tickets #155002
closed
Webserver customization for security.opensuse.org
Added by cahu 6 months ago.
Updated 6 months ago.
Category:
(Other) Websites
Description
Hi,
thanks for setting up security.opensuse.org in ticket #152482, it is very helpful.
We were tinkering a bit with the page and we found two small issues that could be probably addressed by custom config options on the webserver side:
1) HTTP Caching
Currently new html content is not auto updated on the client side since the content is cached. Currently the Cache-Control header is set to max-age=86400
.
Would it be possible to reduce the max-age of Cache-Control for html to: Cache-Control: max-age=3600;
or even Cache-Control: max-age=no-cache,no-store;
on the webserver?
2) 404 page
Currently the 404 page is set to the default nginx 404 page. I think there is an option in nginx to direct it to the jekyll 404 page: https://security.opensuse.org/404.html
Would it be possible to add this 404 page to the webserver config?
I can also try to fiddle something into the opensuse heroes salt, but since i don't have a testing deployment, i thought it would be probably quicker to ask here :D
Thanks a lot :)
- Private changed from Yes to No
- Status changed from New to Workable
Hi Cathy,
the suggested changes sound good to me.
I'm not sure where max-age=86400
is coming from. I can reproduce it when querying security.opensuse.org from the internet, but internally all the nginx backends return 3600:
$ for i in $(seq 5 8); do curl -sIH 'Host: security.opensuse.org' narwal$i | grep ^Cache; done
Cache-Control: max-age=3600
Cache-Control: max-age=3600
Cache-Control: max-age=3600
Cache-Control: max-age=3600
Same result with GET instead of HEAD. The HAProxy configuration does not have Cache-Control defined anywhere. It seems something en route adds or increases the max-age value? Maybe someone else knows more.
For the error page, it seems like the Jekyll guide https://jekyllrb.com/tutorials/custom-404-page/#hosting-on-nginx-server pretty much matches the example from the nginx documentation, so it should be simple to implement. But I wonder if we want this for all our Jekyll pages or only security.o.o. It would be nice if our other static pages also provided a /404.html, currently it seems to not be the case.
You tested the wrong servers - security.o.o lives on jekyll.i.o.o (not narwal*) which indeed has that long TTL.
IMHO we should reduce the TTL for all jekyll pages (at least for text/html, not sure about other file/mime types) - it doesn't make sense to generate the pages hourly if we tell everybody that they are valid for a day ;-)
Right, I then realized this comes from the Jekyll and not from the static pages backend:
$ curl -sIH 'Host: security.opensuse.org' jekyll|grep ^Cache
Cache-Control: max-age=86400
Now, what makes this nginx server behave differently? They are equally managed by Salt as far as I can tell, both without the header being set explicitly.
But I agree, good to do it for all of them.
I found it:
# pillar/role/web_jekyll.sls
...
- map $sent_http_content_type $expires:
- text/css: 7d
- image/x-icon: 90d
- ~application/: 28d
- ~font/: 28d
- ~text/: 1d
- ~image/: 28d
...
I think setting ~text/
and ~image/
to 1h makes sense?
I think setting ~text/ and ~image/ to 1h makes sense?
Yes :-)
- Status changed from Workable to In Progress
- Assignee set to crameleon
- Status changed from In Progress to Resolved
Also available in: Atom
PDF