NGINX

1 Introduction

NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. NGINX is known for its high performance, stability, rich feature set, simple configuration, and low resource consumption.

NGINX is one of a handful of servers written to address the C10K problem. Unlike traditional servers, NGINX does not rely on threads to handle requests. Instead it uses a much more scalable event-driven (asynchronous) architecture. This architecture uses small, but more importantly, predictable amounts of memory under load. Even if you do not expect to handle thousands of simultaneous requests, you can still benefit from NGINX’s high performance and small memory footprint. NGINX scales in all directions: from the smallest Virtual Private Server (VPS) all the way up to large clusters of servers.

The LoadMaster offers advanced Layer 4 and Layer 7 server load balancing, SSL Acceleration and a multitude of other advanced Application Delivery and Optimization (ADC) features. The Kemp LoadMaster can load balance the NGINX workload. The LoadMaster intelligently and efficiently distributes user traffic among the servers so that users get the best experience possible.

This document provides guidance and recommended settings on how to load balance NGINX with a Kemp LoadMaster. The Kemp Support Team is available to provide solutions for scenarios not explicitly defined.

The Kemp support site can be found at: https://support.kemptechnologies.com.

2 Configure the LoadMaster

Follow the steps in the sections below to configure the LoadMaster with the recommended settings to load balance the NGINX workload.

2.1 Enable Subnet Originating Requests Globally

It is best practice to enable the Subnet Originating Requests option globally.

In a one-armed setup (where the Virtual Service and Real Servers are on the same network/subnet) Subnet Originating Requests is usually not needed. However, enabling Subnet Originating Requests should not affect the routing in a one-armed setup.

In a two-armed setup where the Virtual Service is on network/subnet A, for example, and the Real Servers are on network B, Subnet Originating Requests should be enabled on LoadMasters with firmware version 7.1-16 and above.

Because this application can run at Layer 4, transparency is enforced. Transparency takes a higher priority than Subnet Originating Requests. Therefore, if transparency is enabled on the Virtual Service and Subnet Originating Requests is enabled globally, the Virtual Service still uses transparency. The Real Server sees traffic from this virtual service originating with the client’s source IP address (transparency). See the Transparency document on the Kemp documentation page for more details.

In the diagram above, you can see the following details:

  • Client: 10.0.0.100/24
  • Virtual Service on eth0: 10.0.0.15/24
  • Real Server on eth1: 10.20.20.25/24

With Subnet Originating Requests enabled, the Real Server sees traffic originating from 10.20.20.21 (LoadMaster eth1 address) and responds correctly.

With Subnet Originating Requests disabled, the Real Server sees traffic originating from 10.0.0.15 (LoadMaster Virtual Service address on eth0) and responds to eth0, causing asymmetric routing.

When Subnet Originating Requests is enabled globally, it is automatically enabled on all Virtual Services. If the Subnet Originating Requests option is disabled globally, you can choose whether or not to enable Subnet Originating Requests on a per-Virtual Service basis.
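
The source-address behaviour described above can be modelled in a few lines. This is an added example, not Kemp code: it uses the addresses from the diagram to show which source IP the Real Server sees (the address NGINX records as the connection's remote address) and whether the reply stays on the Real Server's subnet. The /24 prefix on the LoadMaster eth1 address and the fallback when no interface matches are assumptions.

```python
from ipaddress import ip_address, ip_interface

# Addresses from the two-armed diagram described above. The /24 on the
# LoadMaster eth1 address is assumed from the Real Server's /24.
CLIENT = "10.0.0.100"
VIRTUAL_SERVICE = "10.0.0.15"
LOADMASTER_INTERFACES = {"eth0": "10.0.0.15/24", "eth1": "10.20.20.21/24"}
REAL_SERVER = "10.20.20.25/24"


def source_seen_by_real_server(transparent, sor_enabled,
                               client=CLIENT, vs=VIRTUAL_SERVICE,
                               interfaces=LOADMASTER_INTERFACES,
                               real_server=REAL_SERVER):
    """Return the source IP the Real Server sees for a load-balanced connection."""
    if transparent:
        # Transparency takes priority over Subnet Originating Requests.
        return ip_address(client)
    if sor_enabled:
        rs_net = ip_interface(real_server).network
        for cidr in interfaces.values():
            iface = ip_interface(cidr)
            if iface.network == rs_net:
                # LoadMaster address on the Real Server's subnet.
                return iface.ip
    # SOR disabled: the Virtual Service address is the source. The same
    # fallback is assumed when no interface sits on the Real Server's
    # subnet, a case the text above does not cover.
    return ip_address(vs)


def reply_is_on_link(source, real_server=REAL_SERVER):
    """True when the Real Server can answer the source on its own subnet."""
    return ip_address(str(source)) in ip_interface(real_server).network


def describe(transparent, sor_enabled):
    """Summarise one combination of the two settings."""
    src = source_seen_by_real_server(transparent, sor_enabled)
    return {"source": str(src), "reply_on_link": reply_is_on_link(src)}


if __name__ == "__main__":
    for transparent, sor in [(False, True), (False, False), (True, True)]:
        result = describe(transparent, sor)
        print(f"transparent={transparent!s:5} sor={sor!s:5} -> "
              f"source {result['source']:12} "
              f"reply on Real Server subnet: {result['reply_on_link']}")
```

A source that is not on the Real Server's subnet means the reply leaves through the Real Server's gateway rather than returning directly to the LoadMaster interface, which is the asymmetric case described above.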

To enable Subnet Originating Requests globally, follow the steps below:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to System Configuration > Miscellaneous Options > Network Options.

2. Select the Subnet Originating Requests check box.

2.2 Configure the LoadMaster

Follow the steps in the sections below to configure the LoadMaster with the recommended settings to load balance the NGINX workload.

2.2.1 Create the HTTP/HTTPS Virtual Services

Refer to the sections below for recommended settings for the HTTP/HTTPS Virtual Services.

2.2.1.1 Create the NGINX HTTP Virtual Service

Follow the steps below to create and configure the recommended settings for the NGINX HTTP Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 80 in the Port text box.

4. Enter a recognizable Service Name, for example Nginx HTTP.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value |
|---|---|---|
| Standard Options | Persistence Mode | Active Cookie |
| | Cookie name | JSESSIONID |
| | Timeout | 1 Hour |
| | Scheduling Method | least connection |
| | Idle Connection Timeout | 900 |
| Real Servers | URL | / |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 80 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.2.1.2 Create the NGINX HTTPS Virtual Service

Follow the steps below to create and configure the recommended settings for the NGINX HTTPS Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 443 in the Port text box.

4. Enter a recognizable Service Name, for example Nginx HTTPS.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value | Comments |
|---|---|---|---|
| Standard Options | Persistence Mode | Source IP Address | |
| | Timeout | 1 Hour | |
| | Scheduling Method | least connection | |
| | Idle Connection Timeout | 900 | |
| Advanced Properties | Add a Port 80 Redirector VS | https://%h%s | Click Add HTTP Redirector. This automatically creates a redirect on port 80. Note: This field disappears after it is clicked. |
| Real Servers | URL | / | |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 443 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.2.1.2.1 Configure the NGINX HTTPS HTTP Redirect Virtual Service

Clicking the Add HTTP Redirector button automatically creates a port 80 redirect Virtual Service. This is optional, but the purpose of this Virtual Service is to redirect any clients who have connected using HTTP to the HTTPS Virtual Service. Kemp also recommends changing the Real Server Check Method and Persistence Mode to None.

2.2.1.3 Create the NGINX HTTPS Offloaded Virtual Service

Follow the steps below to create and configure the recommended settings for the NGINX HTTPS Offloaded Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 443 in the Port text box.

4. Enter a recognizable Service Name, for example Nginx HTTPS Offloaded.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value | Comments |
|---|---|---|---|
| Standard Options | Persistence Mode | Active Cookie | You need to enable SSL Acceleration before you can select Active Cookie as the Persistence Mode. |
| | Timeout | 1 Hour | |
| | Cookie name | JSESSIONID | |
| | Scheduling Method | least connection | |
| | Idle Connection Timeout | 900 | |
| SSL Properties | SSL Acceleration | Enabled | |
| | Supported Protocols | TLS1.0, TLS1.1, TLS1.2, TLS1.3 | While this workload may not support TLS1.3 yet, Kemp recommends enabling it for future proofing. TLS1.3 is currently only supported on software LoadMasters. |
| | Cipher Set | BestPractices | |
| Advanced Properties | Add a Port 80 Redirector VS | https://%h%s | Click Add HTTP Redirector. This automatically creates a redirect on port 80. Note: This field disappears after it is clicked. |
| Real Servers | URL | / | |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 443 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.
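
A check for the Supported Protocols row above, as an added example that is not Kemp code: it attempts one handshake per protocol version against an implicit-TLS Virtual Service (ports 443, 993 or 995; STARTTLS services are not handled) and compares the outcome with the protocols the table enables. The host and port given on the command line and the SAMPLE results are assumptions constructed for illustration.

```python
import socket
import ssl
import sys

# Protocol labels as written in the Supported Protocols row.
VERSIONS = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
    "TLS1.3": ssl.TLSVersion.TLSv1_3,
}
EXPECTED = ("TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")  # value from the table

# Constructed sample: what a LoadMaster without TLS1.3 support might return.
SAMPLE = {"TLS1.0": "accepted", "TLS1.1": "accepted",
          "TLS1.2": "accepted", "TLS1.3": "rejected"}


def probe(host, port, label, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns "accepted", "rejected", "unreachable" or "client-unsupported".
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False   # auditing protocol support, not identity
        ctx.verify_mode = ssl.CERT_NONE
        # Let the local OpenSSL offer TLS1.0/TLS1.1 for the test handshake.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = VERSIONS[label]
        ctx.maximum_version = VERSIONS[label]
    except (ssl.SSLError, ValueError):
        return "client-unsupported"  # local build cannot speak this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "accepted"
            except (ssl.SSLError, ConnectionResetError):
                return "rejected"
    except OSError:
        return "unreachable"


def audit(observed, expected=EXPECTED):
    """List differences between probe results and the configured protocols."""
    findings = []
    for label in VERSIONS:
        state = observed.get(label, "unreachable")
        if state in ("unreachable", "client-unsupported"):
            findings.append(f"{label}: not tested ({state})")
        elif label in expected and state == "rejected":
            findings.append(f"{label}: enabled in the table but refused")
        elif label not in expected and state == "accepted":
            findings.append(f"{label}: accepted but not enabled in the table")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        target, port = sys.argv[1], int(sys.argv[2])
        observed = {label: probe(target, port, label) for label in VERSIONS}
    else:
        observed = SAMPLE  # offline run on the constructed sample
    for label, state in observed.items():
        print(f"{label}: {state}")
    for finding in audit(observed):
        print("FINDING:", finding)
```

Run without arguments it evaluates the constructed sample; run with a Virtual Service address and port it probes that service.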

2.2.1.3.1 Configure the NGINX HTTPS Offloaded HTTP Redirect Virtual Service

Clicking the Add HTTP Redirector button automatically creates a port 80 redirect Virtual Service. This is optional, but the purpose of this Virtual Service is to redirect any clients who have connected using HTTP to the HTTPS Virtual Service. Kemp also recommends changing the Real Server Check Method and Persistence Mode to None.

2.2.1.4 Create the NGINX HTTPS Re-encrypt Virtual Service

Follow the steps below to create and configure the recommended settings for the NGINX HTTPS Re-encrypt Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 443 in the Port text box.

4. Enter a recognizable Service Name, for example Nginx HTTPS Re-encrypt.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value | Comments |
|---|---|---|---|
| Standard Options | Persistence Mode | Active Cookie | You need to enable SSL Acceleration before you can select Active Cookie as the Persistence Mode. |
| | Timeout | 1 Hour | |
| | Cookie name | JSESSIONID | |
| | Scheduling Method | least connection | |
| | Idle Connection Timeout | 900 | |
| SSL Properties | SSL Acceleration | Enabled | |
| | Reencrypt | Enabled | |
| | Supported Protocols | TLS1.0, TLS1.1, TLS1.2, TLS1.3 | While this workload may not support TLS1.3 yet, Kemp recommends enabling it for future proofing. TLS1.3 is currently only supported on software LoadMasters. |
| | Cipher Set | BestPractices | |
| Advanced Properties | Add a Port 80 Redirector VS | https://%h%s | Click Add HTTP Redirector. This automatically creates a redirect on port 80. Note: This field disappears after it is clicked. |
| Real Servers | URL | / | |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 443 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.2.1.4.1 Configure the NGINX HTTPS Re-encrypt HTTP Redirect Virtual Service

Clicking the Add HTTP Redirector button automatically creates a port 80 redirect Virtual Service. This is optional, but the purpose of this Virtual Service is to redirect any clients who have connected using HTTP to the HTTPS Virtual Service. Kemp also recommends changing the Real Server Check Method and Persistence Mode to None.

2.3 Create the Mail Virtual Services

Refer to the sections below for recommended settings for the mail Virtual Services.

2.3.1 Create the NGINX IMAP Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 143 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value |
|---|---|---|
| Standard Options | Idle Connection Timeout | 3600 |
| Real Servers | Checked Port | 143 |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 143 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.2 Create the NGINX IMAP with STARTTLS Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 143 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value | Comments |
|---|---|---|---|
| Basic Properties | Service Type | STARTTLS protocols | |
| Standard Options | Idle Connection Timeout | 3600 | |
| SSL Properties | Supported Protocols | TLS1.0, TLS1.1, TLS1.2, TLS1.3 | While this workload may not support TLS1.3 yet, Kemp recommends enabling it for future proofing. TLS1.3 is currently only supported on software LoadMasters. |
| | Cipher Set | BestPractices | |
| Real Servers | Checked Port | 143 | |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 143 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.3 Create the NGINX IMAPS Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 993 as the Port.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value |
|---|---|---|
| Standard Options | Server Initiating Protocol | IMAP4 |
| | Idle Connection Timeout | 3600 |
| Real Servers | Checked Port | 993 |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 993 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.4 Create the NGINX IMAPS Offloaded Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 993 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value | Comments |
|---|---|---|---|
| Standard Options | Server Initiating Protocol | IMAP4 | |
| | Idle Connection Timeout | 3600 | |
| SSL Properties | SSL Acceleration | Enabled | |
| | Supported Protocols | TLS1.0, TLS1.1, TLS1.2, TLS1.3 | While this workload may not support TLS1.3 yet, Kemp recommends enabling it for future proofing. TLS1.3 is currently only supported on software LoadMasters. |
| | Cipher Set | BestPractices | |
| Real Servers | Checked Port | 143 | |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 993 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.5 Create the NGINX POP Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 110 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value |
|---|---|---|
| Standard Options | Idle Connection Timeout | 3600 |
| Real Servers | Checked Port | 110 |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 110 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.6 Create the NGINX POP with STARTTLS Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 110 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value | Comments |
|---|---|---|---|
| Basic Properties | Service Type | STARTTLS protocols | |
| Standard Options | Idle Connection Timeout | 3600 | |
| SSL Properties | Supported Protocols | TLS1.0, TLS1.1, TLS1.2, TLS1.3 | While this workload may not support TLS1.3 yet, Kemp recommends enabling it for future proofing. TLS1.3 is currently only supported on software LoadMasters. |
| | Cipher Set | BestPractices | |
| Real Servers | Checked Port | 110 | |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 110 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.7 Create the NGINX POPS Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 995 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value |
|---|---|---|
| Standard Options | Server Initiating Protocols | POP3 |
| | Idle Connection Timeout | 3600 |
| Real Servers | Checked Port | 995 |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 995 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.8 Create the NGINX POPS Offloaded Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 995 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value | Comments |
|---|---|---|---|
| Standard Options | Server Initiating Protocols | POP3 | |
| | Idle Connection Timeout | 3600 | |
| SSL Properties | SSL Acceleration | Enabled | |
| | Supported Protocols | TLS1.0, TLS1.1, TLS1.2, TLS1.3 | While this workload may not support TLS1.3 yet, Kemp recommends enabling it for future proofing. TLS1.3 is currently only supported on software LoadMasters. |
| | Cipher Set | BestPractices | |
| Real Servers | Real Server Check Method | Mailbox (POP3) Protocol | |
| | Checked Port | 110 | |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 995 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.9 Create the NGINX SMTP Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 587 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value |
|---|---|---|
| Standard Options | Server Initiating Protocols | SMTP |
| | Persistence Mode | Source IP Address |
| | Persistence Timeout | 1 Hour |
| | Idle Connection Timeout | 120 |
| Real Servers | Checked Port | 587 |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 587 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.10 Create the NGINX SMTP with STARTTLS Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 25 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value | Comments |
|---|---|---|---|
| Basic Properties | Service Type | STARTTLS protocols | |
| Standard Options | Persistence Mode | Source IP Address | |
| | Persistence Timeout | 1 Hour | |
| | Idle Connection Timeout | 120 | |
| SSL Properties | Supported Protocols | TLS1.0, TLS1.1, TLS1.2, TLS1.3 | While this workload may not support TLS1.3 yet, Kemp recommends enabling it for future proofing. TLS1.3 is currently only supported on software LoadMasters. |
| | Cipher Set | BestPractices | |
| Real Servers | Checked Port | 25 | |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 25 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.11 Create the NGINX SMTPS Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 587 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value |
|---|---|---|
| Standard Options | Server Initiating Protocols | SMTP |
| | Persistence Mode | Source IP Address |
| | Persistence Timeout | 1 Hour |
| | Idle Connection Timeout | 120 |
| Real Servers | TCP Connection Only | 587 |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 587 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

2.3.12 Create the NGINX SMTPS Offloaded Virtual Service

Follow the steps below to create and configure the recommended settings for the Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

2. Type a valid IP address in the Virtual Address text box.

3. Type 587 in the Port text box.

4. Enter a recognizable Service Name.

5. Ensure tcp is selected as the Protocol.

6. Click Add this Virtual Service.

7. Configure the settings as shown in the following table:

| Section | Option | Value | Comments |
|---|---|---|---|
| Standard Options | Server Initiating Protocols | SMTP | |
| | Persistence Mode | Source IP Address | |
| | Persistence Timeout | 1 Hour | |
| | Idle Connection Timeout | 120 | |
| SSL Properties | SSL Acceleration | Enabled | |
| | Supported Protocols | TLS1.0, TLS1.1, TLS1.2, TLS1.3 | While this workload may not support TLS1.3 yet, Kemp recommends enabling it for future proofing. TLS1.3 is currently only supported on software LoadMasters. |
| | Cipher Set | BestPractices | |
| Real Servers | Real Server Check Method | Mail (SMTP) Protocol | |
| | Checked Port | 25 | |

8. Add the Real Servers:

a) Expand the Real Servers section.

b) Click Add New.

c) Type the address of the Real Server.

d) Type 587 as the Port.

e) Click Add This Real Server.

f) Repeat the steps above to add more Real Servers as needed, based on the environment.

Last Updated Date

This document was last updated on 30 January 2019.
