SlideShare a Scribd company logo

1.3 Introduction-To-Nginx-Slides.pptx

Download as PPTX, PDF
A
AbdulazizAljbri3

Introduction-To-Nginx-Slides

Education
1 of 31
Introduction to NGINX NGINX Web Server / Reverse Proxy husseinnasser.com
Agenda ● What is NGINX? ● Current & Desired Architecture ● Layer 4 and Layer 7 Proxying in NGINX ● TLS Termination vs TLS Passthrough ● Timeouts in NGINX ● Example ○ NGINX as a Web Server, Layer 7 and Layer 4 Proxy ○ Enable HTTPS, TLS 1.3 & HTTP/2 on NGINX ● Summary
What is NGINX?
What is NGINX? ● Web Server ○ Serves web content ● Reverse Proxy ○ Load Balancing ○ Backend Routing ○ Caching ○ API Gateway
Current vs Desired Architecture
Current Architecture GET /employees JSON { } GET /employees JSON { } GET /employees JSON { } db:5432 http:3001
Desired Architecture http:3001 GET /employees JSON { } GET /employees JSON { } GET /employees JSON { } db:5432 NGINX HTTPS:443 h/2 http:3002 http:3003 Frontend Backend
NGINX Layer 4 vs Layer 7 proxying
Layer 4 and Layer 7 ● Layer 4/7 refers to OSI model layers ● In Layer 4 we see TCP/IP stack only nothing about the app, we have access to ○ Source IP, Source Port ○ Destination IP, Destination Port ○ Simple packet inspection (SYN/TLS hello) ● In Layer 7 we see the application, HTTP/ gRPC etc.. ○ We have access to more context ○ I know where the client is going, which page they are visiting ○ Require decryption
Layer 4 and Layer 7 proxying in NGINX ● NGINX can operate in Layer 7 (e.g. http) or Layer 4 (tcp) ● Layer 4 proxying is useful when NGINX doesn’t understand the protocol (MySQL database protocol) ● Layer 7 proxying is useful when NGINX want to share backend connections and cache results ● Using stream context it becomes a layer 4 proxy ● Using http context it becomes a layer 7 proxy
TLS Termination vs TLS Passthrough
TLS ● TLS stands for Transport Layer Security ● It is a way to establish end-to-end encryption between one another ● Symmetric encryption is used for communication (client/server has the same key) ● Asymmetric encryption is used initially to exchange the symmetric key (diffie hellman) ● Server (sometimes even the client) need to authenticate themselves by supplying a certificate signed by a certificate authority
TLS Termination ● NGINX has TLS (e.g. HTTPS) backend is not ( HTTP ) ● NGINX terminates TLS and decrypts and send unencrypted. ● NGINX is TLS and backend is also TLS ( HTTPS ) ● NGINX terminates TLS, decrypted, optionally rewrite and then re- encrypt the content to the backend. ● NGINX NGINX can look at the L7 data, re-write headers, cache but needs to share the backend certificate or at least has its own
TLS Passthrough ● Backend is TLS ● NGINX proxies/streams the packets directly to the backend. ● The TLS handshake is forwarded all the way to the backend. ● Just like a tunnel ● No caching, L4 check only, but more secure, NGINX doesn’t need the backend certificate.
NGINX Timeouts
NGINX Timeouts Frontend Timeouts ● client_header_timeout ● client_body_timeout ● send_timeout ● keepalive_timeout ● lingering_timeout ● resolver_timeout Backend Timeouts ● proxy_connect_timeout ● proxy_send_timeout ● proxy_read_timeout ● keepalive_timeout ● proxy_next_upstream_timeout
NGINX Frontend Timeouts Frontend Timeouts ● client_header_timeout ● client_body_timeout ● send_timeout ● keepalive_timeout ● lingering_timeout ● resolver_timeout
client_header_timeout Defines a timeout for reading client request header. If a client does not transmit the entire header within this time, the request is terminated with the 408 (Request Time-out) error. Default 60s GET / HTTP/1.1 . . . content-length:13 content-type:app/json > 60 s Close connection
client_body_timeout Defines a timeout for reading client request body. The timeout is set only for a period between two successive read operations, not for the transmission of the whole request body. If a client does not transmit anything within this time, the request is terminated with the 408 (Request Time-out) error. Default 60s POST / HTTP/1.1 content-length:1M content-type :text . . . body:this is a I’m going to take time.. > 60 s Close connection A very large file..
send_timeout Sets a timeout for transmitting a response to the client. The timeout is set only between two successive write operations, not for the transmission of the whole response. If the client does not receive anything within this time, the connection is closed. (Default 60s) GET / HTTP/1.1 content-length:13 content-type :text . . . > 60 s Close connection Here is the very very... Large response that.
keepalive_timeout The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field. Two parameters may differ. (default 75 seconds) GET / HTTP/1.1 Connection: keep-alive . . . > 75 s Close connection
lingering_timeout When lingering_close is in effect, this directive specifies the maximum waiting time for more client data to arrive. If data are not received during this time, the connection is closed. Otherwise, the data are read and ignored, and nginx starts waiting for more data again. The “wait-read-ignore” cycle is repeated, but no longer than specified by the lingering_time directive. GET / . . . > 60 s Close connection Physical close FIN
resolver_timeout Sets a timeout for name resolution, 30 seconds GET / HTTP/1.1 Connection: keep-alive . . . > 30 s server1.test.com What is the IP of server1.test.com?
NGINX Backend Timeouts Backend Timeouts ● proxy_connect_timeout ● proxy_send_timeout ● proxy_read_timeout ● keepalive_timeout ● proxy_next_upstream_timeout
proxy_connect_timeout Defines a timeout for establishing a connection with a proxied server. It should be noted that this timeout cannot usually exceed 75 seconds. . . . > 60 s server1.test.com Connecting to server1.test.com
proxy_send_timeout Sets a timeout for transmitting a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed. server1.test.com POST / HTTP/1.1 content-length:1M content-type :text body:this is a I’m going to take time.. A very large file.. POST / HTTP/1.1 content-length:1M content-type :text . . . body:this is a > 60 s Close connection A very large file.. Note (body_timeout may trigger before) so we don’t even bother the backend..
proxy_read_timeout Defines a timeout for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxied server does not transmit anything within this time, the connection is closed. GET / HTTP/1.1 content-length:13 content-type :text . . . Here is the very very... Large response that. Note (send_timeout may trigger before or after) . . . > 60 s
proxy_next_upstream_timeout Limits the time during which a request can be passed to the next server. The 0 value turns off this limitation. Default 0 GET /
Keepalive_timeout (Backend) Sets a timeout during which an idle keepalive connection to an upstream server will stay open. Connect idle.. > 60 s Close connection
Example ● Install NGINX (mac) ● NGINX as a Web Server ● NGINX as a Layer 7 Proxy ○ Proxy to 4 backend NodeJS services (docker) ○ Split load to multiple backends (app1/app2) ○ Block certain requests (/admin) ● NGINX as a Layer 4 Proxy ● Enable HTTPS on NGINX (lets encrypt) ● Enable TLS 1.3 on NGINX ● Enable HTTP/2 on NGINX
Summary ● What is NGINX? ● Current & Desired Architecture ● Layer 4 and Layer 7 Proxying in NGINX ● TLS Termination vs TLS Passthrough ● Timeouts in NGINX ● Example ○ NGINX as a Web Server, Layer 7 Proxy & Layer 4 Proxy ○ Enable HTTPS, TLS 1.3 & HTTP/2 on NGINX ● Summary

Recommended

Nginx
NginxNginx
Nginx
Dhrubaji Mandal ♛
 
Nginx dhruba mandal
Nginx dhruba mandalNginx dhruba mandal
Nginx dhruba mandal
Dhrubaji Mandal ♛
 
HTTP
HTTPHTTP
HTTP
altaykarakus
 
HAProxy as Egress Controller
HAProxy as Egress ControllerHAProxy as Egress Controller
HAProxy as Egress Controller
Julien Pivotto
 
NGINX Installation and Tuning
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and Tuning
NGINX, Inc.
 
Socket programming, and openresty
Socket programming, and openrestySocket programming, and openresty
Socket programming, and openresty
Tavish Naruka
 
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebLinux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
All Things Open
 
Http caching
Http cachingHttp caching
Http caching
Samsarabbi
 

Recommended

Nginx
NginxNginx
Nginx
Dhrubaji Mandal ♛
 
Nginx dhruba mandal
Nginx dhruba mandalNginx dhruba mandal
Nginx dhruba mandal
Dhrubaji Mandal ♛
 
HTTP
HTTPHTTP
HTTP
altaykarakus
 
HAProxy as Egress Controller
HAProxy as Egress ControllerHAProxy as Egress Controller
HAProxy as Egress Controller
Julien Pivotto
 
NGINX Installation and Tuning
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and Tuning
NGINX, Inc.
 
Socket programming, and openresty
Socket programming, and openrestySocket programming, and openresty
Socket programming, and openresty
Tavish Naruka
 
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure WebLinux HTTPS/TCP/IP Stack for the Fast and Secure Web
Linux HTTPS/TCP/IP Stack for the Fast and Secure Web
All Things Open
 
Http caching
Http cachingHttp caching
Http caching
Samsarabbi
 
Web performance mercadolibre - ECI 2013
Web performance mercadolibre - ECI 2013Web performance mercadolibre - ECI 2013
Web performance mercadolibre - ECI 2013
Santiago Aimetta
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
Muhammad Moinur Rahman
 
Http/2
Http/2Http/2
Http/2
GeekNightHyderabad
 
Go 1.8 'new' networking features
Go 1.8 'new' networking featuresGo 1.8 'new' networking features
Go 1.8 'new' networking features
strikr .
 
Web performance optimization - MercadoLibre
Web performance optimization - MercadoLibreWeb performance optimization - MercadoLibre
Web performance optimization - MercadoLibre
Pablo Moretti
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEATLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
NGINX, Inc.
 
Think async
Think asyncThink async
Think async
Bhakti Mehta
 
Internet
InternetInternet
Internet
Jack Nicole
 
What’s New in NGINX Plus R15? - EMEA
What’s New in NGINX Plus R15? - EMEAWhat’s New in NGINX Plus R15? - EMEA
What’s New in NGINX Plus R15? - EMEA
NGINX, Inc.
 
HTTPS @Scale
HTTPS @ScaleHTTPS @Scale
HTTPS @Scale
Arvind Mani
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX, Inc.
 
5 things you didn't know nginx could do velocity
5 things you didn't know nginx could do velocity5 things you didn't know nginx could do velocity
5 things you didn't know nginx could do velocity
sarahnovotny
 
Tempesta FW - Framework и Firewall для WAF и DDoS mitigation, Александр Крижа...
Tempesta FW - Framework и Firewall для WAF и DDoS mitigation, Александр Крижа...Tempesta FW - Framework и Firewall для WAF и DDoS mitigation, Александр Крижа...
Tempesta FW - Framework и Firewall для WAF и DDoS mitigation, Александр Крижа...
Ontico
 
CN 6131(15) Module IV.pdf
CN 6131(15) Module IV.pdfCN 6131(15) Module IV.pdf
CN 6131(15) Module IV.pdf
AsifSalim12
 
Varnish SSL / TLS
Varnish SSL / TLSVarnish SSL / TLS
Varnish SSL / TLS
Varnish Software
 
CN 6131(15) Module IV.docx
CN 6131(15) Module IV.docxCN 6131(15) Module IV.docx
CN 6131(15) Module IV.docx
AkhilMS30
 
Troubleshooting and Best Practices with WSO2 Enterprise Integrator
Troubleshooting and Best Practices with WSO2 Enterprise IntegratorTroubleshooting and Best Practices with WSO2 Enterprise Integrator
Troubleshooting and Best Practices with WSO2 Enterprise Integrator
WSO2
 
Caching in Drupal 8
Caching in Drupal 8Caching in Drupal 8
Caching in Drupal 8
valuebound
 
Transaction TCP
Transaction TCPTransaction TCP
Transaction TCP
amardeepsingh1902
 
TLS - 2016 Velocity Training
TLS - 2016 Velocity TrainingTLS - 2016 Velocity Training
TLS - 2016 Velocity Training
Patrick Meenan
 
An overview of the various scriptures in Hinduism
An overview of the various scriptures in HinduismAn overview of the various scriptures in Hinduism
An overview of the various scriptures in Hinduism
Dabee Kamal
 
The Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFThe Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDF
Vivekanand Anglo Vedic Academy
 

More Related Content

Similar to 1.3 Introduction-To-Nginx-Slides.pptx

TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEATLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
NGINX, Inc.
 
CN 6131(15) Module IV.docx
CN 6131(15) Module IV.docxCN 6131(15) Module IV.docx
CN 6131(15) Module IV.docx
AkhilMS30
 

Similar to 1.3 Introduction-To-Nginx-Slides.pptx (20)

Web performance mercadolibre - ECI 2013
Web performance mercadolibre - ECI 2013Web performance mercadolibre - ECI 2013
Web performance mercadolibre - ECI 2013
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Http/2
Http/2Http/2
Http/2
 
Go 1.8 'new' networking features
Go 1.8 'new' networking featuresGo 1.8 'new' networking features
Go 1.8 'new' networking features
 
Web performance optimization - MercadoLibre
Web performance optimization - MercadoLibreWeb performance optimization - MercadoLibre
Web performance optimization - MercadoLibre
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEATLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
 
Think async
Think asyncThink async
Think async
 
Internet
InternetInternet
Internet
 
What’s New in NGINX Plus R15? - EMEA
What’s New in NGINX Plus R15? - EMEAWhat’s New in NGINX Plus R15? - EMEA
What’s New in NGINX Plus R15? - EMEA
 
HTTPS @Scale
HTTPS @ScaleHTTPS @Scale
HTTPS @Scale
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA Broadcast
 
5 things you didn't know nginx could do velocity
5 things you didn't know nginx could do velocity5 things you didn't know nginx could do velocity
5 things you didn't know nginx could do velocity
 
Tempesta FW - Framework и Firewall для WAF и DDoS mitigation, Александр Крижа...
Tempesta FW - Framework и Firewall для WAF и DDoS mitigation, Александр Крижа...Tempesta FW - Framework и Firewall для WAF и DDoS mitigation, Александр Крижа...
Tempesta FW - Framework и Firewall для WAF и DDoS mitigation, Александр Крижа...
 
CN 6131(15) Module IV.pdf
CN 6131(15) Module IV.pdfCN 6131(15) Module IV.pdf
CN 6131(15) Module IV.pdf
 
Varnish SSL / TLS
Varnish SSL / TLSVarnish SSL / TLS
Varnish SSL / TLS
 
CN 6131(15) Module IV.docx
CN 6131(15) Module IV.docxCN 6131(15) Module IV.docx
CN 6131(15) Module IV.docx
 
Troubleshooting and Best Practices with WSO2 Enterprise Integrator
Troubleshooting and Best Practices with WSO2 Enterprise IntegratorTroubleshooting and Best Practices with WSO2 Enterprise Integrator
Troubleshooting and Best Practices with WSO2 Enterprise Integrator
 
Caching in Drupal 8
Caching in Drupal 8Caching in Drupal 8
Caching in Drupal 8
 
Transaction TCP
Transaction TCPTransaction TCP
Transaction TCP
 
TLS - 2016 Velocity Training
TLS - 2016 Velocity TrainingTLS - 2016 Velocity Training
TLS - 2016 Velocity Training
 

Recently uploaded

Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community PartnershipsSpring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
expandedwebsite
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
中 央社
 
SPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code ExamplesSPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code Examples
Peter Brusilovsky
 
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
中 央社
 

Recently uploaded (20)

An overview of the various scriptures in Hinduism
An overview of the various scriptures in HinduismAn overview of the various scriptures in Hinduism
An overview of the various scriptures in Hinduism
 
The Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDFThe Story of Village Palampur Class 9 Free Study Material PDF
The Story of Village Palampur Class 9 Free Study Material PDF
 
Supporting Newcomer Multilingual Learners
Supporting Newcomer Multilingual LearnersSupporting Newcomer Multilingual Learners
Supporting Newcomer Multilingual Learners
 
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...When Quality Assurance Meets Innovation in Higher Education - Report launch w...
When Quality Assurance Meets Innovation in Higher Education - Report launch w...
 
Basic Civil Engineering notes on Transportation Engineering & Modes of Transport
Basic Civil Engineering notes on Transportation Engineering & Modes of TransportBasic Civil Engineering notes on Transportation Engineering & Modes of Transport
Basic Civil Engineering notes on Transportation Engineering & Modes of Transport
 
Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community PartnershipsSpring gala 2024 photo slideshow - Celebrating School-Community Partnerships
Spring gala 2024 photo slideshow - Celebrating School-Community Partnerships
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
demyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptxdemyelinated disorder: multiple sclerosis.pptx
demyelinated disorder: multiple sclerosis.pptx
 
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinhĐề tieng anh thpt 2024 danh cho cac ban hoc sinh
Đề tieng anh thpt 2024 danh cho cac ban hoc sinh
 
Observing-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptxObserving-Correct-Grammar-in-Making-Definitions.pptx
Observing-Correct-Grammar-in-Making-Definitions.pptx
 
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文會考英文
 
Analyzing and resolving a communication crisis in Dhaka textiles LTD.pptx
Analyzing and resolving a communication crisis in Dhaka textiles LTD.pptxAnalyzing and resolving a communication crisis in Dhaka textiles LTD.pptx
Analyzing and resolving a communication crisis in Dhaka textiles LTD.pptx
 
OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...OS-operating systems- ch05 (CPU Scheduling) ...
OS-operating systems- ch05 (CPU Scheduling) ...
 
Mattingly "AI and Prompt Design: LLMs with NER"
Mattingly "AI and Prompt Design: LLMs with NER"Mattingly "AI and Prompt Design: LLMs with NER"
Mattingly "AI and Prompt Design: LLMs with NER"
 
SPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code ExamplesSPLICE Working Group: Reusable Code Examples
SPLICE Working Group: Reusable Code Examples
 
How To Create Editable Tree View in Odoo 17
How To Create Editable Tree View in Odoo 17How To Create Editable Tree View in Odoo 17
How To Create Editable Tree View in Odoo 17
 
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjjStl Algorithms in C++ jjjjjjjjjjjjjjjjjj
Stl Algorithms in C++ jjjjjjjjjjjjjjjjjj
 
8 Tips for Effective Working Capital Management
8 Tips for Effective Working Capital Management8 Tips for Effective Working Capital Management
8 Tips for Effective Working Capital Management
 
VAMOS CUIDAR DO NOSSO PLANETA! .
VAMOS CUIDAR DO NOSSO PLANETA! .VAMOS CUIDAR DO NOSSO PLANETA! .
VAMOS CUIDAR DO NOSSO PLANETA! .
 
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽會考英聽
 

1.3 Introduction-To-Nginx-Slides.pptx

  • 1. Introduction to NGINX NGINX Web Server / Reverse Proxy husseinnasser.com
  • 2. Agenda ● What is NGINX? ● Current & Desired Architecture ● Layer 4 and Layer 7 Proxying in NGINX ● TLS Termination vs TLS Passthrough ● Timeouts in NGINX ● Example ○ NGINX as a Web Server, Layer 7 and Layer 4 Proxy ○ Enable HTTPS, TLS 1.3 & HTTP/2 on NGINX ● Summary
  • 4. What is NGINX? ● Web Server ○ Serves web content ● Reverse Proxy ○ Load Balancing ○ Backend Routing ○ Caching ○ API Gateway
  • 6. Current Architecture GET /employees JSON { } GET /employees JSON { } GET /employees JSON { } db:5432 http:3001
  • 7. Desired Architecture http:3001 GET /employees JSON { } GET /employees JSON { } GET /employees JSON { } db:5432 NGINX HTTPS:443 h/2 http:3002 http:3003 Frontend Backend
  • 8. NGINX Layer 4 vs Layer 7 proxying
  • 9. Layer 4 and Layer 7 ● Layer 4/7 refers to OSI model layers ● In Layer 4 we see TCP/IP stack only nothing about the app, we have access to ○ Source IP, Source Port ○ Destination IP, Destination Port ○ Simple packet inspection (SYN/TLS hello) ● In Layer 7 we see the application, HTTP/ gRPC etc.. ○ We have access to more context ○ I know where the client is going, which page they are visiting ○ Require decryption
  • 10. Layer 4 and Layer 7 proxying in NGINX ● NGINX can operate in Layer 7 (e.g. http) or Layer 4 (tcp) ● Layer 4 proxying is useful when NGINX doesn’t understand the protocol (MySQL database protocol) ● Layer 7 proxying is useful when NGINX want to share backend connections and cache results ● Using stream context it becomes a layer 4 proxy ● Using http context it becomes a layer 7 proxy
  • 11. TLS Termination vs TLS Passthrough
  • 12. TLS ● TLS stands for Transport Layer Security ● It is a way to establish end-to-end encryption between one another ● Symmetric encryption is used for communication (client/server has the same key) ● Asymmetric encryption is used initially to exchange the symmetric key (diffie hellman) ● Server (sometimes even the client) need to authenticate themselves by supplying a certificate signed by a certificate authority
  • 13. TLS Termination ● NGINX has TLS (e.g. HTTPS) backend is not ( HTTP ) ● NGINX terminates TLS and decrypts and send unencrypted. ● NGINX is TLS and backend is also TLS ( HTTPS ) ● NGINX terminates TLS, decrypted, optionally rewrite and then re- encrypt the content to the backend. ● NGINX NGINX can look at the L7 data, re-write headers, cache but needs to share the backend certificate or at least has its own
  • 14. TLS Passthrough ● Backend is TLS ● NGINX proxies/streams the packets directly to the backend. ● The TLS handshake is forwarded all the way to the backend. ● Just like a tunnel ● No caching, L4 check only, but more secure, NGINX doesn’t need the backend certificate.
  • 16. NGINX Timeouts Frontend Timeouts ● client_header_timeout ● client_body_timeout ● send_timeout ● keepalive_timeout ● lingering_timeout ● resolver_timeout Backend Timeouts ● proxy_connect_timeout ● proxy_send_timeout ● proxy_read_timeout ● keepalive_timeout ● proxy_next_upstream_timeout
  • 17. NGINX Frontend Timeouts Frontend Timeouts ● client_header_timeout ● client_body_timeout ● send_timeout ● keepalive_timeout ● lingering_timeout ● resolver_timeout
  • 18. client_header_timeout Defines a timeout for reading client request header. If a client does not transmit the entire header within this time, the request is terminated with the 408 (Request Time-out) error. Default 60s GET / HTTP/1.1 . . . content-length:13 content-type:app/json > 60 s Close connection
  • 19. client_body_timeout Defines a timeout for reading client request body. The timeout is set only for a period between two successive read operations, not for the transmission of the whole request body. If a client does not transmit anything within this time, the request is terminated with the 408 (Request Time-out) error. Default 60s POST / HTTP/1.1 content-length:1M content-type :text . . . body:this is a I’m going to take time.. > 60 s Close connection A very large file..
  • 20. send_timeout Sets a timeout for transmitting a response to the client. The timeout is set only between two successive write operations, not for the transmission of the whole response. If the client does not receive anything within this time, the connection is closed. (Default 60s) GET / HTTP/1.1 content-length:13 content-type :text . . . > 60 s Close connection Here is the very very... Large response that.
  • 21. keepalive_timeout The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field. Two parameters may differ. (default 75 seconds) GET / HTTP/1.1 Connection: keep-alive . . . > 75 s Close connection
  • 22. lingering_timeout When lingering_close is in effect, this directive specifies the maximum waiting time for more client data to arrive. If data are not received during this time, the connection is closed. Otherwise, the data are read and ignored, and nginx starts waiting for more data again. The “wait-read-ignore” cycle is repeated, but no longer than specified by the lingering_time directive. GET / . . . > 60 s Close connection Physical close FIN
  • 23. resolver_timeout Sets a timeout for name resolution, 30 seconds GET / HTTP/1.1 Connection: keep-alive . . . > 30 s server1.test.com What is the IP of server1.test.com?
  • 24. NGINX Backend Timeouts Backend Timeouts ● proxy_connect_timeout ● proxy_send_timeout ● proxy_read_timeout ● keepalive_timeout ● proxy_next_upstream_timeout
  • 25. proxy_connect_timeout Defines a timeout for establishing a connection with a proxied server. It should be noted that this timeout cannot usually exceed 75 seconds. . . . > 60 s server1.test.com Connecting to server1.test.com
  • 26. proxy_send_timeout Sets a timeout for transmitting a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed. server1.test.com POST / HTTP/1.1 content-length:1M content-type :text body:this is a I’m going to take time.. A very large file.. POST / HTTP/1.1 content-length:1M content-type :text . . . body:this is a > 60 s Close connection A very large file.. Note (body_timeout may trigger before) so we don’t even bother the backend..
  • 27. proxy_read_timeout Defines a timeout for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxied server does not transmit anything within this time, the connection is closed. GET / HTTP/1.1 content-length:13 content-type :text . . . Here is the very very... Large response that. Note (send_timeout may trigger before or after) . . . > 60 s
  • 28. proxy_next_upstream_timeout Limits the time during which a request can be passed to the next server. The 0 value turns off this limitation. Default 0 GET /
  • 29. Keepalive_timeout (Backend) Sets a timeout during which an idle keepalive connection to an upstream server will stay open. Connect idle.. > 60 s Close connection
  • 30. Example ● Install NGINX (mac) ● NGINX as a Web Server ● NGINX as a Layer 7 Proxy ○ Proxy to 4 backend NodeJS services (docker) ○ Split load to multiple backends (app1/app2) ○ Block certain requests (/admin) ● NGINX as a Layer 4 Proxy ● Enable HTTPS on NGINX (lets encrypt) ● Enable TLS 1.3 on NGINX ● Enable HTTP/2 on NGINX
  • 31. Summary ● What is NGINX? ● Current & Desired Architecture ● Layer 4 and Layer 7 Proxying in NGINX ● TLS Termination vs TLS Passthrough ● Timeouts in NGINX ● Example ○ NGINX as a Web Server, Layer 7 Proxy & Layer 4 Proxy ○ Enable HTTPS, TLS 1.3 & HTTP/2 on NGINX ● Summary