NGINX Cookbook: Advanced Recipes for High Performance Load Balancing (Derek DeJonghe)

Author: Derek DeJonghe

📄 Text Preview (First 20 pages)

📄 Page 1
Derek DeJonghe NGINX Cookbook Advanced Recipes for High Performance Load Balancing 2019 Update Compliments of
📄 Page 2
Try NGINX Plus and NGINX WAF free for 30 days
Download at nginx.com/freetrial

Get high‑performance application delivery for microservices. NGINX Plus is a software load balancer, web server, and content cache. The NGINX Web Application Firewall (WAF) protects applications against sophisticated Layer 7 attacks.

Cost Savings: Over 80% cost savings compared to hardware application delivery controllers and WAFs, with all the performance and features you expect.

NGINX WAF: A trial of the NGINX WAF, based on ModSecurity, is included when you download a trial of NGINX Plus.

Exclusive Features: JWT authentication, high availability, the NGINX Plus API, and other advanced functionality are only available in NGINX Plus.

Reduced Complexity: The only all-in-one load balancer, content cache, web server, and web application firewall helps reduce infrastructure sprawl.
📄 Page 3
Derek DeJonghe NGINX Cookbook Advanced Recipes for High Performance Load Balancing 2019 UPDATE Boston Farnham Sebastopol Tokyo Beijing
📄 Page 4
NGINX Cookbook by Derek DeJonghe

Copyright © 2019 O’Reilly Media Inc. All rights reserved. Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Development Editor: Virginia Wilson
Acquisitions Editor: Brian Anderson
Production Editor: Justin Billing
Copyeditor: Octal Publishing, LLC
Proofreader: Chris Edwards
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Rebecca Demarest

March 2017: First Edition

Revision History for the First Edition
2017-05-26: First Release
2018-11-21: Second Release

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. NGINX Cookbook, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

This work is part of a collaboration between O’Reilly and NGINX. See our statement of editorial independence.

978-1-491-96893-2 [LSI]
📄 Page 5
Table of Contents

Foreword
Preface

1. Basics
    1.0 Introduction
    1.1 Installing on Debian/Ubuntu
    1.2 Installing on RedHat/CentOS
    1.3 Installing NGINX Plus
    1.4 Verifying Your Installation
    1.5 Key Files, Commands, and Directories
    1.6 Serving Static Content
    1.7 Graceful Reload

2. High-Performance Load Balancing
    2.0 Introduction
    2.1 HTTP Load Balancing
    2.2 TCP Load Balancing
    2.3 UDP Load Balancing
    2.4 Load-Balancing Methods
    2.5 Sticky Cookie
    2.6 Sticky Learn
    2.7 Sticky Routing
    2.8 Connection Draining
    2.9 Passive Health Checks
    2.10 Active Health Checks
    2.11 Slow Start
📄 Page 6
    2.12 TCP Health Checks

3. Traffic Management
    3.0 Introduction
    3.1 A/B Testing
    3.2 Using the GeoIP Module and Database
    3.3 Restricting Access Based on Country
    3.4 Finding the Original Client
    3.5 Limiting Connections
    3.6 Limiting Rate
    3.7 Limiting Bandwidth

4. Massively Scalable Content Caching
    4.0 Introduction
    4.1 Caching Zones
    4.2 Caching Hash Keys
    4.3 Cache Bypass
    4.4 Cache Performance
    4.5 Purging
    4.6 Cache Slicing

5. Programmability and Automation
    5.0 Introduction
    5.1 NGINX Plus API
    5.2 Key-Value Store
    5.3 Installing with Puppet
    5.4 Installing with Chef
    5.5 Installing with Ansible
    5.6 Installing with SaltStack
    5.7 Automating Configurations with Consul Templating

6. Authentication
    6.0 Introduction
    6.1 HTTP Basic Authentication
    6.2 Authentication Subrequests
    6.3 Validating JWTs
    6.4 Creating JSON Web Keys
    6.5 Authenticate Users via Existing OpenID Connect SSO
    6.6 Obtaining the JSON Web Key from Google
📄 Page 7
7. Security Controls
    7.0 Introduction
    7.1 Access Based on IP Address
    7.2 Allowing Cross-Origin Resource Sharing
    7.3 Client-Side Encryption
    7.4 Upstream Encryption
    7.5 Securing a Location
    7.6 Generating a Secure Link with a Secret
    7.7 Securing a Location with an Expire Date
    7.8 Generating an Expiring Link
    7.9 HTTPS Redirects
    7.10 Redirecting to HTTPS where SSL/TLS Is Terminated Before NGINX
    7.11 HTTP Strict Transport Security
    7.12 Satisfying Any Number of Security Methods
    7.13 Dynamic DDoS Mitigation

8. HTTP/2
    8.0 Introduction
    8.1 Basic Configuration
    8.2 gRPC
    8.3 HTTP/2 Server Push

9. Sophisticated Media Streaming
    9.0 Introduction
    9.1 Serving MP4 and FLV
    9.2 Streaming with HLS
    9.3 Streaming with HDS
    9.4 Bandwidth Limits

10. Cloud Deployments
    10.0 Introduction
    10.1 Auto-Provisioning on AWS
    10.2 Routing to NGINX Nodes Without an AWS ELB
    10.3 The NLB Sandwich
    10.4 Deploying from the AWS Marketplace
    10.5 Creating an NGINX Virtual Machine Image on Azure
    10.6 Load Balancing Over NGINX Scale Sets on Azure
    10.7 Deploying Through the Azure Marketplace
    10.8 Deploying to Google Compute Engine
    10.9 Creating a Google Compute Image
📄 Page 8
    10.10 Creating a Google App Engine Proxy

11. Containers/Microservices
    11.0 Introduction
    11.1 DNS SRV Records
    11.2 Using the Official NGINX Image
    11.3 Creating an NGINX Dockerfile
    11.4 Building an NGINX Plus Image
    11.5 Using Environment Variables in NGINX
    11.6 Kubernetes Ingress Controller
    11.7 OpenShift Router

12. High-Availability Deployment Modes
    12.0 Introduction
    12.1 NGINX HA Mode
    12.2 Load-Balancing Load Balancers with DNS
    12.3 Load Balancing on EC2
    12.4 Configuration Synchronization
    12.5 State Sharing with Zone Sync

13. Advanced Activity Monitoring
    13.0 Introduction
    13.1 Enable NGINX Open Source Stub Status
    13.2 Enabling the NGINX Plus Monitoring Dashboard Provided by NGINX Plus
    13.3 Collecting Metrics Using the NGINX Plus API

14. Debugging and Troubleshooting with Access Logs, Error Logs, and Request Tracing
    14.0 Introduction
    14.1 Configuring Access Logs
    14.2 Configuring Error Logs
    14.3 Forwarding to Syslog
    14.4 Request Tracing

15. Performance Tuning
    15.0 Introduction
    15.1 Automating Tests with Load Drivers
    15.2 Keeping Connections Open to Clients
    15.3 Keeping Connections Open Upstream
    15.4 Buffering Responses
📄 Page 9
    15.5 Buffering Access Logs
    15.6 OS Tuning

16. Practical Ops Tips and Conclusion
    16.0 Introduction
    16.1 Using Includes for Clean Configs
    16.2 Debugging Configs
    16.3 Conclusion
📄 Page 11
Foreword

Welcome to the updated edition of the NGINX Cookbook. It has been nearly two years since O’Reilly published the original NGINX Cookbook. A lot has changed since then, but one thing hasn’t: every day more and more of the world’s websites choose to run on NGINX. Today there are 300 million, nearly double the number when the first cookbook was released.

There are a lot of reasons NGINX use is still growing 14 years after its initial release. It’s a Swiss Army knife: NGINX can be a web server, load balancer, content cache, and API gateway. But perhaps more importantly, it’s reliable.

The NGINX Cookbook shows you how to get the most out of NGINX Open Source and NGINX Plus. You will find over 150 pages of easy-to-follow recipes covering everything from how to properly install NGINX, to how to configure all the major features, to debugging and troubleshooting.

This updated version also covers new open source features like gRPC support, HTTP/2 server push, and the Random with Two Choices load-balancing algorithm for clustered environments as well as new NGINX Plus features like support for state sharing, a new NGINX Plus API, and a key-value store. Almost everything you need to know about NGINX is covered in these pages.

We hope you enjoy the NGINX Cookbook and that it contributes to your success in creating and deploying the applications we all rely on.

— Faisal Memon
Product Marketing Manager, NGINX, Inc.
📄 Page 13
Preface

The NGINX Cookbook aims to provide easy-to-follow examples to real-world problems in application delivery. Throughout this book you will explore the many features of NGINX and how to use them. This guide is fairly comprehensive, and touches most of the main capabilities of NGINX.

Throughout this book, there will be references to both the free and open source NGINX software, as well as the commercial product from NGINX, Inc., NGINX Plus. Features and directives that are only available as part of the paid subscription to NGINX Plus will be denoted as such. Because NGINX Plus is an application delivery controller and provides many advanced features, it’s important to highlight these features to gain a full view of the possibilities of the platform.

The book will begin by explaining the installation process of NGINX and NGINX Plus, as well as some basic getting started steps for readers new to NGINX. From there, the sections will progress to load balancing in all forms, accompanied by chapters about traffic management, caching, and automation. The authentication and security controls chapters cover a lot of ground but are important as NGINX is often the first point of entry for web traffic to your application, and the first line of application layer defense. There are a number of chapters that cover cutting edge topics such as HTTP/2, media streaming, cloud and container environments, wrapping up with more traditional operational topics such as monitoring, debugging, performance, and operational tips.
📄 Page 14
I personally use NGINX as a multitool, and believe this book will enable you to do the same. It’s software that I believe in and enjoy working with. I’m happy to share this knowledge with you, and hope that as you read through this book you relate the recipes to your real world scenarios and employ these solutions.
📄 Page 15
CHAPTER 1
Basics

1.0 Introduction

To get started with NGINX Open Source or NGINX Plus, you first need to install it on a system and learn some basics. In this chapter you will learn how to install NGINX, where the main configuration files are, and commands for administration. You will also learn how to verify your installation and make requests to the default server.

1.1 Installing on Debian/Ubuntu

Problem

You need to install NGINX Open Source on a Debian or Ubuntu machine.

Solution

Create a file named /etc/apt/sources.list.d/nginx.list that contains the following contents:

    deb http://nginx.org/packages/mainline/OS/ CODENAME nginx
    deb-src http://nginx.org/packages/mainline/OS/ CODENAME nginx

Alter the file, replacing OS at the end of the URL with ubuntu or debian, depending on your distribution. Replace CODENAME with the code name for your distribution; jessie or stretch for Debian, or
📄 Page 16
trusty, xenial, artful, or bionic for Ubuntu. Then, run the following commands:

    wget http://nginx.org/keys/nginx_signing.key
    apt-key add nginx_signing.key
    apt-get update
    apt-get install -y nginx
    /etc/init.d/nginx start

Discussion

The file you just created instructs the apt package management system to utilize the Official NGINX package repository. The commands that follow download the NGINX GPG package signing key and import it into apt. Providing apt the signing key enables the apt system to validate packages from the repository. The apt-get update command instructs the apt system to refresh its package listings from its known repositories. After the package list is refreshed, you can install NGINX Open Source from the Official NGINX repository. After you install it, the final command starts NGINX.

1.2 Installing on RedHat/CentOS

Problem

You need to install NGINX Open Source on RedHat or CentOS.

Solution

Create a file named /etc/yum.repos.d/nginx.repo that contains the following contents:

    [nginx]
    name=nginx repo
    baseurl=http://nginx.org/packages/mainline/OS/OSRELEASE/$basearch/
    gpgcheck=0
    enabled=1

Alter the file, replacing OS at the end of the URL with rhel or centos, depending on your distribution. Replace OSRELEASE with 6 or 7 for version 6.x or 7.x, respectively. Then, run the following commands:

    yum -y install nginx
    systemctl enable nginx
📄 Page 17
    systemctl start nginx
    firewall-cmd --permanent --zone=public --add-port=80/tcp
    firewall-cmd --reload

Discussion

The file you just created for this solution instructs the yum package management system to utilize the Official NGINX Open Source package repository. The commands that follow install NGINX Open Source from the Official repository, instruct systemd to enable NGINX at boot time, and tell it to start it now. The firewall commands open port 80 for the TCP protocol, which is the default port for HTTP. The last command reloads the firewall to commit the changes.

1.3 Installing NGINX Plus

Problem

You need to install NGINX Plus.

Solution

Visit http://cs.nginx.com/repo_setup. From the drop-down menu, select the OS you’re installing and then follow the instructions. The instructions are similar to the installation of the open source solutions; however, you need to install a certificate in order to authenticate to the NGINX Plus repository.

Discussion

NGINX keeps this repository installation guide up to date with instructions on installing NGINX Plus. Depending on your OS and version, these instructions vary slightly, but there is one commonality. You must log in to the NGINX portal to download a certificate and key to provide to your system that are used to authenticate to the NGINX Plus repository.
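The repository file in recipe 1.2 sets gpgcheck=0 and an http:// baseurl, so yum installs those packages without verifying their signatures. The script below is an added example, not code from the book: it audits a .repo file for both settings. The function names, the sample file contents, and the hardened variant (gpgcheck=1 with the signing key URL from recipe 1.1 fetched over HTTPS) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book). Sample .repo contents are constructed.

# audit_yum_repo FILE: print one "section: finding" line per problem.
# A section with no gpgcheck line inherits the [main] value from yum.conf,
# so only an explicit gpgcheck=0 is reported here.
audit_yum_repo() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report() {
        if (section == "") return
        if (gpgcheck == "0")
            print section ": gpgcheck=0, package signatures are not verified"
        if (baseurl ~ /^http:\/\//)
            print section ": baseurl is plain http"
    }
    /^[ \t]*[#;]/ { next }          # comment line
    /^[ \t]*$/    { next }          # blank line
    /^[ \t]*\[/ {                   # [section] header starts a new repo
        report()
        section = trim($0)
        section = substr(section, 2, index(section, "]") - 2)
        gpgcheck = baseurl = ""
        next
    }
    {                               # key=value line
        eq = index($0, "=")
        if (eq == 0) next
        key = trim(substr($0, 1, eq - 1))
        val = trim(substr($0, eq + 1))
        if (key == "gpgcheck") gpgcheck = val
        if (key == "baseurl") baseurl = val
    }
    END { report() }
    ' "$1"
}

# Constructed sample: the recipe 1.2 file with OS=centos, OSRELEASE=7.
write_recipe_repo() {
    cat > "$1" <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1
EOF
}

# Constructed hardened variant (an assumption, not the book's file).
write_hardened_repo() {
    cat > "$1" <<'EOF'
[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
EOF
}

demo_dir=$(mktemp -d)
write_recipe_repo "$demo_dir/recipe.repo"
write_hardened_repo "$demo_dir/hardened.repo"
audit_yum_repo "$demo_dir/recipe.repo"
audit_yum_repo "$demo_dir/hardened.repo"
rm -rf "$demo_dir"
```

Pointed at the files under /etc/yum.repos.d/, the same function shows which repositories on a host are installed from without signature checks.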
📄 Page 18
1.4 Verifying Your Installation

Problem

You want to validate the NGINX installation and check the version.

Solution

You can verify that NGINX is installed and check its version by using the following command:

    $ nginx -v
    nginx version: nginx/1.15.3

As this example shows, the response displays the version.

You can confirm that NGINX is running by using the following command:

    $ ps -ef | grep nginx
    root 1738 1 0 19:54 ? 00:00:00 nginx: master process
    nginx 1739 1738 0 19:54 ? 00:00:00 nginx: worker process

The ps command lists running processes. By piping it to grep, you can search for specific words in the output. This example uses grep to search for nginx. The result shows two running processes, a master and worker. If NGINX is running, you will always see a master and one or more worker processes. For instructions on starting NGINX, refer to the next section. To see how to start NGINX as a daemon, use the init.d or systemd methodologies.

To verify that NGINX is returning requests correctly, use your browser to make a request to your machine or use curl:

    $ curl localhost

You will see the NGINX Welcome default HTML site.

Discussion

The nginx command allows you to interact with the NGINX binary to check the version, list installed modules, test configurations, and send signals to the master process. NGINX must be running in order for it to serve requests. The ps command is a surefire way to determine whether NGINX is running either as a daemon or in the foreground. The default configuration provided with
📄 Page 19
NGINX runs a static site HTTP server on port 80. You can test this default site by making an HTTP request to the machine at localhost as well as the host’s IP and hostname.

1.5 Key Files, Commands, and Directories

Problem

You need to understand the important NGINX directories and commands.

Solution

NGINX files and directories

/etc/nginx/
    The /etc/nginx/ directory is the default configuration root for the NGINX server. Within this directory you will find configuration files that instruct NGINX on how to behave.

/etc/nginx/nginx.conf
    The /etc/nginx/nginx.conf file is the default configuration entry point used by the NGINX service. This configuration file sets up global settings for things like worker process, tuning, logging, loading dynamic modules, and references to other NGINX configuration files. In a default configuration, the /etc/nginx/nginx.conf file includes the top-level http block, which includes all configuration files in the directory described next.

/etc/nginx/conf.d/
    The /etc/nginx/conf.d/ directory contains the default HTTP server configuration file. Files in this directory ending in .conf are included in the top-level http block from within the /etc/nginx/nginx.conf file. It’s best practice to utilize include statements and organize your configuration in this way to keep your configuration files concise. In some package repositories, this folder is named sites-enabled, and configuration files are linked from a folder named sites-available; this convention is deprecated.
📄 Page 20
/var/log/nginx/
    The /var/log/nginx/ directory is the default log location for NGINX. Within this directory you will find an access.log file and an error.log file. The access log contains an entry for each request NGINX serves. The error log file contains error events and debug information if the debug module is enabled.

NGINX commands

nginx -h
    Shows the NGINX help menu.

nginx -v
    Shows the NGINX version.

nginx -V
    Shows the NGINX version, build information, and configuration arguments, which shows the modules built in to the NGINX binary.

nginx -t
    Tests the NGINX configuration.

nginx -T
    Tests the NGINX configuration and prints the validated configuration to the screen. This command is useful when seeking support.

nginx -s signal
    The -s flag sends a signal to the NGINX master process. You can send signals such as stop, quit, reload, and reopen. The stop signal discontinues the NGINX process immediately. The quit signal stops the NGINX process after it finishes processing inflight requests. The reload signal reloads the configuration. The reopen signal instructs NGINX to reopen log files.

Discussion

With an understanding of these key files, directories, and commands, you’re in a good position to start working with NGINX. With this knowledge, you can alter the default configuration files and test your changes by using the nginx -t command. If your test