Load Balancing DNS Traffic with NGINX and NGINX Plus

NGINX Plus R9 introduces the ability to reverse proxy and load balance UDP traffic, a significant enhancement to NGINX Plus’ Layer 4 load-balancing capabilities.

This blog post looks at the challenges of running a DNS server in a modern application infrastructure to illustrate how the open source NGINX software and NGINX Plus can effectively and efficiently load balance both UDP and TCP traffic (for brevity, we’ll refer to NGINX Plus for the rest of the post).


Using Free SSL/TLS Certificates from Let’s Encrypt for NGINX

“Let’s Encrypt is a new certificate authority (CA) offering free and automated SSL/TLS certificates. Certificates issued by Let’s Encrypt are trusted by most browsers in production today, including Internet Explorer on Windows Vista. Simply download and run the Let’s Encrypt client to generate a certificate (there are a few more steps than that, of course, though not many).

Before issuing a certificate, Let’s Encrypt validates ownership of your domain. First, the Let’s Encrypt client running on your host creates a temporary file (a token) with the required information in it. The Let’s Encrypt validation server makes an HTTP request to retrieve the file and validates the token, which serves to verify that the DNS record for your domain resolves to the server running the Let’s Encrypt client.

The Let’s Encrypt client does not yet officially support NGINX and NGINX Plus (support is in beta), but you can still get started right away using Let’s Encrypt with NGINX and NGINX Plus. (This blog applies to both NGINX and NGINX Plus, but for ease of reading we’ll refer only to NGINX Plus from now on.) All you need is the webroot plug-in from Let’s Encrypt, and a few small changes to your NGINX Plus configuration…”


Nginx: a caching, thumbnailing, reverse proxying image server?

“A month or two ago, I decided to remove Varnish from my site and replace it with Nginx’s built-in caching system. I was already using Nginx to proxy to my Python sites, so getting rid of Varnish meant one less thing to fiddle with. I spent a few days reading up on how to configure Nginx’s cache and overhauling the various config files for my Python sites (yes, irony). In the course of my reading I bookmarked a number of interesting Nginx modules to return to, among them the Image Filter module.

I thought it would be neat to combine Nginx’s reverse proxying, caching, and image filtering to create a thumbnailing server for my images hosted on S3. If you look closely at the <img> tag below (and throughout this site), you can see Nginx in action…”


Using Nginx as a Load Balancer

“After you’ve ensured your web application is set up for a distributed environment, you can then decide on a strategy for load balancing. Nginx offers these strategies:

  • Round Robin – Nginx switches which server to fulfill the request in the order they are defined
  • Least Connections – Request is assigned to the server with the least connections (and presumably the lowest load)
  • Ip-Hash/Sticky Sessions – The client’s IP address is hashed. The resulting hash is used to determine which server to send the request to. This also makes user sessions “sticky”. Subsequent requests from a specific user always get routed to the same server. This is one way to get around the issue of user sessions behaving as expected in a distributed environment.
  • Weight – With any of the above strategies, you can assign weights to a server. Heavier-weighted servers are more likely to be selected to serve a request. This is good if you want to use a particularly powerful server more, or perhaps to use a server with newer or experimental specs/software installed less…”


Ceryx – A dynamic NGINX

“Reverse proxying hundreds, or even thousands of contained micro-services is an interesting problem and one that we face daily at Sourcelair. That’s why, today, we’re glad to announce Ceryx, a dynamic reverse proxy using OpenResty, Lua and Flask that can be used to proxy hosts to any number of services, with its configuration being available instantly. Ceryx is a project we’ve been working on for the last couple of months and we’re open sourcing it now…”