NGINX is a well kept secret of high performance web service. Many people know NGINX as an Open Source web server that delivers static content blazingly fast. But, it has many more features to help accelerate delivery of bits to your end users even in more complicated application environments. In this talk we’ll cover several things that most developers or administrators could implement to further delight their end users.

1. 5 things
you didn’t know
NGINX could do
Sarah Novotny
Nginx, Inc.

2. Many people know NGINX as an HTTP request and load
balancing server that powers many of the world's busiest
websites. But, there are a lot of ancillary pieces that go into
the software to make it a whole web application accelerator.

3. What is NGINX?
Internet
N
Web Server
Serve content from disk
Application Server
FastCGI, uWSGI, Passenger…
Proxy
Caching, Load Balancing… HTTP traffic

4. 146,000,000
Websites
NGINX Accelerates

5. Advanced Features
Bandwidth Management
Content-based Routing
Request Manipulation
Response Rewriting
Application Acceleration
SSL and SPDY termination
Authentication
Video Delivery
Mail Proxy
GeoLocation
Performance Monitoring
High Availability

6. 23%
Top 1 million websites
39%
Top 10,000 websites

7. Some things you might not know
Form
spamming
Compress
assets
Thread
exhaustion
Rewrite
content
Online
upgrades
Configure
flags
A/B testing Include
directive
Manipulate
proxy
headers

8. Compress data to reduce
bandwidth
• Reduce bandwidth requirements per client
– Content Compression reduces text and HTML
– Image resampling reduces image sizes

9. HTTP gzip module
• Provides Gzip capabilities so that responses from
NGINX are compressed to reduce file size
• Directives can be used in the http, server and
location contexts
• Key directives
– gzip
– gzip_types
– gzip_proxied

10. Gzip example
Enable gzip
gzip on;
Apply gzip for text, html and
CSS
gzip_types text/plain text/html text/css;
Enable gzip compression for
any proxied request
gzip_proxy any;
It is not
advisable to
enable gzip for
binary content
types such as
images, word
documents or
videos

11. HTTP image filter
• Provides inline image manipulation to
transform images for optimal delivery
• Directives can be used in the location context
• Key directives
– image_filter size;
– image_filter resize width height;
– image_filter crop width height;

12. HTTP image filter example
location /img/ {
proxy_pass http://backend;
image_filter resize 150 100;
image_filter rotate 90;
error_page 415 = /empty;
}
location = /empty {
empty_gif;
}

13. We talk about the ‘N second rule’:
– 10 seconds
(Jakob Nielsen, March 1997)
– 8 seconds
(Zona Research, June 2001)
– 4 seconds
(Jupiter Research, June 2006)
– 3 seconds
(PhocusWright, March 2010)

14. Stop brute force retries
• Stop brute force password attacks
• Stop form spamming
– Use the NGINX limit request module

15. HTTP limit req module
• Allows granular control of request processing
rate
• Directives an be used in http, server and
location contexts
• Key directives
– limit_req_zone
– limit_req

16. HTTP limit req module
http {
limit_req_zone $binary_remote_addr zone=one:10m
rate=1r/s;
…
server {
…
location /search/ {
limit_req zone=one burst=5;
}
}
}

17. Protect Apache from thread
exhaustion attacks
• Use NGINX in front of Apache
• Mitigates ‘slow loris’, ‘keep dead’ and ‘front
page of hacker news’ attacks

18. What is thread exhaustion?
http process
http process
http process
http process
http process
http process
http process
Client-side:
Multiple
Connections
HTTP Keepalives
Server-side:
Limited
concurrency

19. How NGINX mitigates thread
exhaustion
N
Large numbers of clients,
with long-term keepalive connections
NGINX reduces connections
to the minimum number
necessary

20. Rewrite content inline
• Use the power of substitution to simplify updates
• Directives can be used in the http, server and location
contexts
• Key directives
– sub_filter_once
– sub_filter
– sub_filter_types

21. HTTP sub filter example
location / {
sub_filter_once off;
sub_filter_types text/html;
sub_filter “__copyright_date__” “2014”;
}

22. Online Binary updates and
configuration changes
• Update either the configuration files or the
binary without losing any connections

23. Configuration file update
[root@localhost ~]# nginx -s reload
[root@localhost ~]#

24. Yep. It’s that simple

25. Binary Upgrade
[root@localhost ~]# cat /var/run/nginx.pid
1991
[root@localhost ~]# kill –USR2 1991
• Choose your method of binary installation
• Replace the binary

26. Binary Upgrade
[root@localhost ~]# ps -ef |grep nginx
root 1991 1 0 08:06 ? 00:00:00 nginx: master
process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 2974 1991 0 08:22 ? 00:00:00 nginx: worker
process
nginx 2975 1991 0 08:22 ? 00:00:00 nginx: worker
process
root 3123 2948 0 08:43 pts/0 00:00:00 grep nginx
root 3124 1991 0 08:43 ? 00:00:00 nginx: master
process /usr/sbin/nginx -c /etc/nginx/nginx.conf

27. Binary Upgrade
[root@localhost ~]# kill –WINCH 1991
[root@localhost ~]# kill –QUIT 1991
• Verify things are working as expected
(you can still back out gracefully at this point)

28. nginx –V gives a nearly
complete configuration
script for compiling
Configure Flags

29. [root@localhost ~]# nginx -V
nginx version: nginx/1.5.7
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx/ --sbin-
path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-
log-path=/var/log/nginx/error.log --http-log-
path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --
lock-path=/var/run/nginx.lock --http-client-body-temp-
path=/var/cache/nginx/client_temp --http-proxy-temp-
path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-
path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-
path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-
path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-
http_ssl_module --with-http_spdy_module --with-http_realip_module
--with-http_addition_module --with-http_sub_module --with-
http_dav_module
--etc

30. A/B testing
Internet
N
Content A
HTTP traffic
Content B

31. Split Clients Module
http {
split_clients "${remote_addr}AAA" $variant {
0.5% .A;
2.0% .B;
* "”;
}
server {
location / {
index index${variant}.html;

32. Measurement
and analysis is left as
an exercise to the
reader

33. Include Directive
• Includes files
• Directives can be used in the any context
• Key directives
– include

34. HTTP include example
http {
include /etc/nginx/conf.d/mime.types;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

35. Manipulate proxy headers
• Mask content source (like assets in S3)
• Manage proxy behavior
• Inject your own headers (host header or x-
forward-for etc)

36. Proxy Header Manipulation
• Allows perception management of content
delivery through headers
• Directives can be used in the http, server and
location contexts
• Key directives
– proxy_hide_header
– proxy_set_header
– proxy_ignore_header

37. Proxy hide header example
location / {
proxy_pass http://your_bucket.s3.amazonaws.com;
proxy_hide_header x-amz-id-2;
proxy_hide_header x-amz-meta-s3fox-filesize;
proxy_hide_header x-amz-request-id;
proxy_hide_header x-amz-meta-s3fox-modifiedtime;
...
}

38. Proxy set header example
location / {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
...
}

39. More resources
• Check out our blog on nginx.com
• Webinars: nginx.com/webinars
Try:
NGINX F/OSS (nginx.org)
NGINX Plus (nginx.com)

40. Thanks for your time!
@sarahnovotny
Evangelist, NGINX
Program Chair, OSCON