NGINX Plus R18: What's new

NGINX Plus R18:
What’s new
08-May-2019

MORE INFORMATION AT NGINX.COM
Agenda
• Introducing NGINX
• New features in NGINX Plus R18
- Dynamic certificate loading
- Listen port ranges
- OpenID Connect enhancements
- Active health check options
- JavaScript module updates and more
• Summary and Q&A
2
Liam Crilly
Director of Product
Management, NGINX
liam@nginx.com
@liamcrilly

3
“... when I started NGINX,
I focused on a very specific problem –
how to handle more customers per a
single server.”
- Igor Sysoev, NGINX creator and founder

Introducing NGINX
4
2004
• NGINX 0.1
2007
• “Viable”
2011
• NGINX, Inc.
• NGINX 1.0
2013
• NGINX Plus R1
2018
• NGINX Unit 1.0
• Controller 1.0
2019
• Controller 2.0
(API mgmt.)
• NGINX Plus R18
• Acquired by F5 Networks

Source: W3Techs Web server ranking, 07-May-2019
#1“Most websites use NGINX”
The busiest sites choose NGINX
50%
61%
67%
Top 1M Top 100K Top 10K
Source: Netcraft April 2019 Web Server Survey

Office in San Francisco, Cork, Cambridge, Moscow, Singapore , Tokyo,
Sydney
400M websites
1,500+ commercial customers
250+ employees across engineering, support, sales and marketing

NGINX + F5: Complementary Approaches
Open Source-Driven
375M websites powered worldwide
66% of the 10,000 busiest sites
90M downloads per year
Enterprise-Driven
25,000 customers worldwide
49 of the Fortune 50
10 of the world’s top 10 brands

What is NGINX?
Internet
Web Server
Serve content from disk
Reverse Proxy
FastCGI, uWSGI, gRPC…
Load Balancer
Caching, SSL termination…
HTTP traffic
- Basic load balancer
- Content Cache
- Web Server
- Reverse Proxy
- SSL termination
- Rate limiting
- Basic authentication
- 7 metrics
NGINX Open Source NGINX Plus
+ Advanced load balancer
+ Health checks
+ Session persistence
+ Least time algos
+ Cache purging
+ HA/Clustering
+ JWT Authentication
+ OpenID Connect SSO
+ NGINX Plus API
+ Key-value store
+ Dynamic modules
+ 90+ metrics

Previously on…
• TLS 1.3 support
• Two Stage Rate Limiting
• Easier OpenID Connect Configuration *
• 2x faster ModSecurity Performance
• NGINX Ingress Controller for Kubernetes 1.4.0
* NGINX Plus Exclusive feature
9
Watch On Demand: search “r17 webinar” at nginx.com

Agenda
• Dynamic SSL Certificates
• OpenID Connect Enhancements
• Listen Port Ranges, FTP Proxy Support
• Key-Value Definition in the Configuration
• Greater Flexibility for Active Health Checks
• NGINX JavaScript Module and other updates
• Demo
• Summary and Q&A

With end-to-end encryption now
the default deployment pattern
for websites and applications,
organizations are managing an
explosion in SSL certificates.
This calls for a flexible approach
to how we deploy and configure
those SSL certificates.
Source: https://w3techs.com/technologies/history_overview/ssl_certificate/all/y11
66%
72%
77%
88%
35%
29%
23%
12%
2016 2017 2018 2019
SSL/TLS Adoption
HTTPS HTTP

Standard SSL Configuration
server {
listen 443 ssl;
ssl_certificate cert.crt;
ssl_certificate_key cert.key;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
• Manually specify each certificate and key
to be loaded from disk
• If you have a 1,000+ certificates:
• Need to specify 1,000+ cert/key pairs
• Long load and reload times
• High memory consumption during
reload
• Adding new site means updating config
and reload

SSL Configuration using SNI
server {
listen 443 ssl;
ssl_certificate $ssl_server_name.crt;
ssl_certificate_key $ssl_server_name.key;
location / {
}
}
• $ssl_server_name holds hostname
requested through SNI
• Files will be loaded on demand
• Single configuration for all SSL-enabled
sites
• To create a new site, simply upload the
appropriately named cert/key pair, no
reloads
• Up to 30% performance penalty to load
certificate from disk. Uses OS file cache
to improve performance.

SSL Configuration using Key-Value
Storekeyval_zone zone=ssl_crt:10m;
keyval $ssl_server_name $crt_pem zone=ssl_crt;
keyval_zone zone=ssl_key:10m;
keyval $ssl_server_name $key_pem zone=ssl_key;
server {
listen 443 ssl;
ssl_certificate data:$crt_pem;
ssl_certificate_key data:$key_pem;
location / {
}
}
• data: means the following variable
holds the certificate or key in memory.
• $crt_pem and $key_pem are looked
up from the Key-Value Store using
$ssl_server_name
• Key-Value Store can be programmed
through the NGINX Plus API for
automated provisioning
• Ideal for short-lived certificates or
integrations with issuers such as Let’s
Encrypt and Hashicorp Vault.
* NGINX Plus exclusive

NGINX Plus JWT Authentication
Support timeline:
• R10 -- Initial support for native JWT
authentication added
• R12 -- Support for custom fields
• R14 -- Support for nested claims
• R15 -- Support for OpenID Connect SSO.
Link to Okta, OneLogin, PingIdentity, etc.
• R17 -- Support for fetching JWK from URL
• R18 – Support for opaque session tokens,
refresh tokens, and a logout URL for
OpenID Connect
JWT Authentication and OpenID Connect
SSO are exclusive to NGINX Plus

New OpenID Connect Features
• Opaque Session Tokens – Can now authenticate clients with opaque session
tokens in the form of a browser cookie. Opaque tokens contain no personally
identifiable information about the user.
• Refresh Tokens – New support for refresh tokens so that expired ID tokens
are seamlessly refreshed. NGINX Plus stores the refresh token in the
key-value store and associates it with the opaque session token. When the
ID token expires, NGINX Plus sends the refresh token to the authorization
server. If the session is still valid, the authorization server issues a new ID
token.
• Logout URL -- When logged-in users visit the /logout URI, their ID and
refresh tokens are deleted from the key-value store, and they must
reauthenticate when making a future request.

Agenda
• Dynamic SSL Certificates
• OpenID Connect Enhancements
• Listen Port Ranges, FTP Proxy Support
• Key-Value Definition in the Configuration
• Greater Flexibility for Active Health Checks
• NGINX JavaScript Module and other updates
• Summary and Q&A

Listen Port Ranges and FTP Proxying
server {
listen 21; # FTP control port
listen 40000-45000; # Data port range
proxy_pass <FTP-server>:$server_port;
}
• Previously could only specific a single
port per listen directive
• Multiple ports required multiple listen
directives
• Now can specify a range of ports
• Passive FTP opens up data port
amongst a large range of ports

Key-Value Definition in Configuration
keyval_zone zone=recents:10m timeout=2m;
keyval $remote_addr $last_uri zone=recents;
server {
listen 80;
location / {
set $last_uri $uri;
proxy_pass http://my_backend;
}
}
• Previously only way to update the Key-
Value Store was with NGINX Plus API
• Now can be updated by using the set
directive
• $last_uri holds key-value entry with
last URI accesses by IP address
• set over writes with last URI. If no
entry present, it creates it
* NGINX Plus exclusive$ curl http://localhost:8080/api/4/http/keyvals/recents
{
"10.19.245.68": "/blog/nginx-plus-r18-released/",
"172.216.80.227": "/products/nginx/",
"10.29.110.168": "/blog/nginx-unit-1-8-0-now-available"
}

Health check arbitrary variables
js_set $response_is_fast checkHeaderTime;
match circuit_breaker {
status 200;
require $response_is_fast;
}
server {
listen 80;
location / {
proxy_pass http://my_backend;
health_check uri=/ match=circuit_breaker;
}
}
• New require directive requires all
specified variables to be non-zero for
health check to pass
• In this example we combine with
JavaScript module to check response
times
• Responses longer than 100ms are
considered unhealthy
function checkHeaderTime(r) {
if (r.variables.upstream_header_time > 0.1) {
return(0); // Too slow
}
return(1);
}

New proxy_session_drop Directive
server {
listen 12345;
proxy_pass my_tcp_backend;
health_check;
proxy_session_drop on;
}
• Previously when using NGINX to
reverse proxy TCP/UDP, backend
server’s health status is considered
only for new connections.
• With new proxy_session_drop
directive enabled you can immediately
close the connection when the next
packet is received from, or sent to, the
offline server.
• Also triggered by other dynamic
upstream changes, e.g. resolver

JavaScript module updates
export default {maskIp}; // Only expose maskIp()
function maskIp(addr) { // Public (exported) function
return i2ipv4(fnv32a(addr));
}
...
• Previously, all JavaScript code had to
reside in a single file.
• With new import and export JavaScript
modules, code can be organized into
multiple function-specific files.
• New js_path directive sets additional
directories to search
import masker from 'mask_ip_module.js';
function maskRemoteAddress(r) {
return(masker.maskIp(r.remoteAddress));
}
js_include main.js;
js_path /etc/nginx/njs_modules;
js_set $remote_addr_masked maskRemoteAddress;
log_format masked '$remote_addr_masked ...
mask_ip_module.jsmain.jsnginx.conf

Additional features
• Clustering Enhancement – A single zone_sync configuration can now be used for all
instances in a cluster with the help of wildcard support in the listen directive.
(NGINX Plus exclusive)
• New Variable -- $upstream_bytes_sent, contains number of bytes sent to an
upstream server.
• NGINX Ingress Controller for Kubernetes – Can now be installed directly from our new
Helm repository, without having to download Helm chart source files.
• New/Updated Dynamic Modules –
◦ Brotli (New): A general-purpose, lossless data compression algorithm.
◦ OpenTracing (New): Ability to instrument NGINX Plus with OpenTracing-compliant requests for a
range of distributed tracing services, such as Datadog, Jaeger, and Zipkin.
◦ Lua (Updated): A scripting language for NGINX Plus, updated to use LuaJIT 2.1.
29

Summary
• SSL certificates can be dynamically loaded using SNI hostname
• SSL certificates can be added dynamically using the NGINX Plus API
• The listen directive now accepts port ranges, enabling FTP proxy
support
• Key-Value pairs can now be set directly in NGINX Plus configuration
• New require directive for health checks can test the value of NGINX
Plus variables to fail/pass servers
• NGINX JavaScript module supports import and export for better code
organization

Q & ATry NGINX Plus and NGINX WAF free for 30 days: nginx.com/free-trial-
request

NGINX Plus R18: What's new

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to NGINX Plus R18: What's new

Similar to NGINX Plus R18: What's new (20)

More from NGINX, Inc.

More from NGINX, Inc. (20)

Recently uploaded

Recently uploaded (20)

NGINX Plus R18: What's new