Cranking Nginx to 11 - DPC 2012

Slide 1

Slide 1 text

Helgi Þormar Þorbjörnsson DPC, Amsterdam, 8th of June, 2012 Cranking Nginx to 11

Slide 2

Slide 2 text

Co-founded Orchestra.io Work at EngineYard PEAR Developer From Iceland @h on Twitter Helgi

Slide 3

Slide 3 text

Nginx Just a web server?

Slide 4

Slide 4 text

✓ Web Server ✓ Proxy ✓ Cache ✓ Mail Proxy ✓ And more! No! It’s so much more!

Slide 5

Slide 5 text

The journey to 11

Slide 6

Slide 6 text

Important for tweaking

Slide 7

Slide 7 text

Always run conﬁgtest before doing anything!

Slide 8

Slide 8 text

Reload (HUP Signal)

Slide 9

Slide 9 text

Reload (HUP Signal) ‣ Reloads conﬁg ‣ Starts up new workers ‣ Old workers stop listening ‣ Finish up any work they have

Slide 10

Slide 10 text

Upgrade (USR2 Signal)

Slide 11

Slide 11 text

Upgrade (USR2 Signal) ‣ Live upgrade of Nginx executable ‣ Starts up a new Master ‣ Run in parallel ‣ Old Workers gracefully shutdown ‣ Old Master can be brought back

Slide 12

Slide 12 text

Location Blocks

Slide 13

Slide 13 text

Foundation of most things we will do

Slide 14

Slide 14 text

Most Common Block location / { try_files $uri $uri/ /index.php$is_args$args; }

Slide 15

Slide 15 text

location /helgi/is/awesome { return 202; }

Slide 16

Slide 16 text

Accepts Regex Done by adding ~ in front of the regular expression

Slide 17

Slide 17 text

Accepts Regex # deny access to all .dot-files location ~ /\. { access_log off; log_not_found off; deny all; } # deny access to all backups location ~ ~$ { access_log off; log_not_found off; deny all; }

Slide 18

Slide 18 text

Error Pages

Slide 19

Slide 19 text

Basic Custom 404 error_page 404 /errors/404.html; Requires /errors/404.html to be in the document root

Slide 20

Slide 20 text

Basic Custom 404 root /var/www/public; error_page 404 /errors/404.html; location /errors/404.html { internal; root /var/www; }

Slide 21

Slide 21 text

Errors via PHP error_page 404 @four_oh_four; location @four_oh_four { if (!-f "/var/www/errors/404.php") { return 404; } include fastcgi_params; fastcgi_param SCRIPT_FILENAME /var/www/errors/404.php; fastcgi_pass web_workers; }

Slide 22

Slide 22 text

50x and others error_page 500 501 502 503 504 @five_oh_ex; location @five_oh_ex { } Most HTTP codes can be bunched together

Slide 23

Slide 23 text

Facebook

Slide 24

Slide 24 text

Official Solution error_page 405 =200 $uri;

Slide 25

Slide 25 text

My Hack error_page 405 =200 @four_oh_five; location @four_oh_five { if (!-f $request_filename) { return 404; } proxy_method GET; proxy_pass http://localhost:80; }

Slide 26

Slide 26 text

Health Checks

Slide 27

Slide 27 text

Nginx Check location = /health/ping { return 200; }

Slide 28

Slide 28 text

Nginx + FPM [healthcheck] listen = /var/run/php/healthcheck.sock user = www-data pm = static pm.max_children = 1 pm.max_requests = 10000 ping.path = /health/ping ping.response = "pong" PHP FPM Conﬁg

Slide 29

Slide 29 text

Nginx + FPM location = /health/ping { fastcgi_pass healthcheck; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } upstream healthcheck { server unix:/var/run/php/healthcheck.sock; } Nginx Conﬁg

Slide 30

Slide 30 text

Rewrite Module

Slide 31

Slide 31 text

Regex (PCRE)

Slide 32

Slide 32 text

Responsible for all if statements, ﬁle exists checks, returns and more. Can work with most Nginx variables such as http_cookie, user agent, uri and countless others.

Slide 33

Slide 33 text

last break redirect permanent Finish rewrite and evaluates all rewrites again Finish rewrite does no further rewrite processing Returns a 302 on the rewrite Returns a 301 on the rewrite

Slide 34

Slide 34 text

server { server_name www.helgi.ws; rewrite ^/(.*)$ helgi.ws/$1 permanent; } server { server_name www.helgi.ws; rewrite ^ helgi.ws$request_uri permanent; } Forward Domains How to send www.helgi.ws to helgi.ws

Slide 35

Slide 35 text

Slide 36

Slide 36 text

Forward Domains server { server_name www.helgi.ws; return 301 $scheme://helgi.ws$request_uri; } The Correct Way™

Slide 37

Slide 37 text

upstream web_workers { server unix:/var/run/php/www1.sock; } location ~ \.php$ { if (!-f $request_filename) { return 404; } fastcgi_pass web_workers; fastcgi_index index.php; fastcgi_intercept_errors off; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SERVER_NAME $host; } PHP + Nginx

Slide 38

Slide 38 text

SSL

Slide 39

Slide 39 text

ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_ecdh_curve secp521r1; Brain esplodes! Boom!

Slide 40

Slide 40 text

Lets break it down

Slide 41

Slide 41 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1;

Slide 42

Slide 42 text

Slide 43

Slide 43 text

Slide 44

Slide 44 text

BEAST

Slide 45

Slide 45 text

CBC-mode ciphers can be exploited. Allowing the attacker to decrypt your traﬃc.

Slide 46

Slide 46 text

75% of popular sites still vulnerable according to SSL Pulse https://www.trustworthyinternet.org/ssl-pulse/

Slide 47

Slide 47 text

Slide 48

Slide 48 text

But stronger encryptions are slower!

Slide 49

Slide 49 text

Elliptic Curve Improves the Diﬃe-Hellmann performance... A LOT

Slide 50

Slide 50 text

Slide 51

Slide 51 text

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; Strict Transport Security

Slide 52

Slide 52 text

Check SSL rating on SSLLabs.com

Slide 53

Slide 53 text

Headers

Slide 54

Slide 54 text

add_header add_header Set-Cookie "_orchestra=1; Max-Age=2; Path=/";

Slide 55

Slide 55 text

expires location ~* ^.+\.(jpg|js|jpeg|png)$ { expires 1h; }

Slide 56

Slide 56 text

wiki.nginx.org/NginxHttpHeadersMoreModule Introducing

Slide 57

Slide 57 text

more_set_headers 'Server: My-Temple'; # set and clear output headers location /bar { more_set_headers 'X-MyHeader: blah' 'X-MyHeader2: foo'; more_set_headers -t 'text/plain text/css' 'Content-Type: text/foo'; more_set_headers -s '400 404 500 503' -s 413 'Foo: Bar'; more_clear_headers 'Transfer-Encoding' 'Content-Type'; } # set output headers location /type { more_set_headers 'Content-Type: text/plain'; }

Slide 58

Slide 58 text

# set input headers location /foo { more_set_input_headers 'Host: ShoelessJoes'; more_set_input_headers -t 'text/plain' 'X-Tek: bah'; } # replace input header X-Tek *only* if it already exists more_set_input_headers -r 'X-Tek: howdy';

Slide 59

Slide 59 text

Load Balancing

Slide 60

Slide 60 text

upstream web_workers { server www1.example.com; server www2.example.com; server www3.example.com; server www4.example.com; } Simple Round Robin

Slide 61

Slide 61 text

upstream web_workers { ip_hash; server www1.example.com; server www2.example.com; server www3.example.com; server www4.example.com; } Consistent IP Routing

Slide 62

Slide 62 text

upstream web_workers { server www1.example.com; server www2.example.com weight=2 max_fails=2 fail_timeout=15; server www3.example.com weight=4 max_fails=3; server www4.example.com weight=4 max_fails=4 fail_timeout=20; keepalive 8; } Different Weights weight and ip_hash can work together in Nginx 1.3.1+

Slide 63

Slide 63 text

Cache

Slide 64

Slide 64 text

http { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_cache_path /dev/shm/nginx levels=1:2 keys_zone=my-cache:8m max_size=2g inactive=600m; proxy_temp_path /dev/shm/nginx/tmp; proxy_cache_use_stale updating; server { location / { proxy_pass http://example.net; proxy_cache my-cache; proxy_cache_valid 200 302 60m; proxy_cache_valid 404 1m; } } }

Slide 65

Slide 65 text

Modules

Slide 66

Slide 66 text

cd /path/to/your/nginx/source ./configure --add-module=/usr/local/nginx/mod/headers-more/ make make install How to compile modules into nginx

Slide 67

Slide 67 text

Blue Sky thinking!

Slide 68

Slide 68 text

Memcache

Slide 69

Slide 69 text

Nginx PHP Memcache

Slide 70

Slide 70 text

Nginx PHP Memcache

Slide 71

Slide 71 text

location / { if ($request_method != GET) { rewrite . @fallback last; } # append an extenstion for proper MIME type detection if ($args ~* format=json) { rewrite ^/$uri/?(.*)$ /$uri.json$1 break; } if ($args ~* format=xml) { rewrite ^/$uri/?(.*)$ /$uri.xml$1 break; } if ($args ~* format=html) { default_type text/html; add_header "Content" "text/html; charset=utf8"; charset utf-8; } set $memcached_key nginx_prefix$uri; memcached_pass memcache_backend; error_page 500 404 405 = @fallback; } location @fallback { /* pass to FastCGI */ }