Where to compress text files and filter access

Maxim Dounin mdounin at mdounin.ru
Fri Dec 30 00:16:57 UTC 2022


On Wed, Dec 28, 2022 at 11:05:01PM +0000, Mik J via nginx wrote:

> What is the best practice for these two situations:
> 1. Compress text files, should I make the compression on the 
> reverse proxy or on the backend server ?

In most cases, it makes sense to compress things on the frontend 

In particular, this is because of at least the following factors:

1) Frontend servers are usually not just reverse proxies, but also 
serve some static resources.  As such, compression is anyway needs 
to be configured on frontend servers.

2) Frontend servers often used with multiple different backends.  
Further, in some cases they are used to generate responses based 
on subrequests to different requests, such as with SSI.  This 
makes compression on frontend servers easier or even the only 
possible solution.

3) Frontend servers are often used to cache backend responses, and 
proper caching of compressed responses might be problematic and/or 
inefficient (in particular, because the only mechanism available 
is Vary).

Note well that by default nginx uses HTTP/1.0 when connecting to 
upstream servers, and this in turn will disable gzip with default 
settings.  This naturally results in compression being done on 
frontend servers when nginx with default settings is used both as 
a backend and a frontend.

In some cases, it might make sense to compress on the backend 
servers, for example, to ensure that CPU usage for compression is 
balanced among multiple backend servers, or to minimize traffic 
between frontends and backends.  These are mostly about specific 
configurations though.

> 2. Deny access to specific files for example, files starting 
> with a dot .file, should I write the rule on the reverse proxy 
> or on the backend server ?

I would recommend both.  In particular, rules on the backend 
server will ensure that the access is denied where the file 
resides, making things safe even if the frontend servers is 
somehow bypassed.  Rules on the frontend server ensure that 
requests are denied efficiently.

Maxim Dounin

More information about the nginx mailing list