What's New in NGINX Plus R12?

NGINX Plus R12 Overview
Liam Crilly
Director of Product Management
April 12, 2017

NGINX Plus R11 Recap
Key new features for improved customization, compatibility, and more
● Binary compatibility for dynamic modules
● Improved TCP/UDP load balancing
● GeoIP2 dynamic module
● Enhanced nginScript module
Released: Tuesday October 25, 2016
2

NGINX Plus R12 New Features
Key new features for improved clustering, customization, and visibility
● Configuration sharing for High Availability (HA) clusters
○ Configure a single server, push configuration from there to remaining servers
● nginScript General Availability
○ Perform custom actions with familiar JavaScript syntax
● Updated extended status monitoring
○ Better visibility with response time, TCP/UDP error codes, shared memory zone usage,
and additional enhancements
● Enhanced caching
○ Better performance with background updates
● Improved health checks, JWT validation, and client certificates for TCP/UDP applications
Released: Tuesday March 14, 2017
3

4

MORE INFORMATION AT
NGINX.COM
NGINX Plus HA Overview
NGINX Plus HA deployment options:
● Active/Passive -- Only one server processes
traffic
● Active/Active -- Both servers actively process
traffic
Most users deploy two or more NGINX Plus
servers:
● Redundancy in case of failure
● Scale to handle more users

MORE INFORMATION AT
NGINX.COM
NGINX Plus R12 Configuration Sharing
Problem
● How do I manage configuration of a large
cluster of NGINX Plus servers?
● Individually configuring each server is not
scalable
Solution
● Make all changes to a single “master” NGINX
Plus server
● Synchronize all changes to the remaining
servers in the cluster

MORE INFORMATION AT
NGINX.COM
NGINX Plus R12 Configuration Sharing in Detail
1. Nominate one or more master nodes in the
cluster
2. Install the new nginx-sync package on the
master
3. Create /etc/nginx-sync.conf on the master
and enter peer IPs
4. Give master SSH root/sudoers access to peers
5. Invoke the configuration sync process, nginx-sync.sh which is included in the nginx-sync
package, to update each of the other servers in the cluster (the peers):
a. Push the updated configuration to the peer
b. Verify that the configuration is valid for the peer (nginx -t), and rolls it back if not
c. Applies the configuration if it is valid, and reloads the NGINX Plus process on the peer

MORE INFORMATION AT
NGINX.COM
Configuration Sharing FAQ
● What happens if the master fails?
○ Pre-configure multiple servers to be the master
○ If master fails, designate other pre-configured machine to be master
● What happens if a peer fails?
○ Configuration synced to other machines
○ When peer recovers, run nginx-sync.sh to update it to latest config
● Does the master need root SSH access?
○ Modifying config and reloading NGINX Plus process requires root access
○ /etc/sudoers can be used to apply principle of least privilege
● HA is exclusive to NGINX Plus

MORE INFORMATION AT
NGINX.COM
9

MORE INFORMATION AT
NGINX.COM
nginScript: Overview
● High-performance JavaScript implementation designed for server side use cases
○ ECMAScript 5.1 compliant
○ Virtual machine per request, destroyed upon completion
○ No garbage collection
○ Uses only a few KBs of memory for small tasks
● Use nginScript to perform custom actions such as:
○ Mask user identity in logs files
○ Session persistence for TCP/UDP protocols, e.g. IoT
○ Implement custom load balancing algorithms
● Works with HTTP, TCP, and UDP applications

MORE INFORMATION AT
NGINX.COM
js_include mask_ip.js;
js_set $remote_addr_masked maskRemoteAddress;
log_format masked '$remote_addr_masked - $remote_user '
'[$time_local] "$request" $status '
'$body_bytes_sent "$http_referer" '
'"$http_user_agent"';
server {
listen 80;
access_log /var/log/nginx/access.log;
access_log /var/log/nginx/access_masked.log masked;
location / {
#proxy_pass http://backend;
# For testing only (show the masked value)
return 200 "$remote_addr -> $remote_addr_maskedn";
}
}
nginScript Example: Data Masking in Access Logs
$ curl http://localhost/
127.0.0.1 -> 8.163.209.30
$ sudo tail --lines=1 /var/log/nginx/access*.log
==> /var/log/nginx/access.log <==
127.0.0.1 - - [16/Mar/2017:19:08:19 +0000] "GET / HTTP/1.1" 200 26 "-" "curl/7.47.0”
==> /var/log/nginx/access_masked.log <==
8.163.209.30 - - [16/Mar/2017:19:08:19 +0000] "GET / HTTP/1.1" 200 26 "-" "curl/7.47.0"
function fnv32a(str) {
var hval = 2166136261;
for (var i = 0; i < str.length; ++i ) {
hval ^= str.charCodeAt(i);
hval += (hval << 1) + (hval << 4) + (hval << 7) + (hval
<< 8) + (hval << 24);
}
return hval >>> 0;
}
function i2ipv4(i) {
var octet1 = (i >> 24) & 255;
var octet2 = (i >> 16) & 255;
var octet3 = (i >> 8) & 255;
var octet4 = i & 255;
return octet1 + "." + octet2 + "." + octet3 + "." + octet4;
}
function maskRemoteAddress(req) {
return i2ipv4(fnv32a(req.remoteAddress));
}

MORE INFORMATION AT
NGINX.COM
nginScript: What’s New?
● Generally available and suitable for production usage
● Number of enhancements to support more of the JavaScript language and better
integrate with NGINX Plus:
○ Pre-read phase in stream module for TCP/UDP load balancing
○ ECMAScript 6 Number and Math properties and methods
○ Additional String methods such as trim, includes, repeat, startsWith, and
endsWith
○ Scopes
● Though now stable work is ongoing

MORE INFORMATION AT
NGINX.COM
13

MORE INFORMATION AT
NGINX.COM
Extended Status Monitoring: Overview
● Over 40 additional metrics compared to open source NGINX
● Per virtual server and per backend server statistics
● Use our graphical dashboard or view in New Relic, DataDog, etc
● JSON output to export to your favorite monitoring tool
"nginx_build": "nginx-plus-r12-p2",
"nginx_version": "1.11.10",
"pid": 98240,
"ppid": 50622,
"processes": {
"respawned": 0
},
"requests": {
"current": 1,
"total": 9915307
},
"server_zones": {
"hg.nginx.org": {
"discarded": 9150,
"processing": 0,
"received": 146131844,
"requests": 597471,
"responses": {
"1xx": 0,
"2xx": 561986,
"3xx": 12839,
"4xx": 7081,
"5xx": 6415,
"total": 588321
},
"sent": 14036626711
},

Extended Status Monitoring: What’s New?
● Shared memory zone utilization
○ Shared memory zones are mandatory for health checks, caching, rate limiting…
○ Can now tune shared memory zone size
● Response time metrics
○ Key for determining server load
15

● NGINX Plus release number displayed along with open source base
● Makes it easy to tell what NGINX Plus version a server is running
16

● Error codes for TCP/UDP applications
○ Looks like standard HTTP error code for familiarity and ease of debugging
○ Ability to construct TCP/UDP access logs with status codes
17

MORE INFORMATION AT
NGINX.COM
● JSON compliant-escaping in log files
○ Better compatibility with modern logging tools
● Use server name from configuration file instead of resolved ip/port in dashboard
○ Better correlation between what’s in config and what’s on screen
○ New name field in JSON output contains server name from config
● Extended Status Monitoring is exclusive to NGINX Plus

MORE INFORMATION AT
NGINX.COM
19

Caching Overview
● NGINX Plus stores a copy of content generated by origin server
● Why cache content?
○ Better performance for end user
○ Reduced load on origin servers
20

Caching: What’s New?
● Cached content has a validity period, after which it is considered “stale”
● By default, NGINX Plus will not serve stale content
● NGINX Plus can now serve the stale content to user and refresh in the background
● Support for the Cache-Control extensions defined in RFC 5861,
stale-while-revalidate and stale-if-error.
● No “cache miss” penalty results in better user experience
21

Example: Stale-while-revalidate with background revalidation
22
proxy_cache_path /path/to/cache levels=1:2 keys_zone=my_cache:10m
max_size=10g inactive=60m;
server {
location / {
proxy_cache my_cache;
# Serve stale content when updating
proxy_cache_use_stale updating;
# In addition, don’t block the first request that triggers the
# update and do the update in the background
proxy_cache_background_update on;
proxy_pass http://my_upstream;
}
}

Caching: What’s New?
● Can now bypass the cache for byte-range requests that start far into the requested (and
uncached) resource
● For large files such as video content, byte-range requests deep into the file will not add
latency to the client request
● Previously, the client would need to wait for the preceding bytes to be fetched and written to
the cache before receiving the byte range it had requested
23
1-15000
15001-30000
30001-45000
15000001-

Example: Cache bypass for deep range requests
24
proxy_cache_path /path/to/cache keys_zone=my_cache:10m max_size=10g;
server {
location / {
proxy_cache my_cache;
# Bypass cache for byte range requests beyond 10 megabytes
proxy_cache_max_range_offset 10m;
}
}

○ Better visibility with response time, TCP/UDP error codes, shared memory zone usage, and
additional enhancements
25

Active Health Checks Overview
● NGINX Plus actively monitors the health of HTTP, TCP, and UDP servers
● “Slow start” to gently reintroduce servers
● Why active health checks?
○ Improves the reliability of applications
○ Enables non-disruptive maintenance operations
26

Active Health Checks: What’s New?
● Require newly introduced servers to pass health check before allowing them to process
traffic when adding via on-the-fly reconfiguration
● New servers from on-the-fly reconfiguration can now be “slow started”
● Zero-config health check for UDP applications
27
New server

Example: Mandatory health checks with slow-start
28
upstream my_upstream {
zone my_upstream 64k;
server backend1.example.com slow_start=30s;
}
server {
location / {
# Require new server to pass health check before receiving traffic
health_check uri=/ishealthy.php mandatory;
}
}

Example: Zero-config health checks for UDP protocols
29
upstream udp_app {
server backend1.example.com:1234;
server backend2.example.com:1234;
}
server {
listen 1234 udp;
proxy_pass udp_app;
# Basic UDP health check
health_check udp;
}

MORE INFORMATION AT
NGINX.COM
Other New Features
● SSL client certificates for TCP/UDP load balancing
○ Useful for automation, script can login to protected resource without presenting a
username and password
○ Better parity with HTTP load balancing
● Enhanced JWT (JSON Web Token) validation
○ Can now extract custom field for JWT
○ Improved support for OpenID Connect use cases
○ Previous support allowed for extraction of pre-defined fields only
○ JWT validation is exclusive to NGINX Plus
● Maximum Connections Queue
○ Connections to upstream servers can now be queued rather than dropped if the
servers are overloaded

MORE INFORMATION AT
NGINX.COM
NGINX Plus R12 Caveats
● Cache Metadata Format -- Internal cache metadata header format has changed. When
you upgrade to NGINX Plus R12, the on-disk cache will be invalidated and NGINX Plus will
automatically refresh the cache as needed.
● SSL “DN” variables -- Format of the $ssl_client_s_dn and $ssl_client_i_dn
variables has changed; they now use ‘,’ and are escaped as per RFC2253. The old
X509_NAME_oneline format that used ‘/’ to separate fields can be found in the
$ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy variables.
● Third-Party Dynamic Modules -- Dynamic Modules that are installed from the NGINX Plus
repository will be automatically updated during the upgrade. Any third-party modules that
you have built will need manual updates or will result in error upon upgrade.

MORE INFORMATION AT
NGINX.COM
Q&A
32

What's New in NGINX Plus R12?

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à What's New in NGINX Plus R12?

Similaire à What's New in NGINX Plus R12? (20)

Plus de NGINX, Inc.

Plus de NGINX, Inc. (20)

Dernier

Dernier (20)

What's New in NGINX Plus R12?