Five things you didn't know NGINX could do

Transcript

1. 5 things you didn’t know NGINX could do Sarah Novotny

   Nginx, Inc.

2. Many people know NGINX as an HTTP request and load

   balancing server that powers many of the world's busiest websites. But, there are a lot of ancillary pieces that go into the software to make it a whole web application accelerator.

3. What is NGINX? Internet N Web Server Serve content from

   disk Application Server FastCGI, uWSGI, Passenger… Proxy Caching, Load Balancing… HTTP traffic

4. 146,000,000 Websites NGINX Accelerates

5. Advanced Features þ Bandwidth Management þ Content-based Routing þ Request Manipulation þ Response Rewriting

   þ Application Acceleration þ SSL and SPDY termination þ Authentication þ Video Delivery þ Mail Proxy þ GeoLocation þ Performance Monitoring þ High Availability

6. 23% Top 1 million websites 39% Top 10,000 websites

7. Some  things  you  might  not  know     Form  

   spamming   Compress   assets   Thread   exhaus8on   Rewrite   content   Online   upgrades   Configure   flags   A/B  tes8ng   Include   direc8ve   Manipulate   proxy   headers  

8. Some  things  you  might  not  know     Compress assets

   for delivery Stop form spamming Protect Apache from thread exhaustion attacks Rewrite content inline Online upgrades Configure flags

9. Compress data to reduce bandwidth •  Reduce  bandwidth  requirements  per

    client   – Content  Compression  reduces  text  and  HTML   – Image  resampling  reduces  image  sizes  

10. HTTP gzip module •  Provides Gzip capabilities so that responses

    from NGINX are compressed to reduce file size •  Directives can be used in the http, server and location contexts •  Key directives –  gzip –  gzip_types –  gzip_proxied

11. Gzip example Enable gzip gzip on;   Apply gzip for

    text, html and CSS gzip_types text/plain text/html text/css; Enable gzip compression for any proxied request gzip_proxy any; It is not advisable to enable gzip for binary content types such as images, word documents or videos

12. HTTP image filter •  Provides inline image manipulation to transform

    images for optimal delivery •  Directives can be used in the location context •  Key directives –  image_filter size; –  image_filter resize width height; –  image_filter crop width height;

13. HTTP image filter example location /img/ { proxy_pass http://backend; image_filter

    resize 150 100; image_filter rotate 90; error_page 415 = /empty; } location = /empty { empty_gif; }

14. We talk about the ‘N second rule’: –  10 seconds

    (Jakob Nielsen, March 1997) –  8 seconds (Zona Research, June 2001) –  4 seconds (Jupiter Research, June 2006) –  3 seconds (PhocusWright, March 2010)

15. Stop brute force retries •  Stop brute force password attacks

    •  Stop form spamming – Use the NGINX limit request module

16. HTTP limit req module •  Allows granular control of request

    processing rate •  Directives an be used in http, server and location contexts •  Key directives –  limit_req_zone –  limit_req

17. HTTP limit req module http { limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    … server { … location /search/ { limit_req zone=one burst=5; } } }

18. Protect Apache from thread exhaustion attacks •  Use NGINX in

    front of Apache •  Mitigates ‘slow loris’, ‘keep dead’ and ‘front page of hacker news’ attacks

19. What is thread exhaustion? hJp  process   hJp  process  

    hJp  process   hJp  process   hJp  process   hJp  process   hJp  process   Client-side: Multiple Connections HTTP Keepalives Server-side: Limited concurrency

20. How  NGINX  mi8gates  thread   exhaus8on   N Large  numbers

     of  clients,    with  long-­‐term  keepalive  connec8ons   NGINX  reduces  connec8ons   to  the  minimum  number   necessary  

21. Rewrite content inline •  Use the power of substitution to

    simplify updates •  Directives can be used in the http, server and location contexts •  Key directives –  sub_filter_once –  sub_filter –  sub_filter_types

22. HTTP sub filter example location / { sub_filter_once off; sub_filter_types

    text/html; sub_filter “__copyright_date__” “2014”; }

23. Online Binary updates and configuration changes •  Update either the

    configuration files or the binary without losing any connections

24. Configuration file update [root@localhost ~]# nginx -s reload [root@localhost ~]#

25. Yep. It’s that simple

26. Binary Upgrade [root@localhost ~]# cat /var/run/nginx.pid 1991 [root@localhost ~]# kill

    –USR2 1991 •  Choose your method of binary installation •  Replace the binary

27. Binary Upgrade [root@localhost ~]# ps -ef |grep nginx root 1991

    1 0 08:06 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf nginx 2974 1991 0 08:22 ? 00:00:00 nginx: worker process nginx 2975 1991 0 08:22 ? 00:00:00 nginx: worker process root 3123 2948 0 08:43 pts/0 00:00:00 grep nginx root 3124 1991 0 08:43 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf

28. Binary Upgrade [root@localhost ~]# kill –WINCH 1991 [root@localhost ~]# kill

    –QUIT 1991 •  Verify things are working as expected (you can still back out gracefully at this point)

29. nginx –V gives a nearly complete configuration script for compiling

    Configure Flags

30. [root@localhost ~]# nginx -V! nginx version: nginx/1.5.7! built by gcc

    4.4.7 20120313 (Red Hat 4.4.7-3) (GCC) ! TLS SNI support enabled! configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/ nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/ nginx/error.log --http-log-path=/var/log/nginx/access.log --pid- path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http- client-body-temp-path=/var/cache/nginx/client_temp --http-proxy- temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/ var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/ nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with- http_spdy_module --with-http_realip_module --with- http_addition_module --with-http_sub_module --with-http_dav_module! --etc!

31. A/B  tes8ng   Internet N Content A HTTP traffic Content

    B

32. Split  Clients  Module   http { split_clients "${remote_addr}AAA" $variant {

    0.5% .A; 2.0% .B; * "”; } server { location / { index index${variant}.html;

33. Measurement     and  analysis  is  leQ  as    

    an  exercise  to  the     reader        

34. Include  Direc8ve   •  Includes files •  Directives can be

    used in the any context •  Key directives – include

35. HTTP include example http {! ! !include /etc/nginx/conf.d/mime.types;! ! !include

    /etc/nginx/conf.d/*.conf;! ! !include /etc/nginx/sites-enabled/*;! }

36. Manipulate proxy headers •  Mask  content  source  (like  assets  in

     S3)   •  Manage  proxy  behavior   •  Inject  your  own  headers  (host  header  or  x-­‐ forward-­‐for  etc)  

37. Proxy  Header  Manipula8on   •  Allows perception management of content

    delivery through headers •  Directives can be used in the http, server and location contexts •  Key directives –  proxy_hide_header –  proxy_set_header –  proxy_ignore_header

38. Proxy hide header example location / { proxy_pass http://your_bucket.s3.amazonaws.com; proxy_hide_header

    x-amz-id-2; proxy_hide_header x-amz-meta-s3fox-filesize; proxy_hide_header x-amz-request-id; proxy_hide_header x-amz-meta-s3fox-modifiedtime; ... }

39. Proxy set header example location / { proxy_pass http://localhost:8000; proxy_set_header

    Host $host; proxy_set_header X-Real-IP $remote_addr; ... }

40. Proxy ignore header example location / { proxy_pass http://localhost:8000; proxy_ignore_header

    X-Accel-Limit-Rate; proxy_ignore_header X-Accel-Expires; ... }

41. More resources •  Check out our blog on nginx.com • 

    Webinars: nginx.com/webinars Try: NGINX F/OSS (nginx.org) NGINX Plus (nginx.com)

42. Thanks for your time! @sarahnovotny Evangelist, NGINX Program Chair, OSCON