Ask HN: Do you use Nginx in production? or have you switched

  • We use HAProxy at the load balancers, and HAProxy/Varnish/Apache on the individual app server VMs.

    This separates concerns completely:

    - HAProxy knows about and manages the TLS, balancing, client routing etc;

    - Varnish knows about and manages response caching and ESI processing (and often a combination of both);

    - Apache knows about and runs the various backend services (a PHP web app, a couple of Ruby third-party tools, etc.)

    Nginx has some significant downsides compared to what we currently use, unless we opt for the paid version, which, best I can tell, is ~$1K/instance/month. These aren't hypothetical differences; these are features we actually use:

    - no sync for load balancing data (sticky peer data, rate limit data, etc): HAProxy supports this out of the box;

    - no active health checks: HAProxy supports this out of the box;

    - no API for purging cache: Varnish supports this out of the box.

    - no ESI support: Varnish supports this out of the box. Best I can tell even the paid version of nginx doesn't support this.

  • CDNs, ingress, etc... haven't had to use a web proxy directly for years. At the end of the day funnily enough it's still nginx or similar behind the scenes.

    Caddy for local development. Less config and setup.

  • It works, it's easy to configure, it's fast, and it's been solid for the 10 years I've used it.

  • I use Nginx:

      - as a layer on top of the app servers, for not having to expose Node.js, and for load balancing app servers,
    
      - brotli_static,
    
      - serving avif conditionally[1]
    
      - anonymizing IPs in logs
    
      - injecting the caching headers
    
      - injecting the CSP header
    
      - SSL Offloading
    
    Autorenewing SSL certificates within the server is not appealing to me because externally running a script to renew them is not much more complex and it's more secure.

    I mean, the autorenew bots need more privileges, such as:

      - HTTP challenges need to be via HTTP (not HTTPS) [2],
    
      - HTTP challenges need write permissions on a servable directory, 
    
      - DNS or HTTP challenges would need a program on a live server,
    
      - need ‘pass out’ firewall exceptions without IP scope. "We don’t publish a list of IP addresses we use to validate… Let’s Encrypt" [3]
    
    1. https://blog.uxtly.com/conditional-avif-for-video-posters

    2. https://datatracker.ietf.org/doc/html/rfc8555#section-8.3

    3. https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let...
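    The uses listed in this comment (TLS offloading in front of Node.js, anonymized IPs in logs, caching and CSP headers, brotli_static) as one added nginx configuration; this is example config, not the commenter's, and it assumes the ngx_brotli module is compiled in, Node.js instances on 127.0.0.1:3000/3001 and placeholder certificate paths.

    ```nginx
    # Anonymize the client address before it reaches the access log:
    # keep the first three IPv4 octets (or first two IPv6 hextets), zero the rest.
    map $remote_addr $remote_addr_anon {
        ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
        ~(?P<ip>[^:]+:[^:]+):       $ip::;
        default                     0.0.0.0;
    }

    log_format anon '$remote_addr_anon - [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent"';

    upstream node_app {
        server 127.0.0.1:3000;   # assumed app instances; never exposed directly
        server 127.0.0.1:3001;
    }

    server {
        listen 443 ssl;
        server_name example.com;                      # placeholder

        # TLS terminates here; traffic to the upstream stays plain HTTP on localhost.
        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;

        access_log /var/log/nginx/access.log anon;

        # "always" emits the header on error responses too.
        # Caveat: add_header is NOT inherited into a location that declares its
        # own add_header, so the CSP must be repeated in such locations.
        add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
        add_header Strict-Transport-Security "max-age=31536000" always;

        root /var/www/static;                         # placeholder document root
        brotli_static on;   # serve pre-compressed foo.js.br when the client accepts br

        # Long-lived caching for fingerprinted static assets.
        location ~* \.(css|js|woff2)$ {
            add_header Cache-Control "public, max-age=31536000, immutable" always;
            # Re-declared because of the inheritance caveat above.
            add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
            add_header Strict-Transport-Security "max-age=31536000" always;
        }

        location / {
            proxy_pass http://node_app;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        }
    }
    ```

    Check with `nginx -t` and confirm in the access log that only truncated addresses appear; the inheritance caveat is the usual way a CSP silently disappears from a subset of responses.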