from Hacker News

Ask HN: Do you use Nginx in production? or have you switched

by martinbaun on 9/9/24, 12:11 AM with 22 comments

What are you using infront of your webapp? and more importantly why?

I used NGINX for many years, but around 1.5 year ago I switched to Caddyserver as the SSL certificates are just so nice getting them autohandled. I noticed a slight performance decrease, but for my kinda services it is not so important.

But I am curious, what do you use? and more importantly why?

  • by stephenr on 9/9/24, 1:57 AM

    We use HAProxy at the load balancers, and HAProxy/Varnish/Apache on the individual app server VMs.

    This separates concerns completely:

    - HAProxy knows about and manages the TLS, balancing, client routing etc;

    - Varnish knows about and manages response caching and ESI processing (and often a combination of both);

    - Apache knows about and runs the various backend services (a php web app, a couple of ruby third party tools, etc)

    Nginx has some significant downsides to what we currently use, unless we opt for the paid version which best I can tell is ~$1K/instance/month. These aren't hypothetical differences these are features we actually use:

    - no sync for load balancing data (sticky peer data, rate limit data, etc): HAProxy supports this out of the box;

    - no active health checks: HAProxy supports this out of the box;

    - no API for purging cache: Varnish supports this out of the box.

    - no ESI support: Varnish supports this out of the box. Best I can tell even the paid version of nginx doesn't support this.

  • by re-thc on 9/9/24, 12:24 AM

    CDNs, ingress, etc... haven't had to use a web proxy directly for years. At the end of the day funnily enough it's still nginx or similar behind the scenes.

    Caddy for local development. Less config and setup.

  • by cpburns2009 on 9/9/24, 12:50 AM

    It works, it's easy to configure, it's fast, and it's been solid for the 10 years I've used it.

  • by efortis on 9/9/24, 1:27 AM

    I use Nginx:

      - as a layer on top the app servers for not having to expose Node.js, and loadbalancing app servers,

  - brotli_static,

  - serving avif conditionally[1]

  - anonymizing IPs in logs

  - injecting the caching headers

  - injecting the CSP header

  - SSL Offloading
    Autorenewing SSL certificates within the server is not appealing to me because externally running a script to renew them is not much more complex and it's more secure.

    I mean, the autorenew bots need more priviledges, such as:

      - HTTP challenges need to be via HTTP (not HTTPS) [2],

  - HTTP challenges need write permissions on a servable directory, 

  - DNS or HTTP challenges would need a program on a live server,

  - need ‘pass out’ firewall exceptions without IP scope. "We don’t publish a list of IP addresses we use to validate… Let’s Encrypt" [3]
    1. https://blog.uxtly.com/conditional-avif-for-video-posters

    2. https://datatracker.ietf.org/doc/html/rfc8555#section-8.3

    3. https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let...