
NGINX-MOD: a better, faster NGINX build



As you may know, our repository holds the latest stable NGINX and a vast array of dynamic modules for it.

However, some performance-oriented folks are always looking to speed up what's already fast: NGINX itself.

There are some open source patches for it, mainly by Cloudflare, that improve things further. So I've decided to save the trouble for the many people relying on manual compilation, and build this better, patched NGINX as a package that is compatible with all the NGINX modules we have! I call it NGINX-MOD.

At present, NGINX-MOD is based on the latest stable NGINX with the following:

  • Latest OpenSSL 1.1.x (allows for TLS 1.3 to be configured)
  • Patch for HTTP/2 HPACK (performance)
  • Patch for dynamic TLS records (performance)

More on those patches in the documentation below.

How to install NGINX-MOD

yum -y install https://extras.getpagespeed.com/release-el7-latest.rpm
yum -y update getpagespeed-release
yum -y install yum-utils
yum-config-manager --enable getpagespeed-extras-nginx-mod
yum install nginx

How to switch to NGINX-MOD from our regular NGINX

If you were using our regular NGINX build, you can run a series of commands to upgrade to NGINX-MOD without affecting installed modules or configuration:

yum -y update getpagespeed-release
yum -y install yum-utils
yum-config-manager --enable getpagespeed-extras-nginx-mod
yum update nginx

How to switch back to stable NGINX

To go back to the stable package while preserving the existing configuration:

yum-config-manager --disable getpagespeed-extras-nginx-mod
rpm --erase --justdb --nodeps nginx-mod
yum install nginx
yum history sync

Quick Documentation

What is HPACK Patch

The HPACK patch implements full HPACK in NGINX. In short, this allows for compressing HTTP headers.

This build has some configuration directives that are not available in regular builds. Let's document them here.

Configuration Directives

The following configuration directives are added by the dynamic TLS records patch.

ssl_dyn_rec_enable on|off

Whether to enable dynamic TLS records.

ssl_dyn_rec_size_lo

The TLS record size to start with. Defaults to 1369 bytes (designed to fit the entire record in a single TCP segment: 1369 = 1500 - 40 (IPv6) - 20 (TCP) - 10 (Time) - 61 (Max TLS overhead)).

ssl_dyn_rec_size_hi

The TLS record size to grow to. Defaults to 4229 bytes (designed to fit the entire record in 3 TCP segments).

ssl_dyn_rec_threshold

The number of records to send before changing the record size.

Because we build with latest OpenSSL:

ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];

This is not a new directive, but since we build with the most recent stable OpenSSL, the TLSv1.3 value can be used.

Verification

To verify how you benefit from NGINX-MOD, you can run some tests.

Check HTTP/2 headers compression

yum install nghttp2
h2load https://example.com -n 2 | tail -6 | head -1

Example output:

traffic: 71.46KB (73170) total, 637B (637) headers (space savings 78.68%), 70.61KB (72304) data

If you see 50% or more space savings, then it means that full HPACK compression is utilized.
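
The same check as a reusable shell function, added here as an example and not part of the original article: it finds the traffic line by pattern instead of by position in the output and applies the 50% threshold above. The function names and the low-savings sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluate HPACK header savings from h2load output.
# Real use:  h2load https://example.com -n 2 | hpack_check

# Sample taken from the example output in the article.
SAMPLE_FULL='traffic: 71.46KB (73170) total, 637B (637) headers (space savings 78.68%), 70.61KB (72304) data'
# Constructed sample: what a build without full HPACK might report.
SAMPLE_LOW='traffic: 72.71KB (74454) total, 2.10KB (2150) headers (space savings 28.05%), 70.61KB (72304) data'

# hpack_savings: read h2load output on stdin and print the header
# "space savings" percentage (for example 78.68).
# Returns 1 when no traffic summary line is present.
hpack_savings() {
    pct=$(sed -n 's/^traffic:.*headers (space savings \([0-9][0-9.]*\)%).*/\1/p' | head -n 1)
    [ -n "$pct" ] || return 1
    printf '%s\n' "$pct"
}

# hpack_check [threshold]: read h2load output on stdin.
# Returns 0 when savings >= threshold (default 50, the figure from the article),
# 1 when savings are below it, 2 when the output could not be parsed
# (for example, the connection failed and h2load printed no summary).
hpack_check() {
    threshold=${1:-50}
    pct=$(hpack_savings) || {
        echo "no traffic summary found in h2load output" >&2
        return 2
    }
    # awk handles the floating-point comparison that [ ] cannot do.
    if awk -v p="$pct" -v t="$threshold" 'BEGIN { exit !(p + 0 >= t + 0) }'; then
        echo "header space savings ${pct}%: full HPACK compression is in use"
    else
        echo "header space savings ${pct}%: below ${threshold}%, full HPACK is likely not in use"
        return 1
    fi
}

# Demo on the article's sample line.
printf '%s\n' "$SAMPLE_FULL" | hpack_check
```
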
