Denis Zhdanov, profile picture
Uploaded byDenis Zhdanov
PDF, PPTX2,797 views

Nginx Workshop Aftermath

This document summarizes Denis Zhdanov's presentation on optimizing and securing Nginx configurations. Some key points include: - Nginx is more scalable than Apache because it uses an event-driven model instead of preforking separate processes per request. - Locations, variables, and directives like proxy_pass, root, and alias allow complex routing and rewriting of requests. Care must be taken to avoid security issues when passing variables to backends. - Caching can be optimized for large static files and many small files through tuning buffers, caches, and disk settings. - Light DDoS attacks can be mitigated using rate limiting, geo blocking, and aggressive caching

Embed presentation

Download as PDF, PPTX
Nginx Workshop Aftermath Kiev.PM technical meeting, 16th Feb 2012 Denis Zhdanov denis.zhdanov@gmail.com
Disclaimer May 29, 2010 - Nginx workshop by Igor Sysoev was organized by SmartMe (http://www. smartme.com.ua/nginx-workshop/) Thanks Igor, thanks SmartMe. Based on workshop, but Nginx was changed, so caching and many other docs are on website now (http://wiki.nginx.org), so I add some things from me. "Scooter is ... ? "
Nginx / Apache - why we need what ? 1. Static files 2. Proxying / Slow client (No dialup but Mobile) Why Apache is bad / Nginx is good - size of worker. Apache is prefork / 1 proc/thread per request - it's too expensive. Nginx - Proc/thread also, but event driven.
Nginx is fast? "Nginx is not fast - but scalable", (c) Igor Sysoev. Tens and hundreds of 1000's requests per worker - quite fast, but Apache can do this also - but with much more resources. Nginx also has SCALABLE configuration. What is it means?
How we can configure Apache ? 1. .htaccess / rewrite rules - ugly, but single way on shared hostings ( I hope they all gone now :) ) 2. Virtual hosts - but global (default) server configuration could mess all things. 3. Virtual hosts but default server do nothing (deny all, for example)
locations location /images/ location = / location ^~ /images/ - plain strings, no order location ~ .php location ~* .php - regexp rules, ordered location @php - named
plain vs regexp location / location /admin/ VS - no difference ! location /admin/ location / But regexp is ordered, so ...
location ~* .(gif|jpe?g|png)$ { root /var/www/images/; } location ~* .php$ { fastcgi_pass ... } location /images/ { root /var/www/images/; } location /scripts/ { fastcgi_pass ... }
Real example location / { if ($uri ~ ^/login.php$) { ... } if ($uri ~ ^/admin/) { ... }
Nested locations location /images/ { root /var/www/images; } location /admin/ { location ^/admin*..php$ { fastcgi_pass.... } } ...
Directives: declarative vs runtime Declarative - no ordering, inheritance proxy_connect_timeout 25s; server { location / { } location = / { } location = /x { proxy_pass http://backend; } root /var/www/; }
Runtime directives Runs every time, no inheritance ! if (....) { set ... rewrite ... break return .... }
Bad examples location /images/ { root /var/www/images/; break; # <---- WHY??? } if (-e $request_filename) { expire 1y; break; # totally wrong !! }
Igor says: Do not use rewrites! :) if (...) { return 403; # good usage } location ~ ^/images/(.+)$ { root /var/www/img/$1; # bad } Why ?
Root semantic VS alias semantic GET /images/test/one.jpg location /images/ { root /var/www/; # path - /var/www/images/test/one.jpg } location /images/ { alias /var/www/img/; # path - /var/www/img/test/one.jpg }
Alias instead of root location /images/ { alias /var/www/images/; } location /images/ { root /var/www; }
Alias and root with variables GET /images/one.jpg location /images/ { root /var/www/$host; } # real path - /var/www/SITE/images/one.jpg location ~ ^/images/(.)(.+)$ { alias /var/www/img/$1/$1$2; } # real path - /var/www/img/o/one.jpg Alias make complete path, no replacement MUST use $1/$2 if location contains captures
proxy_pass semantic GET /images/test/one.jpg location /images/ { proxy_path http://backend; # <-- no URI } # Root semantic - GET http://backend/images/test/one.jpg location /images/ { proxy_path http://backend/img/; } # Alias semantic Ghttp://backend/img/test/one.jpg
proxy_pass with variables GET /images/one.jpg location ^/images/(.)(.+)$ { proxy_pass http://backend/$1/$1$2; } # --> http://backend/o/one.jpg # Alias semantic, but path is replaced location ^/images/(.).+$ { proxy_pass $1; # not part of URI } # --> http://o/images/one.jpg # Root semantic
location handlers proxy_pass, fastcgi_pass, memcached_pass, empty_gif, flv, stub_status, perl trailing slash - random index / index / auto index no trailing slash - gzip static / static
Why "if" is bad - it's "location" too gzip on; keepalive on; if ($no_gzip) { gzip off; # gzip off } if ($no_keepalive) { keepalive off; # gzip on, keepalive off } # gzip on, keepalive on
Fix - but it's not recommended gzip on; keepalive on; if ($no_gzip) { gzip off; break; } if ($no_keepalive) { keepalive off; break; }
Caching
Couple of caveats from my Apache to Nginx migration
Migration from Apache to Nginx Apache: RewriteCond %{HTTP_HOST} ^site.com$ [NC] RewriteRule ^(.*)$ http://www.site.com/$1 [R=301,L] # www redirect, common stuff out there Nginx: if ($host = 'site.com') { rewrite ^(.*)$ http://www.site.com/$1 permanent; # MY EYES!!! }
Right way to do it Apache: RewriteCond %{HTTP_HOST} ^site.com$ [NC] RewriteRule ^(.*)$ http://www.site.com/$1 [R=301,L] # www redirect, common stuff out there Nginx: server { server_name site.com; rewrite ^ http://www.site.com/$request_uri? permanent; # NOT BAD }
Another common thing RewriteCond %{REQUEST_FILENAME} -d RewriteCond %{REQUEST_FILENAME} -f RewriteRule .* index.php # right way location / { try files $uri $uri index.php$is_args$args; }
FCGI security caveat location ~* .php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $script; fastcgi_param PATH_INFO $path_info; .... } This PHP app supports upload of files... Do you mention possible security breach? :)
PATHINFO links GET /index.php/article/0001 => SCRIPT_NAME = 0001 PATH_INFO = /index.php/article/ - WRONG Fix pathinfo magic - SCRIPT_NAME = index.php PATH_INFO = /article/0001
GET /upload/evil.jpg/notexist.php SCRIPT_NAME = notexist.php PATH_INFO = /upload/evil.jpg/ cgi.fix_pathinfo = 1 (yep, it's default) - if SCRIPT_NAME not found - let's "FIX" it - SCRIPT_NAME = evil.jpg PATH_INFO = /notexist.php Let's RUN evil.jpg ! :)
Solution location ~* .php$ { try_files $uri = 404; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_scriptname; fastcgi_param PATH_INFO $fastcgi_pathinfo; .... } - if you do not need PATHINFO links OR
Use fastcgi_split_path_info location ~* ^(.+.php)(.*)$ { fastcgi_split_path_info ^(.+.php)(.*)$; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_scriptname; fastcgi_param PATH_INFO $fastcgi_pathinfo; } GET /index.php/article/0001 => SCRIPT_FILENAME = index.php, PATH_INFO = /article/0001
Please check http://wiki.nginx.org/Pitfalls - lot of stuff there
Nginx optimization Just couple of words
Case 1. Big static files What is BIG file? Size is >2Mb (mp3, zip, iso etc) a)RAID - use big stripe size (>128K) b) output_buffers 1 1m; # need to tune c) AIO: Freebsd: sendfile on; aio sendfile; Linux aio on; directio on; # required but drops sendfile()
Case 2. Lot of small files a). There is NO MAGIC Hot files must reside in RAM cache or else... it will be slow. b) Tune open_file_cache Freebsd: see dirhash, vfs.ufs.dirhash_maxmem
Common highload advices a) tune hardware and OS - disks, NICs, OS limitations (open files, limits, network stack etc.) worker_rlmit_nofile + kern.maxfiles/maxfilesperproc (FreeBSD) + fs.filemax (Linux) b) tune workers (number / threads). Start from CPU or disks numbers. c) sendfile, tcp_nopush, tcp_nodelay - ? d) timeouts, keepalive, reset_timedout_connection on - check http://calomel.org/nginx.html
Case 3. Light DDOS fighting What is "light" DDOS ? 1) 1000 - 5000 - 7000 bots max. 2) HTTP GET/HEAD/POST, e.g. GET /script.php?<random> 3) "slowpoke" - time of attack vector changing is big. 4) "dumb" - dumb behaviour can be detected - no/bad referrers, no redirects, bad/same or missing HTTP headers etc. REMOVE NGINX FROM AUTOSTART !!!!
a) "Heavy" (e.g. search) scripts flood http { ... limit_req_zone $binary_remote_addr zone=SLOW:10m rate=1r/s; # 64byte per record, 16000 record per MB, 503 error if overflow! ... location =/search.php { limit_req SLOW burst=2; proxy_pass .... }
b) "flooders" detection error_log /var/log/nginx/error.log; limit_conn_zone $binary_remote_addr zone=CONN:10m; ... location =/attacked_url { limit_conn CONN 4; #4-8, but beware of proixes! .... } grep "limiting connections by zone" | grep "/attacked_url" | awk .. - get list of them and add it to firewall (ipset) Beware - you can easily "shoot yourself in the foot"!
c) Geo limiting Compile geoip module with --with-http_geoip_module first. http { geo_country /usr/local/nginx/etc/GeoIP.dat; map $geoip_country_code $bad_country { default 0; include /usr/local/nginx/etc/bad_countries; # } server { .... if ($bad_country) { return 403; } bad_countries: CN 1; TZ 1; ...
d) Aggresive caching "Slow is better than dead" location=/ { rewrite ^ main.html last; } # main.html - temporary static page with link to real home location=/main.html { internal; root /var/nginx/cache/; error_page 404 = /cached$uri; } location /cached/ { internal; alias /var/nginx/cache/; proxy_pass http://backend; proxy_store_on; proxy_store_temp_path /var/nginx/tmp/; }
The END Please check http://wiki.nginx.org - many nice hings there. :) Questions ?

More Related Content

PDF
EC2
byIgor Kapkov
 
PPT
Rush, a shell that will yield to you
byguestdd9d06
 
ODP
Writing webapps with Perl Dancer
byAlexis Sukrieh
 
PDF
Lights, Camera, Docker: Streaming Video at DramaFever
bybridgetkromhout
 
PPTX
2012 coscup - Build your PHP application on Heroku
byronnywang_tw
 
PDF
A reviravolta do desenvolvimento web
byWallace Reis
 
PDF
Ansible leveraging 2.0
bybcoca
 
PDF
More tips n tricks
bybcoca
 
EC2
byIgor Kapkov
 
Rush, a shell that will yield to you
byguestdd9d06
 
Writing webapps with Perl Dancer
byAlexis Sukrieh
 
Lights, Camera, Docker: Streaming Video at DramaFever
bybridgetkromhout
 
2012 coscup - Build your PHP application on Heroku
byronnywang_tw
 
A reviravolta do desenvolvimento web
byWallace Reis
 
Ansible leveraging 2.0
bybcoca
 
More tips n tricks
bybcoca
 

What's hot

KEY
Sprockets
byChristophe Porteneuve
 
PDF
Unit Testing Lots of Perl
byWorkhorse Computing
 
PDF
Asynchronous PHP and Real-time Messaging
bySteve Rhoades
 
PDF
Ansible tips & tricks
bybcoca
 
PDF
Hacking ansible
bybcoca
 
PDF
Memory Manglement in Raku
byWorkhorse Computing
 
PDF
Ethiopian multiplication in Perl6
byWorkhorse Computing
 
KEY
Plack - LPW 2009
byTatsuhiko Miyagawa
 
KEY
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
byTatsuhiko Miyagawa
 
ODP
Exploiting the newer perl to improve your plugins
byMarian Marinov
 
PDF
Puppet Camp 2012
byServer Density
 
KEY
Sinatra for REST services
byEmanuele DelBono
 
PDF
Building and Testing Puppet with Docker
bycarlaasouza
 
PDF
Medicine show2 Drupal Bristol Camp 2015
byGeorge Boobyer
 
PDF
BASH Variables Part 1: Basic Interpolation
byWorkhorse Computing
 
PDF
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
byCarlos Sanchez
 
PDF
AnsibleFest 2014 - Role Tips and Tricks
byjimi-c
 
PDF
ChefConf 2012 Spiceweasel
byMatt Ray
 
PDF
V2 and beyond
byjimi-c
 
PDF
はじめてのSymfony2
byTomohiro MITSUMUNE
 
Sprockets
byChristophe Porteneuve
 
Unit Testing Lots of Perl
byWorkhorse Computing
 
Asynchronous PHP and Real-time Messaging
bySteve Rhoades
 
Ansible tips & tricks
bybcoca
 
Hacking ansible
bybcoca
 
Memory Manglement in Raku
byWorkhorse Computing
 
Ethiopian multiplication in Perl6
byWorkhorse Computing
 
Plack - LPW 2009
byTatsuhiko Miyagawa
 
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
byTatsuhiko Miyagawa
 
Exploiting the newer perl to improve your plugins
byMarian Marinov
 
Puppet Camp 2012
byServer Density
 
Sinatra for REST services
byEmanuele DelBono
 
Building and Testing Puppet with Docker
bycarlaasouza
 
Medicine show2 Drupal Bristol Camp 2015
byGeorge Boobyer
 
BASH Variables Part 1: Basic Interpolation
byWorkhorse Computing
 
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
byCarlos Sanchez
 
AnsibleFest 2014 - Role Tips and Tricks
byjimi-c
 
ChefConf 2012 Spiceweasel
byMatt Ray
 
V2 and beyond
byjimi-c
 
はじめてのSymfony2
byTomohiro MITSUMUNE
 

Similar to Nginx Workshop Aftermath

PDF
Масштабируемая конфигурация Nginx, Игорь Сысоев (Nginx)
byOntico
 
PDF
Apache and PHP: Why httpd.conf is your new BFF!
byJeff Jones
 
PPTX
WordPress + NGINX Best Practices with EasyEngine
byNGINX, Inc.
 
PDF
Using NGINX as an Effective and Highly Available Content Cache
byKevin Jones
 
PPTX
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
byAmit Aggarwal
 
PPTX
How to Avoid the Top 5 NGINX Configuration Mistakes
byNGINX, Inc.
 
KEY
Nginx - Tips and Tricks.
byHarish S
 
PDF
10 Million hits a day with WordPress using a $15 VPS
byPaolo Tonin
 
PPTX
Boost your website by running PHP on Nginx
byHarald Zeitlhofer
 
PDF
ITB2019 NGINX Overview and Technical Aspects - Kevin Jones
byOrtus Solutions, Corp
 
PPTX
Nginx [engine x] and you (and WordPress)
byJustin Foell
 
PPTX
PHP conference Berlin 2015: running PHP on Nginx
byHarald Zeitlhofer
 
PDF
Nginx pres
byJames Fuller
 
PPTX
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
byNGINX, Inc.
 
PDF
Deploying nginx with minimal system resources
byMax Ukhanov
 
PPT
WE18_Performance_Up.ppt
bywebhostingguy
 
PDF
Running php on nginx
byHarald Zeitlhofer
 
PPTX
NGINX 101 - now with more Docker
bysarahnovotny
 
PPTX
NGINX 101 - now with more Docker
bySarah Novotny
 
PDF
What is Nginx and Why You Should to Use it with Wordpress Hosting
byWPSFO Meetup Group
 
Масштабируемая конфигурация Nginx, Игорь Сысоев (Nginx)
byOntico
 
Apache and PHP: Why httpd.conf is your new BFF!
byJeff Jones
 
WordPress + NGINX Best Practices with EasyEngine
byNGINX, Inc.
 
Using NGINX as an Effective and Highly Available Content Cache
byKevin Jones
 
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
byAmit Aggarwal
 
How to Avoid the Top 5 NGINX Configuration Mistakes
byNGINX, Inc.
 
Nginx - Tips and Tricks.
byHarish S
 
10 Million hits a day with WordPress using a $15 VPS
byPaolo Tonin
 
Boost your website by running PHP on Nginx
byHarald Zeitlhofer
 
ITB2019 NGINX Overview and Technical Aspects - Kevin Jones
byOrtus Solutions, Corp
 
Nginx [engine x] and you (and WordPress)
byJustin Foell
 
PHP conference Berlin 2015: running PHP on Nginx
byHarald Zeitlhofer
 
Nginx pres
byJames Fuller
 
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
byNGINX, Inc.
 
Deploying nginx with minimal system resources
byMax Ukhanov
 
WE18_Performance_Up.ppt
bywebhostingguy
 
Running php on nginx
byHarald Zeitlhofer
 
NGINX 101 - now with more Docker
bysarahnovotny
 
NGINX 101 - now with more Docker
bySarah Novotny
 
What is Nginx and Why You Should to Use it with Wordpress Hosting
byWPSFO Meetup Group
 

Recently uploaded

PPTX
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PDF
January Patch Tuesday
byIvanti
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
PDF
Just Eat Data Scraping For Restaurant Reviews And Pricing.pdf
byfusiondata2026
 
PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PDF
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PDF
How Automation Powers Data Quality and Governance at Scale
bySafe Software
 
PPTX
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PDF
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
PDF
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PPTX
About Computer Hardware ................
bymaratiakshaya07
 
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
January Patch Tuesday
byIvanti
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
Just Eat Data Scraping For Restaurant Reviews And Pricing.pdf
byfusiondata2026
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
How Automation Powers Data Quality and Governance at Scale
bySafe Software
 
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
About Computer Hardware ................
bymaratiakshaya07
 

Nginx Workshop Aftermath

  • 1.
    Nginx Workshop Aftermath Kiev.PM technical meeting, 16th Feb 2012 Denis Zhdanov denis.zhdanov@gmail.com
  • 2.
    Disclaimer May 29, 2010- Nginx workshop by Igor Sysoev was organized by SmartMe (http://www. smartme.com.ua/nginx-workshop/) Thanks Igor, thanks SmartMe. Based on workshop, but Nginx was changed, so caching and many other docs are on website now (http://wiki.nginx.org), so I add some things from me. "Scooter is ... ? "
  • 3.
    Nginx / Apache- why we need what ? 1. Static files 2. Proxying / Slow client (No dialup but Mobile) Why Apache is bad / Nginx is good - size of worker. Apache is prefork / 1 proc/thread per request - it's too expensive. Nginx - Proc/thread also, but event driven.
  • 4.
    Nginx is fast? "Nginxis not fast - but scalable", (c) Igor Sysoev. Tens and hundreds of 1000's requests per worker - quite fast, but Apache can do this also - but with much more resources. Nginx also has SCALABLE configuration. What is it means?
  • 5.
    How we canconfigure Apache ? 1. .htaccess / rewrite rules - ugly, but single way on shared hostings ( I hope they all gone now :) ) 2. Virtual hosts - but global (default) server configuration could mess all things. 3. Virtual hosts but default server do nothing (deny all, for example)
  • 6.
    locations location /images/ location =/ location ^~ /images/ - plain strings, no order location ~ .php location ~* .php - regexp rules, ordered location @php - named
  • 7.
    plain vs regexp location/ location /admin/ VS - no difference ! location /admin/ location / But regexp is ordered, so ...
  • 8.
    location ~* .(gif|jpe?g|png)${ root /var/www/images/; } location ~* .php$ { fastcgi_pass ... } location /images/ { root /var/www/images/; } location /scripts/ { fastcgi_pass ... }
  • 9.
    Real example location /{ if ($uri ~ ^/login.php$) { ... } if ($uri ~ ^/admin/) { ... }
  • 10.
    Nested locations location /images/{ root /var/www/images; } location /admin/ { location ^/admin*..php$ { fastcgi_pass.... } } ...
  • 11.
    Directives: declarative vsruntime Declarative - no ordering, inheritance proxy_connect_timeout 25s; server { location / { } location = / { } location = /x { proxy_pass http://backend; } root /var/www/; }
  • 12.
    Runtime directives Runs everytime, no inheritance ! if (....) { set ... rewrite ... break return .... }
  • 13.
    Bad examples location /images/{ root /var/www/images/; break; # <---- WHY??? } if (-e $request_filename) { expire 1y; break; # totally wrong !! }
  • 14.
    Igor says: Donot use rewrites! :) if (...) { return 403; # good usage } location ~ ^/images/(.+)$ { root /var/www/img/$1; # bad } Why ?
  • 15.
    Root semantic VSalias semantic GET /images/test/one.jpg location /images/ { root /var/www/; # path - /var/www/images/test/one.jpg } location /images/ { alias /var/www/img/; # path - /var/www/img/test/one.jpg }
  • 16.
    Alias instead ofroot location /images/ { alias /var/www/images/; } location /images/ { root /var/www; }
  • 17.
    Alias and rootwith variables GET /images/one.jpg location /images/ { root /var/www/$host; } # real path - /var/www/SITE/images/one.jpg location ~ ^/images/(.)(.+)$ { alias /var/www/img/$1/$1$2; } # real path - /var/www/img/o/one.jpg Alias make complete path, no replacement MUST use $1/$2 if location contains captures
  • 18.
    proxy_pass semantic GET /images/test/one.jpg location/images/ { proxy_path http://backend; # <-- no URI } # Root semantic - GET http://backend/images/test/one.jpg location /images/ { proxy_path http://backend/img/; } # Alias semantic Ghttp://backend/img/test/one.jpg
  • 19.
    proxy_pass with variables GET/images/one.jpg location ^/images/(.)(.+)$ { proxy_pass http://backend/$1/$1$2; } # --> http://backend/o/one.jpg # Alias semantic, but path is replaced location ^/images/(.).+$ { proxy_pass $1; # not part of URI } # --> http://o/images/one.jpg # Root semantic
  • 20.
    location handlers proxy_pass, fastcgi_pass,memcached_pass, empty_gif, flv, stub_status, perl trailing slash - random index / index / auto index no trailing slash - gzip static / static
  • 21.
    Why "if" isbad - it's "location" too gzip on; keepalive on; if ($no_gzip) { gzip off; # gzip off } if ($no_keepalive) { keepalive off; # gzip on, keepalive off } # gzip on, keepalive on
  • 22.
    Fix - butit's not recommended gzip on; keepalive on; if ($no_gzip) { gzip off; break; } if ($no_keepalive) { keepalive off; break; }
  • 23.
  • 24.
    Couple of caveats frommy Apache to Nginx migration
  • 25.
    Migration from Apacheto Nginx Apache: RewriteCond %{HTTP_HOST} ^site.com$ [NC] RewriteRule ^(.*)$ http://www.site.com/$1 [R=301,L] # www redirect, common stuff out there Nginx: if ($host = 'site.com') { rewrite ^(.*)$ http://www.site.com/$1 permanent; # MY EYES!!! }
  • 26.
    Right way todo it Apache: RewriteCond %{HTTP_HOST} ^site.com$ [NC] RewriteRule ^(.*)$ http://www.site.com/$1 [R=301,L] # www redirect, common stuff out there Nginx: server { server_name site.com; rewrite ^ http://www.site.com/$request_uri? permanent; # NOT BAD }
  • 27.
    Another common thing RewriteCond%{REQUEST_FILENAME} -d RewriteCond %{REQUEST_FILENAME} -f RewriteRule .* index.php # right way location / { try files $uri $uri index.php$is_args$args; }
  • 28.
    FCGI security caveat location~* .php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $script; fastcgi_param PATH_INFO $path_info; .... } This PHP app supports upload of files... Do you mention possible security breach? :)
  • 29.
    PATHINFO links GET /index.php/article/0001=> SCRIPT_NAME = 0001 PATH_INFO = /index.php/article/ - WRONG Fix pathinfo magic - SCRIPT_NAME = index.php PATH_INFO = /article/0001
  • 30.
    GET /upload/evil.jpg/notexist.php SCRIPT_NAME =notexist.php PATH_INFO = /upload/evil.jpg/ cgi.fix_pathinfo = 1 (yep, it's default) - if SCRIPT_NAME not found - let's "FIX" it - SCRIPT_NAME = evil.jpg PATH_INFO = /notexist.php Let's RUN evil.jpg ! :)
  • 31.
    Solution location ~* .php${ try_files $uri = 404; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_scriptname; fastcgi_param PATH_INFO $fastcgi_pathinfo; .... } - if you do not need PATHINFO links OR
  • 32.
    Use fastcgi_split_path_info location ~*^(.+.php)(.*)$ { fastcgi_split_path_info ^(.+.php)(.*)$; fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_scriptname; fastcgi_param PATH_INFO $fastcgi_pathinfo; } GET /index.php/article/0001 => SCRIPT_FILENAME = index.php, PATH_INFO = /article/0001
  • 33.
  • 34.
    Nginx optimization Just couple of words
  • 35.
    Case 1. Bigstatic files What is BIG file? Size is >2Mb (mp3, zip, iso etc) a)RAID - use big stripe size (>128K) b) output_buffers 1 1m; # need to tune c) AIO: Freebsd: sendfile on; aio sendfile; Linux aio on; directio on; # required but drops sendfile()
  • 36.
    Case 2. Lotof small files a). There is NO MAGIC Hot files must reside in RAM cache or else... it will be slow. b) Tune open_file_cache Freebsd: see dirhash, vfs.ufs.dirhash_maxmem
  • 37.
    Common highload advices a)tune hardware and OS - disks, NICs, OS limitations (open files, limits, network stack etc.) worker_rlmit_nofile + kern.maxfiles/maxfilesperproc (FreeBSD) + fs.filemax (Linux) b) tune workers (number / threads). Start from CPU or disks numbers. c) sendfile, tcp_nopush, tcp_nodelay - ? d) timeouts, keepalive, reset_timedout_connection on - check http://calomel.org/nginx.html
  • 38.
    Case 3. LightDDOS fighting What is "light" DDOS ? 1) 1000 - 5000 - 7000 bots max. 2) HTTP GET/HEAD/POST, e.g. GET /script.php?<random> 3) "slowpoke" - time of attack vector changing is big. 4) "dumb" - dumb behaviour can be detected - no/bad referrers, no redirects, bad/same or missing HTTP headers etc. REMOVE NGINX FROM AUTOSTART !!!!
  • 39.
    a) "Heavy" (e.g.search) scripts flood http { ... limit_req_zone $binary_remote_addr zone=SLOW:10m rate=1r/s; # 64byte per record, 16000 record per MB, 503 error if overflow! ... location =/search.php { limit_req SLOW burst=2; proxy_pass .... }
  • 40.
    b) "flooders" detection error_log/var/log/nginx/error.log; limit_conn_zone $binary_remote_addr zone=CONN:10m; ... location =/attacked_url { limit_conn CONN 4; #4-8, but beware of proixes! .... } grep "limiting connections by zone" | grep "/attacked_url" | awk .. - get list of them and add it to firewall (ipset) Beware - you can easily "shoot yourself in the foot"!
  • 41.
    c) Geo limiting Compilegeoip module with --with-http_geoip_module first. http { geo_country /usr/local/nginx/etc/GeoIP.dat; map $geoip_country_code $bad_country { default 0; include /usr/local/nginx/etc/bad_countries; # } server { .... if ($bad_country) { return 403; } bad_countries: CN 1; TZ 1; ...
  • 42.
    d) Aggresive caching "Slowis better than dead" location=/ { rewrite ^ main.html last; } # main.html - temporary static page with link to real home location=/main.html { internal; root /var/nginx/cache/; error_page 404 = /cached$uri; } location /cached/ { internal; alias /var/nginx/cache/; proxy_pass http://backend; proxy_store_on; proxy_store_temp_path /var/nginx/tmp/; }
  • 43.
    The END Please checkhttp://wiki.nginx.org - many nice hings there. :) Questions ?