What's New in NGINX Plus R8
NGINX Plus R8 – what’s new
OWEN GARRETT
Building a great application is only half the battle, delivering the application is the other half.
The modern web requires a new approach to application delivery
Flawless Application Delivery for the Modern Web
Load Balancer, Monitoring & Management, Web Server, Content Cache, Streaming Media
MORE INFORMATION AT NGINX.COM
What’s New? NGINX Plus R8
● OAuth2 Technology Preview
  ○ Industry standard for user identity management
  ○ NGINX Plus can offload processing of it from the application
● Fully production supported HTTP/2
  ○ Hardened based on real world usage
  ○ Confidently move to HTTP/2 in production
● Persistent on-the-fly reconfiguration API
  ○ A better way to do service discovery
● Scalable caching for large video files
  ○ Segment rather than file based caching
● Improved health checking and other new features
1. OAuth2
What is OAuth2?
● Technology behind Facebook, Google, etc. logins
● High level workflow
  • User clicks on “Log In with Facebook” button on airbnb
  • User logs in to Facebook (authorization server)
  • User sent back to airbnb with “Access Token”
  • airbnb validates “Access Token” and extracts user info
● A better user experience
  • Fewer passwords
  • More secure
From airbnb.com
How OAuth2 is implemented today
● Facebook/Google provide a JavaScript SDK to developers (front end)
  • Other identity providers may require implementation of OAuth as back end code
● Developers bake SDK into application
● Usually a separate login mechanism exists for the legacy application-internal password database
● The problem with this approach:
  • Authentication tasks handled by developers and app servers
  • Supporting multiple identity providers requires integration with multiple SDKs
  • How does all this work with the legacy password database?
Why NGINX Plus for OAuth2?
NGINX Plus offloads OAuth2 from the application
Why NGINX Plus for OAuth2?
● Offload the OAuth2 workflow from the application
  • Less work for developers and application servers
● Consolidate OAuth2 authentication and move it to the edge
  • Rather than on each application server
● NGINX Plus does all the work and passes the decoded “Access Token” to the application
  • User info extracted and put into standard HTTP headers
  • Application can easily consume HTTP headers
  • Application can be agnostic to whether Facebook or Google was used
  • Existing password database can be converted to send HTTP headers so that a single mechanism can be used at the back end, regardless of identity provider
Why Technology Preview?
● OAuth2 code is not part of the NGINX Plus binary
  • External Python script
  • Leverages NGINX http_auth_request module
● Not recommended for production deployments
  • Take the demo app and play with it
  • Customers encouraged to integrate their apps in development environment
● Plan is for a future NGINX Plus release to have a fully supported implementation
● Only Facebook and Google supported in this release
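An added example, not part of the slides or of the technology preview's own code: one way to wire the header hand-off described above with the auth_request module so that identity headers reaching the application can only come from NGINX Plus. The validator address, the X-User-* header names, the backend address and the certificate paths are assumptions.

```nginx
upstream backend {
    zone backend 64k;
    server 127.0.0.1:8000;                 # constructed application server
}

server {
    listen 443 ssl http2;
    ssl_certificate     /etc/nginx/ssl/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.key;   # placeholder path

    location / {
        # Each request first goes to the token-validation subrequest.
        # A 401 or 403 from the validator is returned to the client
        # and the application never sees the request.
        auth_request /_oauth2_validate;

        # Copy identity out of the validator's response headers
        # (hypothetical header names).
        auth_request_set $oauth_user  $upstream_http_x_user_id;
        auth_request_set $oauth_email $upstream_http_x_user_email;

        # Always overwrite these headers. If the validator omits one,
        # the variable is empty and the header is not sent at all, so a
        # client-supplied X-User-Id can never reach the application.
        proxy_set_header X-User-Id    $oauth_user;
        proxy_set_header X-User-Email $oauth_email;

        proxy_pass http://backend;
    }

    location = /_oauth2_validate {
        internal;                          # not reachable from clients
        proxy_pass http://127.0.0.1:8001/validate;   # hypothetical validator
        proxy_pass_request_body off;       # validator needs headers only
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

The application should accept connections only from NGINX Plus, since anything that can reach it directly can set these headers itself.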
2. Production-ready HTTP/2
HTTP/2 usage growing steadily
http://w3techs.com/technologies/details/ce-http2/all/all
NGINX is the #1 Web Server for HTTP/2
http://w3techs.com/technologies/segmentation/ce-http2/web_server
Browser support for HTTP/2 is catching up with SPDY
http://caniuse.com/#feat=spdy
http://caniuse.com/#feat=http2
Why NGINX Plus for HTTP/2?
• HTTP/2 Gateway - HTTP/2 translated back into a protocol existing app servers can understand
• Backwards Compatibility - HTTP/2 and HTTP/1.x supported side-by-side
So what’s new?
• Fully Production Supported
  • Hardened based on internal and real world testing
  • Bug fixes, tweaks, etc.
  • Part of main nginx-plus and nginx-plus-extras package
  • SPDY support removed from NGINX Plus
• For you
  • The most stable and battle tested implementation available
  • Move to HTTP/2 with confidence
3. Persistent on-the-fly Reconfiguration
On-the-fly Reconfiguration – an existing API in NGINX Plus
• HTTP-based API to add, remove, or modify servers without restarting NGINX or touching a config file
• Why is this useful?
  • Quick, temporary changes to load-balancing configuration
  • No need to reload NGINX Plus – preserve state, stats, no burst in resource usage
  • Simple security model - no need to access configuration and restart NGINX
What’s new in R8?
• It’s persistent - changes are no longer temporary:
  • New configuration directive to define a file that holds the current servers and what state they are in
  • API updates modify state in-memory and update state file in case of a restart

upstream backend {
    zone backend 64k;
    state /etc/nginx/conf.d/backend.state;
}
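An added example, not from the slides: the reconfiguration API is switched on inside a location, and anyone who can reach that location can change where traffic is routed, so access to it is restricted. The upstream_conf directive is the API handler of this NGINX Plus generation; the management listener address and the allowed client are assumptions.

```nginx
upstream backend {
    zone backend 64k;
    # With "state", the server list lives in the state file and is
    # managed through the API; "server" lines are not listed here.
    state /etc/nginx/conf.d/backend.state;
}

server {
    # Assumed management listener, bound to loopback so the API is
    # never exposed on the public interface.
    listen 127.0.0.1:8081;

    location /upstream_conf {
        upstream_conf;        # enables the on-the-fly reconfiguration API

        # Only local automation (for example a service-discovery agent
        # running on this host) may add, remove or modify servers.
        allow 127.0.0.1;
        deny  all;
    }
}
```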
What does this have to do with service discovery?
The problem
• Existing solutions:
  • Rely on configuration templates and restarting NGINX for each change
  • Require root access to NGINX servers
  • Not scalable if done repeatedly throughout each day, especially if using long lived connections (e.g. websockets)
What does this have to do with service discovery?
• Services all register with a central repository
• NGINX can automatically create routes to new service instances, and scale existing services
What does this have to do with service discovery?
The solution
• With NGINX Plus:
  • Use on-the-fly reconfiguration API instead of config templates
  • Easily scalable with no restarting
• In Action: Pre-built demo
  • Consul integrated with NGINX Plus on-the-fly reconfiguration
  • nginx.com/consul-r8
4. Scalable caching for video
Scalable caching for video
• When watching video on the internet we:
  • Rewind
  • Fast forward
  • Skip to the end
  • End early
  • In general, watch it non sequentially
• When we cache in NGINX, it is done sequentially:
  • Can cause delays with non-sequential watching
  • Whole file has to be cached before it can be served out of the cache to other users
• Slice the video files into small fragments
• Cache the small fragments
• No more delays!
Scalable caching for video
proxy_cache_path /tmp/mycache keys_zone=mycache:10m;

location / {
    slice 1m;
    proxy_cache mycache;
    proxy_cache_key $uri$is_args$args$slice_range;
    proxy_set_header Range $slice_range;
    proxy_cache_valid 200 206 1h;
    proxy_pass http://localhost:8000;
}

• $slice_range added to cache key to differentiate between fragments
• Overwrite Range header as user range request may not match up with NGINX
https://www.nginx.com/blog/smart-efficient-byte-range-caching-nginx/
5. ... and more!
Even more features
• Specify Health Check port - New port parameter allows NGINX to use a different port for health checks. Monitor many services on the same host.

location / {
    proxy_pass http://backend;
    health_check port=8080;
}

• HEAD request caching - Cached as standard GET requests by default. A HEAD request is identical to a standard GET request, except that the response body is not returned. Useful for testing links for validity, accessibility, and recent modification.
• New variable, $realip_remote_addr, holds the original client IP address when the Real IP module is in use.
• Syslog - The new nohostname parameter to the access_log and error_log directives disables logging of the hostname field to syslog; the hostname is unnecessary when logging to a local syslog server.
Housekeeping
The following modules in the NGINX Plus Extras package have been updated:
• The Headers-More module is updated to 0.28
• The Lua module is updated to 0.9.20
• The Phusion Passenger Open Source module is updated to 5.0.22
• The Redis module is updated to 0.21
The following packages will no longer be built:
• nginx-plus-http2 - HTTP/2 support is now rolled into the nginx-plus and nginx-plus-extras packages. SPDY is no longer supported with NGINX Plus
• nginx-plus-lua - For Lua support, please use the nginx-plus-extras package
Summary
• OAuth2 Technology Preview can offload OAuth2 complexities from the application
• Fully production supported HTTP/2 from the #1 web server for HTTP/2
• Persistent on-the-fly reconfiguration for better service discovery
• Scalable caching for large video files
• … and many more features to help you achieve flawless application delivery faster
Next steps
Upgrade to NGINX Plus R8
• apt-get install / yum install nginx-plus
Enable HTTP/2
• listen 443 ssl http2;
Configure your dashboard and persistent state
Try out the NGINX OAuth2 technology preview
• nginx.com/oauth-r8
Learn more
• NGINX Plus R8 overview with code samples
  • nginx.com/r8
• An overview of the OAuth Technology preview along with a demo app
  • nginx.com/oauth-r8
• Smart and efficient byte range caching with NGINX Plus
  • nginx.com/caching-r8
• Scalable service discovery with NGINX Plus R8 and Consul
  • nginx.com/consul-r8