Where to compress text files and filter access

Mik J mikydevel at yahoo.fr
Sat Dec 31 16:34:33 UTC 2022


 Hello Maxim,Thank you for this detailed answer.I'll keep it in my personal notes.I wish you a good year for 2023

    Le vendredi 30 décembre 2022 à 01:17:11 UTC+1, Maxim Dounin <mdounin at mdounin.ru> a écrit :  
 
 Hello!

On Wed, Dec 28, 2022 at 11:05:01PM +0000, Mik J via nginx wrote:

> What is the best practice for these two situations:
> 1. Compress text files, should I make the compression on the 
> reverse proxy or on the backend server ?

In most cases, it makes sense to compress things on the frontend 
server.

In particular, this is because of at least the following factors:

1) Frontend servers are usually not just reverse proxies, but also 
serve some static resources.  As such, compression is anyway needs 
to be configured on frontend servers.

2) Frontend servers often used with multiple different backends.  
Further, in some cases they are used to generate responses based 
on subrequests to different requests, such as with SSI.  This 
makes compression on frontend servers easier or even the only 
possible solution.

3) Frontend servers are often used to cache backend responses, and 
proper caching of compressed responses might be problematic and/or 
inefficient (in particular, because the only mechanism available 
is Vary).

Note well that by default nginx uses HTTP/1.0 when connecting to 
upstream servers, and this in turn will disable gzip with default 
settings.  This naturally results in compression being done on 
frontend servers when nginx with default settings is used both as 
a backend and a frontend.

In some cases, it might make sense to compress on the backend 
servers, for example, to ensure that CPU usage for compression is 
balanced among multiple backend servers, or to minimize traffic 
between frontends and backends.  These are mostly about specific 
configurations though.

> 2. Deny access to specific files for example, files starting 
> with a dot .file, should I write the rule on the reverse proxy 
> or on the backend server ?

I would recommend both.  In particular, rules on the backend 
server will ensure that the access is denied where the file 
resides, making things safe even if the frontend servers is 
somehow bypassed.  Rules on the frontend server ensure that 
requests are denied efficiently.

-- 
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx at nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20221231/77d00a4d/attachment.htm>


More information about the nginx mailing list