Slide 1

Slide 1 text

Helgi Þormar Þorbjörnsson ZendCon, Santa Clara, 24th of Oct 2012 Cranking Nginx to 11 Wednesday, 24 October 12

Slide 2

Slide 2 text

Co-founded Orchestra.io Work at EngineYard PEAR Developer From Iceland @h on Twitter Helgi Wednesday, 24 October 12

Slide 3

Slide 3 text

Nginx Just a web server? Wednesday, 24 October 12

Slide 4

Slide 4 text

✓ Web Server ✓ Proxy ✓ Cache ✓ Mail Proxy ✓ And more! No! It’s so much more! Wednesday, 24 October 12

Slide 5

Slide 5 text

The journey to 11 Wednesday, 24 October 12

Slide 6

Slide 6 text

Important for tweaking Wednesday, 24 October 12

Slide 7

Slide 7 text

Always run configtest before doing anything! Wednesday, 24 October 12

Slide 8

Slide 8 text

Reload (HUP Signal) Wednesday, 24 October 12

Slide 9

Slide 9 text

Reload (HUP Signal) ‣ Reloads config ‣ Starts up new workers ‣ Old workers stop listening ‣ Finish up any work they have Wednesday, 24 October 12

Slide 10

Slide 10 text

Upgrade (USR2 Signal) Wednesday, 24 October 12

Slide 11

Slide 11 text

Upgrade (USR2 Signal) ‣ Live upgrade of Nginx executable ‣ Starts up a new Master ‣ Run in parallel ‣ Old Workers gracefully shutdown ‣ Old Master can be brought back Wednesday, 24 October 12

Slide 12

Slide 12 text

Location Blocks Wednesday, 24 October 12

Slide 13

Slide 13 text

Foundation of most things we will do Wednesday, 24 October 12

Slide 14

Slide 14 text

Most Common Block location / { try_files $uri $uri/ /index.php$is_args$args; } Wednesday, 24 October 12

Slide 15

Slide 15 text

location /helgi/is/awesome { return 202; } Wednesday, 24 October 12

Slide 16

Slide 16 text

Accepts Regex Done by adding ~ in front of the regular expression Wednesday, 24 October 12

Slide 17

Slide 17 text

Accepts Regex # deny access to all .dot-files location ~ /\. { access_log off; log_not_found off; deny all; } # deny access to all backups location ~ ~$ { access_log off; log_not_found off; deny all; } Wednesday, 24 October 12

Slide 18

Slide 18 text

Error Pages Wednesday, 24 October 12

Slide 19

Slide 19 text

Basic Custom 404 error_page 404 /errors/404.html; Requires /errors/404.html to be in the document root Wednesday, 24 October 12

Slide 20

Slide 20 text

Basic Custom 404 root /var/www/public; error_page 404 /errors/404.html; location /errors/404.html { internal; root /var/www; } Wednesday, 24 October 12

Slide 21

Slide 21 text

Errors via PHP error_page 404 @four_oh_four; location @four_oh_four { if (!-f "/var/www/errors/404.php") { return 404; } include fastcgi_params; fastcgi_param SCRIPT_FILENAME /var/www/errors/404.php; fastcgi_pass web_workers; } Wednesday, 24 October 12

Slide 22

Slide 22 text

50x and others error_page 500 501 502 503 504 @five_oh_ex; location @five_oh_ex { } Most HTTP codes can be bunched together Wednesday, 24 October 12

Slide 23

Slide 23 text

Facebook Wednesday, 24 October 12

Slide 24

Slide 24 text

Official Solution error_page 405 =200 $uri; Wednesday, 24 October 12

Slide 25

Slide 25 text

My Hack error_page 405 =200 @four_oh_five; location @four_oh_five { if (!-f $request_filename) { return 404; } proxy_method GET; proxy_pass http://localhost:80; } Wednesday, 24 October 12

Slide 26

Slide 26 text

Health Checks Wednesday, 24 October 12

Slide 27

Slide 27 text

Nginx Check location = /health/ping { return 200 “ok”; } Wednesday, 24 October 12

Slide 28

Slide 28 text

Nginx + FPM [healthcheck] listen = /var/run/php/healthcheck.sock user = www-data pm = static pm.max_children = 1 pm.max_requests = 10000 ping.path = /health/ping ping.response = "pong" PHP FPM Config Wednesday, 24 October 12

Slide 29

Slide 29 text

Nginx + FPM location = /health/ping { fastcgi_pass healthcheck; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } upstream healthcheck { server unix:/var/run/php/healthcheck.sock; } Nginx Config Wednesday, 24 October 12

Slide 30

Slide 30 text

Rewrite Module Wednesday, 24 October 12

Slide 31

Slide 31 text

Regex (PCRE) Wednesday, 24 October 12

Slide 32

Slide 32 text

Responsible for all if statements, file exists checks, returns and more. Can work with most Nginx variables such as http_cookie, user agent, uri and countless others. Wednesday, 24 October 12

Slide 33

Slide 33 text

last break redirect permanent Finish rewrite and evaluates all rewrites again Finish rewrite does no further rewrite processing Returns a 302 on the rewrite Returns a 301 on the rewrite Wednesday, 24 October 12

Slide 34

Slide 34 text

server { server_name www.helgi.ws; rewrite ^/(.*)$ helgi.ws/$1 permanent; } server { server_name www.helgi.ws; rewrite ^ helgi.ws$request_uri permanent; } Forward Domains How to send www.helgi.ws to helgi.ws Wednesday, 24 October 12

Slide 35

Slide 35 text

Forward Domains server { server_name www.helgi.ws; return 301 $scheme://helgi.ws$request_uri; } The Correct Way™ Wednesday, 24 October 12

Slide 36

Slide 36 text

upstream web_workers { server unix:/var/run/php/www1.sock; } location ~ \.php$ { if (!-f $request_filename) { return 404; } fastcgi_pass web_workers; fastcgi_index index.php; fastcgi_intercept_errors off; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SERVER_NAME $host; } PHP + Nginx Wednesday, 24 October 12

Slide 37

Slide 37 text

SSL Wednesday, 24 October 12

Slide 38

Slide 38 text

ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_ecdh_curve secp521r1; Brain esplodes! Boom! Wednesday, 24 October 12

Slide 39

Slide 39 text

Lets break it down Wednesday, 24 October 12

Slide 40

Slide 40 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Wednesday, 24 October 12

Slide 41

Slide 41 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Protocol Wednesday, 24 October 12

Slide 42

Slide 42 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Cache 1m of shared cache stores ~4000 connections Wednesday, 24 October 12

Slide 43

Slide 43 text

BEAST Wednesday, 24 October 12

Slide 44

Slide 44 text

CBC-mode ciphers can be exploited. Allowing the attacker to decrypt your traffic. Wednesday, 24 October 12

Slide 45

Slide 45 text

71% of popular sites still vulnerable according to SSL Pulse https://www.trustworthyinternet.org/ssl-pulse/ Wednesday, 24 October 12

Slide 46

Slide 46 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Protocol Wednesday, 24 October 12

Slide 47

Slide 47 text

But stronger encryptions are slower! Wednesday, 24 October 12

Slide 48

Slide 48 text

Elliptic Curve Improves the Diffie-Hellmann performance... A LOT Wednesday, 24 October 12

Slide 49

Slide 49 text

ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256- SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; ssl_certificate /etc/nginx/ssl/foo.crt; ssl_certificate_key /etc/nginx/ssl/foo.key; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp521r1; Protocol 224bit = 2048bit RSA Key 521bit = 4096bit RSA Key Wednesday, 24 October 12

Slide 50

Slide 50 text

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; Strict Transport Security Wednesday, 24 October 12

Slide 51

Slide 51 text

Check SSL rating on SSLLabs.com Wednesday, 24 October 12

Slide 52

Slide 52 text

Headers Wednesday, 24 October 12

Slide 53

Slide 53 text

add_header add_header Set-Cookie "_orchestra=1; Max-Age=2; Path=/"; Wednesday, 24 October 12

Slide 54

Slide 54 text

expires location ~* ^.+\.(jpg|js|jpeg|png)$ { expires 1h; } Wednesday, 24 October 12

Slide 55

Slide 55 text

wiki.nginx.org/NginxHttpHeadersMoreModule Introducing Wednesday, 24 October 12

Slide 56

Slide 56 text

more_set_headers 'Server: My-Temple'; # set and clear output headers location /bar { more_set_headers 'X-MyHeader: blah' 'X-MyHeader2: foo'; more_set_headers -t 'text/plain text/css' 'Content-Type: text/foo'; more_set_headers -s '400 404 500 503' -s 413 'Foo: Bar'; more_clear_headers 'Transfer-Encoding' 'Content-Type'; } # set output headers location /type { more_set_headers 'Content-Type: text/plain'; } Wednesday, 24 October 12

Slide 57

Slide 57 text

# set input headers location /foo { more_set_input_headers 'Host: ShoelessJoes'; more_set_input_headers -t 'text/plain' 'X-Tek: bah'; } # replace input header X-Tek *only* if it already exists more_set_input_headers -r 'X-Tek: howdy'; Wednesday, 24 October 12

Slide 58

Slide 58 text

Load Balancing Wednesday, 24 October 12

Slide 59

Slide 59 text

upstream web_workers { server www1.example.com; server www2.example.com; server www3.example.com; server www4.example.com; } Simple Round Robin Wednesday, 24 October 12

Slide 60

Slide 60 text

upstream web_workers { ip_hash; server www1.example.com; server www2.example.com; server www3.example.com; server www4.example.com; } Consistent IP Routing Wednesday, 24 October 12

Slide 61

Slide 61 text

upstream web_workers { server www1.example.com; server www2.example.com weight=2 max_fails=2 fail_timeout=15; server www3.example.com weight=4 max_fails=3; server www4.example.com weight=4 max_fails=4 fail_timeout=20; keepalive 8; } Different Weights weight and ip_hash can work together in Nginx 1.3.1+ Wednesday, 24 October 12

Slide 62

Slide 62 text

Cache Wednesday, 24 October 12

Slide 63

Slide 63 text

http { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_cache_path /dev/shm/nginx levels=1:2 keys_zone=my-cache:8m max_size=2g inactive=600m; proxy_temp_path /dev/shm/nginx/tmp; proxy_cache_use_stale updating; server { location / { proxy_pass http://example.net; proxy_cache my-cache; proxy_cache_valid 200 302 60m; proxy_cache_valid 404 1m; } } } Wednesday, 24 October 12

Slide 64

Slide 64 text

Modules Wednesday, 24 October 12

Slide 65

Slide 65 text

cd /path/to/your/nginx/source ./configure --add-module=/usr/local/nginx/mod/headers-more/ make make install How to compile modules into nginx Wednesday, 24 October 12

Slide 66

Slide 66 text

Blue Sky thinking! Wednesday, 24 October 12

Slide 67

Slide 67 text

Memcache Wednesday, 24 October 12

Slide 68

Slide 68 text

Nginx PHP Memcache Wednesday, 24 October 12

Slide 69

Slide 69 text

Nginx PHP Memcache Wednesday, 24 October 12

Slide 70

Slide 70 text

location / { if ($request_method != GET) { rewrite . @fallback last; } # append an extenstion for proper MIME type detection if ($args ~* format=json) { rewrite ^/$uri/?(.*)$ /$uri.json$1 break; } if ($args ~* format=xml) { rewrite ^/$uri/?(.*)$ /$uri.xml$1 break; } if ($args ~* format=html) { default_type text/html; add_header "Content" "text/html; charset=utf8"; charset utf-8; } set $memcached_key nginx_prefix$uri; memcached_pass memcache_backend; error_page 500 404 405 = @fallback; } location @fallback { /* pass to FastCGI */ } Wednesday, 24 October 12

Slide 71

Slide 71 text

MySQL Wednesday, 24 October 12

Slide 72

Slide 72 text

JSON + CSV Output Wednesday, 24 October 12

Slide 73

Slide 73 text

Questions? @h [email protected] Please rate at joind.in/7387 Wednesday, 24 October 12