nginx can be used in HTTP proxy mode or AJP proxy mode. AJP mode has not been tested, so the rest of this description covers HTTP proxy mode only; you are free to try AJP support (start here: https://github.com/yaoweibin/nginx_ajp_module) and report your experience to us.
Step 1: Configuring nginx as HTTP proxy
Install nginx (this step is OS- and distribution-specific). Details on how to install nginx can be found at http://wiki.nginx.org/Install
Make sure that Tomcat accepts HTTP requests from localhost (by default on port 8080).
So that the web application can resolve the client IP address and protocol, add the following to server.xml (remove the 'protocolHeaderHttpsValue' attribute for a non-SSL setup):

```
<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" />
```
Configure /etc/nginx/conf.d/default.conf (the default directory of included config files for a CentOS nginx installation):

```
server {
    listen 80;
    server_name portal.example.com www.portal.example.com;
    charset utf-8;

    location / {
        proxy_pass http://localhost:8080;
        # The next headers are required so that Tomcat resolves the client address (not the proxy's)
        # In ${tomcat}/conf/server.xml add this line:
        # <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" />
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Set the header named in the valve's protocolHeader attribute here,
        # otherwise a client-supplied value is passed through to Tomcat
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_buffer_size 8k;
        proxy_buffers 16 32k;
        proxy_busy_buffers_size 64k;
    }

    # Never serve the web application's internal directories
    location ~ /(WEB-INF|META-INF) {
        deny all;
    }
}
```
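How the forwarding headers set in Step 1 interact with RemoteIpValve, as an added example (not code from the original page or from Tomcat): a simplified Python model of nginx's `$proxy_add_x_forwarded_for` and of the valve's right-to-left walk over X-Forwarded-For. The loopback-only proxy list, the function names and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Assumption: only loopback counts as an internal proxy (nginx and Tomcat on
# one host). Tomcat's default internalProxies pattern covers more ranges.
INTERNAL_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("::1/128")]


def is_internal(addr):
    """True if addr parses as an IP address inside an internal proxy range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for net in INTERNAL_PROXIES)


def nginx_forwarded_for(client_header, remote_addr):
    """Model of $proxy_add_x_forwarded_for: append $remote_addr to the
    X-Forwarded-For value the client sent (which may be forged or empty)."""
    return f"{client_header}, {remote_addr}" if client_header else remote_addr


def resolve_client_ip(peer_addr, forwarded_for):
    """Simplified model of RemoteIpValve: use the header only when the TCP
    peer is an internal proxy, then walk the hops from right to left and
    return the first one that is not an internal proxy."""
    if not is_internal(peer_addr):
        return peer_addr  # not from our proxy: ignore the header entirely
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_internal(hop):
            return hop
    return peer_addr


def naive_leftmost(forwarded_for):
    """What an application gets if it trusts the first (client-controlled) hop."""
    return forwarded_for.split(",")[0].strip()


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.7 sends a forged X-Forwarded-For.
    header = nginx_forwarded_for("198.51.100.23", "203.0.113.7")
    print("header seen by Tomcat:", header)
    print("valve-style result   :", resolve_client_ip("127.0.0.1", header))
    print("naive leftmost result:", naive_leftmost(header))
    # Request sent straight to port 8080, bypassing nginx, with a forged header.
    print("direct to Tomcat     :", resolve_client_ip("198.51.100.9", "127.0.0.1"))
```

The address nginx appended is always the rightmost hop, so application code that reads X-Forwarded-For itself should use the valve-resolved address or X-Real-IP rather than the first entry.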
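Step 2: Configure SSL

```
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    ...
    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_timeout 5m;
    # SSLv2, SSLv3 and TLSv1 are obsolete and must not be offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
```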
Step 3: Redirect all traffic to HTTPS:

```
server {
    listen 80;
    ...
    rewrite ^ https://portal.example.com$request_uri? permanent;
}
```
Step 4: Configure custom error pages:

```
server {
    ...
    # Enable custom error pages
    proxy_intercept_errors on;
    error_page 404 /error/404.html;
    error_page 503 /error/503.html;
    error_page 500 /error/500.html;

    location /error {
        root /home/tomcat/ngerror/;
    }
}
```
Step 5: Enable aggressive resource caching

```
server {
    ...
    # Enable aggressive caching for static resources. With this config there
    # should be a cron job that compresses all non-compressed files. For example,
    # the script checks that the directory {tomcat}/webapps/static contains an image
    # example.gif and does not contain example.gif.gz, and then creates one with the
    # same timestamp.
    location /static/ {
        alias /home/tomcat/opt/tomcat/webapps/static/;
        gzip on;
        gzip_static on;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        # Some versions of IE 6 don't handle compression well on some MIME types, so just disable it for them
        gzip_disable "MSIE [1-6]\.(?!.*SV1)";
        # Set a Vary header so downstream proxies don't send cached gzipped content to IE6
        gzip_vary on;
        expires 1y;
        add_header Cache-Control public;
    }
}
```
Step 6: Run this script periodically

```
#!/bin/bash
# Schedule this script using a crontab expression:
# 55 0 * * * /home/tomcat/create_gz_files.sh >> /dev/null 2>&1

# Patterns are quoted so that find, not the shell, matches them
FILETYPES=('*.css' '*.jpg' '*.jpeg' '*.gif' '*.png' '*.js' '*.html')
# specify a list of directories to check recursively
DIRECTORIES=(/directory/to/compress/* /another/directory/to/compress/*)

for currentdir in "${DIRECTORIES[@]}"
do
  for extension in "${FILETYPES[@]}"
  do
    #echo "$currentdir"
    # The file name is passed as $1 instead of being pasted into the script
    # text, so names containing spaces or shell metacharacters are not executed.
    find "$currentdir" -type f -iname "$extension" -exec bash -c 'PLAINFILE="$1"; GZIPPEDFILE="$1.gz";
      if [ -e "$GZIPPEDFILE" ];
      then if [ "$(stat --printf=%Y "$PLAINFILE")" -gt "$(stat --printf=%Y "$GZIPPEDFILE")" ];
        then echo "$GZIPPEDFILE outdated, regenerating";
          gzip -9 -f -c "$PLAINFILE" > "$GZIPPEDFILE";
          touch -r "$PLAINFILE" "$GZIPPEDFILE";
        fi;
      else echo "$GZIPPEDFILE is missing, creating it";
        gzip -9 -c "$PLAINFILE" > "$GZIPPEDFILE";
        touch -r "$PLAINFILE" "$GZIPPEDFILE";
      fi' _ {} \;
  done
done
```
Please send us feedback at uportal-user@lists.ja-sig.org