
Nginx en Reverse Proxy Cache HTTP(S)

nginx [engine x] est un logiciel de serveur Web écrit par Igor Sysoev. Ses sources sont disponibles sous une licence de type BSD.

Nous utilisons ce serveur comme « reverse proxy cache » pour délivrer plus efficacement les textes, images, sons et vidéos de nos sites hébergés sur notre plate-forme (une ferme de serveurs Apache2).

Voici la configuration du serveur Nginx, sur distribution Gnu/Linux Debian Squeeze, dans ce contexte :

# Debian Squeeze: install nginx from the distribution package (run as root).
# apt-get install nginx

/etc/nginx/nginx.conf

# Main context: process model, privileges and logging of the reverse proxy.
worker_processes 4;
worker_priority -1;
# Per-worker open-file limit; the cache, temp files and 4096 connections/worker all consume fds.
worker_rlimit_nofile 8192;
# Workers drop privileges to www-data (the master still runs as root to bind port 80/443).
user www-data www-data;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;
daemon on;
timer_resolution 500ms;

events {
multi_accept on;
worker_connections 4096;
use epoll;
}

# All http-level settings live in conf.d/*.conf; the virtual hosts in sites-enabled/.
http {
# Presumably sized for the `map $scheme $msiis` declared in nginx-proxy.conf — confirm.
map_hash_bucket_size 128;
include /etc/nginx/mime.types;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

Les fichiers du répertoire /etc/nginx/conf.d/ complètent la configuration du reverse proxy :

/etc/nginx/conf.d/nginx-global.conf

# Global http-context hardening and tuning (included from nginx.conf via conf.d/*.conf).
server_tokens off; # do not reveal the nginx version in the Server header and error pages
server_name_in_redirect off;
ignore_invalid_headers on;
if_modified_since before;
# NOTE(review): `ssi on` also applies Server Side Includes to proxied text/html responses,
# so any user-supplied text that a backend echoes unescaped could be interpreted as an SSI
# directive by this proxy — confirm the hosted sites actually need SSI at this layer.
ssi on;
ssi_silent_errors on; # testing=off
# Clickjacking mitigation. add_header is only attached to 2xx/3xx responses.
add_header X-Frame-Options SAMEORIGIN;

# TCP
tcp_nodelay on;
tcp_nopush off;
sendfile on;

### timeouts ###
resolver_timeout 6;
client_header_timeout 12;
client_body_timeout 60;
send_timeout 60;
keepalive_timeout 65 20;
# NOTE(review): a value of 0 presumably closes the connection after the first request,
# i.e. disables keep-alive in practice — confirm this is intended (the default is 100).
keepalive_requests 0; #100

### buffers ###
client_header_buffer_size 1k;
client_body_buffer_size 128k;
large_client_header_buffers 4 4k;
# Request bodies above this size are rejected by nginx (413) before reaching Apache.
client_max_body_size 10M;
client_body_temp_path /var/spool/nginx/client/;
output_buffers 1 32k;
postpone_output 1460;

### errors handled by Apache ###
# Error pages come from the backends; nginx's own error_page overrides stay disabled.
recursive_error_pages off;
#error_page 400 402 403 405 406 410 411 413 416 /40x.html;
#error_page 500 501 502 503 504 /50x.html;
#error_page 404 =410 /40x.html;

open_log_file_cache max=1024 inactive=30s min_uses=3 valid=5m;

### compression handled by Apache too ###
# Compression is left to the backends; the gzip settings below are kept for reference only.
gzip off;
gzip_static off;

#gzip on;
#gzip_disable "msie6";
#gzip_vary on;
#gzip_min_length 512;
#gzip_buffers 256 8k;
#gzip_comp_level 6;
#gzip_proxied any;
#gzip_types text/plain text/html text/xml text/css
#image/x-icon image/bmp application/atom+xml
#text/javascript application/x-javascript
#application/pdf application/postscript
#application/rtf application/vnd.ms-powerpoint
#application/msword application/vnd.ms-excel
#application/vnd.wap.xhtml+xml;

/etc/nginx/conf.d/nginx-backend.conf

# The Apache2 farm behind the proxy; referenced by every proxy_pass in the vhost files.
upstream backend_virtualhosts {
# Sticky routing: a given client address always reaches the same backend.
ip_hash;
# max_fails=0 disables failure accounting, so a backend is never marked down;
# failover relies solely on proxy_next_upstream (nginx-proxy.conf).
server 192.168.0.1:8080 max_fails=0;
server 192.168.0.2:8080 max_fails=0;
server 192.168.0.3:8080 max_fails=0;
server 192.168.0.4:8080 max_fails=0;
}

/etc/nginx/conf.d/nginx-logformat.conf

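# Access-log formats. "main" is the one used by both vhost files; the others are
# available for troubleshooting (cache hits, upstream timing, compression ratio).
#
# The "main" definition below was collapsed onto one line in the original, which
# glued two quoted parts together ('' with no separator) — nginx rejects that;
# one quoted fragment per line restores the intended concatenation.
#
# Note for log analysis: $http_x_forwarded_for is copied verbatim from the client
# request and cannot be trusted; $remote_addr is the address actually seen by nginx.
log_format main
'$http_host $remote_addr $remote_port - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

# Request path through the proxy: requested host -> proxy_host -> chosen backend.
log_format full
'$remote_addr $remote_user [$time_local] '
'"$host"->$proxy_host->$upstream_addr '
'"$request" $status($upstream_status) '
'$bytes_sent/$gzip_ratio($sent_http_content_type) '
'$request_time($upstream_response_time)';

# Timing only: total request time against the upstream's own response time.
log_format perf
'$request_time($upstream_response_time) '
'$bytes_sent/$gzip_ratio($sent_http_content_type) '
'$status "$upstream_addr$uri"';

# Compression diagnostics (gzip is currently off at this layer, see nginx-global.conf).
log_format gzip
'$bytes_sent/$gzip_ratio($sent_http_content_type) '
'[$http_accept_encoding]"$http_user_agent"';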

/etc/nginx/conf.d/nginx-cache.conf

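# Proxy cache definition; the zone "cache" is enabled per location in the vhost files.
# A response is only stored after the same key has been requested 3 times.
proxy_cache_min_uses 3;
# On-disk cache under /var/cache/nginx/ (this is the directory to empty when purging).
proxy_cache_path /var/cache/nginx/ levels=1:2
keys_zone=cache:15m inactive=15m max_size=1000M;
#proxy_cache_valid any 15m;
# Cache key is scheme + host + URI only: one entry serves every client for a URL.
# Correctness for personalised pages therefore depends on the backends sending
# Set-Cookie / Cache-Control: private (which nginx does not cache by default) —
# keep that in mind before adding proxy_ignore_headers.
# The original used typographic quotes (“ ”) around the key, which nginx does not
# treat as quoting; plain ASCII quotes restore the intended value.
proxy_cache_key "$scheme$host$request_uri";
#proxy_cache cache;
#proxy_cache_valid 200 302 15m;
#proxy_cache_valid 404 1m;
#proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;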

/etc/nginx/conf.d/nginx-proxy.conf

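# Proxy behaviour shared by every proxy_pass location (http context).
proxy_intercept_errors off; # Apache handles the error pages
proxy_ignore_client_abort off;
# Try the next backend only on connection error, timeout or an unparsable reply;
# HTTP error statuses from a backend are returned to the client as-is.
proxy_next_upstream error timeout invalid_header;
port_in_redirect off;
# Rewrite Location headers from the backends to the scheme the client actually used.
proxy_redirect http:// $scheme://;

### proxy-header ###
#proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
# Client identity as seen by this proxy. Backends must trust these headers only
# when the request comes from this proxy, since clients can send them too.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
# Appends $remote_addr to whatever X-Forwarded-For the client sent; only the last
# element (this proxy's view) is trustworthy.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# The original line ended with a stray "$" after the ";", which nginx rejects as an unknown directive.
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
# Front-End-Https is the IIS/ISA convention for "request arrived over TLS".
map $scheme $msiis { http off; https on; }
proxy_set_header Front-End-Https $msiis;
proxy_pass_header Set-Cookie;
proxy_pass_header P3P;

### proxy-timeouts ###
proxy_connect_timeout 60;
proxy_send_timeout 60;
proxy_read_timeout 60;

### proxy-buffers ###
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 256 8k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_temp_path /var/spool/nginx/temp/;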

Pour le SSL, nous utilisons le support TLS SNI. Les fichiers des virtualhosts sont donc les suivants :

/etc/nginx/sites-available/nginx-vhost.conf

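# Plain-HTTP default virtual host: canonicalises the host name, filters methods
# and proxies everything else to the Apache farm (with caching for GET/HEAD).
server {
listen 80 default;
listen [::]:80 default ipv6only=on;
server_name _;

# add_header Cache-Control public;
access_log /var/log/nginx/vhosts.access.log main;

# Bare domain (no sub-domain) -> permanent redirect to the www. host.
# $host_with_www is built from the host capture first, because $1 inside the
# rewrite refers to the URI capture of the rewrite's own regex.
if ($host ~* ^([a-z0-9\-]+\.(com|net|org|info|fr|eu))$) {
set $host_with_www www.$1;
rewrite ^(.*)$ http://$host_with_www$1 permanent;
}
# NOTE(review): this server only listens on port 80 without ssl, so $scheme is
# always "http" here and this block never fires — kept as in the original.
if ($scheme = "https") {
rewrite ^ https://$http_host$request_uri permanent;
}

# only these methods.
# Anything but GET/HEAD/POST is dropped without a response (444 closes the connection).
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
# Never expose Apache's .htaccess/.htpasswd files through the proxy.
location ~ /\.ht {
deny all;
}
location / {
# NOTE(review): no root is declared, so $request_filename resolves under nginx's
# built-in default root; a file existing there is served directly by nginx —
# confirm that directory is meant to be public.
if (-f $request_filename) { break; }
# POST goes straight to the backends without touching the cache.
if ($request_method = POST) {
proxy_pass http://backend_virtualhosts;
break;
}

proxy_pass http://backend_virtualhosts;
proxy_cache cache;
# Serve a stale entry while refreshing or when the backends fail.
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
}

# Static assets: cached 120 minutes on this proxy, 7 days in the client (expires).
# The original regex had an unescaped "." (matches any character, e.g. "/mycss");
# "\." matches the literal extension dot only.
location ~* \.(jpe?g|gif|css|js|flv|swf|png|ico|pdf|7z|zip|tar|t?gz|mp3|wav)$ {
access_log off;
proxy_cache_valid 200 120m;
expires 7d;
proxy_pass http://backend_virtualhosts;
proxy_cache cache;

}

}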

/etc/nginx/sites-available/ssl-vhosts.conf

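# HTTPS virtual host (TLS SNI): same method filtering, .ht protection and
# proxy/cache layout as the port-80 vhost, plus the TLS settings.
server {
listen 443 default ssl;
listen [::]:443 default ipv6only=on ssl;
server_name placenet.fr www.placenet.fr;
# NOTE(review): this is added to every 2xx/3xx response of the HTTPS site, including
# dynamic pages from Apache; if any of them are per-user, "public" allows shared
# caches to store them — confirm the backends' own Cache-Control is not being contradicted.
add_header Cache-Control public;
ssl on;
# Placeholder certificate paths (the page uses example.tld); replace with the real files.
ssl_certificate /etc/ssl/example.tld.crt;
ssl_certificate_key /etc/ssl/example.tld.key;
ssl_prefer_server_ciphers on;
# SSLv3 removed from the original "TLSv1 SSLv3": the protocol is broken by design
# (POODLE) and must not be offered. Add TLSv1.1/TLSv1.2 (`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`)
# as soon as the nginx/OpenSSL build in use supports them.
ssl_protocols TLSv1;
# !aNULL replaces !ADH: it excludes every anonymous (unauthenticated) key exchange, not only DH.
ssl_ciphers HIGH:!aNULL:!MD5:@STRENGTH;
ssl_session_cache shared:TLSSL:16m;
ssl_session_timeout 10m;
access_log /var/log/nginx/vhosts.access.log main;
# only these methods.
# Anything but GET/HEAD/POST is dropped without a response (444 closes the connection).
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
# Never expose Apache's .htaccess/.htpasswd files through the proxy.
location ~ /\.ht {
deny all;
}
location / {
# NOTE(review): no root is declared, so $request_filename resolves under nginx's
# built-in default root; a file existing there is served directly by nginx —
# confirm that directory is meant to be public.
if (-f $request_filename) { break; }
# POST goes straight to the backends without touching the cache.
if ($request_method = POST) {
proxy_pass http://backend_virtualhosts;
break;
}

proxy_pass http://backend_virtualhosts;
proxy_cache cache;
# Serve a stale entry while refreshing or when the backends fail.
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
}

# Static assets: cached 120 minutes on this proxy, 7 days in the client (expires).
# The original regex had an unescaped "." (matches any character); "\." matches
# the literal extension dot only.
location ~* \.(jpe?g|gif|css|js|flv|swf|png|ico|pdf|7z|zip|tar|t?gz|mp3|wav)$ {
access_log off;
proxy_cache_valid 200 120m;
expires 7d;
proxy_pass http://backend_virtualhosts;
proxy_cache cache;

}
}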

Pour vider le cache, il faut, en plus de redémarrer le serveur Nginx, ne pas oublier d’effacer le contenu du répertoire /var/cache/nginx/.
