
PDF NGINX Unit Cookbook - TRƯỜNG ĐẠI HỌC BÁCH KHOA HÀ NỘI

Nguyễn Gia Hào

Academic year: 2023


Full text

NGINX Unit Cookbook, the cover image and associated branding are trademarks of O'Reilly Media, Inc. NGINX Unit allows me to effectively deploy web application environments across a wide variety of use cases and language ecosystems with a common middleware server. Additional materials (code samples, exercises, etc.) can be downloaded at https://github.com/dejonghe/nginx_unit_examples/tree/master/2020.

This chapter introduces you to NGINX Unit in a traditional book format before switching to the O'Reilly Cookbook format in Chapter 2.

Unit Introduction and Features

  • Application Landscape and Unit Project History
  • Dynamic Web Application Server
  • Polyglotism
  • API-Driven Configuration and Server Management
  • Conclusion

Each application served by Unit is run by an isolated process or set of processes. With NGINX Unit, teams are able to code in the application language that makes the most sense for the service they provide to the end user. NGINX Unit has a unique place in system architectures because it consolidates the number of different middleware server types needed to run a polyglot system.

Other installation methods, such as compiling from source and using third-party repositories, are also included to enable success with NGINX Unit on virtually any Linux-based platform.

Installation

  • Red Hat–Based Systems (.rpm)
  • Debian-Based Systems (.deb)
  • Go and NPM
  • Third-Party Repositories
  • Installing from Source

The file you just created instructs the apt package management system to use the official NGINX Unit package repository. The application object defines attributes of the application that Unit runs, such as the language, process controls, and location on the file system. The example uses some attributes that can be applied to a PHP process, such as root and index.

You need to understand the NGINX Unit listener object for your application to listen for requests.

Configuration

  • Application Object
  • Listener Object
  • Route Object
  • Proxying
  • Static Files
  • Upstreams/Load Balancing
  • Targets

Application-specific attributes are focused on the application's entry point, such as the project directory or main executable. The max and spare attributes are integers giving the maximum number of processes and the number of spare processes that should be kept on hand. The idle_timeout attribute is the number of seconds a process may remain idle before it is terminated when the number of standby processes is excessive.

The section on application objects teaches you how to apply them to the Unit configuration, and the Recipe 4.2 section teaches you how to apply listener objects. The routes attribute of the Unit configuration can be configured either as an array of route steps or as an object of named route arrays.

Ranges, in the format {start_port}-{end_port}, are supported for the IP and Port portions of the source and destination options. To match a request for a composite match option, the request must match all of the option's attributes. The value attribute behaves exactly like a simple type match option, accepting a string pattern or an array of string patterns.

The files are served with the access rights of the user Unit is running as, usually root, so a shared directory should contain only files you intend to expose. Routing to a target is done by appending the target's name to the application's name in the pass value.
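The configuration objects described above, combined into one Unit configuration as an added example (this is not a listing from the book or from the Unit project). It assumes a PHP application named blog under /var/www/blog, a dedicated system user and group named blog, and an internal address range 10.0.0.1-10.0.0.254 that is allowed to reach the administrative paths; all of those names and values are constructed for the example. The route steps are evaluated in order, so the first step admits administrative paths only from the internal range, the second step rejects them from everyone else with a 403, and the final step passes all remaining requests to the application. The processes object applies the max, spare and idle_timeout limits discussed above, and user and group keep the application's processes off the root account.

```json
{
  "listeners": {
    "*:8080": { "pass": "routes" }
  },
  "routes": [
    {
      "match": {
        "host": "blog.example.com",
        "uri": ["/admin/*", "/wp-login.php"],
        "source": "10.0.0.1-10.0.0.254"
      },
      "action": { "pass": "applications/blog" }
    },
    {
      "match": { "uri": ["/admin/*", "/wp-login.php"] },
      "action": { "return": 403 }
    },
    {
      "action": { "pass": "applications/blog" }
    }
  ],
  "applications": {
    "blog": {
      "type": "php",
      "root": "/var/www/blog",
      "index": "index.php",
      "user": "blog",
      "group": "blog",
      "processes": { "max": 10, "spare": 2, "idle_timeout": 20 }
    }
  }
}
```

The whole document can be applied with a single PUT to the control API's /config endpoint (for example `curl -X PUT --data-binary @config.json --unix-socket /var/run/control.unit.sock http://localhost/config`, where the socket path is the one used by the Debian packages and differs per distribution). Because a PUT replaces everything previously stored at that endpoint, retrieve the running configuration with a GET first if you need to preserve objects defined elsewhere.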

Figure 3-1 depicts this simple routing example. Route steps are evaluated in the order of their appearance.

Usage and Operations

Startup and Shutdown

When Unit is installed via a repository, a startup file for a service manager such as init.d or systemd is also installed and configured. The service manager used to start the Unit daemon depends on the type of system it is running on.

Applying Configuration

In accordance with the REST standard, a PUT request overwrites any configuration previously defined for a given entity. Alternatively, you can create all of these objects at once by using the entire config‐. This command removes any other listeners, apps, and routes that may have been previously defined.

In the examples for this solution, we build on the examples from Chapter 3 by submitting. Using a GET method, you retrieved the entire configuration of the running NGINX Unit server and stored it in a configuration file. It is important to note what each HTTP method does to the entity targeted by the RESTful API endpoint.

A PUT sets the configuration or value for a given entity, overwriting what was previously configured.

Figure 4-1 depicts the routing at this point.

Limits

Unit naturally separates applications by creating separate processes for each one, enabling isolation at the process and memory layers. Each application process can be owned by a separate user, which also enables security at the file permission layer. Next, NGINX Unit has full SSL/TLS support, which enables Unit to serve applications over encrypted HTTPS connections.

Finally, the system user accounts used to run Unit (the account running the unitd daemon, the control socket owner, and application-specific user and group accounts) allow access rights to be adjusted. Unit runs each application as a separate process or group of processes, so each application can run as a separate system user.

Security

Unix User Permissions

Linux Namespace Isolation

This example implements all available Linux namespace configurations for an NGINX Unit application. A Linux namespace wraps a global system resource in an abstraction that makes processes within the namespace appear to have their own isolated instance of the global resource. Changes to the resource are visible to other processes that are members of the namespace, but invisible to processes outside it.

This type of isolation is similar to Docker and LXC in that they use Linux namespaces and cgroups to separate containers. This isolation is available on Linux systems and may not be fully supported by every operating system that NGINX Unit is capable of running on, such as FreeBSD, macOS, and Solaris. The uidmap and gidmap options are only available if the operating system supports Linux user namespaces.
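An isolation object for the application from the previous configuration, as an added example rather than the book's own listing. It assumes Unit is running on a Linux kernel with unprivileged user namespaces enabled and that the system user blog has uid and gid 1000; both are constructed assumptions, and the map values must match the real account on your host. The six namespace switches are the ones Unit's isolation object accepts. credential (the user namespace), pid and uname are enabled so the application sees its own uid/gid mapping, process tree and host name; network is left disabled because a fresh network namespace has no interfaces, which breaks an application that must reach a database over TCP; mount and cgroup are left disabled because they are only useful together with a separate root file system or cgroup hierarchy, neither of which this example sets up. uidmap and gidmap require credential to be true.

```json
{
  "applications": {
    "blog": {
      "type": "php",
      "root": "/var/www/blog",
      "index": "index.php",
      "user": "blog",
      "group": "blog",
      "isolation": {
        "namespaces": {
          "credential": true,
          "pid": true,
          "uname": true,
          "network": false,
          "mount": false,
          "cgroup": false
        },
        "uidmap": [{ "container": 1000, "host": 1000, "size": 1 }],
        "gidmap": [{ "container": 1000, "host": 1000, "size": 1 }]
      }
    }
  }
}
```

After applying the object to /config/applications/blog, a quick check from the host is to compare the namespace inode numbers of an application process with those of the unitd main process (`ls -l /proc/<pid>/ns/`); the pid, uts and user entries of the application process should differ from the daemon's, while net should be the same because network isolation was left off.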

Related Linux manual pages: namespaces(7), cgroup_namespaces(7), user_namespaces(7), mount_namespaces(7), network_namespaces(7), pid_namespaces(7), uts_namespaces(7) (the uname namespace), and chroot(2).

API Security Through Encryption

This recipe combines the certificate, certificate authority chain, and key into a bundle that can be used by NGINX Unit. Once uploaded to Unit's certificate store, the certificate can be referenced by listeners. The listener references the application through the pass attribute, as well as the uploaded certificate bundle object.

Confirmation that the TLS certificate is properly configured can be done by making a request to the listener. Using the verbose flag, -v, when issuing the curl command will print the TLS handshake operations if the certificate is properly configured. You will also learn how to serve applications based on common frameworks such as Django, Flask (Python frameworks) and Express (a Node.js framework).
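A TLS-enabled listener that references a bundle stored under the name bundle in Unit's certificate store, as an added example that is not a listing from the book. It assumes the bundle was built by concatenating the certificate, the CA chain and the private key in that order (`cat cert.pem chain.pem key.pem > bundle.pem`) and uploaded with a PUT of the raw file to the certificates endpoint (`curl -X PUT --data-binary @bundle.pem --unix-socket /var/run/control.unit.sock http://localhost/certificates/bundle`); the socket path and the application name blog are constructed assumptions from the earlier example.

```json
{
  "listeners": {
    "*:443": {
      "pass": "applications/blog",
      "tls": { "certificate": "bundle" }
    }
  }
}
```

Because the bundle contains the private key, restrict read access to the file before uploading it and delete it from the working directory afterwards; the key is held by Unit's certificate store once the PUT succeeds. Verifying the result with `curl -v https://blog.example.com/` shows the handshake and the certificate chain Unit presents, and a GET on /certificates lists the stored bundles without exposing key material.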

This chapter demonstrates how to install programs on a system and ensure that they have the correct file permissions and the NGINX Unit configuration necessary to operate them. To install WordPress, if you haven't already, check the prerequisites to make sure you have the necessary requirements. Configure a PHP application object as well as a listener object and pass both objects to the NGINX Unit control interface.

Application Integration

  • WordPress
  • Django
  • Flask
  • Express
  • Ruby

Once the application code is on the file system, WordPress needs to be told how to connect to the database. If a static file is not found, the request is sent to the main index.php script. If a virtual environment is used, the optional home attribute can be set to the base directory of the virtual environment.

The default Express HTTP server, ServerResponse, and IncomingMessage objects from the standard http package must be replaced with the objects provided by the unit-http package. In this recipe, the unit-http package is installed in the project and its objects are used instead of the default http server objects. Finally, the Unit application and listener objects are constructed and passed to the Unit Control API.

The configuration then defines a listener object that instructs Unit to send incoming requests on the interface to be routed to the ruby_app application. This example further demonstrates how a properly configured server block can receive connections and route the request to the upstream block. Incoming connections to the NGINX server will be processed and requests matching the configured server definition will be routed to the configuration in this server block.

In this example, all configuration requests are sent to the NGINX Unit server for processing. The NGINX Unit server returns the response to the NGINX server, which returns it to the client.

Ecosystem Integration

  • Reverse Proxying to Unit Applications Through NGINX
  • Securely Serving the NGINX Unit Control API
  • Containerized Environment
  • Deployments

In short, this recipe assumes that the NGINX server block is configured according to the necessary requirements and security-related guidelines. In a reverse proxy situation, the NGINX server is configured on the same physical or virtual machine as NGINX Unit. In a load balancing situation, the NGINX server is configured with an upstream block containing several remote server directives.

This recipe configures the NGINX reverse proxy server to serve the NGINX Unit control interface over an HTTPS connection. The NGINX server is configured to only serve on port 443 and to only accept encrypted connections. Once all security measures are met, NGINX will send the request to the NGINX Unit control interface.

This recipe demonstrates the basics of using NGINX Unit as a proxy server for dockerized applications. The Docker image is then run with Docker's port-publishing (-p) flag to expose the listener to the host. This book focused on the NGINX Unit server, its capabilities, its configuration, and where it fits into your system architecture.

By going through these recipes, you have gained practical knowledge about installing NGINX Unit and Unit configuration elements. I hope this book has given you the ability to effectively manage NGINX Unit in your web application landscape.

Figures

Figure 3-1. Simple NGINX Unit routing
Figure 3-2 depicts the routing of a scenario that merges these two route configuration examples, naming the first example route  blog .
Figure 3-2. Named NGINX Unit routing
