caching content on nginx
You can cache content on a front-end reverse proxy to serve requests more efficiently and reduce traffic to the back-end web server.
Let us get started.
nginx.conf
The key point is to place the cache configuration line before the include lines so that it is evaluated first.
http {
##
# cache config
##
proxy_cache_path /tmp/nginx/cache levels=1 keys_zone=wiki:4m inactive=1h max_size=10m;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
With this configuration,
- the actual cache files are stored under the /tmp/nginx/cache directory, in a hierarchy one level deep
/tmp/nginx/cache
├── 0
│ └── 64b08f8ec9459d892a1a80bea5d2d400
├── 1
│ └── 4bbed59225358625d11842e1ec069b81
├── 2
│ └── 47c32bbfbc8c08c9047c8a8271893f02
- the cache is registered under the zone name "wiki" and can grow to 10MB at most
- cached entries are retired after 1 hour without being accessed
Please make certain that the cache directory exists.
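The directory names in the tree above follow from how nginx names cache files: the file name is the MD5 of the cache key, and each levels= component takes that many characters from the end of the hash. The Python sketch below is an added example, not part of the original post; it assumes the default proxy_cache_key ($scheme$proxy_host$request_uri), and the key string in it is constructed.

```python
import hashlib
from pathlib import PurePosixPath


def parse_levels(levels):
    """Parse a levels= value such as "1" or "1:2" into a list of widths."""
    widths = [int(w) for w in levels.split(":")]
    # nginx accepts one to three levels, each 1 or 2 characters wide.
    if not 1 <= len(widths) <= 3 or any(w not in (1, 2) for w in widths):
        raise ValueError(f"invalid levels value: {levels!r}")
    return widths


def path_for_hash(cache_root, digest, levels="1"):
    """Return the cache file path for an MD5 hex digest."""
    parts = []
    end = len(digest)
    for width in parse_levels(levels):
        # Each level consumes `width` characters, working back from the end.
        parts.append(digest[end - width:end])
        end -= width
    return str(PurePosixPath(cache_root, *parts, digest))


def cache_file_for(cache_root, cache_key, levels="1"):
    """Hash a cache key the way nginx does and return its file path."""
    digest = hashlib.md5(cache_key.encode("utf-8")).hexdigest()
    return path_for_hash(cache_root, digest, levels)


if __name__ == "__main__":
    root = "/tmp/nginx/cache"  # proxy_cache_path from the post
    # A file name taken from the tree in the post lands in directory "0".
    print(path_for_hash(root, "64b08f8ec9459d892a1a80bea5d2d400"))
    # Constructed key: scheme "http", proxy_host "backend.example", URI "/wiki/Home".
    print(cache_file_for(root, "httpbackend.example/wiki/Home"))
```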
virtual host
A simple setup that caches responses with status 200 for 10 minutes.
location / {
proxy_cache wiki;
proxy_cache_valid 200 10m;
}
password authentication on nginx
Here is a simple procedure for setting up password authentication for content served by nginx, which is quite similar to that of apache.
First, you need to install apache2-utils in order to create the password file.
$ sudo apt-get install apache2-utils
Create the password file with the htpasswd command.
$ sudo htpasswd -c /home/ubuntu/wiki/.htpasswd lupin
Reference the newly created password file in the virtual host configuration.
location / {
auth_basic "Open Sesame!";
auth_basic_user_file /home/ubuntu/wiki/.htpasswd;
}
Apply the modified configuration to the running nginx process.
$ sudo /etc/init.d/nginx reload
enable encryption on nginx
Sometimes you would like to configure an nginx instance to communicate with clients over a secured connection. You can issue a self-signed certificate and use it for encryption.
Here is a quick procedure to do it.
issue certificate
Create a directory to store the key and certificate.
$ cd /etc/nginx
$ sudo mkdir cert
$ cd cert
Install the openssl package if it is not already there, and create a private key named "server.key".
$ sudo apt-get install openssl
$ sudo openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
......................................++++++
............................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
$ file server.key
server.key: PEM RSA private key
Then create a CSR named "server.csr". Answer the command's prompts as appropriate.
$ sudo openssl req -new -key server.key -out server.csr
$ file server.csr
server.csr: PEM certificate request
Copy the passphrase-protected private key to server.key.org and write an unencrypted copy back to server.key, ready for self-signing in place of a real CA.
$ sudo cp server.key server.key.org
$ sudo openssl rsa -in server.key.org -out server.key
Finally, issue the certificate, named "server.cert".
$ sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.cert
$ file server.cert
server.cert: PEM certificate
Now you have your own server certificate for encryption.
enable SSL
Incorporate the server certificate into nginx's configuration by pointing to its location.
server {
listen 443 ssl;
# TLS is enabled by the "ssl" parameter on the listen line; the separate "ssl on;" directive is obsolete
ssl_certificate cert/server.cert;
ssl_certificate_key cert/server.key;
}
Now you can see that nginx listens on the HTTPS port.
$ sudo lsof -nPi:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 385 root 8u IPv4 127726 0t0 TCP *:443 (LISTEN)
nginx 387 www-data 8u IPv4 127726 0t0 TCP *:443 (LISTEN)