Recommended
More Related Content
What's hot
What's hot (20)
Similar to What’s New in NGINX Plus R16? – EMEA
Similar to What’s New in NGINX Plus R16? – EMEA (20)
More from NGINX, Inc.
More from NGINX, Inc. (20)
Recently uploaded
Recently uploaded (13)
What’s New in NGINX Plus R16? – EMEA
- 1. What’s New in NGINX Plus R16?
- 2. What is NGINX? Internet Web Server Serve content from disk Reverse Proxy FastCGI, uWSGI, gRPC… Load Balancer Caching, SSL termination… HTTP traffic - Basic load balancer - Content Cache - Web Server - Reverse Proxy - SSL termination - Rate limiting - Basic authentication - 7 metrics NGINX Open Source NGINX Plus + Advanced load balancer + Health checks + Session persistence + Least time alg + Cache purging + HA/Clustering + JWT Authentication + OpenID Connect SSO + NGINX Plus API + Dynamic modules + 90+ metrics
- 3. Previously on… • gRPC support • HTTP/2 Server Push • NGINX JavaScript sub requests • Clustering support for Sticky Learn * • OpenID Connect Authorization Code Workflow for SSO * • Watch on demand: nginx.com/webinars/whats-new-nginx- plus-r15/ * NGINX Plus Exclusive 3
- 4. Agenda • NGINX Plus R16 overview • New Features in detail • Summary
- 5. NGINX Plus R16 Overview Many customers run in NGINX Plus in multi-node clusters. NGINX Plus R16 adds new clustering features: • Global rate limiting – Rate Limiting is now cluster-aware. Specify global rate limits enforced by all nodes in cluster. • Cluster-aware key-value store – Key-value pairs are synced across the cluster. New timeout value. New DDoS mitigation use case. • Random with Two Choices – New algorithm. Select two backend servers at random, send request to one with lowest load. 5
- 6. NGINX Plus R16 Overview Additional features in NGINX Plus R16 include: • Enhanced UDP load balancing – Support for multiple UDP packets from client as part of same session. Support for more complex UDP protocols: OpenVPN, VoIP, VDI, DTLS. • PROXY Protocol v2– Support for the PROXY protocol v2 (PPv2) header, ability to inspect custom type-length-value (TLV) values. AWS PrivateLink support. • New dynamic module, NGINX JavaScript updates, and more 6
- 7. Agenda • NGINX Plus R16 overview • New Features in detail • Summary
- 8. NGINX Plus Clustering Review • NGINX Plus R1 (2013) – Support for HA using keepalived • NGINX Plus R12 (2017) – Configuration synchronization • NGINX Plus R15 (2018) – State sharing for Sticky Learn session persistence • NGINX Plus R16 (2018) – State sharing for Rate Limiting and Key-Value Store • All HA/clustering features exclusive to NGINX Plus 8
- 9. NGINX Plus State Sharing stream { resolver 10.0.0.53 valid=20s; server { listen 1.2.3.4:9000; zone_sync; zone_sync_server nginx1.example.com:9000 resolve; } } Shared memory zones are identified in NGINX Plus with the zone keyword (example on next slide) for data to be shared between processes on the same server. The new zone_sync functionality extends this memory to be shared across different servers. • zone_sync -- Enables synchronization of shared memory zones in a cluster. • zone_sync_server -- Identifies the other NGINX Plus instances in the cluster. You create a separate zone_sync_server for each server in the cluster. • Add into main nginx.conf for each server in the cluster
- 10. Global Rate Limiting limit_req_zone $binary_remote_addr zone=global:1M rate=40r/s sync; server { listen 80; server_name www.example.com; location / { limit_req zone=global; proxy_set_header Host $host; proxy_pass http://my_server; } } • Rate limiting is to control the amount of requests sent to backend servers. The limit can be applied per IP Address, or other parts of the request. • Add the sync parameter at the end of rate limit definition (limit_req_zone) • The shared memory zone (global) that holds the current per ip rate are synced across all nodes in the cluster • All nodes will collectively enforce the rate limit, 40 requests/second in this example
- 11. Cluster-Aware Key-Value Store keyval_zone zone=blacklist:1M timeout=600 sync; keyval $remote_addr $target zone=blacklist; server { listen 80; server_name www.example.com; if ($target) { return 403; } location / { proxy_set_header Host $host; proxy_pass http://my_server; } location /api { api write=on; } } • Add the sync parameter at the end of key-value store definition (keyval_zone) • The timeout parameter specfies how long key- value pairs are valid, in seconds. The timeout is required if syncing the key-value store. • In this example we are creating a dynamic IP blacklist. Any IP addresses in the key-value store are blocked. • curl -X POST -d '{"192.0.2.26": "1"}' http://www.example.com/api/3/http/keyval s/blacklist • Access to /api should be restricted using IP access controls (allow, deny)
- 12. Check out the videos! 12 https://www.nginx.com/nginxconf/2018/#livestream Keynote 2: NGINX and NGINX Plus Update and Demo
- 13. Random with Two Choices upstream my_backend { server server1.example.com; server server2.example.com; server server3.example.com; random two least_time=last_byte; } server { listen 80; location / { proxy_set_header Host $host; proxy_pass http://my_backend; } } • Pick two servers at random, send request to the one with the quickest response time. • Suitable for clusters with multiple active NGINX Plus servers • Due to workload variance, regular least_time not always accurate • Can alternatively use least_conn instead of least_time • Can also specify just random for pure random load balancing • The least_time parameter and response time metrics are NGINX Plus exclusive
- 14. Enhanced UDP Load Balancing stream { server { listen 1195 udp; proxy_pass 127.0.0.1:1194; } } • NGINX Plus R9 first introduced UDP load balancing but was limited to one packet per client. Only simple protocols such as DNS and RADIUS were supported. • NGINX Plus R16 UDP load balancing can handle multiple packets from a client. More complex UDP protocols such as OpenVPN, VOIP, VDI are now supported. • UDP load balancing is configured in a stream block by adding the udp parameter to the listen directive. • The example to the left is a suitable configuration for OpenVPN.
- 15. PROXY Protocol v2 (PPv2) server { listen 80 proxy_protocol; location /app/ { proxy_pass http://backend1; proxy_set_header Host $host; proxy_set_header X-Real-IP $proxy_protocol_addr; proxy_set_header X-Forwarded-For $proxy_protocol_addr; } } • PROXY Protocol is used to obtain original client IP/Port when multiple load balancers and proxies are chained. • PROXY Protocol v2 moves from text to binary header • Add proxy_protocol as parameter to listen • $proxy_protocol_addr, $proxy_protocol_port are populated with original client IP/Port • Supported for HTTP and Stream • Can also add PROXY Protocol header using proxy_protocol directive. (Stream only) stream { server { listen 12345; proxy_pass example.com:12345; proxy_protocol on; } }
- 16. AWS PrivateLink Support server { listen 80 proxy_protocol; location /app/ { proxy_pass http://backend1; proxy_set_header Host $host; proxy_set_header X-Cluster-VPC $proxy_protocol_tlv_0xEA; } } • AWS PrivateLink is for secure VPC to VPC communication without going over public internet or using VPNs. • The Provider VPC (server-side) has an NLB that adds PROXY Protocol header with custom field that holds client VPC Endpoint ID. • NGINX Plus reads this value into variable named $proxy_protocol_tlv_0xEA • Variable can be passed to application server, logged, used as rate limiting key, etc. • Exclusive to NGINX Plus log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" "$proxy_protocol_tlv_0xEA"';
- 17. 17 • OpenID opaque session tokens -- Actual JWT not sent to client, random string instead. • Support for SSL/clear traffic on same port – New variable $ssl_preread_protocol allows you to distinguish between the two. • New Encrypted Session Dynamic Module -- Provides encryption and decryption support for NGINX variables based on AES-256 with MAC • NGINX JavaScript enhancements -- Simplified request/response handling, new support for: bytesFrom(), padStart(), padEnd(), getrandom(), getentropy(), and binary literals Miscellaneous New Features
- 18. Changes in Behavior • upstream_conf and extended status APIs now removed, replaced by NGINX Plus API. See transition guide on our blog: • nginx.com/blog/transitioning-to-nginx-plus-api-configuration-monitoring • NGINX Plus is no longer supported on Ubuntu 17.10 (Artful), FreeBSD 10.3, or FreeBSD 11.0. • Ubuntu 14.04, 16.04, and 18.04 • FreeBSD 10.4+, 11.1+ • New Relic plugin open sourced and available on GitHub, but no longer supported • github.com/nginxinc/new-relic-agent
- 19. Agenda • NGINX Plus R16 overview • New Features in detail • Summary
- 20. Summary • NGINX Plus R16 has new clustering features for active/active deployments • Rate limiting is cluster-aware, enabling you to configure global rate limits • Key-value store is cluster-aware, key-value pairs are synced to all cluster nodes • New Random with Two Choices algorithm recommended for all clustered deployments with variable workloads • Enhanced UDP Load Balancing support multiple packets from a client and more complex protocols such as OpenVPN • Proxy Protocol v2 (PPv2) is now supported, along with AWS PrivateLink
- 21. Download our Free Ebook 21 • How NGINX fits as a complement or replacement for existing API gateway and API management approaches • How to take an existing NGINX Open Source or NGINX Plus configuration and extend it to also manage API traffic • How to create a range of safeguards that can be applied to protect and secure backend API services in production • How to deploy NGINX Plus as an API gateway for gRPC services Download now: nginx.com/resources/library/ nginx-api-gateway-deployment/
- 22. Q & ATry NGINX Plus and NGINX WAF free for 30 days: nginx.com/free-trial-request