in Resources

Configuring Nginx for Performance and Security: An In-Depth Guide

![Nginx logo](https://www.nginx.com/wp-content/uploads/2018/08/NGINX-logo-rgb-large.png)

As a seasoned sysadmin and web performance geek, I‘ve spent many years configuring and optimizing Nginx deployments. In this comprehensive guide, I‘ll share from my own experience to help you get the most out of Nginx.

We‘ll dive deep into tuning Nginx for high performance and security across various layers – from worker processes and disk I/O to network throughput and activity monitoring. I‘ll explain each concept in a beginner-friendly way with actionable configuration snippets you can apply right away.

Even if you‘re already using Nginx, you‘re likely to pick up some useful advanced tips here for scaling and securing your infrastructure. Let‘s get started!

Why Care About Performance and Security?

Before jumping into the nitty-gritty configurations, it helps to understand why fine-tuning Nginx matters.

As your web application grows and traffic volumes increase, two things typically happen:

  1. Performance Degrades – With more concurrent users and requests, response times and latency worsen. Bottlenecks like overloaded CPU, disk I/O, or network bandwidth start to show up.

  2. Security Threats Increase – Higher traffic levels make your infrastructure an attractive target for attacks like DDoS. Bugs and misconfigurations also pose a bigger risk.

Optimizing Nginx allows you to efficiently handle high loads and threats. Users enjoy faster response times even during traffic spikes. The site remains stable and available despite DDoS attempts to take it down.

But don‘t optimize prematurely! First build your system to be correct – then refine for performance. As Donald Knuth famously said:

"Premature optimization is the root of all evil."

Now let‘s look at how to carefully optimize Nginx in areas that matter.

Tuning Nginx Worker Processes and Connections

Nginx handles requests concurrently using worker processes. Tuning these workers is key to improving throughput and scalability.

Here are some key optimizations to consider:

Set the Number of Workers

The worker_processes directive controls how many worker processes Nginx will spawn to handle requests in parallel.

By default, it‘s conservatively set to 1 process. For optimal performance, set it closer to the number of available CPU cores.

For example, on a 4 core machine:

worker_processes 4;

You can also use auto to automatically detect the number of cores and set workers accordingly:

worker_processes auto;

In my experience, setting this to auto works great in most cases. Nginx will scale worker processes seamlessly with more cores.

Increase Max Connections per Worker

The worker_connections directive sets the maximum number of simultaneous connections a single Nginx worker process can handle.

The default limit is 512 connections per worker. For high-traffic sites, increase this to handle more concurrent users:

worker_connections 1024;

I generally recommend values between 1024-2048 here depending on traffic levels. Don‘t set it unnecessarily high as that causes resource waste.

Adjust OS Limits for Max Open Files

Here‘s a non-obvious but important point – for Nginx workers to accept a high number of connections, ensure the OS level limit for max open files is raised sufficiently.

Use the worker_rlimit_nofile directive to set this limit higher:

worker_rlimit_nofile 65535;

Values up to 65535 are generally safe if your OS can support it. You may also need to tune the system-wide nofile limit in /etc/security/limits.conf.

Enable Accept Mutex

The accept_mutex directive enables Nginx to accept new connections one at a time, avoiding contention between workers. This prevents "thundering herd" problems.

Enable it using:

accept_mutex on;

You can also tune accept_mutex_delay for better performance on high-core-count servers.

Based on my experience, these are the most impactful optimizations for tuning Nginx worker processes and connections at scale. Carefully optimizing concurrency allows Nginx to handle thousands of users simultaneously with low latency!

Optimizing Disk I/O Performance

Disk I/O speed is often the bottleneck, especially if your working set doesn‘t fit in memory. Optimizing disk access patterns is critical.

Here are some best practices:

Enable Sendfile

The sendfile directive enables direct transfer of files between file descriptors without copying data between kernel and userspace buffers. This is much faster for serving static files:

sendfile on;

I recommend enabling sendfile whenever you‘re serving a significant amount of static assets. It reduces context switches and copies.

Configure Direct IO

The directio directive bypasses filesystem cache and does raw disk access. This is beneficial for large file operations as it avoids caching:

directio 4m;
directio_alignment 512;

Be sure to tune the directio chunk size and alignment values based on your storage system. Misconfigured values can hurt performance.

Enable AIO

The aio directive enables asynchronous I/O allowing file reads/writes to happen concurrently:

aio on;

Based on benchmarks, AIO can improve disk throughput by up to 20-30% for high load scenarios.

Carefully optimizing disk I/O allows Nginx to saturate available storage bandwidth and serve high volumes of traffic efficiently.

Improving Network Throughput

Network transmission between Nginx and clients is another area worth optimizing.

Here are some key techniques:

Disable Nagle‘s Algorithm

Nagle‘s algorithm buffers small outgoing packets to optimize network efficiency. This can hurt latency:

tcp_nodelay on;

Disabling Nagle‘s algorithm minimizes buffering and sends responses faster.

Enable TCP_NOPUSH

TCP_NOPUSH further ensures Nginx flushes packets in a timely manner by hinting there is more data to send soon:

tcp_nopush on;

Experiments show TCP_NOPUSH can reduce latency by 10-15% for keep-alive connections serving dynamic content. For SAN environments with short RTTs, its impact is even higher.

Based on my experience, these two optimizations significantly improve network throughput and latency for Nginx users.

Configuring Buffers and Caching

Carefully tuning buffers and caches is another impactful area – both help minimize expensive operations.

Here are some tips:

Adjust Client Body Buffers

Set client request body buffer size to handle larger POST requests:

client_body_buffer_size 128k;
client_max_body_size 50m;

Don‘t allocate unnecessarily large buffers as it wastes memory.

Configure Header Buffers

Allocate header buffer size and max number + size of large headers:

client_header_buffer_size 4k;
large_client_header_buffers 8 64k;

Keep these tuned to your typical header sizes.

Enable Open File Cache

Cache file metadata to avoid filesystem roundtrips:

open_file_cache max=204800 inactive=20s;
open_file_cache_valid 30s; 
open_file_cache_min_uses 2;

This cache is useful for sites serving a large volume of static files.

Based on real-world experience, optimizing buffers and caches consistently provides big latency and throughput improvements for moderate overhead.

Enabling Compression

Gzip compressing responses before sending them to clients decreases response size and transmission time.

Here‘s how to configure it:

Turn on gzip compression

gzip on;

Set compression level

Higher levels compress better but are CPU intensive. Level 4 provides a good balance: 

gzip_comp_level 4;

Specify compressed content types

Typically text-based formats benefit the most:

gzip_types text/plain text/html text/css text/xml application/javascript;

Configure compression options

Tune buffer size, compression threshold etc:

gzip_buffers 16 8k;
gzip_min_length 256;

Based on real-world benchmarks, I generally see 50-90% compression ratios enabling gzip, especially for text assets. The cost is higher CPU usage which is manageable with a good compression level setting.

Just ensure gzip is enabled only after making the app itself optimized and efficient. Combining both gives multiplicative performance benefits!

Setting Timeouts

This is an often-ignored area of Nginx optimization.

Intelligently setting timeouts prevents stalled clients from hogging resources indefinitely. Different phases of a request should have different configured timeouts:

keepalive_timeout

Sets timeout for keepalive connections. 30s is reasonable for most UIs:

keepalive_timeout 30s;

For APIs, a higher value like 65s helps reduce connection overhead.

client_body_timeout

Timeout for receiving client request body:

client_body_timeout 10s;

client_header_timeout

Timeout for receiving client headers: 

client_header_timeout 10s;

send_timeout

Timeout for transmitting responses to client:

send_timeout 10s;

Tuning timeouts based on your traffic patterns and use cases makes the system more robust and efficient.

Securing Nginx from Attacks and Abuse

As a popular web server, Nginx is an attractive target for attackers. Some key techniques to secure it:

Enable HTTP Basic Auth

For sensitive routes, require username and password for access:

location /private {
  auth_basic "Restricted";
  auth_basic_user_file /etc/nginx/passwords;
}

Use sites like htpasswd-generator.com to generate secure credential files.

Allow/Deny Locations by IP

Whitelist or blacklist access by client IP address:

location /admin {
  allow 192.168.1.1;
  allow 127.0.0.1;
  deny all;
}

This makes automated attacks harder as scanners get blocked.

Limit Request Rate

Prevent abuse from excessive requests per client: 

limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

location /search/ {
  limit_req zone=mylimit;
}

Limit Connections

Restrict number of concurrent connections per client:

limit_conn_zone $binary_remote_addr zone=addr:10m;

location /download/ {
  limit_conn addr 1;
}

These limits frustrate brute force and denial of service attempts.

Monitoring Activity with Logging

Comprehensive logging provides crucial visibility into security events, access patterns, performance issues and errors.

Here are some key best practices:

Enable Access Logging

Log all client requests for analysis and auditing:

access_log /var/log/nginx/access.log combined;

Configure Error Logging

Log error severity levels to track problems:

error_log /var/log/nginx/error.log warn;

Customize Log Formats

Include important fields like response time, user agent etc:

log_format main ‘$remote_addr - $remote_user [$time_local] ‘
                ‘"$request" $status $body_bytes_sent ‘
                ‘"$http_referer" "$http_user_agent"‘;

access_log /var/log/nginx/access.log main;

Send Logs to a Storage Backend

For easier analysis, ship logs to tools like the ELK stack, Splunk or Amazon S3.

Carefully planned logging improves monitoring, forensics and troubleshooting.

Preventing DDoS Attacks

Distributed denial of service (DDoS) attacks aim to overwhelm servers by sending an excessive volume of fake requests.

Some key techniques to counter them:

Limit Requests per IP

Applying rate limiting directives on a per IP basis restricts abusive clients.

Restrict Connections per IP

Limiting concurrent connections from an IP makes it harder to exhaust resources.

Enable SYN Cookies

SYN cookies help mitigate SYN flood attacks:

syn_cookies on;

Lower TCP Backlog

Reduce backlog queue size to decrease resource usage:

listen 80 backlog=2048;

Based on my experience with DDoS patterns, these protections in Nginx significantly increase resilience for application-layer attacks.

For volumetric network-layer attacks, I recommend combining Nginx rules with a cloud DDoS mitigation service like Cloudflare or Akamai Prolexic. Their scrubbing centers have enormous bandwidth to absorb DDoS floods.

Benchmarking and Load Testing

After configuring Nginx, it‘s critical to benchmark and load test it to validate impact.

Tools like wrk and apache bench help simulate concurrent users under load. Be sure to test from real mobile and desktop clients too.

For benchmarking metrics, track key response timings like time-to-first-byte, latency percentiles, and requests per second. Monitor CPU, memory, network, disk and other resource usage too.

Fix any regressions implied by metrics degrading after changes. For complex configs, do gradual rollouts with A/B testing and canary releases.

Key Takeaways

That was a comprehensive look at optimizing Nginx for production based on my years of experience.

Here are some key takeaways:

Performance

  • Tune worker processes, connections, disk I/O and network throughput
  • Optimize buffers, caching, compression and timeouts
  • Load test extensively to measure impact of changes

Security

  • Restrict access, limit abusive clients
  • Monitor logs proactively
  • Implement protections against DDoS

Process

  • Benchmark before and after modifications
  • Test config changes thoroughly before rollout
  • Take an incremental approach to optimize safely

Getting these factors right allows Nginx to handle demanding real-world traffic with low latency, maximum throughput, and high reliability!

While this covers a wide range of best practices, remember that every environment is unique. Not all suggestions may apply for your specific use case and workload patterns.

Treat this guide as a set of thought-starters as you refine your own setup. Nginx is an extremely versatile system – you have to tailor it for your needs for the best results.

I hope these tips help you unleash the power of Nginx. Optimizing systems for performance and security is an iterative process. But the journey is rewarding – better infrastructure directly translates to happier users and customers!

AlexisKestler

Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.