What’s New in NGINX Plus R15? - EMEA

What’s new in
NGINX Plus R15
Liam Crilly
Director of Product Management

Agenda
• Introducing NGINX
• HTTP/2 enhancements
• gRPC Proxy
• HTTP/2 Server Push
• Enhanced Clustering and State Sharing
• NGINX JavaScript module enhancements
• OpenID Connect SSO with Demo
• Summary and Q&A

“... when I started NGINX,
I focused on a very specific
problem – how to handle more
customers per a single server.”
- Igor Sysoev, NGINX creator and founder

1. Netcraft Web Server Survey, 26-Apr-2018
2. W3Techs Web server ranking, 22-May-2018
403
millionTotal sites on NGINX¹
The busiest sites choose NGINX²
45%
56%
64%
Top 1M Top 100K Top 10K

• Offices in San Francisco, Cork, Cambridge (UK), Moscow,
Singapore and Sydney
• 5 products
• 1,500+ commercial customers
• 200+ employees

Source: W3Techs Site Elements Data, 22-May-2018
78%HTTP/2 sites on NGINX
Sites offering HTTP/2
0%
5%
10%
15%
20%
25%
30%
May-17
Jun-17
Jul-17
Aug-17
Sep-17
Oct-17
Nov-17
Dec-17
Jan-18
Feb-18
Mar-18
Apr-18
May-18

NGINX Plus HTTP/2 Support
HTTP/2 Release History
• NGINX Plus R7 – Initial availability
• NGINX Plus R8 – Production ready
• HTTP/2 termination
• NGINX Plus R15
• gRPC – Load balancing, routing, and
TLS termination
• HTTP/2 Server Push – Push
resources to clients, improve
performance.

NGINX Plus HTTP/2 Configuration
• Add http2 argument to listen
directive
• For clear text HTTP/2, remove SSL
configuration
server {
listen 80;
server_name www.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
ssl_certificate server.crt;
ssl_certificate_key server.key;
}

gRPC Overview
• gRPC is transported over HTTP/2. Does not work with HTTP/1.
• Can be cleartext or SSL-encrypted
• A gRPC call is implemented as an HTTP POST request
• Uses compact “protocol buffers” to exchange data between client and server
• Protocol buffers are implemented in C++ as a class
• Support originally added in NGINX Open Source 1.13.10

gRPC Proxying
server {
listen 80 http2;
location / {
grpc_pass grpc://localhost:50051;
}
}
• grpc_pass – Use like fastcgi_pass,
proxy_pass, etc.
• grpc:// – Use instead of http://.

gRPC Proxying with SSL Termination
server {
location / {
grpc_pass grpc://localhost:50051;
}
}
• Configure SSL and HTTP/2 as usual
• Go sample application needs to modified to
point to NGINX IP Address and port.

gRPC Routing
location /helloworld.ServiceA {
grpc_pass grpc://192.168.20.11:50051;
}
location /helloworld.ServiceB {
grpc_pass grpc://192.168.20.12:50052;
}
• Usually structured as
application_name.method

gRPC Load Balancing
upstream grpcservers {
server 192.168.20.21:50051;
server 192.168.20.22:50052;
}
server {
ssl_certificate ssl/certificate.pem;
ssl_certificate_key ssl/key.pem;
location /helloworld.Greeter {
grpc_pass grpc://grpcservers;
error_page 502 = /error502grpc;
}
location = /error502grpc {
internal;
default_type application/grpc;
add_header grpc-status 14;
add_header grpc-message "unavailable";
return 204;
}
}
• gRPC server work with standard upstream
blocks.
• Can use grpcs for encrypted gRPC
• If no servers are available, the
/error502grpc location returns a
gRPC-compliant error message.

HTTP/2 Server Push Overview
• User requests /demo.html
• Server responds with /demo.html
• Server pre-emptively sends style.css and image.jpg
• Stored in separate browser push cache until needed
• Support added in NGINX 1.13.9

HTTP/2 Server Push Testing
• HTTP/2 and HTTPS introduce one additional RTT for SSL handshake
• HTTP/2 Server push eliminates stylesheet RTT
• Reduces 2 RTT overall compared to unoptimized HTTP/2

HTTP/2 Server Push Config (Method 1)
server {
root /var/www/html;
# whenever a client requests demo.html
# push /style.css, /image1.jpg, and
# /image2.jpg
location = /demo.html {
http2_push /style.css;
http2_push /image1.jpg;
http2_push /image2.jpg;
}
}
• http2_push – Defines resources to be pushed
to clients. When NGINX receives a request for
/demo.html, it will request and push
style.css, image1.jpg, and image2.jpg.

HTTP/2 Server Push Config (Method 2)
server {
root /var/www/html;
# whenever a client requests demo.html
# push /style.css, /image1.jpg, and
# /image2.jpg
location = /demo.html {
http2_push_preload on;
}
}
• http2_push_preload – Instructs NGINX to
parse HTTP Link: headers and push specified
resources.
• Link: </style.css>; as=style;
rel=preload, </favicon.ico>; as=image;
rel=preload
• Useful if you want application server to control
what gets pushed.

HTTP/2 Server Push Verification
• Chrome Developer Tools: The Initiator column on the Network tab indicates several resources were
pushed to the client as part of a request for /demo.html.

More Information
• NGINX: gRPC and HTTP/2 Server Push (webinar)
• https://www.nginx.com/webinars/nginx-http2-server-push-grpc-emea/
• Introducing HTTP/2 Server Push with NGINX 1.13.9 (blog)
• https://www.nginx.com/blog/nginx-1-13-9-http2-server-push/
• Introducing gRPC Support with NGINX 1.13.10 (blog)
• https://www.nginx.com/blog/nginx-1-13-10-grpc/

NGINX Plus Clustering
Clustering Release History
• NGINX Plus R1
• High Availability based on
keepalived package
• NGINX Plus R12
• Configuration synchronization
using nginx-sync package.
Configure only one master server.
• NGINX Plus R15
• State sharing for sticky learn
session persistence

stream {
resolver 10.0.0.53 valid=20s;
server {
listen 9000;
zone_sync;
zone_sync_server nginx1.example.com:9000 resolve;
}
}
Shared memory zones are identified in NGINX
Plus with the zone directive (example on next
slide) for data to be shared between processors
on the same server. The new zone_sync
functionality extends this memory to be shared
across different servers.
• zone_sync -- Enables synchronization of
shared memory zones in a cluster.
• zone_sync_server -- Identifies the other
NGINX Plus instances in the cluster. You
create a separate zone_sync_server for
each server in the cluster.
• Add into main nginx.conf for each server

upstream my_backend {
zone my_backend 64k;
server backends.example.com resolve;
sticky learn zone=sessions:1m
create=$upstream_cookie_session
lookup=$cookie_session
sync;
}
server {
listen 80;
location / {
proxy_pass http://my_backend;
}
}
• zone – Identifies the shared memory zone.
This configuration is unchanged from
before.
• sync – Enables cluster-wide state sharing

NGINX Plus Clustering (Advanced)
stream {
resolver 10.0.0.53 valid=20s;
server {
listen 10.0.0.1:9000 ssl;
ssl_certificate_key /etc/ssl/key.pem;
ssl_certificate /etc/ssl/cert.pem;
allow 10.0.0.0/24; # Only accept internal conns
deny all;
zone_sync;
zone_sync_server nginx1.example.com:9000 resolve;
zone_sync_ssl_verify on; # Peers must connect with client cert
zone_sync_ssl_trusted_certificate /etc/ssl/ca_chain.pem;
zone_sync_ssl_verify_depth 2;
zone_sync_ssl on; # Connect to peers with TLS, offer client cert
zone_sync_ssl_certificate /etc/ssl/nginx1.example.com.client_cert.pem;
zone_sync_ssl_certificate_key /etc/ssl/nginx1.example.com.key.pem;
}
}
Enabling encrypted communication between
cluster members.
• zone_sync_ssl_verify – Mandates
peers present client cert when enabled.
• zone_sync_ssl_trusted_certificate
– Specifies trusted cert chain to verify
client certs with
• zone_sync_ssl – Tells this server to
present client certs
• zone_sync_ssl_certificate – Public
key for client cert
• zone_sync_ssl_certificate_key –
Private key for client cert

Clustering demo
30
• Edge load balancing is random
• Backends are stateful, issue
cookies
• Client refresh must reach the
same backend
• 36 routes!
Edge L/B
NGINX
gurston
NGINX
shesley
NGINX
harewood
Backend
1001
Backend
2002
Backend
3003
Backend
4004
Backend
5005
Backend
…
Backend
9009
NGINX
prescott

NGINX JavaScript module
JavaScript Release History
• NGINX Plus R10 – Initial release
• NGINX Plus R11 – Added support for stream
module (TCP/UDP)
• NGINX Plus R12 – Add ECMAScript 6 math
methods, production-ready
• NGINX Plus R14 – JSON object support
• NGINX Plus R15
• Sub requests – Issue new HTTP requests
asynchronous of client request
• Crypto library – Hash functions and HMAC
with SHA and MD5. Base64 and hex encoding

Getting Started
Debian/Ubuntu:
$ sudo apt-get update
$ sudo apt-get install nginx-plus-module-njs
Centos/RedHat:
$ sudo yum update
$ sudo yum install nginx-plus-module-njs
In top-level ("main") context of the nginx.conf add:
load_module modules/ngx_http_js_module.so;
load_module modules/ngx_stream_js_module.so;
Restart NGINX Plus:
$ sudo nginx -t && sudo nginx -s reload
• Install the module from our repository for
your choice of OS
• Top-level means outside of any http{} or
stream{} blocks
• After reload you can start using the NGINX
JavaScript module

Sub Requests
function sendFastest(req, res) {
var n = 0;
function done(reply) { // Callback for subrequests
if (n++ == 0) {
req.log("WINNER is " + reply.uri);
res.return(reply.status, reply.body);
}
}
req.subrequest("/server_one", req.variables.args, done);
req.subrequest("/server_two", req.variables.args, done);
}
• req.subrequest – Initiates
asynchronous subrequest with callback
function done() in this example.
• js_content – Calls JavaScript function
to provide response.
js_include fastest_wins.js;
server {
listen 80;
location / {
js_content sendFastest;
}
location /server_one {
proxy_pass http://10.0.0.1$request_uri; # Pass URI
}
location /server_two {
proxy_pass http://10.0.0.2$request_uri;
}
}

Hash Functions
function signCookie(req, res) {
if (res.headers["set-cookie"].length) {
// Response includes a new cookie
var cookie_data = res.headers["set-cookie"].split(";");
var c = require('crypto’);
var h = c.createHmac('sha256').update(cookie_data[0] +
req.remoteAddress);
return "signature=" + h.digest('hex');
}
return "";
}
• c.createHmac – Calls crypto library to
provide HMAC of specified data.
• js_set – Sets variable to return value
from JavaScript function
Supported crypto library functions:
• Hash functions: MD5, SHA-1, SHA-256
• HMAC using: MD5, SHA-1, SHA-256
• Digest formats: Base64, Base64URL, hex
js_include cookie_signing.js;
js_set $signed_cookie signCookie;
server {
listen 80;
location / {
proxy_pass http://my_backend;
add_header Set-Cookie $signed_cookie;
}
}

OpenID Connect
is the missing piece
that carries identity
information in OAuth
2.0 access tokens.
– NGINX blog
“

NGINX Plus JWT Authentication
JWT Release History
• NGINX Plus R10 – Standards compliant JWT
• NGINX Plus R12 – Custom claims
• NGINX Plus R14 – Nested claims and arrays
• NGINX Plus R15
• OpenID Connect 1.0
• Integrate with IdP vendors/products

“Using OpenID Connect with
NGINX Plus enabled us to
quickly and easily integrate
with our identity provider and,
at the same time, simplify our
application architecture.”
- Scott Macleod, Software Engineer,
NHS Digital

OpenID Connect Authorization Flow

How to use it
Clone GitHub repo:
$ git clone https://github.com/nginxinc/nginx-
openid-connect
Copy files to /etc/nginx/conf.d:
$ cp nginx-openid-connect/* /etc/nginx/conf.d
Configure for your environment (to be covered in demo):
1. Configure IdP
2. Put IdP configuration into frontend.conf
Restart NGINX Plus:
$ sudo nginx -t && sudo nginx -s reload
https://github.com/nginxinc/nginx-openid-connect
• Requires NGINX JavaScript module
• Our GitHub repo contains 3 important files:
• frontend.conf – Reverse proxy
configuration and where the IdP is configured.
• openid_connect.server_conf – NGINX
configuration for handling the various stages
of OpenID Connect authorization code flow.
Should not require any changes.
• openid_connect.js – JavaScript code for
performing the authorization code exchange,
nonce hashing and token validation. Should
not require any changes.

Additional New Features
• $ssl_preread_alpn_protocols – Comma-separated list of client protocols advertised
through ALPN (NGINX Open Source 1.13.10).
• $upstream_queue_time – Captures the amount of time a request spends in the queue,
when using upstream queueing. Can be outputted to log to monitor performance (NGINX
Open Source 1.13.9).
• log_format escape=none – Disable escaping in the NGINX Plus access log, in addition
to previous support for JSON and default escaping (NGINX Open Source 1.1310).
• Transparent Proxying without root – Worker processes can now inherit
the CAP_NET_RAW Linux capability from the master process so that NGINX Plus no longer
requires special privileges for transparent proxying.
• New Cookie-Flag module – Third party module for setting cookie flags is now available
in our dynamic modules respository

Summary
• HTTP/2 server push -- Use h2_push to have NGINX push resources or
use h2_push_preload on; to have NGINX use the Link: header
• gRPC proxying -- Use grpc_pass like proxy_pass, fastcgi_pass, etc.
to proxy gRPC connections
• State sharing -- Sticky learn session persistence now works across a
cluster with new zone_sync feature
• NGINX JavaScript module -- New support for sub requests and crypto
hash functions
• OpenID Connect SSO -- New integrations with IdPs such as CA SSO,
Okta, OneLogin, etc.

Q & ATry NGINX Plus free for 30 days: nginx.com/free-trial-request

What’s New in NGINX Plus R15? - EMEA

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to What’s New in NGINX Plus R15? - EMEA

Similar to What’s New in NGINX Plus R15? - EMEA (20)

More from NGINX, Inc.

More from NGINX, Inc. (20)

Recently uploaded

Recently uploaded (20)

What’s New in NGINX Plus R15? - EMEA