Nginx Workshop Aftermath


My upcoming presentation for Kiev.PM meeting

Published in: Technology

  1. Nginx Workshop Aftermath
     Kiev.PM technical meeting, 16th Feb 2012
     Denis Zhdanov, denis.zhdanov@gmail.com
  2. Disclaimer
     May 29, 2010 - the Nginx workshop by Igor Sysoev was organized by SmartMe (http://www.smartme.com.ua/nginx-workshop/). Thanks Igor, thanks SmartMe.
     Based on the workshop, but Nginx has changed since then, and caching and many other topics are now documented on the website (http://wiki.nginx.org), so I have added some things of my own.
     "Scooter is ... ?"
  3. Nginx / Apache - why do we need which?
     1. Static files
     2. Proxying / slow clients (no dialup any more, but mobile)
     Why Apache is bad / Nginx is good: the size of a worker.
     Apache is prefork, 1 process/thread per request - too expensive.
     Nginx - processes/threads too, but event driven.
  4. Nginx is fast?
     "Nginx is not fast - but scalable" (c) Igor Sysoev.
     Tens and hundreds of thousands of requests per worker - quite fast, but Apache can do this also, with much more resources.
     Nginx also has a SCALABLE configuration. What does that mean?
  5. How can we configure Apache?
     1. .htaccess / rewrite rules - ugly, but the only way on shared hostings (I hope they are all gone now :) )
     2. Virtual hosts - but the global (default) server configuration can mess everything up.
     3. Virtual hosts, but the default server does nothing (deny all, for example).
  6. locations
     location /images/
     location = /
     location ^~ /images/      - plain strings, no order
     location ~ \.php
     location ~* \.php         - regexp rules, ordered
     location @php             - named
  7. plain vs regexp
     location /           VS   location /admin/
     location /admin/          location /          - no difference!
     But regexp is ordered, so ...
  8. location ~* \.(gif|jpe?g|png)$ { root /var/www/images/; }
     location ~* \.php$ { fastcgi_pass ...; }
     location /images/ { root /var/www/images/; }
     location /scripts/ { fastcgi_pass ...; }
  9. Real example
     location / {
         if ($uri ~ ^/login\.php$) { ... }
         if ($uri ~ ^/admin/) { ... }
     }
  10. Nested locations
     location /images/ { root /var/www/images; }
     location /admin/ {
         location ~ ^/admin/.*\.php$ { fastcgi_pass ...; }
     }
     ...
  11. Directives: declarative vs runtime
     Declarative - no ordering, inheritance
     proxy_connect_timeout 25s;
     server {
         location / { }
         location = / { }
         location = /x { proxy_pass http://backend; }
         root /var/www/;
     }
  12. Runtime directives
     Run every time, no inheritance!
     if (....) {
         set ...
         rewrite ...
         break
         return ....
     }
  13. Bad examples
     location /images/ {
         root /var/www/images/;
         break;    # <---- WHY???
     }
     if (-e $request_filename) {
         expires 1y;
         break;    # totally wrong!!
     }
  14. Igor says: Do not use rewrites! :)
     if (...) {
         return 403;    # good usage
     }
     location ~ ^/images/(.+)$ {
         root /var/www/img/$1;    # bad
     }
     Why?
  15. Root semantic VS alias semantic
     GET /images/test/one.jpg
     location /images/ {
         root /var/www/;    # path - /var/www/images/test/one.jpg
     }
     location /images/ {
         alias /var/www/img/;    # path - /var/www/img/test/one.jpg
     }
  16. Alias instead of root
     location /images/ { alias /var/www/images/; }
     location /images/ { root /var/www; }
  17. Alias and root with variables
     GET /images/one.jpg
     location /images/ {
         root /var/www/$host;
     }    # real path - /var/www/SITE/images/one.jpg
     location ~ ^/images/(.)(.+)$ {
         alias /var/www/img/$1/$1$2;
     }    # real path - /var/www/img/o/one.jpg
     Alias makes the complete path, no replacement.
     MUST use $1/$2 if the location contains captures.
  18. proxy_pass semantic
     GET /images/test/one.jpg
     location /images/ {
         proxy_pass http://backend;    # <-- no URI
     }    # Root semantic - GET http://backend/images/test/one.jpg
     location /images/ {
         proxy_pass http://backend/img/;
     }    # Alias semantic - GET http://backend/img/test/one.jpg
  19. proxy_pass with variables
     GET /images/one.jpg
     location ~ ^/images/(.)(.+)$ {
         proxy_pass http://backend/$1/$1$2;
     }    # --> http://backend/o/one.jpg
          # Alias semantic, but the path is replaced
     location ~ ^/images/(.).+$ {
         proxy_pass http://$1;    # not part of the URI
     }    # --> http://o/images/one.jpg
          # Root semantic
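The root / alias / proxy_pass rules from slides 14 to 19 as one small simulation. This is an added example, not code from the slides or from nginx; it models only the semantics the slides state (root appends the whole URI, alias replaces the prefix or is the complete path when captures are used, proxy_pass without a URI part keeps the request URI) and does not reproduce nginx's full path normalization.

```python
import re

def map_uri(location, uri, variables=None):
    """Return the filesystem path (root/alias) or upstream URL (proxy_pass)
    that one location block derives for `uri`, or None if it does not match.
    location = {"match": "prefix"|"regex", "pattern": ...,
                "directive": "root"|"alias"|"proxy_pass", "value": ...}
    variables: extra nginx variables to substitute, e.g. {"$host": "SITE"}."""
    vars_ = dict(variables or {})
    if location["match"] == "prefix":
        if not uri.startswith(location["pattern"]):
            return None
        rest = uri[len(location["pattern"]):]   # URI tail after the prefix
    else:
        m = re.match(location["pattern"], uri)
        if not m:
            return None
        rest = ""                               # captures, not the tail, are used
        vars_.update({f"${i}": g for i, g in enumerate(m.groups(), 1)})
    # Substitute $1, $2, $host, ... in the directive value.
    value = re.sub(r"\$\w+", lambda v: vars_.get(v.group(0), v.group(0)),
                   location["value"])
    directive = location["directive"]
    if directive == "root":
        return value.rstrip("/") + uri          # root: whole URI appended (slides 15, 17)
    if directive == "alias":
        if location["match"] == "regex":
            return value                        # alias with captures is the full path (slide 17)
        return value + rest                     # prefix replaced by the alias (slide 15)
    if directive == "proxy_pass":
        host_and_path = value.partition("://")[2]
        if "/" not in host_and_path:
            return value + uri                  # no URI part: root semantic (slides 18, 19)
        if location["match"] == "regex":
            return value                        # URI with variables replaces the path (slide 19)
        return value + rest                     # URI part: alias semantic (slide 18)
    raise ValueError(f"unsupported directive {directive}")
```

Feeding slide 14's "bad" block (`root /var/www/img/$1`) through it gives `/var/www/img/one.jpg/images/one.jpg` for `/images/one.jpg`, which is the answer to the slide's "Why?".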
  20. location handlers
     proxy_pass, fastcgi_pass, memcached_pass, empty_gif, flv, stub_status, perl
     trailing slash    - random index / index / autoindex
     no trailing slash - gzip static / static
  21. Why "if" is bad - it's a "location" too
     gzip on;
     keepalive on;
     if ($no_gzip) {
         gzip off;         # gzip off
     }
     if ($no_keepalive) {
         keepalive off;    # gzip on, keepalive off
     }
     # gzip on, keepalive on
  22. Fix - but it's not recommended
     gzip on;
     keepalive on;
     if ($no_gzip) {
         gzip off;
         break;
     }
     if ($no_keepalive) {
         keepalive off;
         break;
     }
  23. Caching
  24. A couple of caveats from my Apache to Nginx migration
  25. Migration from Apache to Nginx
     Apache:
     RewriteCond %{HTTP_HOST} ^site.com$ [NC]
     RewriteRule ^(.*)$ http://www.site.com/$1 [R=301,L]
     # www redirect, common stuff out there
     Nginx:
     if ($host = site.com) {
         rewrite ^(.*)$ http://www.site.com/$1 permanent;    # MY EYES!!!
     }
  26. Right way to do it
     Apache:
     RewriteCond %{HTTP_HOST} ^site.com$ [NC]
     RewriteRule ^(.*)$ http://www.site.com/$1 [R=301,L]
     # www redirect, common stuff out there
     Nginx:
     server {
         server_name site.com;
         rewrite ^ http://www.site.com$request_uri? permanent;    # NOT BAD
     }
  27. Another common thing
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteRule .* index.php
     # right way
     location / {
         try_files $uri $uri/ /index.php$is_args$args;
     }
  28. FCGI security caveat
     location ~* \.php$ {
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_param SCRIPT_FILENAME $script;
         fastcgi_param PATH_INFO $path_info;
         ....
     }
     This PHP app supports upload of files...
     Do you notice the possible security breach? :)
  29. PATHINFO links
     GET /index.php/article/0001 =>
         SCRIPT_NAME = 0001
         PATH_INFO   = /index.php/article/    - WRONG
     Fix pathinfo magic -
         SCRIPT_NAME = index.php
         PATH_INFO   = /article/0001
  30. GET /upload/evil.jpg/notexist.php
         SCRIPT_NAME = notexist.php
         PATH_INFO   = /upload/evil.jpg/
     cgi.fix_pathinfo = 1 (yep, it's the default) - if SCRIPT_NAME is not found, let's "FIX" it -
         SCRIPT_NAME = evil.jpg
         PATH_INFO   = /notexist.php
     Let's RUN evil.jpg! :)
  31. Solution
     location ~* \.php$ {
         try_files $uri =404;
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param PATH_INFO $fastcgi_path_info;
         ....
     }
     - if you do not need PATHINFO links, OR
  32. Use fastcgi_split_path_info
     location ~* ^(.+\.php)(.*)$ {
         fastcgi_split_path_info ^(.+\.php)(.*)$;
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param PATH_INFO $fastcgi_path_info;
     }
     GET /index.php/article/0001 =>
         SCRIPT_FILENAME = index.php, PATH_INFO = /article/0001
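A model of the whole chain from slides 28 to 32: what nginx hands to PHP under each configuration and what PHP's cgi.fix_pathinfo=1 fallback then does with it. This is an added example, not code from the slides, PHP or nginx; the document root, the set of existing files and the `check_exists` option are assumptions made here. Run with the slide's upload URL it also shows that the split_path_info regex alone (no existence check) still lets fix_pathinfo walk back to the uploaded file, so the existence check from slide 31 is still needed with it.

```python
import re

# Constructed document root for the simulation (sample data, not from the slides).
DOCROOT = "/var/www"
EXISTING_FILES = {"/var/www/index.php", "/var/www/upload/evil.jpg"}

def exists(path):
    return path in EXISTING_FILES

def php_fix_pathinfo(script_filename, path_info):
    """Model of PHP's cgi.fix_pathinfo=1: if SCRIPT_FILENAME does not exist,
    walk back one path component at a time until an existing file is found
    and treat the remainder as PATH_INFO. Returns (script, path_info)."""
    if exists(script_filename):
        return script_filename, path_info
    parts = script_filename.split("/")
    for i in range(len(parts) - 1, 0, -1):
        candidate = "/".join(parts[:i])
        if exists(candidate):
            return candidate, "/" + "/".join(parts[i:])
    return None, None                           # PHP fails: no input file

def naive(uri):
    """Slide 28 style: the whole URI is the script, no existence check."""
    return DOCROOT + uri, ""

def with_try_files(uri):
    """Slide 31: try_files $uri =404 rejects anything that is not a real file."""
    return (DOCROOT + uri, "") if exists(DOCROOT + uri) else ("404", None)

SPLIT = re.compile(r"^(.+\.php)(.*)$")         # fastcgi_split_path_info, slide 32

def with_split_path_info(uri, check_exists=False):
    """Slide 32: split the URI into script and PATH_INFO at the last .php.
    check_exists=True adds the existence check that the regex alone lacks."""
    m = SPLIT.match(uri)
    if not m:
        return "404", None
    script, path_info = m.group(1), m.group(2)
    if check_exists and not exists(DOCROOT + script):
        return "404", None
    return DOCROOT + script, path_info

def serve(config, uri, **opts):
    """Run one nginx config model, then PHP's fix_pathinfo on what it passed."""
    script, path_info = config(uri, **opts)
    if script == "404":
        return "404", None
    return php_fix_pathinfo(script, path_info)
```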
  33. Please check http://wiki.nginx.org/Pitfalls - lots of stuff there
  34. Nginx optimization - just a couple of words
  35. Case 1. Big static files
     What is a BIG file? Size >2Mb (mp3, zip, iso etc.)
     a) RAID - use a big stripe size (>128K)
     b) output_buffers 1 1m;    # needs tuning
     c) AIO:
        FreeBSD:
        sendfile on;
        aio sendfile;
        Linux:
        aio on;
        directio on;    # required, but drops sendfile()
  36. Case 2. Lots of small files
     a) There is NO MAGIC. Hot files must reside in the RAM cache, or else... it will be slow.
     b) Tune open_file_cache.
        FreeBSD: see dirhash, vfs.ufs.dirhash_maxmem
  37. Common highload advice
     a) tune hardware and OS - disks, NICs, OS limitations (open files, limits, network stack etc.)
        worker_rlimit_nofile + kern.maxfiles/maxfilesperproc (FreeBSD) + fs.file-max (Linux)
     b) tune workers (number / threads). Start from the number of CPUs or disks.
     c) sendfile, tcp_nopush, tcp_nodelay - ?
     d) timeouts, keepalive, reset_timedout_connection on - check http://calomel.org/nginx.html
  38. Case 3. Light DDOS fighting
     What is a "light" DDOS?
     1) 1000 - 5000 - 7000 bots max.
     2) HTTP GET/HEAD/POST, e.g. GET /script.php?<random>
     3) "slowpoke" - the attack vector changes only slowly.
     4) "dumb" - dumb behaviour can be detected: no/bad referrers, no redirects, bad/same or missing HTTP headers etc.
     REMOVE NGINX FROM AUTOSTART !!!!
  39. a) "Heavy" (e.g. search) scripts flood
     http {
         ...
         limit_req_zone $binary_remote_addr zone=SLOW:10m rate=1r/s;
         # 64 bytes per record, 16000 records per MB, 503 error if overflow!
         ...
         location = /search.php {
             limit_req zone=SLOW burst=2;
             proxy_pass ....;
         }
     }
  40. b) "flooders" detection
     error_log /var/log/nginx/error.log;
     limit_conn_zone $binary_remote_addr zone=CONN:10m;
     ...
     location = /attacked_url {
         limit_conn CONN 4;    # 4-8, but beware of proxies!
         ....
     }
     grep "limiting connections by zone" | grep "/attacked_url" | awk .. - get the list of them and add it to the firewall (ipset)
     Beware - you can easily "shoot yourself in the foot"!
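The grep/awk step from this slide written out, with the two safeguards the slide warns about: only hits on the attacked URL in the CONN zone are counted, and an allowlist of known proxy/NAT addresses keeps them off the block list. This is an added example, not from the slides; the log lines are constructed samples in the format nginx's limit_conn module writes to error_log, and the threshold, set name and allowlist are assumptions.

```python
import re
from collections import Counter

# Constructed sample error_log lines (not real traffic), in the format the
# limit_conn module writes when a client exceeds the zone's limit.
SAMPLE_ERROR_LOG = """\
2012/02/16 10:00:01 [error] 1234#0: *11 limiting connections by zone "CONN", client: 203.0.113.5, server: site.com, request: "GET /attacked_url HTTP/1.1", host: "www.site.com"
2012/02/16 10:00:01 [error] 1234#0: *12 limiting connections by zone "CONN", client: 203.0.113.5, server: site.com, request: "GET /attacked_url?x=1 HTTP/1.1", host: "www.site.com"
2012/02/16 10:00:02 [error] 1234#0: *13 limiting connections by zone "CONN", client: 192.0.2.1, server: site.com, request: "GET /attacked_url HTTP/1.1", host: "www.site.com"
2012/02/16 10:00:02 [error] 1234#0: *14 limiting connections by zone "CONN", client: 203.0.113.5, server: site.com, request: "POST /attacked_url HTTP/1.1", host: "www.site.com"
2012/02/16 10:00:03 [error] 1234#0: *15 limiting connections by zone "CONN", client: 198.51.100.7, server: site.com, request: "GET /attacked_url HTTP/1.1", host: "www.site.com"
2012/02/16 10:00:03 [error] 1234#0: *16 limiting connections by zone "CONN", client: 203.0.113.9, server: site.com, request: "GET /other HTTP/1.1", host: "www.site.com"
2012/02/16 10:00:04 [error] 1234#0: *17 limiting requests, excess: 2.500 by zone "SLOW", client: 203.0.113.9, server: site.com, request: "GET /search.php?q=a HTTP/1.1", host: "www.site.com"
2012/02/16 10:00:04 [error] 1234#0: *18 limiting connections by zone "CONN", client: 192.0.2.1, server: site.com, request: "GET /attacked_url HTTP/1.1", host: "www.site.com"
2012/02/16 10:00:05 [error] 1234#0: *19 limiting connections by zone "CONN", client: 192.0.2.1, server: site.com, request: "GET /attacked_url HTTP/1.1", host: "www.site.com"
"""

LIMIT_CONN_RE = re.compile(
    r'limiting connections by zone "(?P<zone>[^"]+)", client: (?P<client>[^,]+), '
    r'server: [^,]+, request: "(?P<method>\S+) (?P<uri>\S+) [^"]*"')

def find_flooders(log_text, zone="CONN", uri="/attacked_url", threshold=3, allowlist=()):
    """Count limit_conn hits per client IP for one zone and URL and return the
    IPs at or above `threshold`. `allowlist` holds known proxies/NAT gateways
    that must never be blocked (the "shoot yourself in the foot" caveat)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LIMIT_CONN_RE.search(line)
        if not m or m.group("zone") != zone:
            continue
        if m.group("uri").split("?", 1)[0] != uri:   # ignore the query string
            continue
        hits[m.group("client")] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold and ip not in allowlist)

def ipset_commands(ips, setname="flooders"):
    """Turn the list into `ipset add` commands for the firewall step on the slide."""
    return [f"ipset add {setname} {ip}" for ip in ips]
```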
  41. c) Geo limiting
     Compile the geoip module with --with-http_geoip_module first.
     http {
         geoip_country /usr/local/nginx/etc/GeoIP.dat;
         map $geoip_country_code $bad_country {
             default 0;
             include /usr/local/nginx/etc/bad_countries;
         }
         server {
             ....
             if ($bad_country) { return 403; }
         }
     }
     bad_countries:
     CN 1;
     TZ 1;
     ...
  42. d) Aggressive caching
     "Slow is better than dead"
     location = / { rewrite ^ /main.html last; }
     # main.html - temporary static page with a link to the real home
     location = /main.html {
         internal;
         root /var/nginx/cache/;
         error_page 404 = /cached$uri;
     }
     location /cached/ {
         internal;
         alias /var/nginx/cache/;
         proxy_pass http://backend;
         proxy_store on;
         proxy_temp_path /var/nginx/tmp/;
     }
  43. The END
     Please check http://wiki.nginx.org - many nice things there. :)
     Questions?