What’s new in
NGINX Plus R15
Liam Crilly
Director of Product Management
Agenda
• Introducing NGINX
• HTTP/2 enhancements
• gRPC Proxy
• HTTP/2 Server Push
• Enhanced Clustering and State Sharing
• NGINX JavaScript module enhancements
• OpenID Connect SSO with Demo
• Summary and Q&A
“... when I started NGINX,
I focused on a very specific
problem – how to handle more
customers per a single server.”
- Igor Sysoev, NGINX creator and founder
1. Netcraft Web Server Survey, 26-Apr-2018
2. W3Techs Web server ranking, 22-May-2018
403 million total sites on NGINX¹
The busiest sites choose NGINX²: 45% (Top 1M), 56% (Top 100K), 64% (Top 10K)
Where NGINX Plus fits
• Offices in San Francisco, Cork, Cambridge (UK), Moscow,
Singapore and Sydney
• 5 products
• 1,500+ commercial customers
• 200+ employees
Source: W3Techs Site Elements Data, 22-May-2018
78% of HTTP/2 sites run on NGINX
[Chart: Sites offering HTTP/2, May-17 to May-18, y-axis 0% to 30%]
NGINX Plus HTTP/2 Support
HTTP/2 Release History
• NGINX Plus R7 – Initial availability
• NGINX Plus R8 – Production ready
• HTTP/2 termination
• NGINX Plus R15
• gRPC – Load balancing, routing, and
TLS termination
• HTTP/2 Server Push – Push
resources to clients, improve
performance.
NGINX Plus HTTP/2 Configuration
• Add the http2 argument to the listen directive
• For cleartext HTTP/2, omit the SSL configuration
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
}
gRPC Overview
• gRPC is transported over HTTP/2; it does not work over HTTP/1.
• Can be cleartext or TLS-encrypted
• A gRPC call is implemented as an HTTP POST request
• Uses compact “protocol buffers” to exchange data between client and server
• Protocol buffers are implemented in C++ as a class
• Support originally added in NGINX Open Source 1.13.10
gRPC Proxying
server {
    listen 80 http2;
    location / {
        grpc_pass grpc://localhost:50051;
    }
}
• grpc_pass – Use like fastcgi_pass,
proxy_pass, etc.
• grpc:// – Use instead of http://.
gRPC Proxying with SSL Termination
server {
    listen 443 ssl http2;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    location / {
        grpc_pass grpc://localhost:50051;
    }
}
• Configure SSL and HTTP/2 as usual
• The Go sample application needs to be modified to
point to the NGINX IP address and port.
gRPC Routing
location /helloworld.ServiceA {
    grpc_pass grpc://192.168.20.11:50051;
}
location /helloworld.ServiceB {
    grpc_pass grpc://192.168.20.12:50052;
}
• Usually structured as
application_name.method
gRPC Load Balancing
upstream grpcservers {
    server 192.168.20.21:50051;
    server 192.168.20.22:50052;
}
server {
    listen 443 ssl http2;
    ssl_certificate ssl/certificate.pem;
    ssl_certificate_key ssl/key.pem;
    location /helloworld.Greeter {
        grpc_pass grpc://grpcservers;
        error_page 502 = /error502grpc;
    }
    location = /error502grpc {
        internal;
        default_type application/grpc;
        add_header grpc-status 14;
        add_header grpc-message "unavailable";
        return 204;
    }
}
• gRPC servers work with standard upstream
blocks.
• Use grpcs:// for encrypted gRPC to the upstream
• If no servers are available, the
/error502grpc location returns a
gRPC-compliant error (grpc-status 14, UNAVAILABLE)
instead of a plain HTTP 502.
HTTP/2 Server Push Overview
• User requests /demo.html
• Server responds with /demo.html
• Server pre-emptively sends style.css and image.jpg
• Stored in separate browser push cache until needed
• Support added in NGINX 1.13.9
HTTP/2 Server Push Testing
• HTTP/2 and HTTPS introduce one additional RTT for SSL handshake
• HTTP/2 Server push eliminates stylesheet RTT
• Reduces 2 RTT overall compared to unoptimized HTTP/2
HTTP/2 Server Push Config (Method 1)
server {
    listen 443 ssl http2;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    root /var/www/html;
    # whenever a client requests demo.html
    # push /style.css, /image1.jpg, and
    # /image2.jpg
    location = /demo.html {
        http2_push /style.css;
        http2_push /image1.jpg;
        http2_push /image2.jpg;
    }
}
• http2_push – Defines resources to be pushed
to clients. When NGINX receives a request for
/demo.html, it will request and push
style.css, image1.jpg, and image2.jpg.
HTTP/2 Server Push Config (Method 2)
server {
    listen 443 ssl http2;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    root /var/www/html;
    # whenever a client requests demo.html
    # push the resources the upstream lists
    # in its Link: preload header
    location = /demo.html {
        http2_push_preload on;
    }
}
• http2_push_preload – Instructs NGINX to
parse the HTTP Link: response header and push the
resources it lists with rel=preload.
• Link: </style.css>; as=style;
rel=preload, </favicon.ico>; as=image;
rel=preload
• Useful if you want the application server to control
what gets pushed.
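To make the Method 2 mechanism concrete, here is an added example (not code from the slides or from NGINX) that parses a Link: header of the form shown above and picks out the entries a push-preload implementation would act on. The selection rules in the filter (rel=preload only, same-origin absolute paths, and the preload spec's nopush opt-out) are my assumptions about sensible behaviour, not a description of NGINX internals; the sample header is constructed.

```javascript
// Split a header value on `delim`, ignoring delimiters inside <...> or "...".
function splitOutside(str, delim) {
  const out = [];
  let inAngle = false, inQuote = false, cur = '';
  for (const ch of str) {
    if (ch === '"' && !inAngle) inQuote = !inQuote;
    else if (ch === '<' && !inQuote) inAngle = true;
    else if (ch === '>' && !inQuote) inAngle = false;
    if (ch === delim && !inAngle && !inQuote) { out.push(cur); cur = ''; continue; }
    cur += ch;
  }
  out.push(cur);
  return out.map(s => s.trim()).filter(s => s.length > 0);
}

// Parse an RFC 8288 Link header into [{ uri, params }, ...].
// Parameters without a value (e.g. "nopush") are recorded as `true`.
function parseLinkHeader(value) {
  return splitOutside(value, ',').map(function (link) {
    const parts = splitOutside(link, ';');
    const m = /^<([^>]*)>$/.exec(parts[0] || '');
    if (!m) return null;                       // malformed entry: skip it
    const params = {};
    for (const p of parts.slice(1)) {
      const eq = p.indexOf('=');
      const name = (eq < 0 ? p : p.slice(0, eq)).trim().toLowerCase();
      const val = eq < 0 ? true : p.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
      params[name] = val;
    }
    return { uri: m[1].trim(), params: params };
  }).filter(Boolean);
}

// Decide which links a push-preload implementation would push (assumed rules):
//  - only rel=preload links are push hints (prefetch, stylesheet, etc. are not)
//  - only same-origin absolute paths; a server cannot push another origin
//  - "nopush" is the origin server's way of saying "preload, but don't push"
function pushCandidates(linkHeader) {
  return parseLinkHeader(linkHeader)
    .filter(function (l) {
      const rels = String(l.params.rel || '').toLowerCase().split(/\s+/);
      return rels.indexOf('preload') >= 0
        && l.uri.charAt(0) === '/'
        && !l.params.nopush;
    })
    .map(function (l) { return { path: l.uri, as: l.params.as || '' }; });
}

// Constructed sample header: the two entries from the slide plus three that
// should NOT be pushed (nopush, cross-origin, and a non-preload relation).
const SAMPLE_LINK =
  '</style.css>; as=style; rel=preload, ' +
  '</favicon.ico>; as=image; rel=preload, ' +
  '</app.js>; as=script; rel=preload; nopush, ' +
  '<https://cdn.example.com/lib.js>; as=script; rel=preload, ' +
  '</next.html>; rel=prefetch';

console.log(pushCandidates(SAMPLE_LINK));
```

Run it with node; only /style.css and /favicon.ico survive the filter, which is the behaviour you want to confirm before letting an upstream application drive what the edge pushes.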
HTTP/2 Server Push Verification
• Chrome Developer Tools: The Initiator column on the Network tab indicates several resources were
pushed to the client as part of a request for /demo.html.
More Information
• NGINX: gRPC and HTTP/2 Server Push (webinar)
• https://www.nginx.com/webinars/nginx-http2-server-push-grpc-emea/
• Introducing HTTP/2 Server Push with NGINX 1.13.9 (blog)
• https://www.nginx.com/blog/nginx-1-13-9-http2-server-push/
• Introducing gRPC Support with NGINX 1.13.10 (blog)
• https://www.nginx.com/blog/nginx-1-13-10-grpc/
NGINX Plus Clustering
Clustering Release History
• NGINX Plus R1
• High Availability based on
keepalived package
• NGINX Plus R12
• Configuration synchronization
using nginx-sync package.
Configure only one master server.
• NGINX Plus R15
• State sharing for sticky learn
session persistence
NGINX Plus Clustering
stream {
    resolver 10.0.0.53 valid=20s;
    server {
        listen 9000;
        zone_sync;
        zone_sync_server nginx1.example.com:9000 resolve;
    }
}
Shared memory zones are identified in NGINX
Plus with the zone directive (example on next
slide) for data to be shared between worker
processes on the same server. The new zone_sync
functionality extends this memory to be shared
across different servers.
• zone_sync -- Enables synchronization of
shared memory zones in a cluster.
• zone_sync_server -- Identifies the other
NGINX Plus instances in the cluster. You
add a separate zone_sync_server entry for
each server in the cluster.
• Add this stream{} block to the main nginx.conf on each server
NGINX Plus Clustering
upstream my_backend {
    zone my_backend 64k;
    server backends.example.com resolve;
    sticky learn zone=sessions:1m
                 create=$upstream_cookie_session
                 lookup=$cookie_session
                 sync;
}
server {
    listen 80;
    location / {
        proxy_pass http://my_backend;
    }
}
• zone – Identifies the shared memory zone.
This configuration is unchanged from
before.
• sync – Enables cluster-wide state sharing
NGINX Plus Clustering (Advanced)
stream {
    resolver 10.0.0.53 valid=20s;
    server {
        listen 10.0.0.1:9000 ssl;
        ssl_certificate_key /etc/ssl/key.pem;
        ssl_certificate /etc/ssl/cert.pem;
        allow 10.0.0.0/24; # Only accept internal conns
        deny all;
        zone_sync;
        zone_sync_server nginx1.example.com:9000 resolve;
        zone_sync_ssl_verify on; # Peers must connect with client cert
        zone_sync_ssl_trusted_certificate /etc/ssl/ca_chain.pem;
        zone_sync_ssl_verify_depth 2;
        zone_sync_ssl on; # Connect to peers with TLS, offer client cert
        zone_sync_ssl_certificate /etc/ssl/nginx1.example.com.client_cert.pem;
        zone_sync_ssl_certificate_key /etc/ssl/nginx1.example.com.key.pem;
    }
}
Enabling encrypted, mutually authenticated communication between
cluster members.
• zone_sync_ssl_verify – When enabled, mandates that
peers present a client cert.
• zone_sync_ssl_trusted_certificate
– Specifies the trusted CA chain used to verify
client certs
• zone_sync_ssl – Tells this server to connect
to peers over TLS and present its client cert
• zone_sync_ssl_certificate – Certificate
(public part) used as the client cert
• zone_sync_ssl_certificate_key –
Private key for the client cert
Clustering demo
• Edge load balancing is random
• Backends are stateful, issue
cookies
• Client refresh must reach the
same backend
• 36 routes!
[Diagram: Edge L/B in front of four NGINX instances (gurston, shesley, harewood, prescott), each able to reach backends 1001, 2002, 3003, 4004, 5005, …, 9009]
NGINX JavaScript module
JavaScript Release History
• NGINX Plus R10 – Initial release
• NGINX Plus R11 – Added support for stream
module (TCP/UDP)
• NGINX Plus R12 – Add ECMAScript 6 math
methods, production-ready
• NGINX Plus R14 – JSON object support
• NGINX Plus R15
• Sub requests – Issue new HTTP requests
asynchronously from the client request
• Crypto library – Hash functions and HMAC
with SHA and MD5; Base64 and hex encoding
Getting Started
Debian/Ubuntu:
$ sudo apt-get update
$ sudo apt-get install nginx-plus-module-njs
Centos/RedHat:
$ sudo yum update
$ sudo yum install nginx-plus-module-njs
In top-level ("main") context of the nginx.conf add:
load_module modules/ngx_http_js_module.so;
load_module modules/ngx_stream_js_module.so;
Restart NGINX Plus:
$ sudo nginx -t && sudo nginx -s reload
• Install the module from our repository for
your choice of OS
• Top-level means outside of any http{} or
stream{} blocks
• After reload you can start using the NGINX
JavaScript module
Sub Requests
function sendFastest(req, res) {
    var n = 0;
    function done(reply) { // Callback for subrequests: first reply wins
        if (n++ === 0) {
            req.log("WINNER is " + reply.uri);
            res.return(reply.status, reply.body);
        }
    }
    req.subrequest("/server_one", req.variables.args, done);
    req.subrequest("/server_two", req.variables.args, done);
}
• req.subrequest – Initiates
asynchronous subrequest with callback
function done() in this example.
• js_content – Calls JavaScript function
to provide response.
js_include fastest_wins.js;
server {
    listen 80;
    location / {
        js_content sendFastest;
    }
    location /server_one {
        proxy_pass http://10.0.0.1$request_uri; # Pass URI
    }
    location /server_two {
        proxy_pass http://10.0.0.2$request_uri;
    }
}
Hash Functions
function signCookie(req, res) {
    var setCookie = res.headers["set-cookie"];
    if (setCookie && setCookie.length) {
        // Response includes a new cookie: sign its name=value pair
        var cookie_data = setCookie.split(";");
        var c = require('crypto');
        // An HMAC needs a key; replace this placeholder with your own secret
        var h = c.createHmac('sha256', 'replace-with-secret-key')
                 .update(cookie_data[0] + req.remoteAddress);
        return "signature=" + h.digest('hex');
    }
    return "";
}
• c.createHmac – Calls crypto library to
provide HMAC of specified data.
• js_set – Sets variable to return value
from JavaScript function
Supported crypto library functions:
• Hash functions: MD5, SHA-1, SHA-256
• HMAC using: MD5, SHA-1, SHA-256
• Digest formats: Base64, Base64URL, hex
js_include cookie_signing.js;
js_set $signed_cookie signCookie;
server {
    listen 80;
    location / {
        proxy_pass http://my_backend;
        add_header Set-Cookie $signed_cookie;
    }
}
“OpenID Connect is the missing piece that carries identity
information in OAuth 2.0 access tokens.”
– NGINX blog
NGINX Plus JWT Authentication
JWT Release History
• NGINX Plus R10 – Standards compliant JWT
• NGINX Plus R12 – Custom claims
• NGINX Plus R14 – Nested claims and arrays
• NGINX Plus R15
• OpenID Connect 1.0
• Integrate with IdP vendors/products
“Using OpenID Connect with
NGINX Plus enabled us to
quickly and easily integrate
with our identity provider and,
at the same time, simplify our
application architecture.”
- Scott Macleod, Software Engineer,
NHS Digital
OpenID Connect Authorization Flow
How to use it
Clone GitHub repo:
$ git clone https://github.com/nginxinc/nginx-openid-connect
Copy files to /etc/nginx/conf.d:
$ cp nginx-openid-connect/* /etc/nginx/conf.d
Configure for your environment (to be covered in demo):
1. Configure IdP
2. Put IdP configuration into frontend.conf
Restart NGINX Plus:
$ sudo nginx -t && sudo nginx -s reload
https://github.com/nginxinc/nginx-openid-connect
• Requires NGINX JavaScript module
• Our GitHub repo contains 3 important files:
• frontend.conf – Reverse proxy
configuration and where the IdP is configured.
• openid_connect.server_conf – NGINX
configuration for handling the various stages
of OpenID Connect authorization code flow.
Should not require any changes.
• openid_connect.js – JavaScript code for
performing the authorization code exchange,
nonce hashing and token validation. Should
not require any changes.
Additional New Features
• $ssl_preread_alpn_protocols – Comma-separated list of client protocols advertised
through ALPN (NGINX Open Source 1.13.10).
• $upstream_queue_time – Captures the amount of time a request spends in the queue
when using upstream queueing. Can be written to the access log to monitor performance (NGINX
Open Source 1.13.9).
• log_format escape=none – Disables escaping in the NGINX Plus access log, in addition
to the previous support for JSON and default escaping (NGINX Open Source 1.13.10).
• Transparent Proxying without root – Worker processes can now inherit
the CAP_NET_RAW Linux capability from the master process, so that NGINX Plus no longer
requires special privileges for transparent proxying.
• New Cookie-Flag module – Third-party module for setting cookie flags is now available
in our dynamic modules repository
Summary
• HTTP/2 server push -- Use http2_push to have NGINX push resources or
use http2_push_preload on; to have NGINX use the Link: header
• gRPC proxying -- Use grpc_pass like proxy_pass, fastcgi_pass, etc.
to proxy gRPC connections
• State sharing -- Sticky learn session persistence now works across a
cluster with new zone_sync feature
• NGINX JavaScript module -- New support for sub requests and crypto
hash functions
• OpenID Connect SSO -- New integrations with IdPs such as CA SSO,
Okta, OneLogin, etc.
Q & A
Try NGINX Plus free for 30 days: nginx.com/free-trial-request
What’s New in NGINX Plus R15? - EMEA