Weitere Ă€hnliche Inhalte Ăhnlich wie Best Practices for Getting Started with NGINX Open Source (20) Mehr von NGINX, Inc. (20) KĂŒrzlich hochgeladen (20) 1. Best Practices for Getting
Started with NGINX Open
Source
Alessandro Fael Garcia
Senior Solutions Engineer â Community & Alliances
2. ©2022 F5
2 Source: https://news.netcraft.com/archives/2022/06/30/june-2022-web-server-survey.html
5. ©2022 F5
5
Use the NGINX Open Source official repository!
https://nginx.org/en/linux_packages.html
6. ©2022 F5
6
TIL
âą nginx ât â Check if NGINX configuration is valid
âą nginx âT â Dump full NGINX configuration
âą nginx âv â Print NGINX version
âą nginx âV â Print NGINX package config arguments
âą nginx âs <start/stop/reload> â Start NGINX; stop (kill) NGINX; reload NGINX configuration (gracefully)
Key NGINX Commands
7. ©2022 F5
7
/etc/nginx/nginx.conf
âą Main NGINX configuration file
âą Global settings
âą Contains sensible defaults (when installing NGINX from our
official repositories)
âą Avoid modifying unless you know what you are doing
(defaults will work out of the box for >80% of use cases)
âą Includes HTTP block (adding a Stream block is one of the
few cases where youâd want to modify the file)
/etc/nginx/conf.d/*.conf
âą Default directory for additional NGINX configuration files
âą By default, files here are contained within the HTTP context
âą default.conf includes sample configuration with the NGINX
default landing page
âą Start with a single configuration file, split your configuration
into further files as necessary
Recommended NGINX Directory Structure
Defaults? What defaults?!
8. ©2022 F5
8
Use Letâs Encrypt and Certbot for easy certs!
https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal
12. ©2022 F5
12
worker_connections & worker_rlimit_nofile
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
...
worker_processes auto;
worker_rlimit_nofile 2048;
...
events {
worker_connections 1024;
}
http {
access_log off;
sendfile on;
tcp_nopush on;
...
upstream app {
server w.x.y.z;
keepalive 2;
...
}
server {
access_log /var/log/nginx/access.log main buffer=512k
flush=5m;
ssl_session_cache shared:SSL:10m;
...
location / {
proxy_http_version 1.1;
proxy_set_header Connection ââ;
proxy_pass http://app;
proxy_cache_lock on;
...
}
}
}
a) Increase the worker connections to >1024 (default: 512)
b) Increase the limit on the maximum number of open files
to at least twice the number of worker connections
(default: system limit)
17. ©2022 F5
17
Recap
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
...
worker_processes auto;
worker_rlimit_nofile 2048;
...
events {
worker_connections 1024;
}
http {
access_log off;
sendfile on;
tcp_nopush on;
...
upstream app {
server w.x.y.z;
keepalive 2;
...
}
server {
access_log /var/log/nginx/access.log main buffer=512k
flush=5m;
ssl_session_cache shared:SSL:10m;
...
location / {
proxy_http_version 1.1;
proxy_set_header Connection ââ;
proxy_pass http://app;
proxy_cache_lock on;
...
}
}
}
âą Make sure you spawn one NGINX worker process per
CPU core (default: 1)
âą Increase the worker connections to >1024 (default: 512)
âą Increase the limit on the maximum number of open files to
at least twice the number of worker connections (default:
system limit)
âą Turn off the access log for extra performance (default: on)
âą Set a buffer or a time to only write logs at an interval
(default: off)
âą Use keepalives to keep connections to upstream servers
open (default: 0) â You will need to set HTTP to 1.1 and
rewrite the Connection header
âą Cache and share your SSL sessions between all your
NGINX processes (default: disabled)
âą Send only one request to the upstream server when there
are multiple cache misses for the same file (default: off)
20. ©2022 F5
20
Directive inheritance is not additive
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
http {
add_header HTTP_HEADER;
...
server {
add_header HTTP_HEADER;
...
location / {
add_header HTTP_HEADER;
add_header LOCATION_HEADER:
...
}
}
}
Sets directive
Inherits directive
Overrides directive
23. ©2022 F5
23
stub_status
nginx.conf
1
2
3
4
5
6
server {
...
location = /status {
stub_status;
}
}
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
server {
...
location = /status {
satisfy any;
auth_basic âclosed siteâ;
auth_basic_user_file conf.d/.htpasswd;
allow 192.168.1.0/24;
deny all;
stub_status;
}
}
Everyone can access your data
Secure access to your data
24. ©2022 F5
24
proxy_pass
nginx.conf
1
2
3
4
5
6
7
8
9
10
http {
...
server {
...
location / {
...
proxy_pass http://localhost:3000/;
}
}
}
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
http {
...
upstream node_backend {
zone upstreams 64K;
hash;
server 127.0.0.1:3000 max_fails=1 fail_timeout=2s;
server 127.0.0.1:5000 max_fails=1 fail_timeout=2s;
keepalive 4;
}
server {
...
location / {
...
proxy_next_upstream error timeout http_500;
proxy_pass http://node_backend/;
}
}
}
Proxy to an upstream server directly
âą Load balance
âą Upstream stats
âą Keepalives
âą Passive health checks
âą Define behavior if the upstream servers go down
25. ©2022 F5
25
If is Evil
Much Computationally Expensive!
Very Segfaults đ±
If only works as intended if you use return or rewrite inside your if block
26. ©2022 F5
26
âą error_log off != turn off the error log
âą Directive inheritance is not additive
âą ip_hash does not work for addresses under the same CIDR block
âą proxy_buffering off might lead unexpected saturated connections
âą Beware of not properly securing your stat locations
âą Itâs better to proxy_pass to upstream groups than directly to an upstream server
âą If. Is. Evil.
Recap
29. ©2022 F5
29
Further Resources
âą Performance-Tuning NGINX https://www.youtube.com/watch?v=YEdhuC2muOE
âą Best Practices for NGINX https://www.youtube.com/watch?v=pkHQCPXaimU
âą Avoiding the Top 10 NGINX Configuration Mistakes https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes
âą Tuning NGINX for Performance https://www.nginx.com/blog/tuning-nginx/
