NGINX Installation and Tuning Introduced by Andrew Alexeev Presented by Owen Garrett Nginx, Inc. 

About this webinar You’re  ready  to  make  your  applica2ons  more  responsive,  scalable,  fast  and   secure.  Then  it’s  2me  to  get  started  with  NGINX.  In  this  webinar,  you  will   learn  how  to  install  NGINX  from  a  package  or  from  source  onto  a  Linux   host.  We’ll  then  look  at  some  common  opera2ng  system  tunings  you  could   make  to  ensure  your  NGINX  install  is  ready  for  prime  2me.   

Agenda   •  Installing  NGINX   –  Installa2on  source,  NGINX  features   •  Tuning  NGINX   –  Opera2ng  System  tuning   –  NGINX  soHware  tuning   •  Benchmarking  NGINX   We’re  covering  a  lot  of  material.     Please  feel  free  to  take  screenshots   and  read  up  a9erwards.   

BEFORE  YOU  INSTALL  NGINX…   

What  can  NGINX  do  for  you?   Internet N Web  Server   Serve  content  from  disk   Applica2on  Gateway   FastCGI,  uWSGI,  Passenger…   Proxy   Caching,  Load  Balancing…   HTTP  traffic   þ Applica2on  Accelera2on   þ SSL  and  SPDY  termina2on   þ Performance  Monitoring   þ High  Availability   Advanced  Features:   þ Bandwidth  Management   þ Content-­‐based  Rou2ng   þ Request  Manipula2on   þ Response  Rewri2ng   þ Authen2ca2on   þ Video  Delivery   þ Mail  Proxy   þ GeoLoca2on   

Deployment  Plan   Determine  the  func2onality  you’ll  need   from  NGINX:     •  Authen2ca2on   •  Proxy  to  API  gateways   •  GZIP   •  GeoIP   •  etc.  etc.   Modules  list  at  nginx.org   

Three  ques2ons  before  installing  NGINX   1.  What  func

Recommended  Install   1.  Standard  modules  (nginx.org)  or  NGINX  Plus   2.  Mainline  (1.7)   3.  Install  from  nginx.org  or  nginx-­‐plus  repository   nginx.org  builds  do  not  include:     •  Modules  with  complex  3rd-­‐party  dependencies:   •  GeoIP,  Image_Filter,  Perl,  XSLT   •  Modules  that  are  part  of  NGINX  Plus   •  Third-­‐party  modules  e.g.  Lua,  Phusion  Passenger   h`p://nginx.com/products/technical-­‐specs/       

Difference  between  NGINX  and  NGINX  Plus   h`p://nginx.com/products/feature-­‐matrix/     NGINX   •  High-­‐performance,  open   source  web  server  and   accelera2ng  proxy.   •  Community  support  through   mailing  lists  on  nginx.org,   stackoverflow,  subject   experts  etc.   NGINX  Plus   •  Adds  Enterprise  Load   Balancing  and  Applica2on   Delivery  features.   •  Full  support  and  updates   from  NGINX  Inc.,  the  team   who  built  and  manage   NGINX.   

INSTALLING  NGINX   

Installa2on  process   $ wget http://nginx.org/keys/nginx_signing.key! $ sudo apt-key add nginx_signing.key! ! # cat > /etc/apt/sources.list.d/nginx.list! deb http://nginx.org/packages/mainline/ubuntu/ trusty nginx! deb-src http://nginx.org/packages/mainline/ubuntu/ trusty nginx! ! # apt-get update! # apt-cache policy nginx! nginx:! Installed: (none)! Candidate: 1.7.0-1~trusty! Version table:! 1.7.0-1~trusty 0! 500 http://nginx.org/packages/mainline/ubuntu/ trusty/nginx amd64 Packages! 1.4.6-1ubuntu3 0! 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages! h`p://nginx.org/en/linux_packages.html#mainline     

Verify  that  it  is  working   # /etc/init.d/nginx status! * nginx is running! ! # /usr/sbin/nginx –v! nginx version: nginx/1.7.0! 

TUNING  NGINX   #1:  UNDERSTAND  WHAT’S  HAPPENING   

Common  tools   •  vmstat     

Common  tools   •  strace   

Other  tools   •  tcpdump  /   wireshark   •  Chrome     dev  tools   •  System  log    (dmesg –c)   

TUNING  NGINX:   #2:  TUNING  THE  OPERATING  SYSTEM   

Tuning  the  opera2ng  system   •  Basic  tunables:   –  Backlog  queue:  limits  number  of   pending  connec2ons   –  File  descriptors:  limit  number  of   ac2ve  connec2ons   –  Ephemeral  ports:  limit  number  of   upstream  connec2ons   

Configuring  Tunables  -­‐  HOWTO   •  /proc:   ! !! ! !# echo "1" > /proc/sys/net/ipv4/tcp_syncookies! ! •  sysctl.conf:   ! !! ! !# vi /etc/sysctl.conf! ! ! ! !# Prevent against the common 'syn flood attack'! ! ! !net.ipv4.tcp_syncookies = 1! ! !! ! !# sysctl –p! 

The  Backlog  Queue   •  What  happens  when  a  connec2on  is  received?   –  èSYN  /  çSYNACK  [syn_backlog  queue]  or  syncookie   –  èACK  [listen  backlog  queue]  /  NGINX:accept()! –  net.ipv4.tcp_max_syn_backlog! –  net.ipv4.tcp_syncookies! –  net.core.somaxconn! •  NGINX: listen backlog=1024! –  net.core.netdev_max_backlog ! 

File  Descriptors   •  What  happens  when  a  connec2on  is  processed?   File  descriptors  are  the  key  resource  –  es2mate  2  per  connec2on.   –  fs.file_max! –  /etc/security/limits.conf! –  worker_rlimit_nofile 200000;! 

Ephemeral  Ports   •  What  happens  when  NGINX  proxies  connec2ons?   Each  TCP  connec2on  requires  a  unique  4-­‐tuple:   [src_ip:src_port, dst_ip:dst_port] ! Ephemeral  port  range  and  life2me:   –  net.ipv4.ip_local_port_range! –  net.ipv4.tcp_fin_timeout! 

Keep  checking  kernel  messages        # dmesg -c! ! ! !# tail -f /var/log/kern.log!   

TUNING  NGINX:   #3:  TUNING  THE  SOFTWARE   

Tuning  NGINX     #1:  You  don’t  need  to  “tune”  very  much     #2:  Don’t  tune  just  for  a  benchmark     #3:  Use  our  Prof  Services  team  to  help   

Common  tunings   ! worker_processes auto;  –  set  to  ‘auto’  or  higher! worker_connections  –  set  to  less  than  file  descriptor   count.   accept_mutex:  disable  for  busy  services   

The  proxy  should  use  keepalives   Close  TCP  Connec

BENCHMARKING  NGINX   

Why  benchmark  NGINX?   1.  To find how fast NGINX can go 2.  To tune NGINX for your workload 3.  To find where the bottlenecks are 4.  All of the above 

IN  CONCLUSION…   

In  conclusion:   •  Install  from  the  nginx  repo   –  NGINX  or  NGINX  Plus   •  Basic  tuning  and  configura2on   –  dmesg  /  kern.log   •  Benchmark  /  stress  test   •  NGINX  Professional  Services  and  Training   h`p://nginx.com/     

No content

h`ps://speakerdeck.com/dctrwatson/c1m-­‐and-­‐nginx     h`ps://www.youtube.com/watch?v=yL4Q7D4ynxU     h`ps://gist.github.com/dctrwatson/0b3b52050254e273ff11