dhis2-devs team mailing list archive
Message #16476
[Branch ~dhis2-documenters/dhis2/dhis2-docbook-docs] Rev 469: Added para on nginx serving and client side caching of static content. This is important when usi...
------------------------------------------------------------
revno: 469
committer: Lars Helge Overland <larshelge@xxxxxxxxx>
branch nick: dhis2-docbook-docs
timestamp: Thu 2012-03-15 12:02:56 +0100
message:
Added para on nginx serving and client side caching of static content. This is important when using ssl to reduce roundtrips.
modified:
src/docbkx/en/dhis2_implementation_guide_installation.xml
--
lp:~dhis2-documenters/dhis2/dhis2-docbook-docs
https://code.launchpad.net/~dhis2-documenters/dhis2/dhis2-docbook-docs
=== modified file 'src/docbkx/en/dhis2_implementation_guide_installation.xml'
--- src/docbkx/en/dhis2_implementation_guide_installation.xml 2012-03-14 12:07:57 +0000
+++ src/docbkx/en/dhis2_implementation_guide_installation.xml 2012-03-15 11:02:56 +0000
@@ -92,20 +92,29 @@
<para><code>sudo /usr/local/nginx/sbin/nginx -s stop</code></para>
<para>Now that we have installed nginx we will now continue to configure regular proxying of requests to our Tomcat instance, which we assume runs at <emphasis role="italic">http://localhost:8080</emphasis>. To configure nginx you can open the configuration file by invoking</para>
<para><code>sudo nano /usr/local/nginx/conf/nginx.conf</code></para>
- <para>nginx configuration is built around a hierarchy of blocks representing http, server and location, where each block inherit settings from parent blocks. To configure nginx to proxy pass (redirect) requests from port 80 (which is the port nginx will listen on by default) to our Tomcat instance include the following configuration in nginx.conf:</para>
+ <para>nginx configuration is built around a hierarchy of blocks representing http, server and location, where each block inherit settings from parent blocks. The following snippet will configure nginx to proxy pass (redirect) requests from port 80 (which is the port nginx will listen on by default) to our Tomcat instance. It will also make nginx serve requests for static content such as javascript, stylesheets and images and instruct clients to cache it for 14 days which will reduce the load on Tomcat and improve overall performance. Include the following configuration in nginx.conf:</para>
<para><screen><![CDATA[server {
- listen 80;
- server_name localhost;
-
- location / {
- proxy_pass http://localhost:8080/;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
+ listen 80;
+
+ # Serve static content
+ # Root points to your DHIS webapp location, update it!
+
+ location ~* (\.js$|\.css$|\.gif$|^/images/|^/icons/) {
+ root /home/dhis/tomcat/webapps/ROOT;
+ expires 14d;
+ }
+
+ # Proxy pass to servlet container
+
+ location / {
+ proxy_pass http://localhost:8080/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
}]]></screen></para>
- <para>Now that the reverse proxy is set up we can improve security by making Tomcat only listen for local connections. In <emphasis role="italic">/conf/server.xml</emphasis> you can add an <emphasis role="italic">address</emphasis> attribute with the value <emphasis role="italic">localhost</emphasis> to the Connetor element for HTTP 1.1 like this:</para>
+ <para>You can now access your DHIS instance at <emphasis role="italic">http://localhost</emphasis>. Since the reverse proxy has been set up we can improve security by making Tomcat only listen for local connections. In <emphasis role="italic">/conf/server.xml</emphasis> you can add an <emphasis role="italic">address</emphasis> attribute with the value <emphasis role="italic">localhost</emphasis> to the Connetor element for HTTP 1.1 like this:</para>
<para><screen><Connector address="localhost" protocol="HTTP/1.1" ... ></screen></para>
<para><emphasis role="bold">Encrypted connections with SSL</emphasis></para>
<para>In order to improve security it is recommended to configure the server running DHIS to communicate with clients over an encrypted connection and to identify itself to clients using a trusted certificate. This can be achieved through SSL which is an cryptographic communication protocol running on top of TCP/IP.</para>
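Review bot: The new static block `location ~* (\.js$|\.css$|\.gif$|^/images/|^/icons/)` with `root /home/dhis/tomcat/webapps/ROOT` makes nginx read matching files straight from the webapp directory, so those requests never reach Tomcat and skip whatever the servlet container enforces for them. The extension alternatives are not anchored to a path, so a URI ending in .js or .css under WEB-INF/ or META-INF/ also matches and nginx will serve it where Tomcat would refuse. Suggest pointing `root` at a directory that holds only public assets, or adding a location ahead of this one that returns 404 for `^/(WEB-INF|META-INF)/`. The paragraph should also say that a .js or .css URL the application generates rather than stores as a file will get a 404 from nginx under this rule. Minor: the added paragraphs carry over "each block inherit" and "Connetor"; change them to "inherits" and "Connector" while these lines are being touched.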
@@ -116,32 +125,37 @@
server {
listen 80;
- server_name localhost;
- rewrite ^ https://<server-ip>$request_uri? permanent;
+ rewrite ^ https://<server-ip>$request_uri? permanent;
}
# SSL server block
server {
- listen 443;
- server_name localhost;
-
- ssl on;
- ssl_certificate server.crt;
- ssl_certificate_key server.key;
-
- ssl_session_timeout 5m;
-
- ssl_protocols SSLv2 SSLv3 TLSv1;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
-
- location / {
- proxy_pass http://localhost:8080/;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ listen 443;
+
+ ssl on;
+ ssl_certificate server.crt;
+ ssl_certificate_key server.key;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols SSLv2 SSLv3 TLSv1;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ # Root points to your DHIS webapp location, update it!
+
+ location ~* (\.js$|\.css$|\.gif$|^/images/|^/icons/) {
+ root /home/dhis/tomcat/webapps/ROOT;
+ expires 14d;
+ }
+
+ location / {
+ proxy_pass http://localhost:8080/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}]]></screen>
</section>
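Review bot: `ssl_protocols SSLv2 SSLv3 TLSv1;` is re-added unchanged in the SSL server block, and SSLv2 and SSLv3 are broken protocols that should not be offered in a section whose stated purpose is to improve security. Since the line is being rewritten anyway, reduce it to TLS only, for example `ssl_protocols TLSv1;` plus any newer TLS versions the installed nginx build supports. The static location added to this block also serves files directly from `/home/dhis/tomcat/webapps/ROOT` without going through Tomcat, so consider restricting `root` to a directory of public assets, and it lacks the "# Serve static content" comment that the port 80 block has.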