Group items tagged

Nginx is one of the most popular web servers in the world. It can successfully handle high loads with many concurrent client connections, and can easily function as a web server, a mail server, or a reverse proxy server.

The main server block directives that Nginx is concerned with during this process are the listen directive, and the server_name directive.

The listen directive typically defines which IP address and port that the server block will respond to.

Nginx translates all “incomplete” listen directives by substituting missing values with their default values so that each block can be evaluated by its IP address and port.

In any case, the port must be matched exactly.

If there are multiple server blocks with the same level of specificity matching, Nginx then begins to evaluate the server_name directive of each server block.

Nginx checks the request’s “Host” header. This value holds the domain or IP address that the client was actually trying to reach.

Nginx will first try to find a server block with a server_name that matches the value in the “Host” header of the request exactly.

If no exact match is found, Nginx will then try to find a server block with a server_name that matches using a leading wildcard (indicated by a * at the beginning of the name in the config).

If no match is found using a leading wildcard, Nginx then looks for a server block with a server_name that matches using a trailing wildcard (indicated by a server name ending with a * in the config)

If no match is found using a trailing wildcard, Nginx then evaluates server blocks that define the server_name using regular expressions (indicated by a ~ before the name).

If no regular expression match is found, Nginx then selects the default server block for that IP address and port.

If no modifiers are present, the location is interpreted as a prefix match.

=: If an equal sign is used, this block will be considered a match if the request URI exactly matches the location given.

~: If a tilde modifier is present, this location will be interpreted as a case-sensitive regular expression match.

~*: If a tilde and asterisk modifier is used, the location block will be interpreted as a case-insensitive regular expression match.

^~: If a carat and tilde modifier is present, and if this block is selected as the best non-regular expression match, regular expression matching will not take place.

Keep in mind that if this block is selected and the request is fulfilled using an index page, an internal redirect will take place to another location that will be the actual handler of the request

Keeping in mind the types of location declarations we described above, Nginx evaluates the possible location contexts by comparing the request URI to each of the locations.

Nginx begins by checking all prefix-based location matches (all location types not involving a regular expression).

First, Nginx looks for an exact match.

If no exact (with the = modifier) location block matches are found, Nginx then moves on to evaluating non-exact prefixes.

After the longest matching prefix location is determined and stored, Nginx moves on to evaluating the regular expression locations (both case sensitive and insensitive).

by default, Nginx will serve regular expression matches in preference to prefix matches.

regular expression matches within the longest prefix match will “jump the line” when Nginx evaluates regex locations.

The exceptions to the “only one location block” rule may have implications on how the request is actually served and may not align with the expectations you had when designing your location blocks.

The index directive always leads to an internal redirect if it is used to handle the request.

In the case above, if you really need the execution to stay in the first block, you will have to come up with a different method of satisfying the request to the directory.

one way of preventing an index from switching contexts, but it’s probably not useful for most configurations

the try_files directive. This directive tells Nginx to check for the existence of a named set of files or directories.

the rewrite directive. When using the last parameter with the rewrite directive, or when using no parameter at all, Nginx will search for a new matching location based on the results of the rewrite.

The error_page directive can lead to an internal redirect similar to that created by try_files.

when certain status codes are encountered.

Nginx is built to handle many concurrent connections at the same time.

provides you with flexibility in easily adding backend servers or taking them down as needed for maintenance

Proxying in Nginx is accomplished by manipulating a request aimed at the Nginx server and passing it to other servers for the actual processing

When a request matches a location with a proxy_pass directive inside, the request is forwarded to the URL given by the directive

The request coming from Nginx on behalf of a client will look different than a request coming directly from a client

Nginx gets rid of any empty headers

Nginx, by default, will consider any header that contains underscores as invalid. It will remove these from the proxied request

The "Host" header is re-written to the value defined by the $proxy_host variable.

The upstream should not expect this connection to be persistent

Headers with empty values are completely removed from the passed request.

by default, this will be set to the value of $proxy_host, a variable that will contain the domain name or IP address and port taken directly from the proxy_pass definition

This is selected by default as it is the only address Nginx can be sure the upstream server responds to

$http_host: Sets the "Host" header to the "Host" header from the client request.

preference to: the host name from the request line itself

set the "Host" header to the $host variable. It is the most flexible and will usually provide the proxied servers with a "Host" header filled in as accurately as possible

This variable takes the value of the original X-Forwarded-For header retrieved from the client and adds the Nginx server's IP address to the end.

Once defined, this name will be available for use within proxy passes as if it were a regular domain name

By default, this is just a simple round-robin selection process (each request will be routed to a different host in turn)

Specifies that new connections should always be given to the backend that has the least number of active connections.

distributes requests to different servers based on the client's IP address.

mainly used with memcached proxying

As for the hash method, you must provide the key to hash against

Server Weight

Nginx's buffering and caching capabilities

Without buffers, data is sent from the proxied server and immediately begins to be transmitted to the client.

With buffers, the Nginx proxy will temporarily store the backend's response and then feed this data to the client

Nginx defaults to a buffering design

can be set in the http, server, or location contexts.

the sizing directives are configured per request, so increasing them beyond your need can affect your performance

When buffering is "off" only the buffer defined by the proxy_buffer_size directive will be used

A high availability (HA) setup is an infrastructure without a single point of failure, and your load balancers are a part of this configuration.

multiple load balancers (one active and one or more passive) behind a static IP address that can be remapped from one server to another.

Nginx also provides a way to cache content from backend servers

proxy_cache backcache;

The proxy_cache_bypass directive is set to the $http_cache_control variable. This will contain an indicator as to whether the client is explicitly requesting a fresh, non-cached version of the resource

For private content, you should set the Cache-Control header to "no-cache", "no-store", or "private" depending on the nature of the data

contexts can be layered within one another

The children contexts can override these values at will

Nginx will error out on reading a configuration file with directives that are declared in the wrong context.

The most general context is the "main" or "global" context

Any directive that exist entirely outside of these blocks is said to inhabit the "main" context

The main context represents the broadest environment for Nginx configuration.

The "events" context is contained within the "main" context. It is used to set global options that affect how Nginx handles connections at a general level.

Nginx uses an event-based connection processing model, so the directives defined within this context determine how worker processes should handle connections.

the connection processing method is automatically selected based on the most efficient choice that the platform has available

a worker will only take a single connection at a time

When configuring Nginx as a web server or reverse proxy, the "http" context will hold the majority of the configuration.

fine-tune the TCP keep alive settings (keepalive_disable, keepalive_requests, and keepalive_timeout)

multiple declarations

each instance defines a specific virtual server to handle client requests

Each client request will be handled according to the configuration defined in a single server context, so Nginx must decide which server context is most appropriate based on details of the request.

listen: The ip address / port combination that this server block is designed to respond to.

server_name: This directive is the other component used to select a server block for processing.

configure files to try to respond to requests (try_files)

issue redirects and rewrites (return and rewrite)

set arbitrary variables (set)

Location contexts share many relational qualities with server contexts

multiple location contexts can be defined, each location is used to handle a certain type of client request, and each location is selected by virtue of matching the location definition against the client request through a selection algorithm

Location blocks live within server contexts and, unlike server blocks, can be nested inside one another.

The request URI is the portion of the request that comes after the domain name or IP address/port combination.

New directives at this level allow you to reach locations outside of the document root (alias), mark the location as only internally accessible (internal), and proxy to other servers or locations (using http, fastcgi, scgi, and uwsgi proxying).

These can then be used to do A/B testing by providing different content to different hosts.

configures Perl handlers for the location they appear in

set the value of a variable depending on the value of another variable

used to map MIME types to the file extensions that should be associated with them.

this context defines a named pool of servers that Nginx can then proxy requests to

The upstream context can then be referenced by name within server or location blocks to pass requests of a certain type to the pool of servers that have been defined.

function as a high performance mail proxy server

The mail context is defined within the "main" or "global" context (outside of the http context).

Nginx has the ability to redirect authentication requests to an external authentication server

the if directive in Nginx will execute the instructions contained if a given test returns "true".

The limit_except context is used to restrict the use of certain HTTP methods within a location context.

The result of the above example is that any client can use the GET and HEAD verbs, but only clients coming from the 192.168.1.1/24 subnet are allowed to use other methods.

Many directives are valid in more than one context

Declaring at higher levels provides you with a sane default

Nginx already engages in a well-documented selection algorithm for things like selecting server blocks and location blocks.

incorrect requests can get by with a redirect rather than a rewrite, which should execute with lower overhead.

A build system, git, and development headers for many popular libraries, so that the most popular Ruby, Python and Node.js native extensions can be compiled without problems.

Nginx 1.18. Disabled by default

production-grade features, such as process monitoring, administration and status inspection.

Redis 5.0. Not installed by default.

The image has an app user with UID 9999 and home directory /home/app. Your application is supposed to run as this user.

Passenger works like a mod_ruby, mod_nodejs, etc. It changes Nginx into an application server and runs your app from Nginx.

placing a .conf file in the directory /etc/nginx/sites-enabled

The best way to configure Nginx is by adding .conf files to /etc/nginx/main.d and /etc/nginx/conf.d

To preserve these variables, place an Nginx config file ending with *.conf in the directory /etc/nginx/main.d, in which you tell Nginx to preserve these variables.

By default, Phusion Passenger sets all of the following environment variables to the value production

PASSENGER_APP_ENV environment variable

passenger-docker autogenerates an Nginx configuration file (/etc/nginx/conf.d/00_app_env.conf) during container boot.

The configuration file is in /etc/redis/redis.conf. Modify it as you see fit, but make sure daemonize no is set.

You can add additional daemons to the image by creating runit entries.

the shell script must run the daemon without letting it daemonize/fork it.

We use RVM to install and to manage Ruby interpreters.

$upstream_response_time – Time between establishing a connection to an upstream server and receiving the last byte of the response body

capture timings in the application itself and include them as response headers, which NGINX then captures in its access log.

$upstream_header_time – Time between establishing a connection to an upstream server and receiving the first byte of the response header

support multiple virtual hosts for a container

to connect to your backend using HTTPS instead of HTTP, set VIRTUAL_PROTO=https on the backend container.

The contents of /path/to/certs should contain the certificates and private keys for any virtual hosts in use.

to replace the default proxy settings for the nginx container, add a configuration file at /etc/nginx/proxy.conf

The default configuration blocks the Proxy HTTP request header from being sent to downstream servers

add your configuration file under /etc/nginx/conf.d using a name ending in .conf

If your container exposes multiple ports, nginx-proxy will default to the service running on port 80. If you need to specify a different port, you can set a VIRTUAL_PORT env var to select a different one.

To add settings on a per-VIRTUAL_HOST basis, add your configuration file under /etc/nginx/vhost.d

SNI

The default behavior for the proxy when port 80 and 443 are exposed is as follows: If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS is always preferred when available. If the container does not have a usable cert, a 503 will be returned.

Client body and buffers are key because nginx must buffer incoming data.

The clean setting frees up memory and consumption limits by instructing nginx to store incoming buffer in a file and then clean this file later from disk by deleting it.

we like HTTPS/non-www since HTTPS is needed for current browsers and non-www is short.

visit the Mozilla TLS Generator to get the latest cipher suites and TLS versions

add the necessary headers for GeoIP and proper logging.

HTML5 SSE simpler than websockets

nginx -t

Scan your site with SSL Labs scan

nginx template can be used to generate a reverse proxy configuration for docker containers using virtual hosts for routing.

Vegeta was designed to be run on the command line; it reads from stdin a list of HTTP transactions to generate, and sends results in binary format to stdout,

Vegeta is a really strong tool that caters to people who want a tool to test simple, static URLs (perhaps API end points) but also want a bit more functionality.

Vegeta can even be used as a Golang library/package if you want to create your own load testing tool.

Wrk is so damn fast

being fast and measuring correctly is about all that Wrk does

k6 is scriptable in plain Javascript

k6 is average or better. In some categories (documentation, scripting API, command line UX) it is outstanding.

Jmeter is a huge beast compared to most other tools.

Siege is a simple tool, similar to e.g. Apachebench in that it has no scripting and is primarily used when you want to hit a single, static URL repeatedly.

A good way of testing the testing tools is to not test them on your code, but on some third-party thing that is sure to be very high-performing.

use a tool like e.g. top to keep track of Nginx CPU usage while testing. If you see just one process, and see it using close to 100% CPU, it means you could be CPU-bound on the target side.

If you see multiple Nginx processes but only one is using a lot of CPU, it means your load testing tool is only talking to that particular worker process.

Network delay is also important to take into account as it sets an upper limit on the number of requests per second you can push through.

If, say, the Nginx default page requires a transfer of 250 bytes to load, it means that if the servers are connected via a 100 Mbit/s link, the theoretical max RPS rate would be around 100,000,000 divided by 8 (bits per byte) divided by 250 => 100M/2000 = 50,000 RPS. Though that is a very optimistic calculation - protocol overhead will make the actual number a lot lower so in the case above I would start to get worried bandwidth was an issue if I saw I could push through max 30,000 RPS, or something like that.

Wrk managed to push through over 50,000 RPS and that made 8 Nginx workers on the target system consume about 600% CPU.

ngress controller helps to consolidate routing rules of multiple applications into one entity.

cloud load balancers are not necessary. Load balancer can also be implemented with MetalLB, which can be deployed in the same Kubernetes cluster.

Installing NGINX using NodePort is the most simple example for Ingress Controller as we can avoid the load balancer dependency. NodePort is used for exposing the NGINX Ingress to the external network.

A sidecar proxy is a proxy instance that’s dedicated to a specific service instance.

The container management framework keeps a list of instances that are ready to receive requests.

The service mesh can encrypt and decrypt requests and responses

a service mesh application also includes a monitoring and management layer, called the control plane.

Service mesh architectures are not ever likely to be the answer to all application development and delivery problems

cert-manager mainly uses two different custom Kubernetes resources - known as CRDs - to configure and control how it operates, as well as to store state. These resources are Issuers and Certificates.

using annotations on the ingress with ingress-shim or directly creating a certificate resource.

a typo will result in the ingress-nginx-controller falling back to its self-signed certificate.

Apache/Nginx + FastCGI + PHP-FPM(+PHP-CGI)