yzdann · October 5, 2020 17:05
diff --git a/nginx-cookbook b/nginx-cookbook
 If one of the servers needs to be temporarily removed from the load‑balancing rotation, it can be marked with the down

    server backend3.example.com down;

 With this configuration of weights, out of every 6 requests, 5 are sent to backend1.example.com and 1 to backend2.example.com.

    server backend1.example.com weight=5;
    server backend2.example.com;

 location /resources {
 secure_link_secret mySecret;
 if ($secure_link = "") { return 403; }
 rewrite ^ /secured/$secure_link;
 }
 location /secured/ {
 internal;

 add_header Strict-Transport-Security max-age=31536000;


 Satisfying Any Number of Security
 Methods

 location / {
 satisfy any;
 allow 192.168.1.0/24;
 deny all;
 auth_basic
 "closed site";
 auth_basic_user_file conf/htpasswd;
 }

 http {
 log_format
 geoproxy
 '[$time_local] $remote_addr '
 '$realip_remote_addr $remote_user '
 '$request_method $server_protocol '
 '$scheme $server_name $uri $status '
 '$request_time $body_bytes_sent '
 '$geoip_city_country_code3 $geoip_region '
 '"$geoip_city" $http_x_forwarded_for '
 '$upstream_status $upstream_response_time '
 '"$http_referer" "$http_user_agent"';
 ...
 }


 error_log syslog:server=10.0.1.42 debug;
 access_log syslog:server=10.0.1.42,tag=nginx,severity=info
 geoproxy;

 http {
 keepalive_requests 320;
 keepalive_timeout 300s;
 ...
 }


 keepalive 


 server {
 proxy_buffering on;
 proxy_buffer_size 8k;
 proxy_buffers 8 32k;
 proxy_busy_buffer_size 64k;
 ...
 }


 http {
 access_log /var/log/nginx/access.log main buffer=32k
 flush=1m;
 }


 Check the kernel setting for net.core.somaxconn, which is the maxi‐
 mum number of connections that can be queued by the kernel for
 NGINX to process. If you set this number over 512, you’ll need to
 set the backlog parameter of the listen directive in your NGINX
 configuration to match
 ----------------------------------------------------------------------
 ----------------------------------------------------------------------
 ----------------------------------------------------------------------
 PLUS


 least_time=header (NGINX Plus) – The least average time to receive the response header from the server ($upstream_header_time)
 least_time=last_byte (NGINX Plus) – The least average time to receive the full response from the server ($upstream_response_time)

 server backend1.example.com slow_start=30s;

 three session persistence methods. The methods are set with the sticky directive. (For session persistence with NGINX Open Source, use the hash or ip_hash directive as described above.)

 Sticky cookie – NGINX Plus adds a session cookie to the first response 
 Sticky route – NGINX Plus assigns a “route” to the client when it receives the first request
 Sticky learn method – NGINX Plus first finds session identifiers by inspecting requests and responses
 If a request contains a session identifier already “learned”, NGINX Plus forwards the request to the corresponding server:

 Limiting the Number of Connections
    server backend1.example.com max_conns=3;
    queue 100 timeout=70;

 sticky_route

 drain

 nginx-sync

 ----------------------------------------------------------------------
 ----------------------------------------------------------------------
 ----------------------------------------------------------------------
 upstream my_app {
    ip_hash;
    server 111.11.11.11:3001 weight=100 max_fails=5 fail_timeout=300;
    server 222.22.22.22:3002 weight=100 max_fails=5 fail_timeout=300;
    keepalive 8;
 }

 server {
    server_name my-app.com;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

        # This is necessary to pass the correct IP to be hashed
        real_ip_header X-Real-IP;

        proxy_pass http://my_app/;
        proxy_redirect off;
    }
 }
	If one of the servers needs to be temporarily removed from the load‑balancing rotation, it can be marked with the down

	server backend3.example.com down;

	With this configuration of weights, out of every 6 requests, 5 are sent to backend1.example.com and 1 to backend2.example.com.

	server backend1.example.com weight=5;
	server backend2.example.com;

	location /resources {
	secure_link_secret mySecret;
	if ($secure_link = "") { return 403; }
	rewrite ^ /secured/$secure_link;
	}
	location /secured/ {
	internal;

	add_header Strict-Transport-Security max-age=31536000;


	Satisfying Any Number of Security
	Methods

	location / {
	satisfy any;
	allow 192.168.1.0/24;
	deny all;
	auth_basic
	"closed site";
	auth_basic_user_file conf/htpasswd;
	}

	http {
	log_format
	geoproxy
	'[$time_local] $remote_addr '
	'$realip_remote_addr $remote_user '
	'$request_method $server_protocol '
	'$scheme $server_name $uri $status '
	'$request_time $body_bytes_sent '
	'$geoip_city_country_code3 $geoip_region '
	'"$geoip_city" $http_x_forwarded_for '
	'$upstream_status $upstream_response_time '
	'"$http_referer" "$http_user_agent"';
	...
	}


	error_log syslog:server=10.0.1.42 debug;
	access_log syslog:server=10.0.1.42,tag=nginx,severity=info
	geoproxy;

	http {
	keepalive_requests 320;
	keepalive_timeout 300s;
	...
	}


	keepalive


	server {
	proxy_buffering on;
	proxy_buffer_size 8k;
	proxy_buffers 8 32k;
	proxy_busy_buffer_size 64k;
	...
	}


	http {
	access_log /var/log/nginx/access.log main buffer=32k
	flush=1m;
	}


	Check the kernel setting for net.core.somaxconn, which is the maxi‐
	mum number of connections that can be queued by the kernel for
	NGINX to process. If you set this number over 512, you’ll need to
	set the backlog parameter of the listen directive in your NGINX
	configuration to match
	----------------------------------------------------------------------
	----------------------------------------------------------------------
	----------------------------------------------------------------------
	PLUS


	least_time=header (NGINX Plus) – The least average time to receive the response header from the server ($upstream_header_time)
	least_time=last_byte (NGINX Plus) – The least average time to receive the full response from the server ($upstream_response_time)

	server backend1.example.com slow_start=30s;

	three session persistence methods. The methods are set with the sticky directive. (For session persistence with NGINX Open Source, use the hash or ip_hash directive as described above.)

	Sticky cookie – NGINX Plus adds a session cookie to the first response
	Sticky route – NGINX Plus assigns a “route” to the client when it receives the first request
	Sticky learn method – NGINX Plus first finds session identifiers by inspecting requests and responses
	If a request contains a session identifier already “learned”, NGINX Plus forwards the request to the corresponding server:

	Limiting the Number of Connections
	server backend1.example.com max_conns=3;
	queue 100 timeout=70;

	sticky_route

	drain

	nginx-sync

	----------------------------------------------------------------------
	----------------------------------------------------------------------
	----------------------------------------------------------------------
	upstream my_app {
	ip_hash;
	server 111.11.11.11:3001 weight=100 max_fails=5 fail_timeout=300;
	server 222.22.22.22:3002 weight=100 max_fails=5 fail_timeout=300;
	keepalive 8;
	}

	server {
	server_name my-app.com;

	location / {
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";

	proxy_set_header X-Real_IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-NginX-Proxy true;

	# This is necessary to pass the correct IP to be hashed
	real_ip_header X-Real-IP;

	proxy_pass http://my_app/;
	proxy_redirect off;
	}
	}