Server setup for digilib

There are a variety of ways to deploy digilib on different server configurations for production sites.

Here are some examples and tips.

nginx as proxy

This is an example configuration for nginx as a proxy for a single instance of digilib (listening on port 8080) that handles transport encryption and restricts access to sensitive data to the gateway of a local network (1.2.3.4).

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name digilib.example.org;

    # this certificate chain shall *not* include the root certificate:
    ssl_certificate /etc/ssl/certs/digilib.example.org.pem;
    ssl_certificate_key /etc/ssl/private/digilib.example.org.key;

    include /etc/nginx/proxy_params;

    location ~* .*/(dlConfig|dlRequest).jsp$ {
        allow 1.2.3.4;
        deny all;
        proxy_pass http://localhost:8080;
    }

    location / {
        proxy_pass http://localhost:8080;
    }
}

Please check the nginx documentation.

Apache as proxy and load-balancer

This is an example configuration for Apache as a proxy and load balancer for two instances of digilib (one running on localhost, port 8080 and another on otherserver, port 8080), using SSL and http/2:

<VirtualHost *:443>
    # HTTP/2 protocol (Apache 2.4.29 and later)
    Protocols h2 http/1.1
    ServerName digilib.example.com
    SSLCertificateFile /etc/ssl/private/digilib-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/digilib-key.pem
    SSLEngine on

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/digilib-ssl-error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/digilib-ssl-access.log combined

    # do not forward-proxy!
    ProxyRequests off
    # set proxy headers
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    # digilib instances 
    <Proxy balancer://digilibs>
       BalancerMember http://127.0.0.1:8080
       BalancerMember http://otherserver.example.com:8080
    </Proxy>
    # balance by busy-ness
    ProxyPass /digitallibrary balancer://digilibs/digitallibrary lbmethod=bybusyness
    ProxyPassReverse /digitallibrary balancer://digilibs/digitallibrary

    # balancer-manager frontend (be careful!)
    <Location /balancer-manager>
        SetHandler balancer-manager
        Require host localhost
    </Location>
</VirtualHost>

Jetty behind a proxy

When you are using Jetty as servlet container behind an Apache or nginx proxy then you should make sure that Jetty processes the X-Forwarded-* headers from the proxy server to derive the correct request URL for the servlets.

Please see this information for Jetty 9.4 or this information for Jetty 8 and earlier versions.

Tomcat behind a proxy

When you are using Tomcat as a servlet container behind an Apache or nginx proxy then you should make sure that Tomcat processes the X-Forwarded-* headers from the proxy server to derive the correct request URL for the servlets.

Please see the Tomcat documentation about the Remote IP Valve. You basically need to add the following XML tag with your proxy’s IP numbers to the Host tag of your server.xml file and make sure ProxyPreserveHost is set to on:

  <Valve className="org.apache.catalina.valves.RemoteIpValve"
    internalProxies="127\.0\.0\.1|123\.45\.67\.89"
    remoteIpHeader="x-forwarded-for" 
    proxiesHeader="x-forwarded-by" 
    protocolHeader="x-forwarded-proto" />