Mastering Nginx Performance: Essential Config Tweaks and Kernel Optimizations
This guide compiles practical Nginx performance‑tuning directives, FastCGI settings, Linux kernel parameter adjustments, security hardening tips, and monitoring configurations, providing concrete examples and command‑line snippets to help sysadmins and developers optimize high‑concurrency web services.
Key Nginx Configuration Optimizations
worker_processes 8; – one worker per CPU core; worker_processes auto; (nginx 1.3.8 and later) reads the core count itself.
worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000; – pin each of the eight workers to its own core. One mask per worker, read with CPU 0 as the rightmost bit; worker_cpu_affinity auto; (1.9.10 and later) does the same without hand-written masks.
worker_rlimit_nofile 65535; – per-worker open-file limit. When the master process does not start as root this cannot exceed the service user's hard limit (ulimit -Hn, limits.conf, or LimitNOFILE in the systemd unit), and it is bounded by fs.nr_open in any case.
use epoll; – select the epoll event method (goes inside events {}; nginx already picks it on Linux).
worker_connections 65535; – simultaneous connections per worker (inside events {}); a proxied or FastCGI request consumes two of them, and the total cannot exceed worker_rlimit_nofile.
keepalive_timeout 60; – seconds an idle keep-alive connection is held open; long values tie up worker_connections for clients that have gone quiet.
client_header_buffer_size 4k; – buffer for the request line and headers, normally the system page size (getconf PAGESIZE); requests that do not fit spill into large_client_header_buffers.
open_file_cache max=102400 inactive=20s; – cache descriptors, sizes and modification times for up to 102400 files, dropping entries not touched for 20s.
open_file_cache_valid 30s; – re-validate cached entries every 30s, so a replaced file can be served stale for up to that long.
open_file_cache_min_uses 1; – uses within the inactive window before an entry is kept.
server_tokens off; – drop the version from the Server header and the built-in error pages.
sendfile on; – hand static files to the kernel with sendfile(2) instead of copying them through user space.
tcp_nopush on; – with sendfile, cork the socket so the headers and the start of the file leave in full packets.
tcp_nodelay on; – disable Nagle's algorithm so the tail of a keep-alive response is not held back.
FastCGI Directive Overview
fastcgi_cache_path /usr/local/nginx/fastcgi_cache levels=1:2 keys_zone=TEST:10m inactive=5m; – on-disk cache with a two-level directory layout, a 10 MB shared memory zone named TEST for the keys, and eviction of entries not requested for 5 minutes.
fastcgi_connect_timeout 300; fastcgi_send_timeout 300; fastcgi_read_timeout 300; – seconds allowed for connecting to, writing to and reading from the FastCGI backend; 300 is generous and lets a slow backend hold worker connections for a long time.
fastcgi_buffer_size 16k; – buffer for the first part of the response, which carries the headers.
fastcgi_buffers 16 16k; – buffers for the rest of the response, allocated per connection.
fastcgi_busy_buffers_size 32k; fastcgi_temp_file_write_size 32k; – how much may be in flight to the client before the response is read further, and the write chunk size when a response overflows the buffers into a temporary file.
fastcgi_cache TEST; – enable caching with the TEST zone.
fastcgi_cache_valid 200 302 1h; fastcgi_cache_valid 301 1d; fastcgi_cache_valid any 1m; – lifetimes by status code; note that any also caches 404 and 5xx responses for a minute.
fastcgi_cache_min_uses 1; – cache on the first request.
fastcgi_cache_use_stale error timeout invalid_header http_500; – serve a stale entry when the backend errors, times out or returns a 500.
Two caveats that the list above does not state. First, fastcgi_cache has no default key, so a fastcgi_cache_key such as $scheme$request_method$host$request_uri must be set or the cache is not usable. Second, anything that makes a response user-specific must either be part of the key or bypass the cache (fastcgi_cache_bypass and fastcgi_no_cache on a session cookie); nginx does not cache responses carrying Set-Cookie unless told to ignore that header, but a page that varies on a cookie without setting one will otherwise be served to the wrong user.
Kernel Parameter Tuning for High Concurrency
These go in /etc/sysctl.conf or a file under /etc/sysctl.d/ and are applied with sysctl -p (or sysctl --system):
net.ipv4.tcp_max_tw_buckets = 6000 – cap on sockets in TIME_WAIT; above it the kernel destroys them immediately and logs "time wait bucket table overflow", so 6000 is low for a busy server (the default scales with RAM and is typically far higher).
net.ipv4.ip_local_port_range = 1024 65000 – ephemeral ports for outbound connections, such as those to upstreams.
net.ipv4.tcp_tw_recycle = 0 – keep it disabled: it breaks clients behind NAT and the knob was removed in Linux 4.12.
net.ipv4.tcp_tw_reuse = 1 – allow TIME_WAIT sockets to be reused for new outbound connections; requires tcp_timestamps = 1.
net.ipv4.tcp_syncookies = 1 – answer with SYN cookies once the SYN backlog is full, so a SYN flood does not block new clients.
net.core.somaxconn = 262144 – ceiling for the listen(2) backlog. nginx only benefits if the listen directive sets backlog= (its Linux default is 511), and kernels before 5.4 keep the backlog in a 16-bit field, so values above 65535 are truncated there.
net.core.netdev_max_backlog = 262144 – packets queued on input when the CPU cannot keep up with the NIC.
net.ipv4.tcp_max_orphans = 262144 – sockets no longer attached to a process before the kernel starts resetting them.
net.ipv4.tcp_max_syn_backlog = 262144 – half-open connections remembered per listening socket.
net.ipv4.tcp_timestamps = 1 – needed by tcp_tw_reuse and by PAWS.
net.ipv4.tcp_synack_retries = 1 – retransmissions of the SYN-ACK; a low value sheds half-open connections quickly.
net.ipv4.tcp_syn_retries = 1 – retransmissions of outbound SYNs (connections to upstreams); with 1, a connect on a lossy path fails after about three seconds.
net.ipv4.tcp_fin_timeout = 30 – seconds a socket waits in FIN-WAIT-2 before being torn down.
net.ipv4.tcp_keepalive_time = 30 – idle seconds before TCP keepalive probes start (the default is 7200).
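Several of these knobs only work in combination, and a couple of the values above are questionable on their own. The script below is an added example, not part of the article, that lints a sysctl profile for those interactions before it is applied: it reads key = value lines on stdin, prints one WARN per finding and exits with the number of warnings. It assumes POSIX sh and awk; the sample profile is constructed from the values listed in this section, and the 16384 floor for tcp_max_tw_buckets is a judgement call rather than a kernel constant.

```shell
#!/bin/sh
# Added example: lint a sysctl profile for nginx hosts before `sysctl -p`.
# Assumes POSIX sh and awk. Exit status = number of warnings.

check_sysctl_profile() {
    awk -F'=' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
    { v[trim($1)] = trim($2) }
    END {
        w = 0
        if (v["net.ipv4.tcp_tw_recycle"] == "1") {
            print "WARN tcp_tw_recycle=1 breaks clients behind NAT and was removed in Linux 4.12"; w++
        }
        if (v["net.ipv4.tcp_tw_reuse"] == "1" && v["net.ipv4.tcp_timestamps"] == "0") {
            print "WARN tcp_tw_reuse=1 has no effect while tcp_timestamps=0"; w++
        }
        if (v["net.core.somaxconn"] + 0 > 65535) {
            print "WARN somaxconn above 65535 is truncated to 16 bits on kernels before 5.4"; w++
        }
        if (v["net.ipv4.tcp_syncookies"] != "1") {
            print "WARN tcp_syncookies should be 1 so a SYN flood cannot fill the backlog"; w++
        }
        # Threshold is an assumption: below it a busy server logs
        # "time wait bucket table overflow" and drops TIME_WAIT state early.
        if (v["net.ipv4.tcp_max_tw_buckets"] != "" && v["net.ipv4.tcp_max_tw_buckets"] + 0 < 16384) {
            print "WARN tcp_max_tw_buckets below 16384: TIME_WAIT sockets will be dropped early under load"; w++
        }
        exit w
    }'
}

# Constructed sample: the profile from this section in sysctl.conf syntax.
sample_profile() {
    cat <<'EOF'
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 30
EOF
}

# Apply a file only when the lint is clean. -e makes sysctl skip keys the
# running kernel lacks (tcp_tw_recycle on 4.12+). Path is hypothetical.
apply_profile() {
    file=${1:-/etc/sysctl.d/90-nginx.conf}
    check_sysctl_profile <"$file" && sysctl -e -p "$file"
}

sample_profile | check_sysctl_profile || echo "warnings: $?"
```

On the article's own values the linter reports two findings: the somaxconn value that older kernels truncate, and the low TIME_WAIT cap.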
Security‑Focused Nginx Settings
Disable directory listing: autoindex off;
Turn off server-side includes: ssi off;
Hide the server version: server_tokens off;
Limit request sizes:
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
These values are deliberately tiny: a 1k body limit rejects every upload with 413, and 1k header buffers reject long cookies or URIs with 400 or 414. Keep them as the global default and raise client_max_body_size only in the locations that accept uploads.
Set short timeouts so slow clients (Slowloris-style holds) cannot pin worker connections:
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 65;
send_timeout 10;
(keepalive_timeout is 60 in the tuning section above and 65 here; either is fine, but use one value.)
Limit concurrent connections per client address. The original limit_zone slimits $binary_remote_addr 5m; spelling was deprecated in nginx 1.1.8 and later removed; the current form is:
limit_conn_zone $binary_remote_addr zone=slimits:5m;
limit_conn slimits 5;
Clients behind one NAT share the 5-connection budget, so keep the limit loose enough for that, and combine it with limit_req for a per-address request rate.
Comprehensive Nginx Tuning Checklist
Hide the version (server_tokens off), run workers as an unprivileged user (user nginx;), match worker_processes and worker_cpu_affinity to the cores, use epoll, raise worker_connections and the file-descriptor limits, tune server_names_hash_bucket_size when many virtual hosts are configured, enable sendfile, configure keepalive, set upload limits with client_max_body_size, fine-tune the FastCGI buffers and cache, enable gzip (but not on responses that mix secrets with attacker-influenced content over TLS, where compression leaks length), set expires headers for static assets, rotate logs, lock down permissions on the configuration and document root, block hotlinking with valid_referers, customize error pages, apply anti-scraping rules (user-agent and rate limits), control concurrency with limit_conn and limit_req, and consider a cluster behind a load balancer.
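The hardening settings and several checklist items (unprivileged user, hidden version, upload limits, concurrency control, a restricted status page) fit in one small server block. The script below is an added example, not the article's configuration: it writes that block to a scratch prefix with the deprecated limit_zone replaced by limit_conn_zone, adds a limit_req zone and a per-location upload override, and syntax-checks the result with nginx -t when an nginx binary is installed. It assumes POSIX sh; the 127.0.0.1:8080 listener, the /upload path and the nginx user name are placeholders.

```shell
#!/bin/sh
# Added example: hardened server block written to a prefix and checked with
# `nginx -t`. Assumes POSIX sh. Listener, paths and user name are placeholders.

write_hardened_conf() {
    prefix=$1
    mkdir -p "$prefix/conf" "$prefix/logs"
    cat >"$prefix/conf/nginx.conf" <<'EOF'
user nginx;                        # workers drop to an unprivileged user
worker_processes 1;
pid nginx.pid;
error_log logs/error.log;
events { worker_connections 1024; }
http {
    server_tokens off;
    autoindex off;
    ssi off;

    # Per-client state: 10m of zone memory holds on the order of 160k
    # 64-byte entries keyed by the binary client address.
    limit_conn_zone $binary_remote_addr zone=slimits:10m;
    limit_req_zone  $binary_remote_addr zone=rlimits:10m rate=10r/s;

    # Small global defaults; raise only where an endpoint needs more.
    client_body_buffer_size     16k;
    client_header_buffer_size   1k;
    large_client_header_buffers 4 8k;
    client_max_body_size        1m;

    # Slow-client timeouts: a Slowloris-style hold dies here.
    client_body_timeout   10s;
    client_header_timeout 10s;
    send_timeout          10s;
    keepalive_timeout     60s;

    server {
        listen 127.0.0.1:8080;
        limit_conn slimits 5;
        limit_req zone=rlimits burst=20 nodelay;

        location / {
            return 200 "ok\n";
        }

        # Upload endpoint: larger body allowed, tighter concurrency.
        location /upload {
            client_max_body_size 50m;
            limit_conn slimits 2;
            return 200 "upload\n";
        }

        # Counters reveal traffic volume; never expose them off-host.
        location = /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
    }
}
EOF
    printf '%s\n' "$prefix/conf/nginx.conf"
}

# Syntax-check the generated file when nginx is available.
validate_conf() {
    prefix=$1
    if command -v nginx >/dev/null 2>&1; then
        nginx -t -p "$prefix" -c conf/nginx.conf
    else
        echo "nginx not installed; skipping nginx -t"
    fi
}

demo_prefix="${TMPDIR:-/tmp}/nginx-hardening-demo"
conf=$(write_hardened_conf "$demo_prefix")
echo "wrote $conf"
validate_conf "$demo_prefix" || echo "nginx -t reported a problem"
```

Running nginx -t as a non-root user only warns that the user directive is ignored; the same file passes cleanly under the real master process.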
Monitoring and Performance Observation
Compile Nginx with --with-http_stub_status_module (distribution packages usually include it; check with nginx -V 2>&1 | grep -o with-http_stub_status_module) and add a status location restricted to localhost:
location = /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
Query it with curl 127.0.0.1/nginx_status. The output is four lines: active connections, the accepts/handled/requests counters, and the Reading/Writing/Waiting breakdown; accepts minus handled is the number of connections dropped for lack of worker_connections or descriptors. Keep the allow/deny in place, since the counters reveal traffic volume and saturation. External tools such as ngxtop parse the access log for real-time request statistics:
pip install ngxtop
ngxtop top remote_addr                                          # most frequent client IPs
ngxtop -i 'status >= 400' print request status http_referer     # failed requests with their referrer
ngxtop -c /etc/nginx/nginx.conf -i 'status==200'                # take log path and format from the config
ngxtop -c /etc/nginx/nginx.conf -g remote_addr                  # group by client IP
Graphical monitoring can be added with tools such as nginx‑rrd (requires PHP integration).
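stub_status is the cheapest signal of saturation, but only if something turns its four lines into numbers. The script below is an added example (not from the article) that fetches the page with curl and reduces it to key=value pairs, including the dropped-connection count and requests per connection. It assumes POSIX sh, awk and curl; the sample_status text is constructed in the exact stub_status format, not captured from a real host, so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example: parse stub_status output into the numbers worth alerting on.
# Assumes POSIX sh, awk and curl. URL below is a placeholder.

fetch_status() {
    curl -sS --max-time 2 "${1:-http://127.0.0.1/nginx_status}"
}

# One key=value per line. dropped = accepts - handled: a non-zero value means
# worker_connections or the descriptor limit was hit.
summarize_status() {
    awk '
    /^Active connections:/ { active = $3 }
    /^server accepts handled requests/ { getline; accepts = $1; handled = $2; requests = $3 }
    /^Reading:/ { reading = $2; writing = $4; waiting = $6 }
    END {
        printf "active=%d\naccepts=%d\nhandled=%d\nrequests=%d\ndropped=%d\n",
               active, accepts, handled, requests, accepts - handled
        printf "reading=%d\nwriting=%d\nwaiting=%d\n", reading, writing, waiting
        if (handled > 0) printf "req_per_conn=%.2f\n", requests / handled
    }'
}

# Constructed sample in stub_status format (not captured from a real server).
sample_status() {
    cat <<'EOF'
Active connections: 291
server accepts handled requests
 16630948 16630946 31070465
Reading: 6 Writing: 179 Waiting: 106
EOF
}

# status_value KEY < summary  -> prints the value for KEY
status_value() {
    sed -n "s/^$1=//p"
}

# Live use: fetch_status | summarize_status
sample_status | summarize_status
```

A dropped count that grows between two samples is the signal to raise worker_connections or worker_rlimit_nofile; a Waiting figure close to active connections means keep-alive is holding idle clients and keepalive_timeout can come down.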