Nginx Configuration
Documentation provided by Arvīds Grabovskis
nginx can be used in HTTP proxy mode or AJP proxy mode. The latter is not tested, hence the following description focuses on the HTTP proxy mode, but you're free to try AJP support (start here: https://github.com/yaoweibin/nginx_ajp_module) and report your experience to us.
Step 1: Configuring nginx as HTTP proxy
Install nginx (this is an OS- and distribution-specific step). Details on how to install nginx can be found at http://wiki.nginx.org/Install
Make sure that Tomcat accepts HTTP requests from localhost (by default on port 8080).
In order for the web application to resolve the client IP address and protocol, add the following Valve to server.xml (remove the 'protocolHeaderHttpsValue' attribute in case of a non-SSL setup):
<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" />
Configure /etc/nginx/conf.d/default.conf (the default directory of included config files for a CentOS nginx installation):
server {
    listen 80;
    server_name portal.example.com www.portal.example.com;
    charset utf-8;

    location / {
        proxy_pass http://localhost:8080;
        # The next headers are required so that Tomcat resolves the client
        # address (not the proxy's). In ${tomcat}/conf/server.xml add this line:
        # <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https" />
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends the real peer address to any
        # X-Forwarded-For the client sent, so the valve sees it last
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The valve's protocolHeader is only useful if the proxy actually sends it
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_buffer_size 8k;
        proxy_buffers 16 32k;
        proxy_busy_buffers_size 64k;
    }

    # Never expose servlet container internals through the proxy
    location ~ /(WEB-INF|META-INF) {
        deny all;
    }
}
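As an added illustration (not part of the original documentation), the following Python model shows how the two X-Forwarded-For settings above interact: nginx's $proxy_add_x_forwarded_for appends the real peer address, and RemoteIpValve walks the header from the right to pick the first address that is not one of its own proxies. The default internalProxies ranges are modelled here with ipaddress networks rather than Tomcat's regular expression, and the direct-to-port-8080 scenario shows why the step that restricts Tomcat to requests from localhost matters.

```python
import ipaddress

# Model of RemoteIpValve's default internalProxies (RFC 1918, loopback,
# link-local). Assumption: expressed as networks instead of Tomcat's regex.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def nginx_forward(client_xff, remote_addr):
    """What nginx sends upstream with proxy_set_header X-Forwarded-For
    $proxy_add_x_forwarded_for: the peer address is appended to whatever
    header the client supplied, so a client cannot replace its own address."""
    return f"{client_xff}, {remote_addr}" if client_xff else remote_addr


def remote_ip_valve(remote_addr, xff, proto=None, trusted=()):
    """Return (client_ip, secure) as the valve would set them.
    The headers are only consulted when the TCP peer is an internal proxy;
    'trusted' models the trustedProxies attribute (exact addresses here)."""
    if not is_internal(remote_addr):
        return remote_addr, False
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    client = remote_addr
    for hop in reversed(hops):
        client = hop
        if is_internal(hop) or hop in trusted:
            continue  # one of our proxies: keep walking left
        break         # first address that is not ours: the real client
    secure = proto is not None and proto.lower() == "https"
    return client, secure


if __name__ == "__main__":
    # Constructed scenario: peer 203.0.113.7 sends a forged header via nginx
    forged = nginx_forward("198.51.100.1", "203.0.113.7")
    print("via nginx:", remote_ip_valve("127.0.0.1", forged, "https"))
    # Same forged header sent straight to port 8080 from an internal host
    print("direct, internal peer:", remote_ip_valve("10.0.0.5", "198.51.100.1", "https"))
```

Run it to see that the forgery is harmless through nginx (the appended peer address wins) but succeeds from any host the valve already trusts, which is exactly what reaching Tomcat directly on 8080 would allow.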
Step 2: Configure SSL
server {
    # 'listen ... ssl' replaces the old 'ssl on;' directive
    listen 443 ssl;
    ...
    ssl_certificate /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken and must not be offered; only enable TLS
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ...
}
Step 3: Redirect all traffic to HTTPS:
server {
    listen 80;
    ...
    # $request_uri already carries the query string; the trailing '?' stops
    # nginx from appending the arguments a second time
    rewrite ^ https://portal.example.com$request_uri? permanent;
}
Step 4: Configure custom error pages
server {
    ...
    # Enable custom error pages
    proxy_intercept_errors on;
    error_page 404 /error/404.html;
    error_page 503 /error/503.html;
    error_page 500 /error/500.html;
    # With 'root', /error/404.html is looked up as /home/tomcat/ngerror/error/404.html
    location /error {
        root /home/tomcat/ngerror/;
    }
}
Step 5: Enable aggressive resource caching
server {
    ...
    # Enable aggressive caching for static resources. With this config there
    # should be a cron job that compresses all non-compressed files. For example,
    # the script checks that the directory {tomcat}/webapps/static contains an
    # image example.gif and does not contain example.gif.gz, and creates one
    # with the same timestamp.
    location /static/ {
        alias /home/tomcat/opt/tomcat/webapps/static/;
        gzip on;
        gzip_static on;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
        # Some versions of IE 6 don't handle compression well on some mime-types, so just disable it for them
        gzip_disable "MSIE [1-6].(?!.*SV1)";
        # Set a Vary header so downstream proxies don't send cached gzipped content to IE6
        gzip_vary on;
        expires 1y;
        add_header Cache-Control public;
    }
}
Step 6: Run this script periodically
#!/bin/bash
# Schedule this script using the crontab expression:
# 55 0 * * * /home/tomcat/create_gz_files.sh >> /dev/null 2>&1

# File patterns to compress; kept in an array so the globs are not expanded
# against the current directory when the loop runs
FILETYPES=("*.css" "*.jpg" "*.jpeg" "*.gif" "*.png" "*.js" "*.html")
# Directories to check recursively (these globs expand at assignment)
DIRECTORIES=(/directory/to/compress/* /another/directory/to/compress/*)

for currentdir in "${DIRECTORIES[@]}"; do
    for extension in "${FILETYPES[@]}"; do
        #echo "$currentdir"
        # The file name is passed to the inner shell as $1 instead of being
        # substituted into the script text, so odd file names cannot break it
        find "$currentdir" -iname "$extension" -exec bash -c '
            PLAINFILE=$1
            GZIPPEDFILE=$1.gz
            if [ -e "$GZIPPEDFILE" ]; then
                # Regenerate only when the plain file is newer than the .gz
                if [ "$(stat --printf=%Y "$PLAINFILE")" -gt "$(stat --printf=%Y "$GZIPPEDFILE")" ]; then
                    echo "$GZIPPEDFILE outdated, regenerating"
                    gzip -9 -f -c "$PLAINFILE" > "$GZIPPEDFILE"
                    touch -r "$PLAINFILE" "$GZIPPEDFILE"
                fi
            else
                echo "$GZIPPEDFILE is missing, creating it"
                gzip -9 -c "$PLAINFILE" > "$GZIPPEDFILE"
                touch -r "$PLAINFILE" "$GZIPPEDFILE"
            fi' _ {} \;
    done
done