What’s New in NGINX Plus R16?
Who am I?
Faisal Memon
Product Marketing Manager, NGINX
Formerly:
• Sr. Technical Marketing Engineer, Riverbed
• Technical Marketing Engineer, Cisco
• Software Engineer, Cisco
What is NGINX?
Internet / HTTP traffic
• Web Server: Serve content from disk
• Reverse Proxy: FastCGI, uWSGI, gRPC…
• Load Balancer: Caching, SSL termination…
NGINX Open Source
- Basic load balancer
- Content Cache
- Web Server
- Reverse Proxy
- SSL termination
- Rate limiting
- Basic authentication
- 7 metrics
NGINX Plus
+ Advanced load balancer
+ Health checks
+ Session persistence
+ Least time alg
+ Cache purging
+ HA/Clustering
+ JWT Authentication
+ OpenID Connect SSO
+ NGINX Plus API
+ Dynamic modules
+ 90+ metrics
Previously on…
• gRPC support
• HTTP/2 Server Push
• NGINX JavaScript sub requests
• Clustering support for Sticky Learn *
• OpenID Connect Authorization Code Workflow for SSO *
• Watch on demand: nginx.com/webinars/whats-new-nginx-plus-r15/
* NGINX Plus Exclusive
Agenda
• NGINX Plus R16 overview
• New Features in detail
• Demo
• Summary
NGINX Plus R16 Overview
Many customers run NGINX Plus in multi-node clusters. NGINX Plus R16
adds new clustering features:
• Global rate limiting – Rate Limiting is now cluster-aware. Specify
global rate limits enforced by all nodes in cluster.
• Cluster-aware key-value store – Key-value pairs are
synced across the cluster. New timeout value. New DDoS mitigation use
case.
• Random with Two Choices – New algorithm. Select two
backend servers at random, send request to one with lowest load.
NGINX Plus R16 Overview
Additional features in NGINX Plus R16 include:
• Enhanced UDP load balancing – Support for multiple UDP
packets from client as part of same session. Support for more complex
UDP protocols: OpenVPN, VoIP, VDI, DTLS.
• PROXY Protocol v2 – Support for the PROXY protocol v2 (PPv2)
header, ability to inspect custom type-length-value (TLV) values. AWS
PrivateLink support.
• New dynamic module, NGINX JavaScript updates, and more
Clustering and State Sharing
• Production is always a cluster
• Avoids single point of failure (SPOF)
• 3 tiers of a cluster
NGINX Plus Clustering Review
• NGINX Plus R1 (2013) – Support for HA using
keepalived
• NGINX Plus R12 (2017) – Configuration synchronization
• NGINX Plus R15 (2018) – State sharing for Sticky Learn
session persistence
• NGINX Plus R16 (2018) – State sharing for Rate Limiting and
Key-Value Store
• All HA/clustering features exclusive to NGINX Plus
NGINX Plus State Sharing
stream {
    resolver 10.0.0.53 valid=20s;
    server {
        listen 1.2.3.4:9000;
        zone_sync;
        zone_sync_server nginx1.example.com:9000 resolve;
    }
}
Shared memory zones are identified in NGINX Plus with the zone
keyword (example on next slide) and hold data shared between
worker processes on the same server. The new zone_sync functionality
extends this sharing across different servers.
• zone_sync -- Enables synchronization of shared memory zones
in a cluster.
• zone_sync_server -- Identifies the other NGINX Plus
instances in the cluster. You create a separate
zone_sync_server for each server in the cluster.
• Add into main nginx.conf for each server in the cluster
Global Rate Limiting
limit_req_zone $binary_remote_addr zone=global:1M rate=40r/s sync;
server {
    listen 80;
    server_name www.example.com;
    location / {
        limit_req zone=global;
        proxy_set_header Host $host;
        proxy_pass http://my_server;
    }
}
• Rate limiting controls the number of requests sent to backend
servers. The limit can be applied per IP address or per other parts of the
request.
• Add the sync parameter at the end of the rate limit definition
(limit_req_zone)
• The shared memory zone (global) that holds the current per-IP
rate is synced across all nodes in the cluster
• All nodes collectively enforce the rate limit, 40 requests/second in
this example
Cluster-Aware Key-Value Store
keyval_zone zone=blacklist:1M timeout=600 sync;
keyval $remote_addr $target zone=blacklist;
server {
    listen 80;
    server_name www.example.com;
    if ($target) {
        return 403;
    }
    location / {
        proxy_set_header Host $host;
        proxy_pass http://my_server;
    }
    location /api {
        api write=on;
    }
}
• Add the sync parameter at the end of the key-value store definition
(keyval_zone)
• The timeout parameter specifies how long key-value pairs are valid, in
seconds. The timeout is required if syncing the key-value store.
• In this example we are creating a dynamic IP blacklist. Any IP addresses in
the key-value store are blocked.
• curl -X POST -d '{"192.0.2.26": "1"}' http://www.example.com/api/3/http/keyvals/blacklist
• Access to /api should be restricted using IP access controls
(allow, deny)
Random with Two Choices
upstream my_backend {
    server server1.example.com;
    server server2.example.com;
    server server3.example.com;
    random two least_time=last_byte;
}
server {
    listen 80;
    location / {
        proxy_set_header Host $host;
        proxy_pass http://my_backend;
    }
}
• Pick two servers at random, send request to the one with the quickest response time.
• Suitable for clusters with multiple active NGINX Plus servers
• Due to workload variance, regular least_time not always accurate
• Can alternatively use least_conn instead of least_time
• Can also specify just random for pure random load balancing
• The least_time parameter and response time metrics are NGINX Plus
exclusive
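The herd effect that motivates Random with Two Choices can be reproduced in a short simulation. This is an added example, not code from the presentation. It assumes every load balancer in a round decides on the same stale load snapshot and uses queue length as the load metric (the slide's configuration uses least_time); all function names are illustrative.

```python
import random


def least_loaded(snapshot, rng):
    """Deterministic 'best choice': the server with the lowest known load."""
    return min(range(len(snapshot)), key=snapshot.__getitem__)


def random_two(snapshot, rng):
    """Random with Two Choices: sample two servers, keep the less loaded one."""
    a, b = rng.sample(range(len(snapshot)), 2)
    return a if snapshot[a] <= snapshot[b] else b


def simulate(policy, servers=20, balancers=16, rounds=300, seed=16):
    """Run `rounds` rounds in which each balancer places one request.

    Assumption of this model: balancers do not see each other's decisions
    within a round, so all of them work from the same snapshot of the load.
    Each server completes one request per round.
    """
    rng = random.Random(seed)
    load = [0] * servers
    worst_burst = 0   # most requests one server received in a single round
    peak_queue = 0    # longest queue observed on any server
    for _ in range(rounds):
        snapshot = list(load)              # the stale view shared by all balancers
        arrivals = [0] * servers
        for _ in range(balancers):
            arrivals[policy(snapshot, rng)] += 1
        for i in range(servers):
            load[i] += arrivals[i]
        worst_burst = max(worst_burst, max(arrivals))
        peak_queue = max(peak_queue, max(load))
        load = [max(0, q - 1) for q in load]   # each server drains one request
    return {"worst_burst": worst_burst, "peak_queue": peak_queue}


if __name__ == "__main__":
    for name, policy in (("least loaded", least_loaded), ("random two", random_two)):
        print(name, simulate(policy))
```

With the deterministic policy every balancer picks the same server in a round, so that server absorbs the whole batch; with two random choices the batch is spread out even though the load information is equally stale.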
Enhanced UDP Load Balancing
stream {
    server {
        listen 1195 udp;
        proxy_pass 127.0.0.1:1194;
    }
}
• NGINX Plus R9 first introduced UDP load balancing, but it was limited to one packet per client.
Only simple protocols such as DNS and RADIUS were supported.
• NGINX Plus R16 UDP load balancing can handle multiple packets from a client. More
complex UDP protocols such as OpenVPN, VoIP, and VDI are now supported.
• UDP load balancing is configured in a stream block by adding the udp parameter to
the listen directive.
• The example above is a suitable configuration for OpenVPN.
PROXY Protocol v2 (PPv2)
server {
    listen 80 proxy_protocol;
    location /app/ {
        proxy_pass http://backend1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
    }
}
• PROXY Protocol is used to obtain original client IP/Port when multiple load
balancers and proxies are chained.
• PROXY Protocol v2 moves from text to binary header
• Add proxy_protocol as parameter to listen
• $proxy_protocol_addr, $proxy_protocol_port
are populated with original client IP/Port
• Supported for HTTP and Stream
• Can also add PROXY Protocol header using proxy_protocol
directive. (Stream only)
stream {
    server {
        listen 12345;
        proxy_pass example.com:12345;
        proxy_protocol on;
    }
}
AWS PrivateLink Support
server {
    listen 80 proxy_protocol;
    location /app/ {
        proxy_pass http://backend1;
        proxy_set_header Host $host;
        proxy_set_header X-Cluster-VPC $proxy_protocol_tlv_0xEA;
    }
}
• AWS PrivateLink is for secure VPC to VPC communication without going over
public internet or using VPNs.
• The Provider VPC (server-side) has an NLB that adds PROXY Protocol
header with custom field that holds client VPC Endpoint ID.
• NGINX Plus reads this value into variable named
$proxy_protocol_tlv_0xEA
• Variable can be passed to application server, logged, used as rate limiting
key, etc.
• Exclusive to NGINX Plus
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$proxy_protocol_tlv_0xEA"';
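What the binary PPv2 header and the 0xEA TLV from the two slides above look like on the wire, as an added example that is not code from the presentation or from NGINX. The sample header, the endpoint ID and the helper names are constructed for illustration; the byte layout follows the PROXY protocol v2 specification, and the leading 0x01 subtype byte inside the 0xEA value follows the AWS convention.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte signature opening every v2 header
PP2_TYPE_AWS = 0xEA                         # custom TLV type added by the AWS NLB
PP2_SUBTYPE_AWS_VPCE_ID = 0x01              # first byte of the 0xEA value: endpoint ID follows
ADDR_FORMATS = {1: ("!4s4sHH", 12), 2: ("!16s16sHH", 36)}  # AF_INET, AF_INET6


def parse_ppv2(data: bytes) -> dict:
    """Parse one PROXY protocol v2 header found at the start of `data`."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F not in (0, 1):
        raise ValueError("bad version/command byte")
    if len(data) < 16 + length:
        raise ValueError("header shorter than its declared length")
    body = data[16:16 + length]
    info = {"command": "PROXY" if ver_cmd & 0x0F else "LOCAL",
            "header_len": 16 + length, "tlvs": {}}
    if info["command"] == "LOCAL":
        return info  # connection opened by the proxy itself: no client address
    family = fam_proto >> 4
    if family not in ADDR_FORMATS:
        raise ValueError("unsupported address family")
    fmt, addr_len = ADDR_FORMATS[family]
    if len(body) < addr_len:
        raise ValueError("address block truncated")
    src, dst, sport, dport = struct.unpack(fmt, body[:addr_len])
    info.update(src=str(ipaddress.ip_address(src)), src_port=sport,
                dst=str(ipaddress.ip_address(dst)), dst_port=dport)
    # Everything after the addresses is a sequence of type-length-value records.
    offset = addr_len
    while offset < len(body):
        if offset + 3 > len(body):
            raise ValueError("TLV header truncated")
        tlv_type, tlv_len = struct.unpack("!BH", body[offset:offset + 3])
        value = body[offset + 3:offset + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("TLV value truncated")
        info["tlvs"][tlv_type] = value
        offset += 3 + tlv_len
    return info


def aws_vpce_id(info: dict):
    """Return the VPC endpoint ID carried in TLV 0xEA, or None if absent."""
    value = info["tlvs"].get(PP2_TYPE_AWS)
    if not value or value[0] != PP2_SUBTYPE_AWS_VPCE_ID:
        return None
    return value[1:].decode("ascii")


def build_sample_header() -> bytes:
    """Constructed sample: TCP over IPv4 with one AWS TLV (made-up endpoint ID)."""
    addrs = struct.pack("!4s4sHH", ipaddress.ip_address("192.0.2.26").packed,
                        ipaddress.ip_address("10.0.0.5").packed, 51234, 80)
    vpce = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + b"vpce-0123456789abcdef0"
    body = addrs + struct.pack("!BH", PP2_TYPE_AWS, len(vpce)) + vpce
    # 0x21 = version 2, PROXY command; 0x11 = AF_INET, STREAM
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


if __name__ == "__main__":
    parsed = parse_ppv2(build_sample_header() + b"GET /app/ HTTP/1.1\r\n")
    print(parsed["src"], parsed["src_port"], aws_vpce_id(parsed))
```

The header is taken at face value by whoever parses it, so a listener with proxy_protocol enabled should only be reachable from the load balancers that add the header.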
Miscellaneous New Features
• OpenID opaque session tokens -- Actual JWT not sent to client, random string instead.
• Support for SSL/clear traffic on same port – New variable
$ssl_preread_protocol allows you to distinguish between the two.
• New Encrypted Session Dynamic Module -- Provides encryption and decryption support for
NGINX variables based on AES-256 with MAC
• NGINX JavaScript enhancements -- Simplified request/response handling, new support for:
bytesFrom(), padStart(), padEnd(), getrandom(),
getentropy(), and binary literals
Changes in Behavior
• upstream_conf and extended status APIs now removed, replaced by NGINX Plus API. See
transition guide on our blog:
• nginx.com/blog/transitioning-to-nginx-plus-api-configuration-monitoring
• NGINX Plus is no longer supported on Ubuntu 17.10 (Artful), FreeBSD 10.3, or FreeBSD 11.0.
• Ubuntu 14.04, 16.04, and 18.04
• FreeBSD 10.4+, 11.1+
• New Relic plugin open sourced and available on GitHub, but no longer supported
• github.com/nginxinc/new-relic-agent
Demo: The “Sin Bin”
limit_req_zone $remote_addr zone=per_ip:1M rate=100r/s sync;
limit_req_status 429;
keyval_zone zone=sinbin:1M timeout=600 sync;
keyval $remote_addr $in_sinbin zone=sinbin;
server {
    listen 80;
    location / {
        if ($in_sinbin) {
            set $limit_rate 50; # Restrict bandwidth of bad clients
        }
        limit_req zone=per_ip;
        error_page 429 = @send_to_sinbin;
        proxy_pass http://my_backend;
    }
    location @send_to_sinbin {
        rewrite ^ /api/3/http/keyvals/sinbin break;
        proxy_method POST;
        proxy_set_body '{"$remote_addr":"1"}';
        proxy_pass http://127.0.0.1:80;
    }
    location /api/ {
        api write=on;
    }
}
• Clients that exceed the rate limit are put into the “sin bin”. Clients in the
“sin bin” are restricted to a low bandwidth, 50 bytes per second.
• Bots can easily detect that they’ve been blocked and move to a new IP;
a bandwidth reduction is more difficult to detect.
• Demo environment:
  • 3 NGINX Plus servers in Digital Ocean
  • WordPress server
  • Loadster simulating bad actors and regular users
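The key-value store slide notes that access to /api should be restricted with allow and deny, and the demo configuration above leaves its writable /api/ location without those rules. The check below finds such locations; it is an added example, not part of the presentation or of NGINX. The function names, the small config parser and the hardened variant (loopback only, chosen because @send_to_sinbin proxies to 127.0.0.1) are assumptions made for illustration, and only allow/deny rules are considered.

```python
import re

# Comments, quoted strings, structural characters, bare words.
TOKEN = re.compile(r"""#[^\n]*|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[{};]|[^\s{};'"#]+""")

# The demo configuration from the slide above.
DEMO = r"""
limit_req_zone $remote_addr zone=per_ip:1M rate=100r/s sync;
limit_req_status 429;
keyval_zone zone=sinbin:1M timeout=600 sync;
keyval $remote_addr $in_sinbin zone=sinbin;
server {
    listen 80;
    location / {
        if ($in_sinbin) {
            set $limit_rate 50; # Restrict bandwidth of bad clients
        }
        limit_req zone=per_ip;
        error_page 429 = @send_to_sinbin;
        proxy_pass http://my_backend;
    }
    location @send_to_sinbin {
        rewrite ^ /api/3/http/keyvals/sinbin break;
        proxy_method POST;
        proxy_set_body '{"$remote_addr":"1"}';
        proxy_pass http://127.0.0.1:80;
    }
    location /api/ {
        api write=on;
    }
}
"""

# Constructed hardened variant: only the local sin-bin subrequest may write.
HARDENED = DEMO.replace("api write=on;", "api write=on; allow 127.0.0.1; deny all;")


def tokenize(text):
    """Split config text into words, quoted strings and { } ; (comments dropped)."""
    return [m.group() for m in TOKEN.finditer(text) if not m.group().startswith("#")]


def parse(tokens):
    """Build a tree of (words, children); children is None for simple directives."""
    def block(pos):
        items, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                if words:
                    items.append((words, None))
                words = []
            elif tok == "{":
                children, pos = block(pos)
                items.append((words, children))
                words = []
            elif tok == "}":
                return items, pos
            else:
                words.append(tok)
        return items, pos
    return block(0)[0]


def find_open_write_apis(config_text):
    """Return the paths of blocks that enable 'api write=on' without 'deny all'."""
    findings = []

    def walk(items, path, guarded):
        # allow/deny rules are inherited from the enclosing level only when the
        # current level defines none of its own.
        own = [w for w, c in items if c is None and w[0] in ("allow", "deny")]
        if own:
            guarded = ["deny", "all"] in own
        for words, children in items:
            if children is not None:
                walk(children, path + [" ".join(words)], guarded)
            elif words[0] == "api" and "write=on" in words and not guarded:
                findings.append(" > ".join(path))

    walk(parse(tokenize(config_text)), [], False)
    return findings


if __name__ == "__main__":
    print("demo:    ", find_open_write_apis(DEMO))
    print("hardened:", find_open_write_apis(HARDENED))
```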
Summary
• NGINX Plus R16 has new clustering features for active/active deployments
• Rate limiting is cluster-aware, enabling you to configure global rate limits
• Key-value store is cluster-aware, key-value pairs are synced to all cluster nodes
• New Random with Two Choices algorithm recommended for all clustered deployments with variable
workloads
• Enhanced UDP Load Balancing supports multiple packets from a client and more complex protocols such as
OpenVPN
• Proxy Protocol v2 (PPv2) is now supported, along with AWS PrivateLink
Download our Free Ebook
• How NGINX fits as a complement or replacement for existing API gateway
and API management approaches
• How to take an existing NGINX Open Source or NGINX Plus configuration
and extend it to also manage API traffic
• How to create a range of safeguards that can be applied to protect and
secure backend API services in production
• How to deploy NGINX Plus as an API gateway for gRPC services
Download now: nginx.com/resources/library/nginx-api-gateway-deployment/
Q & A
Try NGINX Plus and NGINX WAF free for 30 days: nginx.com/free-trial-request

Editor's Notes

  • #4: NGINX Plus gives you all the tools you need to deliver your application reliably.
    Web Server: NGINX is a fully featured web server that can directly serve static content. NGINX Plus can scale to handle hundreds of thousands of clients simultaneously, and serve hundreds of thousands of content resources per second.
    Application Gateway: NGINX handles all HTTP traffic, and forwards requests in a smooth, controlled manner to PHP, Ruby, Java, and other application types, using FastCGI, uWSGI, and Linux sockets.
    Reverse Proxy: NGINX is a reverse proxy that you can put in front of your applications. NGINX can cache both static and dynamic content to improve overall performance, as well as load balance traffic, enabling you to scale out.
  • #6: - We will
  • #9: - We will
  • #15: Remember that you were the only airport staff member who was directing passengers to queues. What happens if you are joined by several colleagues, so there are a number of you marshalling passengers to queues? Very quickly, it all starts to go wrong! For example, when a group of travellers arrives, you each notice that queue numbers 3 and 4 are shorter than the others, so independently you each make the best choice and direct passengers to those queues. Suddenly, the queues are overloaded! In the same way, several independent load balancers can overload the upstream servers that appear to be best, no matter what ‘best choice’ algorithm you use.
  • #21: - We will
  • #23: - We will