=== modified file 'src/docbkx/en/dhis2_implementation_guide_installation.xml'
--- src/docbkx/en/dhis2_implementation_guide_installation.xml 2012-03-14 12:07:57 +0000
+++ src/docbkx/en/dhis2_implementation_guide_installation.xml 2012-03-15 11:02:56 +0000
@@ -92,20 +92,29 @@ sudo /usr/local/nginx/sbin/nginx -s stop Now that we have installed nginx we will now continue to configure regular proxying of requests to our Tomcat instance, which we assume runs at http://localhost:8080. To configure nginx you can open the configuration file by invoking sudo nano /usr/local/nginx/conf/nginx.conf - nginx configuration is built around a hierarchy of blocks representing http, server and location, where each block inherit settings from parent blocks. To configure nginx to proxy pass (redirect) requests from port 80 (which is the port nginx will listen on by default) to our Tomcat instance include the following configuration in nginx.conf: + nginx configuration is built around a hierarchy of blocks representing http, server and location, where each block inherit settings from parent blocks. The following snippet will configure nginx to proxy pass (redirect) requests from port 80 (which is the port nginx will listen on by default) to our Tomcat instance. It will also make nginx serve requests for static content such as javascript, stylesheets and images and instruct clients to cache it for 14 days which will reduce the load on Tomcat and improve overall performance. Include the following configuration in nginx.conf: - Now that the reverse proxy is set up we can improve security by making Tomcat only listen for local connections. In /conf/server.xml you can add an address attribute with the value localhost to the Connetor element for HTTP 1.1 like this: + You can now access your DHIS instance at http://localhost. Since the reverse proxy has been set up we can improve security by making Tomcat only listen for local connections. In /conf/server.xml you can add an address attribute with the value localhost to the Connetor element for HTTP 1.1 like this: <Connector address="localhost" protocol="HTTP/1.1" ... 
> Encrypted connections with SSL In order to improve security it is recommended to configure the server running DHIS to communicate with clients over an encrypted connection and to identify itself to clients using a trusted certificate. This can be achieved through SSL which is an cryptographic communication protocol running on top of TCP/IP.
@@ -116,32 +125,37 @@
 server { listen 80;
- server_name localhost;
- rewrite ^ https://$request_uri? permanent;
+ rewrite ^ https://$request_uri? permanent;
 } # SSL server block server {
- listen 443;
- server_name localhost;
-
- ssl on;
- ssl_certificate server.crt;
- ssl_certificate_key server.key;
-
- ssl_session_timeout 5m;
-
- ssl_protocols SSLv2 SSLv3 TLSv1;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
-
- location / {
- proxy_pass http://localhost:8080/;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ listen 443;
+
+ ssl on;
+ ssl_certificate server.crt;
+ ssl_certificate_key server.key;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols SSLv2 SSLv3 TLSv1;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ # Root points to your DHIS webapp location, update it!
+
+ location ~* (\.js$|\.css$|\.gif$|^/images/|^/icons/) {
+ root /home/dhis/tomcat/webapps/ROOT;
+ expires 14d;
+ }
+
+ location / {
+ proxy_pass http://localhost:8080/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 } }]]>
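Review bot: The re-indented SSL server block still carries `ssl_protocols SSLv2 SSLv3 TLSv1;`, so the guide keeps telling readers to enable SSLv2 and SSLv3, which are broken protocols. Since the block is being rewritten anyway, restrict it to the TLS versions the installed nginx/OpenSSL supports, e.g. `ssl_protocols TLSv1.2 TLSv1.3;`. The port-80 redirect `rewrite ^ https://$request_uri? permanent;` has no host part and `$request_uri` begins with `/`, so it appears to produce `https:///path`; `rewrite ^ https://$host$request_uri? permanent;` looks like what was intended. The new static-content `location` serves matching files straight from the webapp directory without passing through Tomcat, so any access control the application applies to `/images/`, `/icons/` or `.js`/`.css`/`.gif` paths is not enforced there; a sentence next to the `# Root points to your DHIS webapp location` comment should say so. The configuration listing begins before this hunk, so the `http`-level settings were not reviewed.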