jm + nginx   22

Nginx tuning tips: TLS/SSL HTTPS – Improved TTFB/latency
Must do these soon on jmason.org / taint.org et al.
nginx  http  https  http2  ops  tls  security  linux 
12 days ago by jm
Generate Mozilla Security Recommended Web Server Configuration Files
this is quite cool -- generate web server configs to activate current best-practice TLS settings
web  openssl  nginx  lighttpd  apache  haproxy  hsts  security  ssl  tls  ops 
february 2018 by jm
Nchan
Nchan is a scalable, flexible pub/sub server for the modern web, built as a module for the Nginx web server. It can be configured as a standalone server, or as a shim between your application and tens, thousands, or millions of live subscribers. It can buffer messages in memory, on-disk, or via Redis. All connections are handled asynchronously and distributed among any number of worker processes. It can also scale to many nginx server instances with Redis. Messages are published to channels with HTTP POST requests or websockets, and subscribed also through websockets, long-polling, EventSource (SSE), old-fashioned interval polling, and more. Each subscriber can listen to up to 255 channels per connection, and can be optionally authenticated via a custom application url. An events meta channel is also available for debugging.


Also now supports HTTP/2. This used to be called the Nginx HTTP Push Module, and I used it with great results in that form. This is the way to do HTTP push in all its forms....
nginx  pubsub  websockets  sse  http  http-push  http2  redis  long-polling  nchan 
january 2016 by jm
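The publish/subscribe split the Nchan description lays out, as an added nginx configuration. This is example config written for this page, not Nchan's own documentation or the bookmarked post: the `app` and `redis_store` upstreams, the `/pub`, `/sub` and `/auth` paths and the 10.0.0.0/8 publisher network are placeholders. Publishing is an HTTP POST reachable only from the application network; subscribers attach over WebSocket, EventSource or long-polling and each connection is authorized by a subrequest to an application URL; Redis backs the channel store so several nginx instances share channels.

```nginx
# Added example, not from Nchan or any bookmarked page. Addresses are placeholders.

upstream app {
    server 127.0.0.1:8080;
}

# Shared message store: nchan_redis_pass below makes channels visible
# across every nginx instance pointed at the same Redis.
upstream redis_store {
    nchan_redis_server 127.0.0.1:6379;
}

server {
    listen 80;

    # Publisher endpoint: the application POSTs a message body here and it is
    # delivered to the named channel. Only the app network may reach it; the
    # public internet must never be able to publish.
    location ~ ^/pub/([a-z0-9_-]+)$ {
        allow 10.0.0.0/8;
        deny all;
        nchan_publisher http;              # HTTP POST only, no websocket publishing
        nchan_channel_id $1;               # channel name taken from the path
        nchan_redis_pass redis_store;
        nchan_message_buffer_length 20;    # replay the last 20 messages to late joiners
        nchan_message_timeout 5m;          # buffered messages expire after 5 minutes
    }

    # Subscriber endpoint: the client picks the transport by how it connects
    # (Upgrade: websocket, Accept: text/event-stream, or a plain GET for long-poll).
    location ~ ^/sub/([a-z0-9_-]+)$ {
        nchan_subscriber websocket eventsource longpoll;
        nchan_channel_id $1;
        nchan_redis_pass redis_store;
        # Every new subscriber connection is checked by a subrequest first.
        nchan_authorize_request /auth;
        nchan_subscriber_first_message oldest;   # start from the buffered backlog
    }

    # Internal authorization subrequest. The application sees the channel id
    # and the client's cookies, and answers 2xx to admit or 403 to refuse.
    location = /auth {
        internal;                           # unreachable as a direct request
        proxy_pass http://app/nchan_auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Channel-Id $nchan_channel_id;
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

The check a practitioner wants here is that `/pub/` is not publishable from outside: `curl -X POST -d hello http://HOST/pub/test` from a non-10.x address should return 403, while the same request from the app network returns 202 and a subscriber holding `curl -N http://HOST/sub/test` (long-poll) receives the body. `nchan_authorize_request` runs per connection, not per message, so a revoked session keeps receiving until it reconnects; if that matters, keep channel names unguessable or bound to the user.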
BBC Digital Media Distribution: How we improved throughput by 4x
Replacing varnish with nginx. Nice deep-dive blog post covering kernel innards
nginx  performance  varnish  web  http  bbc  ops 
january 2016 by jm
Designing the Spotify perimeter
How Spotify use nginx as a frontline for their sites and services
scaling  spotify  nginx  ops  architecture  ssl  tls  http  frontline  security 
october 2015 by jm
Automated Nginx Reverse Proxy for Docker
Nice hack. An automated nginx reverse proxy which regenerates as the Docker containers update
nginx  reverse-proxy  proxies  web  http  ops  docker 
june 2015 by jm
Why we don't use a CDN: A story about SPDY and SSL
All of our assets loaded via the CDN [to our client in Australia] in just under 5 seconds. It only took ~2.7s to get those same assets to our friends down under with SPDY. The performance with no CDN blew the CDN performance out of the water. It is just no comparison. In our case, it really seems that the advantages of SPDY greatly outweigh that of a CDN when it comes to speed.
cdn  spdy  nginx  performance  web  ssl  tls  optimization  multiplexing  tcp  ops 
january 2015 by jm
lookout/ngx_borderpatrol
BorderPatrol is an nginx module to perform authentication and session management at the border of your network. BorderPatrol makes the assumption that you have some set of services that require authentication and a service that hands out tokens to clients to access that service. You may not want those tokens to be sent across the internet, even over SSL, for a variety of reasons. To this end, BorderPatrol maintains a lookup table of session-id to auth token in memcached.
borderpatrol  nginx  modules  authentication  session-management  web-services  http  web  authorization 
june 2014 by jm
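The border pattern BorderPatrol describes, rebuilt with stock nginx rather than the BorderPatrol module, as an added example that is not the project's code. The swapped-in technique is the standard `auth_request` module: the browser only ever holds an opaque session id cookie, and the real bearer token is resolved inside the network by a lookup service (assumed here at 127.0.0.1:9000, reading the session-id to token table from memcached) and attached to the proxied request. The `protected_api` upstream, the `sid` cookie name, the `X-Auth-Token` response header and all hostnames are assumptions.

```nginx
# Added example, not BorderPatrol's own code. Ports, paths and names are placeholders.

upstream protected_api {
    server 10.0.1.10:8080;
}

server {
    listen 443 ssl;
    server_name api.example.org;
    ssl_certificate     /etc/nginx/tls/api.pem;
    ssl_certificate_key /etc/nginx/tls/api.key;

    location / {
        # Subrequest to the lookup service: 2xx means the session id maps to
        # a live token; 401 or 403 from it denies the request outright.
        auth_request /_session;

        # Capture the token the lookup service returned in a response header...
        auth_request_set $auth_token $upstream_http_x_auth_token;

        # ...and present it to the backend. The client never sees the token,
        # and any Authorization header the client sent is overwritten, so a
        # caller cannot supply its own.
        proxy_set_header Authorization "Bearer $auth_token";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://protected_api;
    }

    # The lookup hop. 'internal' makes it unreachable as a direct request,
    # so the only way to trigger it is through auth_request above.
    location = /_session {
        internal;
        proxy_pass http://127.0.0.1:9000/lookup;
        proxy_pass_request_body off;        # only the cookie matters
        proxy_set_header Content-Length "";
        proxy_set_header X-Session-Id $cookie_sid;
        proxy_set_header X-Original-URI $request_uri;
    }

    # A missing or expired session becomes a redirect to the login flow
    # instead of a bare 401 from the edge.
    error_page 401 = @login;
    location @login {
        return 302 https://login.example.org/;
    }
}
```

Two things to verify after loading this: a request with no `sid` cookie gets the 302 (the lookup service must answer 401, not 200 with an empty header, or an empty `Bearer ` reaches the backend), and `curl -H 'Authorization: Bearer attacker' https://api.example.org/` with a valid cookie still reaches the backend with the memcached-resolved token, never the caller's. The token store is also the revocation point: deleting the session key in memcached cuts off the client on its next request.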
Scaling Realtime at DISQUS
Disqus' realtime architecture -- nginx PushStream module doing the heavy lifting, basically. See https://gist.github.com/dctrwatson/0b3b52050254e273ff11 for the production nginx configs they use. I am very impressed that push-stream has grown to be so solid; it's a great way to deal with push from the sounds of it.

http://blog.disqus.com/post/51155103801/trying-out-this-go-thing now notes that some of the realtime backends are in Go.

https://speakerdeck.com/dctrwatson/c1m-and-nginx ("C1M and Nginx") is a more up to date presentation. It notes that PushStream supports "EventSource, WebSocket, Long Polling, and forever iframe". More sysctls and nginx tuning in that prez.
sysctl  nginx  tuning  go  disqus  realtime  push  eventsource  websockets  long-polling  iframe  python 
april 2014 by jm
Cloudflare demonstrate Heartbleed key extraction
from nginx. 'Based on the findings, we recommend everyone reissue + revoke their private keys.'
security  nginx  heartbleed  ssl  tls  exploits  private-keys 
april 2014 by jm
Video Processing at Dropbox
On-the-fly video transcoding during live streaming. They've done a great job of this!
At the beginning of the development of this feature, we entertained the idea to simply pre-transcode all the videos in Dropbox to all possible target devices. Soon enough we realized that this simple approach would be too expensive at our scale, so we decided to build a system that allows us to trigger a transcoding process only upon user request and cache the results for subsequent fetches. This on-demand approach: adapts to heterogeneous devices and network conditions, is relatively cheap (everything is relative at our scale), guarantees low latency startup time.
ffmpeg  dropbox  streaming  video  cdn  ec2  hls  http  mp4  nginx  haproxy  aws  h264 
february 2014 by jm
Chartbeat's Lessons learned tuning TCP and Nginx in EC2
a good writeup of basic sysctl tuning for an internet-facing HTTP proxy fleet running in EC2. Nothing groundbreaking here, but it's well-written
nginx  amazon  ec2  tcp  ip  tuning  sysctl  linux  c10k  ssl  http 
january 2014 by jm
Improved HTTPS Performance with Early SSL Termination
This is a neat hack. Since SSL/TLS connection establishment requires lots of consecutive round trips before the connection is ready, by performing that closer to the user and reusing an existing region-to-region connection behind the scenes, the overall latency is greatly improved. Works for HTTP as well
http  https  ssl  architecture  aws  ec2  performance  latency  internet  round-trip  nginx  tls 
july 2013 by jm
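The edge-termination layout the post describes, as an added nginx configuration that is not the bookmarked post's own setup. An nginx near the user terminates the client's TLS handshake, then carries the request to the origin region over a pool of already-open connections, so the client pays its handshake round trips against a nearby host and the cross-region leg adds one data round trip rather than a fresh handshake. The `origin_region` upstream, the internal hostname, the certificate paths and the internal CA are placeholders.

```nginx
# Added example, not from the bookmarked post. Hostnames and paths are placeholders.

upstream origin_region {
    server origin.us-east-1.example.internal:443;
    # Keep up to 64 idle connections per worker open to the origin instead of
    # reconnecting (and re-handshaking across the long link) for each request.
    keepalive 64;
}

server {
    listen 443 ssl http2;
    server_name www.example.org;
    ssl_certificate     /etc/nginx/tls/edge.pem;
    ssl_certificate_key /etc/nginx/tls/edge.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:EDGE:10m;   # repeat clients resume instead of re-handshaking

    location / {
        proxy_pass https://origin_region;

        # Upstream keepalive only works with HTTP/1.1 and an empty
        # Connection header; without these every request opens a new socket.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # The backhaul crosses regions, so it is TLS too: verify the origin
        # against the internal CA and reuse TLS sessions on the pooled connections.
        proxy_ssl_server_name on;
        proxy_ssl_name origin.us-east-1.example.internal;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_session_reuse on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The caveat is that the client's TLS now ends at the edge: the edge host sees plaintext and holds the public certificate's private key, so it needs the same hardening as any TLS terminator, and the backhaul must stay verified (`proxy_ssl_verify on`), or the latency win comes at the cost of an unauthenticated cross-region hop. Confirm the pool is actually reused by watching origin-side connection counts stay flat under load.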
Setting up Perfect Forward Secrecy for nginx or stud
Matt Sergeant writes up a pretty solid HOWTO:

There has been a lot of discussion recently about Perfect Forward Secrecy (PFS) and the benefits it can bring you, especially in terms of any kind of traffic sniffing attack. Unfortunately setting this up I found very few guides telling you exactly what you need to do. The downside to PFS [via ECDHE] is that it uses more CPU power than other ciphers. This is a trade-off between security and cost.
ecdhe  elliptic-curve  crypto  pfs  ssl  tls  howto  nginx  stud 
june 2013 by jm
SoloWizard
'bootstrap an OSX development machine with a one-liner'.
Many teams use chef to manage their production machines, but developers often build their development boxes by hand. SoloWizard makes it painless to create a configurable chef solo script to get your development machine humming: mysql, sublime text, .bash_profile tweaks to OS-X settings - it's all there!
osx  chef  mac  build-out  ops  macosx  deployment  developers  desktops  laptops  mysql  rabbitmq  activemq  nginx 
march 2013 by jm
Scaling: It's Not What It Used To Be
skamille's top 5 scaling apps. "1. Redis. I was at a NoSQL meetup last night when someone asked "if you could put a million dollars behind one of the solutions presented here tonight, which one would you choose?" And the answer that one of the participants gave was "None of the above. I would choose Redis. Everyone uses one of these products and Redis."
2. Nginx. Your ops team probably already loves it. It's simple, it scales fabulously, and you don't have to be a programmer to understand how to run it.
3. HAProxy. Because if you're going to have hundreds or thousands of servers, you'd better have good load balancing.
4. Memcached. Redis can act as a cache but using a real caching product for such a purpose is probably a better call.
And finally:
5. Cloud hardware. Imagine trying to grow out to millions of users if you had to buy, install, and admin every piece of hardware you would need to do such a thing."
scaling  nginx  memcached  haproxy  redis 
april 2012 by jm
SSL perf tip
don't use Diffie-Hellman ciphers, they're slow
ssl  tls  nginx  performance  web  diffie-hellman  ciphers 
july 2011 by jm
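The TLS settings the entries above point at, brought together in one added nginx server block: the TTFB/latency tuning entry, the Mozilla configuration generator entry, the Perfect Forward Secrecy HOWTO and this "don't use Diffie-Hellman ciphers" tip. This is example config written for this page; it is not the generator's output nor Matt Sergeant's HOWTO, and the hostname, certificate paths and `app_backend` upstream are placeholders.

```nginx
# Added example, not from any bookmarked page. Hostname, paths and upstream are placeholders.

upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    server_name www.example.org;

    ssl_certificate     /etc/nginx/tls/example.org.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.org.key;

    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward secrecy via ECDHE only. Finite-field DHE suites are deliberately
    # absent: a DHE handshake costs far more CPU than ECDHE, which is the
    # "slow Diffie-Hellman" the 2011 tip warns about, and with no DHE suite
    # enabled no ssl_dhparam is needed. TLS 1.3 suites always use (EC)DHE and
    # are not governed by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;        # every listed suite is acceptable; let the client choose
    ssl_ecdh_curve X25519:prime256v1;

    # TTFB: session resumption skips the full handshake on repeat connections.
    # 10m of shared cache holds roughly 40k sessions. Tickets are off because
    # a fleet needs ssl_session_ticket_key rotated in lockstep for them to be
    # both useful and forward-secret.
    ssl_session_cache shared:TLS:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling saves the client its own OCSP round trip before first byte.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/tls/example.org.chain.pem;
    resolver 127.0.0.1 valid=300s;

    # HSTS: set only once every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 80;
    server_name www.example.org;
    return 301 https://$host$request_uri;
}
```

After `nginx -t` and a reload, the check is that a DHE-only client cannot connect while an ECDHE client can: `openssl s_client -connect www.example.org:443 -servername www.example.org -tls1_2 -cipher DHE` should fail the handshake, and the same command with `-cipher ECDHE` should print an `ECDHE-` cipher and, on a second run with the same session, `Reused`. The `-tls1_2` matters, since a TLS 1.3 negotiation ignores the `-cipher` list.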
Quora’s Technology Examined
Python, Nginx, Tornado for COMET stuff, MySQL as a data store, memcached, Thrift, haproxy, AWS, Pylons.  fantastic, very detailed post (via Nelson)
quora  python  nginx  tornado  comet  mysql  memcached  thrift  haproxy  aws  pylons  via:nelson  from delicious
february 2011 by jm
Unicorn at GitHub
new Ruby HTTP server, using a preforked process pool based on select(). Github like it because of failure-recovery problems with Ruby threading bugs in Mongrel. The preforking algo used is extremely rudimentary -- the kind of thing we used in SpamAssassin before I implemented Apache-style preforking in 3.0
web  ruby  rails  github  nginx  httpd  server  mongrel  unicorn  rubyonrails  preforking  unix  fork  select  process-pool  from delicious
october 2009 by jm

related tags

activemq  ajax  amazon  apache  architecture  authentication  authorization  aws  bbc  borderpatrol  build-out  c10k  cdn  chef  ciphers  comet  crypto  datadog  deployment  desktops  developers  diffie-hellman  disqus  docker  dropbox  ec2  ecdhe  elliptic-curve  eventsource  exploits  ffmpeg  fork  frontline  github  go  h264  haproxy  heartbleed  hls  howto  hsts  http  http-push  http2  httpd  https  iframe  internet  ip  laptops  latency  lighttpd  linux  long-polling  mac  macosx  memcached  metrics  modules  mongrel  monitoring  mp4  multiplexing  mysql  nchan  nginx  openssl  ops  optimization  osx  performance  pfs  preforking  private-keys  process-pool  proxies  pubsub  push  pylons  python  quora  rabbitmq  rails  realtime  redis  reverse-proxy  round-trip  ruby  rubyonrails  scalability  scaling  security  select  server  session-management  spdy  speed  spotify  sse  ssl  streaming  stud  sysctl  tcp  thrift  tls  tornado  tuning  unicorn  unix  varnish  via:nelson  video  web  web-services  webdev  websockets 
