NGINX Installation and Tuning

17a8a63d6d97b2fb736285f0aff5b48f?s=47 NGINX Inc
April 30, 2014

NGINX Installation and Tuning

For the recorded webinar, visit

You’re ready to make your applications more responsive, scalable, fast and secure. Then it’s time to get started with NGINX. In this webinar, you will learn how to install NGINX from a package or from source onto a Linux host. We’ll then look at some common operating system tunings you could make to ensure your NGINX install is ready for prime time.



April 30, 2014


  1. NGINX Installation and Tuning Introduced by Andrew Alexeev Presented by

    Owen Garrett Nginx, Inc.
  2. About this webinar You’re  ready  to  make  your  applica2ons  more

     responsive,  scalable,  fast  and   secure.  Then  it’s  2me  to  get  started  with  NGINX.  In  this  webinar,  you  will   learn  how  to  install  NGINX  from  a  package  or  from  source  onto  a  Linux   host.  We’ll  then  look  at  some  common  opera2ng  system  tunings  you  could   make  to  ensure  your  NGINX  install  is  ready  for  prime  2me.  
  3. Agenda   •  Installing  NGINX   –  Installa2on  source,  NGINX

     features   •  Tuning  NGINX   –  Opera2ng  System  tuning   –  NGINX  soHware  tuning   •  Benchmarking  NGINX   We’re  covering  a  lot  of  material.     Please  feel  free  to  take  screenshots   and  read  up  a9erwards.  

  5. What  can  NGINX  do  for  you?   Internet N Web

     Server   Serve  content  from  disk   Applica2on  Gateway   FastCGI,  uWSGI,  Passenger…   Proxy   Caching,  Load  Balancing…   HTTP  traffic   þ Applica2on  Accelera2on   þ SSL  and  SPDY  termina2on   þ Performance  Monitoring   þ High  Availability   Advanced  Features:   þ Bandwidth  Management   þ Content-­‐based  Rou2ng   þ Request  Manipula2on   þ Response  Rewri2ng   þ Authen2ca2on   þ Video  Delivery   þ Mail  Proxy   þ GeoLoca2on  
  6. Deployment  Plan   Determine  the  func2onality  you’ll  need   from

     NGINX:     •  Authen2ca2on   •  Proxy  to  API  gateways   •  GZIP   •  GeoIP   •  etc.  etc.   Modules  list  at  
  7. Three  ques2ons  before  installing  NGINX   1.  What  func<onality  do

     you  require?     •  Standard  modules   •  NGINX  Plus  func2onality   •  Op2onal  NGINX  and  third-­‐party  modules     3.  How  do  you  want  to  install?     •  “Official”  NGINX  packages  (   •  Build  from  Source   •  From  Opera2ng  System  repository   •  From  Amazon  AWS  Marketplace   2.  What  branch  do  you  want  to  track?     •  Mainline  (1.7)   •  Stable  (1.6)   •  Something  older?   h`p:// nginx-­‐1-­‐6-­‐1-­‐7-­‐released/    
  8. Recommended  Install   1.  Standard  modules  (  or  NGINX  Plus

      2.  Mainline  (1.7)   3.  Install  from  or  nginx-­‐plus  repository  builds  do  not  include:     •  Modules  with  complex  3rd-­‐party  dependencies:   •  GeoIP,  Image_Filter,  Perl,  XSLT   •  Modules  that  are  part  of  NGINX  Plus   •  Third-­‐party  modules  e.g.  Lua,  Phusion  Passenger   h`p://­‐specs/      
  9. Difference  between  NGINX  and  NGINX  Plus   h`p://­‐matrix/    

    NGINX   •  High-­‐performance,  open   source  web  server  and   accelera2ng  proxy.   •  Community  support  through   mailing  lists  on,   stackoverflow,  subject   experts  etc.   NGINX  Plus   •  Adds  Enterprise  Load   Balancing  and  Applica2on   Delivery  features.   •  Full  support  and  updates   from  NGINX  Inc.,  the  team   who  built  and  manage   NGINX.  

  11. Installa2on  process   $ wget! $ sudo apt-key add

    nginx_signing.key! ! # cat > /etc/apt/sources.list.d/nginx.list! deb trusty nginx! deb-src trusty nginx! ! # apt-get update! # apt-cache policy nginx! nginx:! Installed: (none)! Candidate: 1.7.0-1~trusty! Version table:! 1.7.0-1~trusty 0! 500 trusty/nginx amd64 Packages! 1.4.6-1ubuntu3 0! 500 trusty/main amd64 Packages! h`p://    
  12. Verify  that  it  is  working   # /etc/init.d/nginx status! *

    nginx is running! ! # /usr/sbin/nginx –v! nginx version: nginx/1.7.0!

  14. Common  tools   •  vmstat    

  15. Common  tools   •  strace  

  16. Other  tools   •  tcpdump  /   wireshark   • 

    Chrome     dev  tools   •  System  log    (dmesg –c)  

  18. Tuning  the  opera2ng  system   •  Basic  tunables:   – 

    Backlog  queue:  limits  number  of   pending  connec2ons   –  File  descriptors:  limit  number  of   ac2ve  connec2ons   –  Ephemeral  ports:  limit  number  of   upstream  connec2ons  
  19. Configuring  Tunables  -­‐  HOWTO   •  /proc:   ! !!

    ! !# echo "1" > /proc/sys/net/ipv4/tcp_syncookies! ! •  sysctl.conf:   ! !! ! !# vi /etc/sysctl.conf! ! ! ! !# Prevent against the common 'syn flood attack'! ! ! !net.ipv4.tcp_syncookies = 1! ! !! ! !# sysctl –p!
  20. The  Backlog  Queue   •  What  happens  when  a  connec2on

     is  received?   –  èSYN  /  çSYNACK  [syn_backlog  queue]  or  syncookie   –  èACK  [listen  backlog  queue]  /  NGINX:accept()! –  net.ipv4.tcp_max_syn_backlog! –  net.ipv4.tcp_syncookies! –  net.core.somaxconn! •  NGINX: listen backlog=1024! –  net.core.netdev_max_backlog !
  21. File  Descriptors   •  What  happens  when  a  connec2on  is

     processed?   File  descriptors  are  the  key  resource  –  es2mate  2  per  connec2on.   –  fs.file_max! –  /etc/security/limits.conf! –  worker_rlimit_nofile 200000;!
  22. Ephemeral  Ports   •  What  happens  when  NGINX  proxies  connec2ons?

      Each  TCP  connec2on  requires  a  unique  4-­‐tuple:   [src_ip:src_port, dst_ip:dst_port] ! Ephemeral  port  range  and  life2me:   –  net.ipv4.ip_local_port_range! –  net.ipv4.tcp_fin_timeout!
  23. Keep  checking  kernel  messages        # dmesg -c!

    ! ! !# tail -f /var/log/kern.log!  

  25. Tuning  NGINX     #1:  You  don’t  need  to  “tune”

     very  much     #2:  Don’t  tune  just  for  a  benchmark     #3:  Use  our  Prof  Services  team  to  help  
  26. Common  tunings   ! worker_processes auto;  –  set  to  ‘auto’

     or  higher! worker_connections  –  set  to  less  than  file  descriptor   count.   accept_mutex:  disable  for  busy  services  
  27. The  proxy  should  use  keepalives   Close  TCP  Connec<on  

    (two-­‐way  handshake)   Open  TCP  Connec<on   (three-­‐way  handshake)   Write  HTTP  request   Read  HTTP  response   Wait   (2meout)     NGINX  or  server   closes  the   connec2on   NGINX  re-­‐uses  connec2on  for  another  request   server {! listen 80;! location / {! proxy_pass http://backend;! proxy_http_version 1.1;! proxy_set_header Connection "";! }! }! ! upstream backend {! server webserver1 max_conns=256;! server webserver2 max_conns=256;! queue 4096 timeout=15s;! ! # maintain a maximum of 20 idle connections to each upstream server! keepalive 20;! }!

  29. Why  benchmark  NGINX?   1.  To find how fast NGINX

    can go 2.  To tune NGINX for your workload 3.  To find where the bottlenecks are 4.  All of the above

  31. In  conclusion:   •  Install  from  the  nginx  repo  

    –  NGINX  or  NGINX  Plus   •  Basic  tuning  and  configura2on   –  dmesg  /  kern.log   •  Benchmark  /  stress  test   •  NGINX  Professional  Services  and  Training   h`p://    
  32. None
  33. h`ps://­‐and-­‐nginx     h`ps://     h`ps://