HAUT

Nginx en Reverse Proxy Cache HTTP(S)

nginx [engine x] est un logiciel de serveur Web écrit par Igor Sysoev. Ses sources sont disponibles sous une licence de type BSD.\r\n\r\nNous utilisons ce serveur comme un « reverse proxy cache » pour délivrer plus efficacement les textes, images, sons et vidéo de nos sites hébergés sur notre plate-forme (une ferme de serveur Apache2).\r\n\r\nVoici la configuration du serveur Nginx, sur distribution Gnu/Linux Debian Squeeze, dans ce contexte :\r\n

# apt-get install nginx

\r\n/etc/nginx/nginx.conf\r\n

\r\nworker_processes 4;\r\nworker_priority -1;\r\nworker_rlimit_nofile 8192;\r\nuser www-data www-data;\r\npid /var/run/nginx.pid;\r\nerror_log /var/log/nginx/error.log;\r\ndaemon on;\r\ntimer_resolution 500ms;\r\n\r\nevents {\r\nmulti_accept on;\r\nworker_connections 4096;\r\nuse epoll;\r\n}\r\n

http {\r\nmap_hash_bucket_size 128;\r\ninclude /etc/nginx/mime.types;\r\ninclude /etc/nginx/conf.d/*.conf;\r\ninclude /etc/nginx/sites-enabled/*;\r\n}

\r\n

\r\nles fichiers dans le /etc/nginx/conf.d/ complètent la configuration du reverse proxy :\r\n\r\n/etc/nginx/conf.d/nginx-global.conf\r\n

\r\nserver_tokens off;\r\nserver_name_in_redirect off;\r\nignore_invalid_headers on;\r\nif_modified_since before;\r\nssi on;\r\nssi_silent_errors on; # testing=off\r\nadd_header X-Frame-Options SAMEORIGIN;\r\n\r\n# TCP\r\ntcp_nodelay on;\r\ntcp_nopush off;\r\nsendfile on;\r\n\r\n### timeouts ###\r\nresolver_timeout 6;\r\nclient_header_timeout 12;\r\nclient_body_timeout 60;\r\nsend_timeout 60;\r\nkeepalive_timeout 65 20;\r\nkeepalive_requests 0; #100\r\n\r\n### buffers ###\r\nclient_header_buffer_size 1k;\r\nclient_body_buffer_size 128k;\r\nlarge_client_header_buffers 4 4k;\r\nclient_max_body_size 10M;\r\nclient_body_temp_path /var/spool/nginx/client/;\r\noutput_buffers 1 32k;\r\npostpone_output 1460;\r\n\r\n### errors par Apache ###\r\nrecursive_error_pages off;\r\n#error_page 400 402 403 405 406 410 411 413 416 /40x.html;\r\n#error_page 500 501 502 503 504 /50x.html;\r\n#error_page 404 =410 /40x.html;\r\n\r\nopen_log_file_cache max=1024 inactive=30s min_uses=3 valid=5m;\r\n\r\n### compression par apache aussi ###\r\ngzip off;\r\ngzip_static off;\r\n\r\n#gzip on;\r\n#gzip_disable "msie6";\r\n#gzip_vary on;\r\n#gzip_min_length 512;\r\n#gzip_buffers 256 8k;\r\n#gzip_comp_level 6;\r\n#gzip_proxied any;\r\n#gzip_types text/plain test/html text/xml text/css\r\n#image/x-icon image/bmp application/atom+xml\r\n#text/javascript application/x-javascript\r\n#application/pdf application/postscript\r\n#application/rtf application/vnd.ms-powerpoint\r\n#application/msword application/vnd.ms-excel\r\n#application/vnd.wap.xhtml+xml;

\r\n\r\n/etc/nginx/conf.d/nginx-backend.conf\r\n

\r\nupstream backend_virtualhosts {\r\nip_hash;\r\nserver 192.168.0.1:8080 max_fails=0;\r\nserver 192.168.0.2:8080 max_fails=0;\r\nserver 192.168.0.3:8080 max_fails=0;\r\nserver 192.168.0.4:8080 max_fails=0;\r\n}\r\n

\r\n/etc/nginx/conf.d/nginx-logformat.conf\r\n

\r\nlog_format main '$http_host $remote_addr $remote_port - $remote_user [$time_local] ''"$request" $status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';\r\n\r\nlog_format full\r\n'$remote_addr $remote_user [$time_local] '\r\n'"$host"->$proxy_host->$upstream_addr '\r\n'"$request" $status($upstream_status) '\r\n'$bytes_sent/$gzip_ratio($sent_http_content_type) '\r\n'$request_time($upstream_response_time)';\r\n\r\nlog_format perf\r\n'$request_time($upstream_response_time) '\r\n'$bytes_sent/$gzip_ratio($sent_http_content_type) '\r\n'$status "$upstream_addr$uri"';\r\n\r\nlog_format gzip\r\n'$bytes_sent/$gzip_ratio($sent_http_content_type) '\r\n'[$http_accept_encoding]"$http_user_agent"';\r\n

\r\n/etc/nginx/conf.d/nginx-cache.conf\r\n

\r\nproxy_cache_min_uses 3;\r\nproxy_cache_path /var/cache/nginx/ levels=1:2\r\nkeys_zone=cache:15m inactive=15m max_size=1000M;\r\n#proxy_cache_valid any 15m;\r\nproxy_cache_key “$scheme$host$request_uri”;\r\n#proxy_cache cache;\r\n#proxy_cache_valid 200 302 15m;\r\n#proxy_cache_valid 404 1m;\r\n#proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;\r\n

\r\n/etc/nginx/conf.d/nginx-proxy.conf\r\n

\r\nproxy_intercept_errors off; # Apache gère les erreurs\r\nproxy_ignore_client_abort off;\r\nproxy_next_upstream error timeout invalid_header;\r\nport_in_redirect off;\r\nproxy_redirect http:// $scheme://;\r\n\r\n### proxy-header ###\r\n#proxy_set_header Accept-Encoding "";\r\nproxy_set_header Host $host;\r\nproxy_set_header X-Real-IP $remote_addr;\r\nproxy_set_header X-Forwarded-By $server_addr:$server_port;\r\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\r\nproxy_set_header X-Forwarded-Host $host; $\r\nproxy_set_header X-Forwarded-Server $host;\r\nproxy_set_header X-Forwarded-Proto $scheme;\r\nmap $scheme $msiis { http off; https on; }\r\nproxy_set_header Front-End-Https $msiis;\r\nproxy_pass_header Set-Cookie;\r\nproxy_pass_header P3P;\r\n\r\n### proxy-timeouts ###\r\nproxy_connect_timeout 60;\r\nproxy_send_timeout 60;\r\nproxy_read_timeout 60;\r\n\r\n### proxy-buffers ###>\r\nproxy_buffering on;\r\nproxy_buffer_size 8k;\r\nproxy_buffers 256 8k;\r\nproxy_busy_buffers_size 64k;\r\nproxy_temp_file_write_size 64k;\r\nproxy_temp_path /var/spool/nginx/temp/;\r\n

\r\nNous utilisons pour le SSL, le support TLS SNI, Les fichiers pour les virtualhost sont donc les suivants :\r\n\r\n/etc/nginx/sites-available/nginx-vhost.conf\r\n

\r\nserver {\r\nlisten 80 default;\r\nlisten [::]:80 default ipv6only=on;\r\nserver_name _;\r\n\r\n# add_header Cache-Control public;\r\naccess_log /var/log/nginx/vhosts.access.log main;\r\n\r\nif ($host ~* ^([a-z0-9\-]+\.(com|net|org|info|fr|eu))$) {\r\nset $host_with_www www.$1;\r\nrewrite ^(.*)$ http://$host_with_www$1 permanent;\r\n}\r\nif ($scheme = "https") {\r\nrewrite ^ https://$http_host$request_uri permanent;\r\n}\r\n\r\n# only these methods.\r\nif ($request_method !~ ^(GET|HEAD|POST)$ ) {\r\nreturn 444;\r\n}\r\nlocation ~/\.ht {\r\ndeny all;\r\n}\r\nlocation / {\r\nif (-f $request_filename) { break; }\r\nif ($request_method = POST) {\r\nproxy_pass http://backend_virtualhosts;\r\nbreak;\r\n}\r\n\r\nproxy_pass http://backend_virtualhosts;\r\nproxy_cache cache;\r\nproxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;\r\n}\r\n\r\nlocation ~* .(jpe?g|gif|css|js|flv|swf|png|ico|pdf|7z|zip|tar|t?gz|mp3|wav)$ {\r\naccess_log off;\r\nproxy_cache_valid 200 120m;\r\nexpires 7d;\r\nproxy_pass http://backend_virtualhosts;\r\nproxy_cache cache;\r\n\r\n}\r\n\r\n}\r\n

\r\n/etc/nginx/sites-available/ssl-vhosts.conf\r\n

\r\nserver {\r\nlisten 443 default ssl;\r\nlisten [::]:443 default ipv6only=on ssl;\r\nserver_name placenet.fr www.placenet.fr;\r\nadd_header Cache-Control public;\r\nssl on;\r\nssl_certificate /etc/ssl/example.tld.crt;\r\nssl_certificate_key /etc/ssl/example.tld.key;\r\nssl_prefer_server_ciphers on;\r\nssl_protocols TLSv1 SSLv3;\r\nssl_ciphers HIGH:!ADH:!MD5:@STRENGTH;\r\nssl_session_cache shared:TLSSL:16m;\r\nssl_session_timeout 10m;\r\naccess_log /var/log/nginx/vhosts.access.log main;\r\n# only these methods.\r\nif ($request_method !~ ^(GET|HEAD|POST)$ ) {\r\nreturn 444;\r\n}\r\nlocation ~/\.ht {\r\ndeny all;\r\n}\r\nlocation / {\r\nif (-f $request_filename) { break; }\r\nif ($request_method = POST) {\r\nproxy_pass http://backend_virtualhosts;\r\nbreak;\r\n}\r\n\r\nproxy_pass http://backend_virtualhosts;\r\nproxy_cache cache;\r\nproxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;\r\n}\r\n\r\nlocation ~* .(jpe?g|gif|css|js|flv|swf|png|ico|pdf|7z|zip|tar|t?gz|mp3|wav)$ {\r\naccess_log off;\r\nproxy_cache_valid 200 120m;\r\nexpires 7d;\r\nproxy_pass http://backend_virtualhosts;\r\nproxy_cache cache;\r\n\r\n}\r\n}\r\n

\r\nPour vider la cache, il faut en plus du redémarrage du serveur Nginx, ne pas oublier d’effacer le contenu du répertoire /var/cache/nginx/.

3 commentaires. Ecrire un commentaire

  1. Thibaut

    Merci pour votre retour. Actuellement, je test votre config (nginx en reverse proxy cache pour apache) avec eaccelerator qui après avoir testé apc me semble plus rapide.

  2. Thibaut

    Très bon tutoriel, je vous remercie, ça marche bien. Pensez-vous qu’il est pertinent de le combiner avec un systeme de cache type apc ou eaccelerator?

    • Webmestre

      Nous utilisons Apache2 en backend avec Suphp. Nous rencontrons quelques soucis avec APC qui tourne en ce moment mais les optimisations que nous avons essayé ne fonctionnent pas très bien avec WordPress. Nous allons donc essayer Xcache, mais en plus sur le serveur Apache2 nous utilisons le Mod Deflate, Expires, Headers et le module Cache_mem. Une fois que nous aurons validé Xcache, nous allons mettre en ligne la conf du Backend. L’ensemble Nginx et Apache2, nous permet d’avoir de bons résultats à un test comme Yslow.