NGINX Basics: Ask Me Anything – EMEA
Transcript of NGINX Basics: Ask Me Anything – EMEA
NGINX:
Ask Me Anything
Who Are We?
Owen Garrett
Product Management
NGINX, Inc.
Liam Crilly
Product Management
NGINX, Inc.
MORE INFORMATION AT NGINX.COM
NGINX Open Source project published October 2004
NGINX, Inc. founded in 2011
NGINX Plus released in 2013
Offices in San Francisco, Cork Ireland, Cambridge UK, Moscow and Singapore
300m+ websites
1,200+ commercial customers (Nov. 2017)
170+ employees across engineering, support, sales and marketing (Nov. 2017)
“… when I started NGINX, I focused on a very specific problem – how to handle more customers per a single server.”
- Igor Sysoev, NGINX creator and founder
Our Products
NGINX Plus
The only all-in-one load balancer, web server, application firewall and content cache.
Simplify your architecture while reducing costs.
NGINX Controller
Centralized monitoring and management for NGINX Plus. Deploy and automate virtual load balancers with a beautiful interface and API.
NGINX Unit
The new, open source application server from NGINX, Inc. Lightweight, with multi-language support and an API-driven configuration.
NGINX
Industry-defining, open source webserver, reverse proxy and web accelerator
NGINX Amplify
NGINX Monitoring Made Easy: out-of-the-box graphs for NGINX and OS metrics, static analyzer and automated alerts
Q & A
Try NGINX Plus free for 30 days: nginx.com/free-trial-request
NGINX Installation Options
• Official NGINX repo
    • Mainline (recommended) -- Actively developed; new minor releases made every 4-6 weeks with new features and enhancements.
    • Stable -- Updated only when critical issues or security vulnerabilities need to be fixed.
• OS vendor and other 3rd party repos
    • Not as frequently updated; e.g. Debian Jessie (8.9) has NGINX 1.6.2
    • Typically built off NGINX Stable branch, sometimes with 3rd party mods
• Third-Party (dynamic) Modules
    • Compile yourself against the equivalent NGINX OSS source
    • Get from a module-enabled repo
Open Source Release process
http://nginx.org/en/CHANGES
NGINX Plus release process
Why NGINX Plus?
[Diagram labels: Network Firewall, Load Balancer, Web Application Firewall, Authentication Gateway, Load Balancer, Application, Cache]
NGINX Plus with:
• ModSecurity Web Application Firewall
• OAuth2 and JWT validation
• Third-party Certified Authentication Modules
ModSecurity and the NGINX Plus WAF
https://github.com/SpiderLabs/ModSecurity-nginx
Sophisticated web application firewall:
• Layer 7 attack protection
• DDoS mitigation
• IP reputation
• Standard PCRE regex rules language
• Audit logs
• PCI-DSS 6.6 compliance
• Built on ModSecurity
Ingress Controller for NGINX and NGINX Plus
[Diagram labels: K8s API Server, Ingress Controller]
https://github.com/nginxinc/kubernetes-ingress
nginMesh – Istio-compatible Service Mesh
https://github.com/nginmesh
Amplify is NGINX Monitoring, made easy.
• Get out-of-the-box graphs for NGINX and OS metrics.
• Easily compare NGINX, system, and application performance.
• Use static analyzer to improve NGINX configuration.
• Measure application SLAs and stay alert with automated notifications.
Introducing NGINX Unit
The new, open source App Server platform from NGINX
• Multi-language and version support on the same server instance:
    • PHP
    • Python
    • Go
• REST API and JSON configuration for dynamic, automated deployments
• Native Load Balancer for building service meshes
Introducing NGINX Controller
Policy Control and Workflow Automation for Dynamic Applications in Multi-Cloud
Use Cases:
• Workflow and Policy Management
• Multi-Cloud Application Deployments
• Multi-Tenant with Role-Based Access (RBAC)
• Monitoring and Rapid Troubleshooting
• Compliance and Audit Trails
Key Files and Directories
• /etc/nginx/ -- Where all NGINX configuration is stored
• /etc/nginx/nginx.conf -- Top-level NGINX configuration, should not require much modification
• /etc/nginx/conf.d/*.conf -- Where your configuration for virtual servers and upstreams goes, e.g. www.example.com.conf
• /var/log/nginx/access.log -- Details about requests and responses
• /var/log/nginx/error.log -- Details about NGINX errors
NGINX Market Share – Key stats – Nov. 2017
[Chart: Market Share of major webservers - Top 10,000 sites; y-axis 0% to 70%; x-axis 03/2012 to 09/2017; series: Apache, Microsoft IIS, NGINX]
W3techs:
• 62.5% of 10k busiest sites
• Market leader for 1m busiest sites
NetCraft:
• 333m sites
• 1.5m public IPs hosting NGINX
SumoLogic:
• 58% of the webservers on AWS are NGINX
DigitalOcean Stream:
• 65% of the webservers on DigitalOcean are NGINX
Dockerhub:
• NGINX is the most widely pulled and starred container image from the DockerHub repository
From: https://w3techs.com/technologies/cross/web_server/ranking
Complexities of SSL
SSL to client
• Enable SSL to client:
    listen 443 ssl;
• Define the protocols (optional):
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
• Authenticate NGINX with server cert (necessary):
    ssl_certificate file;
    ssl_certificate_key file;
• Authenticate the remote client’s cert (optional):
    ssl_verify_client on;
    ssl_client_certificate file;
SSL to upstream
• Enable SSL to upstream:
    proxy_pass https://upstream/;
• Define the protocols (optional):
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;
• Authenticate the upstream server’s cert (optional):
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate file;
• Authenticate NGINX with client cert (optional):
    proxy_ssl_certificate file;
    proxy_ssl_certificate_key file;
[Diagram labels: SSL to client, SSL to upstream; Remote client’s certificate, NGINX’s server certificate, NGINX’s client certificate, Upstream server’s certificate]
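Added example, not from the slides: a small Python check over a constructed configuration that flags what the directive list above leaves to the operator, namely TLS 1.0/1.1 still enabled in ssl_protocols or proxy_ssl_protocols, and an https:// upstream whose certificate is never checked because proxy_ssl_verify defaults to off. The sample config, its file paths and the function names are assumptions for illustration.

```python
import re

# Constructed sample (not from the slides): TLS on both legs, upstream unverified.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    location / {
        proxy_pass https://upstream/;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
"""

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996

def directives(conf):
    """Yield (name, args) per directive; naive split that ignores quoting."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for stmt in re.split(r"[;{}]", conf):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return findings for the whole file (server/location scoping is ignored)."""
    seen = {}
    for name, args in directives(conf):
        seen.setdefault(name, []).append(args)
    findings = []
    for key in ("ssl_protocols", "proxy_ssl_protocols"):
        for args in seen.get(key, []):
            old = sorted(LEGACY.intersection(args))
            if old:
                findings.append(f"{key}: legacy protocols enabled: {' '.join(old)}")
    to_https = any(a and a[0].startswith("https://") for a in seen.get("proxy_pass", []))
    verify_on = ["on"] in seen.get("proxy_ssl_verify", [])
    if to_https and not verify_on:  # nginx default is proxy_ssl_verify off
        findings.append("proxy_pass https:// without proxy_ssl_verify on")
    if verify_on and "proxy_ssl_trusted_certificate" not in seen:
        findings.append("proxy_ssl_verify on without proxy_ssl_trusted_certificate")
    if ["on"] in seen.get("ssl_verify_client", []) and "ssl_client_certificate" not in seen:
        findings.append("ssl_verify_client on without ssl_client_certificate")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Because the check ignores server and location scoping, a finding means the directive is missing or weak somewhere in the file, not necessarily in every virtual server.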
OpenSSL Dependencies
OS Distribution | OpenSSL version | High-Speed RSA and ECC | HTTP/2 Support
CentOS/Oracle Linux/RHEL 6.5+, 7.0–7.3 | 1.0.1e | - | NPN
CentOS/Oracle Linux/RHEL 7.4+ | 1.0.2k | Yes | ALPN & NPN
Debian 7.0 | 1.0.1e | - | NPN
Debian 8.0 | 1.0.1k | - | NPN
Debian 9.0 | 1.1.0f | Yes | ALPN & NPN
Ubuntu 12.04 LTS | 1.0.1 | - | NPN
Ubuntu 14.04 LTS | 1.0.1f | - | NPN
Ubuntu 16.04 LTS | 1.0.2g | Yes | ALPN & NPN
“With OpenSSL 1.0.1e, we were seeing ~7000 ECDHE/ECDSA handshake/s w/ 16 cores.
With OpenSSL 1.0.2g, we are now seeing ~38,000 handshake/s.”