Transcript
Page 1: NGINX Basics: Ask Me Anything – EMEA

NGINX:

Ask Me Anything

Page 2: NGINX Basics: Ask Me Anything – EMEA

Who Are We?

Owen Garrett

Product Management

NGINX, Inc.

Liam Crilly

Product Management

NGINX, Inc.

Page 3: NGINX Basics: Ask Me Anything – EMEA

MORE INFORMATION AT NGINX.COM

NGINX Open Source project published October 2004

NGINX, Inc. founded in 2011

NGINX Plus released in 2013

Offices in San Francisco, Cork Ireland, Cambridge UK, Moscow and Singapore

300m+ websites

1,200+ commercial customers (Nov. 2017)

170+ employees across engineering, support, sales and marketing (Nov. 2017)

Page 4: NGINX Basics: Ask Me Anything – EMEA

“… when I started NGINX, I focused on a very specific problem – how to handle more customers per a single server.”

- Igor Sysoev, NGINX creator and founder

Page 5: NGINX Basics: Ask Me Anything – EMEA

Our Products

NGINX Plus

The only all-in-one load balancer, web server, application firewall and content cache.

Simplify your architecture while reducing costs.

NGINX Controller

Centralized monitoring and management for NGINX Plus. Deploy and automate virtual load balancers with a beautiful interface and API.

NGINX Unit

The new, open source application server from NGINX, Inc. Lightweight, with multi-language support and an API-driven configuration.

NGINX

Industry-defining, open source webserver, reverse proxy and web accelerator

NGINX Amplify

NGINX Monitoring Made Easy: out-of-the-box graphs for NGINX and OS metrics, static analyzer and automated alerts

Page 6: NGINX Basics: Ask Me Anything – EMEA

Q & A

Try NGINX Plus free for 30 days: nginx.com/free-trial-request

Page 7: NGINX Basics: Ask Me Anything – EMEA
Page 8: NGINX Basics: Ask Me Anything – EMEA

NGINX Installation Options

• Official NGINX repo

  • Mainline (recommended) -- Actively developed; new minor releases made every 4-6 weeks with new features and enhancements.

  • Stable -- Updated only when critical issues or security vulnerabilities need to be fixed.

• OS vendor and other 3rd party repos

  • Not as frequently updated; e.g. Debian Jessie (8.9) has NGINX 1.6.2

  • Typically built off NGINX Stable branch, sometimes with 3rd party mods

• Third-Party (dynamic) Modules

  • Compile yourself against the equivalent NGINX OSS source

  • Get from a module-enabled repo

Page 9: NGINX Basics: Ask Me Anything – EMEA

Open Source Release process

http://nginx.org/en/CHANGES

Page 10: NGINX Basics: Ask Me Anything – EMEA

NGINX Plus release process

Page 11: NGINX Basics: Ask Me Anything – EMEA

Why NGINX Plus?

[Diagram labels: Network Firewall, Load Balancer, Web Application Firewall, Authentication Gateway, Cache, Load Balancer, Application]

NGINX Plus with:

• ModSecurity Web Application Firewall

• OAuth2 and JWT validation

• Third-party Certified Authentication Modules

Page 12: NGINX Basics: Ask Me Anything – EMEA

ModSecurity and the NGINX Plus WAF

https://github.com/SpiderLabs/ModSecurity-nginx

Sophisticated web application firewall:

• Layer 7 attack protection

• DDoS mitigation

• IP reputation

• Standard PCRE regex rules language

• Audit logs

• PCI-DSS 6.6 compliance

• Built on ModSecurity

Page 13: NGINX Basics: Ask Me Anything – EMEA

Ingress Controller for NGINX and NGINX Plus

[Diagram labels: K8s API Server, Ingress Controller]

https://github.com/nginxinc/kubernetes-ingress

Page 14: NGINX Basics: Ask Me Anything – EMEA

nginMesh – Istio-compatible Service Mesh

https://github.com/nginmesh

Page 15: NGINX Basics: Ask Me Anything – EMEA

Amplify is NGINX Monitoring, made easy.

• Get out-of-the-box graphs for NGINX and OS metrics.

• Easily compare NGINX, system, and application performance.

• Use static analyzer to improve NGINX configuration.

• Measure application SLAs and stay alert with automated notifications.

Page 16: NGINX Basics: Ask Me Anything – EMEA

Introducing NGINX Unit

The new, open source App Server platform from NGINX

• Multi-language and version support on the same server instance:

  • PHP

  • Python

  • Go

• REST API and JSON configuration for dynamic, automated deployments

• Native Load Balancer for building service meshes

Page 17: NGINX Basics: Ask Me Anything – EMEA

Introducing NGINX Controller

Policy Control and Workflow Automation for Dynamic Applications in Multi-Cloud

Use Cases:

• Workflow and Policy Management

• Multi-Cloud Application Deployments

• Multi-Tenant with Role-Based Access (RBAC)

• Monitoring and Rapid Troubleshooting

• Compliance and Audit Trails

Page 18: NGINX Basics: Ask Me Anything – EMEA

Key Files and Directories

• /etc/nginx/ -- Where all NGINX configuration is stored

• /etc/nginx/nginx.conf -- Top-level NGINX configuration, should not require much modification

• /etc/nginx/conf.d/*.conf -- Where your configuration for virtual servers and upstreams goes, e.g. www.example.com.conf

• /var/log/nginx/access.log -- Details about requests and responses

• /var/log/nginx/error.log -- Details about NGINX errors

Page 19: NGINX Basics: Ask Me Anything – EMEA

NGINX Market Share – Key stats – Nov. 2017

[Chart: Market Share of major webservers - Top 10,000 sites. Series: Apache, Microsoft IIS, NGINX. X-axis: 03/2012 to 09/2017. Y-axis: 0% to 70%.]

W3techs:

• 62.5% of 10k busiest sites

• Market leader for 1m busiest sites

NetCraft:

• 333m sites

• 1.5m public IPs hosting NGINX

SumoLogic:

• 58% of the webservers on AWS are NGINX

DigitalOcean Stream:

• 65% of the webservers on DigitalOcean are NGINX

Dockerhub:

• NGINX is the most widely pulled and starred container image from the DockerHub repository

From: https://w3techs.com/technologies/cross/web_server/ranking

Page 20: NGINX Basics: Ask Me Anything – EMEA

Complexities of SSL

SSL to client

Enable SSL to client:
    listen 443 ssl;

Define the protocols (optional):
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

Authenticate NGINX with server cert (necessary):
    ssl_certificate file;
    ssl_certificate_key file;

Authenticate the remote client’s cert (optional):
    ssl_verify_client on;
    ssl_client_certificate file;

SSL to upstream

Enable SSL to upstream:
    proxy_pass https://upstream/;

Define the protocols (optional):
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;

Authenticate the upstream server’s cert (optional):
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate file;

Authenticate NGINX with client cert (optional):
    proxy_ssl_certificate file;
    proxy_ssl_certificate_key file;

[Diagram labels: SSL to client (remote client’s certificate, NGINX’s server certificate); SSL to upstream (NGINX’s client certificate, upstream server’s certificate)]
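
An added example, not part of the original slides and not an NGINX tool: a small Python check that reads a configuration and reports, for the two legs on this slide, where TLS is switched on but a certificate is missing, unverified, or negotiated over a legacy protocol. The sample configuration, its file paths and the flat (non-nested) directive parsing are assumptions made for the illustration.

```python
import re

# Constructed sample config (not from the slides): TLS on both legs, but the
# upstream certificate is never verified and legacy protocols are allowed.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/nginx/ssl/www.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.example.com.key;
    location / {
        proxy_pass https://upstream/;
        proxy_ssl_certificate /etc/nginx/ssl/nginx-client.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/nginx-client.key;
    }
}
"""

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996; SSLv2/SSLv3 earlier.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf):
    """Flat map of directive name -> arguments (block nesting is ignored)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    pairs = re.findall(r"([a-z_0-9]+)\s+([^;{}]+);", conf)
    return {name: args.strip() for name, args in pairs}

def audit(conf):
    """Return findings for the client leg and the upstream leg."""
    d = directives(conf)
    findings = []
    if "ssl" in d.get("listen", "").split() and not (
            "ssl_certificate" in d and "ssl_certificate_key" in d):
        findings.append("client leg: server certificate/key missing")
    if d.get("proxy_pass", "").startswith("https://"):
        # proxy_ssl_verify defaults to off: the link is encrypted, not authenticated.
        if d.get("proxy_ssl_verify", "off") != "on":
            findings.append("upstream leg: upstream certificate not verified")
        elif "proxy_ssl_trusted_certificate" not in d:
            findings.append("upstream leg: proxy_ssl_verify on without a trusted CA file")
    for name in ("ssl_protocols", "proxy_ssl_protocols"):
        old = sorted(LEGACY & set(d.get(name, "").split()))
        if old:
            findings.append(f"{name}: legacy protocols enabled: {' '.join(old)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Presenting a client certificate to the upstream (`proxy_ssl_certificate`) does not make NGINX check the upstream's certificate; that requires `proxy_ssl_verify on` together with `proxy_ssl_trusted_certificate`.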

Page 21: NGINX Basics: Ask Me Anything – EMEA

OpenSSL Dependencies

| OS Distribution | OpenSSL version | High-Speed RSA and ECC | HTTP/2 Support |
|---|---|---|---|
| CentOS/Oracle Linux/RHEL 6.5+, 7.0–7.3 | 1.0.1e | | NPN |
| CentOS/Oracle Linux/RHEL 7.4+ | 1.0.2k | Yes | ALPN & NPN |
| Debian 7.0 | 1.0.1e | | NPN |
| Debian 8.0 | 1.0.1k | | NPN |
| Debian 9.0 | 1.1.0f | Yes | ALPN & NPN |
| Ubuntu 12.04 LTS | 1.0.1 | | NPN |
| Ubuntu 14.04 LTS | 1.0.1f | | NPN |
| Ubuntu 16.04 LTS | 1.0.2g | Yes | ALPN & NPN |

“With OpenSSL 1.0.1e, we were seeing ~7000 ECDHE/ECDSA handshake/s w/ 16 cores. With OpenSSL 1.0.2g, we are now seeing ~38,000 handshake/s.”