nginx

- nginx - - - Reverse Proxy - - - - Encrypted connections with SSL - After tomcat is set up behind the reverse proxy, it is time to configure nginx to use SSL. Using SSL for serving DHIS 2 will provide better security since it encrypts the connection to the server. - To configure nginx to use SSL you will need a proper SSL certificate from an SSL provider. The cost of a certificate varies a lot depending on encryption strength. An affordable certificate from https://www.rapidsslonline.com should serve most purposes. - When you have your certificate files (.pem and .key) you will need to place them in a location which is reachable by nginx. A good location for this can be the same directory as where your nginx.conf file is located. - Below is an nginx server block where the files are named server.pem and server.key and using a reverse proxy from port 443 (HTTPS) passed on to a DHIS 2 instance running on port 8080. - - Please note that this requires that you enter your SSL password every time you start your server. You can have SSL certificates without a password, but this is not recommended. + Reverse proxy (optional) + A reverse proxy is a proxy server that acts on behalf of a server. Using a reverse proxy in combination with a servlet container is optional but has many advantages: + + + Requests can be mapped and passed on to multiple servlet containers - this improves flexibility and makes it easier to run multiple instances of DHIS on the same server. It also makes it possible to change the internal server setup without affecting clients. + + + The DHIS application can be run as a non-root user on a port different than 80 which reduces the consequences of session hijacking. + + + The reverse proxy can act as a single SSL server and be configured to inspect requests for malicious content, log requests and responses and provide non-sensitive error messages which will improve security. + + + nginx + We recommend using nginx (http://wiki.nginx.org) as reverse proxy due to its low memory footprint and ease of use. To get the latest version we recommend installing from source: + sudo apt-get install make gcc libpcre3 libpcre3-dev zlibc zlib1g zlib1g-dev libssl-dev openssl + wget http://nginx.org/download/nginx-1.0.13.tar.gz (check for latest!) + tar xzvf nginx-1.0.13.tar.gz + cd nginx-1.0.13 + ./configure --with-http_ssl_module + make + sudo make install + nginx can now be started and stopped with the following commands: + sudo /usr/local/nginx/sbin/nginx + sudo /usr/local/nginx/sbin/nginx -s stop + Now that we have installed nginx we will now continue to configure regular proxying of requests to our Tomcat instance, which we assume runs at http://localhost:8080/dhis. To configure nginx you can open the configuration file by invoking + sudo nano /usr/local/nginx/conf/nginx.conf + nginx configuration is built around a hierarchy of blocks representing http, server and location, where each block inherit settings from parent blocks. To configure nginx to proxy pass (redirect) requests from port 80 (which is the port nginx will listen on by default) to our Tomcat instance include the following configuration in nginx.conf: + + Now that the reverse proxy is set up we can improve security by making Tomcat only listen for local connections. In /conf/server.xml you can add an address attribute with the value localhost to the Connetor element for HTTP 1.1 like this: + <Connector address="localhost" protocol="HTTP/1.1" ... > + Encrypted connections with SSL + In order to improve security it is recommended to configure the server running DHIS to communicate with clients over an encrypted connection and to identify itself to clients using a trusted certificate. This can be achieved through SSL which is an cryptographic communication protocol running on top of TCP/IP. + To configure nginx to use SSL you will need a proper SSL certificate from an SSL provider. The cost of a certificate varies a lot depending on encryption strength. An affordable certificate from https://www.rapidsslonline.com should serve most purposes. + When you have your certificate files (.pem and .key) you will need to place them in a location which is reachable by nginx. A good location for this can be the same directory as where your nginx.conf file is located. + Below is an nginx server block where the certificate files are named server.pem and server.key. Since SSL connections usually occur on port 443 (HTTPS) we pass requests on that port (443) on to the DHIS instance running on http://localhost:8080/dhis. The first server block will rewrite all requests connecting to port 80 and force the use of HTTPS/SSL. This is also necessary because DHIS is using a lot of redirects internally which must be passed on to use HTTPS. + $request_uri? permanent; +} + +# SSL server block + +server { + listen 443; + server_name localhost; + + ssl on; + ssl_certificate server.pem; + ssl_certificate_key server.key; + + ssl_session_timeout 5m; + + ssl_protocols SSLv2 SSLv3 TLSv1; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + + location / { + proxy_pass http://localhost:8080/dhis; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +}]]>

DHIS 2 Live setup @@ -110,6 +149,6 @@ Backup should be central in a disaster recovery plan. Even though such a plan should cover additional subjects, the database is the key component to consider since this is where all data used in the DHIS 2 application is stored. Most other parts of the IT infrastructure surrounding the application can be restored based on standard components. There are of course many ways to set up backup; however the following describes a setup where the database is copied into a dump file and saved on the file system. This can be considered a full backup. The backup is done with a cron job, which is a time-based scheduler in Unix/Linux operating systems. You can download both files from http://dhis2.com/download/pg_backup.zip - The cron job is set up with two files. The first is a script which performs the actual task of backup up the database. It uses a PostgreSQL program called pg_dump for creating the database copy. The second is a crontab file which runs the backup script every day at 23:00. Note that this script backs up the database file to the local disk. It is strongly recommended to store a copy of the backup at a location outside the server where the application is hosted. This can be achieved with the scp tool. + The cron job is set up with two files. The first is a script which performs the actual task of backup up the database. It uses a PostgreSQL program called pg_dump for creating the database copy. The second is a crontab file which runs the backup script every day at 23:00. Note that this script backs up the database file to the local disk. It is strongly recommended to store a copy of the backup at a location outside the server where the application is hosted. This can be achieved with the scp tool. Make sure that you have set the system date correctly on your server.