8 月 25 2015
調整 Apache HTTPD & Apache Tomcat & nginx 的 content cache & compression
前陣子調整了一些 Apache HTTPD & Tomcat & nginx 的 cache 機制與內容壓縮機制,稍微紀錄一下。
Apache HTTPD 的 cache:
<IfModule mod_expires.c> ExpiresActive On ExpiresByType image/gif "access plus 1 month" ExpiresByType image/jpeg "access plus 1 month" ExpiresByType image/png "access plus 1 month" ExpiresByType text/css "access plus 1 month" </IfModule>
Apache HTTPD 的壓縮:
<IfModule mod_deflate.c> DeflateCompressionLevel 9 AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-httpd-php AddOutputFilter DEFLATE js css </IfModule>
Apache Tomcat 的 cache(在 application 的 web.xml 做調整):
<filter>
<filter-name>ExpiresFilter</filter-name>
<filter-class>org.apache.catalina.filters.ExpiresFilter</filter-class>
<init-param>
<param-name>ExpiresByType image</param-name>
<param-value>access plus 1 month</param-value>
</init-param>
<init-param>
<param-name>ExpiresByType text/css</param-name>
<param-value>access plus 1 month</param-value>
</init-param>
<init-param>
<param-name>ExpiresByType application/javascript</param-name>
<param-value>access plus 1 month</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ExpiresFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>Apache Tomcat 的壓縮(在 conf/server.xml 做調整):
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
compression="on" compressableMimeType="text/html,text/xml,text/plain,text/css,application/javascript"
redirectPort="8443" />nginx 的 cache(在 server tag 內做調整):
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 1M;
}nginx 的壓縮(在 http tag 內做調整):
gzip_vary on;
gzip_proxied any;
gzip_comp_level 9;
gzip_buffers 8 32k;
gzip_http_version 1.0;
gzip_types text/plain text/css application/json
application/javascript application/x-javascript text/javascript
text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml;大概就調這些,其他多媒體檔案就看需求了…
9 月 2 2022
幫 Apache Tomcat 7/9 上 HTTPS
近日敝單位踩到 HSTS 的地雷,於是就著手解決問題…
先說地雷的引爆點: 新上線 example.com 這網站給了 “strict-transport-security: max-age=31536000; includeSubDomains” 這組 HTTP header,使得原本透過 Apache Tomcat 提供服務的 http://system.example.com.tw:8080/ 網頁瀏覽異常;因瀏覽器參照 HSTS 後,只把 “http://” 改為 “https://” ,瀏覽器不知道應該同步修改連接埠號(port 8080)。
因為這幾台伺服器的網頁服務僅使用 Apache Tomcat,沒有 Apache HTTPD、nginx 等其他軟體佔用 port 80 與 443,用 iptables 作 port redirection 就可以擺平,調整的方式會比較簡單。
需要作的事的大概就這些:
Apache Tomcat 7 的 server.xml 用這段(某些參數視狀況調整):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="200" SSLEnabled="true" SSLCertificateFile="/etc/letsencrypt/live/example.com/cert.pem" SSLCertificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem" SSLCACertificateFile="/etc/letsencrypt/live/example.com/chain.pem" />Apache Tomcat 9 的 server.xml 用這段(某些參數視狀況調整),支援 HTTP/2:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="200" SSLEnabled="true" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig> <Certificate certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem" certificateFile="/etc/letsencrypt/live/example.com/cert.pem" certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem" type="RSA" /> </SSLHostConfig> </Connector>iptables rules 增加以下這兩條:
By Joe Horn • WWW 0 • Tags: Apache Tomcat, HSTS, HTTP, HTTP Strict Transport Security, HTTPS