NGINX is a well kept secret of high performance web service. Many people know NGINX as an Open Source web server that delivers static content blazingly fast. But, it has many more features to help accelerate delivery of bits to your end users even in more complicated application environments. In this talk we’ll cover several things that most developers or administrators could implement to further delight their end users.
2. Many people know NGINX as an HTTP request and load
balancing server that powers many of the world's busiest
websites. But, there are a lot of ancillary pieces that go into
the software to make it a whole web application accelerator.
3. What is NGINX?
[Diagram: Internet traffic reaching NGINX, which acts in three roles]
• Web Server: serve content from disk
• Application Server: FastCGI, uWSGI, Passenger…
• Proxy: caching, load balancing… HTTP traffic
7. Some things you might not know
• Compress assets
• Form spamming
• Thread exhaustion
• Rewrite content
• Online upgrades
• Configure flags
• A/B testing
• Include directive
• Manipulate proxy headers
8. Compress data to reduce
bandwidth
• Reduce bandwidth requirements per client
– Content Compression reduces text and HTML
– Image resampling reduces image sizes
9. HTTP gzip module
• Provides Gzip capabilities so that responses from
NGINX are compressed to reduce file size
• Directives can be used in the http, server and
location contexts
• Key directives
– gzip
– gzip_types
– gzip_proxied
10. Gzip example
# Enable gzip
gzip on;
# Apply gzip for text, html and CSS
gzip_types text/plain text/html text/css;
# Enable gzip compression for any proxied request
gzip_proxied any;
It is not advisable to enable gzip for binary content types such as images, word documents or videos
11. HTTP image filter
• Provides inline image manipulation to
transform images for optimal delivery
• Directives can be used in the location context
• Key directives
– image_filter size;
– image_filter resize width height;
– image_filter crop width height;
13. We talk about the ‘N second rule’:
– 10 seconds
(Jakob Nielsen, March 1997)
– 8 seconds
(Zona Research, June 2001)
– 4 seconds
(Jupiter Research, June 2006)
– 3 seconds
(PhocusWright, March 2010)
14. Stop brute force retries
• Stop brute force password attacks
• Stop form spamming
– Use the NGINX limit request module
15. HTTP limit req module
• Allows granular control of request processing
rate
• Directives can be used in http, server and
location contexts
• Key directives
– limit_req_zone
– limit_req
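A configuration using these two directives against password retries and form spam, as an added example that is not from the talk. The zone names, rates, burst sizes and paths are assumptions for illustration; the backend address is the one used in the proxy example later in the deck.

```nginx
events {}

http {
    # One counter per client address; $binary_remote_addr keeps each key small.
    # 10 MB of shared memory, average rate of 1 request per second per address.
    limit_req_zone $binary_remote_addr zone=forms:10m rate=1r/s;

    # A looser zone for search, which legitimately sees more traffic.
    limit_req_zone $binary_remote_addr zone=search:10m rate=10r/s;

    # Rejected requests get 503 by default; 429 tells clients and log
    # consumers that the cause was rate limiting.
    limit_req_status 429;

    server {
        listen 80;

        # Login: up to 5 excess requests are queued and released at the
        # zone rate; anything beyond the burst is rejected.
        location = /login {
            limit_req zone=forms burst=5;
            proxy_pass http://localhost:8000;
        }

        # Registration form shares the same per-address budget.
        location = /registration {
            limit_req zone=forms burst=5;
            proxy_pass http://localhost:8000;
        }

        # Search: short bursts are served immediately (nodelay),
        # sustained floods are rejected.
        location /search {
            limit_req zone=search burst=20 nodelay;
            proxy_pass http://localhost:8000;
        }

        # Everything else is not rate limited.
        location / {
            proxy_pass http://localhost:8000;
        }
    }
}
```

Rejections are written to the error log with the zone name, which makes them usable as a signal for alerting on retry storms.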
17. Protect Apache from thread
exhaustion attacks
• Use NGINX in front of Apache
• Mitigates ‘slow loris’, ‘keep dead’ and ‘front
page of hacker news’ attacks
18. What is thread exhaustion?
[Diagram: a fixed pool of http processes on the server]
Client-side: multiple connections, HTTP keepalives
Server-side: limited concurrency
19. How NGINX mitigates thread exhaustion
[Diagram: many clients connecting to NGINX]
Large numbers of clients, with long-term keepalive connections
NGINX reduces connections to the minimum number necessary
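One way to place NGINX in front of Apache as slides 17 to 19 describe, as an added example that is not from the talk. The Apache address 127.0.0.1:8080, the timeout values and the connection limits are assumptions to tune per site.

```nginx
events {}

http {
    # Apache is assumed to listen on loopback only, so clients cannot
    # reach it without passing through NGINX.
    upstream apache_backend {
        server 127.0.0.1:8080;
        # Idle connections to Apache kept open per worker process and
        # reused, instead of one Apache process per client keepalive.
        keepalive 16;
    }

    # Track concurrent connections per client address.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    server {
        listen 80;

        # Slow senders: close connections that do not deliver the full
        # request header in time, or stall between body reads.
        client_header_timeout 10s;
        client_body_timeout   10s;
        # Slow readers: close if the client stops accepting the response.
        send_timeout          10s;

        # Client keepalives are held by NGINX, not by an Apache process.
        keepalive_timeout 30s;

        # Cap simultaneous connections from one address.
        limit_conn per_ip 20;

        location / {
            proxy_pass http://apache_backend;
            # HTTP/1.1 with an empty Connection header is required for
            # the upstream keepalive pool to be used.
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Both are on by default: NGINX reads the whole request before
            # contacting Apache and absorbs the response for slow clients.
            proxy_request_buffering on;
            proxy_buffering on;
        }
    }
}
```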
20. Rewrite content inline
• Use the power of substitution to simplify updates
• Directives can be used in the http, server and location
contexts
• Key directives
– sub_filter_once
– sub_filter
– sub_filter_types
21. HTTP sub filter example
location / {
    sub_filter_once off;
    sub_filter_types text/html;
    sub_filter "__copyright_date__" "2014";
}
22. Online Binary updates and
configuration changes
• Update either the configuration files or the
binary without losing any connections
27. Binary Upgrade
[root@localhost ~]# kill -WINCH 1991
[root@localhost ~]# kill -QUIT 1991
• Verify things are working as expected
(you can still back out gracefully at this point)
28. Configure Flags
nginx -V gives a nearly complete configuration script for compiling
34. HTTP include example
http {
include /etc/nginx/conf.d/mime.types;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
35. Manipulate proxy headers
• Mask content source (like assets in S3)
• Manage proxy behavior
• Inject your own headers (Host header, X-Forwarded-For, etc.)
36. Proxy Header Manipulation
• Allows perception management of content
delivery through headers
• Directives can be used in the http, server and
location contexts
• Key directives
– proxy_hide_header
– proxy_set_header
– proxy_ignore_headers
38. Proxy set header example
location / {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
...
}
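The S3 masking case from slide 35 alongside the application proxy, as an added example that is not from the talk. The bucket hostname example-bucket.s3.amazonaws.com and the /assets/ path are hypothetical placeholders.

```nginx
events {}

http {
    server {
        listen 80;

        # Static assets served from an S3 bucket (hypothetical name).
        location /assets/ {
            proxy_pass https://example-bucket.s3.amazonaws.com/;
            # S3 routes on the Host header, so send the bucket's name
            # rather than the visitor-facing one.
            proxy_set_header Host example-bucket.s3.amazonaws.com;
            proxy_ssl_server_name on;

            # Do not forward the visitor's cookies or credentials
            # to a third-party origin.
            proxy_set_header Cookie "";
            proxy_set_header Authorization "";

            # Remove response headers that reveal the content source.
            # "Server" is already withheld by default.
            proxy_hide_header x-amz-id-2;
            proxy_hide_header x-amz-request-id;
            proxy_hide_header Set-Cookie;
            # Only matters once proxy_cache is enabled: a Set-Cookie
            # from the origin then no longer prevents caching.
            proxy_ignore_headers Set-Cookie;
        }

        # Application backend.
        location / {
            proxy_pass http://localhost:8000;
            proxy_set_header Host $host;
            # Overwrites any X-Real-IP the client sent.
            proxy_set_header X-Real-IP $remote_addr;
            # Appends $remote_addr to whatever X-Forwarded-For the client
            # sent, so the backend should trust only the last entry.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```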
39. More resources
• Check out our blog on nginx.com
• Webinars: nginx.com/webinars
Try:
NGINX F/OSS (nginx.org)
NGINX Plus (nginx.com)
40. Thanks for your time!
@sarahnovotny
Evangelist, NGINX
Program Chair, OSCON
Editor's Notes
Story starts with a single guy, Igor Sysoev
What was originally a tool for managing concurrency has evolved into a Web Application Accelerator
Not because of vision but user driven innovation
Top 37%
These tend to be successful websites, generating revenue and featuring well in google search results
Size: outputs json about image
Rotate is also an option.
You can also crop
Story about int’l flight with metered transfer
limit_req sets the shared memory zone and the maximum burst size of requests. If the request rate exceeds the rate configured for a zone, processing is delayed so that requests are processed at the defined rate. Excessive requests are delayed until their number exceeds the maximum burst size, in which case the request is terminated with an error 503 (Service Temporarily Unavailable). By default, the maximum burst size is equal to zero.
This can be granularly set up for specific portions of the site like /search or /registration or the like.
It’s all about concurrency…
Sets a string to replace and a replacement string. The string to replace is matched ignoring the case. The replacement string can contain variables.
Google Tags
sub_filter_types is text/html by default
Gotchas: compressed content
3rd party module that does regex and fixed string: nginx_substitutions_filter
value of the original string is hashed using MurmurHash2
By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed. If, on the contrary, the passing of fields needs to be permitted, the proxy_pass_header directive can be used.
“X-Accel-Expires”, “Expires”, “Cache-Control”, and “Set-Cookie” set the parameters of response caching;
“X-Accel-Redirect” performs an internal redirect to the specified URI;
“X-Accel-Limit-Rate” sets the rate limit for transmission of a response to a client;
“X-Accel-Buffering” enables or disables buffering of a response;
“X-Accel-Charset” sets the desired charset of a response.