SlideShare a Scribd company logo

Best Practices for Getting Started with NGINX Open Source

N
NGINX, Inc.

The document outlines best practices for configuring and optimizing Nginx, emphasizing the importance of using the official repository, proper configuration file structure, and tuning various parameters for performance. Key recommendations include ensuring one worker process per CPU core, increasing worker connections, utilizing keepalives, and caching SSL sessions. Additionally, it addresses common mistakes and provides links for further resources on Nginx performance tuning and best practices.

Software
1 of 29
Downloaded 33 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Best Practices for Getting Started with NGINX Open Source Alessandro Fael Garcia Senior Solutions Engineer – Community & Alliances
©2022 F5 2 Source: https://news.netcraft.com/archives/2022/06/30/june-2022-web-server-survey.html
©2022 F5 3
©2022 F5 4 Installing NGINX Best practices
©2022 F5 5 Use the NGINX Open Source official repository! https://nginx.org/en/linux_packages.html
©2022 F5 6 TIL • nginx –t → Check if NGINX configuration is valid • nginx –T → Dump full NGINX configuration • nginx –v → Print NGINX version • nginx –V → Print NGINX package config arguments • nginx –s <start/stop/reload> → Start NGINX; stop (kill) NGINX; reload NGINX configuration (gracefully) Key NGINX Commands
©2022 F5 7 /etc/nginx/nginx.conf • Main NGINX configuration file • Global settings • Contains sensible defaults (when installing NGINX from our official repositories) • Avoid modifying unless you know what you are doing (defaults will work out of the box for >80% of use cases) • Includes HTTP block (adding a Stream block is one of the few cases where you’d want to modify the file) /etc/nginx/conf.d/*.conf • Default directory for additional NGINX configuration files • By default, files here are contained within the HTTP context • default.conf includes sample configuration with the NGINX default landing page • Start with a single configuration file, split your configuration into further files as necessary Recommended NGINX Directory Structure Defaults? What defaults?!
©2022 F5 8 Use Let’s Encrypt and Certbot for easy certs! https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal
©2022 F5 9 Tuning NGINX One step at a time
©2022 F5 10 nginx.conf nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; proxy_cache_lock on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; ... } } }
©2022 F5 11 worker_processes nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } Make sure you spawn one NGINX worker process per CPU core (default: 1)
©2022 F5 12 worker_connections & worker_rlimit_nofile nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } a) Increase the worker connections to >1024 (default: 512) b) Increase the limit on the maximum number of open files to at least twice the number of worker connections (default: system limit)
©2022 F5 13 access_log nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } • Turn off the access log for extra performance (default: on) or • Set a buffer or a time to only write logs at an interval (default: off)
©2022 F5 14 keepalive nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } Use keepalives to keep connections to upstream servers open (default: 0) → You will need to set HTTP to 1.1 and rewrite the Connection header
©2022 F5 15 ssl_session_cache nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } Cache and share your SSL sessions between all your NGINX processes (default: disabled)
©2022 F5 16 proxy_cache_lock nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } Send only one request to the upstream server when there are multiple cache misses for the same file (default: off)
©2022 F5 17 Recap nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } • Make sure you spawn one NGINX worker process per CPU core (default: 1) • Increase the worker connections to >1024 (default: 512) • Increase the limit on the maximum number of open files to at least twice the number of worker connections (default: system limit) • Turn off the access log for extra performance (default: on) • Set a buffer or a time to only write logs at an interval (default: off) • Use keepalives to keep connections to upstream servers open (default: 0) → You will need to set HTTP to 1.1 and rewrite the Connection header • Cache and share your SSL sessions between all your NGINX processes (default: disabled) • Send only one request to the upstream server when there are multiple cache misses for the same file (default: off)
©2022 F5 18 Common NGINX Mistakes That we’ve all made at some stage
©2022 F5 19 error_log nginx.conf 1 2 3 ... error_log off; ... nginx.conf 1 2 3 ... error_log /dev/null emerg; ... Creates an error log named off Redirects error log data to /dev/null
©2022 F5 20 Directive inheritance is not additive nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 http { add_header HTTP_HEADER; ... server { add_header HTTP_HEADER; ... location / { add_header HTTP_HEADER; add_header LOCATION_HEADER: ... } } } Sets directive Inherits directive Overrides directive
©2022 F5 21 ip_hash nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 http { ... upstream { ip_hash; server 10.10.20.105:8080; server 10.10.20.106:8080; server 10.10.20.108:8080; } server { ... } } If all your traffic comes from the same CIDR block, use hash or any other load balancing algorithm instead
©2022 F5 22 proxy_buffering nginx.conf 1 2 3 4 http { proxy_buffering off; ... } Avoiding buffers might speed up the initial response to your client, but it might also saturate your open connections
©2022 F5 23 stub_status nginx.conf 1 2 3 4 5 6 server { ... location = /status { stub_status; } } nginx.conf 1 2 3 4 5 6 7 8 9 10 11 server { ... location = /status { satisfy any; auth_basic “closed site”; auth_basic_user_file conf.d/.htpasswd; allow 192.168.1.0/24; deny all; stub_status; } } Everyone can access your data Secure access to your data
©2022 F5 24 proxy_pass nginx.conf 1 2 3 4 5 6 7 8 9 10 http { ... server { ... location / { ... proxy_pass http://localhost:3000/; } } } nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 http { ... upstream node_backend { zone upstreams 64K; hash; server 127.0.0.1:3000 max_fails=1 fail_timeout=2s; server 127.0.0.1:5000 max_fails=1 fail_timeout=2s; keepalive 4; } server { ... location / { ... proxy_next_upstream error timeout http_500; proxy_pass http://node_backend/; } } } Proxy to an upstream server directly • Load balance • Upstream stats • Keepalives • Passive health checks • Define behavior if the upstream servers go down
©2022 F5 25 If is Evil Much Computationally Expensive! Very Segfaults 😱 If only works as intended if you use return or rewrite inside your if block
©2022 F5 26 • error_log off != turn off the error log • Directive inheritance is not additive • ip_hash does not work for addresses under the same CIDR block • proxy_buffering off might lead unexpected saturated connections • Beware of not properly securing your stat locations • It’s better to proxy_pass to upstream groups than directly to an upstream server • If. Is. Evil. Recap
©2022 F5 27 Thankyouforattending! a.faelgarcia@f5.com alessfg @alessfg Alessandro Fael Garcia
Best Practices for Getting Started with NGINX Open Source
©2022 F5 29 Further Resources • Performance-Tuning NGINX https://www.youtube.com/watch?v=YEdhuC2muOE • Best Practices for NGINX https://www.youtube.com/watch?v=pkHQCPXaimU • Avoiding the Top 10 NGINX Configuration Mistakes https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes • Tuning NGINX for Performance https://www.nginx.com/blog/tuning-nginx/

More Related Content

PPTX
How to Avoid the Top 5 NGINX Configuration Mistakes
NGINX, Inc.
 
PPTX
Successfully Implement Your API Strategy with NGINX
NGINX, Inc.
 
PDF
Kubernetes
erialc_w
 
PDF
NGINX: Basics and Best Practices EMEA
NGINX, Inc.
 
PPTX
Spring Cloud Config
Theerut Bunkhanphol
 
PDF
Introduction to Docker Compose
Ajeet Singh Raina
 
PDF
Kubernetes: A Short Introduction (2019)
Megan O'Keefe
 
PPTX
Getting started with Jenkins
Edureka!
 
How to Avoid the Top 5 NGINX Configuration Mistakes
NGINX, Inc.
 
Successfully Implement Your API Strategy with NGINX
NGINX, Inc.
 
Kubernetes
erialc_w
 
NGINX: Basics and Best Practices EMEA
NGINX, Inc.
 
Spring Cloud Config
Theerut Bunkhanphol
 
Introduction to Docker Compose
Ajeet Singh Raina
 
Kubernetes: A Short Introduction (2019)
Megan O'Keefe
 
Getting started with Jenkins
Edureka!
 

What's hot (20)

PDF
Docker swarm introduction
Evan Lin
 
PPTX
Angular 4 and TypeScript
Ahmed El-Kady
 
PDF
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
PDF
Vault
dawnlua
 
PDF
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Edureka!
 
PDF
Getting Started with Kubernetes
VMware Tanzu
 
PDF
[KubeCon EU 2022] Running containerd and k3s on macOS
Akihiro Suda
 
PPTX
Introduction to Ansible
CoreStack
 
PPTX
Web API authentication and authorization
Chalermpon Areepong
 
PDF
Api Gateway
KhaqanAshraf
 
PDF
Istio : Service Mesh
Knoldus Inc.
 
PDF
Ansible
Rahul Bajaj
 
PDF
Kubernetes security
Thomas Fricke
 
PDF
Keycloak SSO basics
Juan Vicente Herrera Ruiz de Alejo
 
PPTX
Ansible presentation
Kumar Y
 
ODP
Kubernetes Architecture
Knoldus Inc.
 
PDF
Microservices with Java, Spring Boot and Spring Cloud
Eberhard Wolff
 
PDF
DevOps with Ansible
Swapnil Jain
 
PDF
Keycloak Single Sign-On
Ravi Yasas
 
PDF
How to Deploy WSO2 Enterprise Integrator in Containers
WSO2
 
Docker swarm introduction
Evan Lin
 
Angular 4 and TypeScript
Ahmed El-Kady
 
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
Vault
dawnlua
 
Kubernetes Networking | Kubernetes Services, Pods & Ingress Networks | Kubern...
Edureka!
 
Getting Started with Kubernetes
VMware Tanzu
 
[KubeCon EU 2022] Running containerd and k3s on macOS
Akihiro Suda
 
Introduction to Ansible
CoreStack
 
Web API authentication and authorization
Chalermpon Areepong
 
Api Gateway
KhaqanAshraf
 
Istio : Service Mesh
Knoldus Inc.
 
Ansible
Rahul Bajaj
 
Kubernetes security
Thomas Fricke
 
Keycloak SSO basics
Juan Vicente Herrera Ruiz de Alejo
 
Ansible presentation
Kumar Y
 
Kubernetes Architecture
Knoldus Inc.
 
Microservices with Java, Spring Boot and Spring Cloud
Eberhard Wolff
 
DevOps with Ansible
Swapnil Jain
 
Keycloak Single Sign-On
Ravi Yasas
 
How to Deploy WSO2 Enterprise Integrator in Containers
WSO2
 
Ad

Similar to Best Practices for Getting Started with NGINX Open Source (20)

PPTX
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
NGINX, Inc.
 
PPTX
Warden @ Meet magento Romania 2021
alinalexandru
 
PDF
Load Balancing Applications with NGINX in a CoreOS Cluster
Kevin Jones
 
PPTX
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX, Inc.
 
PDF
Open Sourcing NGINX Agent and Demo
NGINX, Inc.
 
PPTX
NGINX Installation and Tuning
NGINX, Inc.
 
PDF
FaSilET² full end-to-end testing solution presented at OW2con'19, June 12-13,...
OW2
 
PDF
NGINX Unit: Rebooting our Universal Web App Server
NGINX, Inc.
 
PDF
NGINX ADC: Basics and Best Practices
NGINX, Inc.
 
PDF
Sprint 17
ManageIQ
 
PDF
Kubernetes laravel and kubernetes
William Stewart
 
PDF
OSMC 2021 | Icinga-Installer – the easy way to your Icinga
NETWAYS
 
PDF
Présentation "Docker + Kubernetes" @ Pastis.tech #2
Blue Forest
 
PDF
NGiNX, VHOSTS & SSL (let's encrypt)
Marcel Cattaneo
 
PDF
How to install nginx vs unicorn
baran19901990
 
PPTX
High Availability Content Caching with NGINX
NGINX, Inc.
 
PDF
NGINX ADC: Basics and Best Practices – EMEA
NGINX, Inc.
 
PDF
High Availability Content Caching with NGINX
Kevin Jones
 
PDF
3-sdn-lab.pdf
Vijesh Kannan Devan Nair
 
PDF
Capistrano deploy Magento project in an efficient way
Sylvain Rayé
 
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
NGINX, Inc.
 
Warden @ Meet magento Romania 2021
alinalexandru
 
Load Balancing Applications with NGINX in a CoreOS Cluster
Kevin Jones
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX, Inc.
 
Open Sourcing NGINX Agent and Demo
NGINX, Inc.
 
NGINX Installation and Tuning
NGINX, Inc.
 
FaSilET² full end-to-end testing solution presented at OW2con'19, June 12-13,...
OW2
 
NGINX Unit: Rebooting our Universal Web App Server
NGINX, Inc.
 
NGINX ADC: Basics and Best Practices
NGINX, Inc.
 
Sprint 17
ManageIQ
 
Kubernetes laravel and kubernetes
William Stewart
 
OSMC 2021 | Icinga-Installer – the easy way to your Icinga
NETWAYS
 
Présentation "Docker + Kubernetes" @ Pastis.tech #2
Blue Forest
 
NGiNX, VHOSTS & SSL (let's encrypt)
Marcel Cattaneo
 
How to install nginx vs unicorn
baran19901990
 
High Availability Content Caching with NGINX
NGINX, Inc.
 
NGINX ADC: Basics and Best Practices – EMEA
NGINX, Inc.
 
High Availability Content Caching with NGINX
Kevin Jones
 
3-sdn-lab.pdf
Vijesh Kannan Devan Nair
 
Capistrano deploy Magento project in an efficient way
Sylvain Rayé
 
Ad

More from NGINX, Inc. (20)

PDF
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
NGINX, Inc.
 
PDF
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
NGINX, Inc.
 
PDF
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
NGINX, Inc.
 
PPTX
Get Hands-On with NGINX and QUIC+HTTP/3
NGINX, Inc.
 
PPTX
Managing Kubernetes Cost and Performance with NGINX & Kubecost
NGINX, Inc.
 
PDF
Manage Microservices Chaos and Complexity with Observability
NGINX, Inc.
 
PDF
Accelerate Microservices Deployments with Automation
NGINX, Inc.
 
PDF
Unit 2: Microservices Secrets Management 101
NGINX, Inc.
 
PDF
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
NGINX, Inc.
 
PDF
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX, Inc.
 
PDF
Easily View, Manage, and Scale Your App Security with F5 NGINX
NGINX, Inc.
 
PDF
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINX, Inc.
 
PDF
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
NGINX, Inc.
 
PPTX
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
NGINX, Inc.
 
PPTX
Protecting Apps from Hacks in Kubernetes with NGINX
NGINX, Inc.
 
PPTX
NGINX Kubernetes API
NGINX, Inc.
 
PPTX
Installing and Configuring NGINX Open Source
NGINX, Inc.
 
PPTX
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
 
PDF
Kubernetes環境で実現するWebアプリケーションセキュリティ
NGINX, Inc.
 
PDF
Software Delivery and the Rube Goldberg Machine: What Is the Problem We Are T...
NGINX, Inc.
 
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法
NGINX, Inc.
 
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナー
NGINX, Inc.
 
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法
NGINX, Inc.
 
Get Hands-On with NGINX and QUIC+HTTP/3
NGINX, Inc.
 
Managing Kubernetes Cost and Performance with NGINX & Kubecost
NGINX, Inc.
 
Manage Microservices Chaos and Complexity with Observability
NGINX, Inc.
 
Accelerate Microservices Deployments with Automation
NGINX, Inc.
 
Unit 2: Microservices Secrets Management 101
NGINX, Inc.
 
Unit 1: Apply the Twelve-Factor App to Microservices Architectures
NGINX, Inc.
 
NGINX基本セミナー(セキュリティ編)~NGINXでセキュアなプラットフォームを実現する方法!
NGINX, Inc.
 
Easily View, Manage, and Scale Your App Security with F5 NGINX
NGINX, Inc.
 
NGINXセミナー(基本編)~いまさら聞けないNGINXコンフィグなど基本がわかる!
NGINX, Inc.
 
Keep Ahead of Evolving Cyberattacks with OPSWAT and F5 NGINX
NGINX, Inc.
 
Install and Configure NGINX Unit, the Universal Application, Web, and Proxy S...
NGINX, Inc.
 
Protecting Apps from Hacks in Kubernetes with NGINX
NGINX, Inc.
 
NGINX Kubernetes API
NGINX, Inc.
 
Installing and Configuring NGINX Open Source
NGINX, Inc.
 
Shift Left for More Secure Apps with F5 NGINX
NGINX, Inc.
 
Kubernetes環境で実現するWebアプリケーションセキュリティ
NGINX, Inc.
 
Software Delivery and the Rube Goldberg Machine: What Is the Problem We Are T...
NGINX, Inc.
 

Recently uploaded (20)

PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
System and Network Administration Chapter 2
jaramharo
 
AI in Product Development-omnex systems
omnex systems
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
Transform Your Business with a Software ERP System
Canada Software Company
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
history of c programming in notes for students .pptx
Vijayakumari829030
 

Best Practices for Getting Started with NGINX Open Source

  • 1. Best Practices for Getting Started with NGINX Open Source Alessandro Fael Garcia Senior Solutions Engineer – Community & Alliances
  • 2. ©2022 F5 2 Source: https://news.netcraft.com/archives/2022/06/30/june-2022-web-server-survey.html
  • 5. ©2022 F5 5 Use the NGINX Open Source official repository! https://nginx.org/en/linux_packages.html
  • 6. ©2022 F5 6 TIL • nginx –t → Check if NGINX configuration is valid • nginx –T → Dump full NGINX configuration • nginx –v → Print NGINX version • nginx –V → Print NGINX package config arguments • nginx –s <start/stop/reload> → Start NGINX; stop (kill) NGINX; reload NGINX configuration (gracefully) Key NGINX Commands
  • 7. ©2022 F5 7 /etc/nginx/nginx.conf • Main NGINX configuration file • Global settings • Contains sensible defaults (when installing NGINX from our official repositories) • Avoid modifying unless you know what you are doing (defaults will work out of the box for >80% of use cases) • Includes HTTP block (adding a Stream block is one of the few cases where you’d want to modify the file) /etc/nginx/conf.d/*.conf • Default directory for additional NGINX configuration files • By default, files here are contained within the HTTP context • default.conf includes sample configuration with the NGINX default landing page • Start with a single configuration file, split your configuration into further files as necessary Recommended NGINX Directory Structure Defaults? What defaults?!
  • 8. ©2022 F5 8 Use Let’s Encrypt and Certbot for easy certs! https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal
  • 10. ©2022 F5 10 nginx.conf nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; proxy_cache_lock on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; ... } } }
  • 11. ©2022 F5 11 worker_processes nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } Make sure you spawn one NGINX worker process per CPU core (default: 1)
  • 12. ©2022 F5 12 worker_connections & worker_rlimit_nofile nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } a) Increase the worker connections to >1024 (default: 512) b) Increase the limit on the maximum number of open files to at least twice the number of worker connections (default: system limit)
  • 13. ©2022 F5 13 access_log nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } • Turn off the access log for extra performance (default: on) or • Set a buffer or a time to only write logs at an interval (default: off)
  • 14. ©2022 F5 14 keepalive nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } Use keepalives to keep connections to upstream servers open (default: 0) → You will need to set HTTP to 1.1 and rewrite the Connection header
  • 15. ©2022 F5 15 ssl_session_cache nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } Cache and share your SSL sessions between all your NGINX processes (default: disabled)
  • 16. ©2022 F5 16 proxy_cache_lock nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } Send only one request to the upstream server when there are multiple cache misses for the same file (default: off)
  • 17. ©2022 F5 17 Recap nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 ... worker_processes auto; worker_rlimit_nofile 2048; ... events { worker_connections 1024; } http { access_log off; sendfile on; tcp_nopush on; ... upstream app { server w.x.y.z; keepalive 2; ... } server { access_log /var/log/nginx/access.log main buffer=512k flush=5m; ssl_session_cache shared:SSL:10m; ... location / { proxy_http_version 1.1; proxy_set_header Connection “”; proxy_pass http://app; proxy_cache_lock on; ... } } } • Make sure you spawn one NGINX worker process per CPU core (default: 1) • Increase the worker connections to >1024 (default: 512) • Increase the limit on the maximum number of open files to at least twice the number of worker connections (default: system limit) • Turn off the access log for extra performance (default: on) • Set a buffer or a time to only write logs at an interval (default: off) • Use keepalives to keep connections to upstream servers open (default: 0) → You will need to set HTTP to 1.1 and rewrite the Connection header • Cache and share your SSL sessions between all your NGINX processes (default: disabled) • Send only one request to the upstream server when there are multiple cache misses for the same file (default: off)
  • 18. ©2022 F5 18 Common NGINX Mistakes That we’ve all made at some stage
  • 19. ©2022 F5 19 error_log nginx.conf 1 2 3 ... error_log off; ... nginx.conf 1 2 3 ... error_log /dev/null emerg; ... Creates an error log named off Redirects error log data to /dev/null
  • 20. ©2022 F5 20 Directive inheritance is not additive nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 http { add_header HTTP_HEADER; ... server { add_header HTTP_HEADER; ... location / { add_header HTTP_HEADER; add_header LOCATION_HEADER: ... } } } Sets directive Inherits directive Overrides directive
  • 21. ©2022 F5 21 ip_hash nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 http { ... upstream { ip_hash; server 10.10.20.105:8080; server 10.10.20.106:8080; server 10.10.20.108:8080; } server { ... } } If all your traffic comes from the same CIDR block, use hash or any other load balancing algorithm instead
  • 22. ©2022 F5 22 proxy_buffering nginx.conf 1 2 3 4 http { proxy_buffering off; ... } Avoiding buffers might speed up the initial response to your client, but it might also saturate your open connections
  • 23. ©2022 F5 23 stub_status nginx.conf 1 2 3 4 5 6 server { ... location = /status { stub_status; } } nginx.conf 1 2 3 4 5 6 7 8 9 10 11 server { ... location = /status { satisfy any; auth_basic “closed site”; auth_basic_user_file conf.d/.htpasswd; allow 192.168.1.0/24; deny all; stub_status; } } Everyone can access your data Secure access to your data
  • 24. ©2022 F5 24 proxy_pass nginx.conf 1 2 3 4 5 6 7 8 9 10 http { ... server { ... location / { ... proxy_pass http://localhost:3000/; } } } nginx.conf 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 http { ... upstream node_backend { zone upstreams 64K; hash; server 127.0.0.1:3000 max_fails=1 fail_timeout=2s; server 127.0.0.1:5000 max_fails=1 fail_timeout=2s; keepalive 4; } server { ... location / { ... proxy_next_upstream error timeout http_500; proxy_pass http://node_backend/; } } } Proxy to an upstream server directly • Load balance • Upstream stats • Keepalives • Passive health checks • Define behavior if the upstream servers go down
  • 25. ©2022 F5 25 If is Evil Much Computationally Expensive! Very Segfaults 😱 If only works as intended if you use return or rewrite inside your if block
  • 26. ©2022 F5 26 • error_log off != turn off the error log • Directive inheritance is not additive • ip_hash does not work for addresses under the same CIDR block • proxy_buffering off might lead unexpected saturated connections • Beware of not properly securing your stat locations • It’s better to proxy_pass to upstream groups than directly to an upstream server • If. Is. Evil. Recap
  • 29. ©2022 F5 29 Further Resources • Performance-Tuning NGINX https://www.youtube.com/watch?v=YEdhuC2muOE • Best Practices for NGINX https://www.youtube.com/watch?v=pkHQCPXaimU • Avoiding the Top 10 NGINX Configuration Mistakes https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes • Tuning NGINX for Performance https://www.nginx.com/blog/tuning-nginx/