_module.so; ## added because you will most likely want to use allow & deny in certain places
}

/etc/tengine/tengine.conf - make life easier
# workers run as apache:apache instead of the dedicated tengine user
#user tengine tengine;
user apache apache;
http {
	# symlinks are followed without an ownership check; if_not_owner is the stricter setting
#	disable_symlinks if_not_owner;
	disable_symlinks off;
	# ... rest of the http block ...
}


/etc/tengine/tengine.conf contains engine specific configurations.
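
Because every module has to be declared, the dso block can be checked against the module directory. The following shell script is an added example, not part of the original page or of Tengine: it compares the load lines of a dso block with the files in a module directory and flags module files writable by group or others. The function names and the sample config it builds are constructed for illustration, and it assumes the one-argument load form shown above.

```shell
# Added example, not from the wiki page: compare dso{} "load" lines with the module directory.
# Assumes the one-argument form "load <file>.so;" used on this page.
# Module files named by "load" statements inside the dso { } block of config file $1.
dso_loaded() {
    awk '{ sub(/#.*/, "") }
         $1 ~ /^dso[{]?$/       { in_dso = 1; next }
         in_dso && $1 ~ /^[}]/  { in_dso = 0; next }
         in_dso && $1 == "load" { sub(/;.*/, "", $2); print $2 }' "$1" | LC_ALL=C sort -u
}

# Module files (*.so) present in directory $1.
dso_available() {
    for f in "$1"/*.so; do
        if [ -e "$f" ]; then basename "$f"; fi
    done | LC_ALL=C sort -u
}

# dso_audit CONF MODDIR prints one "STATUS module" line per finding:
#   MISSING   loaded in CONF but not in MODDIR (typo or uninstalled module)
#   UNLOADED  in MODDIR but not loaded
#   WRITABLE  module file writable by group or others
dso_audit() {
    tmp=$(mktemp -d) || return 1
    dso_loaded "$1" > "$tmp/loaded"
    dso_available "$2" > "$tmp/avail"
    LC_ALL=C comm -23 "$tmp/loaded" "$tmp/avail" | sed 's/^/MISSING /'
    LC_ALL=C comm -13 "$tmp/loaded" "$tmp/avail" | sed 's/^/UNLOADED /'
    find "$2" -name '*.so' \( -perm -020 -o -perm -002 \) -exec basename {} \; |
        LC_ALL=C sort | sed 's/^/WRITABLE /'
    rm -rf "$tmp"
}

# Constructed sample input: a throwaway config and module directory.
dso_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/modules"
    printf '%s\n' 'dso {' \
        '    load ngx_http_fastcgi_module.so;' \
        '    load ngx_http_rewrite_module.so;' \
        '    load ngx_http_acces_module.so;   ## constructed typo' \
        '#   load ngx_http_lua_module.so;' \
        '}' > "$d/tengine.conf"
    for m in fastcgi rewrite access lua; do : > "$d/modules/ngx_http_${m}_module.so"; done
    chmod 644 "$d"/modules/*.so
    chmod 666 "$d/modules/ngx_http_lua_module.so"
    dso_audit "$d/tengine.conf" "$d/modules"
    rm -rf "$d"
}
dso_demo
```

On a real system, call dso_audit /etc/tengine/tengine.conf /var/lib/tengine/modules instead of dso_demo.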


/etc/tengine/sites-available/localhost has site specific configurations. Generally, localhost is copied to a file named after the site (domain.tld) in the /etc/tengine/sites-available/ directory.

SSL Encryption

Follow these instructions HOWTO:WebServer_SSL

Redirection / Rewriting

Tengine has a number of features that allow you to redirect users from one URL to another or rewrite the incoming URL so your site sees it differently. If you are familiar with regular expressions, you're in luck as you'll be using them. If you aren't, you might want to learn them.

Do not use redirection to redirect from http to https, as this opens up the possibility of a man-in-the-middle attack. Instead, use HTTP Strict Transport Security. This is just a single line, and it's already in the above SSL configuration.

Unix Socket

To listen on a unix socket:

/etc/tengine/sites-available/localhost - Listen on a unix socket
	listen unix:/var/run/tengine.sock;


Tengine does not natively support PHP, so we delegate that responsibility to php-fpm.

/etc/tengine/sites-available/localhost - fpm tcp/ip configuration
server {
	index index.php index.cgi index.htm index.html;
	location ~ \.php$ {
		fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
#	        fastcgi_pass;   #uncomment this line, and comment the socket line above to use tcp
		include fastcgi.conf;
	}
}

Content Management Systems

The above PHP configuration is a bare-minimal default. If you are using a content management system where your URL doesn't end in .php, the above will fail. A full description of how to set up Joomla is beyond the scope of this article, but you can start with this. As in the above example, if your PHP-FPM is running via TCP/IP you can change to an IP address instead of a Unix socket, although the most common reason for doing so is that the web server and PHP are on different servers (in which case you use the PHP-FPM server's IP); otherwise, a Unix domain socket is faster. Also, the try_files line should always end in =404 for security reasons.

server {
       #- Support Clean (aka Search Engine Friendly) URLs
        location / {
            try_files $uri $uri/ /index.php?$args =404;
        }

       #- deny running scripts inside writable directories
        location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
                return 403;
                error_page 403 /error/403.html;
        }

        #- magic needed to make joomla URLs work
        location ~ [^/]\.php(/|$) {
                gzip off;
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                if (!-f $document_root$fastcgi_script_name) {
                        return 404;
                }
                fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
                fastcgi_index index.php;
                include /etc/tengine/fastcgi.conf;
        }
}
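
Regex locations are tried in the order they appear in the file and the first match wins, so the deny block only protects the writable directories while it stays above the PHP block. The following shell script is an added example, not from the original page: it models only the three locations above with grep -E and shows where constructed request URIs end up in each order. The function names are made up for this illustration.

```shell
# Added example, not from the wiki page: which of the three locations above handles a URI.
# Model: regex locations are tried in file order, first match wins; "location /" is the
# fallback when no regex matches. The URI is the path only, without the query string.
DENY_RE='/(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$'   # "~*": case-insensitive
PHP_RE='[^/]\.php(/|$)'                                                     # "~": case-sensitive

matches_deny() { printf '%s\n' "$1" | grep -Eiq -- "$DENY_RE"; }
matches_php()  { printf '%s\n' "$1" | grep -Eq  -- "$PHP_RE"; }

# route URI [ORDER]; ORDER is "deny-first" (the order used above) or "php-first".
route() {
    case "${2:-deny-first}" in
        deny-first) if matches_deny "$1"; then echo "403"; return; fi
                    if matches_php  "$1"; then echo "php-fpm"; return; fi ;;
        php-first)  if matches_php  "$1"; then echo "php-fpm"; return; fi
                    if matches_deny "$1"; then echo "403"; return; fi ;;
    esac
    echo "location /"
}

# Constructed request URIs.
for uri in /index.php /images/banner.png /images/upload.php /tmp/job.SH /media/a.PhP; do
    printf '%-20s deny-first=%-11s php-first=%s\n' \
        "$uri" "$(route "$uri")" "$(route "$uri" php-first)"
done
```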


Passenger's app environments:

  1. test
  2. development
  3. production

Anything the internet can touch should be in production mode.

Ruby on Rails

To serve with passenger, change the root statement below to point to your application's public directory:

/etc/tengine/sites-available/localhost - passenger configuration
passenger_root /usr/libexec/passenger/locations.ini;
passenger_ruby /usr/bin/ruby;

server {
	passenger_enabled on;
	# development here; use production for anything the internet can touch
	passenger_app_env development;
	root /home/$USER/ror/public;
}


/etc/tengine/sites-available/localhost - passenger configuration
passenger_root /usr/libexec/passenger/locations.ini;
passenger_ruby /usr/bin/ruby;

server {
	passenger_enabled on;
	# development here; use production for anything the internet can touch
	passenger_app_env development;
	root /home/$USER/node/public;
}

Create the public directory:

# mkdir /home/$USER/node/public

Passenger's node entry point is app.js; the entry point must be named this for passenger to serve it.

Create a node hello world:

/home/$USER/node/app.js - node hello world
// Load the http module to create an http server.
var http = require('http');

// Configure our HTTP server to respond with Hello World to all requests.
var server = http.createServer(function (request, response) {
  response.writeHead(200, {"Content-Type": "text/plain"});
  response.end("Hello World From Node.js\n");
});

//**only for instances started via node app.js** Listen on port 8000, IP defaults to
server.listen(8000);

//**only for instances started via node app.js** Put a friendly message on the terminal
console.log("Server running at");



This section is in need of updates.

Currently (01:52, May 19, 2015 (UTC)) python 3.x doesn't work well with passenger; python 2.7, however, runs well.

# eselect python set python2.7


To start the tengine server:

# rc-update add tengine default
# rc