dhis2-devs team mailing list archive
Message #20478
Re: [Branch ~dhis2-documenters/dhis2/dhis2-docbook-docs] Rev 639: Simplified the nginx cache setup. Thanks to Bob for tip.
Nice commit, hope this will work on Mac/Windows as well.
On Tue, Dec 18, 2012 at 6:32 PM, <noreply@xxxxxxxxxxxxx> wrote:
> ------------------------------------------------------------
> revno: 639
> committer: Lars Helge Øverland <larshelge@xxxxxxxxx>
> branch nick: dhis2-docbook-docs
> timestamp: Tue 2012-12-18 14:01:15 +0100
> message:
> Simplified the nginx cache setup. Thanks to Bob for tip.
> modified:
> src/docbkx/en/dhis2_implementation_guide_installation.xml
>
>
> --
> lp:~dhis2-documenters/dhis2/dhis2-docbook-docs
> https://code.launchpad.net/~dhis2-documenters/dhis2/dhis2-docbook-docs
>
> Your team DHIS 2 developers is subscribed to branch
> lp:~dhis2-documenters/dhis2/dhis2-docbook-docs.
> To unsubscribe from this branch go to
> https://code.launchpad.net/~dhis2-documenters/dhis2/dhis2-docbook-docs/+edit-subscription
>
> === modified file
> 'src/docbkx/en/dhis2_implementation_guide_installation.xml'
> --- src/docbkx/en/dhis2_implementation_guide_installation.xml 2012-12-13
> 15:10:02 +0000
> +++ src/docbkx/en/dhis2_implementation_guide_installation.xml 2012-12-18
> 13:01:15 +0000
> @@ -127,11 +127,10 @@
> <para>nginx configuration is built around a hierarchy of blocks
> representing http, server and location, where each block inherit settings
> from parent blocks. The following snippet will configure nginx to proxy
> pass (redirect) requests from port 80 (which is the port nginx will listen
> on by default) to our Tomcat instance. It will also make nginx serve
> requests for static content such as javascript, stylesheets and images and
> instruct clients to cache it for 4 days which will reduce the load on
> Tomcat and improve overall performance. Include the following configuration
> in nginx.conf:</para>
> <para><screen><![CDATA[server {
> listen 80;
> - root /home/dhis/tomcat/webapps/ROOT;
> - client_max_body_size 10M; # Default 1M, change it!
> + root /home/dhis/tomcat/webapps/ROOT; # Update path!
> + client_max_body_size 10M;
>
> # Serve static content
> - # Root points to your DHIS webapp location, update it!
>
> location ~
> (\.js$|\.css$|\.gif$|\.woff$|\.ttf$|\.eot$|^/images/|^/icons/|^/dhis-web-commons/.*\.png$)
> {
> add_header Cache-Control public;
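Review bot: On the `client_max_body_size 10M;` line, dropping the "Default 1M, change it!" hint leaves readers with no indication that 10M is an example value or why the directive is there; a short sentence in the paragraph above (size it to the largest upload the instance should accept) would carry that better than the old inline comment. The same paragraph says clients are instructed to cache static content for 4 days, while the static-content locations elsewhere in this patch use `expires 7d;`. The expires line for this block falls outside the hunk, so please confirm the prose and the configured value agree.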
> @@ -162,18 +161,18 @@
> <screen>openssl req -new -newkey rsa:2048 -nodes -keyout server.key
> -out server.csr</screen>
> <para>When you have your certificate files (.pem and .key) you will
> need to place them in a location which is reachable by nginx. A good
> location for this can be the same directory as where your nginx.conf file
> is located.</para>
> <para>Below is an nginx server block where the certificate files
> are named server.crt and server.key. Since SSL connections usually occur on
> port 443 (HTTPS) we pass requests on that port (443) on to the DHIS
> instance running on <emphasis role="italic">http://localhost:8080</emphasis>
> The first server block will rewrite all requests connecting to port 80 and
> force the use of HTTPS/SSL. This is also necessary because DHIS is using a
> lot of redirects internally which must be passed on to use HTTPS. Remember
> to replace <emphasis role="italic"><server-ip></emphasis> with the
> IP of your server. These blocks should replace the one from the previous
> section.</para>
> - <screen><![CDATA[# Rewrite block to force use of SSL
> + <screen><![CDATA[# HTTP server - rewrite to force use of SSL
>
> server {
> listen 80;
> - rewrite ^ https://<server-ip>$request_uri? permanent;
> + rewrite ^ https://<server-url>$request_uri? permanent;
> }
>
> -# SSL server block
> +# HTTPS server
>
> server {
> listen 443;
> - root /home/dhis/tomcat/webapps/ROOT;
> + root /home/dhis/tomcat/webapps/ROOT; # Update path!
> client_max_body_size 10M;
>
> ssl on;
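Review bot: The rewrite line now uses `https://<server-url>$request_uri?`, but the unchanged paragraph above still tells the reader to replace `<server-ip>` with the IP of the server, so the instruction no longer matches any placeholder in this snippet. The name is also misleading: the value sits after `https://`, so it has to be a bare host name, and pasting a full URL would produce a broken redirect target. Suggest one placeholder such as `<server-hostname>` used in both the prose and the snippet, with a note that it should match the name on the certificate, and the same placeholder in the cache-proxy section, which this patch adds with `<server-ip>`.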
> @@ -186,13 +185,15 @@
> ssl_ciphers HIGH:!aNULL:!MD5;
> ssl_prefer_server_ciphers on;
>
> - # Root points to your DHIS webapp location, update it!
> + # Serve static content
>
> location ~
> (\.js$|\.css$|\.gif$|\.woff$|\.ttf$|\.eot$|^/images/|^/icons/|^/dhis-web-commons/.*\.png$)
> {
> add_header Cache-Control public;
> expires 7d;
> }
>
> + # Proxy pass to servlet container
> +
> location / {
> proxy_pass http://localhost:8080/;
> proxy_redirect off;
> @@ -208,24 +209,29 @@
> <para>Requests for reports, charts, maps and other analysis-related
> resources will often take
> some time to respond and might utilize a lot of server resources.
> In order to improve
> response times, reduce the load on the server and hide potential
> server downtime we can
> - introduce a cache proxy in our server setup. However, a cache
> proxy cannot cache content
> - which is served over SSL/HTTPS since the content will be
> encrypted and the response headers
> - cannot be understood by the server. The following configuration
> will serve reports, data
> - visualizer, GIS and dashboard modules over HTTP while serving all
> other modules over
> - SSL/HTTPS. Analysis-related requests will be cached by nginx. The
> cached content will be
> + introduce a cache proxy in our server setup. This setup will
> cache analysis related content
> + which typically requries the most server resources to produce.
> The cached content will be
> stored in directory /var/cache/nginx, and up to 250 MB of storage
> will be allocated. Nginx
> will create this directory automatically.</para>
> <screen>http {
> # ...
> - root /home/dhis/tomcat/webapps/ROOT; # update path!
> + root /home/dhis/tomcat/webapps/ROOT; # Update path!
> proxy_cache_path /var/cache/nginx keys_zone=dhis:250m inactive=1d;
>
> + <![CDATA[# HTTP server - rewrite to force use of HTTPS
> +
> + server {
> + listen 80;
> + rewrite ^ https://<server-ip>$request_uri? permanent;
> + }
> +
> # HTTPS server
>
> server {
> - listen 443 ssl default_server;
> + listen 443;
> client_max_body_size 10M;
>
> + ssl on;
> ssl_certificate server.crt;
> ssl_certificate_key server.key;
>
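Review bot: The rewritten paragraph still says up to 250 MB of storage will be allocated, but in `proxy_cache_path /var/cache/nginx keys_zone=dhis:250m inactive=1d;` the `keys_zone` size is the shared-memory zone that holds cache keys, not a limit on the files written to /var/cache/nginx. Without a `max_size` parameter the on-disk cache is bounded only by `inactive=1d`, so either add `max_size` or reword the sentence. Two smaller points in the added lines: "requries" should be "requires", and replacing `listen 443 ssl default_server;` with `listen 443;` plus `ssl on;` moves away from the form the nginx documentation recommends (the `ssl` parameter on `listen`) and silently drops `default_server`.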
> @@ -235,79 +241,36 @@
> ssl_ciphers HIGH:!aNULL:!MD5;
> ssl_prefer_server_ciphers on;
>
> - # Rewrite analysis modules to HTTP, update domain!
> -
> - location ~
> ^/(dhis-web-mapping|dhis-web-visualizer|dhis-web-reporting|dhis-web-dashboard-integration)
> {
> - rewrite ^ http://yourdomain.org$request_uri? permanent;
> - }
> -
> - # Serve static content
> -
> - location ~*
> (\.js$|\.css$|\.gif$|\.woff$|\.ttf$|\.eot$|^/images/|^/icons/|^/dhis-web-commons/.*\.png$)
> {
> - add_header Cache-Control public;
> - expires 7d;
> - }
> -
> - # Proxy pass to servlet container, update URL!
> -
> - location / {
> - proxy_pass http://localhost:8080;
> - proxy_redirect off;
> - proxy_set_header Host $host;
> - proxy_set_header X-Real-IP $remote_addr;
> - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> - proxy_set_header X-Forwarded-Proto https;
> - }
> - }
> -
> - # HTTP server
> -
> - server {
> - listen 80;
> - client_max_body_size 10M;
> -
> - # Rewrite security and about namespace to HTTPS, update domain!
> -
> - location ~
> ^/(dhis-web-commons/security|dhis-web-commons-security|dhis-web-commons-about)
> {
> - rewrite ^ https://yourdomain.org$request_uri? permanent;
> - }
> -
> - # Serve static content
> -
> - location ~*
> (\.js$|\.css$|\.gif$|\.woff$|\.ttf$|\.eot$|^/images/|^/icons/|^/dhis-web-commons/.*\.png$)
> {
> - add_header Cache-Control public;
> - expires 7d;
> - }
> -
> - # Cache and proxy pass analysis to servlet container, update URL!
> + # Serve static content
> +
> + location ~
> (\.js$|\.css$|\.gif$|\.woff$|\.ttf$|\.eot$|^/images/|^/icons/|^/dhis-web-commons/.*\.png$)
> {
> + add_header Cache-Control public;
> + expires 7d;
> + }
> +
> + # Cache and proxy pass analysis related requests to servlet container
>
> location ~
> (api/(chart*|map*|reports|reportTables)|generateDataSetReport.action|exportTable.action)
> {
> - proxy_pass http://localhost:8080;
> - proxy_redirect off;
> - proxy_set_header Host $host;
> - proxy_set_header X-Real-IP $remote_addr;
> - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> - proxy_set_header X-Forwarded-Proto http;
> - proxy_cache dhis;
> - }
> -
> - # Proxy pass analysis modules to servlet container, update URL!
> -
> - location ~
> ^/(api|dhis-web-commons|dhis-web-mapping|dhis-web-visualizer|dhis-web-reporting|dhis-web-dashboard-integration)
> {
> - proxy_pass http://localhost:8080;
> - proxy_redirect off;
> - proxy_set_header Host $host;
> - proxy_set_header X-Real-IP $remote_addr;
> - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> - proxy_set_header X-Forwarded-Proto http;
> - }
> -
> - # Rewrite remaining to HTTPS, update domain!
> + proxy_pass http://localhost:8080;
> + proxy_redirect off;
> + proxy_set_header Host $host;
> + proxy_set_header X-Real-IP $remote_addr;
> + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> + proxy_set_header X-Forwarded-Proto https;
> + proxy_cache dhis;
> + }
> +
> + # Proxy pass remaining requests to servlet container
>
> location / {
> - rewrite ^ https://yourdomain.org$request_uri? permanent;
> + proxy_pass http://localhost:8080/;
> + proxy_redirect off;
> + proxy_set_header Host $host;
> + proxy_set_header X-Real-IP $remote_addr;
> + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> + proxy_set_header X-Forwarded-Proto https;
> }
> - }
> + }]]>
> }
>
> </screen>
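Review bot: The cached location now sits in the HTTPS server with `proxy_cache dhis;` and no `proxy_cache_key`, `proxy_cache_valid` or `proxy_cache_bypass` beside it, so the documentation should say what makes this safe for content that sits behind a login. A cache hit is answered by nginx without the request reaching Tomcat, and the default cache key does not include the session cookie, so whether one user's report can be served to another client depends entirely on the response headers DHIS sends. Please state that dependency or add explicit directives. The location pattern also deserves a look: in `api/(chart*|map*|reports|reportTables)` the `*` is a regex quantifier, so `map*` matches `api/ma` followed by anything, and the dots in `generateDataSetReport.action|exportTable.action` are unescaped, which makes the set of cached URIs wider than the comment suggests. Anchoring the pattern and writing `charts?` and `maps?` (or whatever is intended) would tighten it.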
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help : https://help.launchpad.net/ListHelp
>
>
--
Regards,
Brajesh