Nginx advanced configuration

From Training Material
Revision as of 17:31, 24 November 2014 by Cesar Chew (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
title
Nginx advanced configuration
author
Bernard Szlachta (NobleProg Ltd)

Overview ⌘

  • So far we have only configured virtual hosts
  • Less commonly, you may need to configure global server options
  • /etc/nginx/nginx.conf

nginx architecture: Master Process ⌘

  • Reads configurations
  • Handles sockets
  • Opens log files
  • Accepts signals (eg, to re-read configuration)

nginx architecture: Worker process ⌘

  • Single thread
  • Runs in an event loop
  • Handles incoming connections

Tuning worker processes ⌘

  • Rule of thumb: number of worker processes should be the same as number of cores
  • If much time is spent blocked on io (see vmstat), worker processes should be increased further

Worker connections ⌘

  • Number of concurrent connections available can be calculated:
worker_processes * max_connections = max clients
  • Default value is 1024; if necessary, typically can be raised with only positive effects. 4096 sensible

Logging ⌘

  • Logging can be set per vhost or globally
  • Log formats are defined in nginx.conf under http
log_format vhost '$host $remote_addr - $remote_user [$time_local]'
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';

Rate limiting/DoS mitigation ⌘

  • DoS - denial of service
  • Often takes the form of simply flooding the server with requests, hoping to saturate CPU resources and/or bandwidth
  • nginx has a number of features to mitigate such an attack

Limiting concurrent connections ⌘

  • nginx has a limit on the number of concurrent connections
  • We can prevent a single IP from tying up too many
  • NB - it is normal for a web browser to create up to 8 concurrent connections
  limit_zone   one  $binary_remote_addr  10m;
  server {
    location / {
      limit_conn   one  8;
    }
  }

Preventing repeated connections from the same IP ⌘

   limit_req_zone  $binary_remote_addr  zone=one:10m   rate=1r/s;
   server {
     location /search/ {
       limit_req zone=one burst=5
     }
   }
  • allows a user no more than 1 request per second on average, with bursts up to 5

Limiting bandwidth usage ⌘

  • By default, nginx will send as fast as it can
  • nginx has a range of options for tuning this

Limiting bandwidth usage - streaming ⌘

  • When streaming video/audio from a server, generally you want to give the client a reasonable buffer, then maintain this buffer
  • Can be achieved with an initial fast connection, then rate limiting after

Streaming bandwidth limit example ⌘

 location /streamfiles {
   limit_conn connections 1;
   limit_rate_after 16m;
   limit_rate 512k;
 }
  • Limit each user to a single connection to files under this path
  • Allow them to download the first 16MB at maximum speed
  • After that, limit to 512KB (kiloBYTES, not kilobits) per second

Media streaming ⌘

  • nginx has support for pseudo-streaming for mp4 and flv files
  • Client can seek to a specific location in the file
 location /flash-videos {
    flv;
  }
  location /mp4-videos {
    mp4;
  }