In this webinar we discuss new features in NGINX Plus R15, which includes support for gRPC, HTTP/2 Server Push, enhanced clustering, and OpenID Connect SSO integration.
Watch this webinar to learn:
- About new HTTP/2 enhancements: gRPC and HTTP/2 server push support
- About new state sharing and clustering support in NGINX Plus, with support for Sticky Learn session persistence
- How to integrate with Okta, OneLogin, and other identity providers to provide single sign on (SSO) for your applications
- How to initiate subrequests with the NGINX JavaScript module, new variables, and other great new enhancements in this release
https://www.nginx.com/resources/webinars/whats-new-nginx-plus-r15/
7. What is NGINX?
[Diagram: NGINX sits between the Internet and your HTTP traffic, acting as a Web Server (serve content from disk), a Reverse Proxy (FastCGI, uWSGI, gRPC…), and a Load Balancer (caching, SSL termination…)]
NGINX Open Source:
- Basic load balancer
- Content cache
- Web server
- Reverse proxy
- SSL termination
- Rate limiting
- Basic authentication
- 7 metrics
NGINX Plus adds:
+ Advanced load balancer
+ Health checks
+ Session persistence
+ Least time algorithm
+ Cache purging
+ High availability
+ JWT authentication
+ OpenID Connect SSO
+ NGINX Plus API
+ Dynamic modules
+ 90+ metrics
8. About NGINX, Inc.
• Founded in 2011, NGINX Plus first released in 2013
• VC-backed by enterprise software industry leaders
• Offices in SF, London, Cork, Singapore, Sydney, and Moscow
• 1,500+ commercial customers
• 200+ employees
9. Agenda
• Introducing NGINX
• HTTP/2 enhancements
• gRPC Proxy
• HTTP/2 Server Push
• Enhanced Clustering and State Sharing
• NGINX JavaScript module enhancements
• OpenID Connect SSO with Demo
• Summary and Q&A
10. NGINX Plus HTTP/2 Support
Existing functionality:
• NGINX Plus R7 -- Initial release
• NGINX Plus R8 -- Production-ready release
New in NGINX Plus R15:
• gRPC -- Load balancing, routing, and SSL termination for gRPC
• HTTP/2 Server Push -- Push resources to clients to improve performance.
11. NGINX Plus HTTP/2 Configuration
• Add the http2 argument to the listen directive
• For cleartext HTTP/2, leave out the SSL configuration
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
}
13. gRPC Overview
• gRPC is transported over HTTP/2; it does not work over HTTP/1.
• Can be cleartext or SSL-encrypted
• A gRPC call is implemented as an HTTP POST request
• Uses compact “protocol buffers” to exchange data between client and server
• Protocol buffers are implemented in C++ as a class
• Support originally added in NGINX Open Source 1.13.10
14. gRPC Proxying
server {
    listen 80 http2;
    location / {
        grpc_pass grpc://localhost:50051;
    }
}
• grpc_pass -- Use like fastcgi_pass, proxy_pass, etc.
• grpc:// -- Use instead of http://.
15. gRPC Proxying with SSL Termination
server {
    listen 443 ssl http2;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    location / {
        grpc_pass grpc://localhost:50051;
    }
}
• Configure SSL and HTTP/2 as usual
• The Go sample application needs to be modified to point to the NGINX IP address and port.
16. gRPC Routing
location /helloworld.ServiceA {
    grpc_pass grpc://192.168.20.11:50051;
}
location /helloworld.ServiceB {
    grpc_pass grpc://192.168.20.12:50052;
}
• gRPC request paths are usually structured as application_name.method, which is what the location blocks above match on
17. gRPC Load Balancing
upstream grpcservers {
    server 192.168.20.21:50051;
    server 192.168.20.22:50052;
}
server {
    listen 443 ssl http2;
    ssl_certificate ssl/certificate.pem;
    ssl_certificate_key ssl/key.pem;
    location /helloworld.Greeter {
        grpc_pass grpc://grpcservers;
        error_page 502 = /error502grpc;
    }
    location = /error502grpc {
        internal;
        default_type application/grpc;
        add_header grpc-status 14;
        add_header grpc-message "unavailable";
        return 204;
    }
}
• gRPC servers work with standard upstream blocks.
• Use grpcs:// for encrypted gRPC to the upstream
• If no servers are available, the /error502grpc location returns a gRPC-compliant error (grpc-status 14, "unavailable") instead of an HTML 502 page.
19. HTTP/2 Server Push Overview
• User requests /demo.html
• Server responds with /demo.html
• Server pre-emptively sends style.css and image.jpg
• Stored in separate browser push cache until needed
• Support added in NGINX 1.13.9
20. HTTP/2 Server Push Testing
• HTTP/2 and HTTPS introduce one additional RTT for SSL handshake
• HTTP/2 Server push eliminates stylesheet RTT
• Reduces 2 RTT overall compared to unoptimized HTTP/2
21. HTTP/2 Server Push Config (Method 1)
server {
    listen 443 ssl http2;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    root /var/www/html;
    # whenever a client requests demo.html
    # push /style.css, /image1.jpg, and
    # /image2.jpg
    location = /demo.html {
        http2_push /style.css;
        http2_push /image1.jpg;
        http2_push /image2.jpg;
    }
}
• http2_push -- Defines resources to be pushed to clients. When NGINX receives a request for /demo.html, it will request and push style.css, image1.jpg, and image2.jpg.
22. HTTP/2 Server Push Config (Method 2)
server {
    listen 443 ssl http2;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    root /var/www/html;
    # whenever a client requests demo.html
    # push /style.css, /image1.jpg, and
    # /image2.jpg
    location = /demo.html {
        http2_push_preload on;
    }
}
• http2_push_preload -- Instructs NGINX to parse HTTP Link: headers from the upstream response and push the resources they specify.
• Example header: Link: </style.css>; as=style; rel=preload, </favicon.ico>; as=image; rel=preload
• Useful if you want the application server to control what gets pushed.
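The Link: header format that http2_push_preload acts on, parsed as an added example (Node.js code written for this page, not NGINX's own parser). The sample header value is constructed, and the same-origin and nopush filtering follow RFC 7540 and the W3C Preload spec rather than anything the slide states about NGINX internals.

```javascript
// Added example, not from the webinar: a parser for the Link: header values
// that http2_push_preload acts on. Constructed sample, not a captured header.
const SAMPLE_LINK_HEADER =
  '</style.css>; as=style; rel=preload, ' +
  '</favicon.ico>; as=image; rel=preload, ' +
  '</app.js>; as=script; rel=preload; nopush, ' +
  '<https://cdn.example/font.woff2>; rel="preload"; as=font';

// Parse a Link: header value into [{ uri, params }]. Parameter names are
// lower-cased, quoted values are unquoted, bare attributes become true.
// Caveat: quoted values containing ';' or ',' are not handled.
function parseLinkHeader(value) {
  const links = [];
  const re = /<([^>]*)>((?:\s*;\s*[^,;]+)*)/g;
  let m;
  while ((m = re.exec(value)) !== null) {
    const params = {};
    for (const part of m[2].split(';')) {
      const t = part.trim();
      if (!t) continue;
      const eq = t.indexOf('=');
      if (eq === -1) { params[t.toLowerCase()] = true; continue; }
      let v = t.slice(eq + 1).trim();
      if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
      params[t.slice(0, eq).trim().toLowerCase()] = v;
    }
    links.push({ uri: m[1], params });
  }
  return links;
}

// Decide which links a push-capable server should turn into PUSH_PROMISEs:
// rel must contain "preload", the Preload spec's "nopush" attribute opts a
// link out, and RFC 7540 only allows pushing URIs the server is authoritative
// for, so only absolute-path (same-origin) URIs are kept.
function pushCandidates(value) {
  return parseLinkHeader(value)
    .filter(l => String(l.params.rel || '').toLowerCase().split(/\s+/).includes('preload'))
    .filter(l => !l.params.nopush)
    .filter(l => l.uri.startsWith('/'))
    .map(l => ({ uri: l.uri, as: l.params.as || '' }));
}

// Expected: /style.css (style) and /favicon.ico (image); app.js is opted out
// by nopush and the CDN font is cross-origin.
console.log(pushCandidates(SAMPLE_LINK_HEADER));
```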
23. HTTP/2 Server Push Verification
• Chrome Developer Tools: The Initiator column on the Network tab indicates several resources were pushed to the client as part of a request for /demo.html.
24. More Information
• NGINX: gRPC and HTTP/2 Server Push (webinar)
• nginx.com/webinars/nginx-http2-server-push-grpc/
• Introducing HTTP/2 Server Push with NGINX 1.13.9 (blog)
• nginx.com/blog/nginx-1-13-9-http2-server-push/
• Introducing gRPC Support with NGINX 1.13.10 (blog)
• nginx.com/blog/nginx-1-13-10-grpc/
26. NGINX Plus Clustering
Existing functionality:
• NGINX Plus R1 -- High Availability based on the keepalived package
• NGINX Plus R12 -- Configuration synchronization using the nginx-sync package. Configure only one master server.
New in NGINX Plus R15:
• State sharing for sticky learn session persistence
High availability is exclusive to NGINX Plus
27. NGINX Plus Clustering
stream {
    resolver 10.0.0.53 valid=20s;
    server {
        listen 9000;
        zone_sync;
        zone_sync_server nginx1.example.com:9000 resolve;
    }
}
Shared memory zones are identified in NGINX Plus with the zone directive (example on next slide) for data to be shared between worker processes on the same server. The new zone_sync functionality extends this memory to be shared across different servers.
• zone_sync -- Enables synchronization of shared memory zones in a cluster.
• zone_sync_server -- Identifies the other NGINX Plus instances in the cluster. You create a separate zone_sync_server entry for each server in the cluster.
• Add this block to the main nginx.conf on each server
28. NGINX Plus Clustering
upstream my_backend {
    zone my_backend 64k;
    server backends.example.com resolve;
    sticky learn zone=sessions:1m
                 create=$upstream_cookie_session
                 lookup=$cookie_session
                 sync;
}
server {
    listen 80;
    location / {
        proxy_pass http://my_backend;
    }
}
• zone -- Identifies the shared memory zone. This configuration is unchanged from before.
• sync -- Enables cluster-wide state sharing
29. NGINX Plus Clustering (Advanced)
stream {
    resolver 10.0.0.53 valid=20s;
    server {
        listen 10.0.0.1:9000 ssl;
        ssl_certificate_key /etc/ssl/key.pem;
        ssl_certificate /etc/ssl/cert.pem;
        allow 10.0.0.0/24; # Only accept internal conns
        deny all;
        zone_sync;
        zone_sync_server nginx1.example.com:9000 resolve;
        zone_sync_ssl_verify on; # Peers must connect with client cert
        zone_sync_ssl_trusted_certificate /etc/ssl/ca_chain.pem;
        zone_sync_ssl_verify_depth 2;
        zone_sync_ssl on; # Connect to peers with TLS, offer client cert
        zone_sync_ssl_certificate /etc/ssl/nginx1.example.com.client_cert.pem;
        zone_sync_ssl_certificate_key /etc/ssl/nginx1.example.com.key.pem;
    }
}
Enabling encrypted, mutually authenticated communication between cluster members (the allow/deny rules additionally limit the sync port to the internal network).
• zone_sync_ssl_verify -- Mandates that peers present a client cert when enabled.
• zone_sync_ssl_trusted_certificate -- Specifies the trusted cert chain used to verify client certs
• zone_sync_ssl -- Tells this server to use TLS and present a client cert when connecting to peers
• zone_sync_ssl_certificate -- Certificate (public part) presented as the client cert
• zone_sync_ssl_certificate_key -- Private key for the client cert
31. NGINX JavaScript module
Existing functionality:
• NGINX Plus R10 -- Initial release
• NGINX Plus R11 -- Added support for stream module (TCP/UDP)
• NGINX Plus R12 -- Added ECMAScript 6 math methods, production-ready
• NGINX Plus R14 -- JSON object support
New in NGINX Plus R15:
• Subrequests -- Issue new HTTP requests independent of and asynchronous to the client request
• Hash functions -- New crypto library with SHA-256, MD5, etc.
32. Getting Started
Debian/Ubuntu:
$ sudo apt-get update
$ sudo apt-get install nginx-plus-module-njs
CentOS/Red Hat:
$ sudo yum update
$ sudo yum install nginx-plus-module-njs
In the top-level ("main") context of nginx.conf add:
load_module modules/ngx_http_js_module.so;
load_module modules/ngx_stream_js_module.so;
Test the configuration and reload NGINX Plus:
$ sudo nginx -t && sudo nginx -s reload
• Install the module from our repository for your choice of OS
• Top-level means outside of any http{} or stream{} blocks
• After the reload you can start using the NGINX JavaScript module
33. Sub Requests
function sendFastest(req, res) {
    var n = 0;
    function done(reply) { // Callback shared by both subrequests
        // Only the first reply to arrive is sent to the client;
        // the later one is ignored
        if (n++ == 0) {
            req.log("WINNER is " + reply.uri);
            res.return(reply.status, reply.body);
        }
    }
    // Fire both subrequests concurrently with the client's query string
    req.subrequest("/server_one", req.variables.args, done);
    req.subrequest("/server_two", req.variables.args, done);
}
• req.subrequest -- Initiates an asynchronous subrequest with a callback function, done() in this example.
• js_content -- Calls a JavaScript function to provide the response.
js_include fastest_wins.js;
server {
    listen 80;
    location / {
        js_content sendFastest;
    }
    location /server_one {
        proxy_pass http://10.0.0.1$request_uri; # Pass URI
    }
    location /server_two {
        proxy_pass http://10.0.0.2$request_uri;
    }
}
34. Hash Functions
function signCookie(req, res) {
    var sc = res.headers["set-cookie"];
    if (sc && sc.length) {
        // Response includes a new cookie: sign its name=value pair,
        // bound to the client address
        var cookie_data = sc.split(";");
        var c = require('crypto');
        // createHmac() requires a key; PLACEHOLDER, replace with a real secret
        var h = c.createHmac('sha256', 'REPLACE-WITH-SECRET-KEY')
                 .update(cookie_data[0] + req.remoteAddress);
        return "signature=" + h.digest('hex');
    }
    return "";
}
• c.createHmac -- Calls the crypto library to produce an HMAC of the specified data.
• js_set -- Sets a variable to the return value of a JavaScript function
Supported crypto library functions:
• Hash functions: MD5, SHA-1, SHA-256
• HMAC using: MD5, SHA-1, SHA-256
• Digest formats: Base64, Base64URL, hex
js_include cookie_signing.js;
js_set $signed_cookie signCookie;
server {
    listen 80;
    location / {
        proxy_pass http://my_backend;
        add_header Set-Cookie $signed_cookie;
    }
}
36. “Using OpenID Connect with NGINX Plus enabled us to quickly and easily integrate with our identity provider and, at the same time, simplify our application architecture.”
- Scott Macleod, Software Engineer, NHS Digital
37. NGINX Plus JWT Authentication
Existing functionality:
• NGINX Plus R10 -- Initial support for native JWT authentication added
• NGINX Plus R12 -- Support for custom fields
• NGINX Plus R14 -- Support for nested claims
New in NGINX Plus R15:
• Support for OpenID Connect SSO. Link to Okta, OneLogin, PingIdentity, and other IdPs.
JWT Authentication and OpenID Connect SSO are exclusive to NGINX Plus
39. How to use it
Clone the GitHub repo:
$ git clone https://github.com/nginxinc/nginx-openid-connect
Copy the files to /etc/nginx/conf.d:
$ cp nginx-openid-connect/* /etc/nginx/conf.d
Configure for your environment (to be covered in the demo):
1. Configure the IdP
2. Put the IdP configuration into frontend.conf
Restart NGINX Plus:
$ sudo nginx -t && sudo nginx -s reload
• Requires the NGINX JavaScript module
• Our GitHub repo contains 3 important files:
• frontend.conf -- Reverse proxy configuration and where the IdP is configured.
• openid_connect.server_conf -- NGINX configuration for handling the various stages of the OpenID Connect authorization code flow.
• openid_connect.js -- JavaScript code for performing the authorization code exchange and nonce hashing. Should not require any changes.
42. Additional New Features
• $ssl_preread_alpn_protocols -- Comma-separated list of client protocols advertised through ALPN (NGINX Open Source 1.13.10).
• $upstream_queue_time -- Captures the amount of time a request spends in the queue when using upstream queueing. Can be written to the log to monitor performance (NGINX Open Source 1.13.9).
• log_format escape=none -- Disables escaping in the NGINX Plus access log, in addition to the previous support for JSON and default escaping (NGINX Open Source 1.13.10).
• Transparent proxying without root -- Worker processes can now inherit the CAP_NET_RAW Linux capability from the master process, so NGINX Plus no longer requires special privileges for transparent proxying.
• New Cookie-Flag module -- Third-party module for setting cookie flags is now available in our dynamic modules repository
43. NGINX Conf 2018
The official event for all things NGINX
October 8-11, 2018 | Atlanta, GA
Learn how to use NGINX to modernize existing applications and build new
microservice applications. There will be two session tracks:
• NGINX Builders: Hands-on insights for developers, IT ops, and DevOps
• NGINX Designers: Strategy and trends for architects and IT leaders
Early bird registration now open: nginx.com/nginxconf
How are you planning to use NGINX Plus R15?
Let us know: nginx-inquiries@nginx.com
44. Summary
• HTTP/2 server push -- Use http2_push to have NGINX push resources, or http2_push_preload on; to have NGINX act on the Link: header
• gRPC proxying -- Use grpc_pass like proxy_pass, fastcgi_pass, etc. to proxy gRPC connections
• State sharing -- Sticky learn session persistence now works across a cluster with the new zone_sync feature
• NGINX JavaScript module -- New support for subrequests and crypto hash functions
• OpenID Connect SSO -- New integrations with IdPs such as SiteMinder, Okta, OneLogin, etc.
45. Q & A
Try NGINX Plus free for 30 days: nginx.com/free-trial-request
Editor's Notes
NGINX was created by Igor Sysoev as a side project while he was working as a sysadmin at Rambler, a Russian equivalent of Yahoo!. While at Rambler, Igor was asked to look into enabling the Apache HTTP servers to better handle the influx of traffic the company was receiving.
While looking for ways to improve Apache's performance, Igor found himself blocked by several inherent design choices that hampered Apache's ability to handle 10,000 simultaneous users, commonly known as the C10K problem.
In the spring of 2002 Igor started developing NGINX with an event-driven architecture that addressed the shortcomings in Apache.
On October 4th, 2004, the anniversary of the launch of Sputnik, the first space satellite, Igor publicly released the source code of NGINX for free.
Source: https://news.netcraft.com/archives/category/web-server-survey/
From there NGINX grew rapidly and now is used by over 447 million websites world wide, including Uber, Netflix, Airbnb, Twitch, Stripe and other innovative companies.
Here are some of our most significant customers:
McDonald's is building apps in AWS using NGINX Plus
Starbucks pivoted to a microservice architecture in the cloud using NGINX Plus
Some other notable names not listed here: Volvo, Carnival cruise lines, Liberty Mutual, BofA, Comcast, Footlocker, ARM.
NGINX Plus gives you all the tools you need to deliver your application reliably.
Web Server
NGINX is a fully featured web server that can directly serve static content. NGINX Plus can scale to handle hundreds of thousands of clients simultaneously, and serve hundreds of thousands of content resources per second.
Application Gateway
NGINX handles all HTTP traffic, and forwards requests in a smooth, controlled manner to PHP, Ruby, Java, and other application types, using FastCGI, uWSGI, and Linux sockets.
Reverse Proxy
NGINX is a reverse proxy that you can put in front of your applications. NGINX can cache both static and dynamic content to improve overall performance, as well as load balance traffic enabling you to scale-out.