NI
Uploaded byNGINX, Inc.
1,130 views

NGINX ADC: Basics and Best Practices

The document provides a comprehensive guide on NGINX, detailing its functionalities as a web server, load balancer, reverse proxy, and API gateway, alongside installation, configuration, and monitoring processes. It covers basic and advanced configurations including SSL settings, caching, and load balancing, as well as integration with modern application architectures like Kubernetes and multi-cloud environments. Additionally, it highlights essential commands, directories, and file structures associated with NGINX for effective management and optimization.

Downloaded 117 times
Agenda • Introducing NGINX • ADC Augment and Modernization • Installing NGINX and NGINX Plus • Essential files, commands, and directories • Basic configurations • Advanced configurations • Monitoring and Logging • Summary
nginx.com Introducing Nginx
NGINX is the most used web server on the internet Source: w3techs, May 2019
| ©2019 F5 NETWORKS​7 LOAD BALANCER REVERSE PROXY API GATEWAY CACHE WAF APPLICATION SERVERS WEB SERVER REVERSE PROXY What is NGINX? NGINX ● Basic load balancer ● Reverse Proxy and Web Server ● Content Cache ● SSL termination ● Rate limiting ● Basic authentication NGINX PLUS ● Active health checks ● Session persistence ● DNS service discovery integration ● Cache-purging API ● JWT authentication and OpenID Connect ● Live Activity monitoring (100+ real time metrics) ● Dynamic Modules ● API for Dynamic reconfiguration, Cache-purge, key-value store ● High Availability, Cluster State sync …...much more.
nginx.com ADC Augment and Modernization
10 What’s happening now Traditional Application Infrastructure are being augmented
| ©2019 F5 NETWORKS​9 ADC Augment - key use cases Key use cases ​ADC Augment ​Enhancing existing app environments ​Kubernetes Integration ​Flexible and scalable app services ​ADC for Multi-Cloud ​Scale and Secure Apps across multi-cloud ​API Management ​End-to-end API lifecycle services
11 • Easiest way to introduce NGINX into your network • Hardware layer 4 load balancer to NGINX • Can start small with one application being behind NGINX and then expand Traditional Application Infrastructure are being augmented 1. Augment Traditional Load Balancers
12 • Parallel NGINX deployment • Good architecture if adopting public cloud while still keeping private datacenter • Can also start small with one application being behind NGINX and then expand Offload or Migrate new application workloads 2. NGINX Alongside Hardware ADCs
13 • Load balancer per application • Load balancer per customer for SaaS providers • Configuration stored along with application in GitHub • Fully portable Legacy Hardware ADC replace to a application centric architecture 3. Micro Load Balancers/Gateways
| ©2019 F5 NETWORKS​15 • Alerting • API management • Load balancer management • Configuration analysis • Customizable dashboards • Monitoring Centralized Monitoring and management What is the NGINX Controller?
14 Web Server What is NGINX and NGINX Controller? Nginx and the Nginx Controller NGINX Controller Admin Control Plane Data Plane Policy Application Gateway Web Server Serve content from disk Application Gateway FastCGI, uWSGI, gRPC… Load Balancer / Reverse Proxy Caching, SSL termination…
nginx.com Installing NGINX
● Official NGINX repo ○ Mainline (recommended) - Actively developed; new minor releases made every 4-6 weeks with new features and enhancements. ○ Stable - Updated only when critical issues or security vulnerabilities need to be fixed. ○ NGINX PLUS - receives all new features, once they have been tested and proven in NGINX mainline. Additional enterprise-specific features are included in NGINX Plus. ● OS vendor and other 3rd party repos ○ Not as frequently updated; e.g. Debian Jessie (8.9) has NGINX 1.6.2 ○ Typically built off NGINX mainline branch, sometimes with 3rd party mods ● Compile from source ○ Most difficult.-Download the latest version of the NGINX source code, configure, build and install it. You will have the option of building various Nginx module Nginx Installation Options 17
NGINX Installation: Debian/Ubuntu deb http://nginx.org/packages/mainline/OS/ CODENAME nginx deb-src http://nginx.org/packages/mainline/OS/ CODENAME nginx Create /etc/apt/sources.list.d/nginx.list with the following contents: • OS – ubuntu or debian depending on your distro • CODENAME: - jessie or stretch for debian - trusty, xenial, artful, or bionic for ubuntu $ wget http://nginx.org/keys/nginx_signing.key $ apt-key add nginx_signing.key $ apt-get update $ apt-get install –y nginx $ /etc/init.d/nginx start
NGINX Installation: CentOS/Red Hat [nginx] name=nginx repo baseurl=http://nginx.org/packages/mainline/OS/OSRELEASE/$basearch/ gpgcheck=0 enabled=1 Create /etc/yum.repos.d/nginx.repo with the following contents: • OS -- rhel or centos depending on your distro • OSRELEASE -- 6 or 7 for 6.x or 7.x versions, respectively $ yum –y install nginx $ systemctl enable nginx $ systemctl start nginx $ firewall-cmd --permanent --zone=public --add-port=80/tcp $ firewall-cmd --reload
NGINX Plus Installation • Visit cs.nginx.com/repo_setup • Select OS from drop down list • Instructions similar to OSS installation • Mostly just using a different repo and installing client certificate
Verifying Installation $ nginx -v nginx version: nginx version: nginx/1.15.7 (nginx-plus-r17) $ ps -ef | grep nginx root 1088 1 0 19:59 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf nginx 1092 1088 0 19:59 ? 00:00:00 nginx: worker process
MORE INFORMATION AT NGINX.COM Verifying Installation
NGINX Installation Misc • For more installation details: http://nginx.org/en/linux_packages.html - List of all supported distros and CPUs • For NGINX Plus, see: https://cs.nginx.com/repo_setup - List of all supported distros and CPUs, including FreeBSD
nginx.com Essential files, commands and directories
MORE INFORMATION AT NGINX.COM Key NGINX Commands nginx -h Shows all command line options nginx -t Configuration syntax check nginx -T Displays full, concatenated configuration nginx -V Shows version and build details nginx –s reload Gracefully reload NGINX processes $ sudo nginx –t && sudo nginx –s reload nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful $ sudo nginx -T > nginx_support_mm-dd-yy.txt
MORE INFORMATION AT NGINX.COM Key System Commands ps aux | grep nginx To check running processes ps -ef --forest | grep nginx To check running processes (Show Process Hierarchy in Forest Format) service nginx status systemctl status nginx Show Nginx Status netstat -tulpn Information and statistics about protocols in use and current TCP/IP network connections. sudo lsof -i -P -n Check the listening ports and applications on linux # Path to executable path $ /usr/sbin/nginx # Default Log Path $ /var/log/nginx
Key Files and Directories ● /etc/nginx/ # Where all NGINX configuration is stored ● /etc/nginx/nginx.conf # Top-level NGINX configuration, should not require much modification ● /etc/nginx/conf.d/*.conf # Where your HTTP/S configuration for virtual servers and upstreams goes, e.g. www.example.com.conf ● /etc/nginx/stream.d/*.conf # Where your TCP/UDP Streams for virtual servers and upstreams goes, e.g. DNS_53.conf ● /var/log/nginx/access.log # Details about requests and responses ● /var/log/nginx/error.log # Details about NGINX errors 27
server { listen <parameters>; location <url> { ---------------- } } upstream { ------------------- } server { listen <parameters>; location <url> { ---------------- } } upstream { ------------------- } Key Files and Directories /etc/nginx/ #global settings here http { # HTTP global settings here include conf.d/*.conf; } Global settings (tunings, logs, etc) HTTP block nginx.conf example.com.conf server { listen <parameters>; location <url> { ---------------- } } upstream { ------------------- } /etc/nginx/conf.d/ Listen for requests Rules to handle each request Optional: upstreams configurations in same file, something.com.conf.disabled Not loaded
nginx.com Basic configurations
Simple Virtual Server server { listen 80 default_server; server_name www.example.com; # ... } • server defines the context for a virtual server • listen specifies IP/port NGINX should listen on. No IP means bind to all IPs on system • server_name specifies hostname of virtual server
Basic Web Server Configuration server { listen 80 default_server; server_name www.example.com; location / { root /usr/share/nginx/html; index index.html index.htm; } } • www.example.com maps to /usr/share/nginx/html/index.html (then index.htm) • www.example.com/i/file.txt -> /usr/share/nginx/html/i/file.txt • root specifies directory where files are stored • index defines files that will be used as an index
Multiplexing Multiple Sites on One IP server { listen 80 default_server; server_name www.example.com; # ... } server { listen 80; server_name www.example2.com; # ... } server { listen 80; server_name www.example3.com; # ... } • NGINX can multiplex a single IP/port using the Host: header. • default_server defines the virtual server to use if Host header is empty. It is best practice to have a default_server.
Basic SSL Configuration server { listen 80 default_server; server_name www.example.com; return 301 https://$server_name$request_uri; } server { listen 443 ssl default_server; server_name www.example.com; ssl_certificate cert.crt; ssl_certificate_key cert.key; ssl_ciphers HIGH; location / { root /usr/share/nginx/html; index index.html index.htm; } } • Force all traffic to SSL is good for security, customer trust and SEO • Use Let’s Encrypt to get free SSL certificates • Use Mozilla SSL Configuration Generator to generate recommended nginx SSL configurations: https://mozilla.github.io/se rver-side-tls/ssl-config- generator/
Basic HTTP/2 Configuration server { listen 443 ssl http2 default_server; server_name www.example.com; ssl_certificate cert.crt; ssl_certificate_key cert.key; } • HTTP/2 improves performance with little to no backend changes • Add http2 parameter to listen directive of existing SSL-enabled virtual server. HTTP/2 is only supported with SSL in all browsers. • NGINX only does HTTP/2 client side, server side is still HTTP/1.1. gRPC is a special case. • Note: HTTP/2 requires OpenSSL 1.0.2 or later to work properly
Basic Reverse Proxy Configuration server { location ~ ^(.+.php)(.*)$ { fastcgi_split_path_info ^(.+.php)(.*)$; # fastcgi_pass 127.0.0.1:9000; fastcgi_pass unix:/var/run/php7.0-fpm.sock; fastcgi_index index.php; include fastcgi_params; } } • Requires PHP FPM: apt-get install –y php7.0-fpm • Can also use PHP 5 • Similar directives available for uWSGI and SCGI. • Additional PHP FPM configuration may be required
Basic Load Balancing Configuration upstream my_upstream { server server1.example.com:80; server server2.example.com:80; least_conn; } server { location / { proxy_set_header Host $host; proxy_pass http://my_upstream; } } • upstream defines the load balancing pool • Default load balancing algorithm is round robin. Others available: • least_conn selects server with least amount of active connections • least_time factors in connection count and server response time. Available in NGINX Plus only. • proxy_pass links virtual server to upstream • By default NGINX rewrites Host header to name and port of proxied server. proxy_set_header overrides and passes through original client Host header.
Layer 7 Request Routing server { # ... location /service1 { proxy_pass http://upstream1; } location /service2 { proxy_pass http://upstream2; } location /service3 { proxy_pass http://upstream3; } } • location blocks are used to do Layer 7 routing based on URL • Regex matching can also be used in location blocks
Basic Caching Configuration proxy_cache_path /path/to/cache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m use_temp_path=off; server { location / { proxy_cache my_cache; # proxy_cache_valid 5m; proxy_set_header Host $host; proxy_pass http://my_upstream; } } • proxy_cache_path defines the parameters of the cache. • keys_zone defines the size of memory to store cache keys in. A 1 MB zone can store data for about 8,000 keys. • max_size sets upper limit of cache size. Optional. • inactive defines how long an object can stay in cache without being accessed. Default is 10 m. • proxy_cache enables caching for the context it is in
nginx.com Advanced configurations
Modifications to main nginx.conf user nginx; worker_processes auto; # ... http { # ... keepalive_timeout 300s; keepalive_requests 100000; } • Set in main nginx.conf file • Default value for worker_processes varies on system and installation source • auto means to create one worker process per core. This is recommended for most deployments. • keepalive_timeout controls how long to keep idle connections to clients open. Default: 75s • keeplive_requests Max requests on a single client connection before its closed.Default: 100 • keepalive_* can also be set per virtual server
HTTP/1.1 Keepalive to Upstreams upstream my_upstream { server server1.example.com; keepalive 32; } server { location / { proxy_set_header Host $host; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_pass http://my_upstream; } } • keepalive enables TCP connection cache • By default NGINX uses HTTP/1.0 with Connection: Close • proxy_http_version upgrades connection to HTTP/1.1 • proxy_set_header enables keepalive by clearing Connection: Close HTTP header
SSL Session Caching server { listen 443 ssl default_server; server_name www.example.com; ssl_certificate cert.crt; ssl_certificate_key cert.key; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; } • Improves SSL/TLS performance • 1 MB session cache can store about 4,000 sessions • Cache shared across all NGINX workers
Advanced Caching Configuration proxy_cache_path /path/to/cache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m use_temp_path=off; server { location / { proxy_cache my_cache; proxy_cache_lock on; proxy_cache_revalidate on; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_background_update on; proxy_set_header Host $host; proxy_pass http://my_upstream; } } • proxy_cache_lock instructs NGINX to only send one request to the upstream when there are multiple cache misses for the same file. • proxy_cache_revalidate instructs NGINX to use If-Modified-Since when refreshing cache. • proxy_cache_use_stale instructs NGINX to serve stale content instead of an error. • proxy_cache_background_update instructs NGINX to do all cache updates in the background. Combined with proxy_cache_use_stale updating, stale content will be served.
gRPC Proxying with SSL Termination server { listen 443 ssl http2; ssl_certificate server.crt; ssl_certificate_key server.key; location / { grpc_pass grpc://localhost:50051; } } • Configure SSL and HTTP/2 as usual • Go sample application needs to modified to point to NGINX IP Address and port.
d Active Health Checks upstream my_upstream { zone my_upstream 64k; server server1.example.com slow_start=30s; server server2.example.com slow_start=30s; } server { # ... location @health { internal; health_check interval=5s uri=/test match=statusok; proxy_set_header HOST www.example.com; proxy_pass http://my_upstream; } match statusok { # Used for /test.php health check status 200; header Content-Type = text/html; body ~ "i’m is alive"; } • Polls /test every 5 seconds • If response is not 200, server marked as failed • If response body does not contain “I’m alive”, server marked as failed • Recovered/new servers will slowly ramp up traffic over 30 seconds • Exclusive to NGINX Plus
Sticky Cookie Session Persistence upstream my_upstream { server server1.example.com; server server2.example.com; sticky cookie name expires=1h domain=.example.com path=/; } • NGINX will insert a cookie using the specified name • expires defines how long the cookie is valid for. The default is for the cookie to expire at the end of the browser session. • domain specifies the domain the cookie is valid for. If not specified, domain field of cookie is left blank • path specifies the path the cookie is set for. If not specified, path field of cookie is left blank • Exclusive to NGINX Plus
nginx.com Monitoring and Logging
MORE INFORMATION AT NGINX.COM NGINX Access Logs 192.168.179.1 - - [15/May/2017:16:36:25 -0700] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "-" 192.168.179.1 - - [15/May/2017:16:36:26 -0700] "GET /favicon.ico HTTP/1.1" 404 571 "http://fmemon-redhat.local/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "-" 192.168.179.1 - - [15/May/2017:16:36:31 -0700] "GET /basic_status HTTP/1.1" 200 100 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "-" ● Enabled by default. Can be disabled with the access_log off directive. ● Nginx uses the combined log format (also used by Apache) and includes IP address, date, request , referrer, user agent, etc. You can add additional NGINX variables, e.g. timing and a Log format configurable with the log_format directive ● Can enable access logs at a virtual server scope access_log /var/log/nginx/access.log;
MORE INFORMATION AT NGINX.COM NGINX Error Logs 2018/03/22 11:29:08 [error] 12696#12696: upstream timed out (110: Connection timed out) while connecting to upstream, health check "" of peer 10.70.88.24:8832 in upstream "Dev.InternalApi" 2018/03/22 11:29:23 [error] 12696#12696: upstream timed out (110: Connection timed out) while connecting to upstream, health check "" of peer 10.70.88.15:8832 in upstream "Dev.InternalApi" 2018/03/23 15:25:35 [error] 19997#0: *1 open() "/var/www/nginx-default/phpmy-admin/scripts/setup.php" failed (2: No such file or directory), client: 80.154.42.54, server: localhost, request: "GET /phpmy-admin/scripts/setup.php HTTP/1.1", host: "www.example.com" • Enabled by default. Can be disabled with the error_log off directive. • Can enable access logs at a virtual server scope • Log to file, stderr, syslog or memory • Option to log for selected clients error_log /var/log/nginx/error.log [level];
MORE INFORMATION AT NGINX.COM Error Log Levels debug Detailed Trace info General Info notice Something Normal warn Something Strange error Unsuccessful crit Important Issue(s) alert Fix Now! emerg Unusable error_log /var/log/nginx/error.log [level];
MORE INFORMATION AT NGINX.COM Extra examples log_format simple escape=json '{"timestamp":"$time_iso8601","client":"$remote_addr","uri":"$uri","status":"$status"}'; server { server_name www.example.com; access_log /var/log/nginx/example.log simple; error_log syslog:server=192.168.1.1 debug; } server { server_name www.example2.com; map $status $condition { ~^[23] 0; default 1; } access_log /var/log/nginx/example2.log simple custom if=$condition; error_log /var/log/nginx/example2_error.log info; }
MORE INFORMATION AT NGINX.COM Example log parsing commands: tail -f 10 error.log Tail error logs (last 10 lines) tail -f 10 access.log | grep 127.0.0.1 Tail and grep (filter) access logs cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn Sort access by Response Codes awk '($9 ~ /404/)' access.log | awk '{print $7}' | sort | uniq -c | sort -rn Which links are broken (HTTP 404)? awk -F" '{print $2}' access.log | awk '{print $2}' | sort | uniq -c | sort -r What are my most requested links?
MORE INFORMATION AT NGINX.COM NGINX Stub Status Module server { location /basic_status { stub_status; } } • Provides aggregated NGINX statistics • Restrict access so it’s not publicly visible $ curl http://127.0.0.1/basic_status Active connections: 1 server accepts handled requests 7 7 7 Reading: 0 Writing: 1 Waiting: 0
MORE INFORMATION AT NGINX.COM NGINX Plus Extended Status Module • Provides detailed NGINX Plus statistics • Over 100+ additional metrics • Monitoring GUI also available; see demo.nginx.com • Exclusive to NGINX Plus upstream my_upstream { #... zone my_upstream 64k; } server { #... status_zone my_virtual_server; }
MORE INFORMATION AT NGINX.COM ● Over 0 metrics compared to open source NGINX ● Per virtual server and per backend server statistics ● JSON output to export to your favorite monitoring tool ● See demo.nginx.com for live demo "nginx_build": "nginx-plus-r12-p2", "nginx_version": "1.11.10", "pid": 98240, "ppid": 50622, "processes": { "respawned": 0 }, "requests": { "current": 1, "total": 9915307 }, "server_zones": { "hg.nginx.org": { "discarded": 9150, "processing": 0, "received": 146131844, "requests": 597471, "responses": { "1xx": 0, "2xx": 561986, "3xx": 12839, "4xx": 7081, "5xx": 6415, "total": 588321 }, "sent": 14036626711 }, NGINX Plus Dashboard
MORE INFORMATION AT NGINX.COM NGINX Controller
nginx.com Summary
Summary ● It is recommended to use the NGINX mainline branch for most deployments ● All configuration should go into separate files in /etc/nginx/conf.d/*.conf ● Forcing all traffic to SSL improves security and improves search rankings ● Keepalive connections improve performance by reusing TCP connections ● SSL session caching and HTTP/2 improve SSL performance ● NGINX status module and logging capability provide visibility ● NGINX Plus is recommended for all production, load balancing, API gateway deployements Try NGINX Plus for free at nginx.com/free-trial-request
Q & ATry NGINX Plus free for 30 days: nginx.com/free-trial-request
MORE INFORMATION AT NGINX.COM FAQs ● Is NGINX Plus a software package or a “virtual appliance” (an image of a virtual machine for ESX/Xen/etc.) ● What kind of 3rd party software is bundled along with NGINX Plus? ● Does NGINX Plus gather user details or installation details, or phone home? ● Can we leave everything as-is after we successfully do a trial of NGINX Plus and have purchased subscriptions, or will we need to re-install/re-deploy NGINX Plus? ● What happens when my NGINX Plus subscription expires?

More Related Content

PPTX
NGINX: Basics and Best Practices
byNGINX, Inc.
 
PPTX
NGINX: Basics & Best Practices - EMEA Broadcast
byNGINX, Inc.
 
PPTX
NGINX Installation and Tuning
byNGINX, Inc.
 
PPTX
High Availability Content Caching with NGINX
byNGINX, Inc.
 
PPTX
Learn nginx in 90mins
byLarry Cai
 
PPTX
NGINX: High Performance Load Balancing
byNGINX, Inc.
 
PDF
Nginx dhruba mandal
byDhrubaji Mandal ♛
 
PPTX
Introduction to NGINX web server
byMd Waresul Islam
 
NGINX: Basics and Best Practices
byNGINX, Inc.
 
NGINX: Basics & Best Practices - EMEA Broadcast
byNGINX, Inc.
 
NGINX Installation and Tuning
byNGINX, Inc.
 
High Availability Content Caching with NGINX
byNGINX, Inc.
 
Learn nginx in 90mins
byLarry Cai
 
NGINX: High Performance Load Balancing
byNGINX, Inc.
 
Nginx dhruba mandal
byDhrubaji Mandal ♛
 
Introduction to NGINX web server
byMd Waresul Islam
 

What's hot

PDF
NGINX: Basics and Best Practices EMEA
byNGINX, Inc.
 
ODP
Introduction to Nginx
byKnoldus Inc.
 
PPTX
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
byAmit Aggarwal
 
PPTX
Nginx
byGeeta Vinnakota
 
PPTX
5 things you didn't know nginx could do
bysarahnovotny
 
PPTX
Nginx
byDhrubaji Mandal ♛
 
PDF
Using NGINX as an Effective and Highly Available Content Cache
byKevin Jones
 
PDF
Nginx Essential
byGong Haibing
 
PDF
IT Automation with Ansible
byRayed Alrashed
 
PDF
VM Autoscaling With CloudStack VR As Network Provider
byShapeBlue
 
PPTX
암호화 이것만 알면 된다.
byKwangSeob Jeong
 
PPTX
Load Balancing and Scaling with NGINX
byNGINX, Inc.
 
PDF
[OpenInfra Days Korea 2018] (Track 2) Neutron LBaaS 어디까지 왔니? - Octavia 소개
byOpenStack Korea Community
 
PDF
스프링 시큐리티 구조 이해
bybeom kyun choi
 
PDF
Introduction to container based virtualization with docker
byBangladesh Network Operators Group
 
PPTX
ProxySQL for MySQL
byMydbops
 
PDF
Percona XtraDB Cluster ( Ensure high Availability )
byMydbops
 
PDF
An introduction to SSH
bynussbauml
 
PPTX
NMAP
byPrateekAryan1
 
PPT
Introduction to SSH
byHemant Shah
 
NGINX: Basics and Best Practices EMEA
byNGINX, Inc.
 
Introduction to Nginx
byKnoldus Inc.
 
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
byAmit Aggarwal
 
Nginx
byGeeta Vinnakota
 
5 things you didn't know nginx could do
bysarahnovotny
 
Nginx
byDhrubaji Mandal ♛
 
Using NGINX as an Effective and Highly Available Content Cache
byKevin Jones
 
Nginx Essential
byGong Haibing
 
IT Automation with Ansible
byRayed Alrashed
 
VM Autoscaling With CloudStack VR As Network Provider
byShapeBlue
 
암호화 이것만 알면 된다.
byKwangSeob Jeong
 
Load Balancing and Scaling with NGINX
byNGINX, Inc.
 
[OpenInfra Days Korea 2018] (Track 2) Neutron LBaaS 어디까지 왔니? - Octavia 소개
byOpenStack Korea Community
 
스프링 시큐리티 구조 이해
bybeom kyun choi
 
Introduction to container based virtualization with docker
byBangladesh Network Operators Group
 
ProxySQL for MySQL
byMydbops
 
Percona XtraDB Cluster ( Ensure high Availability )
byMydbops
 
An introduction to SSH
bynussbauml
 
NMAP
byPrateekAryan1
 
Introduction to SSH
byHemant Shah
 

Similar to NGINX ADC: Basics and Best Practices

PDF
How to Get Started With NGINX
byNGINX, Inc.
 
PDF
Complete-NGINX-Cookbook-2019.pdf
byTomaszWojciechowski22
 
PPTX
NGINX: High Performance Load Balancing
byNGINX, Inc.
 
PPTX
5 things you didn't know nginx could do velocity
bysarahnovotny
 
PPTX
Basics of NGINX
bySquash Apps Pvt Ltd
 
PPTX
NGINX Basics and Best Practices Workshop
byNGINX, Inc.
 
PPTX
NGINX: Back to Basics – APCJ
byNGINX, Inc.
 
PDF
Install nginx on ubuntu 21.04 server
byLinuxConcept
 
PPTX
NGINX Basics: Ask Me Anything – EMEA
byNGINX, Inc.
 
PPTX
Load Balancing Container with Nginx
byKumar Mayank
 
PDF
NginX - good practices, tips and advanced techniques
byClaudio Borges
 
PDF
NGINX ADC: Basics and Best Practices – EMEA
byNGINX, Inc.
 
PDF
ITB2019 NGINX Overview and Technical Aspects - Kevin Jones
byOrtus Solutions, Corp
 
PDF
Nginx
byShaopeng He
 
PDF
Стажировка 2015. Разработка. Занятие 5. Использование nginx
by7bits
 
PPTX
NGINX 101 - now with more Docker
bySarah Novotny
 
PPTX
NGINX 101 - now with more Docker
bysarahnovotny
 
PPTX
What's New in NGINX Plus R7?
byNGINX, Inc.
 
PDF
NGINX: The Past, Present and Future of the Modern Web
byKevin Jones
 
PDF
ITB2017 - Nginx ppf intothebox_2017
byOrtus Solutions, Corp
 
How to Get Started With NGINX
byNGINX, Inc.
 
Complete-NGINX-Cookbook-2019.pdf
byTomaszWojciechowski22
 
NGINX: High Performance Load Balancing
byNGINX, Inc.
 
5 things you didn't know nginx could do velocity
bysarahnovotny
 
Basics of NGINX
bySquash Apps Pvt Ltd
 
NGINX Basics and Best Practices Workshop
byNGINX, Inc.
 
NGINX: Back to Basics – APCJ
byNGINX, Inc.
 
Install nginx on ubuntu 21.04 server
byLinuxConcept
 
NGINX Basics: Ask Me Anything – EMEA
byNGINX, Inc.
 
Load Balancing Container with Nginx
byKumar Mayank
 
NginX - good practices, tips and advanced techniques
byClaudio Borges
 
NGINX ADC: Basics and Best Practices – EMEA
byNGINX, Inc.
 
ITB2019 NGINX Overview and Technical Aspects - Kevin Jones
byOrtus Solutions, Corp
 
Nginx
byShaopeng He
 
Стажировка 2015. Разработка. Занятие 5. Использование nginx
by7bits
 
NGINX 101 - now with more Docker
bySarah Novotny
 
NGINX 101 - now with more Docker
bysarahnovotny
 
What's New in NGINX Plus R7?
byNGINX, Inc.
 
NGINX: The Past, Present and Future of the Modern Web
byKevin Jones
 
ITB2017 - Nginx ppf intothebox_2017
byOrtus Solutions, Corp
 

More from NGINX, Inc.

PDF
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
byNGINX, Inc.
 
PPTX
Get Hands-On with NGINX and QUIC+HTTP/3
byNGINX, Inc.
 
PPTX
Installing and Configuring NGINX Open Source
byNGINX, Inc.
 
PPTX
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
byNGINX, Inc.
 
PDF
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
byNGINX, Inc.
 
PDF
Manage Microservices Chaos and Complexity with Observability
byNGINX, Inc.
 
PDF
Accelerate Microservices Deployments with Automation
byNGINX, Inc.
 
PDF
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
byNGINX, Inc.
 
PDF
Unit 2: Microservices Secrets Management 101
byNGINX, Inc.
 
PPTX
Managing Kubernetes Cost and Performance with NGINX & Kubecost
byNGINX, Inc.
 
PDF
Easily View, Manage, and Scale Your App Security with F5 NGINX
byNGINX, Inc.
 
PPTX
Protecting Apps from Hacks in Kubernetes with NGINX
byNGINX, Inc.
 
PDF
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
byNGINX, Inc.
 
PDF
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
byNGINX, Inc.
 
PDF
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
byNGINX, Inc.
 
PDF
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
byNGINX, Inc.
 
PPTX
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
byNGINX, Inc.
 
PPTX
NGINX Kubernetes API
byNGINX, Inc.
 
PPTX
Shift Left for More Secure Apps with F5 NGINX
byNGINX, Inc.
 
PPTX
Successfully Implement Your API Strategy with NGINX
byNGINX, Inc.
 
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
byNGINX, Inc.
 
Get Hands-On with NGINX and QUIC+HTTP/3
byNGINX, Inc.
 
Installing and Configuring NGINX Open Source
byNGINX, Inc.
 
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
byNGINX, Inc.
 
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
byNGINX, Inc.
 
Manage Microservices Chaos and Complexity with Observability
byNGINX, Inc.
 
Accelerate Microservices Deployments with Automation
byNGINX, Inc.
 
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
byNGINX, Inc.
 
Unit 2: Microservices Secrets Management 101
byNGINX, Inc.
 
Managing Kubernetes Cost and Performance with NGINX & Kubecost
byNGINX, Inc.
 
Easily View, Manage, and Scale Your App Security with F5 NGINX
byNGINX, Inc.
 
Protecting Apps from Hacks in Kubernetes with NGINX
byNGINX, Inc.
 
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
byNGINX, Inc.
 
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
byNGINX, Inc.
 
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
byNGINX, Inc.
 
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
byNGINX, Inc.
 
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
byNGINX, Inc.
 
NGINX Kubernetes API
byNGINX, Inc.
 
Shift Left for More Secure Apps with F5 NGINX
byNGINX, Inc.
 
Successfully Implement Your API Strategy with NGINX
byNGINX, Inc.
 

Recently uploaded

PDF
Comprehensive Logging with mORMot 2 on Delphi and FPC
byArnaud Bouchez
 
PDF
Alluxio Webinar | Alluxio + S3 A Tiered Architecture for Latency-Critical, Se...
byAlluxio, Inc.
 
PDF
Test Driven Development with mORMot 2 with Delphi and FPC
byArnaud Bouchez
 
PDF
SoftCorePC Full Updated Software Link Here
bySoftCore
 
PPTX
Building smarter with AI - From Idea to Market at Warp Speed
byLuca Grulla
 
PPTX
Trailblazer Community Session - Patterns & Anti-Patterns_ The Good, The Bad, ...
bymansoorahmad941764
 
PDF
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
PDF
Insurance Underwriting Software for Smarter Operations
byInsurance Tech Services
 
PPTX
Best Stepwise Approach to Scrape IMDb Data Effectively.pptx
byArcTechnolbs
 
PPTX
Empower Your Business with Busy Software from MovingCloud360.pptx
byMoving Cloud
 
PPTX
LLM_Evaluation_Frameworks_Comparison.pptx
bymdqansari1
 
PDF
Claims Software Features That Improve Accuracy & Efficiency
byDataGenix
 
DOCX
A A Comprehensive Guide on Unicode Text Converter
byJosh Bell
 
PDF
AI and Generative AI: Dual-Use Risks and Autonomous Threats.pdf
byCyberneticGI
 
PDF
VADY GenAI Dashboards: From KPIs to Executive-Ready Decisions in Seconds
byNewFangledVision
 
PPTX
LangSmith_and_LLM_Evaluation_Session 1.pptx
bymdqansari1
 
PPTX
Digital Twins for RolandRust U Maryland 20251030 v14.pptx
byhome
 
PDF
Evolution and Examples of Java Features, from Java 1.7 to Java 25
byYann-Gaël Guéhéneuc
 
PDF
Chpetwr two Health Survey for - (2).pdf
byAhmedAlhadiAbduselam
 
PPTX
Classify and visualize Jira work to stay focused and foster innovation - Work...
byWork Type Focus
 
Comprehensive Logging with mORMot 2 on Delphi and FPC
byArnaud Bouchez
 
Alluxio Webinar | Alluxio + S3 A Tiered Architecture for Latency-Critical, Se...
byAlluxio, Inc.
 
Test Driven Development with mORMot 2 with Delphi and FPC
byArnaud Bouchez
 
SoftCorePC Full Updated Software Link Here
bySoftCore
 
Building smarter with AI - From Idea to Market at Warp Speed
byLuca Grulla
 
Trailblazer Community Session - Patterns & Anti-Patterns_ The Good, The Bad, ...
bymansoorahmad941764
 
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
Insurance Underwriting Software for Smarter Operations
byInsurance Tech Services
 
Best Stepwise Approach to Scrape IMDb Data Effectively.pptx
byArcTechnolbs
 
Empower Your Business with Busy Software from MovingCloud360.pptx
byMoving Cloud
 
LLM_Evaluation_Frameworks_Comparison.pptx
bymdqansari1
 
Claims Software Features That Improve Accuracy & Efficiency
byDataGenix
 
A A Comprehensive Guide on Unicode Text Converter
byJosh Bell
 
AI and Generative AI: Dual-Use Risks and Autonomous Threats.pdf
byCyberneticGI
 
VADY GenAI Dashboards: From KPIs to Executive-Ready Decisions in Seconds
byNewFangledVision
 
LangSmith_and_LLM_Evaluation_Session 1.pptx
bymdqansari1
 
Digital Twins for RolandRust U Maryland 20251030 v14.pptx
byhome
 
Evolution and Examples of Java Features, from Java 1.7 to Java 25
byYann-Gaël Guéhéneuc
 
Chpetwr two Health Survey for - (2).pdf
byAhmedAlhadiAbduselam
 
Classify and visualize Jira work to stay focused and foster innovation - Work...
byWork Type Focus
 
In this document
Powered by AI

Introduces NGINX as a leading web server, its functionalities like load balancing, reverse proxy, and features of NGINX Plus.

Discusses augmenting traditional infrastructure with NGINX, addressing Kubernetes integration, multi-cloud support, and API management.

Covers installation methods for different systems including Debian/Ubuntu, CentOS/Red Hat, and verifying installation.

Details essential commands, key files, and directories relevant to NGINX configuration and management.

Explains fundamental configurations like server directives, SSL, HTTP/2, load balancing, and caching setups.

Focuses on advanced configurations including keepalive settings, SSL caching, active health checks, and session persistence.

Explores NGINX monitoring and logging capabilities, including access and error logs, status modules, and NGINX Plus features.

Summarizes NGINX deployment best practices, configuration management, traffic SSL enforcement, and emphasizes NGINX Plus advantages.

Addresses common questions regarding NGINX Plus, installation, subscriptions, and user data collection.

NGINX ADC: Basics and Best Practices

  • 2.
    Agenda • Introducing NGINX •ADC Augment and Modernization • Installing NGINX and NGINX Plus • Essential files, commands, and directories • Basic configurations • Advanced configurations • Monitoring and Logging • Summary
  • 3.
  • 4.
    NGINX is the mostused web server on the internet Source: w3techs, May 2019
  • 5.
    | ©2019 F5NETWORKS​7 LOAD BALANCER REVERSE PROXY API GATEWAY CACHE WAF APPLICATION SERVERS WEB SERVER REVERSE PROXY What is NGINX? NGINX ● Basic load balancer ● Reverse Proxy and Web Server ● Content Cache ● SSL termination ● Rate limiting ● Basic authentication NGINX PLUS ● Active health checks ● Session persistence ● DNS service discovery integration ● Cache-purging API ● JWT authentication and OpenID Connect ● Live Activity monitoring (100+ real time metrics) ● Dynamic Modules ● API for Dynamic reconfiguration, Cache-purge, key-value store ● High Availability, Cluster State sync …...much more.
  • 6.
  • 7.
    10 What’s happening now TraditionalApplication Infrastructure are being augmented
  • 8.
    | ©2019 F5NETWORKS​9 ADC Augment - key use cases Key use cases ​ADC Augment ​Enhancing existing app environments ​Kubernetes Integration ​Flexible and scalable app services ​ADC for Multi-Cloud ​Scale and Secure Apps across multi-cloud ​API Management ​End-to-end API lifecycle services
  • 9.
    11 • Easiest wayto introduce NGINX into your network • Hardware layer 4 load balancer to NGINX • Can start small with one application being behind NGINX and then expand Traditional Application Infrastructure are being augmented 1. Augment Traditional Load Balancers
  • 10.
    12 • Parallel NGINXdeployment • Good architecture if adopting public cloud while still keeping private datacenter • Can also start small with one application being behind NGINX and then expand Offload or Migrate new application workloads 2. NGINX Alongside Hardware ADCs
  • 11.
    13 • Load balancerper application • Load balancer per customer for SaaS providers • Configuration stored along with application in GitHub • Fully portable Legacy Hardware ADC replace to a application centric architecture 3. Micro Load Balancers/Gateways
  • 12.
    | ©2019 F5NETWORKS​15 • Alerting • API management • Load balancer management • Configuration analysis • Customizable dashboards • Monitoring Centralized Monitoring and management What is the NGINX Controller?
  • 13.
    14 Web Server What isNGINX and NGINX Controller? Nginx and the Nginx Controller NGINX Controller Admin Control Plane Data Plane Policy Application Gateway Web Server Serve content from disk Application Gateway FastCGI, uWSGI, gRPC… Load Balancer / Reverse Proxy Caching, SSL termination…
  • 14.
  • 15.
    ● Official NGINXrepo ○ Mainline (recommended) - Actively developed; new minor releases made every 4-6 weeks with new features and enhancements. ○ Stable - Updated only when critical issues or security vulnerabilities need to be fixed. ○ NGINX PLUS - receives all new features, once they have been tested and proven in NGINX mainline. Additional enterprise-specific features are included in NGINX Plus. ● OS vendor and other 3rd party repos ○ Not as frequently updated; e.g. Debian Jessie (8.9) has NGINX 1.6.2 ○ Typically built off NGINX mainline branch, sometimes with 3rd party mods ● Compile from source ○ Most difficult.-Download the latest version of the NGINX source code, configure, build and install it. You will have the option of building various Nginx module Nginx Installation Options 17
  • 16.
    NGINX Installation: Debian/Ubuntu debhttp://nginx.org/packages/mainline/OS/ CODENAME nginx deb-src http://nginx.org/packages/mainline/OS/ CODENAME nginx Create /etc/apt/sources.list.d/nginx.list with the following contents: • OS – ubuntu or debian depending on your distro • CODENAME: - jessie or stretch for debian - trusty, xenial, artful, or bionic for ubuntu $ wget http://nginx.org/keys/nginx_signing.key $ apt-key add nginx_signing.key $ apt-get update $ apt-get install –y nginx $ /etc/init.d/nginx start
  • 17.
    NGINX Installation: CentOS/RedHat [nginx] name=nginx repo baseurl=http://nginx.org/packages/mainline/OS/OSRELEASE/$basearch/ gpgcheck=0 enabled=1 Create /etc/yum.repos.d/nginx.repo with the following contents: • OS -- rhel or centos depending on your distro • OSRELEASE -- 6 or 7 for 6.x or 7.x versions, respectively $ yum –y install nginx $ systemctl enable nginx $ systemctl start nginx $ firewall-cmd --permanent --zone=public --add-port=80/tcp $ firewall-cmd --reload
  • 18.
    NGINX Plus Installation •Visit cs.nginx.com/repo_setup • Select OS from drop down list • Instructions similar to OSS installation • Mostly just using a different repo and installing client certificate
  • 19.
    Verifying Installation $ nginx-v nginx version: nginx version: nginx/1.15.7 (nginx-plus-r17) $ ps -ef | grep nginx root 1088 1 0 19:59 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf nginx 1092 1088 0 19:59 ? 00:00:00 nginx: worker process
  • 20.
  • 21.
    NGINX Installation Misc •For more installation details: http://nginx.org/en/linux_packages.html - List of all supported distros and CPUs • For NGINX Plus, see: https://cs.nginx.com/repo_setup - List of all supported distros and CPUs, including FreeBSD
  • 22.
  • 23.
    MORE INFORMATION AT NGINX.COM KeyNGINX Commands nginx -h Shows all command line options nginx -t Configuration syntax check nginx -T Displays full, concatenated configuration nginx -V Shows version and build details nginx –s reload Gracefully reload NGINX processes $ sudo nginx –t && sudo nginx –s reload nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful $ sudo nginx -T > nginx_support_mm-dd-yy.txt
  • 24.
    MORE INFORMATION AT NGINX.COM KeySystem Commands ps aux | grep nginx To check running processes ps -ef --forest | grep nginx To check running processes (Show Process Hierarchy in Forest Format) service nginx status systemctl status nginx Show Nginx Status netstat -tulpn Information and statistics about protocols in use and current TCP/IP network connections. sudo lsof -i -P -n Check the listening ports and applications on linux # Path to executable path $ /usr/sbin/nginx # Default Log Path $ /var/log/nginx
  • 25.
    Key Files andDirectories ● /etc/nginx/ # Where all NGINX configuration is stored ● /etc/nginx/nginx.conf # Top-level NGINX configuration, should not require much modification ● /etc/nginx/conf.d/*.conf # Where your HTTP/S configuration for virtual servers and upstreams goes, e.g. www.example.com.conf ● /etc/nginx/stream.d/*.conf # Where your TCP/UDP Streams for virtual servers and upstreams goes, e.g. DNS_53.conf ● /var/log/nginx/access.log # Details about requests and responses ● /var/log/nginx/error.log # Details about NGINX errors 27
  • 26.
    server { listen <parameters>; location<url> { ---------------- } } upstream { ------------------- } server { listen <parameters>; location <url> { ---------------- } } upstream { ------------------- } Key Files and Directories /etc/nginx/ #global settings here http { # HTTP global settings here include conf.d/*.conf; } Global settings (tunings, logs, etc) HTTP block nginx.conf example.com.conf server { listen <parameters>; location <url> { ---------------- } } upstream { ------------------- } /etc/nginx/conf.d/ Listen for requests Rules to handle each request Optional: upstreams configurations in same file, something.com.conf.disabled Not loaded
  • 27.
  • 28.
    Simple Virtual Server server{ listen 80 default_server; server_name www.example.com; # ... } • server defines the context for a virtual server • listen specifies IP/port NGINX should listen on. No IP means bind to all IPs on system • server_name specifies hostname of virtual server
  • 29.
    Basic Web ServerConfiguration server { listen 80 default_server; server_name www.example.com; location / { root /usr/share/nginx/html; index index.html index.htm; } } • www.example.com maps to /usr/share/nginx/html/index.html (then index.htm) • www.example.com/i/file.txt -> /usr/share/nginx/html/i/file.txt • root specifies directory where files are stored • index defines files that will be used as an index
  • 30.
    Multiplexing Multiple Siteson One IP server { listen 80 default_server; server_name www.example.com; # ... } server { listen 80; server_name www.example2.com; # ... } server { listen 80; server_name www.example3.com; # ... } • NGINX can multiplex a single IP/port using the Host: header. • default_server defines the virtual server to use if Host header is empty. It is best practice to have a default_server.
  • 31.
    Basic SSL Configuration server{ listen 80 default_server; server_name www.example.com; return 301 https://$server_name$request_uri; } server { listen 443 ssl default_server; server_name www.example.com; ssl_certificate cert.crt; ssl_certificate_key cert.key; ssl_ciphers HIGH; location / { root /usr/share/nginx/html; index index.html index.htm; } } • Force all traffic to SSL is good for security, customer trust and SEO • Use Let’s Encrypt to get free SSL certificates • Use Mozilla SSL Configuration Generator to generate recommended nginx SSL configurations: https://mozilla.github.io/se rver-side-tls/ssl-config- generator/
  • 32.
    Basic HTTP/2 Configuration server{ listen 443 ssl http2 default_server; server_name www.example.com; ssl_certificate cert.crt; ssl_certificate_key cert.key; } • HTTP/2 improves performance with little to no backend changes • Add http2 parameter to listen directive of existing SSL-enabled virtual server. HTTP/2 is only supported with SSL in all browsers. • NGINX only does HTTP/2 client side, server side is still HTTP/1.1. gRPC is a special case. • Note: HTTP/2 requires OpenSSL 1.0.2 or later to work properly
  • 33.
    Basic Reverse ProxyConfiguration server { location ~ ^(.+.php)(.*)$ { fastcgi_split_path_info ^(.+.php)(.*)$; # fastcgi_pass 127.0.0.1:9000; fastcgi_pass unix:/var/run/php7.0-fpm.sock; fastcgi_index index.php; include fastcgi_params; } } • Requires PHP FPM: apt-get install –y php7.0-fpm • Can also use PHP 5 • Similar directives available for uWSGI and SCGI. • Additional PHP FPM configuration may be required
  • 34.
    Basic Load BalancingConfiguration upstream my_upstream { server server1.example.com:80; server server2.example.com:80; least_conn; } server { location / { proxy_set_header Host $host; proxy_pass http://my_upstream; } } • upstream defines the load balancing pool • Default load balancing algorithm is round robin. Others available: • least_conn selects server with least amount of active connections • least_time factors in connection count and server response time. Available in NGINX Plus only. • proxy_pass links virtual server to upstream • By default NGINX rewrites Host header to name and port of proxied server. proxy_set_header overrides and passes through original client Host header.
  • 35.
    Layer 7 RequestRouting server { # ... location /service1 { proxy_pass http://upstream1; } location /service2 { proxy_pass http://upstream2; } location /service3 { proxy_pass http://upstream3; } } • location blocks are used to do Layer 7 routing based on URL • Regex matching can also be used in location blocks
  • 36.
    Basic Caching Configuration proxy_cache_path/path/to/cache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m use_temp_path=off; server { location / { proxy_cache my_cache; # proxy_cache_valid 5m; proxy_set_header Host $host; proxy_pass http://my_upstream; } } • proxy_cache_path defines the parameters of the cache. • keys_zone defines the size of memory to store cache keys in. A 1 MB zone can store data for about 8,000 keys. • max_size sets upper limit of cache size. Optional. • inactive defines how long an object can stay in cache without being accessed. Default is 10 m. • proxy_cache enables caching for the context it is in
  • 37.
  • 38.
    Modifications to mainnginx.conf user nginx; worker_processes auto; # ... http { # ... keepalive_timeout 300s; keepalive_requests 100000; } • Set in main nginx.conf file • Default value for worker_processes varies on system and installation source • auto means to create one worker process per core. This is recommended for most deployments. • keepalive_timeout controls how long to keep idle connections to clients open. Default: 75s • keeplive_requests Max requests on a single client connection before its closed.Default: 100 • keepalive_* can also be set per virtual server
  • 39.
    HTTP/1.1 Keepalive toUpstreams upstream my_upstream { server server1.example.com; keepalive 32; } server { location / { proxy_set_header Host $host; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_pass http://my_upstream; } } • keepalive enables TCP connection cache • By default NGINX uses HTTP/1.0 with Connection: Close • proxy_http_version upgrades connection to HTTP/1.1 • proxy_set_header enables keepalive by clearing Connection: Close HTTP header
  • 40.
    SSL Session Caching server{ listen 443 ssl default_server; server_name www.example.com; ssl_certificate cert.crt; ssl_certificate_key cert.key; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; } • Improves SSL/TLS performance • 1 MB session cache can store about 4,000 sessions • Cache shared across all NGINX workers
  • 41.
    Advanced Caching Configuration proxy_cache_path/path/to/cache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m use_temp_path=off; server { location / { proxy_cache my_cache; proxy_cache_lock on; proxy_cache_revalidate on; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_background_update on; proxy_set_header Host $host; proxy_pass http://my_upstream; } } • proxy_cache_lock instructs NGINX to only send one request to the upstream when there are multiple cache misses for the same file. • proxy_cache_revalidate instructs NGINX to use If-Modified-Since when refreshing cache. • proxy_cache_use_stale instructs NGINX to serve stale content instead of an error. • proxy_cache_background_update instructs NGINX to do all cache updates in the background. Combined with proxy_cache_use_stale updating, stale content will be served.
  • 42.
    gRPC Proxying withSSL Termination server { listen 443 ssl http2; ssl_certificate server.crt; ssl_certificate_key server.key; location / { grpc_pass grpc://localhost:50051; } } • Configure SSL and HTTP/2 as usual • Go sample application needs to modified to point to NGINX IP Address and port.
  • 43.
    d Active Health Checks upstreammy_upstream { zone my_upstream 64k; server server1.example.com slow_start=30s; server server2.example.com slow_start=30s; } server { # ... location @health { internal; health_check interval=5s uri=/test match=statusok; proxy_set_header HOST www.example.com; proxy_pass http://my_upstream; } match statusok { # Used for /test.php health check status 200; header Content-Type = text/html; body ~ "i’m is alive"; } • Polls /test every 5 seconds • If response is not 200, server marked as failed • If response body does not contain “I’m alive”, server marked as failed • Recovered/new servers will slowly ramp up traffic over 30 seconds • Exclusive to NGINX Plus
  • 44.
    Sticky Cookie SessionPersistence upstream my_upstream { server server1.example.com; server server2.example.com; sticky cookie name expires=1h domain=.example.com path=/; } • NGINX will insert a cookie using the specified name • expires defines how long the cookie is valid for. The default is for the cookie to expire at the end of the browser session. • domain specifies the domain the cookie is valid for. If not specified, domain field of cookie is left blank • path specifies the path the cookie is set for. If not specified, path field of cookie is left blank • Exclusive to NGINX Plus
  • 45.
  • 46.
    MORE INFORMATION AT NGINX.COM NGINXAccess Logs 192.168.179.1 - - [15/May/2017:16:36:25 -0700] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "-" 192.168.179.1 - - [15/May/2017:16:36:26 -0700] "GET /favicon.ico HTTP/1.1" 404 571 "http://fmemon-redhat.local/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "-" 192.168.179.1 - - [15/May/2017:16:36:31 -0700] "GET /basic_status HTTP/1.1" 200 100 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "-" ● Enabled by default. Can be disabled with the access_log off directive. ● Nginx uses the combined log format (also used by Apache) and includes IP address, date, request , referrer, user agent, etc. You can add additional NGINX variables, e.g. timing and a Log format configurable with the log_format directive ● Can enable access logs at a virtual server scope access_log /var/log/nginx/access.log;
  • 47.
    MORE INFORMATION AT NGINX.COM NGINXError Logs 2018/03/22 11:29:08 [error] 12696#12696: upstream timed out (110: Connection timed out) while connecting to upstream, health check "" of peer 10.70.88.24:8832 in upstream "Dev.InternalApi" 2018/03/22 11:29:23 [error] 12696#12696: upstream timed out (110: Connection timed out) while connecting to upstream, health check "" of peer 10.70.88.15:8832 in upstream "Dev.InternalApi" 2018/03/23 15:25:35 [error] 19997#0: *1 open() "/var/www/nginx-default/phpmy-admin/scripts/setup.php" failed (2: No such file or directory), client: 80.154.42.54, server: localhost, request: "GET /phpmy-admin/scripts/setup.php HTTP/1.1", host: "www.example.com" • Enabled by default. Can be disabled with the error_log off directive. • Can enable access logs at a virtual server scope • Log to file, stderr, syslog or memory • Option to log for selected clients error_log /var/log/nginx/error.log [level];
  • 48.
    MORE INFORMATION AT NGINX.COM ErrorLog Levels debug Detailed Trace info General Info notice Something Normal warn Something Strange error Unsuccessful crit Important Issue(s) alert Fix Now! emerg Unusable error_log /var/log/nginx/error.log [level];
  • 49.
    MORE INFORMATION AT NGINX.COM Extraexamples log_format simple escape=json '{"timestamp":"$time_iso8601","client":"$remote_addr","uri":"$uri","status":"$status"}'; server { server_name www.example.com; access_log /var/log/nginx/example.log simple; error_log syslog:server=192.168.1.1 debug; } server { server_name www.example2.com; map $status $condition { ~^[23] 0; default 1; } access_log /var/log/nginx/example2.log simple custom if=$condition; error_log /var/log/nginx/example2_error.log info; }
  • 50.
    MORE INFORMATION AT NGINX.COM Examplelog parsing commands: tail -f 10 error.log Tail error logs (last 10 lines) tail -f 10 access.log | grep 127.0.0.1 Tail and grep (filter) access logs cat access.log | cut -d '"' -f3 | cut -d ' ' -f2 | sort | uniq -c | sort -rn Sort access by Response Codes awk '($9 ~ /404/)' access.log | awk '{print $7}' | sort | uniq -c | sort -rn Which links are broken (HTTP 404)? awk -F" '{print $2}' access.log | awk '{print $2}' | sort | uniq -c | sort -r What are my most requested links?
  • 51.
    MORE INFORMATION AT NGINX.COM NGINXStub Status Module server { location /basic_status { stub_status; } } • Provides aggregated NGINX statistics • Restrict access so it’s not publicly visible $ curl http://127.0.0.1/basic_status Active connections: 1 server accepts handled requests 7 7 7 Reading: 0 Writing: 1 Waiting: 0
  • 52.
    MORE INFORMATION AT NGINX.COM NGINXPlus Extended Status Module • Provides detailed NGINX Plus statistics • Over 100+ additional metrics • Monitoring GUI also available; see demo.nginx.com • Exclusive to NGINX Plus upstream my_upstream { #... zone my_upstream 64k; } server { #... status_zone my_virtual_server; }
  • 53.
    MORE INFORMATION AT NGINX.COM ●Over 0 metrics compared to open source NGINX ● Per virtual server and per backend server statistics ● JSON output to export to your favorite monitoring tool ● See demo.nginx.com for live demo "nginx_build": "nginx-plus-r12-p2", "nginx_version": "1.11.10", "pid": 98240, "ppid": 50622, "processes": { "respawned": 0 }, "requests": { "current": 1, "total": 9915307 }, "server_zones": { "hg.nginx.org": { "discarded": 9150, "processing": 0, "received": 146131844, "requests": 597471, "responses": { "1xx": 0, "2xx": 561986, "3xx": 12839, "4xx": 7081, "5xx": 6415, "total": 588321 }, "sent": 14036626711 }, NGINX Plus Dashboard
  • 54.
  • 55.
  • 56.
    Summary ● It isrecommended to use the NGINX mainline branch for most deployments ● All configuration should go into separate files in /etc/nginx/conf.d/*.conf ● Forcing all traffic to SSL improves security and improves search rankings ● Keepalive connections improve performance by reusing TCP connections ● SSL session caching and HTTP/2 improve SSL performance ● NGINX status module and logging capability provide visibility ● NGINX Plus is recommended for all production, load balancing, API gateway deployements Try NGINX Plus for free at nginx.com/free-trial-request
  • 58.
    Q & ATryNGINX Plus free for 30 days: nginx.com/free-trial-request
  • 59.
    MORE INFORMATION AT NGINX.COM FAQs ●Is NGINX Plus a software package or a “virtual appliance” (an image of a virtual machine for ESX/Xen/etc.) ● What kind of 3rd party software is bundled along with NGINX Plus? ● Does NGINX Plus gather user details or installation details, or phone home? ● Can we leave everything as-is after we successfully do a trial of NGINX Plus and have purchased subscriptions, or will we need to re-install/re-deploy NGINX Plus? ● What happens when my NGINX Plus subscription expires?