NGINX for FUN& PERFORMANCE

PHILIPP KRENN @xeraa � ecosio

Vienna

ViennaDBPapers We Love Vienna

Electronic Data Interchange (EDI)

nginx

there's this russian server nginx. all the porn sites use it. it must be decent.

— Jonathan VanascoJV

JV http://www.destructuring.net/2006/10/09/nginx/

From Subversion to Git

UsersWORDPRESS.COM APP

SERVER + LOAD BALANCER

UsersSTATIC CONTENT GITHUB

UsersSSL TERMINATION WIKIPEDIA

http://w3techs.com/technologies/cross/web_server/ranking

http://news.netcraft.com/archives/2015/03/19/march-2015-web-server-survey.html

http://news.netcraft.com/archives/2015/03/19/march-2015-web-server-survey.html

Public launch in 2004 by IGOR SYSOEV

HTTPS://WWW.RAMBLER.RU

BSD LICENSEDCROSS-PLATFORM C

STABLE 1.6.2 (2014-09-16)PREVIEW 1.7.11 (2015-03-24)

SUPPORT FROM NGINX INC.

nginx is a lightweight event-driven reverse proxy for web and mail services.

— http://nginx.org

ApacheTHREAD / PROCESS-ORIENTED

SPAWN A PROCESS FOR EACH CONNECTION (1MB+ RAM)

APACHE 2.4 MULTI-PROCESS MODE REDUCES RAM USAGE

Problem200KB RESPONSE

MILLISECONDS TO GENERATE OR RETRIEVE10S TO TRANSMIT AT 160KBPS (20KB/S)

1000 CONNECTIONS !

it's time for web servers to handle ten thousand clients simultaneously

— Daniel Kegel

C10K challengeNGINX SOLUTION

EVENT-DRIVEN ARCHITECTURE

Event-drivenSINGLE NONBLOCKING THREAD

ONE PROCESS PER CORE — NODE.JS, REDIS,...

STABLE MEMORY USAGE, NO CONTEXT SWITCHES

Event-driven1. Receive request

2. Trigger events in a process3. Process handles events and returns output

http://en.wikipedia.org/wiki/Reactor_pattern

http://www.aosabook.org/en/nginx.html#fig.nginx.arch

!

EIERLEGENDE WOLLMILCHSAU

"EGG-LAYING WOOL-MILK-

SOW"

101Things nginx can do

000 SSL Termination

https://mozilla.github.io/server-side-tls/ssl-config-generator/

server { listen 443 ssl;

ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m;

# Better Perfect Forward Secrecy, generate: openssl dhparam 2048 ssl_dhparam /path/to/dhparam.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384: DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256: kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256: ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA: ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384: ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA: DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256: DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA: DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384: AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES: CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK: !aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on;

# HSTS: 15768000 seconds = 6 months add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling resolver 8.8.8.8 8.8.4.4; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

....}

!

USEhttps://mozilla.github.io/server-side-tls/ssl-config-generator/

https://www.ssllabs.com/ssltest/

001 Load Balancing

upstream backend_hosts { server host0.example.com; server host1.example.com; server 10.10.10.10;}

server { listen 80; server_name example.com;

location / { proxy_pass http://backend_hosts; }}

location / { proxy_set_header HOST $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_pass http://backend_hosts;}

UPSTREAM BALANCING ALGORITHMDEFAULT: ROUND ROBIN

least_connip_hashhash

MOAR FEATURESCOOKIE STICKINESS

WEIGHTING OF NODES...

010 Proxying

location / { proxy_pass http://localhost:8000;}

011 Dynamic Pages

location ~* \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php-fpm.sock; fastcgi_index index.php; include fastcgi.conf; fastcgi_read_timeout 120;}

100 A/B Testing

http { split_clients "${remote_addr}" $designtest { 10% ".first"; 10% ".second"; * ""; }

server { listen 80; server_name example.com; index index${designtest}.html; }}

101 Client-Side Caching

location ~* ^.+.(htm|html|jpg|jpeg|gif|png|ico|css| zip|tgz|gz|rar|bz2|doc|xls|exe|pdf| ppt|txt|tar|mid|midi|wav|bmp|rtf|js)$ { access_log off; expires max;}

!

Apache is like Microsoft Word, it has a million options but you only need six.

nginx does those six things, and it does five of them 50 times faster than

Apache.— Chris LeaCL

CL http://maisonbisson.com/post/12249/chris-lea-on-nginx-and-wordpress/

GREAT! BUT...

...IT DOESN'T WORK THE Apache WAY

FOR EXAMPLE .htaccess

FOR EVERY REQUEST, CHECK EVERY DIRECTORY, READ AND

PARSE EVERY FILEChanges effective immediately

http://example.com/assets/Uploads/gallery/image.jpg

DigitalOcean512MB RAM, 20GB SSD

UBUNTU 14.04 IN AMS2 + AMS3

ApacheBench$ sudo apt-get install apache2-utils

$ ab -n 25000 -c 10 http://example.com

25,000 REQUESTSCONCURRENCY 10, 50, 250, 1000

Vanilla installationsudo apt-get install apache2sudo apt-get install nginx

NO TWEAKS

BEWARE

Unstable

$ ab -n 25000 -c 10 http://188.226.151.84/codemotion_intro.png

...

Server Software: nginx/1.4.6Server Hostname: 188.226.151.84Server Port: 80

Document Path: /codemotion_intro.pngDocument Length: 2461 bytes

Concurrency Level: 10Time taken for tests: 7.734 secondsComplete requests: 25000Failed requests: 0Total transferred: 67575000 bytesHTML transferred: 61525000 bytesRequests per second: 3232.56 [#/sec] (mean)Time per request: 3.094 [ms] (mean)Time per request: 0.309 [ms] (mean, across all concurrent requests)Transfer rate: 8532.82 [Kbytes/sec] received

...

Benchmarking 178.62.213.21 (be patient)Completed 2500 requestsCompleted 5000 requestsCompleted 7500 requestsCompleted 10000 requestsCompleted 12500 requestsCompleted 15000 requestsCompleted 17500 requestsCompleted 20000 requestsCompleted 22500 requestsapr_socket_recv: Connection reset by peer (104)Total of 24847 requests completed

$ ab -n 25000 -c 10 http://188.226.151.84/assets/Uploads/gallery/codemotion_intro.png

Add PHPsudo apt-get install php5-fpmsudo apt-get install php5 libapache2-mod-php5

File<?php phpinfo();

ab -n 2500 -c 10 -l http://188.226.151.84/info.php

Concurrency Level: 10Time taken for tests: 4.920 secondsComplete requests: 2500Failed requests: 0Total transferred: 164667204 bytesHTML transferred: 164252204 bytesRequests per second: 508.18 [#/sec] (mean)Time per request: 19.678 [ms] (mean)Time per request: 1.968 [ms] (mean, across all concurrent requests)Transfer rate: 32687.80 [Kbytes/sec] received

BENCHMARK YOUR PROJECTSBUILD

BENCHMARKREPEAT

Say Apache one more time...

Questions?NOW OR @XERAA

HTTPS://SPEAKERDECK.COM/XERAA/

FeedbackHTTPS://JOIND.IN/14161HTTPS://JOIND.IN/EVENT/CODEMOTION-ROME-2015

IMAGE CREDITRome https://flic.kr/p/j9Lmu

Vienna https://flic.kr/p/4enYGHDatabase https://flic.kr/p/6QVfAK

Paper https://flic.kr/p/7Ahvn1Engine https://flic.kr/p/hD3SY4

X https://flic.kr/p/9vMs2Kiss https://flic.kr/p/z8Phh

Branches https://flic.kr/p/aDgLJx

Crowd https://flic.kr/p/Wd54ULaunch https://flic.kr/p/kjkJ5NLicense https://flic.kr/p/nxAfZ

Release https://flic.kr/p/4rDBEKLightweight https://flic.kr/p/6h98Li

Apache https://flic.kr/p/8m9Mf1Flow https://flic.kr/p/a5A3e1

Simultaneous https://flic.kr/p/easM1tSpeed https://flic.kr/p/afEu4oBlock https://flic.kr/p/8szrqe

Eierlegende Wollmilchsau https://flic.kr/p/GzQTT

Taipei https://flic.kr/p/4hi1jBTerminator https://flic.kr/p/6hDYBK

Load https://flic.kr/p/mhuXC5Balance https://flic.kr/p/bpeZXt

Huge https://flic.kr/p/p8tTGEBetween https://flic.kr/p/cXHXH3Dynamic https://flic.kr/p/qzpdr9

Two https://flic.kr/p/9JpzfzFixed https://flic.kr/p/21CsBVWord https://flic.kr/p/913FL2

Different https://flic.kr/p/aUwPzp

Access https://flic.kr/p/KA324Sad https://flic.kr/p/9g5Gg8

Ocean https://flic.kr/p/fQ3pxXBench https://flic.kr/p/kbpHr3Vanilla https://flic.kr/p/b4iChr

PHP https://flic.kr/p/4o1dFfTest https://flic.kr/p/adiTK3