dhis2-devs team mailing list archive

[Branch ~dhis2-documenters/dhis2/dhis2-docbook-docs] Rev 469: Added para on nginx serving and client side caching of static content. This is important when usi...

 

------------------------------------------------------------
revno: 469
committer: Lars Helge Overland <larshelge@xxxxxxxxx>
branch nick: dhis2-docbook-docs
timestamp: Thu 2012-03-15 12:02:56 +0100
message:
  Added para on nginx serving and client side caching of static content. This is important when using ssl to reduce roundtrips.
modified:
  src/docbkx/en/dhis2_implementation_guide_installation.xml


--
lp:~dhis2-documenters/dhis2/dhis2-docbook-docs
https://code.launchpad.net/~dhis2-documenters/dhis2/dhis2-docbook-docs

Your team DHIS 2 developers is subscribed to branch lp:~dhis2-documenters/dhis2/dhis2-docbook-docs.
To unsubscribe from this branch go to https://code.launchpad.net/~dhis2-documenters/dhis2/dhis2-docbook-docs/+edit-subscription
=== modified file 'src/docbkx/en/dhis2_implementation_guide_installation.xml'
--- src/docbkx/en/dhis2_implementation_guide_installation.xml	2012-03-14 12:07:57 +0000
+++ src/docbkx/en/dhis2_implementation_guide_installation.xml	2012-03-15 11:02:56 +0000
@@ -92,20 +92,29 @@
     <para><code>sudo /usr/local/nginx/sbin/nginx -s stop</code></para>
     <para>Now that we have installed nginx we will now continue to configure regular proxying of requests to our Tomcat instance, which we assume runs at <emphasis role="italic">http://localhost:8080</emphasis>. To configure nginx you can open the configuration file by invoking</para>
     <para><code>sudo nano /usr/local/nginx/conf/nginx.conf</code></para>
-    <para>nginx configuration is built around a hierarchy of blocks representing http, server and location, where each block inherit settings from parent blocks. To configure nginx to proxy pass (redirect) requests from port 80 (which is the port nginx will listen on by default) to our Tomcat instance  include the following configuration in nginx.conf:</para>
+    <para>nginx configuration is built around a hierarchy of blocks representing http, server and location, where each block inherit settings from parent blocks. The following snippet will configure nginx to proxy pass (redirect) requests from port 80 (which is the port nginx will listen on by default) to our Tomcat instance. It will also make nginx serve requests for static content such as javascript, stylesheets and images and instruct clients to cache it for 14 days which will reduce the load on Tomcat and improve overall performance. Include the following configuration in nginx.conf:</para>
     <para><screen><![CDATA[server {
- listen       80;
- server_name  localhost;
-
- location / {
-  proxy_pass        http://localhost:8080/;
-  proxy_redirect    off;
-  proxy_set_header  Host            $host;
-  proxy_set_header  X-Real-IP       $remote_addr;
-  proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
- }
+  listen       80;
+
+  # Serve static content
+  # Root points to your DHIS webapp location, update it!
+
+  location ~* (\.js$|\.css$|\.gif$|^/images/|^/icons/) {
+    root     /home/dhis/tomcat/webapps/ROOT;
+    expires  14d;
+  } 
+
+  # Proxy pass to servlet container
+
+  location / {
+    proxy_pass        http://localhost:8080/;
+    proxy_redirect    off;
+    proxy_set_header  Host            $host;
+    proxy_set_header  X-Real-IP       $remote_addr;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+  }
 }]]></screen></para>
-    <para>Now that the reverse proxy is set up we can improve security by making Tomcat only listen for local connections. In <emphasis role="italic">/conf/server.xml</emphasis> you can add an <emphasis role="italic">address</emphasis> attribute with the value <emphasis role="italic">localhost</emphasis> to the Connetor element for HTTP 1.1 like this:</para>
+    <para>You can now access your DHIS instance at <emphasis role="italic">http://localhost</emphasis>. Since  the reverse proxy has been set up we can improve security by making Tomcat only listen for local connections. In <emphasis role="italic">/conf/server.xml</emphasis> you can add an <emphasis role="italic">address</emphasis> attribute with the value <emphasis role="italic">localhost</emphasis> to the Connetor element for HTTP 1.1 like this:</para>
     <para><screen>&lt;Connector address=&quot;localhost&quot; protocol=&quot;HTTP/1.1&quot; ... &gt;</screen></para>
     <para><emphasis role="bold">Encrypted connections with SSL</emphasis></para>
     <para>In order to improve security it is recommended to configure the server running DHIS to communicate with clients over an encrypted connection and to identify itself to clients using a trusted certificate. This can be achieved through SSL which is an cryptographic communication protocol running on top of TCP/IP.</para>
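Review bot: the new static block `location ~* (\.js$|\.css$|\.gif$|^/images/|^/icons/)` with `root /home/dhis/tomcat/webapps/ROOT;` makes nginx read matching files straight from the webapp directory, so those requests never reach Tomcat and any filter or access control the application applies to those paths no longer runs. The paragraph should say this, and should note that a matching URI with no file under that root is answered by nginx with a 404 instead of being passed on to Tomcat. If a fallback is wanted, `try_files $uri @tomcat;` with a named location holding the proxy settings would provide it. The pattern is also narrower than the prose ("javascript, stylesheets and images"): outside /images/ and /icons/ the only image type matched is .gif. Typos in the added text: "each block inherit" should be "inherits", and "Connetor" should be "Connector".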
@@ -116,32 +125,37 @@
 
 server {
   listen      80;
-  server_name localhost;
-  rewrite     ^ https://<server-ip>$request_uri? permanent;
+  rewrite   ^ https://<server-ip>$request_uri? permanent;
 }
 
 # SSL server block
 
 server {
- listen       443;
- server_name  localhost;
-
- ssl                  on;
- ssl_certificate      server.crt;
- ssl_certificate_key  server.key;
-
- ssl_session_timeout  5m;
-
- ssl_protocols  SSLv2 SSLv3 TLSv1;
- ssl_ciphers  HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers   on;
-
- location / {
-  proxy_pass        http://localhost:8080/;
-  proxy_redirect    off;
-  proxy_set_header  Host            $host;
-  proxy_set_header  X-Real-IP       $remote_addr;
-  proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+  listen       443;
+
+  ssl                  on;
+  ssl_certificate      server.crt;
+  ssl_certificate_key  server.key;
+
+  ssl_session_timeout  5m;
+
+  ssl_protocols  SSLv2 SSLv3 TLSv1;
+  ssl_ciphers  HIGH:!aNULL:!MD5;
+  ssl_prefer_server_ciphers   on;
+
+  # Root points to your DHIS webapp location, update it!
+
+  location ~* (\.js$|\.css$|\.gif$|^/images/|^/icons/) {
+    root     /home/dhis/tomcat/webapps/ROOT;
+    expires  14d;
+  } 
+
+  location / {
+    proxy_pass        http://localhost:8080/;
+    proxy_redirect    off;
+    proxy_set_header  Host            $host;
+    proxy_set_header  X-Real-IP       $remote_addr;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  }
 }]]></screen>
   </section>
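Review bot: `ssl_protocols  SSLv2 SSLv3 TLSv1;` is carried over unchanged into the re-indented SSL server block. SSLv2 and SSLv3 are both broken protocols and should not be offered in a section that recommends SSL to improve security, so this line should list only the TLS versions that the nginx and OpenSSL build supports. Since the block is being touched anyway, note also that the closing brace of `location /` is left at one-space indentation while its body and the rest of the block moved to two, and that the port 80 block now relies on being the only server listening there after `server_name localhost;` was dropped; a short comment to that effect would help readers who already have other server blocks.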