Tuning NGINX – Mejores practicas

En este artículo se describen las mejores prácticas de rendimiento y fiabilidad para NGINX

En primer lugar realizamos un backup de la configuración actual:

 

cp /etc/nginx/nginx.conf  /etc/nginx/nginx.conf.bck

 

Editamos el archivo de configuración y modificamos las siguientes lineas:

 

# you must set worker processes based on your CPU cores, nginx does not benefit from setting more than that
worker_processes auto; #some last versions calculate it automatically

# number of file descriptors used for nginx
# the limit for the maximum FDs on the server is usually set by the OS.
# if you don’t set FD’s then OS settings will be used which is by default 2000
worker_rlimit_nofile 100000;

# only log critical errors
error_log /var/log/nginx/error.log crit;

# provides the configuration file context in which the directives that affect connection processing are specified.
events {
# determines how much clients will be served per worker
# max clients = worker_connections * worker_processes
# max clients is also limited by the number of socket connections available on the system (~64k)
worker_connections 4000;

# optmized to serve many clients with each thread, essential for linux — for testing environment
use epoll;

# accept as many connections as possible, may flood worker connections if set too low — for testing environment
multi_accept on;
}

# cache informations about FDs, frequently accessed files
# can boost performance, but you need to test those values
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;

# to boost I/O on HDD we can disable access logs
access_log off;

# copies data between one FD and other from within the kernel
# faster then read() + write()
sendfile on;

# send headers in one peace, its better then sending them one by one
tcp_nopush on;

# don’t buffer data sent, good for small data bursts in real time
tcp_nodelay on;

# reduce the data that needs to be sent over network — for testing environment
gzip on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;
gzip_disable msie6;

# allow the server to close connection on non responding client, this will free up memory
reset_timedout_connection on;

# request timed out — default 60
client_body_timeout 10;

# if client stop responding, free up memory — default 60
send_timeout 2;

# server will close connection after this time — default 75
keepalive_timeout 30;

# number of requests client can make over keep-alive — for testing environment
keepalive_requests 100000;

 

Antes de reiniciar comprobamos que correcta configuración de la aplicación:

/etc/init.d/nginx configtest

Reiniciamos:

nginx -s reload

 

también  podemos realizar unos pequeños ajustes para la mitigación de un posible ataque DDOS. teniendo en cuenta que tiene que ir acompañado de otras medidas.

 

# limit the number of connections per single IP
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

# limit the number of requests for a given session
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

# zone which we want to limit by upper values, we want limit whole server
server {
limit_conn conn_limit_per_ip 10;
limit_req zone=req_limit_per_ip burst=10 nodelay;
}

# if the request body size is more than the buffer size, then the entire (or partial)
# request body is written into a temporary file
client_body_buffer_size 128k;

# headerbuffer size for the request header from client — for testing environment
client_header_buffer_size 3m;

# maximum number and size of buffers for large headers to read from client request
large_client_header_buffers 4 256k;

# read timeout for the request body from client — for testing environment
client_body_timeout 5s;

# how long to wait for the client to send a request header — for testing environment
client_header_timeout 5s;

 

Volvemos a verificar la configuración y reiniciamos el servicio.

/etc/init.d/nginx configtest

nginx -s reload

 

Un saludo

:wq!

 

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *

*