As you may know, our repository holds the latest stable NGINX and vast array of dynamic modules for it.
However, some performance-oriented folks are always looking for speeding up what’s already fast – that is NGINX itself.
There are some open-source patches for it, mainly by Cloudflare to improve things further. So I’ve decided to save trouble for many people relying on a manual compilation, and build this better patched NGINX as a package that is compatible with all the NGINX modules we have! I call it – NGINX-MOD.
At present, the NGINX-MOD is based on latest stable NGINX with the following additions:
More on those patches in the documentation below.
yum install https://extras.getpagespeed.com/release-latest.rpm yum -y update getpagespeed-release yum -y install yum-utils yum-config-manager --enable getpagespeed-extras-nginx-mod yum install nginx
If you were using our regular NGINX build, you can run a series of commands to upgrade to NGINX-MOD without affecting installed modules or configuration:
yum -y update getpagespeed-release yum -y install yum-utils yum-config-manager --enable getpagespeed-extras-nginx-mod yum update nginx
There are some caveats here. Primarily, there is some modules which depend on a specific OpenSSL version:
So as long as you use NGINX-MOD and want to install any of such modules, keep this in mind:
nginx-mod-module-<foo>and their version is comprised of
<nginx version>.<openssl version>.<module version>so you can easily tell which OpenSSL they were compiled against and whether it’s a “mod” version
nginx-module-luawill be replaced with
Going back to the stable package while preserving existing configuration:
yum-config-manager --disable getpagespeed-extras-nginx-mod rpm --erase --justdb --nodeps nginx-mod # add "nginx-mod-module-lua" or "nginx-mod-module-rtmp" if you have them yum install nginx # add "nginx-module-lua" or "nginx-module-rtmp" if you use those modules yum history sync
Please refer here for additional documentation.
Some NGINX users seek to define rate-limiting of once in a day for specific resources. This is not possible with stock NGINX.
Our patch allows for a more fine-grained rate limit configuration. Examples:
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/h; # 1 request per hour limit_req_zone $binary_remote_addr zone=one:10m rate=1r/d; # 1 request per day limit_req_zone $binary_remote_addr zone=one:10m rate=1r/w; # 1 request per week limit_req_zone $binary_remote_addr zone=one:10m rate=1r/M; # 1 request per month limit_req_zone $binary_remote_addr zone=one:10m rate=1r/Y; # 1 request per year
It is important to note, that your defined zone memory size should allow retaining old IP entries before the defined rate will apply.
Example: you have defined a
10m zone and
1r/d for a particular resource.
10m can store around 160,000 IP addresses.
So if someone visits your rate-limited resource, and your traffic to it exceed 160K unique visitors within 24 hrs, then the same visitor can theoretically not be rate-limited within the same day, because information about his IP address will be evicted from memory after enough visitors visited the resource.
This note applies to the stock module’s configuration as well, but less so.
So the rules of thumb are:
HPACK patch implements full HPACK in NGINX. In short, this allows for compressing HTTP headers
There are some configuration directives in this build, which are not otherwise available in regular builds. Let’s document them here.
The following set of configuration directives are added by dynamic TLS records patch.
Whether to enable dynamic TLS records.
The TLS record size to start with. Defaults to 1369 bytes (designed to fit the entire record in a single TCP segment: 1369 = 1500 – 40 (IPv6) – 20 (TCP) – 10 (Time) – 61 (Max TLS overhead))
ssl_dyn_rec_size_hi: the TLS record size to grow to. Defaults to 4229 bytes (designed to fit the entire record in 3 TCP segments)
The number of records to send before changing the record size.
Because we build with latest OpenSSL:
ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];
Not a new directive. But since we build with the most recent stable OpenSSL, it allows for
TLSv1.3 value to be used.
To verify how you benefit from NGINX-MOD, you can run some tests.
yum install nghttp2 h2load https://example.com -n 2 | tail -6 |head -1
traffic: 71.46KB (73170) total, 637B (637) headers (space savings 78.68%), 70.61KB (72304) data
If you see 50% or more space savings, then it means that full HPACK compression is utilized.