Nginx Workshop Aftermath

My upcoming presentation for Kiev.PM meeting

Published in: Technology

1. Nginx Workshop Aftermath
   Kiev.PM technical meeting, 16th Feb 2012
   Denis Zhdanov <denis.zhdanov@gmail.com>
2. Disclaimer
   May 29, 2010 - Nginx workshop by Igor Sysoev, organized by SmartMe
   (http://www.smartme.com.ua/nginx-workshop/). Thanks Igor, thanks SmartMe.
   Based on the workshop, but Nginx has changed since then, so caching and many
   other things are documented on the website now (http://wiki.nginx.org);
   I add some things of my own.
   "Scooter is ... ?"
3. Nginx / Apache - why do we need which?
   1. Static files
   2. Proxying / slow clients (no dialup any more, but mobile)
   Why Apache is bad / Nginx is good - the size of a worker.
   Apache is prefork: 1 process/thread per request - too expensive.
   Nginx - process/thread also, but event driven.
4. Nginx is fast?
   "Nginx is not fast - but scalable" (c) Igor Sysoev.
   Tens and hundreds of thousands of requests per worker - quite fast, but
   Apache can do this also - with much more resources.
   Nginx also has a SCALABLE configuration. What does that mean?
5. How can we configure Apache?
   1. .htaccess / rewrite rules - ugly, but the only way on shared hostings
      (I hope they are all gone now :) )
   2. Virtual hosts - but the global (default) server configuration could mess
      everything up.
   3. Virtual hosts, with a default server that does nothing (deny all, for example)
6. locations
      location /images/
      location = /
      location ^~ /images/      - plain strings, no order
      location ~ \.php
      location ~* \.php         - regexp rules, ordered
      location @php             - named
7. plain vs regexp
      location /
      location /admin/
   VS                           - no difference!
      location /admin/
      location /
   But regexp is ordered, so ...
8.    location ~* \.(gif|jpe?g|png)$ {
          root /var/www/images/;
      }
      location ~* \.php$ {
          fastcgi_pass ...;
      }
      location /images/ {
          root /var/www/images/;
      }
      location /scripts/ {
          fastcgi_pass ...;
      }
9. Real example
      location / {
          if ($uri ~ ^/login\.php$) { ... }
          if ($uri ~ ^/admin/) { ... }
      }
10. Nested locations
      location /images/ {
          root /var/www/images;
      }
      location /admin/ {
          location ~ ^/admin/.*\.php$ {
              fastcgi_pass ...;
          }
      }
      ...
11. Directives: declarative vs runtime
    Declarative - no ordering, inheritance
      proxy_connect_timeout 25s;
      server {
          location / { }
          location = / { }
          location = /x {
              proxy_pass http://backend;
          }
          root /var/www/;
      }
12. Runtime directives
    Run every time, no inheritance!
      if (....) {
          set ...
          rewrite ...
          break
          return ....
      }
13. Bad examples
      location /images/ {
          root /var/www/images/;
          break;               # <---- WHY???
      }
      if (-e $request_filename) {
          expires 1y;
          break;               # totally wrong!!
      }
14. Igor says: Do not use rewrites! :)
      if (...) {
          return 403;          # good usage
      }
      location ~ ^/images/(.+)$ {
          root /var/www/img/$1;   # bad
      }
    Why?
15. Root semantic VS alias semantic
    GET /images/test/one.jpg
      location /images/ {
          root /var/www/;          # path - /var/www/images/test/one.jpg
      }
      location /images/ {
          alias /var/www/img/;     # path - /var/www/img/test/one.jpg
      }
16. Alias instead of root
      location /images/ {
          alias /var/www/images/;
      }
      location /images/ {
          root /var/www;
      }
17. Alias and root with variables
    GET /images/one.jpg
      location /images/ {
          root /var/www/$host;
      }   # real path - /var/www/SITE/images/one.jpg
      location ~ ^/images/(.)(.+)$ {
          alias /var/www/img/$1/$1$2;
      }   # real path - /var/www/img/o/one.jpg
    Alias makes the complete path, no replacement.
    MUST use $1/$2 if the location contains captures.
18. proxy_pass semantic
    GET /images/test/one.jpg
      location /images/ {
          proxy_pass http://backend;         # <-- no URI
      }   # Root semantic - GET http://backend/images/test/one.jpg
      location /images/ {
          proxy_pass http://backend/img/;
      }   # Alias semantic - GET http://backend/img/test/one.jpg
19. proxy_pass with variables
    GET /images/one.jpg
      location ~ ^/images/(.)(.+)$ {
          proxy_pass http://backend/$1/$1$2;
      }   # --> http://backend/o/one.jpg
          # Alias semantic, but the path is replaced
      location ~ ^/images/(.).+$ {
          proxy_pass http://$1;              # not part of the URI
      }   # --> http://o/images/one.jpg
          # Root semantic
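To make the root vs alias rule of slides 15-17 concrete, here is an added Python emulation of the path mapping (my own code, not from the slides; the `resolve` helper, its argument names and the "~ regexp" location notation are assumptions of this example):

```python
import re

def _subst(template, values):
    """Replace $1, $2, $host, ... in an nginx directive value."""
    return re.sub(r"\$(\w+)", lambda m: values.get(m.group(1), ""), template)

def resolve(uri, location, directive, value, variables=None):
    """Emulate how nginx maps a request URI to a filesystem path.

    location  : "/images/" (prefix) or "~ ^/images/(.)(.+)$" (regexp with captures)
    directive : "root" or "alias"
    value     : the directive argument; may use $1.. captures and $variables
    variables : request variables such as {"host": "SITE"}
    """
    values = dict(variables or {})
    if location.startswith("~"):
        m = re.match(location[1:].strip(), uri)
        if not m:
            raise ValueError("location does not match " + uri)
        # captures become $1, $2, ... for the directive value
        values.update({str(i + 1): g for i, g in enumerate(m.groups())})
        prefix = None
    else:
        if not uri.startswith(location):
            raise ValueError("location does not match " + uri)
        prefix = location
    path = _subst(value, values)
    if directive == "root":
        # root semantic: the whole URI is appended to the root directory
        return path.rstrip("/") + uri
    if directive == "alias" and prefix is not None:
        # prefix alias: the matched prefix is replaced by the alias directory
        return path + uri[len(prefix):]
    if directive == "alias":
        # regexp alias: the value is the complete path, so it MUST use the captures
        return path
    raise ValueError("unknown directive " + directive)

if __name__ == "__main__":
    print(resolve("/images/test/one.jpg", "/images/", "root", "/var/www/"))
    print(resolve("/images/one.jpg", "~ ^/images/(.)(.+)$", "alias", "/var/www/img/$1/$1$2"))
```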
20. location handlers
    proxy_pass, fastcgi_pass, memcached_pass, empty_gif, flv, stub_status, perl
    trailing slash    - random index / index / autoindex
    no trailing slash - gzip static / static
21. Why "if" is bad - it's a "location" too
      gzip on;
      keepalive on;
      if ($no_gzip) {
          gzip off;            # gzip off
      }
      if ($no_keepalive) {
          keepalive off;       # gzip on, keepalive off
      }
      # gzip on, keepalive on
22. Fix - but it's not recommended
      gzip on;
      keepalive on;
      if ($no_gzip) {
          gzip off;
          break;
      }
      if ($no_keepalive) {
          keepalive off;
          break;
      }
23. Caching
24. A couple of caveats
    from my Apache to Nginx migration
25. Migration from Apache to Nginx
    Apache:
      RewriteCond %{HTTP_HOST} ^site.com$ [NC]
      RewriteRule ^(.*)$ http://www.site.com/$1 [R=301,L]
      # www redirect, common stuff out there
    Nginx:
      if ($host = site.com) {
          rewrite ^(.*)$ http://www.site.com/$1 permanent;   # MY EYES!!!
      }
26. Right way to do it
    Apache:
      RewriteCond %{HTTP_HOST} ^site.com$ [NC]
      RewriteRule ^(.*)$ http://www.site.com/$1 [R=301,L]
      # www redirect, common stuff out there
    Nginx:
      server {
          server_name site.com;
          rewrite ^ http://www.site.com$request_uri? permanent;   # NOT BAD
      }
27. Another common thing
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteRule .* index.php
    # right way
      location / {
          try_files $uri $uri/ /index.php$is_args$args;
      }
28. FCGI security caveat
      location ~* \.php$ {
          fastcgi_pass 127.0.0.1:9000;
          fastcgi_param SCRIPT_FILENAME $script;
          fastcgi_param PATH_INFO $path_info;
          ....
      }
    This PHP app supports uploading files...
    Do you notice the possible security breach? :)
29. PATHINFO links
    GET /index.php/article/0001 =>
      SCRIPT_NAME = 0001
      PATH_INFO = /index.php/article/      - WRONG
    Fix pathinfo magic -
      SCRIPT_NAME = index.php
      PATH_INFO = /article/0001
30. GET /upload/evil.jpg/notexist.php
      SCRIPT_NAME = notexist.php
      PATH_INFO = /upload/evil.jpg/
    cgi.fix_pathinfo = 1 (yep, it's the default) - if SCRIPT_NAME is not found, let's "FIX" it:
      SCRIPT_NAME = evil.jpg
      PATH_INFO = /notexist.php
    Let's RUN evil.jpg! :)
31. Solution
      location ~* \.php$ {
          try_files $uri =404;
          fastcgi_pass 127.0.0.1:9000;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_path_info;
          ....
      }
    - if you do not need PATHINFO links, OR
32. Use fastcgi_split_path_info
      location ~* ^(.+\.php)(.*)$ {
          fastcgi_split_path_info ^(.+\.php)(.*)$;
          fastcgi_pass 127.0.0.1:9000;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_path_info;
      }
    GET /index.php/article/0001 =>
      SCRIPT_FILENAME = index.php, PATH_INFO = /article/0001
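As an added illustration (my own Python model, not part of the slides), this emulates the split from slide 32 together with PHP's cgi.fix_pathinfo walk-back from slide 30. It shows that the split alone still hands /upload/evil.jpg/notexist.php to PHP, which walks back to evil.jpg; the check modelled by `check_script_exists`, i.e. `try_files $fastcgi_script_name =404;` after `fastcgi_split_path_info` (or cgi.fix_pathinfo=0 on the PHP side), is what stops it. The document root and file set are constructed for the demo.

```python
import re
import posixpath

DOCROOT = "/var/www"
# Constructed document tree for the demo; not a real filesystem.
EXISTING_FILES = {"/var/www/index.php", "/var/www/upload/evil.jpg"}

def nginx_split(uri):
    # fastcgi_split_path_info ^(.+\.php)(.*)$ -> ($fastcgi_script_name, $fastcgi_path_info)
    m = re.match(r"^(.+\.php)(.*)$", uri)
    return (m.group(1), m.group(2)) if m else None

def php_fix_pathinfo(script_filename, path_info):
    """Emulate PHP with cgi.fix_pathinfo=1: if SCRIPT_FILENAME does not exist,
    walk it back to the nearest existing file and treat the rest as PATH_INFO."""
    if script_filename in EXISTING_FILES:
        return script_filename, path_info
    path, extra = script_filename, ""
    while path not in ("", "/"):
        path, tail = posixpath.split(path)
        extra = "/" + tail + extra
        if path in EXISTING_FILES:
            return path, extra
    return None

def handle(uri, check_script_exists):
    """Return ("run", script, path_info) or ("404", None, None) for a request to uri.
    check_script_exists models `try_files $fastcgi_script_name =404` in the location."""
    split = nginx_split(uri)
    if split is None:
        return ("404", None, None)
    script_name, path_info = split
    script_filename = DOCROOT + script_name
    if check_script_exists and script_filename not in EXISTING_FILES:
        return ("404", None, None)   # refused by nginx, PHP never sees it
    resolved = php_fix_pathinfo(script_filename, path_info)
    if resolved is None:
        return ("404", None, None)
    return ("run",) + resolved

if __name__ == "__main__":
    print(handle("/index.php/article/0001", True))
    print(handle("/upload/evil.jpg/notexist.php", False))   # split alone: runs evil.jpg
    print(handle("/upload/evil.jpg/notexist.php", True))    # with the check: 404
```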
33. Please check
    http://wiki.nginx.org/Pitfalls - lots of stuff there
34. Nginx optimization
    Just a couple of words
35. Case 1. Big static files
    What is a BIG file? Size > 2Mb (mp3, zip, iso etc.)
    a) RAID - use a big stripe size (>128K)
    b) output_buffers 1 1m;   # needs tuning
    c) AIO:
       FreeBSD:
         sendfile on;
         aio sendfile;
       Linux:
         aio on;
         directio 512;   # required, but disables sendfile() for these files
36. Case 2. Lots of small files
    a) There is NO MAGIC: hot files must reside in the RAM cache, or else... it will be slow.
    b) Tune open_file_cache.
       FreeBSD: see dirhash, vfs.ufs.dirhash_maxmem
37. Common highload advice
    a) tune hardware and OS - disks, NICs, OS limitations (open files, limits, network stack etc.)
       worker_rlimit_nofile + kern.maxfiles / kern.maxfilesperproc (FreeBSD) + fs.file-max (Linux)
    b) tune workers (number / threads). Start from the number of CPUs or disks.
    c) sendfile, tcp_nopush, tcp_nodelay - ?
    d) timeouts, keepalive, reset_timedout_connection on - check http://calomel.org/nginx.html
38. Case 3. Light DDoS fighting
    What is a "light" DDoS?
    1) 1000 - 5000 - 7000 bots max.
    2) HTTP GET/HEAD/POST, e.g. GET /script.php?<random>
    3) "slowpoke" - the attack vector changes slowly (it takes a long time).
    4) "dumb" - dumb behaviour can be detected: no/bad referrers, no redirects,
       bad/same or missing HTTP headers etc.
    REMOVE NGINX FROM AUTOSTART !!!!
39. a) "Heavy" (e.g. search) scripts flood
      http {
          ...
          limit_req_zone $binary_remote_addr zone=SLOW:10m rate=1r/s;
          # 64 bytes per record, 16000 records per MB, 503 error if overflow!
          ...
          location = /search.php {
              limit_req zone=SLOW burst=2;
              proxy_pass ....;
          }
          ...
      }
40. b) "flooders" detection
      error_log /var/log/nginx/error.log;
      limit_conn_zone $binary_remote_addr zone=CONN:10m;
      ...
      location = /attacked_url {
          limit_conn CONN 4;    # 4-8, but beware of proxies!
          ....
      }
    grep "limiting connections by zone" | grep "/attacked_url" | awk ... - get the
    list of them and add it to the firewall (ipset)
    Beware - you can easily "shoot yourself in the foot"!
41. c) Geo limiting
    Compile the geoip module with --with-http_geoip_module first.
      http {
          geoip_country /usr/local/nginx/etc/GeoIP.dat;
          map $geoip_country_code $bad_country {
              default 0;
              include /usr/local/nginx/etc/bad_countries;
          }
          server {
              ....
              if ($bad_country) {
                  return 403;
              }
          }
      }
    bad_countries:
      CN 1;
      TZ 1;
      ...
42. d) Aggressive caching
    "Slow is better than dead"
      location = / {
          rewrite ^ /main.html last;
      }
      # main.html - temporary static page with a link to the real home
      location = /main.html {
          internal;
          root /var/nginx/cache/;
          error_page 404 = /cached$uri;
      }
      location /cached/ {
          internal;
          alias /var/nginx/cache/;
          proxy_pass http://backend;
          proxy_store on;
          proxy_temp_path /var/nginx/tmp/;
      }
43. The END
    Please check http://wiki.nginx.org - many nice things there. :)
    Questions?
