dhis2-devs team mailing list archive
Message #20472
[Branch ~dhis2-documenters/dhis2/dhis2-docbook-docs] Rev 639: Simplified the nginx cache setup. Thanks to Bob for tip.
------------------------------------------------------------
revno: 639
committer: Lars Helge Øverland <larshelge@xxxxxxxxx>
branch nick: dhis2-docbook-docs
timestamp: Tue 2012-12-18 14:01:15 +0100
message:
Simplified the nginx cache setup. Thanks to Bob for tip.
modified:
src/docbkx/en/dhis2_implementation_guide_installation.xml
--
lp:~dhis2-documenters/dhis2/dhis2-docbook-docs
https://code.launchpad.net/~dhis2-documenters/dhis2/dhis2-docbook-docs
Your team DHIS 2 developers is subscribed to branch lp:~dhis2-documenters/dhis2/dhis2-docbook-docs.
To unsubscribe from this branch go to https://code.launchpad.net/~dhis2-documenters/dhis2/dhis2-docbook-docs/+edit-subscription
=== modified file 'src/docbkx/en/dhis2_implementation_guide_installation.xml'
--- src/docbkx/en/dhis2_implementation_guide_installation.xml 2012-12-13 15:10:02 +0000
+++ src/docbkx/en/dhis2_implementation_guide_installation.xml 2012-12-18 13:01:15 +0000
@@ -127,11 +127,10 @@
<para>nginx configuration is built around a hierarchy of blocks representing http, server and location, where each block inherit settings from parent blocks. The following snippet will configure nginx to proxy pass (redirect) requests from port 80 (which is the port nginx will listen on by default) to our Tomcat instance. It will also make nginx serve requests for static content such as javascript, stylesheets and images and instruct clients to cache it for 4 days which will reduce the load on Tomcat and improve overall performance. Include the following configuration in nginx.conf:</para>
<para><screen><![CDATA[server {
listen 80;
- root /home/dhis/tomcat/webapps/ROOT;
- client_max_body_size 10M; # Default 1M, change it!
+ root /home/dhis/tomcat/webapps/ROOT; # Update path!
+ client_max_body_size 10M;
# Serve static content
- # Root points to your DHIS webapp location, update it!
location ~ (\.js$|\.css$|\.gif$|\.woff$|\.ttf$|\.eot$|^/images/|^/icons/|^/dhis-web-commons/.*\.png$) {
add_header Cache-Control public;
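Review bot: the new "# Update path!" comment on the "root" line no longer says what the path is; the removed comment explained that root points to the DHIS webapp location. Suggest something like "# Path to your DHIS webapp, update it!". The note that 10M overrides the 1M default for "client_max_body_size" is also dropped here and is worth keeping for readers who need to size uploads.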
@@ -162,18 +161,18 @@
<screen>openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr</screen>
<para>When you have your certificate files (.pem and .key) you will need to place them in a location which is reachable by nginx. A good location for this can be the same directory as where your nginx.conf file is located.</para>
<para>Below is an nginx server block where the certificate files are named server.crt and server.key. Since SSL connections usually occur on port 443 (HTTPS) we pass requests on that port (443) on to the DHIS instance running on <emphasis role="italic">http://localhost:8080</emphasis> The first server block will rewrite all requests connecting to port 80 and force the use of HTTPS/SSL. This is also necessary because DHIS is using a lot of redirects internally which must be passed on to use HTTPS. Remember to replace <emphasis role="italic"><server-ip></emphasis> with the IP of your server. These blocks should replace the one from the previous section.</para>
- <screen><![CDATA[# Rewrite block to force use of SSL
+ <screen><![CDATA[# HTTP server - rewrite to force use of SSL
server {
listen 80;
- rewrite ^ https://<server-ip>$request_uri? permanent;
+ rewrite ^ https://<server-url>$request_uri? permanent;
}
-# SSL server block
+# HTTPS server
server {
listen 443;
- root /home/dhis/tomcat/webapps/ROOT;
+ root /home/dhis/tomcat/webapps/ROOT; # Update path!
client_max_body_size 10M;
ssl on;
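Review bot: the placeholder in the port-80 rewrite changes from "<server-ip>" to "<server-url>", but the paragraph just above the screen still tells the reader to replace "<server-ip>" with the IP of the server, so the text and the snippet no longer match. Update the paragraph in the same commit, and consider a name such as "<server-name>", since the rewrite already supplies "https://" and "$request_uri" and only a host name or address belongs in that position.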
@@ -186,13 +185,15 @@
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
- # Root points to your DHIS webapp location, update it!
+ # Serve static content
location ~ (\.js$|\.css$|\.gif$|\.woff$|\.ttf$|\.eot$|^/images/|^/icons/|^/dhis-web-commons/.*\.png$) {
add_header Cache-Control public;
expires 7d;
}
+ # Proxy pass to servlet container
+
location / {
proxy_pass http://localhost:8080/;
proxy_redirect off;
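Review bot: the two added comments in this server block are laid out differently: "# Serve static content" sits directly above its location, while "# Proxy pass to servlet container" is followed by an added blank line. Pick one layout so the comments in this snippet match each other and the ones in the cache section.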
@@ -208,24 +209,29 @@
<para>Requests for reports, charts, maps and other analysis-related resources will often take
some time to respond and might utilize a lot of server resources. In order to improve
response times, reduce the load on the server and hide potential server downtime we can
- introduce a cache proxy in our server setup. However, a cache proxy cannot cache content
- which is served over SSL/HTTPS since the content will be encrypted and the response headers
- cannot be understood by the server. The following configuration will serve reports, data
- visualizer, GIS and dashboard modules over HTTP while serving all other modules over
- SSL/HTTPS. Analysis-related requests will be cached by nginx. The cached content will be
+ introduce a cache proxy in our server setup. This setup will cache analysis related content
+ which typically requries the most server resources to produce. The cached content will be
stored in directory /var/cache/nginx, and up to 250 MB of storage will be allocated. Nginx
will create this directory automatically.</para>
<screen>http {
# ...
- root /home/dhis/tomcat/webapps/ROOT; # update path!
+ root /home/dhis/tomcat/webapps/ROOT; # Update path!
proxy_cache_path /var/cache/nginx keys_zone=dhis:250m inactive=1d;
+ <![CDATA[# HTTP server - rewrite to force use of HTTPS
+
+ server {
+ listen 80;
+ rewrite ^ https://<server-ip>$request_uri? permanent;
+ }
+
# HTTPS server
server {
- listen 443 ssl default_server;
+ listen 443;
client_max_body_size 10M;
+ ssl on;
ssl_certificate server.crt;
ssl_certificate_key server.key;
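Review bot: the added paragraph line contains a typo, "requries" should be "requires", and "analysis related" reads better hyphenated. The new port-80 block in this screen uses "<server-ip>" while the same rewrite in the SSL section was changed to "<server-url>" in this commit; use one placeholder in both places. Replacing "listen 443 ssl default_server;" with "listen 443;" plus "ssl on;" also moves away from the form the nginx documentation recommends (the ssl parameter on the listen directive); "listen 443 ssl;" would keep the simplification without that step back.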
@@ -235,79 +241,36 @@
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
- # Rewrite analysis modules to HTTP, update domain!
-
- location ~ ^/(dhis-web-mapping|dhis-web-visualizer|dhis-web-reporting|dhis-web-dashboard-integration) {
- rewrite ^ http://yourdomain.org$request_uri? permanent;
- }
-
- # Serve static content
-
- location ~* (\.js$|\.css$|\.gif$|\.woff$|\.ttf$|\.eot$|^/images/|^/icons/|^/dhis-web-commons/.*\.png$) {
- add_header Cache-Control public;
- expires 7d;
- }
-
- # Proxy pass to servlet container, update URL!
-
- location / {
- proxy_pass http://localhost:8080;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- }
- }
-
- # HTTP server
-
- server {
- listen 80;
- client_max_body_size 10M;
-
- # Rewrite security and about namespace to HTTPS, update domain!
-
- location ~ ^/(dhis-web-commons/security|dhis-web-commons-security|dhis-web-commons-about) {
- rewrite ^ https://yourdomain.org$request_uri? permanent;
- }
-
- # Serve static content
-
- location ~* (\.js$|\.css$|\.gif$|\.woff$|\.ttf$|\.eot$|^/images/|^/icons/|^/dhis-web-commons/.*\.png$) {
- add_header Cache-Control public;
- expires 7d;
- }
-
- # Cache and proxy pass analysis to servlet container, update URL!
+ # Serve static content
+
+ location ~ (\.js$|\.css$|\.gif$|\.woff$|\.ttf$|\.eot$|^/images/|^/icons/|^/dhis-web-commons/.*\.png$) {
+ add_header Cache-Control public;
+ expires 7d;
+ }
+
+ # Cache and proxy pass analysis related requests to servlet container
location ~ (api/(chart*|map*|reports|reportTables)|generateDataSetReport.action|exportTable.action) {
- proxy_pass http://localhost:8080;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto http;
- proxy_cache dhis;
- }
-
- # Proxy pass analysis modules to servlet container, update URL!
-
- location ~ ^/(api|dhis-web-commons|dhis-web-mapping|dhis-web-visualizer|dhis-web-reporting|dhis-web-dashboard-integration) {
- proxy_pass http://localhost:8080;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto http;
- }
-
- # Rewrite remaining to HTTPS, update domain!
+ proxy_pass http://localhost:8080;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_cache dhis;
+ }
+
+ # Proxy pass remaining requests to servlet container
location / {
- rewrite ^ https://yourdomain.org$request_uri? permanent;
+ proxy_pass http://localhost:8080/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
}
- }
+ }]]>
}
</screen>
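Review bot: the cached location (the one ending in "proxy_cache dhis;") now lives on the HTTPS server but sets no "proxy_cache_key", so nginx uses its default key, built from scheme, proxied host and request URI, which takes no account of cookies or credentials. Any response the upstream marks as cacheable is then shared by every client that requests the same URI; the guide should either state that this is intended for these analysis resources or show a key that includes a per-user value. Separately, the static-content location changes from "~*" to "~", which makes the match case-sensitive, and the commit message does not mention it.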