Comment: Migrated to Confluence 5.3

...

nginx can be used in HTTP proxy mode or AJP proxy mode. AJP mode has not been tested, so this description focuses on HTTP proxy mode, but you are free to try AJP support (start here: https://github.com/yaoweibin/nginx_ajp_module) and report your experience to us.

Step 1: Configuring nginx as HTTP proxy

  1. Install nginx (this step is OS- and distribution-specific). Details on how to install nginx can be found at http://wiki.nginx.org/Install

  2. Make sure that Tomcat accepts HTTP requests from localhost (port 8080 by default)

  3. So that the web application can resolve the client IP address and protocol, add the following to server.xml (remove the 'protocolHeaderHttpsValue' attribute for a non-SSL setup):

    Code Block
     <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" />

  4. Configure /etc/nginx/conf.d/default.conf (the default directory for included config files in a CentOS nginx installation):

Code Block
server {
    listen   80;
    server_name portal.example.com www.portal.example.com;
    charset utf-8;
 
    location / { 
      proxy_pass  http://localhost:8080;
 
      # The next headers are required so that Tomcat can resolve the client address (not the proxy's)
      # In ${tomcat}/conf/server.xml add this line:
      # <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" />
    
      proxy_set_header  X-Real-IP  $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      # RemoteIpValve reads the protocol from this header, so nginx must set it itself
      proxy_set_header        X-Forwarded-Proto $scheme;
      proxy_set_header        Host $http_host;
      proxy_buffer_size       8k;
      proxy_buffers           16 32k;  
      proxy_busy_buffers_size 64k;
    }
    location ~ /(WEB-INF|META-INF) {
       deny  all;
    }
}
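
How the headers set in this location block are consumed on the Tomcat side, as an added example that is not part of the original page and is not Tomcat's code: a simplified Python model of right-to-left X-Forwarded-For resolution. It assumes that only loopback addresses count as internal proxies and that nginx also sends X-Forwarded-Proto set to $scheme; the function names are hypothetical.

```python
# Added example: simplified model of proxy-header resolution (not Tomcat source code).
import ipaddress

# Assumption: only loopback is treated as an internal proxy, because nginx and
# Tomcat share a host here (proxy_pass http://localhost:8080).
INTERNAL_PROXIES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed entries are never trusted
    return any(ip in net for net in INTERNAL_PROXIES)


def nginx_forward(peer_addr, client_headers, scheme):
    """Headers nginx sends upstream for one request (models the proxy_set_header lines)."""
    xff = client_headers.get("X-Forwarded-For")
    return {
        "X-Real-IP": peer_addr,  # $remote_addr
        # $proxy_add_x_forwarded_for: client-supplied value first, then the real peer
        "X-Forwarded-For": f"{xff}, {peer_addr}" if xff else peer_addr,
        # $scheme: replaces whatever the client sent in this header
        "X-Forwarded-Proto": scheme,
    }


def resolve_client(socket_peer, headers):
    """Return (client_ip, is_secure) as the web application would see them."""
    if not is_internal(socket_peer):
        # The request did not arrive through the proxy: ignore forwarded headers.
        return socket_peer, False
    client_ip = socket_peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):  # walk right to left
        if not is_internal(hop):
            client_ip = hop  # first hop that is not one of our own proxies
            break
    secure = headers.get("X-Forwarded-Proto", "").lower() == "https"
    return client_ip, secure
```

A forged X-Forwarded-For entry sent by the client ends up to the left of the address nginx appends, so it is never chosen; a request that reaches port 8080 directly gets no header processing at all.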

 

Step 2: Configure SSL

Code Block
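server {
   # "listen ... ssl" replaces the deprecated "ssl on;" directive
   listen 443 ssl;
   ...
   ssl_certificate      /etc/nginx/cert.pem;
   ssl_certificate_key  /etc/nginx/cert.key;
   ssl_session_timeout  5m;
   # SSLv2 and SSLv3 are broken and TLSv1 is deprecated; omit TLSv1.3 on nginx older than 1.13.0
   ssl_protocols  TLSv1.2 TLSv1.3;
   ssl_ciphers HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers   on;
}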

Step 3: Redirect all traffic to HTTPS:

Code Block
server {
  listen 80;
    ...
  rewrite     ^ https://portal.example.com$request_uri? permanent;
}

Step 4: Configure custom error pages:

Code Block
server {
    ...
   # Enable custom error pages
   proxy_intercept_errors on;
   error_page 404  /error/404.html;
   error_page 503  /error/503.html;
   error_page 500  /error/500.html;
   location /error { root /home/tomcat/ngerror/; }
}

Step 5: Enable aggressive resource caching

...

Code Block
server {
   ...
   # Enable aggressive caching for static resources. With this config there
   # should be a cron job that compresses all non-compressed files. For example,
   # the script checks whether directory {tomcat}/webapps/static contains an image
   # example.gif but does not contain example.gif.gz, and if so creates one with the
   # same timestamp.
  
   location /static/ {
    alias /home/tomcat/opt/tomcat/webapps/static/;
    gzip on;
    gzip_static on;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    # Some versions of IE 6 don't handle compression well on some mime-types, so just disable it for them
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";


    # Set a vary header so downstream proxies don't send cached gzipped content to IE6
    gzip_vary on;

    expires 1y;
    add_header Cache-Control public;
   }
}

...

Step 6: Run this script periodically

...

Code Block
#!/bin/bash

# Schedule this script using a crontab expression:
#   55 0 * * * /home/tomcat/create_gz_files.sh >> /dev/null 2>&1

# Quoted array entries so the patterns reach find unexpanded
FILETYPES=("*.css" "*.jpg" "*.jpeg" "*.gif" "*.png" "*.js" "*.html")

# specify a list of directories to check recursively
DIRECTORIES=(/directory/to/compress/* /another/directory/to/compress/*)

for currentdir in "${DIRECTORIES[@]}"
do
  for extension in "${FILETYPES[@]}"
  do
    #echo "$currentdir"
    # The file name is passed as a positional argument ($1) instead of being
    # spliced into the script text, so names containing spaces or shell
    # metacharacters are handled safely.
    find "$currentdir" -type f -iname "$extension" -exec bash -c '
      PLAINFILE=$1; GZIPPEDFILE=$1.gz
      if [ -e "$GZIPPEDFILE" ]; then
        if [ "$(stat --printf=%Y "$PLAINFILE")" -gt "$(stat --printf=%Y "$GZIPPEDFILE")" ]; then
          echo "$GZIPPEDFILE outdated, regenerating"
          gzip -9 -f -c "$PLAINFILE" > "$GZIPPEDFILE"
          touch -r "$PLAINFILE" "$GZIPPEDFILE"
        fi
      else
        echo "$GZIPPEDFILE is missing, creating it"
        gzip -9 -c "$PLAINFILE" > "$GZIPPEDFILE"
        touch -r "$PLAINFILE" "$GZIPPEDFILE"
      fi' _ {} \;
  done
done

...