NGINX Plus R19
New Features & Highlights
MORE INFORMATION AT NGINX.COM
Agenda
• Introducing NGINX and F5 Networks
• New features in NGINX Plus R19
- Monitoring and observability
- Dry-run mode for rate limiting
- Dynamic bandwidth limiting
• Summary and Q&A
Liam Crilly
Director, Product
Management, NGINX
l.crilly@f5.com
@liamcrilly
“... when I started NGINX,
I focused on a very specific
problem – how to handle more
customers per a single server.”
- Igor Sysoev, NGINX creator and founder
Introducing NGINX
2004
• NGINX 0.1
2007
• “Viable”
2011
• NGINX, Inc.
• NGINX 1.0
2013
• NGINX Plus R1
2018
• NGINX Unit 1.0
• Controller 1.0
2019
• Controller 2.0 (API mgmt.)
• NGINX Plus R19
• Acquired by F5 Networks
Source: W3Techs Web server ranking, 15-Oct-2019
#1 “Most websites use NGINX”
The busiest sites choose NGINX
• Top 1M: 33%
• Top 100K: 37%
• Top 10K: 41%
• Top 1K: 42%
Source: Netcraft April 2019 Web Server Survey
What is NGINX?
(diagram: HTTP traffic from the Internet passes through NGINX in one or more of these roles)
• Web Server – Serve content from disk
• Reverse Proxy – FastCGI, uWSGI, gRPC…
• Load Balancer – Caching, SSL termination…
NGINX Open Source
- Basic load balancer
- Content Cache
- Web Server
- Reverse Proxy
- SSL termination
- Rate limiting
- Basic authentication
- 7 metrics
NGINX Plus
+ Advanced load balancer
+ Health checks
+ Session persistence
+ Least time algos
+ Cache purging
+ HA/Clustering
+ JWT Authentication
+ OpenID Connect SSO
+ NGINX Plus API
+ Key-value store
+ Dynamic modules
+ 90+ metrics
Previously on NGINX Plus R18
• Dynamic SSL/TLS certificate loading – provisioning options:
◦ Copy to NGINX without configuration reload
◦ POST to key-value store through the NGINX Plus API so that private key is never-on-disk
• OpenID Connect enhancements
◦ Opaque session tokens with key-value store as JWT cache for enhanced security
◦ https://github.com/nginxinc/nginx-openid-connect for our OIDC reference implementation
• Port ranges for virtual servers
◦ Support a broader range of applications
• Define health checks by testing the value of any variables
◦ Increased flexibility in active health checks
Visit https://www.nginx.com/blog/nginx-plus-r18-released/ for all details
Monitoring and observability (R19)
• Per-location metrics – Collect metrics anywhere
• DNS resolver metrics – Track DNS request types and error responses
• Extended Activity Dashboard – Live dashboard extended to include the new metrics and cluster-wide state sharing
• Prometheus Module – Export NGINX Plus metrics to Prometheus
• Rate limiting in dry-run mode – Log excessive requests without enforcing the rate limit
Per-location metrics
• Just use status_zone anywhere!
• Differentiate multiple apps on same hostname
• Debug complex rewrites (did I get here?)
• API endpoint /api/5/http/location_zones
• Appears under “HTTP Zones” in dashboard
server {
listen 80;
server_name www.example.com;
status_zone www.example.com; # Collect metrics
location / {
root /var/docroot/www.example.com;
}
location /admin/ {
status_zone www_admin; # Collect metrics
if ($is_args) {
status_zone www_admin_query; # Conditional
}
proxy_pass http://my_backend;
}
}
NGINX Plus
Resolver metrics
• API endpoint /api/5/resolvers
• Single resolver directive may specify multiple DNS servers
◦ Metrics collected under single status_zone
resolver 8.8.8.8 8.8.4.4 valid=5s status_zone=google8888;
resolver_timeout 10ms;
upstream f1_api {
zone f1_api 64k;
server ergast.com resolve;
}
server {
listen 80;
server_name api.example.com;
location /api/f1/ {
proxy_pass http://f1_api;
}
location / {
resolver 1.1.1.1 valid=5s status_zone=cloudflare1111;
proxy_pass http://sports.example.com;
}
}
NGINX Plus
Dashboard Update
• Per-location metrics
◦ Under “HTTP Zones”
• Resolver metrics
• Cluster state sharing metrics
NGINX Plus
Dry-run mode for rate limiting
• limit_req_dry_run directive
• Monitors limit_req zone only
• Logs excess events to error_log
• Logs marked with dry run
limit_req_zone $binary_remote_addr zone=ip:1m rate=1r/s;
limit_req_status 429;
server {
listen 80;
location / {
limit_req_dry_run on;
limit_req zone=ip burst=2 delay=1;
limit_req_log_level warn;
error_page 429 @too_many_requests;
proxy_pass http://my_backend;
add_header Duration $request_time;
}
}
NGINX OSS
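Dry-run mode only produces value if someone reads the error_log before the limit is switched on. The following script is an added example, not part of the slides or of NGINX: it parses constructed error_log lines in the shape limit_req writes them (the ", dry run" marker distinguishes monitored events from enforced ones), reports which clients would have received a 429 per zone, and derives a burst value from the peak excess. The sample lines, addresses and the burst heuristic are my own assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample error_log lines (invented addresses and timestamps) in the
# shape limit_req writes them. ", dry run" is present only when
# limit_req_dry_run is on; the fourth line shows an enforced (non-dry-run) event.
SAMPLE_ERROR_LOG = """\
2019/10/15 12:00:01 [warn] 1234#1234: *7 limiting requests, dry run, excess: 1.020 by zone "ip", client: 192.0.2.10, server: , request: "GET / HTTP/1.1", host: "www.example.com"
2019/10/15 12:00:01 [warn] 1234#1234: *8 delaying request, dry run, excess: 0.540 by zone "ip", client: 192.0.2.10, server: , request: "GET /admin/ HTTP/1.1", host: "www.example.com"
2019/10/15 12:00:02 [warn] 1234#1234: *9 limiting requests, dry run, excess: 3.250 by zone "ip", client: 198.51.100.7, server: , request: "GET /login HTTP/1.1", host: "www.example.com"
2019/10/15 12:00:03 [warn] 1234#1234: *10 limiting requests, excess: 2.000 by zone "ip", client: 203.0.113.5, server: , request: "POST /login HTTP/1.1", host: "www.example.com"
2019/10/15 12:00:03 [notice] 1234#1234: signal process started
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \S+: \*\d+ '
    r'(?P<action>limiting requests|delaying request)(?P<dry>, dry run)?, '
    r'excess: (?P<excess>[\d.]+) by zone "(?P<zone>[^"]+)", '
    r'client: (?P<client>[^,]+), server: [^,]*, request: "(?P<request>[^"]*)"'
)


def parse_limit_req_events(log_text):
    """Return one dict per limit_req event; unrelated error_log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["dry_run"] = d.pop("dry") is not None
        d["excess"] = float(d["excess"])
        events.append(d)
    return events


def summarize_dry_run(events):
    """Per zone: clients that would have been rejected (429) had the limit been
    enforced, and the largest excess seen. Delayed requests are not rejects, and
    events without the dry-run marker were actually enforced, so both are left out."""
    rejects = defaultdict(Counter)
    peak = defaultdict(float)
    for e in events:
        if not e["dry_run"] or e["action"] != "limiting requests":
            continue
        rejects[e["zone"]][e["client"]] += 1
        peak[e["zone"]] = max(peak[e["zone"]], e["excess"])
    return {
        zone: {"would_reject": dict(clients), "peak_excess": peak[zone]}
        for zone, clients in rejects.items()
    }


def suggested_burst(summary, zone):
    """Heuristic (my own, not from the release notes): a burst at least as large as
    the peak excess would have absorbed every dry-run reject seen in this zone."""
    return math.ceil(summary[zone]["peak_excess"])


if __name__ == "__main__":
    summary = summarize_dry_run(parse_limit_req_events(SAMPLE_ERROR_LOG))
    for zone, info in summary.items():
        print(zone, info, "suggested burst >=", suggested_burst(summary, zone))
```

Run it against a real error_log (with limit_req_log_level at warn or lower, as in the config above) to see which clients the limit would actually hit before turning limit_req_dry_run off.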
Prometheus Module
• Export all NGINX Plus metrics in Prometheus format
• JavaScript module converts JSON to “prom” text/plain format
load_module modules/ngx_http_js_module.so;
http {
js_include /usr/share/nginx-plus-module-prometheus/main.js;
server {
location = /metrics {
js_content prometheus_metrics;
}
}
}
NGINX Plus
$ … install nginx-plus-module-prometheus
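To show what the per-location metrics slide and the Prometheus module slide give you once the numbers are out of NGINX Plus, here is an added example that is not part of the slides or of the nginx-plus-module-prometheus code. It takes a constructed JSON document shaped like a GET /api/5/http/location_zones response, computes the per-zone 5xx share (so an error spike in /admin/ is not hidden inside the host-wide zone), and renders the same data in Prometheus text format. The sample numbers and the metric names are my own and may differ from what the real module emits.

```python
import json

# Constructed sample (invented numbers) shaped like the JSON returned by
# GET /api/5/http/location_zones; zone names follow the status_zone example above.
SAMPLE_LOCATION_ZONES = json.loads("""{
  "www.example.com": {"requests": 1000, "discarded": 0, "received": 200000, "sent": 5000000,
                      "responses": {"1xx": 0, "2xx": 950, "3xx": 20, "4xx": 25, "5xx": 5, "total": 1000}},
  "www_admin":       {"requests": 120, "discarded": 0, "received": 24000, "sent": 60000,
                      "responses": {"1xx": 0, "2xx": 80, "3xx": 0, "4xx": 30, "5xx": 10, "total": 120}},
  "www_admin_query": {"requests": 40, "discarded": 0, "received": 8000, "sent": 16000,
                      "responses": {"1xx": 0, "2xx": 38, "3xx": 0, "4xx": 2, "5xx": 0, "total": 40}}
}""")

COUNTERS = ("requests", "discarded", "received", "sent")
CLASSES = ("1xx", "2xx", "3xx", "4xx", "5xx")


def error_ratio(zones, zone, klass="5xx"):
    """Share of this zone's responses in the given class (0.0 when nothing served yet)."""
    resp = zones[zone]["responses"]
    return resp[klass] / resp["total"] if resp["total"] else 0.0


def zones_over_threshold(zones, threshold=0.05, klass="5xx"):
    """Zones whose error share exceeds the threshold, e.g. to alert per location."""
    return sorted(z for z in zones if error_ratio(zones, z, klass) > threshold)


def _label(value):
    # Prometheus label values must escape backslash and double quote.
    return value.replace("\\", "\\\\").replace('"', '\\"')


def to_prometheus(zones):
    """Render the zones as Prometheus text exposition (metric names are chosen here
    and may differ from the names the NGINX Plus Prometheus module emits)."""
    out = []
    for name in COUNTERS:
        out.append(f"# TYPE nginxplus_location_zone_{name} counter")
        for zone in sorted(zones):
            out.append(f'nginxplus_location_zone_{name}{{zone="{_label(zone)}"}} {zones[zone][name]}')
    out.append("# TYPE nginxplus_location_zone_responses counter")
    for zone in sorted(zones):
        for klass in CLASSES:
            out.append(f'nginxplus_location_zone_responses{{zone="{_label(zone)}",code="{klass}"}} '
                       f'{zones[zone]["responses"][klass]}')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_prometheus(SAMPLE_LOCATION_ZONES))
    print("over 5% 5xx:", zones_over_threshold(SAMPLE_LOCATION_ZONES))
```

In the sample the host-wide zone sits at 0.5% 5xx while www_admin is at 8.3%, which is exactly the signal a single status_zone per server would have averaged away.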
Additional Features
• Enhancements to the Key-Value Store
◦ Support for Network Ranges – Dynamically blacklist/whitelist IP subnets using CIDR annotations.
◦ Entry Expiration Timeouts – Set specific timeouts for individual Key-Value store entries.
• Apply bandwidth limits based on attributes of incoming traffic
◦ limit_rate directive – Sets the rate (in bytes per second) that NGINX Plus will issue an HTTP response back to the client.
◦ limit_rate_after directive – Sets the number of bytes NGINX sends before the rate is applied.
Keyval with networks
• type=ip parameter to keyval_zone
• curl -X POST -d '{"192.168.13.0/24":"1"}' http://localhost:8080/api/5/http/keyvals/whitelist
keyval_zone zone=whitelist:128K type=ip timeout=2m;
keyval $remote_addr $client_net zone=whitelist;
server {
listen 80;
location / {
default_type text/plain;
if ($client_net) {
return 200 'Hello $remote_addr you are from $client_net\n';
}
return 403 'Goodbye $remote_addr, you are not on the list\n';
}
}
NGINX Plus
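The keyval entries above are written straight into a live allow-list through the API, so it is worth validating them before the POST. This added example (mine, not part of the slides or of NGINX) checks each CIDR with the standard ipaddress module, refuses host bits and over-broad prefixes such as 0.0.0.0/0, builds the JSON body in the shape the curl command sends, and emulates the lookup that `keyval $remote_addr $client_net` performs. The sample networks are constructed, and the longest-prefix-match behaviour of the emulation is an assumption about the type=ip zone.

```python
import ipaddress
import json

# Constructed entries for a whitelist zone (private / documentation ranges, not
# real hosts). Each key is a CIDR prefix, as the type=ip zone expects.
SAMPLE_NETWORKS = ["192.168.13.0/24", "192.168.0.0/16", "203.0.113.0/28"]


def is_valid_network(cidr, min_prefixlen=8):
    """True for a well-formed IPv4/IPv6 prefix with no host bits set and not
    broader than min_prefixlen (guards against an accidental 0.0.0.0/0 entry)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return net.prefixlen >= min_prefixlen


def build_payload(cidrs, value="1"):
    """JSON body for POST /api/5/http/keyvals/<zone>; raises on a bad entry so
    a malformed or over-broad prefix never reaches the zone."""
    bad = [c for c in cidrs if not is_valid_network(c)]
    if bad:
        raise ValueError(f"rejected entries: {bad}")
    return json.dumps({c: value for c in cidrs}, separators=(",", ":"))


def lookup(cidrs, addr):
    """Most specific network containing addr, or None. Assumption: this mirrors the
    longest-prefix match of an NGINX type=ip zone; it is a local emulation only."""
    ip = ipaddress.ip_address(addr)
    matches = [ipaddress.ip_network(c) for c in cidrs if ip in ipaddress.ip_network(c)]
    if not matches:
        return None
    return str(max(matches, key=lambda n: n.prefixlen))


if __name__ == "__main__":
    print(build_payload(SAMPLE_NETWORKS))
    for a in ("192.168.13.7", "192.168.200.1", "10.0.0.1"):
        print(a, "->", lookup(SAMPLE_NETWORKS, a))
```

The payload for the single entry on the slide comes out as '{"192.168.13.0/24":"1"}', the same string the curl command posts; with timeout=2m on the zone, an entry that is not refreshed disappears on its own, which is the property that makes this usable as a temporary allow-list.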
Dynamic Bandwidth Limits
• Limit bandwidth based on TLS version
• Apply rate limit after headers are sent back to the client
map $ssl_protocol $response_rate {
"TLSv1.1" 10k;
"TLSv1.2" 100k;
"TLSv1.3" 1000k;
}
server {
listen 443 ssl;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_certificate /etc/ssl/nginx/example.crt;
ssl_certificate_key /etc/ssl/nginx/example.key;
location / {
limit_rate $response_rate;
limit_rate_after 512;
proxy_pass http://my_backend;
}
}
NGINX OSS
Summary
• Per-location metrics
• Resolver metrics
• Dashboard updated with new metrics, and zone_sync
• Prometheus module
• Dry-run mode for rate limiting
• CIDR notation for keyval (type=ip)
• Per-entry timeout for keyval
• Variables support for bandwidth limiting
nginx.com | @nginx
Q&A
NGINX Plus R19 : EMEA