Skip to content

Instantly share code, notes, and snippets.

@iomonad
Forked from denji/nginx-tuning.md
Created May 23, 2020 11:56
Show Gist options
  • Save iomonad/e556afb95baa5b49afce2d9872460ffb to your computer and use it in GitHub Desktop.
Save iomonad/e556afb95baa5b49afce2d9872460ffb to your computer and use it in GitHub Desktop.

Revisions

  1. @denji denji revised this gist Jun 29, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -273,7 +273,7 @@ Happy Hacking!
    Reference links
    ---------------

    * __https://github.com/trimstray/nginx-quick-reference__
    * __https://github.com/trimstray/nginx-admins-handbook__
    * __https://github.com/GrrrDog/weird_proxies/wiki/nginx__
    * __https://github.com/h5bp/server-configs-nginx__
    * __https://github.com/leandromoreira/linux-network-performance-parameters__
  2. @denji denji revised this gist Jun 8, 2019. 1 changed file with 19 additions and 7 deletions.
    26 changes: 19 additions & 7 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -207,6 +207,8 @@ Trying with the `worker_rlimit_nofile` directive in `{,/usr/local}/etc/nginx/ngi

    #### `nolimit` without Systemd

    # /etc/security/limits.conf
    # /etc/default/nginx (ULIMIT)
    $ nano /etc/security/limits.d/nginx.conf
    nginx soft nofile 65536
    nginx hard nofile 65536
    @@ -271,13 +273,10 @@ Happy Hacking!
    Reference links
    ---------------

    * http://www.codestance.com/tutorials-archive/nginx-tuning-for-best-performance-255
    * https://www.keycdn.com/support/tcp-fast-open/
    * https://www.masv.io/enabling-tcp-fast-open-nginx-centos-7/
    * ~~https://www.52os.net/articles/nginx-anti-ddos-setting-2.html~~
    * https://ospi.fi/blog/centos-7-raise-nofile-limit-for-nginx.html
    * https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
    * https://github.com/h5bp/server-configs-nginx
    * __https://github.com/trimstray/nginx-quick-reference__
    * __https://github.com/GrrrDog/weird_proxies/wiki/nginx__
    * __https://github.com/h5bp/server-configs-nginx__
    * __https://github.com/leandromoreira/linux-network-performance-parameters__
    * https://github.com/nginx-boilerplate/nginx-boilerplate
    * https://www.nginx.com/blog/thread-pools-boost-performance-9x/
    * https://www.nginx.com/blog/socket-sharding-nginx-release-1-9-1/
    @@ -288,14 +287,27 @@ Reference links
    * https://www.nginx.com/blog/overcoming-ephemeral-port-exhaustion-nginx-plus/
    * https://www.nginx.com/blog/tcp-load-balancing-udp-load-balancing-nginx-tips-tricks/
    * https://www.nginx.com/blog/introducing-cicd-with-nginx-and-nginx-plus/
    * https://www.nginx.com/blog/testing-the-performance-of-nginx-and-nginx-plus-web-servers/
    * https://www.nginx.com/blog/smart-efficient-byte-range-caching-nginx/
    * https://nginx.org/r/pcre_jit
    * https://nginx.org/r/ssl_engine (`openssl engine -t `)
    * https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
    * https://www.nginx.com/blog/tuning-nginx/
    * https://github.com/intel/asynch_mode_nginx
    * https://openresty.org/download/agentzh-nginx-tutorials-en.html
    * https://www.maxcdn.com/blog/nginx-application-performance-optimization/
    * https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
    * https://medium.freecodecamp.org/a8afdbfde64d
    * https://medium.freecodecamp.org/secure-your-web-application-with-these-http-headers-fd66e0367628
    * https://gist.github.com/CMCDragonkai/6bfade6431e9ffb7fe88
    * https://gist.github.com/denji/9130d1c95e350c58bc50e4b3a9e29bf4
    * https://8gwifi.org/docs/nginx-secure.jsp
    * http://www.codestance.com/tutorials-archive/nginx-tuning-for-best-performance-255
    * https://ospi.fi/blog/centos-7-raise-nofile-limit-for-nginx.html
    * https://www.linode.com/docs/websites/nginx/configure-nginx-for-optimized-performance
    * https://haydenjames.io/nginx-tuning-tips-tls-ssl-https-ttfb-latency/


    Static analyzers
    ----------------
    * https://github.com/yandex/gixy
  3. @denji denji revised this gist Dec 11, 2018. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -215,7 +215,7 @@ Trying with the `worker_rlimit_nofile` directive in `{,/usr/local}/etc/nginx/ngi
    #### `nolimit` with Systemd

    $ mkdir -p /etc/systemd/system/nginx.service.d
    $ nano /etc/security/limits.d/nginx.conf
    $ nano /etc/systemd/system/nginx.service.d/nginx.conf
    [Service]
    LimitNOFILE=30000
    $ systemctl daemon-reload
  4. @denji denji revised this gist Nov 20, 2018. 1 changed file with 176 additions and 45 deletions.
    221 changes: 176 additions & 45 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -40,54 +40,75 @@ events {
    # max clients is also limited by the number of socket connections available on the system (~64k)
    worker_connections 4000;
    # optmized to serve many clients with each thread, essential for linux -- for testing environment
    # optimized to serve many clients with each thread, essential for linux -- for testing environment
    use epoll;
    # accept as many connections as possible, may flood worker connections if set too low -- for testing environment
    multi_accept on;
    }
    # cache informations about FDs, frequently accessed files
    # can boost performance, but you need to test those values
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    # to boost I/O on HDD we can disable access logs
    access_log off;
    # copies data between one FD and other from within the kernel
    # faster then read() + write()
    sendfile on;
    # send headers in one peace, its better then sending them one by one
    tcp_nopush on;
    # don't buffer data sent, good for small data bursts in real time
    tcp_nodelay on;
    # reduce the data that needs to be sent over network -- for testing environment
    gzip on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;
    gzip_disable msie6;
    # allow the server to close connection on non responding client, this will free up memory
    reset_timedout_connection on;
    # request timed out -- default 60
    client_body_timeout 10;
    # if client stop responding, free up memory -- default 60
    send_timeout 2;
    # server will close connection after this time -- default 75
    keepalive_timeout 30;
    # number of requests client can make over keep-alive -- for testing environment
    keepalive_requests 100000;
    http {
    # cache informations about FDs, frequently accessed files
    # can boost performance, but you need to test those values
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    # to boost I/O on HDD we can disable access logs
    access_log off;
    # copies data between one FD and other from within the kernel
    # faster than read() + write()
    sendfile on;
    # send headers in one piece, it is better than sending them one by one
    tcp_nopush on;
    # don't buffer data sent, good for small data bursts in real time
    tcp_nodelay on;
    # reduce the data that needs to be sent over network -- for testing environment
    gzip on;
    # gzip_static on;
    gzip_min_length 10240;
    gzip_comp_level 1;
    gzip_vary on;
    gzip_disable msie6;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types
    # text/html is always compressed by HttpGzipModule
    text/css
    text/javascript
    text/xml
    text/plain
    text/x-component
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    application/atom+xml
    font/truetype
    font/opentype
    application/vnd.ms-fontobject
    image/svg+xml;
    # allow the server to close connection on non responding client, this will free up memory
    reset_timedout_connection on;
    # request timed out -- default 60
    client_body_timeout 10;
    # if client stop responding, free up memory -- default 60
    send_timeout 2;
    # server will close connection after this time -- default 75
    keepalive_timeout 30;
    # number of requests client can make over keep-alive -- for testing environment
    keepalive_requests 100000;
    }
    ```

    Now you can save config and run bottom [command](https://www.nginx.com/resources/wiki/start/topics/tutorials/commandline/#stopping-or-restarting-nginx)
    @@ -111,7 +132,7 @@ Just For Security Reason
    server_tokens off;
    ```

    Nginx Simple DDoS Defense
    NGINX Simple DDoS Defense
    -------------------------

    This is far away from secure DDoS defense but can slow down some small DDoS. Those configs are also in test environment and you should do your values.
    @@ -133,7 +154,7 @@ server {
    # request body is written into a temporary file
    client_body_buffer_size 128k;
    # headerbuffer size for the request header from client -- for testing environment
    # buffer size for reading client request header -- for testing environment
    client_header_buffer_size 3m;
    # maximum number and size of buffers for large headers to read from client request
    @@ -160,6 +181,52 @@ nginx -s reload

    You can test this configuration with `tsung` and when you are satisfied with result you can hit `Ctrl+C` because it can run for hours.

    Increase The Maximum Number Of Open Files (`nofile` limit) – Linux
    -----------------------------------------------

    Two ways to raise the nofile/max open files/file descriptors/file handles limit for NGINX in RHEL/CentOS 7+.
    With NGINX running, checking current limit on master process

    $ cat /proc/$(cat /var/run/nginx.pid)/limits | grep open.files
    Max open files 1024 4096 files

    #### And worker processes

    ps --ppid $(cat /var/run/nginx.pid) -o %p|sed '1d'|xargs -I{} cat /proc/{}/limits|grep open.files

    Max open files 1024 4096 files
    Max open files 1024 4096 files

    Trying with the `worker_rlimit_nofile` directive in `{,/usr/local}/etc/nginx/nginx.conf` fails as SELinux policy doesn't allow `setrlimit`. This is shown in `/var/log/nginx/error.log`

    015/07/24 12:46:40 [alert] 12066#0: setrlimit(RLIMIT_NOFILE, 2342) failed (13: Permission denied)

    #### And in /var/log/audit/audit.log

    type=AVC msg=audit(1437731200.211:366): avc: denied { setrlimit } for pid=12066 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

    #### `nolimit` without Systemd

    $ nano /etc/security/limits.d/nginx.conf
    nginx soft nofile 65536
    nginx hard nofile 65536
    $ sysctl -p

    #### `nolimit` with Systemd

    $ mkdir -p /etc/systemd/system/nginx.service.d
    $ nano /etc/security/limits.d/nginx.conf
    [Service]
    LimitNOFILE=30000
    $ systemctl daemon-reload
    $ systemctl restart nginx.service

    #### SELinux boolean `httpd_setrlimit` to true(1)

    This will set fd limits for the worker processes. Leave the `worker_rlimit_nofile` directive in `{,/usr/local}/etc/nginx/nginx.conf` and run the following as root

    setsebool -P httpd_setrlimit 1

    DoS [HTTP/1.1 and above: Range Requests](https://tools.ietf.org/html/rfc7233#section-6.1)
    ----------------------------------------

    @@ -181,22 +248,86 @@ Socket Sharding in NGINX 1.9.1+ (DragonFly BSD and Linux 3.9+)
    [Multi-threaded](https://nginx.org/r/aio) sending of files is currently supported only Linux.
    Without [`sendfile_max_chunk`](https://nginx.org/r/sendfile_max_chunk) limit, one fast connection may seize the worker process entirely.

    Selecting an upstream based on SSL protocol version
    ---------------------------------------------------
    ```nginx
    map $ssl_preread_protocol $upstream {
    "" ssh.example.com:22;
    "TLSv1.2" new.example.com:443;
    default tls.example.com:443;
    }
    # ssh and https on the same port
    server {
    listen 192.168.0.1:443;
    proxy_pass $upstream;
    ssl_preread on;
    }
    ```

    Happy Hacking!
    --------------
    ==============

    Reference links
    ---------------

    * http://www.codestance.com/tutorials-archive/nginx-tuning-for-best-performance-255
    * https://www.keycdn.com/support/tcp-fast-open/
    * https://www.masv.io/enabling-tcp-fast-open-nginx-centos-7/
    * ~~https://www.52os.net/articles/nginx-anti-ddos-setting-2.html~~
    * https://ospi.fi/blog/centos-7-raise-nofile-limit-for-nginx.html
    * https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
    * https://github.com/h5bp/server-configs-nginx
    * https://github.com/nginx-boilerplate/nginx-boilerplate
    * https://www.nginx.com/blog/thread-pools-boost-performance-9x/
    * https://www.nginx.com/blog/socket-sharding-nginx-release-1-9-1/
    * https://www.nginx.com/blog/nginx-1-13-9-http2-server-push/
    * https://www.nginx.com/blog/performing-a-b-testing-nginx-plus/
    * https://www.nginx.com/blog/10-tips-for-10x-application-performance/
    * https://www.nginx.com/blog/http-keepalives-and-web-performance/
    * https://www.nginx.com/blog/overcoming-ephemeral-port-exhaustion-nginx-plus/
    * https://www.nginx.com/blog/tcp-load-balancing-udp-load-balancing-nginx-tips-tricks/
    * https://www.nginx.com/blog/introducing-cicd-with-nginx-and-nginx-plus/
    * https://nginx.org/r/pcre_jit
    * https://nginx.org/r/ssl_engine (`openssl engine -t `)
    * https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
    * https://www.nginx.com/blog/tuning-nginx/
    * https://www.maxcdn.com/blog/nginx-application-performance-optimization/
    * https://www.linode.com/docs/websites/nginx/configure-nginx-for-optimized-performance
    * https://haydenjames.io/nginx-tuning-tips-tls-ssl-https-ttfb-latency/

    Static analyzers
    ----------------
    * https://github.com/yandex/gixy

    Syntax highlighting
    -------------------
    * https://github.com/chr4/sslsecure.vim
    * https://github.com/chr4/nginx.vim
    * https://github.com/nginx/nginx/tree/master/contrib/vim

    NGINX config formatter
    ----------------------
    * https://github.com/1connect/nginx-config-formatter
    * https://github.com/lovette/nginx-tools/tree/master/nginx-minify-conf

    NGINX configuration tools
    -------------------------
    * https://github.com/nginxinc/crossplane
    * https://github.com/valentinxxx/nginxconfig.io

    BBR (Linux 4.9+)
    ----------------
    * https://blog.cloudflare.com/http-2-prioritization-with-nginx/
    * Linux v4.13+ as no longer required FQ (`q_disc`) with BBR.
    * https://github.com/google/bbr/blob/master/Documentation/bbr-quick-start.md
    * https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/commit/?id=218af599fa635b107cfe10acf3249c4dfe5e4123
    * https://github.com/systemd/systemd/issues/9725#issuecomment-413369212
    * If the latest Linux kernel distribution does not have `tcp_bbr` enabled by default:
    ```sh
    modprobe tcp_bbr && echo 'tcp_bbr' >> /etc/modules-load.d/bbr.conf
    echo 'net.ipv4.tcp_congestion_control=bbr' >> /etc/sysctl.d/99-bbr.conf
    # Recommended for production, but with Linux v4.13rc1+ can be used not only in FQ (`q_disc') in BBR mode.
    echo 'net.core.default_qdisc=fq' >> /etc/sysctl.d/99-bbr.conf
    sysctl --system
    ```
  5. @denji denji revised this gist Mar 18, 2017. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -1,3 +1,5 @@
    ### Moved to git repository: https://github.com/denji/nginx-tuning

    NGINX Tuning For Best Performance
    =================================

  6. @denji denji revised this gist Mar 6, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -184,6 +184,7 @@ Happy Hacking!

    * http://www.codestance.com/tutorials-archive/nginx-tuning-for-best-performance-255
    * https://www.keycdn.com/support/tcp-fast-open/
    * https://www.masv.io/enabling-tcp-fast-open-nginx-centos-7/
    * ~~https://www.52os.net/articles/nginx-anti-ddos-setting-2.html~~
    * https://github.com/h5bp/server-configs-nginx
    * https://github.com/nginx-boilerplate/nginx-boilerplate
  7. @denji denji revised this gist Feb 25, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -184,6 +184,7 @@ Happy Hacking!

    * http://www.codestance.com/tutorials-archive/nginx-tuning-for-best-performance-255
    * https://www.keycdn.com/support/tcp-fast-open/
    * ~~https://www.52os.net/articles/nginx-anti-ddos-setting-2.html~~
    * https://github.com/h5bp/server-configs-nginx
    * https://github.com/nginx-boilerplate/nginx-boilerplate
    * https://www.nginx.com/blog/thread-pools-boost-performance-9x/
  8. @denji denji revised this gist Feb 25, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -183,6 +183,7 @@ Happy Hacking!
    --------------

    * http://www.codestance.com/tutorials-archive/nginx-tuning-for-best-performance-255
    * https://www.keycdn.com/support/tcp-fast-open/
    * https://github.com/h5bp/server-configs-nginx
    * https://github.com/nginx-boilerplate/nginx-boilerplate
    * https://www.nginx.com/blog/thread-pools-boost-performance-9x/
  9. @denji denji revised this gist Feb 17, 2017. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -65,7 +65,7 @@ tcp_nopush on;
    # don't buffer data sent, good for small data bursts in real time
    tcp_nodelay on;
    # reduce the data that needs to be sent over network
    # reduce the data that needs to be sent over network -- for testing environment
    gzip on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
  10. @denji denji revised this gist Jan 19, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -188,6 +188,7 @@ Happy Hacking!
    * https://www.nginx.com/blog/thread-pools-boost-performance-9x/
    * https://www.nginx.com/blog/socket-sharding-nginx-release-1-9-1/
    * https://www.nginx.com/blog/performing-a-b-testing-nginx-plus/
    * https://www.nginx.com/blog/10-tips-for-10x-application-performance/
    * https://nginx.org/r/pcre_jit
    * https://nginx.org/r/ssl_engine (`openssl engine -t `)
    * https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
  11. @denji denji revised this gist Jan 16, 2017. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -184,6 +184,7 @@ Happy Hacking!

    * http://www.codestance.com/tutorials-archive/nginx-tuning-for-best-performance-255
    * https://github.com/h5bp/server-configs-nginx
    * https://github.com/nginx-boilerplate/nginx-boilerplate
    * https://www.nginx.com/blog/thread-pools-boost-performance-9x/
    * https://www.nginx.com/blog/socket-sharding-nginx-release-1-9-1/
    * https://www.nginx.com/blog/performing-a-b-testing-nginx-plus/
  12. @denji denji revised this gist Nov 22, 2016. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -192,3 +192,4 @@ Happy Hacking!
    * https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
    * https://www.nginx.com/blog/tuning-nginx/
    * https://www.maxcdn.com/blog/nginx-application-performance-optimization/
    * https://www.linode.com/docs/websites/nginx/configure-nginx-for-optimized-performance
  13. @denji denji revised this gist Nov 22, 2016. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -191,3 +191,4 @@ Happy Hacking!
    * https://nginx.org/r/ssl_engine (`openssl engine -t `)
    * https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
    * https://www.nginx.com/blog/tuning-nginx/
    * https://www.maxcdn.com/blog/nginx-application-performance-optimization/
  14. @denji denji revised this gist Nov 20, 2016. 1 changed file with 2 additions and 3 deletions.
    5 changes: 2 additions & 3 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -88,7 +88,7 @@ keepalive_timeout 30;
    keepalive_requests 100000;
    ```

    Now you can save config and run bottom command
    Now you can save config and run bottom [command](https://www.nginx.com/resources/wiki/start/topics/tutorials/commandline/#stopping-or-restarting-nginx)

    ```
    nginx -s reload
    @@ -149,10 +149,9 @@ Now you can do again test config
    ```bash
    nginx -t # /etc/init.d/nginx configtest
    ```
    And then reload or restart your nginx
    And then [reload or restart your nginx](https://www.nginx.com/resources/wiki/start/topics/tutorials/commandline/#stopping-or-restarting-nginx)

    ```
    # https://www.nginx.com/resources/wiki/start/topics/tutorials/commandline/#stopping-or-restarting-nginx
    nginx -s reload
    /etc/init.d/nginx reload|restart
    ```
  15. @denji denji revised this gist Nov 20, 2016. 1 changed file with 2 additions and 3 deletions.
    5 changes: 2 additions & 3 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -152,10 +152,9 @@ nginx -t # /etc/init.d/nginx configtest
    And then reload or restart your nginx

    ```
    # https://www.nginx.com/resources/wiki/start/topics/tutorials/commandline/#stopping-or-restarting-nginx
    nginx -s reload
    /etc/init.d/nginx reload
    /etc/init.d/nginx restart
    /etc/init.d/nginx reload|restart
    ```

    You can test this configuration with `tsung` and when you are satisfied with result you can hit `Ctrl+C` because it can run for hours.
  16. @denji denji revised this gist Nov 20, 2016. 1 changed file with 3 additions and 1 deletion.
    4 changes: 3 additions & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -153,7 +153,9 @@ And then reload or restart your nginx

    ```
    nginx -s reload
    /etc/init.d/nginx reload # /etc/init.d/nginx restart
    /etc/init.d/nginx reload
    /etc/init.d/nginx restart
    ```

    You can test this configuration with `tsung` and when you are satisfied with result you can hit `Ctrl+C` because it can run for hours.
  17. @denji denji revised this gist Nov 20, 2016. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -152,7 +152,8 @@ nginx -t # /etc/init.d/nginx configtest
    And then reload or restart your nginx

    ```
    nginx -s reload # /etc/init.d/nginx reload|restart
    nginx -s reload
    /etc/init.d/nginx reload # /etc/init.d/nginx restart
    ```

    You can test this configuration with `tsung` and when you are satisfied with result you can hit `Ctrl+C` because it can run for hours.
  18. @denji denji revised this gist Nov 20, 2016. 1 changed file with 2 additions and 4 deletions.
    6 changes: 2 additions & 4 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -147,14 +147,12 @@ client_header_timeout 3m;
    Now you can do again test config

    ```bash
    nginx -t
    /etc/init.d/nginx configtest
    nginx -t # /etc/init.d/nginx configtest
    ```
    And then reload or restart your nginx

    ```
    nginx -s reload
    /etc/init.d/nginx reload|restart|reload
    nginx -s reload # /etc/init.d/nginx reload|restart
    ```

    You can test this configuration with `tsung` and when you are satisfied with result you can hit `Ctrl+C` because it can run for hours.
  19. @denji denji revised this gist Nov 20, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -154,7 +154,7 @@ And then reload or restart your nginx

    ```
    nginx -s reload
    /etc/init.d/nginx restart|reload
    /etc/init.d/nginx reload|restart|reload
    ```

    You can test this configuration with `tsung` and when you are satisfied with result you can hit `Ctrl+C` because it can run for hours.
  20. @denji denji revised this gist Nov 20, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -5,7 +5,7 @@ For this configuration you can use web server you like, i decided, because i wor

    Generally, properly configured nginx can handle up to 400K to 500K requests per second (clustered), most what i saw is 50K to 80K (non-clustered) requests per second and 30% CPU load, course, this was `2 x Intel Xeon` with HyperThreading enabled, but it can work without problem on slower machines.

    You must understand that this config is used in testing environment and not in production so you will need to find a way to implement most of those features best possible for your servers.
    __You must understand that this config is used in testing environment and not in production so you will need to find a way to implement most of those features best possible for your servers.__

    * [Stable version NGINX (deb/rpm)](https://nginx.org/en/linux_packages.html#stable)
    * [Mainline version NGINX (deb/rpm)](https://nginx.org/en/linux_packages.html#mainline)
  21. @denji denji revised this gist Nov 10, 2016. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -127,7 +127,8 @@ server {
    limit_req zone=req_limit_per_ip burst=10 nodelay;
    }
    # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file
    # if the request body size is more than the buffer size, then the entire (or partial)
    # request body is written into a temporary file
    client_body_buffer_size 128k;
    # headerbuffer size for the request header from client -- for testing environment
  22. @denji denji revised this gist Nov 9, 2016. 1 changed file with 12 additions and 8 deletions.
    20 changes: 12 additions & 8 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -1,5 +1,6 @@
    NGINX Tuning For Best Performance
    --
    =================================

    For this configuration you can use web server you like, i decided, because i work mostly with it to use nginx.

    Generally, properly configured nginx can handle up to 400K to 500K requests per second (clustered), most what i saw is 50K to 80K (non-clustered) requests per second and 30% CPU load, course, this was `2 x Intel Xeon` with HyperThreading enabled, but it can work without problem on slower machines.
    @@ -102,14 +103,14 @@ nginx -t
    ```

    Just For Security Reason
    ---
    ------------------------

    ```nginx
    server_tokens off;
    ```

    Nginx Simple DDoS Defense
    ---
    -------------------------

    This is far away from secure DDoS defense but can slow down some small DDoS. Those configs are also in test environment and you should do your values.

    @@ -158,25 +159,28 @@ nginx -s reload
    You can test this configuration with `tsung` and when you are satisfied with result you can hit `Ctrl+C` because it can run for hours.

    DoS [HTTP/1.1 and above: Range Requests](https://tools.ietf.org/html/rfc7233#section-6.1)
    --
    ----------------------------------------

    By default [`max_ranges`](https://nginx.org/r/max_ranges) is not limited.
    DoS attacks can many Range-Requests (Impact on stability I/O).

    Socket Sharding in NGINX 1.9.1+ (DragonFly BSD and Linux 3.9+)
    --
    | | Latency (ms) | Latency stdev (ms) | CPU Load |
    -------------------------------------------------------------------

    | Socket type | Latency (ms) | Latency stdev (ms) | CPU Load |
    |------------------|--------------|--------------------|----------|
    | Default | 15.65 | 26.59 | 0.3 |
    | accept_mutex off | 15.59 | 26.48 | 10 |
    | reuseport | 12.35 | 3.15 | 0.3 |

    [Thread Pools](https://nginx.org/r/thread_pool) in NGINX Boost Performance 9x! (Linux)
    --
    --------------

    [Multi-threaded](https://nginx.org/r/aio) sending of files is currently supported only Linux.
    Without [`sendfile_max_chunk`](https://nginx.org/r/sendfile_max_chunk) limit, one fast connection may seize the worker process entirely.

    Happy Hacking!
    --
    --------------

    * http://www.codestance.com/tutorials-archive/nginx-tuning-for-best-performance-255
    * https://github.com/h5bp/server-configs-nginx
  23. @denji denji revised this gist Nov 9, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -2,7 +2,7 @@ NGINX Tuning For Best Performance
    --
    For this configuration you can use web server you like, i decided, because i work mostly with it to use nginx.

    Generally, properly configured nginx can handle up to 400,000 to 500,000 requests per second (clustered), most what i saw is 50,000 to 80,000 (non-clustered) requests per second and 30% CPU load, course, this was `2 x Intel Xeon` with HyperThreading enabled, but it can work without problem on slower machines.
    Generally, properly configured nginx can handle up to 400K to 500K requests per second (clustered), most what i saw is 50K to 80K (non-clustered) requests per second and 30% CPU load, course, this was `2 x Intel Xeon` with HyperThreading enabled, but it can work without problem on slower machines.

    You must understand that this config is used in testing environment and not in production so you will need to find a way to implement most of those features best possible for your servers.

  24. @denji denji revised this gist Nov 9, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -51,7 +51,7 @@ open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    # to boost IO on HDD we can disable access logs
    # to boost I/O on HDD we can disable access logs
    access_log off;
    # copies data between one FD and other from within the kernel
  25. @denji denji revised this gist Oct 22, 2016. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -37,10 +37,10 @@ events {
    # max clients is also limited by the number of socket connections available on the system (~64k)
    worker_connections 4000;
    # optmized to serve many clients with each thread, essential for linux
    # optmized to serve many clients with each thread, essential for linux -- for testing environment
    use epoll;
    # accept as many connections as possible, may flood worker connections if set too low
    # accept as many connections as possible, may flood worker connections if set too low -- for testing environment
    multi_accept on;
    }
  26. @denji denji revised this gist Sep 25, 2016. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -90,12 +90,14 @@ keepalive_requests 100000;
    Now you can save config and run bottom command

    ```
    nginx -s reload
    /etc/init.d/nginx start|restart
    ```

    If you wish to test config first you can run

    ```
    nginx -t
    /etc/init.d/nginx configtest
    ```

  27. @denji denji revised this gist Sep 25, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -80,7 +80,7 @@ client_body_timeout 10;
    # if client stop responding, free up memory -- default 60
    send_timeout 2;
    # server will close connection after this time
    # server will close connection after this time -- default 75
    keepalive_timeout 30;
    # number of requests client can make over keep-alive -- for testing environment
  28. @denji denji revised this gist Sep 16, 2016. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -143,11 +143,13 @@ client_header_timeout 3m;
    Now you can do again test config

    ```bash
    nginx -t
    /etc/init.d/nginx configtest
    ```
    And then reload or restart your nginx

    ```
    nginx -s reload
    /etc/init.d/nginx restart|reload
    ```

  29. @denji denji revised this gist Sep 6, 2016. 1 changed file with 1 addition and 0 deletions.
    1 change: 1 addition & 0 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -182,3 +182,4 @@ Happy Hacking!
    * https://nginx.org/r/pcre_jit
    * https://nginx.org/r/ssl_engine (`openssl engine -t `)
    * https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
    * https://www.nginx.com/blog/tuning-nginx/
  30. @denji denji revised this gist Aug 30, 2016. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions nginx-tuning.md
    Original file line number Diff line number Diff line change
    @@ -68,8 +68,8 @@ tcp_nodelay on;
    gzip on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
    gzip_disable "MSIE [1-6]\.";
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;
    gzip_disable msie6;
    # allow the server to close connection on non responding client, this will free up memory
    reset_timedout_connection on;