As you may know, our repository holds the latest stable NGINX and a vast array of dynamic modules for it.
However, some performance-oriented folks are always looking to speed up what’s already fast, that is, NGINX itself.
There are some open-source patches for NGINX, mainly by Cloudflare, that improve things further. Unfortunately, many people rely on manual compilation of NGINX in this case, which is subject to many pitfalls.
Now the patched, high-performance NGINX can be installed and updated easily using packages. We refer to it as NGINX-MOD.
NGINX-MOD is based on the latest stable NGINX with the following additions:
Server: header and error pages
CONNECT request method
More on those patches in the documentation below.
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm yum-utils
sudo yum-config-manager --disable getpagespeed-extras-mainline
sudo yum-config-manager --enable getpagespeed-extras-nginx-mod
sudo yum -y install nginx
sudo systemctl enable --now nginx
If you were using our regular NGINX build, you can run a series of commands to upgrade to NGINX-MOD without affecting installed modules or configuration:
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm yum-utils
sudo yum-config-manager --disable getpagespeed-extras-mainline
sudo yum-config-manager --enable getpagespeed-extras-nginx-mod
sudo yum -y update nginx
# importantly, we must re-enable the nginx service after switching packages:
sudo systemctl enable --now nginx
NGINX-MOD is fully compatible with our extensive collection of NGINX module packages in our base repository.
So you can install them as usual, for example:
sudo yum -y install nginx-module-pagespeed
Please refer here for additional documentation.
Some NGINX users want to rate-limit specific resources to once per day. This is not possible with stock NGINX.
Our patch allows for a more fine-grained rate limit configuration. Examples:
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/h; # 1 request per hour
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/d; # 1 request per day
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/w; # 1 request per week
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/M; # 1 request per month
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/Y; # 1 request per year
It is important to note that your defined zone memory size should be large enough to retain old IP entries for the whole period the defined rate covers.
For example, you have defined a 10m zone and 1r/d for a particular resource. 10m can store around 160,000 IP addresses.
So if someone visits your rate-limited resource, and your traffic to it exceeds 160K unique visitors within 24 hrs, then the same visitor can theoretically not be rate-limited within the same day, because information about their IP address will be evicted from memory after enough visitors have visited the resource.
This note applies to the stock module’s configuration as well, but less so.
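A sizing check for the eviction caveat above, as an added example (not part of the original page or the NGINX-MOD packages): it reads limit_req_zone lines from a config, estimates each zone's capacity from the page's figure of about 160,000 addresses per 10m, and compares that with the distinct clients seen in an access log. The function names, the sample config and the log lines are constructed for illustration, and the log is assumed to cover one full rate window.

```shell
#!/bin/sh
# Added example: flag limit_req zones too small to remember every client
# for a full rate window. Assumes the page's figure of ~160,000 addresses
# per 10m (about 16,000 per megabyte) with $binary_remote_addr as the key.

# zone_capacity SIZE -> approximate number of client entries (SIZE like 10m or 512k)
zone_capacity() {
    num=${1%[kKmM]}
    case $1 in
        *[mM]) echo $((num * 16000)) ;;
        *[kK]) echo $((num * 16000 / 1024)) ;;
        *)     echo $(($1 * 16000 / 1048576)) ;;
    esac
}

# unique_clients LOG -> distinct client addresses (first field of each line)
unique_clients() {
    awk '{ seen[$1] = 1 } END { n = 0; for (ip in seen) n++; print n }' "$1"
}

# audit_zones CONF LOG -> one line per zone: name rate capacity clients verdict
# LOG is assumed to cover one full rate window (e.g. 24h of traffic for 1r/d).
audit_zones() {
    clients=$(unique_clients "$2")
    awk '$1 == "limit_req_zone" {
            zone = rate = ""
            for (i = 2; i <= NF; i++) {
                sub(/;$/, "", $i)
                if ($i ~ /^zone=/) zone = substr($i, 6)
                if ($i ~ /^rate=/) rate = substr($i, 6)
            }
            split(zone, z, ":"); print z[1], z[2], rate
         }' "$1" |
    while read -r name size rate; do
        cap=$(zone_capacity "$size")
        if [ "$clients" -gt "$cap" ]; then verdict=EVICTION-RISK; else verdict=OK; fi
        echo "$name $rate capacity=$cap clients=$clients $verdict"
    done
}

# Constructed sample: a small 32k zone (~500 entries) and a log with 3 distinct clients.
tmp=$(mktemp -d)
echo 'limit_req_zone $binary_remote_addr zone=daily:32k rate=1r/d;' > "$tmp/conf"
printf '%s\n' '192.0.2.1 - - "GET /signup"' '192.0.2.2 - - "GET /signup"' \
    '192.0.2.1 - - "GET /signup"' '198.51.100.7 - - "GET /signup"' > "$tmp/log"
audit_zones "$tmp/conf" "$tmp/log"
rm -rf "$tmp"
```

A zone reported as EVICTION-RISK needs a larger size in its limit_req_zone line before the long-period rate can be relied on for every client.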
So the rules of thumb are:
HPACK patch implements full HPACK in NGINX. In short, this allows for compressing HTTP headers
CONNECT patch
This patch allows the CONNECT request method. To configure your NGINX to handle such requests, install the supplementary module:
sudo yum -y install nginx-mod-module-proxy-connect
Documentation of this module can be found here.
There are some configuration directives in this build, which are not otherwise available in regular builds. Let’s document them here.
The following set of configuration directives is added by the dynamic TLS records patch.
ssl_dyn_rec_enable on|off
Whether to enable dynamic TLS records.
ssl_dyn_rec_size_lo
The TLS record size to start with. Defaults to 1369 bytes (designed to fit the entire record in a single TCP segment: 1369 = 1500 – 40 (IPv6) – 20 (TCP) – 10 (Time) – 61 (Max TLS overhead))
ssl_dyn_rec_size_hi
The TLS record size to grow to. Defaults to 4229 bytes (designed to fit the entire record in 3 TCP segments)
ssl_dyn_rec_threshold
The number of records to send before changing the record size.
Because we build with latest OpenSSL:
ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];
Not a new directive. But since we build with the most recent stable OpenSSL, it allows for the TLSv1.3 value to be used.
By default, NGINX only supports server_tokens off; which still yields nginx in the Server: header and in error pages.
With NGINX-MOD, you can specify a new value none, which will cause NGINX to stop emission of its presence on the server:
server_tokens none;
To verify how you benefit from NGINX-MOD, you can run some tests.
yum install nghttp2
h2load https://example.com -n 2 | tail -6 |head -1
Example output:
traffic: 71.46KB (73170) total, 637B (637) headers (space savings 78.68%), 70.61KB (72304) data
If you see 50% or more space savings, then it means that full HPACK compression is utilized.
Going back to the stable package while preserving the existing configuration:
yum-config-manager --disable getpagespeed-extras-nginx-mod
MOD_PKGS=$(rpm -qa --queryformat '%{NAME}\n' | grep nginx-mod | grep -v nginx-module)
rpm --erase --justdb --nodeps ${MOD_PKGS}
STABLE_PKGS=$(echo ${MOD_PKGS} | sed 's@nginx-mod@nginx@g')
yum -y install ${STABLE_PKGS}
yum history sync
# importantly, we must re-enable the nginx service after switching packages:
sudo systemctl enable --now nginx
These commands will disable the NGINX-MOD repository and replace any nginx-mod* packages with their equivalents from the base repository, thus downgrading to stable NGINX.