Slide 1

Slide 1 text

Helgi Þormar Þorbjörnsson PHPTek, Chicago, 25th May, 2012 Cranking Nginx to 11

Slide 2

Slide 2 text

Helgi

Slide 3

Slide 3 text

Co-founded Orchestra.io Helgi

Slide 4

Slide 4 text

Co-founded Orchestra.io Work at EngineYard Helgi

Slide 5

Slide 5 text

Co-founded Orchestra.io Work at EngineYard PEAR Developer Helgi

Slide 6

Slide 6 text

Co-founded Orchestra.io Work at EngineYard PEAR Developer From Iceland Helgi

Slide 7

Slide 7 text

Co-founded Orchestra.io Work at EngineYard PEAR Developer From Iceland @h on Twitter Helgi

Slide 8

Slide 8 text

Nginx Just a web server?

Slide 9

Slide 9 text

No! It’s so much more!

Slide 10

Slide 10 text

✓ Web Server ✓ Proxy ✓ Cache ✓ Mail Proxy ✓ And more!

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

Extensible

Slide 13

Slide 13 text

Extensible Flexible

Slide 14

Slide 14 text

Extensible Flexible FFFFFFast

Slide 15

Slide 15 text

Important for tweaking

Slide 16

Slide 16 text

Reload (HUP Signal)

Slide 17

Slide 17 text

Reload (HUP Signal) ‣ Reloads config ‣ Starts up new workers ‣ Old workers stop listening ‣ Finish up any work they have

Slide 18

Slide 18 text

Upgrade (USR2 Signal)

Slide 19

Slide 19 text

Upgrade (USR2 Signal) ‣ Live upgrade of Nginx executable ‣ Starts up a new Master ‣ Run in parallel ‣ Old Workers gracefully shutdown ‣ Old Master can be brought back

Slide 20

Slide 20 text

And always run configtest before doing anything!

Slide 21

Slide 21 text

The journey to 11

Slide 22

Slide 22 text

Location Blocks

Slide 23

Slide 23 text

Foundation of most things we will do

Slide 24

Slide 24 text

Most Common Block location / { try_files $uri $uri/ /index.php$is_args$args; }

Slide 25

Slide 25 text

location /helgi/is/awesome { return 202; }

Slide 26

Slide 26 text

Accepts Regex Done by adding ~ in front of the regular expression

Slide 27

Slide 27 text

Accepts Regex # deny access to all .dot-files location ~ /\. { access_log off; log_not_found off; deny all; } # deny access to all backups location ~ ~$ { access_log off; log_not_found off; deny all; }

Slide 28

Slide 28 text

Error Pages

Slide 29

Slide 29 text

Basic Custom 404 error_page 404 /errors/404.html;

Slide 30

Slide 30 text

Basic Custom 404 error_page 404 /errors/404.html; Requires /errors/404.html to be in the document root

Slide 31

Slide 31 text

Basic Custom 404 error_page 404 /errors/404.html; location /errors/404.html { internal; }

Slide 32

Slide 32 text

Basic Custom 404 root /var/www/public; error_page 404 /errors/404.html; location /errors/404.html { internal; root /var/www; }

Slide 33

Slide 33 text

Errors via PHP error_page 404 @four_oh_four; location @four_oh_four { if (!-f "/var/www/errors/404.php") { return 404; } include fastcgi_params; fastcgi_param SCRIPT_FILENAME /var/www/errors/404.php; fastcgi_pass web_workers; }

Slide 34

Slide 34 text

Combo! error_page 404 @four_oh_four; location @four_oh_four { if (-f "/var/www/errors/404.html") { rewrite ^ /errors/404.html last; } if (!-f "/var/www/errors/404.php") { return 404; } include fastcgi_params; fastcgi_param SCRIPT_FILENAME /var/www/errors/404.php; fastcgi_pass web_workers; } error_page 404 /errors/404.html; location /errors/404.html { internal; root /var/www; }

Slide 35

Slide 35 text

50x and others error_page 500 501 502 503 504 @five_oh_ex; location @five_oh_ex { }

Slide 36

Slide 36 text

50x and others error_page 500 501 502 503 504 @five_oh_ex; location @five_oh_ex { } Most HTTP codes can be bunched together

Slide 37

Slide 37 text

Facebook

Slide 38

Slide 38 text

Official Solution error_page 405 =200 $uri;

Slide 39

Slide 39 text

My Hack error_page 405 =200 @four_oh_five; location @four_oh_five { if (!-f $request_filename) { return 404; } proxy_method GET; proxy_pass http://localhost:80; }

Slide 40

Slide 40 text

Health Checks

Slide 41

Slide 41 text

Nginx Check location = /health/ping { return 200; }

Slide 42

Slide 42 text

Nginx + FPM [healthcheck] listen = /var/run/php/healthcheck.sock user = www-data pm = static pm.max_children = 1 pm.max_requests = 10000 ping.path = /health/ping ping.response = "pong" PHP FPM Config

Slide 43

Slide 43 text

Nginx + FPM location = /health/ping { fastcgi_pass healthcheck; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } upstream healthcheck { server unix:/var/run/php/healthcheck.sock; } Nginx Config

Slide 44

Slide 44 text

Rewrite Module

Slide 45

Slide 45 text

Regex (PCRE)

Slide 46

Slide 46 text

Responsible for all if statements, file exists checks, returns and more.

Slide 47

Slide 47 text

Can work with most Nginx variables such as http_cookie, user agent, uri and countless others.

Slide 48

Slide 48 text

last break redirect permanent

Slide 49

Slide 49 text

last break redirect permanent Finish rewrite and evaluates all rewrites again

Slide 50

Slide 50 text

last break redirect permanent Finish rewrite and evaluates all rewrites again Finish rewrite does no further rewrite processing

Slide 51

Slide 51 text

last break redirect permanent Finish rewrite and evaluates all rewrites again Finish rewrite does no further rewrite processing Returns a 302 on the rewrite

Slide 52

Slide 52 text

last break redirect permanent Finish rewrite and evaluates all rewrites again Finish rewrite does no further rewrite processing Returns a 302 on the rewrite Returns a 301 on the rewrite

Slide 53

Slide 53 text

last break redirect permanent Finish rewrite and evaluates all rewrites again Finish rewrite does no further rewrite processing Returns a 302 on the rewrite Returns a 301 on the rewrite

Slide 54

Slide 54 text

Forward Domains How to send www.helgi.ws to helgi.ws

Slide 55

Slide 55 text

server { server_name www.helgi.ws; rewrite ^/(.*)$ helgi.ws/$1 permanent; } Forward Domains How to send www.helgi.ws to helgi.ws

Slide 56

Slide 56 text

server { server_name www.helgi.ws; rewrite ^/(.*)$ helgi.ws/$1 permanent; } server { server_name www.helgi.ws; rewrite ^ helgi.ws$request_uri permanent; } Forward Domains How to send www.helgi.ws to helgi.ws

Slide 57

Slide 57 text

server { server_name www.helgi.ws; rewrite ^/(.*)$ helgi.ws/$1 permanent; } server { server_name www.helgi.ws; rewrite ^ helgi.ws$request_uri permanent; } Forward Domains How to send www.helgi.ws to helgi.ws

Slide 58

Slide 58 text

Forward Domains server { server_name www.helgi.ws; return 301 $scheme://helgi.ws$request_uri; } The Correct Way™

Slide 59

Slide 59 text

Moving on!

Slide 60

Slide 60 text

upstream web_workers { server unix:/var/run/php/www1.sock; } location ~ \.php$ { if (!-f $request_filename) { return 404; } fastcgi_pass web_workers; fastcgi_index index.php; fastcgi_intercept_errors off; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SERVER_NAME $host; }

Slide 61

Slide 61 text

SSL

Slide 62

Slide 62 text

ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_ecdh_curve secp521r1; Brain esplodes! Boom!

Slide 63

Slide 63 text

Lets break it down

Slide 64

Slide 64 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1;

Slide 65

Slide 65 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Protocol

Slide 66

Slide 66 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Cache

Slide 67

Slide 67 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Cache 1m of shared cache stores ~4000 connections

Slide 68

Slide 68 text

BEAST

Slide 69

Slide 69 text

CBC-mode ciphers can be exploited. Allowing the attacker to decrypt your traffic.

Slide 70

Slide 70 text

75% of popular sites still vulnerable according to SSL Pulse https://www.trustworthyinternet.org/ssl-pulse/

Slide 71

Slide 71 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Protocol

Slide 72

Slide 72 text

But stronger encryptions are slower!

Slide 73

Slide 73 text

AES128-SHA

Slide 74

Slide 74 text

AES128-SHA Traffic can be recorded and decoded at later time

Slide 75

Slide 75 text

Diffie-Hellman DHE

Slide 76

Slide 76 text

Elliptic Curve ECDHE

Slide 77

Slide 77 text

Elliptic Curve ECDHE ECDHE

Slide 78

Slide 78 text

Elliptic Curve Improves the DHE performance... A LOT

Slide 79

Slide 79 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Protocol 224bit = 2048bit RSA Key 521bit = 4096bit RSA Key

Slide 80

Slide 80 text

Strict Transport Security Header

Slide 81

Slide 81 text

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

Slide 82

Slide 82 text

Check SSL rating on SSLLabs.com

Slide 83

Slide 83 text

Headers

Slide 84

Slide 84 text

By default only add and expires

Slide 85

Slide 85 text

add_header add_header Set-Cookie "_orchestra=1; Max-Age=2; Path=/";

Slide 86

Slide 86 text

expires location ~* ^.+\.(jpg|js|jpeg|png)$ { expires 1h; } location ~* helgi.jpg$ { expires epoch; } location ~* kittie.jpg$ { expires max; }

Slide 87

Slide 87 text

wiki.nginx.org/NginxHttpHeadersMoreModule Introducing

Slide 88

Slide 88 text

more_set_headers 'Server: My-Temple'; # set and clear output headers location /bar { more_set_headers 'X-MyHeader: blah' 'X-MyHeader2: foo'; more_set_headers -t 'text/plain text/css' 'Content-Type: text/foo'; more_set_headers -s '400 404 500 503' -s 413 'Foo: Bar'; more_clear_headers 'Transfer-Encoding' 'Content-Type'; } # set output headers location /type { more_set_headers 'Content-Type: text/plain'; }

Slide 89

Slide 89 text

# set input headers location /foo { more_set_input_headers 'Host: ShoelessJoes'; more_set_input_headers -t 'text/plain' 'X-Tek: bah'; } # replace input header X-Tek *only* if it already exists more_set_input_headers -r 'X-Tek: howdy';

Slide 90

Slide 90 text

Load Balaning

Slide 91

Slide 91 text

upstream web_workers { server www1.example.com; server www2.example.com; server www3.example.com; server www4.example.com; } Simple Round Robin

Slide 92

Slide 92 text

upstream web_workers { ip_hash; server www1.example.com; server www2.example.com; server www3.example.com; server www4.example.com; } Consistent IP Routing

Slide 93

Slide 93 text

upstream web_workers { server www1.example.com; server www2.example.com weight=2 max_fails=2 fail_timeout=15; server www3.example.com weight=4 max_fails=3; server www4.example.com weight=4 max_fails=4 fail_timeout=20; keepalive 8; } Different Weights weight and ip_hash don’t mix.

Slide 94

Slide 94 text

Cache

Slide 95

Slide 95 text

http { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_cache_path /dev/shm/nginx levels=1:2 keys_zone=my-cache:8m max_size=2g inactive=600m; proxy_temp_path /dev/shm/nginx/tmp; proxy_cache_use_stale updating; server { location / { proxy_pass http://example.net; proxy_cache my-cache; proxy_cache_valid 200 302 60m; proxy_cache_valid 404 1m; } } }

Slide 96

Slide 96 text

Modules

Slide 97

Slide 97 text

cd /path/to/your/nginx/source ./configure --add-module=/usr/local/nginx/mod/headers-more/ make make install How to compile modules into nginx

Slide 98

Slide 98 text

Blue Sky thinking!

Slide 99

Slide 99 text

Memcache

Slide 100

Slide 100 text

Nginx PHP Memcache

Slide 101

Slide 101 text

Nginx PHP Memcache

Slide 102

Slide 102 text

location / { if ($request_method != GET) { rewrite . @fallback last; } # append an extenstion for proper MIME type detection if ($args ~* format=json) { rewrite ^/$uri/?(.*)$ /$uri.json$1 break; } if ($args ~* format=xml) { rewrite ^/$uri/?(.*)$ /$uri.xml$1 break; } if ($args ~* format=html) { default_type text/html; add_header "Content" "text/html; charset=utf8"; charset utf-8; } set $memcached_key nginx_prefix$uri; memcached_pass memcache_backend; error_page 500 404 405 = @fallback; } location @fallback { /* pass to FastCGI */ }

Slide 103

Slide 103 text

MySQL

Slide 104

Slide 104 text

JSON + CSV Output

Slide 105

Slide 105 text

engineyardjaunt.eventbrite.com Tonight:

Slide 106

Slide 106 text

Questions? @h [email protected] Please rate at joind.in/6491