Understanding and Tuning NGINX

Héctor F. Jiménez Saldarriaga

@c1b3rh4ck              @h3ctorjs

¯\_(ツ)_/¯

NGINX 2017

  • 2002: Needs of an extremely high-traffic Russian website called Rambler (C10K problem).
  • 2004 - 2007: Public release[2] and improvements.
  • September 2008: over 500 million HTTP requests per day.
  • Current version 1.13.7[1]: Mainline, Stable, Legacy

[1] http://nginx.org/en/download.html

[2] http://mailman.nginx.org/pipermail/nginx/2008-May/004816.html?_ga=2.197930799.1225486779.1512942014-1868207263.1512942014

Igor Sysoev, CTO and Co-Founder, NGINX Inc.

Open Source project released under a BSD-like license

Who uses NGINX?

Autodesk, Atlassian, Intuit, T-Mobile, GitLab, DuckDuckGo, Microsoft, IBM, Google, Adobe, Salesforce, VMware, Xerox, LinkedIn, Cisco, Facebook, Target, Citrix Systems, Twitter, Siemens, AT&T, PayPal, Vodafone, Nike, EMC, SAP, Yahoo!, Apple, Intel, eBay, JP Morgan Chase, Oracle, Airbnb, Groupon, Uber, HubSpot, Spotify, Electronic Arts (EA), Yelp and many more...[3]

[3] Customers, https://siftery.com/nginx

Usage

  • Web Server
  • Load Balancer
  • Content Cache
  • Application Server
  • WAF
  • M&M

Features

  1. Serving static and index files, autoindexing.
  2. Accelerated reverse proxying with caching, memcache integrations and other cache servers.
  3. Modular architecture.
  4. Support for HTTP/2 with weighted and dependency-based prioritization.
  5. Generic proxying of TCP and UDP.
  6. SSL and TLS SNI support for TCP.

Apache Design!

-_-

Installation


# Debian and derivatives
user@evilmachine$ sudo apt-get install nginx
# RHEL-based
user@evilmachine$ sudo yum -y install nginx
# openSUSE-based (-G disables GPG checking for this repository)
user@evilmachine$ sudo zypper addrepo -G -t yum -c 'http://nginx.org/packages/sles/12' nginx
user@evilmachine$ sudo zypper install nginx

Modules

Core module: Consists of essential features and directives such as process management and security
Events module: Lets you configure the inner mechanisms of the networking capabilities
Configuration module: Enables the inclusion mechanism

Settings

rootuser@evilmachine# ls -la /etc/nginx
total 92
drwxr-xr-x   8 root root  4096 dic 10 22:35 .
drwxr-xr-x 160 root root 12288 dic 10 22:18 ..
drwxr-xr-x   2 root root  4096 oct 13 04:59 conf.d
-rw-r--r--   1 root root  1077 oct 13 04:59 fastcgi.conf
-rw-r--r--   1 root root  1007 oct 13 04:59 fastcgi_params
-rw-r--r--   1 root root  2837 oct 13 04:59 koi-utf
-rw-r--r--   1 root root  2223 oct 13 04:59 koi-win
-rw-r--r--   1 root root  3957 oct 13 04:59 mime.types
drwxr-xr-x   2 root root  4096 oct 13 04:59 modules-available
drwxr-xr-x   2 root root  4096 dic 10 22:18 modules-enabled
-rw-r--r--   1 root root  1479 dic 10 22:35 nginx.conf  #Important! ptt
-rw-r--r--   1 root root   180 oct 13 04:59 proxy_params
-rw-r--r--   1 root root   636 oct 13 04:59 scgi_params
drwxr-xr-x   2 root root  4096 dic 10 22:18 sites-available
drwxr-xr-x   2 root root  4096 dic 10 22:18 sites-enabled
drwxr-xr-x   2 root root  4096 dic 10 22:18 snippets
-rw-r--r--   1 root root   664 oct 13 04:59 uwsgi_params
-rw-r--r--   1 root root  3071 oct 13 04:59 win-utf

Default Modules

rootuser@evilmachine:/etc/nginx/modules-enabled# ls -la
total 24
drwxr-xr-x 2 root root 4096 dic 10 22:18 .
drwxr-xr-x 8 root root 4096 dic 10 22:45 ..
lrwxrwxrwx 1 root root   57 dic 10 22:18 50-mod-http-auth-pam.conf -> /usr/share/nginx/modules-available/mod-http-auth-pam.conf
lrwxrwxrwx 1 root root   56 dic 10 22:18 50-mod-http-dav-ext.conf -> /usr/share/nginx/modules-available/mod-http-dav-ext.conf
lrwxrwxrwx 1 root root   53 dic 10 22:18 50-mod-http-echo.conf -> /usr/share/nginx/modules-available/mod-http-echo.conf
lrwxrwxrwx 1 root root   54 dic 10 22:18 50-mod-http-geoip.conf -> /usr/share/nginx/modules-available/mod-http-geoip.conf
lrwxrwxrwx 1 root root   61 dic 10 22:18 50-mod-http-image-filter.conf -> /usr/share/nginx/modules-available/mod-http-image-filter.conf
lrwxrwxrwx 1 root root   60 dic 10 22:18 50-mod-http-subs-filter.conf -> /usr/share/nginx/modules-available/mod-http-subs-filter.conf
lrwxrwxrwx 1 root root   62 dic 10 22:18 50-mod-http-upstream-fair.conf -> /usr/share/nginx/modules-available/mod-http-upstream-fair.conf
lrwxrwxrwx 1 root root   60 dic 10 22:18 50-mod-http-xslt-filter.conf -> /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
lrwxrwxrwx 1 root root   48 dic 10 22:18 50-mod-mail.conf -> /usr/share/nginx/modules-available/mod-mail.conf
lrwxrwxrwx 1 root root   50 dic 10 22:18 50-mod-stream.conf -> /usr/share/nginx/modules-available/mod-stream.conf

User and Group

  • Master process:
    • It is started as root; the root account is allowed to open TCP sockets on ports like 80 and 443.
    • It reads and evaluates the configuration file, and maintains the worker processes.
  • Worker processes:
    • Spawned by the master process.
    • They do the actual processing of requests.
    • They run as a different user or group.

[4] Nginx, https://www.nginx.com/blog/inside-nginx-how-we-designed-for-performance-scale/

Demo 1

Web Server

site-sample conf

Nginx's configuration files use a micro programming language
influenced by Perl and Bourne Shell

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	set $a a;
	root /var/www/html;
	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
	server_name ninja.co;
	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}
}

Load Balancer  

Techniques: 

  • round-robin
  • least-connected
  • ip-hashing
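
The three techniques above written as NGINX upstream blocks. This is an added example, not configuration from the talk; the upstream names and the 192.0.2.x backend addresses are constructed placeholders.

```nginx
# Added example. These blocks belong inside the http { } context.
# Upstream names and 192.0.2.x addresses are constructed placeholders.

# round-robin: the default when no method directive is given.
upstream app_round_robin {
    server 192.0.2.11:8080 weight=2;   # receives roughly twice the requests
    server 192.0.2.12:8080;
    server 192.0.2.13:8080 backup;     # used only when the others are unavailable
}

# least-connected: the next request goes to the server with the
# fewest active connections.
upstream app_least_conn {
    least_conn;
    server 192.0.2.11:8080;
    # Mark the server unavailable for 30s after 3 failed attempts.
    server 192.0.2.12:8080 max_fails=3 fail_timeout=30s;
}

# ip-hashing: the client address selects the server (session persistence).
# For IPv4 only the first three octets are hashed, so clients arriving
# through one NAT or proxy all land on the same backend.
upstream app_ip_hash {
    ip_hash;
    server 192.0.2.11:8080;
    server 192.0.2.12:8080;
}

server {
    listen 80;
    server_name ninja.co;

    location / {
        proxy_pass http://app_least_conn;
        # Pass the original host and client address to the backend so
        # application logs record the client, not the balancer.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Run `nginx -t` to validate the configuration before reloading.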

 


Demo 2

Content Cache   


Demo 3

Docker to the rescue!

Thank you So Much!

and go ahead and build great products using NGINX

References

  • Optimizing web servers for high throughput and low latency
  • Enabling HTTP/2 for Dropbox web services: experiences and observations
  • Serving 100 Gbps from an Open Connect Appliance
  • Advanced nginx configuration: Extra security & performance tuning
  • Nginx Load Balancing — Advanced Configuration, Future Studio
  • https://github.com/million12/docker-nginx


Pereira Tech Talks Nginx Talk.
