Building Business Systems with Domain-Specific Languages for NGINX & OpenResty

This post is adapted from a presentation at nginx.conf 2016 by Yichun Zhang, Founder and CEO of OpenResty, Inc. This is the first of two parts of the adaptation. In this part, Yichun describes OpenResty’s capabilities and goes over web application use cases built atop OpenResty. In Part 2, Yichun looks at what a domain-specific language is in more detail.

You can view the complete presentation on YouTube.

Global Server Load Balancing with Route 53 and NGINX Plus

This deployment guide explains how to configure global load balancing (GLB) of traffic for web domains hosted in Amazon Web Services (AWS) Elastic Compute Cloud (EC2). For high availability and improved performance, you set up multiple backend servers (web servers, application servers, or both) for a domain in two or more AWS regions. Within each region, NGINX Plus load balances traffic across the backend servers.

The AWS Domain Name System (DNS) service, Amazon Route 53, performs global load balancing by responding to a DNS query from a client with the DNS record for the region hosting the domain that is closest to the client. For best performance and predictable failover between regions, “closeness” is measured in terms of network latency rather than the actual geographic location of the client.

On the fly (and free) SSL registration and renewal

On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let’s Encrypt.

This OpenResty plugin automatically and transparently issues SSL certificates from Let’s Encrypt (a free certificate authority) as requests are received. It works like:

  • A SSL request for a SNI hostname is received.
  • If the system already has a SSL certificate for that domain, it is immediately returned (with OCSP stapling).
  • If the system does not yet have an SSL certificate for this domain, it issues a new SSL certificate from Let’s Encrypt. Domain validation is handled for you. After receiving the new certificate (usually within a few seconds), the new certificate is saved, cached, and returned to the client (without dropping the original request).

This uses the ssl_certificate_by_lua functionality in OpenResty

Dynamic tracing talk

Dynamic tracing technology is a kind of post-modern advanced debugging techniques. It can help software engineers at a very low cost in a very short period of time, to answer some difficult questions about the software systems to more quickly troubleshoot and resolve problems. It is the rise of a large and prosperous background, we are in a rapid growth of the Internet age, as an engineer, faced with the challenge of two aspects: First, the number of size, regardless of the size of the user or the size of the room, are in the machine the rapid growth era. A second aspect of the challenge is the complexity. Our business logic more complex, we run the software systems are becoming more complex, and we know it will be divided into many, many levels, including the operating system kernel and above is a variety of system software, such as database and Web server, and then up virtual machines high-level scripting language or other language interpreter and real-time (JIT) compiler, various levels of abstraction on top of it is the business logic of the application level and a lot of complex code logic.

nginx module for Brotli compression

Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It is similar in speed with deflate but offers more dense compression.

ngx_brotli is a set of two nginx modules:

  • ngx_brotli filter module – used to compress responses on-the-fly,
  • ngx_brotli static module – used to serve pre-compressed files.

Mitigating DDoS Attacks with NGINX and NGINX Plus

A Distributed Denial-of-Service (DDoS) attack is an attempt to make a service, usually a website, unavailable by bombarding it with so much traffic from multiple machines that the server providing the service is no longer able to function correctly because of resource exhaustion.

Typically, the attacker tries to saturate a system with so many connections and requests that it is no longer able to accept new traffic, or becomes so slow that it is effectively unusable.

Mitigating DDoS Attacks with NGINX and NGINX Plus