Last year we introduced TCP load balancing in NGINX Plus for applications that don’t use HTTP as their transmission protocol. Applications like Microsoft Exchange 2013 and MySQL, and any SSL traffic that is not decrypted by NGINX Plus, all run over plain TCP.
NGINX Plus Release 7 (R7) greatly improves TCP load balancing with additional features to help you better secure your TCP applications against external threats. Tuning of TCP load balancing is also more flexible thanks to new configurable parameters. This post covers the new features in detail, explaining how to use them to accelerate, secure, and scale your applications that communicate over TCP.
Editor –
- NGINX Plus R9 and later extends support for the features described here to UDP traffic.
- For an overview of all the new features in NGINX Plus R7, see Announcing NGINX Plus R7 on our blog.
- For detailed discussions of other new features in NGINX Plus R7, see these related blog posts:
Apply Access Control and DDoS Protection to Secure Your TCP Services
NGINX Plus R7 introduces access controls, connection limiting, and bandwidth limits for TCP traffic. NGINX Plus now provides the same level of security and DDoS protection for TCP applications as for HTTP applications.
Access Controls
You can now allow or deny traffic to proxied or load‑balanced TCP servers based on specific client IP addresses and ranges. This is great for quickly blocking IP addresses that are attacking you or are known to be malicious (like those listed at Project HoneyPot). The configuration is fairly simple.
```nginx
server {
    # ...
    deny 72.46.166.10;
    deny 73.46.156.0/24;
    allow all;
}
```
The first `deny` directive blocks one IP address and the second a range of addresses, with all other addresses allowed through by the final `allow all` directive. The logic can also be reversed by allowing access from the IP addresses you specify and blocking everyone else with a final `deny all` directive.
For more information, see the ngx_stream_access_module documentation.
Connection Limiting
With NGINX Plus R7 you can limit the number of connections that clients can make to TCP applications proxied by NGINX Plus. Perhaps one part of your application is slower than other parts, for example if a request to that part generates a lot of database calls or in general initiates a lot of work on the back end. Attackers can exploit this by having hundreds or thousands of computers repeatedly making that same request.
With connection limiting, you can minimize the effect of these attacks by limiting the number of connections the attackers can make. This limits the power of each individual computer used in an attack.
```nginx
stream {
    limit_conn_zone $binary_remote_addr zone=my_limit_conn:10m;
    # ...
    server {
        limit_conn my_limit_conn 1;
        # ...
    }
}
```
In this example each IP address is limited to one connection. The NGINX variable `$binary_remote_addr` captures the client’s IP address.
For more information, see the ngx_stream_limit_conn_module documentation.
Bandwidth Limiting
NGINX Plus R7 includes new functionality to limit upload and download speed for each connection. Capping bandwidth slows down greedy downloaders.
```nginx
server {
    # ...
    proxy_download_rate 100k;
    proxy_upload_rate 50k;
}
```
With these settings a client can download data through a single connection at a maximum speed of 100 kilobytes per second, and upload data through a single connection at a maximum speed of 50 kilobytes per second. Keep in mind, however, that clients can open multiple connections. If the goal is to limit overall speed of loading per client, you must also limit the number of connections to one as described in the previous section.
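As an added example that is not part of the original post, the following stream configuration combines the three controls described above (access control, connection limiting and bandwidth limiting) in one server block fronting a MySQL service. The network ranges, addresses, port and upstream name are assumed for illustration only.

```nginx
stream {
    # Shared-memory zone keyed by client address; one entry per client
    limit_conn_zone $binary_remote_addr zone=per_client:10m;

    # Assumed backend pool
    upstream mysql_backend {
        server 10.0.0.11:3306;
        server 10.0.0.12:3306;
    }

    server {
        listen 3306;

        # Access control: rules are evaluated in order and the first match wins,
        # so the internal application network is allowed and everyone else denied
        allow 10.0.0.0/8;
        deny  all;

        # One connection per client address. Combined with the rate limits
        # below this caps each client's total throughput, not just the
        # throughput of a single connection
        limit_conn per_client 1;
        limit_conn_log_level warn;   # clients over the limit are logged at this level

        # Per-connection bandwidth caps
        proxy_download_rate 100k;
        proxy_upload_rate   50k;

        proxy_pass mysql_backend;
    }
}
```

Validate the file with `nginx -t` before reloading. Connections from addresses outside 10.0.0.0/8 are closed without reaching the backend, and a client that already holds a connection has any further connection attempt refused and recorded in the error log at the `limit_conn_log_level` you set, which gives you a signal to watch for abusive sources.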
More Configurable Load Balancing
With R7, we’ve added more configurable options to help you get the most out of NGINX Plus’ TCP load‑balancing capabilities.
Binding to a Specific IP Address
You can specify the IP address that NGINX Plus uses when talking to the backend servers it proxies. Include the `proxy_bind` directive:
```nginx
upstream backend {
    server backend1.example.com;
    server backend2.example.com;
}

server {
    # ...
    proxy_bind 192.168.1.100;
    proxy_pass backend;
}
```
In this example, NGINX Plus uses 192.168.1.100 as its address for all connections to the servers in the backend upstream group.
PROXY Protocol Support
NGINX Plus R7 adds support for the PROXY protocol. This provides a convenient way to safely transport connection information, such as a client’s IP address, across multiple layers of proxies.
A great use case comes from an NGINX customer that needed to decrypt a large volume of SSL traffic, more than a single NGINX instance could handle. The customer implemented two tiers – a frontend NGINX cluster that load balances TCP traffic across a larger secondary cluster that terminates the SSL connections.
The `proxy_protocol` directive is used to forward the client IP address to the second tier so it can be added as a header in the decrypted HTTP traffic.
Other Enhancements
There are a couple of other enhancements to TCP load balancing in NGINX Plus R7:
- The new `backlog` parameter to the `listen` directive limits the length of the queue of pending connections.
- The `tcp_nodelay` directive controls whether Nagle’s Algorithm is used. By default it is set to `on`, which disables Nagle’s Algorithm.
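As an added example that is not part of the original post, here is the two-tier layout from the PROXY protocol section above, together with the `backlog` and `tcp_nodelay` settings just listed. Tier 1 is a stream server that forwards the still-encrypted traffic with a PROXY protocol header prepended; tier 2 is an HTTP server on a separate instance that terminates SSL and recovers the real client address from that header. All addresses, ports, certificate paths and upstream names are assumed.

```nginx
# ---- Tier 1 (frontend instance): TCP load balancer, no decryption ----
stream {
    upstream ssl_terminators {
        server 192.168.2.10:443;
        server 192.168.2.11:443;
    }

    server {
        listen 443 backlog=4096;   # longer queue of not-yet-accepted connections
        tcp_nodelay on;            # the default; disables Nagle's Algorithm

        proxy_bind 192.168.1.100;  # source address used toward tier 2
        proxy_protocol on;         # send a PROXY header carrying the client address
        proxy_pass ssl_terminators;
    }
}

# ---- Tier 2 (terminator instance): decrypts and forwards as HTTP ----
http {
    upstream app_backend {
        server 10.0.1.20:8080;
    }

    server {
        # Expect the PROXY header ahead of the TLS handshake
        listen 443 ssl proxy_protocol;
        ssl_certificate     /etc/nginx/ssl/example.crt;   # placeholder paths
        ssl_certificate_key /etc/nginx/ssl/example.key;

        # Only honour the PROXY header when it arrives from tier 1
        set_real_ip_from 192.168.1.100;
        real_ip_header   proxy_protocol;

        location / {
            # $remote_addr is now the original client, not the tier-1 address
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://app_backend;
        }
    }
}
```

The `set_real_ip_from` entry is the part that keeps this safe: the PROXY header is plain text that any peer could send, so tier 2 should trust it only from the tier-1 source address, which is exactly what `proxy_bind` pins down on the other side. If you would rather not rewrite `$remote_addr`, the address from the header is also exposed directly as the `$proxy_protocol_addr` variable.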
Comparing NGINX Plus and NGINX Open Source
Both NGINX Plus and NGINX Open Source support TCP load balancing. NGINX Plus adds features that enhance TCP load balancing and provide more visibility into the load‑balanced traffic. The following table compares the two.
| Feature | NGINX Open Source | NGINX Plus |
|---|---|---|
| Core Features | | |
| TCP load balancing | Optional feature, enabled at compile time | Built‑in and fully supported by NGINX, Inc. |
| Load‑balancing methods | Round Robin, Hash, IP Hash, Least Connections | All NGINX Open Source methods, plus Least Time |
| PROXY_PROTOCOL support | ✅ | ✅ (New in R7) |
| SSL decryption and encryption | ✅ | ✅ |
| Dynamic Configuration | | |
| DNS configuration | Static (at configuration load) | Dynamic (DNS configuration can be regularly refreshed) |
| Dynamic load‑balancing configuration | ❌ | ✅ |
| High Availability | | |
| Passive health checks | ✅ | ✅ |
| Application‑aware health checks | ❌ | ✅ |
| Slow‑Start for recovered servers | ❌ | ✅ |
| Management and Monitoring | | |
| TCP load balancing metrics and health check data | ❌ | ✅ |
| Security and Access Controls | | |
| Access Control Lists (ACLs) | ✅ | ✅ (New in R7) |
| Bandwidth limiting | ✅ | ✅ (New in R7) |
| Client connection limits | ✅ | ✅ (New in R7) |
| Binding to a specific address | ✅ | ✅ (New in R7) |
| Server (upstream) connection limits | ❌ | ✅ |
Upgrade or Try NGINX Plus
If you’re running NGINX Plus, we strongly encourage you to update to Release 7 as soon as possible. You’ll pick up a number of fixes and improvements, and it will help us to help you if you need to raise a support ticket. Installation and upgrade instructions can be found at the customer portal. Not using NGINX Plus yet? Give it a try for free today!