what's new in nginx plus r8

NGINX Plus R8 – what’s newOWEN GARRETT

Building a great applicationis only half the battle, delivering the application is the other half.

The modern web requiresa new approachto application delivery

Flawless Application Deliveryfor the Modern Web

4

Load Balancer Monitoring & ManagementWeb ServerContent Cache

Streaming Media

MORE INFORMATION AT NGINX.COM

What’s New?NGINX Plus R8

● OAuth2 Technology Preview○ Industry standard for user identity

management○ NGINX Plus can offload processing of it from

the application

● Fully production supported HTTP/2○ Hardened based on real word usage○ Confidently move to HTTP/2 in production

● Persistent on-the-fly reconfiguration API○ A better way to do service discovery

● Scalable caching for large video files○ Segment rather than file based caching

● Improved health checking and other new features

1OAuth2


● Technology behind Facebook, Google, etc. logins

● High level workflow• User clicks on “Login In with Facebook” button on

airbnb• User logins to Facebook (authorization server)• User sent back to airbnb with “Access Token”• airbnb validates “Access Token” and extracts user

info

● A better user experience• Less passwords• More secure

What is OAuth2?

From airbnb.com


How OAuth2 is implemented today

● Facebook/Google provide a JavaScript SDK to developers (front end)• Other identity providers may require implementation of OAuth as back end

code

● Developers bake SDK in to application

● Usually a separate login mechanism exists for the legacy application-internal password database

● The problem with this approach:• Authentication tasks handled by developers and app servers• Supporting multiple identity providers requires integration with multiple

SDKs• How does all this work with the legacy password database?


Why NGINX Plus for OAuth2?

NGINX Plus offloads OAuth2 from the application


Why NGINX Plus for OAuth2?

● Offload the OAuth2 workflow from the application• Less work for developers and application servers

● Consolidate OAuth2 authentication and move it to the edge• Rather than on each application server

● NGINX Plus does all the work and passes the decoded “Access Token” to the application

• User info extracted and put into standard HTTP headers• Application can easily consume HTTP headers• Application can be agnostic to whether Facebook or Google was used• Existing password database can be converted to send HTTP headers so that

a single mechanism can be used at the back end, regardless of identity provider


Why Technology Preview?

● OAuth2 code is not part of the NGINX Plus binary• External Python script• Leverages NGINX http_auth_request module

● Not recommended for production deployments• Take the demo app and play with it• Customers encouraged to integrate their apps in development environment

● Plan is for a future NGINX Plus release to have a fully supported implementation

● Only Facebook and Google supported in this release

2Production-ready HTTP/2

MORE INFORMATION AT NGINX.COMhttp://w3techs.com/technologies/details/ce-http2/all/all

HTTP/2 usage growing steadily

http://w3techs.com/technologies/details/ce-http2/all/all


http://w3techs.com/technologies/segmentation/ce-http2/web_server

NGINX is the #1 Web Server for HTTP/2




http://caniuse.com/#feat=spdy

Browsers support for HTTP/2 is catching up with SPDY

http://caniuse.com/%23feat=spdy

http://caniuse.com/%23feat=spdy


http://caniuse.com/#feat=http2

Browsers support for HTTP/2 is catching up with SPDY

http://caniuse.com/%23feat=http2

http://caniuse.com/%23feat=http2


Why NGINX Plus for HTTP/2?

• HTTP/2 Gateway - HTTP/2 translated back into a protocol existing app servers can understand

• Backwards Compatibility - HTTP/2 and HTTP/1.x supported side-by-side


• Fully Production Supported• Hardened based on internal and real world testing

• bug fixes, tweaks, etc.• Part of main nginx-plus and nginx-plus-extras package• SPDY support removed from NGINX Plus

• For you• The most stable and battle tested implementation available• Move to HTTP/2 with confidence

So what’s new?

3Persistent on-the-fly Reconfiguration


• HTTP-based API to add, remove, or modify servers without restarting NGINX or touching a config file

• Why is this useful?• Quick, temporary changes to load-balancing configuration• No need to reload NGINX Plus – preserve state, stats, no burst in resource

usage• Simple security model - no need to access configuration and restart NGINX

On-the-fly Reconfiguration – an existing API in NGINX Plus


• It’s persistent- changes are no longer temporary:

• New configuration directive to define a file that holds the current servers and what state they are in

• API updates modify state in-memory and update state file in case of a restart

What’s new in R8?

upstream backend {zone backend 64k;state /etc/nginx/conf.d/backend.state;

}


What does this have to do with service discovery?

The problem

• Existing solutions:• Rely on configuration templates and restarting NGINX for each

change• Require root access to NGINX servers• Not scalable if done repeatedly throughout each day, especially if

using long lived connections (e.g. websockets)



• Services all register with a central repository

• NGINX can automatically create routes to new service instances, and scale existing services



The solution

• With NGINX Plus:• Use on-the-fly reconfiguration API instead of config templates• Easily scalable with no restarting

• In Action: Pre-built demo• Consul integrated with NGINX Plus on-the-fly reconfiguration• nginx.com/consul-r8

https://github.com/nginxinc/NGINX-Demos/tree/master/consul-demo

https://github.com/nginxinc/NGINX-Demos/tree/master/consul-demo

4Scalable caching for video


• When watching video on the internet we:• Rewind• Fast forward• Skip to the end• End early• In general, watch it non sequentially

• When we cache in NGINX, it is done sequentially:• Can cause delays with non-sequential watching• Whole file has to be cached before it can be served out of the cache to other

users

Scalable caching for video


• Slice the video files into small fragments

• Cache the small fragments

• No more delays!



proxy_cache_path /tmp/mycache keys_zone=mycache:10m;

location / { slice 1m; proxy_cache mycache; proxy_cache_key $uri$is_args$args$slice_range; proxy_set_header Range $slice_range; proxy_cache_valid 200 206 1h; proxy_pass http://localhost:8000;}


• $slice_range added to cache key to differentiate between fragments• Overwrite Range header as user range request may not match up with

NGINX

https://www.nginx.com/blog/smart-efficient-byte-range-caching-nginx/




5... and more!


• Specify Health Check port - New port parameter allows NGINX to use a different port for health checks. Monitor many services on the same host.

Even more features

location / { proxy_pass http://backend; health_check port=8080;}

• HEAD request caching - Cached as standard GET requests by default. A HEAD request is identical to a standard GET request, except that the response body is not returned. Useful for testing links for validity, accessibility, and recent modification.

• New variable, $realip_remote_addr, original client IP address with the Real IP module.

• Syslog - The new nohostname parameter to the access_log and error_log directives disables logging of the hostname field to syslog; the hostname is unnecessary when logging to a local syslog server.

http://nginx.org/en/docs/http/ngx_http_realip_module.html%23var_realip_remote_addr

http://nginx.org/en/docs/http/ngx_http_realip_module.html%23var_realip_remote_addr

http://nginx.org/en/docs/http/ngx_http_realip_module.html

http://nginx.org/en/docs/http/ngx_http_realip_module.html

http://nginx.org/en/docs/http/ngx_http_log_module.html%23access_log

http://nginx.org/en/docs/http/ngx_http_log_module.html%23access_log

http://nginx.org/en/docs/ngx_core_module.html%23error_log

http://nginx.org/en/docs/ngx_core_module.html%23error_log

http://nginx.org/en/docs/syslog.html

http://nginx.org/en/docs/syslog.html


The following modules in the NGINX Plus Extras package have been updated:

• The Headers-More module is updated to 0.28• The Lua module is updated to 0.9.20• The Phusion Passenger Open Source module is updated to 5.0.22• The Redis module is updated to 0.21

The following packages will no longer be built:

• nginx-plus-http2 - HTTP/2 support is now rolled into the nginx-plus and nginx-plus-extras packages. SPDY is no longer supported with NGINX Plus

• nginx-plus-lua - For Lua support, please use the nginx-plus-extras package

Housekeeping

Summary


Summary

• OAuth2 Technology Preview can offload OAuth2 complexities from the application

• Fully production supported HTTP/2 from the #1 web server for HTTP/2

• Persistent on-the-fly reconfiguration for better service discovery

• Scalable caching for large video files

• … and many more features to help you achieve flawless application delivery faster


Next stepsUpgrade to NGINX Plus R8• apt-get install / yum install nginx-plusEnable HTTP/2• listen 443 ssl http2;

Configure your dashboard and persistent state

Try out the NGINX OAuth2 technology preview• nginx.com/oauth-r8

https://www.nginx.com/oauth-technology-preview


• NGINX Plus R8 overview with code samples• nginx.com/r8

• An overview of the OAuth Technology preview along with a demo app• nginx.com/oauth-r8

• Smart and efficient byte range caching with NGINX Plus• nginx.com/caching-r8

• Scalable service discovery with NGINX Plus R8 and Consul• nginx.com/consul-r8

Learn more

