How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
Signaler
NGINX, Inc.Suivre
8 Sep 2022•0 j'aime•32 vues
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
8 Sep 2022•0 j'aime•32 vues
Télécharger pour lire hors ligne
Signaler
Logiciels
test
NGINX, Inc.Suivre
Recommandé
Best Practices for Getting Started with NGINX Open SourceNGINX, Inc.
Load Balancing Applications with NGINX in a CoreOS ClusterKevin Jones
NGINX: Basics & Best Practices - EMEA BroadcastNGINX, Inc.
ITB2019 NGINX Overview and Technical Aspects - Kevin JonesOrtus Solutions, Corp
NGINX ADC: Basics and Best PracticesNGINX, Inc.
NGINX ADC: Basics and Best Practices – EMEANGINX, Inc.
Contenu connexe
Similaire à How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
NGINX 101 - now with more Dockersarahnovotny
NGiNX, VHOSTS & SSL (let's encrypt)Marcel Cattaneo
Managing and Monitoring Application PerformanceSebastian Marek
High Availability Content Caching with NGINXNGINX, Inc.
![[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis Overview](https://cdn.slidesharecdn.com/ss_thumbnails/deis1-141107133247-conversion-gate02-thumbnail.jpg?width=384&height=256&fit=bounds)
[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis OverviewLeo Lorieri
Zero Downtime Deployment with AnsibleStein Inge Morisbak
![[EXTENDED] Ceph, Docker, Heroku Slugs, CoreOS and Deis Overview](https://cdn.slidesharecdn.com/ss_thumbnails/deis1-141107133247-conversion-gate02-thumbnail.jpg?width=2048&height=1162&fit=bounds)
Plus de NGINX, Inc.
【NGINXセミナー】 Ingressを使ってマイクロサービスの運用を楽にする方法NGINX, Inc.
【NGINXセミナー】 NGINXのWAFとは?その使い方と設定方法 解説セミナーNGINX, Inc.
【NGINXセミナー】API ゲートウェイとしてのNGINX Plus活用方法NGINX, Inc.
Get Hands-On with NGINX and QUIC+HTTP/3NGINX, Inc.
Managing Kubernetes Cost and Performance with NGINX & KubecostNGINX, Inc.
Manage Microservices Chaos and Complexity with ObservabilityNGINX, Inc.
Dernier
Semantic Search_ NLP_ ML.pdfPlamenaDzharadat
Jens Happe - Write tests you love, not hate.pdfJens Happe
Migration process from monolithic to micro frontend architecture in mobile ap...ESUG
Alliance Expedition BattleSilver Caprice
BioSmalltalkESUG
La strada verso il successo con i database a grafo, la Graph Data Science e l...Neo4j
How to Avoid the Top 5 NGINX Configuration Mistakes.pptx
- 1. Avoiding Common NGINX Configuration Mistakes Robert Haynes, Timo Stark NGINX
- 2. ©2022 F5 2 1. Not setting enough file descriptors
- 3. ©2022 F5 3 File Descriptors? • Everything in UNIX/LINUX is a file (sort of) • Each process (e.g. an NGINX worker process) needs a file descriptor for: • Standard input and standard error • Every file that a process opens • Every network socket • Some system calls
- 4. ©2022 F5 4 Example lrwx------ 1 nginx nginx 64 Jul 11 16:55 0 -> /dev/null lrwx------ 1 nginx nginx 64 Jul 11 16:55 1 -> /dev/null lrwx------ 1 nginx nginx 64 Jul 11 16:55 10 -> 'anon_inode:[eventpoll]' lrwx------ 1 nginx nginx 64 Jul 11 16:55 11 -> 'anon_inode:[eventfd]' lrwx------ 1 nginx nginx 64 Jul 11 16:55 12 -> 'anon_inode:[eventfd]' l-wx------ 1 nginx nginx 64 Jul 11 16:55 2 -> /var/log/nginx/error.log l-wx------ 1 nginx nginx 64 Jul 11 16:55 3 -> /var/log/nginx/error.log l-wx------ 1 nginx nginx 64 Jul 11 16:55 4 -> /var/log/nginx/access.log lrwx------ 1 nginx nginx 64 Jul 11 16:55 6 -> 'socket:[52276]' lrwx------ 1 nginx nginx 64 Jul 11 16:55 7 -> 'socket:[7717086]' ls –l /proc/<NGINX worker process id>/fd Will increase with the number of connections
- 5. ©2022 F5 5 What happens if you run out? root@ip-10-0-1-4:/proc/6179/fdinfo# tail -f /var/log/nginx/error.log 2022/07/18 16:22:22 [alert] 1485851#1485851: *183 socket() failed (24: Too many open files) while connecting to upstream, client: 71.197.217.65, server: www.snarketing.net, request: "GET / HTTP/1.1", upstream: "http://10.0.1.199:8082/", host: "www.snarketing.net" .net" Application errors Error log entries
- 6. ©2022 F5 6 How many do you need? NGINX Worker Client Connection Upstream Servers Log Files Number of connections per worker is set by the worker_connections directive (default 512) but example configs are set at 1024. Each connection to an upstream server needs 1 file descriptor, plus some for response caching Writing to log files also require a file descriptor A good baseline is to set max file handles to 2 X worker_connections (OS default is usually 1024)
- 7. ©2022 F5 7 Increasing file descriptors Add the worker_rlimit_nofile directive to the main{} context user nginx; worker_processes 1024; worker_rlimit_nofile 2048; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid;
- 8. ©2022 F5 8 Demo Audience Participation Required!
- 9. ©2022 F5 9 2. Root Only inside Location Blocks
- 10. ©2022 F5 10 Document Roots and Location Blocks root <path>; location <url> { # do something } Sets the location to look for files to serve Defines some actions to take based on the url (regex/wildcard ok)
- 11. ©2022 F5 11 Our Directory Structure . └── html ├── 50x.html ├── dashboard.html ├── images │ ├── cat.jpg │ ├── credits.txt │ ├── ostrich.jpg │ └── potato.jpg ├── index.html ├── mammal │ └── cat │ └── index.html ├── nginx-modules-reference.pdf ├── ostrich │ └── index.html └── veg └── potato └── index.html
- 12. ©2022 F5 12 Our config file: server { listen 80 default_server; server_name www.snarketing.net; access_log /var/log/nginx/host.access.log main; location / { root /usr/share/nginx/html; index index.html index.htm; } location /cat { root /usr/share/nginx/html/mammal; } location /potato { root /usr/share/nginx/html/veg; } … }
- 13. ©2022 F5 13 Example location /cat { root /usr/share/nginx/html/mammal; } ├── mammal └── cat └── index.html Not Secure | http://www.snarketing.net/cat
- 14. ©2022 F5 14 What if? location /ostrich { proxy_set_header foo "test"; }
- 15. ©2022 F5 15 Solution server { listen 80 default_server; server_name www.snarketing.net; access_log /var/log/nginx/host.access.log main; location / { root /usr/share/nginx/html; index index.html index.htm; } location /cat { root /usr/share/nginx/html/mammal; } location /potato { root /usr/share/nginx/html/veg; } … root /usr/share/nginx/html;
- 16. ©2022 F5 16 Demo
- 17. ©2022 F5 17 3. Using ‘if’ in a location context
- 18. ©2022 F5 18 “Directive if has problems when used in location context, in some cases it doesn’t do what you expect but something completely different instead. In some cases it even segfaults. It’s generally a good idea to avoid it if possible.”
- 19. ©2022 F5 19 • Usually computationally more expensive than an in-built function • Takes a deep understanding of how if executes in the NGINX rewrite module to avoid problems (NGINX 301?) • Can cause an NGINX SIGSEV (bad) Reasons not to use “if” in a location Context
- 20. ©2022 F5 20 Example: Don’t use if to check for a file server { listen 80 default_server; server_name www.snarketing.net; access_log /var/log/nginx/host.access.log main; index index.html index.htm; root /usr/share/nginx/html; location / { if (!-f $request_filename) { break; } } …
- 21. ©2022 F5 21 Use try_files instead server { listen 80 default_server; server_name www.snarketing.net; access_log /var/log/nginx/host.access.log main; index index.html index.htm; root /usr/share/nginx/html; location / { try_files $uri $uri/ /index.html; } }
- 22. ©2022 F5 22 Demo
- 23. ©2022 F5 23 4. Directive Inheritance Confusion
- 24. ©2022 F5 24 Directives are inherited ”outside in” http { server { location foo { root /home/user/public_html; } } } root /home/user/foo; Sets directive Inherits Directive Overrides directive
- 25. ©2022 F5 25 Array type directives can have multiple values – the most common example is add_header Beware of array-type Directives location / { add_header My-Header 1; add_header My-Other-Header 2; add_header My-Other-Othe-Header 3; } You might think that inheritance would work by adding the headers together server { … add_header My-Header 1; location / { add_header My-Other-Header 2; } But you would be wrong!
- 26. ©2022 F5 26 Example: add_header http { add_header X-HTTP-LEVEL-HEADER 1; add_header X-ANOTHER-HTTP-LEVEL-HEADER 1; server { listen 8080; location / { return 200 "OK"; } } server { listen 8081; add_header X-SERVER-LEVEL-HEADER 1; location / { return 200 "OK"; } location /test { add_header X-LOCATION-LEVEL-HEADER 1; return 200 "OK"; } location /correct { add_header X-HTTP-LEVEL-HEADER 1; add_header X-ANOTHER-HTTP-LEVEL-HEADER 1; add_header X-SERVER-LEVEL-HEADER 1; add_header X-LOCATION-LEVEL-HEADER 1; return 200 "OK"; } } Inherits Replaces Replaces To get all headers must duplicate
- 27. ©2022 F5 27 Demo
- 28. ©2022 F5 28 5. Not Using Keepalives for upstreams
- 29. ©2022 F5 29 What are keepalives and why should you care? Upstreams Clients Without keepalives NGINX opens a new connection for each HTTP request Ephemeral port exhaustion
- 30. ©2022 F5 30 What are keepalives and why should you care? Upstreams Clients With keepalives NGINX reuses connections to upstreams
- 31. ©2022 F5 31 Demo
- 32. ©2022 F5 32 Use the keepalive directive in the upstream{} block Enabling keepalives upstream http_backend { server 127.0.0.1:8080; keepalive 4; } This ensures that the connection uses the correct HTTP version (HTTP 1 does not support keepalives) Add the following directives to the location{} block location / { proxy_http_version 1.1; proxy_set_header "Connection" ""; proxy_pass http://backend; } What number to set the keepalive value to? We recommend at least 4 x the number of servers listed in the upstream{} block.
- 33. ©2022 F5 33 Demo
- 34. ©2022 F5 34 Questions?
Notes de l'éditeur
- Welcome intro etc Demo setup ubuntu@54.190.3.225 I have added your private key Script files are in ~/webinar http://www.snarketing.net (public DNS)
- Explain these are in no particular order, but we’re starting with the only one that means messing about with the main context.
- Explain file descriptors
- You can see them in /proc for your process
- The default limit is 1024 and you can blow through this
- Explain how many you need
- This is how to set them.
- Run the 1.sh script Show the /etc/nginx/nginx.conf not that this is artificiallcy set to create a files descriptor problem (as its hard to do in a demo) Go to www.snarketing.net – show it works Get the audience to go to www.snarketing.net See it break – tail /var/log/nginx/error.log Run 1fixed.sh Show the /etc/nginx/nginx.conf Repeat with the audience, see tit works and no file errors
- This one can catch you out, and it’s a little counter intuitive lets take a look
- Explain what a root directive and location block are
- Here’s a very basic layout, now let’s take a look at our nginx.conf
- Exolain the location / points to /usr/share/nginx and tha the other locations point to other document roots Emphasse there are only /, /cat and /potato – and that something for say /ostrich would go to the / location
- Walk through this example
- But what If I just want to add a header for a particular location. The content is still in the / root, so no need to add that right? Wrong, it will break because there is no root for the location to inherit
- The solution is to have a root in the server context – or always declare a root in the location (but repeated lines are meh)
- Demo instructions Run 2.sh Show the /etc/nginx/conf.d/default.conf Check out http://www.snarketing.net/ostrich/. http://www.snarketing.net/cat http://www.snarketing.net/potato Run 2broken.sh Show the /etc/nginx/conf.d/default.conf Explain that we have just added a particular header in the ostrich location Check out http://www.snarketing.net/ostrich/ 404 Baby!!! Explain that this is because there is no location block in the main server{} context, and we don’t set one in the location{} block. The fix is to add the doc root to the main server{} context Run 2fixed.sh Show the /etc/nginx/conf.d/default.conf note the documentroot in the server context Check out http://www.snarketing.net/ostrich/ The bird is back!
- I debated on putting this in, but if your organization has a whole article called “if is evil” you kind of have to
- From the article itself
- Tell them why
- Here’s a simple example – don’t do this there are almost always a better way
- Like this
- Demo instructions Run 3.sh Show /etc/nginx/conf.d/default.conf go to www.snarketing.net.fubar It works but its ugly Run 3fixed.sh Show default.conf Explain try files is better go to www.snarketing.net.fubar
- This can be confusing
- Explain directive inheritance
- Talk about array type of directives – i.e the ones that are additive – root is ony 1 value at time, but add_header can keep adding headers as much as you like – so you should be able to add more in a different context and inherit the upper levels? No!
- This builds and is fairly self explanatory – it shows what inherits and what replaces walk through it not that even if you wanted to redefine 1 header of many, you would need to redefine them all.
- Demo instructions: Run 4.sh Show /etc/nginx/conf.d/defult.conf in a different terminal = – note that this includes the http{} context which is less usual but what we need for this demo curl -is localhost:8080 note the headers Explain that this is inheriting from the http{} context curl -is localhost:8081 note the headers For the server listening on port 8081, there is an add_header directive in the server{} block but not in its child location / block. The header defined in the server{} block overrides the two headers defined in the http{} context curl -is localhost:8081/test In the child location /test block, there is an add_header directive and it overrides both the header from its parent server{} block and the two headers from the http{} context: curl -is localhost:8081/correct If we want a location{} block to preserve the headers defined in its parent contexts along with any headers defined locally, we must redefine the parent headers within the location{} block. That’s what we’ve done in the location /correct block:
- OK, here’s a performance and scalability one, and it’s easy to implement.
- Without keepalives nginx will make a new connecton to an upstream server for every request This may well lead to port exhaustion – because we need an ephemeral port for every connection, and we can run out. plus it’s an overhead to do a TCP handshake for every single http request This problem was solved by keepalives over a decade ago (HTTP1-1.1) Keepalives reuse the same connection for multiple requests and are standard at the front end, but need a coo
- Keepalives reuse the same connection for multiple requests and are standard at the front end, but need a couple of settings to enable for the upstream servers – but first let's take a look at what happens without them
- Demo instructions: Run 5.sh Show /etc/nginx/conf.d/default.conf Run connections.sh View output – lots of connections to the backend – and this is a small scale test Return to presentation talk long enough for the connections in TIME_WAIT to go away
- Enabling keepalives is easy! Add the keepalive directive to the
- Demo Instructions Run 5fixed.sh Show /etc/nginx/conf.d/default.conf Run connections.sh View output – fewer connections to the backend Return to presentation