Add content

slides/content.md

@@ -105,106 +105,219 @@ curl -L poul.org
 
 ---
 
-# NGINX
+## Reverse proxy
+
+- An HTTP **forward proxy** is a server the browser **(knowingly)** connects to in order to access HTTP resources
+- An HTTP **reverse proxy** is a server that *pretends* to be the requested service
+  - It will **transparently** provide the requested resources
+
+----
+
+## Why are reverse proxies useful?
+
+- Load balancing
+  - We have a number of instances of the same web app
+  - The reverse proxy will distribute the requests uniformly
+
+----
+
+## Why are reverse proxies useful?
+
+- High availability
+  - The reverse proxy may be configured detect the target services' health
+  - It will send requests to the other instances until it's fixed
+  - We can perform maintenances on one instance while the others are taking its load
+
+----
+
+## Why are reverse proxies useful?
+
+- Running multiple services on the same server
+  - The reverse proxy can direct requests to different services running on the same machine,
+    based on configurable parameters such as the domain name
 
 ----
 
-## Architettura
+## Why are reverse proxies useful?
+
+- Retro-fitting TLS or other new standards
+  - We can serve over TLS (HTTPS) services that do not support it
+  - We can serve over HTTP/2 services that do not support it
+
+---
+
+## NGINX
+
+- It is a web server
+  - It can serve files from a directory over HTTP(S)
+- It is a reverse proxy
+  - It can proxy services over a number of protocols
+  - Most interesting: HTTP, FastCGI
+
+----
 
-Due tipi di processo:
+## Architecture
 
-- **Processo master**: processo principale, eseguito come root
- - Legge i file di configurazione
- - Apre il socket usato per comunicare con i processi worker
+- **Master process**: main process, (optionally) run as root
+ - Reads configuration files
+ - Orchestraters and handles communication with workers
 
-- **Processi worker**: eseguiti come utente non amministratore (`www-data` su
-  Debian)
+- **Worker processes**: run as non-root user (i.e. `www-data` on debian)
  - Gestiscono le richieste
 
 ----
 
-## Installazione
+## Installation
 
-In Debian ci sono tre diversi pacchetti:
+- Official packages are available for a number of distributions
+- However, we will use Docker/Podman
 
-- `nginx-light`: versione minimale
-- `nginx` (`nginx-full`): quello che vi serve
-- `nginx-extras`: bloated
+```bash
+docker run -it -p 80:80 -p 443:443 nginx:1-alpine
+podman run -it -p 80:80 -p 443:443 nginx:1-alpine
+```
 
-[Qua](https://wiki.debian.org/Nginx#Recap_of_the_different_modules_in_every_package_.28starting_Squeeze-Backports.29) un confronto completo
+<small>We'll use the Alpine image since it's smaller</small>
 
 ----
 
-## Comandi
+## Commands
+
+Since we'll be using containers, we'll have to use our container engine
+to perform some tests on nginx.
+
+That is usually a matter of running:
 
-- Controllare la versione installata:
 ```
-sudo nginx -v
+docker/podman ps      # get the container ID
+docker/podman run -it <container ID> <our command>
 ```
 
-- Lista dei moduli abilitati
+<small>
+<ul>
+  <li>`-i`: run an interactive program</li>
+  <li>`-t`: allocate a terminal</li>
+</ul>
+</small>
+
+----
+
+## Commands
+
+- Check if the config is valid without loading it (**very useful**)
 ```
-sudo nginx -V
+nginx -t
 ```
 
-- Controllare se la configurazione è valida
+- List the installed modules 
 ```
-sudo nginx -t
+nginx -V
 ```
 
-- Ricaricare la configurazione
+- Reload the configuration (without restarting the container)
 ```
-sudo nginx -s reload
+nginx -s reload
 ```
 
 ----
 
 ## nginx.conf
 
-Direttive: semplici o a blocco
+Default config from container
+
 ```
-nome parametri;
+user nginx;
+worker_processes auto;
 
-nome {
-    altre direttive;
-    ...
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
 }
+
+http {
+
+... (continues)
 ```
-Sono presenti:
-- 1 blocco **events**
-- 1 blocco **http**
-- N blocchi **server**
-- N blocchi **location**
 
 ----
 
-## nginx.conf
+### nginx.conf
 
 ```
-user www-data;
-worker_processes 1;
-pid /run/nginx.pid ;
-
-events {
-    worker_connections 128;
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;     # optimize for sending files
+    #tcp_nodelay    on;     # send packets ASAP
+    #tcp_nopush     on;     # try to fill packets before sending
+    keepalive_timeout  65;
+    #gzip  on;              # enable compression (good!)
+    include /etc/nginx/conf.d/*.conf;
 }
+```
 
-http {
-    server {
-        location {
-        }
+----
+
+### conf.d/default.conf
+
+```
+server {
+    listen       80;
+    server_name  localhost;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
     }
 }
 ```
+<small>I removed the commented lines for brevity</small>
+
+----
+
+## nginx.conf
+
+We must have:
+- 1 **events** block
+- 1 **http** block
+  - N **server** blocks
+    - N **location** blocks
 
 ----
 
 ## nginx.conf
 
-- **events** è indipendente
-- **http** contiene i blocchi **server**
--  **server** contiene i blocchi **location**
-- suggerimento: applicare le direttive al blocco più esterno
+How do we override the container's config?
+
+With a **volume**!
+
+```bash
+docker/podman run \
+  -v /path/to/nginx.conf:/etc/nginx/nginx.conf:ro \
+  -v /path/to/nginx/conf.d:/etc/nginx/conf.d:ro \
+  -p 80:80 -p 443:443 \
+  nginx:1-alpine
+```
+
+<small>Note that we made sure everything is mounted read-only</small>
+
+----
+
+## Virtual Hosts
+
+With virtual hosts we can accomplish serving multiple sites from the same server
 
 ----
 
@@ -230,12 +343,10 @@ http {
 
 ## Location blocks
 
-- Quando si ha a che fare con file e cartelle
-- Per indicare a NGINX cosa fare quando una specifica risorsa viene richiesta
-- Si può usare il percorso esatto o un'espressione regolare, con un opportuno
-  prefisso
+- Used to tell NGINX what to do with particular URL paths
+- We can discriminate against specific paths or a regular expressions
 
- ```
+```
 server {
     location / {
         root /var/www/html;
@@ -246,7 +357,16 @@ server {
         root /var/www/images;
     }
 }
- ```
+```
+
+---
+
+## Reverse proxying applications
+
+We will see how to reverse-proxy apps over
+
+- HTTP
+- FastCGI
 
 ----
 
@@ -255,9 +375,10 @@ server {
 ```
 server {
     location / {
-        proxy_pass http://localhost:8080;
+        proxy_pass http://other_container:8080;
     }
 
+    # Serve images directly, improves performance
     location ~ \.(gif|jpg|png)$ {
         root /var/www/images;
     }
@@ -271,7 +392,9 @@ server {
 ```
 server {
     location / {
-        fastcgi_pass  localhost:9000;
+        fastcgi_pass  other_container:9000;
+        # Or with UNIX domain sockets
+        #fastcgi_pass unix:///var/run/gunicorn.sock;  
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param QUERY_STRING    $query_string;
     }
@@ -282,30 +405,47 @@ server {
 }
 ```
 
-[Guida completa](http://www.patricksoftwareblog.com/how-to-configure-nginx-for-a-flask-web-application/) usando Gunicorn
-
 ---
 
-# HTTPS
+## HTTPS (HTTP over TLS)
+
+Why is it important?
+
+- For many top-level domain names it's mandatory
+- It ensures the **communication is private**
+- As a side effect, it also ensures **integrity** of the content
+
+----
+
+## X.509 certificates
+
+- In most server-client TLS connections, the client wants the server to authenticate itself
+  - <small>Sometimes the client is also authenticated (i.e. Agenzia delle Entrate website, authentication
+    with Tessera Sanitaria)</small>
+- The authentication is done using **X.509 certificates**
 
 ----
 
-## HTTPS in breve
+## X.509 certificates
+
+- When a TLS connection is made, the browser will check whether the certificate
+  - Is valid for the website's **domain name**
+  - Is valid right now (certificates **expire**)
+  - Is itself **signed** by a known, trusted **Certification Authority**
+  - It has not been **revoked** by the CA
+
+Certification Authority certificates usually come with the **OS** or the **browser** itself.
 
-- Scegli un cifrario simmetrico abbastanza veloce (AES)
-- Scegli una chiave casuale (chiave di sessione)
-- Cifra la chiave usando un cifrario a chiave pubblica
-- Inviala al client
-- Ora può essere usata come segreto condiviso per AES
 
 ----
 
-## Certificati
+## X.509 certificates
+
+- In the past, in order to get a signed certificate you would have to pay a CA
+- They would check your identity and see if you're really entitled for the cert
+- They would then hand out a certificate, usually valid for 1 year
 
-- Nella parte di cifratura della chiave di sessione viene usato un certificato
-  per garantire l'identità del server.
-- I certificati vengono rilasciati da istituzioni col ruolo di **Certification
-  Authority** (CA)
+But today we have a simpler (and free) option...
 
 ----