What’s New in NGINX Plus R15?

What’s New in
NGINX Plus R15?

Faisal Memon
Product Marketing Manager, NGINX
Formerly:
• Sr. Technical Marketing Engineer, Riverbed
• Technical Marketing Engineer, Cisco
• Software Engineer, Cisco
Who am I?

Agenda
• Introducing NGINX
• HTTP/2 enhancements
• gRPC Proxy
• HTTP/2 Server Push
• Enhanced Clustering and State Sharing
• NGINX JavaScript module enhancements
• OpenID Connect SSO with Demo
• Summary and Q&A

“I wanted people to use it, so I
made it open source.”
- Igor Sysoev, NGINX creator and founder

403 million
Total sites running on NGINX
Source: Netcraft April 2018 Web Server Survey

What is NGINX?
Internet
Web Server
Serve content from disk
Reverse Proxy
FastCGI, uWSGI, gRPC…
Load Balancer
Caching, SSL termination…
HTTP traffic
- Basic load balancer
- Content Cache
- Web Server
- Reverse Proxy
- SSL termination
- Rate limiting
- Basic authentication
- 7 metrics
NGINX Open Source NGINX Plus
+ Advanced load balancer
+ Health checks
+ Session persistence
+ Least time alg
+ Cache purging
+ High Availability
+ JWT Authentication
+ OpenID Connect SSO
+ NGINX Plus API
+ Dynamic modules
+ 90+ metrics

About NGINX, Inc.
• Founded in 2011, NGINX Plus first released in
2013
• VC-backed by enterprise software industry
leaders
• Offices in SF, London, Cork, Singapore,
Sydney, and Moscow
• 1,500+ commercial customers
• 200+ employees

NGINX Plus HTTP/2 Support
Existing functionality :
• NGINX Plus R7 -- Initial release
• NGINX Plus R8 -- Production-ready release
New in NGINX Plus R15:
• gRPC -- Load balancing, routing, and SSL termination for
gRPC
• HTTP/2 Server Push -- Push resources to clients, improve
performance.

NGINX Plus HTTP/2 Configuration
• Add http2 argument to listen directive
• For clear text HTTP/2, remove SSL configuration
server {
listen 80;
server_name www.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
ssl_certificate server.crt;
ssl_certificate_key server.key;
}

gRPC Overview
• gRPC is transported over HTTP/2. Does not work with HTTP/1.
• Can be cleartext or SSL-encrypted
• A gRPC call is implemented as an HTTP POST request
• Uses compact “protocol buffers” to exchange data between client and server
• Protocol buffers are implemented in C++ as a class
• Support originally added in NGINX Open Source 1.13.10

gRPC Proxying
server {
listen 80 http2;
location / {
grpc_pass grpc://localhost:50051;
}
}
• grpc_pass – Use like fastcgi_pass,
proxy_pass, etc.
• grpc:// – Use instead of http://.

gRPC Proxying with SSL Termination
server {
location / {
grpc_pass grpc://localhost:50051;
}
}
• Configure SSL and HTTP/2 as usual
• Go sample application needs to modified to point to NGINX IP
Address and port.

gRPC Routing
location /helloworld.ServiceA {
grpc_pass grpc://192.168.20.11:50051;
}
location /helloworld.ServiceB {
grpc_pass grpc://192.168.20.12:50052;
}
• Usually structured as application_name.method

gRPC Load Balancing
upstream grpcservers {
server 192.168.20.21:50051;
server 192.168.20.22:50052;
}
server {
ssl_certificate ssl/certificate.pem;
ssl_certificate_key ssl/key.pem;
location /helloworld.Greeter {
grpc_pass grpc://grpcservers;
error_page 502 = /error502grpc;
}
location = /error502grpc {
internal;
default_type application/grpc;
add_header grpc-status 14;
add_header grpc-message "unavailable";
return 204;
}
}
• gRPC server work with standard upstream blocks.
• Can use grpcs for encrypted gRPC
• If no servers are available, the /error502grpc location
returns a gRPC-compliant error message.

HTTP/2 Server Push Overview
• User requests /demo.html
• Server responds with /demo.html
• Server pre-emptively sends style.css and image.jpg
• Stored in separate browser push cache until needed
• Support added in NGINX 1.13.9

HTTP/2 Server Push Testing
• HTTP/2 and HTTPS introduce one additional RTT for SSL handshake
• HTTP/2 Server push eliminates stylesheet RTT
• Reduces 2 RTT overall compared to unoptimized HTTP/2

HTTP/2 Server Push Config (Method 1)
server {
root /var/www/html;
# whenever a client requests demo.html
# push /style.css, /image1.jpg, and
# /image2.jpg
location = /demo.html {
http2_push /style.css;
http2_push /image1.jpg;
http2_push /image2.jpg;
}
}
• http2_push – Defines resources to be pushed
to clients. When NGINX receives a request for
/demo.html, it will request and push
image1.jpg, and image2.jpg.

HTTP/2 Server Push Config (Method 2)
server {
root /var/www/html;
# whenever a client requests demo.html
# push /style.css, /image1.jpg, and
# /image2.jpg
location = /demo.html {
http2_push_preload on;
}
}
• http2_push_preload – Instructs NGINX to parse HTTP
Link: headers and push specified resources.
• Link: </style.css>; as=style;
rel=preload, </favicon.ico>; as=image;
rel=preload
• Useful if you want application server to control what gets pushed.

HTTP/2 Server Push Verification
• Chrome Developer Tools: The Initiator column on the Network tab indicates several resources were pushed to the client as part of a
request for /demo.html.

More Information
• NGINX: gRPC and HTTP/2 Server Push (webinar)
• nginx.com/webinars/nginx-http2-server-push-grpc/
• Introducing HTTP/2 Server Push with NGINX 1.13.9 (blog)
• nginx.com/blog/nginx-1-13-9-http2-server-push/
• Introducing gRPC Support with NGINX 1.13.10 (blog)
• nginx.com/blog/nginx-1-13-10-grpc/

NGINX Plus Clustering
• NGINX Plus R1 -- High Availability based on
keepalived package
• NGINX Plus R12 -- Configuration synchronization using
nginx-sync package. Configure only one master
server.
• State sharing for sticky learn session persistence
High availability is exclusive to NGINX Plus

stream {
resolver 10.0.0.53 valid=20s;
server {
listen 9000;
zone_sync;
zone_sync_server nginx1.example.com:9000 resolve;
}
}
Shared memory zones are identified in NGINX Plus with the zone
directive (example on next slide) for data to be shared between
processors on the same server. The new zone_sync functionality
extends this memory to be shared across different servers.
• zone_sync -- Enables synchronization of shared memory zones
in a cluster.
• zone_sync_server -- Identifies the other NGINX Plus
instances in the cluster. You create a separate
zone_sync_server for each server in the cluster.
• Add into main nginx.conf for each server

upstream my_backend {
zone my_backend 64k;
server backends.example.com resolve;
sticky learn zone=sessions:1m
create=$upstream_cookie_session
lookup=$cookie_session
sync;
}
server {
listen 80;
location / {
proxy_pass http://my_backend;
}
}
• zone – Identifies the shared memory zone. This configuration is
unchanged from before.
• sync -- Enables cluster-wide state sharing

NGINX Plus Clustering (Advanced)
stream {
resolver 10.0.0.53 valid=20s;
server {
listen 10.0.0.1:9000 ssl;
ssl_certificate_key /etc/ssl/key.pem;
ssl_certificate /etc/ssl/cert.pem;
allow 10.0.0.0/24; # Only accept internal conns
deny all;
zone_sync;
zone_sync_server nginx1.example.com:9000 resolve;
zone_sync_ssl_verify on; # Peers must connect with client cert
zone_sync_ssl_trusted_certificate /etc/ssl/ca_chain.pem;
zone_sync_ssl_verify_depth 2;
zone_sync_ssl on; # Connect to peers with TLS, offer client cert
zone_sync_ssl_certificate /etc/ssl/nginx1.example.com.client_cert.pem;
zone_sync_ssl_certificate_key /etc/ssl/nginx1.example.com.key.pem;
}
}
Enabling encrypted communication between cluster members.
• zone_sync_ssl_verify -- Mandates peers
present client cert when enabled.
• zone_sync_ssl_trusted_certificate
-- Specifies trusted cert chain to verify client certs with
• zone_sync_ssl -- Tells this server to present client
certs
• zone_sync_ssl_certificate -- Public key for
client cert
• zone_sync_ssl_certificate_key -- Private
key for client cert

NGINX JavaScript module
• NGINX Plus R10 -- Initial release
• NGINX Plus R11 -- Added support for stream module (TCP/UDP)
• NGINX Plus R12 -- Add ECMAScript 6 math methods, production-ready
• NGINX Plus R14 -- JSON object support
• Sub requests -- Issue new HTTP requests independent of and
asynchronous to client req
• Hash functions -- New crypto library with SHA-256, MD5, etc.

Getting Started
Debian/Ubuntu:
$ sudo apt-get update
$ sudo apt-get install nginx-plus-module-njs
Centos/RedHat:
$ sudo yum update
$ sudo yum install nginx-plus-module-njs
In top-level ("main") context of the nginx.conf add:
load_module modules/ngx_http_js_module.so;
load_module modules/ngx_stream_js_module.so;
Restart NGINX Plus:
$ sudo nginx -t && sudo nginx -s reload
• Install the module from our repository for your choice of OS
• Top-level means outside of any http{} or stream{}
blocks
• After reload you can start using the NGINX JavaScript module

Sub Requests
function sendFastest(req, res) {
var n = 0;
function done(reply) { // Callback for subrequests
if (n++ == 0) {
req.log("WINNER is " + reply.uri);
res.return(reply.status, reply.body);
}
}
req.subrequest("/server_one", req.variables.args, done);
req.subrequest("/server_two", req.variables.args, done);
}
• req.subrequest -- Initiates asynchronous
subrequest with callback function done() in this
example.
• js_content -- Calls JavaScript function to provide
response.
js_include fastest_wins.js;
server {
listen 80;
location / {
js_content sendFastest;
}
location /server_one {
proxy_pass http://10.0.0.1$request_uri; # Pass URI
}
location /server_two {
proxy_pass http://10.0.0.2$request_uri;
}
}

Hash Functions
function signCookie(req, res) {
if (res.headers["set-cookie"].length) {
// Response includes a new cookie
var cookie_data = res.headers["set-cookie"].split(";");
var c = require('crypto’);
var h = c.createHmac('sha256').update(cookie_data[0] +
req.remoteAddress);
return "signature=" + h.digest('hex’);
}
return "";
}
• c.createHmac – Calls crypto library to provide
HMAC of specified data.
• js_set – Sets variable to return value from JavaScript
function
Supported crypto library functions:
• Hash functions: MD5, SHA-1, SHA-256
• HMAC using: MD5, SHA-1, SHA-256
• Digest formats: Base64, Base64URL, hex
js_include cookie_signing.js;
js_set $signed_cookie signCookie;
server {
listen 80;
location / {
proxy_pass http://my_backend;
add_header Set-Cookie $signed_cookie;
}
}

“Using OpenID Connect with
NGINX Plus enabled us to
quickly and easily integrate with
our identity provider and, at the
same time, simplify our
application architecture.”
- Scott Macleod, Software Engineer,
NHS Digital

NGINX Plus JWT Authentication
• NGINX Plus R10 -- Initial support for native JWT authentication
added
• NGINX Plus R12 -- Support for custom fields
• NGINX Plus R14 -- Support for nested claims
• Support for OpenID Connect SSO. Link to Okta, OneLogin,
PingIdentity, and other IdPs.JWT Authentication and OpenID Connect
SSO are exclusive to NGINX Plus

How to use it
Clone GitHub repo:
$ git clone https://github.com/nginxinc/nginx-
openid-connect
Copy files to /etc/nginx/conf.d:
$ cp nginx-openid-connect/* /etc/nginx/conf.d
Configure for your environment (to be covered in demo):
1. Configure IdP
2. Put IdP configuration into frontend.conf
Restart NGINX Plus:
$ sudo nginx -t && sudo nginx -s reload
• Requires NGINX JavaScript module
• Our GitHub repo contains 3 important files:
• frontend.conf -- Reverse proxy configuration and where
the IdP is configured.
• openid_connect.server_conf -- NGINX
configuration for handling the various stages of OpenID Connect
authorization code flow.
• openid_connect.js -- JavaScript code for performing
the authorization code exchange and nonce hashing. Should not
require any changes.

Additional New Features
• $ssl_preread_alpn_protocols -- Comma-separated list of client protocols advertised
through ALPN (NGINX Open Source 1.13.10).
• $upstream_queue_time -- Captures the amount of time a request spends in the queue, when
using upstream queueing. Can be outputted to log to monitor performance (NGINX Open Source 1.13.9).
• log_format escape=none -- Disable escaping in the NGINX Plus access log, in addition to
previous support for JSON and default escaping (NGINX Open Source 1.1310).
• Transparent Proxying without root -- Worker processes can now inherit
the CAP_NET_RAW Linux capability from the master process so that NGINX Plus no longer requires special
privileges for transparent proxying.
• New Cookie-Flag module -- Third party module for setting cookie flags is now available in our
dynamic modules respository

NGINX Conf 2018
The official event for all things NGINX
October 8-11, 2018 | Atlanta, GA
Learn how to use NGINX to modernize existing applications and build new
microservice applications. There will be two session tracks:
• NGINX Builders: Hands-on insights for developers, IT ops, and DevOps
• NGINX Designers: Strategy and trends for architects and IT leaders
Early bird registration now open: nginx.com/nginxconf
How are you planning to use NGINX Plus R15?
Let us know: nginx-inquiries@nginx.com

Summary
• HTTP/2 server push -- Use h2_push to have NGINX push resources or
use h2_push_preload on; to have NGINX use the Link: header
• gRPC proxying -- Use grpc_pass like proxy_pass, fastcgi_pass, etc.
to proxy gRPC connections
• State sharing -- Sticky learn session persistence now works across a
cluster with new zone_sync feature
• NGINX JavaScript module -- New support for sub requests and crypto
hash functions
• OpenID Connect SSO -- New integrations with IdPs such as SiteMinder,
Okta, OneLogin, etc.

Q & ATry NGINX Plus free for 30 days: nginx.com/free-trial-request

What’s New in NGINX Plus R15?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to What’s New in NGINX Plus R15?

Similar to What’s New in NGINX Plus R15? (20)

More from NGINX, Inc.

More from NGINX, Inc. (20)

Recently uploaded

Recently uploaded (20)

What’s New in NGINX Plus R15?

Editor's Notes