I amtrying to follow the google pagespeed advice and Leverage browser caching. For that I place the following code into the server block of my nginx.conf file.
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d;
}
location ~* \.(pdf)$ {
expires 30d;
}
It seems to work nicely, page speed increases my score to from 87/100 to 95/100. However, when I click the refresh button for my site it doesn't seem to load the css files anymore?
Did the caching not work?
The error message I get is
Failed to load resource: the server responded with a status of 404 (Not Found)
Here is my entire nginx.conf file
worker_processes 1;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
sendfile on;
gzip on;
gzip_http_version 1.0;
gzip_proxied any;
gzip_min_length 500;
gzip_disable "MSIE [1-6]\.";
gzip_types text/plain text/xml text/css
text/comma-separated-values
text/javascript
application/x-javascript
application/atom+xml;
# Configuration containing list of application servers
upstream app_servers {
server 127.0.0.1:8080;
}
# Configuration for Nginx
server {
# Running port
listen 80;
# Settings to serve static files
location /static/ {
# Example:
# root /full/path/to/application/static/file/dir;
root /var/www/benty-fields/app/;
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d;
}
location ~* \.(pdf)$ {
expires 30d;
}
# Serve a static file (ex. favico)
# outside /static directory
location = /favico.ico {
root /app/favico.ico;
}
# Proxy connections to the application servers
# app_servers
location / {
proxy_pass http://app_servers;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
Take a look at Fiddler traces or Chrome dev tools.
A 304 would mean that the server responded with "not modified, use your local cache". If you clear your browser cache or do Shift + Refresh, you will get a 200 along with the body of the file. 304 on the contrary have zero body length.
I was getting the same issue.
Resolved it by placing:
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d;
}
location ~* \.(pdf)$ {
expires 30d;
}
inside
location /static/
So the final config looks like
location / {
proxy_pass http://app_servers;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d;
}
location ~* \.(pdf)$ {
expires 30d;
}
}
Reference: https://developers.google.com/speed/pagespeed/module/filter-cache-extend
Related
I use Nginx as reverse proxy to forward my Https request to backend server (which runs in Http protocol with port 7654 in the same server). Everything works well in Safari and Firefox, but Chrome throws an error.
Chrome Error: net::ERR_CERT_AUTHORITY_INVALID
Below is my nginx.conf file. BTW, it also works fine when I use IP address instead of domain name in Chrome. How can I fix this problem?
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name mydomain.name.lan;
root /usr/share/nginx/html;
ssl_certificate "/etc/pki/tls/certs/crt.crt";
ssl_certificate_key "/etc/pki/tls/private/key.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
try_files $uri $uri/ /index.html;
}
location /app/v1/ {
proxy_pass http://localhost:7654;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
i can give you an example of working config, which works for all browsers (currently latest releases) which we use at company. TLDR story behind, we have docker swarm deployment, but we have entry point Nginx which runs on host, and has another Nginx inside container which then redirects trafic to specific API gateways and so on..
We are gonna focus on that first level Nginx (which is on host), which actually does all SSL checks and so on .. we use http inside docker (between pods & containers)..
Working example for linux:
server_tokens off;
server {
listen 443 http2 ssl;
server_name development.docker.company.si;
add_header Strict-Transport-Security "max-age=31536000" always;
proxy_buffering off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
set $upstream_local_docker_proxy 10.10.0.2; #static location of inner nginx
ssl_certificate /etc/tls/si.company.docker.development-chain.crt;
ssl_certificate_key /etc/tls/si.company.docker.development-unencrypted.key;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
#here we just have /url-location-level-routing/ , in case you want to know
location /my-application-demo/ {
proxy_pass http://$upstream_local_docker_proxy;
proxy_set_header Host local.docker.company-my-application-demo;
rewrite ^/my-application-demo/(.*) /$1 break;
}
}
For a specific case you have, i have a windows config, all u need to do is change windows path of certs to linux and it should work:
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
upstream local-company1-api {
server localhost:5000;
}
server {
listen 443 http2 ssl;
server_name company1.company.si;
add_header Strict-Transport-Security "max-age=31536000" always;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
ssl_certificate C:\\tls\\si.company.company1-chain.pem;
ssl_certificate_key C:\\tls\\si.company.company1-unencrypted.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
# ----------------------------------------------------------------------------------------------------
location / {
proxy_pass http://local-company1-api/;
proxy_redirect off;
}
}
}
I hope any of this helps.
I am running an app on a digital ocean server using ubuntu 14.04 and nginx. My app runs via gunicorn. I would like to redirect http request directly to https.
I tried
server {
# Running port
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
and it works on safari. But it does not work on Chrome or Firefox? Any idea what I do wrong?
I attached the entire nginx.conf file below
worker_processes 1;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
sendfile on;
gzip on;
gzip_http_version 1.1;
gzip_comp_level 5;
gzip_proxied any;
gzip_min_length 256;
gzip_vary on;
# Configuration containing list of application servers
upstream app_servers {
server 127.0.0.1:8080;
}
# Configuration for Nginx
server {
# Running port
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
# Settings to serve static files
location /static/ {
# Example:
# root /full/path/to/application/static/file/dir;
root /var/www/example/app/;
location ~* \.(jpg|woff|jpeg|png|gif|ico|css)$ {
expires 30d;
}
location ~* \.(js)$ {
expires 1d;
}
# we do not cache html, xml or json
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires -1;
# access_log logs/static.log; # I don't usually include a static log
}
location ~* \.(pdf)$ {
expires 30d;
}
}
# Serve a static file (ex. favico)
# outside /static directory
location = /favico.ico {
root /app/favico.ico;
gzip_static on;
}
}
server {
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Proxy connections to the application servers
# app_servers
location / {
proxy_connect_timeout 300s;
proxy_read_timeout 300s;
proxy_pass http://app_servers;
proxy_redirect off;
#Â proxy_redirect http:// https://;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
First of all you should not serve anything on http. Everything should be on https, even favico.ico
worker_processes 1;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
sendfile on;
gzip on;
gzip_http_version 1.1;
gzip_comp_level 5;
gzip_proxied any;
gzip_min_length 256;
gzip_vary on;
# Configuration containing list of application servers
upstream app_servers {
server 127.0.0.1:8080;
}
# Configuration for Nginx
server {
# Running port
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Settings to serve static files
location /static/ {
# Example:
# root /full/path/to/application/static/file/dir;
root /var/www/example/app/;
location ~* \.(jpg|woff|jpeg|png|gif|ico|css)$ {
expires 30d;
}
location ~* \.(js)$ {
expires 1d;
}
# we do not cache html, xml or json
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires -1;
# access_log logs/static.log; # I don't usually include a static log
}
location ~* \.(pdf)$ {
expires 30d;
}
}
# Serve a static file (ex. favico)
# outside /static directory
location = /favico.ico {
root /app/favico.ico;
gzip_static on;
}
# Proxy connections to the application servers
# app_servers
location / {
proxy_connect_timeout 300s;
proxy_read_timeout 300s;
proxy_pass http://app_servers;
proxy_redirect off;
# proxy_redirect http:// https://;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
Next when you test in chrome or any other browser, make sure to open a Private or a Incognito window.
I have an ASP.NET Core site running behind an NGINX reverse-proxy on Linux. I'm running into an issue where if I do a file request through the proxy with a query string attached (i.e. for cache-busting), I'm getting 404 errors, but if I request the exact same URL directly from the application (not through NGINX), it works fine, and if I drop the query string, it also works fine.
Examples below (the NGINX proxy is listening on port 5000 and the application is listening on port 5002)...
If I use a url like:
http://host-name:5000/path/file.json
I get the result back correctly, and this is what appears on the application's console output:
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET http://host-name:5000/path/file.json
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://host-name:5000/path/file.json
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/path/file.json'. Physical path: '/home/coreuser/debug/wwwroot/path/file.json'
Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware:Information: Sending file. Request path: '/path/file.json'. Physical path: '/home/coreuser/debug/wwwroot/path/file.json'
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 400.9508ms 200 application/json
If I use a url like:
http://host-name:5002/path/file.json
I get the result back correctly, and this is what appears on the application's console output:
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET http://host-name:5002/path/file.json
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://host-name:5002/path/file.json
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/path/file.json'. Physical path: '/home/coreuser/debug/wwwroot/path/file.json'
Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware:Information: Sending file. Request path: '/path/file.json'. Physical path: '/home/coreuser/debug/wwwroot/path/file.json'
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 28.2031ms 200 application/json
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request finished in 28.2031ms 200 application/json
If I use a url like:
http://host-name:5002/path/file.json?_dc=1020
I get the result back correctly, and this is what appears on the application's console output:
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET http://host-name:5002/path/bootstrap.json?_dc=1020
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://host-name:5002/path/bootstrap.json?_dc=1020
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware[2]
Sending file. Request path: '/path/file.json'. Physical path: '/home/coreuser/debug/wwwroot/path/file.json'
Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware:Information: Sending file. Request path: '/path/file.json'. Physical path: '/home/coreuser/debug/wwwroot/path/file.json'
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 146.8157ms 200 application/json
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request finished in 146.8157ms 200 application/json
If I use a url like:
http://host-name:5000/path/file.json?_dc=1020
I get a 404 error, and this is what appears on the application's console output:
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET http://host-name:5000/path/file.json?_dc=1020
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://host-name:5000/path/file.json?_dc=1020
[40m[32minfo[39m[22m[49m: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 379.4175ms 404
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request finished in 379.4175ms 404
Now, I'm not clear on whether this is an issue with NGINX messing with what it is forwarding to the ASP.NET Core application, or it isn't just an issue with the ASP.NET Core application (and/or Kestrel) getting thrown off by the combination of query string and the proxy's port number showing up on the request.
The relevant part of the NGINX configuration looks like this:
server {
server_name host-name;
listen 5000 default_server;
listen [::]:5000 default_server;
location / {
proxy_pass http://localhost:5002;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Path $request_uri;
}
}
Any ideas?
EDIT:
I've since modified my server block to look like this:
server {
server_name host-name;
listen 5000 default_server;
listen [::]:5000 default_server;
root /var/www/path-to-debug/wwwroot;
location / {
if ($query_string ~ "^(.*)_dc=(.*)$") {
rewrite ^(.*)$ $uri?;
}
try_files $uri #proxy;
}
location #proxy {
proxy_pass http://localhost:5002;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Path $request_uri;
}
}
Now that specific file is being fetched properly (bypassing Kestrel completely), but that seems to be messing with one of my controller calls that also has the _dc=XXXX attached.
I've gotten this part to work by modifying my server proxy block as below...it feels like a hack to me, but I haven't found a better solution yet. I also still have other issues, but will post separate questions for those if/when I can't figure them out.
server {
server_name host-name;
listen 5000 default_server;
listen [::]:5000 default_server;
root /var/www/path-to-debug/wwwroot;
location / {
if ($query_string ~ "^(.*)_dc=(.*)$") {
rewrite ^(.*)$ $uri?;
}
try_files $uri #proxy;
}
location #proxy {
proxy_pass http://localhost:5002;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Path $uri;
}
}
I have changed my site to https,but I used the cdn of static files in the code. it can't work and the chrome console show the errors like this:
Mixed Content: The page at 'https://a.example.com/static/' was loaded over HTTPS, but requested an insecure stylesheet 'http://cdn.bootcss.com/bootstrap/3.3.5/css/bootstrap.min.css'. This request has been blocked; the content must be served over HTTPS.
I have add the add_header Content-Security-Policy upgrade-insecure-requests; in the nginx configuration file like this:
server {
listen 80;
listen 443;
server_name a.example.com;
add_header Content-Security-Policy upgrade-insecure-requests;
if ($scheme != "https") {
return 301 https://$server_name$request_uri;
#rewrite ^ https://$server_name$request_uri? permanent;
}
ssl on;
ssl_certificate /etc/nginx/ssl/example.crt;
ssl_certificate_key /etc/nginx/ssl/example.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
gzip on;
gzip_proxied any;
gzip_types text/plain application/xml application/json;
client_max_body_size 8M;
access_log /var/log/nginx/example.log;
location / {
proxy_pass http://10.10.10.110:5000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
}
location ^~ /static/ {
proxy_pass http://10.10.10.110:8888;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
#proxy_set_header Content-Security-Policy upgrade-insecure-requests;
}
}
but it does't work yet! Can someone tell me how to fix this? thx :)
Be aware that upgrade-insecure-requests is not supported in all browsers, e.g. Safari and IE.
I recommend that you just replace the HTTP requests in your code. You can use // to load it relative to the protocol it is called from as per:
//cdn.bootcss.com/bootstrap/3.3.5/css/bootstrap.min.css
That means that if you are opening the web application from an HTTPS context, it will load it using the HTTPS protocol, otherwise it will use HTTP.
I have an application with both dynamic and static content. I use nginx as a front end for this app. When dynamic content is requested, the request is forwarded to an unix socket (to a node.js app), this part works well. I have added a "location" directive to serve the static content but this part does not work, I get the 404 error each time despite the fact the folder "/home/test/my_app/static" does exist.
This is the nginx conf I have:
upstream test_sock {
server unix:/tmp/test.sock
fail_timeout=0;
}
server {
listen 15000;
client_max_body_size 4G;
server_name localhost domain.com;
keepalive_timeout 5;
location ~ /static/ {
if (!-f $request_filename) {
return 404;
}
if (-f $request_filename) {
root /home/test/my_app/static;
expires 30d;
}
}
location / {
proxy_pass http://test_sock;
proxy_redirect off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
}
}
Any idea ?
hmmm... ok, silly thing, I was missing the root directive before the locations ones...