Cranking Nginx to 11 - DPC 2012

Transcript

1. Helgi Þormar Þorbjörnsson DPC, Amsterdam, 8th of June, 2012 Cranking

   Nginx to 11

2. Co-founded Orchestra.io Work at EngineYard PEAR Developer From Iceland @h

   on Twitter Helgi

3. Nginx Just a web server?

4. ✓ Web Server ✓ Proxy ✓ Cache ✓ Mail Proxy

   ✓ And more! No! It’s so much more!

5. The journey to 11

6. Important for tweaking

7. Always run configtest before doing anything!

8. Reload (HUP Signal)

9. Reload (HUP Signal) ‣ Reloads config ‣ Starts up new

   workers ‣ Old workers stop listening ‣ Finish up any work they have

10. Upgrade (USR2 Signal)

11. Upgrade (USR2 Signal) ‣ Live upgrade of Nginx executable ‣

    Starts up a new Master ‣ Run in parallel ‣ Old Workers gracefully shutdown ‣ Old Master can be brought back

12. Location Blocks

13. Foundation of most things we will do

14. Most Common Block location / { try_files $uri $uri/ /index.php$is_args$args;

    }

15. location /helgi/is/awesome { return 202; }

16. Accepts Regex Done by adding ~ in front of the

    regular expression

17. Accepts Regex # deny access to all .dot-files location ~

    /\. { access_log off; log_not_found off; deny all; } # deny access to all backups location ~ ~$ { access_log off; log_not_found off; deny all; }

18. Error Pages

19. Basic Custom 404 error_page 404 /errors/404.html; Requires /errors/404.html to be

    in the document root

20. Basic Custom 404 root /var/www/public; error_page 404 /errors/404.html; location /errors/404.html

    { internal; root /var/www; }

21. Errors via PHP error_page 404 @four_oh_four; location @four_oh_four { if

    (!-f "/var/www/errors/404.php") { return 404; } include fastcgi_params; fastcgi_param SCRIPT_FILENAME /var/www/errors/404.php; fastcgi_pass web_workers; }

22. 50x and others error_page 500 501 502 503 504 @five_oh_ex;

    location @five_oh_ex { <Same as 404> } Most HTTP codes can be bunched together

23. Facebook

24. Official Solution error_page 405 =200 $uri;

25. My Hack error_page 405 =200 @four_oh_five; location @four_oh_five { if

    (!-f $request_filename) { return 404; } proxy_method GET; proxy_pass http://localhost:80; }

26. Health Checks

27. Nginx Check location = /health/ping { return 200; }

28. Nginx + FPM [healthcheck] listen = /var/run/php/healthcheck.sock user = www-data

    pm = static pm.max_children = 1 pm.max_requests = 10000 ping.path = /health/ping ping.response = "pong" PHP FPM Config

29. Nginx + FPM location = /health/ping { fastcgi_pass healthcheck; include

    fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } upstream healthcheck { server unix:/var/run/php/healthcheck.sock; } Nginx Config

30. Rewrite Module

31. Regex (PCRE)

32. Responsible for all if statements, file exists checks, returns and

    more. Can work with most Nginx variables such as http_cookie, user agent, uri and countless others.

33. last break redirect permanent Finish rewrite and evaluates all rewrites

    again Finish rewrite does no further rewrite processing Returns a 302 on the rewrite Returns a 301 on the rewrite

34. server { server_name www.helgi.ws; rewrite ^/(.*)$ helgi.ws/$1 permanent; } server

    { server_name www.helgi.ws; rewrite ^ helgi.ws$request_uri permanent; } Forward Domains How to send www.helgi.ws to helgi.ws

35. server { server_name www.helgi.ws; rewrite ^/(.*)$ helgi.ws/$1 permanent; } server

    { server_name www.helgi.ws; rewrite ^ helgi.ws$request_uri permanent; } Forward Domains How to send www.helgi.ws to helgi.ws

36. Forward Domains server { server_name www.helgi.ws; return 301 $scheme://helgi.ws$request_uri; }

    The Correct Way™

37. upstream web_workers { server unix:/var/run/php/www1.sock; } location ~ \.php$ {

    if (!-f $request_filename) { return 404; } fastcgi_pass web_workers; fastcgi_index index.php; fastcgi_intercept_errors off; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SERVER_NAME $host; } PHP + Nginx

38. SSL

39. ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache

    shared:SSL:10m; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_ecdh_curve secp521r1; Brain esplodes! Boom!

40. Lets break it down

41. ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols

    SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1;

42. ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols

    SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Protocol

43. ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols

    SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Cache 1m of shared cache stores ~4000 connections

44. BEAST

45. CBC-mode ciphers can be exploited. Allowing the attacker to decrypt

    your traffic.

46. 75% of popular sites still vulnerable according to SSL Pulse

    https://www.trustworthyinternet.org/ssl-pulse/

47. ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols

    SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Protocol

48. But stronger encryptions are slower!

49. Elliptic Curve Improves the Diffie-Hellmann performance... A LOT

50. ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols

    SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Protocol 224bit = 2048bit RSA Key 521bit = 4096bit RSA Key

51. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; Strict Transport Security

52. Check SSL rating on SSLLabs.com

53. Headers

54. add_header add_header Set-Cookie "_orchestra=1; Max-Age=2; Path=/";

55. expires location ~* ^.+\.(jpg|js|jpeg|png)$ { expires 1h; }

56. wiki.nginx.org/NginxHttpHeadersMoreModule Introducing

57. more_set_headers 'Server: My-Temple'; # set and clear output headers location

    /bar { more_set_headers 'X-MyHeader: blah' 'X-MyHeader2: foo'; more_set_headers -t 'text/plain text/css' 'Content-Type: text/foo'; more_set_headers -s '400 404 500 503' -s 413 'Foo: Bar'; more_clear_headers 'Transfer-Encoding' 'Content-Type'; } # set output headers location /type { more_set_headers 'Content-Type: text/plain'; }

58. # set input headers location /foo { more_set_input_headers 'Host: ShoelessJoes';

    more_set_input_headers -t 'text/plain' 'X-Tek: bah'; } # replace input header X-Tek *only* if it already exists more_set_input_headers -r 'X-Tek: howdy';

59. Load Balancing

60. upstream web_workers { server www1.example.com; server www2.example.com; server www3.example.com; server

    www4.example.com; } Simple Round Robin

61. upstream web_workers { ip_hash; server www1.example.com; server www2.example.com; server www3.example.com;

    server www4.example.com; } Consistent IP Routing

62. upstream web_workers { server www1.example.com; server www2.example.com weight=2 max_fails=2 fail_timeout=15;

    server www3.example.com weight=4 max_fails=3; server www4.example.com weight=4 max_fails=4 fail_timeout=20; keepalive 8; } Different Weights weight and ip_hash can work together in Nginx 1.3.1+

63. Cache

64. http { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host

    $http_host; proxy_cache_path /dev/shm/nginx levels=1:2 keys_zone=my-cache:8m max_size=2g inactive=600m; proxy_temp_path /dev/shm/nginx/tmp; proxy_cache_use_stale updating; server { location / { proxy_pass http://example.net; proxy_cache my-cache; proxy_cache_valid 200 302 60m; proxy_cache_valid 404 1m; } } }

65. Modules

66. cd /path/to/your/nginx/source ./configure --add-module=/usr/local/nginx/mod/headers-more/ make make install How to compile

    modules into nginx

67. Blue Sky thinking!

68. Memcache

69. Nginx PHP Memcache

70. Nginx PHP Memcache

71. location / { if ($request_method != GET) { rewrite .

    @fallback last; } # append an extenstion for proper MIME type detection if ($args ~* format=json) { rewrite ^/$uri/?(.*)$ /$uri.json$1 break; } if ($args ~* format=xml) { rewrite ^/$uri/?(.*)$ /$uri.xml$1 break; } if ($args ~* format=html) { default_type text/html; add_header "Content" "text/html; charset=utf8"; charset utf-8; } set $memcached_key nginx_prefix$uri; memcached_pass memcache_backend; error_page 500 404 405 = @fallback; } location @fallback { /* pass to FastCGI */ }

72. MySQL

73. JSON + CSV Output

74. Questions? @h [email protected] Please rate at joind.in/6240