top

Setting caching headers for a SPA in NGINX cache

When your frontend app is a SPA, all the assets get loaded into the browser and routing happens within the browser unlike a SSR app or conventional/legacy web apps where every page is spat out by the server. If caching is misconfigured or not configured, you will have a horrifying time during deployments.Muscle memories of your developers will make them hit hard refresh when they hear the word “Code Deployed” but your customers will rant and rave when their web page gets mangled in the middle of something important because of your deployment.Having read on the internet before “Browsers and Web servers have been configured by default handle basic caching” made me procrastinate my learning on caching until one day. It started annoying QA and started killing developer’s productivity. That day I told myself “You are not gonna sleep tonight!”Here is a guide to caching headers for SPA in Nginx.How to Cache headers for SPA on Nginx?Primary RequirementThe configuration which I’m going to explain wil+l work only if your SPA uses webpack or any other bundler which can be configured to append random characters to file names in the final distribution folder on every build (revving). This is quite a standard practice in modern web development. I’m pretty sure it will be happening in your system without your knowledge.Checkout Revved resources section at https://developer.mozilla.org/en-US/docs/Web/HTTP/CachingStatus Quo2 WebApps segregated by NGINX locations pathsAWS ELB is sitting in front of the NGINX Web ServerAWS CloudFront is sitting in front of AWS ELB. (Actual caching is done here)NGINX is sending out last-modified and etag headers.I have some faint idea on how caching works.Configure caching in NGINXThe headers which we are going to need are cache-control, etag and vary. vary is added by NGINX by default, so we don’t have to worry about it. We need to add the other two headers in our configs at the right place to get caching working.We have to configure the following things:disable caching for index.html ( Every time browser will ask for a fresh copy of index.html)Enable caching for static assets (CSS, JS, fonts, images) and set the expiry as long as you need ( eg: 1year).1. Let's disable caching for index.html My current config.location /app1 {   alias /home/ubuntu/app1/;   try_files $uri $uri/ /index.html; } After disabling caching.location /app1{    alias /home/ubuntu/app1/;    try_files $uri $uri/ /index.html;    add_header Cache-Control "no-store, no-cache, must-revalidate"; }How this will work?When I hit /app1 from my browser NGINX will serve the index.html from /home/ubuntu/app1 directory to my browser, at the same time it will also execute the add_header directive which will add the Cache-Control "no-store, no-cache, must-revalidate"; to the response header. The header conveys the following instructions to my browserno-store: don’t cache/store any of the response in the browser.no-cache: ask every-time(every request) with the server “Can I show the cached content I have to the user?”must-revalidate: once the cache expires don’t serve the stale resource. ask the server and revalidate.The combination of these three values will disable caching for the response which is received from the server.2. Let's enable caching for static assetsMy current config.#for app1 static files location /app1/static {    alias /home/ubuntu/app1/static/; }After enabling caching.#for app1 static files location /app1/static {    alias /home/ubuntu/app1/static/;    expires 1y;    add_header Cache-Control "public";    access_log off; }How to implement cache headers with Nginx?We enable aggressive caching for static files by setting Cache-Control to "public" and set expires header to 1y. We do this because our frontend build system generates new file names (revving) for the static assets every time we build and new file names invalidate the cache when browsers request it. These static files are referred in index.html which we have disabled caching completely. I disable access logs for static assets as it adds noise to my logs.That's it! This must set up the Nginx caching headers for SPA to create a beautiful app.NGINX add-header GotchaWe usually add the headers which we want to be common for all the location blocks in the server block of the config. But beware that these headers will not get applied when you add any header inside a location block.http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_headerThere could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.server {   # X-Frame-Options is to prevent from clickJacking attack   add_header X-Frame-Options SAMEORIGIN;   # disable content-type sniffing on some browsers.   add_header X-Content-Type-Options nosniff;   # This header enables the Cross-site scripting (XSS) filter   add_header X-XSS-Protection "1; mode=block";   # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack   add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";   add_header Referrer-Policy "no-referrer-when-downgrade";   location /app1 {       alias /home/ubuntu/app1/;       try_files $uri $uri/ /index.html;        add_header Cache-Control "no-store, no-cache, must-revalidate";      } In the above example the security headers in the beginning will not be applied to /app1 block. Make sure you either duplicate it or have it written in a separate .conf file and import it in every location block.BonusEnabling CORS for fonts when serving through a different CDN domain.location /app1/static/fonts {    alias /home/ubuntu/app1/static/fonts/;    add_header “Access-Control-Allow-Origin” *;        expires 1y;    add_header Cache-Control “public”; } Adding the Access-Control-Allow-Origin header will instruct the browsers to allow loading fonts from a different sub-domain. Note that I also enabled aggressive caching for fonts too.Adding vary by gzip# Enables response header of "Vary: Accept-Encoding" gzip_vary on; This will add Vary: Accept-Encoding header to the publicly cacheable, compressible resources and makes sure that the browser will get the correct encoded cached response.NGINX HTTP to HTTPS Redirection# Get the actual IP of the client through load balancer in the logs real_ip_header     X-Forwarded-For; set_real_ip_from   0.0.0.0/0; if ($http_x_forwarded_proto = 'http') {   return 301 https://$host$request_uri; } Add the above in your server block and open port 80 along with 443 in your AWS ELB. This redirect http to https and also log the actual client IP n your logs.Putting all the above things together, this how the final config would look like.server {     server_name www.my-site.com     listen       80;         # Get the actual IP of the client through load balancer in the logs     real_ip_header     X-Forwarded-For;     set_real_ip_from   0.0.0.0/0;         # redirect if someone tries to open in http     if ($http_x_forwarded_proto = 'http') {       return 301 https://$host$request_uri;     }     # X-Frame-Options is to prevent from clickJacking attack     add_header X-Frame-Options SAMEORIGIN;         # disable content-type sniffing on some browsers.     add_header X-Content-Type-Options nosniff;         # This header enables the Cross-site scripting (XSS) filter     add_header X-XSS-Protection "1; mode=block";         # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack     add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";         add_header Referrer-Policy "no-referrer-when-downgrade";         # Enables response header of "Vary: Accept-Encoding"     gzip_vary on;         location /app1 {         alias /home/ubuntu/app1/;         try_files $uri $uri/ /index.html;         add_header Cache-Control "no-store, no-cache, must-revalidate";         }         #for app1 static files     location /app1/static {         alias /home/ubuntu/app1/static/;         expires 1y;         add_header Cache-Control "public";         access_log off;      }           #for app1 fonts     location /app1/static/fonts {         alias /home/ubuntu/app1/static/fonts/;         add_header "Access-Control-Allow-Origin" *;             expires 1y;         add_header Cache-Control "public";     } }                                                                                       Final config snippet.
Rated 4.5/5 based on 111 customer reviews
  1. Home
  2. Magazine
  3. Setting caching headers for a SPA in NGINX cache
Normal Mode Dark Mode

Setting caching headers for a SPA in NGINX cache

Pratheek Hegde
Blog
16th Oct, 2018
Setting caching headers for a SPA in NGINX cache

When your frontend app is a SPA, all the assets get loaded into the browser and routing happens within the browser unlike a SSR app or conventional/legacy web apps where every page is spat out by the server. If caching is misconfigured or not configured, you will have a horrifying time during deployments.

Muscle memories of your developers will make them hit hard refresh when they hear the word “Code Deployed” but your customers will rant and rave when their web page gets mangled in the middle of something important because of your deployment.

Having read on the internet before “Browsers and Web servers have been configured by default handle basic caching” made me procrastinate my learning on caching until one day. It started annoying QA and started killing developer’s productivity. That day I told myself “You are not gonna sleep tonight!

Here is a guide to caching headers for SPA in Nginx.

How to Cache headers for SPA on Nginx?

Primary Requirement

The configuration which I’m going to explain wil+l work only if your SPA uses webpack or any other bundler which can be configured to append random characters to file names in the final distribution folder on every build (revving). This is quite a standard practice in modern web development. I’m pretty sure it will be happening in your system without your knowledge.

Checkout Revved resources section at 

https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching

Status Quo

  • 2 WebApps segregated by NGINX locations paths
  • AWS ELB is sitting in front of the NGINX Web Server
  • AWS CloudFront is sitting in front of AWS ELB. (Actual caching is done here)
  • NGINX is sending out last-modified and etag headers.
  • I have some faint idea on how caching works.


Configure caching in NGINX

The headers which we are going to need are cache-control, etag and vary. vary is added by NGINX by default, so we don’t have to worry about it. We need to add the other two headers in our configs at the right place to get caching working.

We have to configure the following things:

  1. disable caching for index.html ( Every time browser will ask for a fresh copy of index.html)
  2. Enable caching for static assets (CSS, JS, fonts, images) and set the expiry as long as you need ( eg: 1year).


1. Let's disable caching for index.html 

My current config.

location /app1 {
  alias /home/ubuntu/app1/;
  try_files $uri $uri/ /index.html;
}

After disabling caching.

location /app1{
   alias /home/ubuntu/app1/;
   try_files $uri $uri/ /index.html;
   add_header Cache-Control "no-store, no-cache, must-revalidate";
}


How this will work?

When I hit /app1 from my browser NGINX will serve the index.html from /home/ubuntu/app1 directory to my browser, at the same time it will also execute the add_header directive which will add the Cache-Control "no-store, no-cache, must-revalidate"; to the response header. The header conveys the following instructions to my browser

  • no-store: don’t cache/store any of the response in the browser.
  • no-cache: ask every-time(every request) with the server “Can I show the cached content I have to the user?”
  • must-revalidate: once the cache expires don’t serve the stale resource. ask the server and revalidate.

The combination of these three values will disable caching for the response which is received from the server.


2. Let's enable caching for static assets

My current config.

#for app1 static files
location /app1/static {
   alias /home/ubuntu/app1/static/;
}

After enabling caching.

#for app1 static files
location /app1/static {
   alias /home/ubuntu/app1/static/;
   expires 1y;
   add_header Cache-Control "public";
   access_log off;
}


How to implement cache headers with Nginx?

We enable aggressive caching for static files by setting Cache-Control to "public" and set expires header to 1y. We do this because our frontend build system generates new file names (revving) for the static assets every time we build and new file names invalidate the cache when browsers request it. These static files are referred in index.html which we have disabled caching completely. I disable access logs for static assets as it adds noise to my logs.

That's it! This must set up the Nginx caching headers for SPA to create a beautiful app.

NGINX add-header Gotcha

We usually add the headers which we want to be common for all the location blocks in the server block of the config. But beware that these headers will not get applied when you add any header inside a location block.

http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header

There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.


server {
  # X-Frame-Options is to prevent from clickJacking attack
  add_header X-Frame-Options SAMEORIGIN;
  # disable content-type sniffing on some browsers.
  add_header X-Content-Type-Options nosniff;
  # This header enables the Cross-site scripting (XSS) filter
  add_header X-XSS-Protection "1; mode=block";
  # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  add_header Referrer-Policy "no-referrer-when-downgrade";
  location /app1 {
      alias /home/ubuntu/app1/;
      try_files $uri $uri/ /index.html;
       add_header Cache-Control "no-store, no-cache, must-revalidate";   
  }

In the above example the security headers in the beginning will not be applied to /app1 block. Make sure you either duplicate it or have it written in a separate .conf file and import it in every location block.


Bonus

  1. Enabling CORS for fonts when serving through a different CDN domain.

location /app1/static/fonts {
   alias /home/ubuntu/app1/static/fonts/;
   add_header “Access-Control-Allow-Origin” *;    
   expires 1y;
   add_header Cache-Control “public”;
}

Adding the Access-Control-Allow-Origin header will instruct the browsers to allow loading fonts from a different sub-domain. Note that I also enabled aggressive caching for fonts too.

  1. Adding vary by gzip

# Enables response header of "Vary: Accept-Encoding"
gzip_vary on;

This will add Vary: Accept-Encoding header to the publicly cacheable, compressible resources and makes sure that the browser will get the correct encoded cached response.

  1. NGINX HTTP to HTTPS Redirection

# Get the actual IP of the client through load balancer in the logs
real_ip_header     X-Forwarded-For;
set_real_ip_from   0.0.0.0/0;
if ($http_x_forwarded_proto = 'http') {
  return 301 https://$host$request_uri;
}

Add the above in your server block and open port 80 along with 443 in your AWS ELB. This redirect http to https and also log the actual client IP n your logs.

Putting all the above things together, this how the final config would look like.

server {

    server_name www.my-site.com
    listen       80;
   
    # Get the actual IP of the client through load balancer in the logs
    real_ip_header     X-Forwarded-For;
    set_real_ip_from   0.0.0.0/0;
   
    # redirect if someone tries to open in http
    if ($http_x_forwarded_proto = 'http') {
      return 301 https://$host$request_uri;
    }

    # X-Frame-Options is to prevent from clickJacking attack
    add_header X-Frame-Options SAMEORIGIN;
   
    # disable content-type sniffing on some browsers.
    add_header X-Content-Type-Options nosniff;
   
    # This header enables the Cross-site scripting (XSS) filter
    add_header X-XSS-Protection "1; mode=block";
   
    # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
   
    add_header Referrer-Policy "no-referrer-when-downgrade";
   
    # Enables response header of "Vary: Accept-Encoding"
    gzip_vary on;
   
    location /app1 {
        alias /home/ubuntu/app1/;
        try_files $uri $uri/ /index.html;
        add_header Cache-Control "no-store, no-cache, must-revalidate";    
    }
   
    #for app1 static files
    location /app1/static {
        alias /home/ubuntu/app1/static/;
        expires 1y;
        add_header Cache-Control "public";
        access_log off;
     }
     
    #for app1 fonts
    location /app1/static/fonts {
        alias /home/ubuntu/app1/static/fonts/;
        add_header "Access-Control-Allow-Origin" *;    
        expires 1y;
        add_header Cache-Control "public";
    }
} 

                                                                                     Final config snippet.

Pratheek

Pratheek Hegde

Blog author

Pratheek is passionate about programming. He is currently building small and large scale applications using Javascript and Node.js . His dream is to improve the web platform and bring everyone onto it. Currently he is a Frontend and Infrastructure developer at Cyware Labs.


Website : https://iam.pratheekheg.de

Leave a Reply

Your email address will not be published. Required fields are marked *

Top comments

name

Anfal

16 November 2018 at 4:01pm
Nice post. I used to be checking continuously this weblog and I'm inspired

SUBSCRIBE OUR BLOG

TRENDING BLOG POSTS

Python in a Nutshell: Everything That You Need to Know

Python is one of the best known high-level programming languages in the world, like Java. It’s steadily gaining traction among programmers because it’s easy to integrate with other technologies and offers more stability and higher coding productivity, especially when it comes to mass projects with volatile requirements. If you’re considering learning an object-oriented programming language, consider starting with Python.A Brief Background On Python It was first created in 1991 by Guido Van Rossum, who eventually wants Python to be as understandable and clear as English. It’s open source, so anyone can contribute to, and learn from it. Aside from supporting object-oriented programming and imperative and functional programming, it also made a strong case for readable code. Python is hence, a multi-paradigm high-level programming language that is also structure supportive and offers meta-programming and logic-programming as well as ‘magic methods’.More Features Of PythonReadability is a key factor in Python, limiting code blocks by using white space instead, for a clearer, less crowded appearancePython uses white space to communicate the beginning and end of blocks of code, as well as ‘duck typing’ or strong typingPrograms are small and run quickerPython requires less code to create a program but is slow in executionRelative to Java, it’s easier to read and understand. It’s also more user-friendly and has a more intuitive coding styleIt compiles native bytecodeWhat It’s Used For, And By WhomUnsurprisingly, Python is now one of the top five most popular programming languages in the world. It’s helping professionals solve an array of technical, as well as business problems. For example, every day in the USA, over 36,000 weather forecasts are issued in more than 800 regions and cities. These forecasts are put in a database, compared to actual conditions encountered location-wise, and the results are then tabulated to improve the forecast models, the next time around. The programming language allowing them to collect, analyze, and report this data? Python!40% of data scientists in a survey taken by industry analyst O’Reilly in 2013, reported using Python in their day-to-day workCompanies like Google, NASA, and CERN use Python for a gamut of programming purposes, including data scienceIt’s also used by Wikipedia, Google, and Yahoo!, among many othersYouTube, Instagram, Quora, and Dropbox are among the many apps we use every day, that use PythonPython has been used by digital special effects house ILM, who has worked on the Star Wars and Marvel filmsIt’s often used as a ‘scripting language’ for web apps and can automate a specific progression of tasks, making it more efficient. That’s why it is used in the development of software applications, web pages, operating systems shells, and games. It’s also used in scientific and mathematical computing, as well as AI projects, 3D modelers and animation packages.Is Python For You? Programming students find it relatively easy to pick up Python. It has an ever-expanding list of applications and is one of the hottest languages in the ICT world. Its functions can be executed with simpler commands and much less text than most other programming languages. That could explain its popularity amongst developers and coding students.If you’re a professional or a student who wants to pursue a career in programming, web or app development, then you will definitely benefit from a Python training course. It would help if you have prior knowledge of basic programming concepts and object-oriented concepts. To help you understand how to approach Python better, let’s break up the learning process into three modules:Elementary PythonThis is where you’ll learn syntax, keywords, loops data types, classes, exception handling, and functions.Advanced PythonIn Advanced Python, you’ll learn multi-threading, database programming (MySQL/ MongoDB), synchronization techniques and socket programming.Professional PythonProfessional Python involves knowing concepts like image processing, data analytics and the requisite libraries and packages, all of which are highly sophisticated and valued technologies.With a firm resolve and determination, you can definitely get certified with Python course!Some Tips To Keep In Mind While Learning PythonFocus on grasping the fundamentals, such as object-oriented programming, variables, and control flow structuresLearn to unit test Python applications and try out its strong integration and text processing capabilitiesPractice using Python’s object-oriented design and extensive support libraries and community to deliver projects and packages. Assignments aren’t necessarily restricted to the four-function calendar and check balancing programs. By using the Python library, programming students can work on realistic applications as they learn the fundamentals of coding and code reuse.
Rated 4.5/5 based on 12 customer reviews
Python in a Nutshell: Everything That You Need to Know

Python in a Nutshell: Everything That You Need to Know

Blog

The Ultimate Guide to Node.Js

IT professionals have always been in much demand, but with a Node.js course under your belt, you will be more sought after than the average developer. In fact, recruiters look at Node js as a major recruitment criterion these days.  Why are Node.js developers so sought-after, you may ask. It is because Node.js requires much less development time and fewer servers, and provides unparalleled scalability.In fact, LinkedIn uses it as it has substantially decreased the development time. Netflix uses it because Node.js has improved the application’s load time by 70%. Even PayPal, IBM, eBay, Microsoft, and Uber use it. These days, a lot of start-ups, too, have jumped on the bandwagon in including Node.js as part of their technology stack.The Course In BriefWith a Nodejs course, you learn beyond creating a simple HTML page, learn how to create a full-fledged web application, set up a web server, and interact with a database and much more, so much so that you can become a full stack developer in the shortest possible time and draw a handsome salary. The course of Node.js would provide you a much-needed jumpstart for your career.Node js: What is it?Developed by Ryan Dahl in 2009, Node.js is an open source and a cross-platform runtime environment that can be used for developing server-side and networking applications.Built on Chrome's JavaScript runtime (V8 JavaScript engine) for easy building of fast and scalable network applications, Node.js uses an event-driven, non-blocking I/O model, making it lightweight and efficient, as well as well-suited for data-intensive real-time applications that run across distributed devices.Node.js applications are written in JavaScript and can be run within the Node.js runtime on different platforms – Mac OS X, Microsoft Windows, Unix, and Linux.What Makes Node js so Great?I/O is Asynchronous and Event-Driven: APIs of Node.js library are all asynchronous, i.e., non-blocking. It simply means that unlike PHP or ASP, a Node.js-based server never waits for an API to return data. The server moves on to the next API after calling it. The Node.js has a notification mechanism (Event mechanism) that helps the server get a response from the previous API call.Superfast: Owing to the above reason as well as the fact that it is built on Google Chrome's V8 JavaScript Engine, Node JavaScript library is very fast in code execution.Single Threaded yet Highly Scalable: Node.js uses a single threaded model with event looping, in which the same program can ensure service to a much larger number of requests than the usual servers like Apache HTTP Server. Its Event mechanism helps the server to respond promptly in a non-blocking way, eliminating the waiting time. This makes the server highly scalable, unlike traditional servers that create limited threads to handle requests.No buffering: Node substantially reduces the total processing time of uploading audio and video files. Its applications never buffer any data; instead, they output the data in chunks.Open source: Node JavaScript has an open source community that has produced many excellent modules to add additional capabilities to Node.js applications.License: It was released under the MIT license.Eligibility to attend Node js CourseThe basic eligibility for pursuing Node training is a Bachelors in Computer Science, Bachelors of Technology in Computer Science and Engineering or an equivalent course.As prerequisites, you would require intermediate JavaScript skills and the basics of server-side development.CertificationThere are quite a few certification courses in Node Js. But first, ask yourself:Do you wish to launch your own Node applications or work as a Node developer?Do you want to learn modern server-side web development and apply it on apps /APIs?Do you want to use Node.js to create robust and scalable back-end applications?Do you aspire to build a career in back-end web application development?If you do, you’ve come to the right place!Course CurriculumA course in Node JavaScript surely includes theoretical lessons; but prominence is given to case studies, practical classes, including projects.  A good certification course would ideally train you to work with shrink-wrap to lock the node modules, build a HTTP Server with Node JS using HTTP APIs, as well as about important concepts of Node js like asynchronous programming, file systems, buffers, streams, events, socket.io, chat apps, and also Express.js, which is a flexible, yet powerful web application framework.Have You Decided Yet? Now that you know everything there is to know about why you should pursue a Node js course and a bit about the course itself, it is time for you to decide whether you are ready to embark on a journey full of exciting technological advancements and power to create fast, scalable and lightweight network applications.
Rated 4.5/5 based on 6 customer reviews
The Ultimate Guide to Node.Js

The Ultimate Guide to Node.Js

Blog

MIT’s new automated ML runs 100x faster than human Data Scientists

According to Michigan State University and MIT, automated machine learning system analyses the data and deliver a solution 100x faster than one human. The automated machine learning platform which is known as ATM (Auto Tune Models) uses cloud-based, on demand computing to accelerate data analysis. Researchers of MIT tested the system through open-ml.org, a collaborative crowdsourcing platform, on which data scientists collaborate to resolve problems. They found that ATM evaluated 47 datasets from the platform and the system was capable to deliver a solution that is better than humans. It took nearly 100 days for data scientists to deliver a solution, while it took less than a day for ATM to design a better-performing model. "There are so many options," said Ross, Franco Modigliani professor of financial economics at MIT, told MIT news. "If a data scientist chose support vector machines as a modeling technique, the question of whether she should have chosen a neural network to get better accuracy instead is always lingering in her mind." ATM searches via different techniques and tests thousands of models as well, analyses each, and offers more resources that solves the problem effectively. Then, the system exhibits its results to help researchers compare different methods. So, the system is not automating the human data scientists out of the process, Ross explained. "We hope that our system will free up experts to spend more time on data understanding, problem formulation and feature engineering," Kalyan Veeramachaneni, principal research scientist at MIT's Laboratory for Information and Decision Systems and co-author of the paper, told MIT News. Auto Tune Model is now made available for companies as an open source platform. It can operate on single machine, on-demand clusters, or local computing clusters in the cloud and can work with multiple users and multiple datasets simultaneously, MIT noted. "A small- to medium-sized data science team can set up and start producing models with just a few steps," Veeramachaneni told MIT News. Source: MIT Official Website  
Rated 4.0/5 based on 20 customer reviews
MIT’s new automated ML runs 100x faster than human Data Scientists

MIT’s new automated ML runs 100x faster than human Data Scientists

What's New

Follow Us On

Share on

other Blogs

20% Discount