Please note that NGINX ModSecurity WAF officially went End-of-Sale as of April 1, 2022 and is transitioning to End-of-Life effective March 31, 2024. For more details please read this blog announcement.
This post is adapted from the keynote by Gus Robertson, CEO of NGINX, Inc., From Failure to Flawless: Application Delivery Today. The talk included special guest Igor Sysoev, CTO and Co‑founder of NGINX, Inc., and was delivered at nginx.conf 2016. Many additional blog posts and videos from other presentations at the conference are available.
Table of Contents
Note: A brief video with the theme “NGINX puts an army behind you” was shown just before the talk began.
The stakes are high now, right? The stakes have definitely changed, and I think the video really sets the tone for the conference over the next two days around flawless application delivery. I want to reiterate a couple of the statements that were made in that video because for me they really resonated.
0:30 Businesses Are the Applications You Build
The first is that your applications are no longer just an extension of the business or the company that you work for now. In fact, they are the personification of that business. They are how people perceive your company to be.
We could have picked on many different companies; the reality is that sites are going down almost daily, and for a number of reasons. It could be poor planning, poor design, a sudden influx of traffic that was unexpected. Just general infrastructure problems that can go wrong, but the reality is that sites do go down every day and we could have picked any one of these.
I want to share an experience with you of something more personal for me. You may be able to tell from my accent – I’m not from Texas. I’m originally from Australia, and in Australia, once every five years we hold a national survey. It’s called the census, and the census gathers data from the residents around the type of dwellings they live in, the number of residents, age, gender, even some optional questions around religion.
They gather this on a single day and night in a five year period, and Australia has a population of just under 25 million people. It was actually conducted last month, in August.
1:48 Prime Minister Begins Census
It started off very nicely with the Prime Minister of the country sending out a nice tweet that he and his family had completed the survey online. Within a few hours the website was down.
1:59 The Australian Census Website Goes Down
Not just was it down, but it was down over a 43‑hour period. Just think about that – a 43‑hour period. And guess what happened: the blame game started. The Prime Minister of the country is talking about a potential reason being a malicious DDoS attack. Then information came out that in fact it wasn’t a potential DDoS attack, it was anomalous traffic.
Unexpected traffic was coming into the site, even after public data showed that there were several hundreds of thousands of dollars spent load testing this particular site. Now you would have thought that when you run a survey for 25 million people, you could probably anticipate the amount of traffic coming in, particularly when it has to be done in a single day.
So this heavily impacted the department that was responsible, the Australian Bureau of Statistics within the Australian government. The census is done online, but for those that don’t want to do it online, it’s also delivered in a physical package.
3:04 Census Collectors
So collectors come and collect those packages, and not only did they get negative responses, some of them actually got death threats. People were so frustrated that because this is compulsory to complete, and that the government didn’t organize it correctly, they had to complete the physical documents rather than go online. So this certainly had a perception issue for the Australian Bureau of Statistics, but it even went further than that.
3:31 Census Affects Prime Minister’s Credibility
It even got to the point where the Australian press were questioning the validity and credibility of the Prime Minister to run the country if he can’t run a website. These are the stakes for today’s world. These are the stakes that we live at and let me tell you, there’s no mercy.
Consumers have no mercy and the press has no mercy. In an instant, as soon as your site is down, your customers are complaining online on social media, on Twitter, and the press is publishing articles about your site being down.
4:04 Don’t Make Your Best Day Your Worst
Now, as I said, [an outage] reflects on the credibility of your company, and inevitably these things happen on the day that you least want them to happen. On the day that you’re launching the census, the day that you’re launching healthcare.gov, the day that you’re launching the most popular finale of your TV series for the season. The day that you’re launching your biggest sale of the year for Thanksgiving – for Black Friday or Cyber Monday.
Inevitably it’s on the day where you’re supposed to be driving the most revenue, you’re attracting the most customers, and when your company is most visible is when something goes wrong. Your best day quickly becomes your worst. That’s the tone of the video; those are the stakes, and that’s why we’re here at this conference talking about flawless application delivery.
So I want to start now by thanking you and welcoming you to the conference. Now that we’ve spoken a little bit about the video, and I think set the stakes for why we’re all here, I want to ask that you just look around the room and see who’s here. These are people in our community that are supporting the NGINX project and community globally.
We chose Austin as the city for the event for a couple of reasons. It’s our third annual event, and last year we had it in San Francisco. We wanted it to pick somewhere that’s more neutral for East and West coast. For me, Austin holds a special place in my heart; when I first moved to the US, I moved to Virginia – I lasted one winter, and I decided it wasn’t for me.
So I looked for somewhere south, somewhere a little warmer, and it came down to two cities – Austin and Miami. Eventually Miami won out, partly because of the beach, but also because I knew it had more direct flights to the places I was traveling to for my work at the time. But Austin was definitely the number two city on my list.
I’ve had so many great experiences here, I can’t tell you. Quite often when I go to restaurants, I’m standing in line and I’ll ask for a table and someone will hear my accent and say, “Where are you from? Why don’t you sit with us for dinner?” Just some random stranger standing in line inviting me to join them for dinner. So the hospitality in this town is fantastic.
In some cases, it was too hospitable. I missed a flight (the first time in my entire life I’ve ever missed a flight) and it was in Austin. I do have one recommendation for a bar: my favorite bar is called Pete’s Dueling Piano Bar.
Those guys are amazing, they’ll play any song for tips and they’ll usually include something that’s going on in the audience in the song. So if you do want a recommendation, I suggest Pete’s Dueling Piano Bar. So please enjoy the event here in Texas and in Austin.
6:46 NGINX Statistics
I want to share some statistics with you, and you may have seen some of these on the screen. We now have over 180 million websites and domains running NGINX technology around the world. Just to give you a sense of how quickly this has grown: when Igor, Maxim, and Andrew first started this company in 2011 (because Igor for the previous seven years had been running the project single‑handedly), we were at 32 million websites. We have now added almost 150 million domains in the last five years since Igor, Andrew, and Maxim started NGINX, Inc. That’s an incredible advancement.
Number two is: we now have over 50% of the busiest sites in the world using our software. So I think it’s fair to say that we’ve become the standard for anyone running an application at web scale.
The third statistic that I put on the screen here I think is even more important is that there is only a hundred staff, and for us at NGINX, Inc. reaching that is quite a milestone. I mean we now have a hundred people in the company, but the reality is it wasn’t a hundred people that got 180 million websites and domains.
It is this army that we talk about, this army of people: it’s the people in this room, it’s the companies that you work at, it’s the millions of developers around the world who use our technology. It’s the ecosystem and partners that build technology on top of and around NGINX. It’s the press and analysts that support our technology and help customers understand where it can help them save money and improve efficiencies.
Gartner, by the way, last week announced that NGINX was the first open source company to be included in their application delivery controller Magic Quadrant, which I think is an amazing step forward for open source and for NGINX. So we thank the analysts and the press in addition, as I said, to all of the community people here in the room. And you are the army that support each other.
8:40 The World Is Changing
So we’ve set the stakes. We know the stakes are big – if it can question the credibility of a Prime Minister and a President, it can definitely question the credibility of your CEO and potentially other people in the company. The world is changing, and I think we all know that, but I believe the world is changing quicker than we all anticipated.
9:07 Three Times Growth
Let’s talk about some of the facts. Let’s talk about ecommerce. So, ecommerce in the last ten years has grown three‑fold, so 3x growth in a ten‑year period. So go on to the days back in the early 2000s when we were scared to put a credit card online, or to make a purchase because we didn’t know if we could return it if it wasn’t the right size.
9:34 Online Consumer Spending
Those fears are gone, and that’s already changed the way that we’re thinking and acting as a society. The reality is that only 10% of overall purchases are done online. Analysts are saying that this is going to grow at a compound rate of 20% or more year‑on‑year moving forward.
Think about what our world looks like today when only 10% of spending is online. Imagine when that changes to 20% or 30% or 50%. How are our expectations going to change around the performance of application delivery? Because the reality now is that today already 60% of research to purchase a product is done online even if only 10% is actually transacted there.
10:10 Online Research
And 50% is before they even contact the vendor involved. So if you lose a customer, you don’t even know you’ve lost them because 50% of the time they’ve made the decisions about their purchase before even involving a vendor or supplier. So the stakes are getting higher even still.
10:41 Online Purchase Times
It’s getting even easier to purchase online. I don’t know if you remember several years ago when you used to purchase, it would take several minutes to go through all of the process of entering your credit card and so forth. Now they’ve got it down to 17 seconds with fingerprint ID on your phone and single‑click buy buttons. That is an incredible experience.
Let me tell you an alternative experience. Last week my family and I were at JC Penney and we were buying some clothes for our child. We stood in line for 15 minutes behind 7 people and the line didn’t move because the first person in the line was wanting to do a return for credit, and the cashier wasn’t quite sure how to do it on the terminal. Just to buy a few items, 15 minutes of standing in line versus 17 seconds; I’ll take 17 seconds every day of the week.
11:22 Size of the Opportunity
So let’s talk a little bit about the size of the opportunity. Total business‑to‑consumer spending by 2020 will be $3.2 trillion. That sounds like a lot of money right? I think people in this room are saying, “That’s pretty good, Gus, but we’re not a business‑to‑consumer company. We’re a business‑to‑business company.”
Let me tell you that the stakes are even higher still: business‑to‑business will be $6.7 trillion, more than double business‑to‑consumer.
11:52 Business-to-Consumer Is Driving Change
The reality is that the way that we do B2C is impacting the business behavior we expect for B2B. Not only is it changing behavior, it’s changing expectations. How many times have you gone to the airport and had your boarding pass on your phone and you’re trying to bring it up as you’re standing in front of the security officer but you’re holding everyone up in the line?
You get frustrated when technology doesn’t work for you. We believe and we expect this stuff to just work. You’re on an airplane flying at a thousand kilometers an hour at 30,000 feet, and you’re upset that your WiFi gets disconnected. Louis C.K. has done a great bit on this. I wanted to do the whole bit, but I’m not as good a comedian. But you should look it up on YouTube, it’s hysterical.
Our expectations have changed. We expected to be able to buy our office supplies online; now we expect to be able to do our finances online and have the same experience. We expect to be able to list and sell our house and have the same experience as we do when buying something on Amazon, or ordering an Uber, or renting a house or a room through Airbnb.
12:59 Digital Business Is Here
Our expectations have changed. So digital business is here and so many analysts and people talk about digital business, digital economy, digital transformation. Digital business is more than just ecommerce; it’s the convergence of the physical and digital worlds.
So yes, it includes online transactions and the consumer experience with delivering applications, but also includes machine‑to‑machine. We’re in a world now where supply parts for building an airplane have digital sensors in them that tell the supply chain that they’re delayed in transit and to look for alternative parts to build the plane so the whole production isn’t slowed down.
This is the world we’re living in, and applications are becoming a critical cornerstone of how we as companies operate, whether it’s the frontend consumer‑facing retail or application user interface, or the backend machine‑to‑machine. All of that is critical, and if any part of that goes down, the business goes down. So the stakes are high.
14:05 Top Five Companies
Do you want proof that technology is leading the charge here? In July of this year, for the first time in history, the five largest companies by market capitalization were technology companies.
14:26 Apps Are the New Marketplace
So we’ve talked about the stakes. Let me talk a little bit about how applications are actually built. Many people, when they think about applications, think about an icon on their phone. We all know it’s different. An application is more than just an icon; it’s a new digital marketplace. It’s the way that we bring buyers and sellers together.
It could be a heterogeneous marketplace like Amazon, or it could be a homogeneous marketplace like your particular company and your particular products and services. But at the end of the day, we’re bringing buyers and seller together in a digital marketplace.
What we’re finding in this evolution, as the marketplace moves from bazaars to shopping malls to applications, is that you can unlock additional suppliers and buyers. Just look at how Uber and Airbnb have brought additional suppliers to the market with private cars and private houses. The opportunities for us to open and expand our marketplace through applications is absolutely possible.
15:21 Traditional Enterprises See This Change
But let me tell you, it’s not just the startups and the disruptors that are seeing this evolution and this change. Traditional enterprises absolutely see this change and they’re making the necessary adjustments.
If you look at companies like Nordstrom – Nordstrom in Q1 of this year did 21% of all its revenue online. Macy’s just last month said it is going to close down a hundred stores and move that investment to its online retail business. As I’ve said before, you can see these changes coming in with every enterprise you work with. So there’s no doubt in my mind that enterprises and traditional companies recognize this change.
16:09 Heal Gives Peace of Mind
Those of you that were here last year will remember that I talked about Heal, an application that gave real peace of mind to my family. We had just flown into San Francisco two or three weeks before the conference and once we landed, my daughter had a fever and my wife was so upset. So we were trying to get a pediatrician but couldn’t get one, and someone recommended this app. Eventually we had a pediatrician at our apartment and within 60 minutes we knew that Chloe was fine.
16:42 Disney Junior
So a year ago this was the type of application gave us peace of mind. What’s giving my wife and me peace of mind now, particularly at dinner, is a new app, Disney Junior. Chloe can digitally stream all of her favorite shows. She’s two now, by the way. She uses the iPad better than I do, and she can watch Disney Junior so my wife and I can actually eat dinner if we’re out.
The problem is that when I’m traveling I wake up at four o’clock in the morning with the theme song for Sofia the First playing in my head. If you’re a parent, then I’m sure you know what that’s like. If it’s not Sofia, it’s the Wiggles. (They’re Australian, so I have to support them a little bit.)
17:20 CIO Magazine
Enterprises are definitely changing, and they recognize this. CIO Magazine recently recognized a hundred innovators in this space. DirecTV is one of these innovators. There were many on this list, but DirecTV was one of them. DirecTV had this fantastic quote that I want to call out here.
Not only were they using lightweight tools like NGINX and Node.js, but the reasoning and the benefits they got from making the architectural shift were exactly what you would expect – increased revenue, better quality of product, and a better experience for the customer. An improved competitive advantage with speed to market.
There’s no better reason to do anything in business. I want to increase revenue, I want to be more competitive, and I want to give a better experience to my customers. It makes a lot of sense.
18:09 Enterprise Is Awake and Moving
So this is happening, but the question is: how fast? Because enterprises are traditionally larger organizations with existing cultures, existing tools, existing applications, and making the shift is not necessarily as easy as you would think. Now we’ve spent the last five years as a company working with companies to help expedite this process. So I want to share with you some of the learnings that we’ve had along the way because I think this might be helpful.
18:36 What Have We Learned at NGINX?
So what have we learned at NGINX through this process? Number one: it’s all about the app. It’s very easy to get caught up in all of the cool new tools and infrastructure and do I want to do containers or virtual machines or data center or cloud. At the end of the day, the changes that you’re making are to provide a better customer experience, which is delivered through your application.
It’s really about agile software development practices. It’s about continuous integration and delivery, and about providing that better customer experience. Don’t lose sight of the fact that the core reason that we’re making these changes is to deliver a better application experience, not because we want a cooler infrastructure underneath the application.
19:20 Cultural Shift Is the Biggest Hurdle
The second thing is that many people think, “Okay, I’ve decided I’m doing continuous application delivery. It’s all about the tools”. No. Often the biggest issue that you’ll face is a change in culture. How do I restructure my team? How do I put the right processes in place across these new teams? How do I get real accountability into these teams so they are focused around the SLA and the customer experience? That cultural shift can take six to twelve months.
Many of the customers in this room know what I’m talking about. You’ve been through this experience, you know that this is often the largest hurdle. So don’t lose sight of the cultural issues and how do you do cultural change management as part of your process.
20:11 Monolith vs. Microservices
Because we’re a thought leader in the world of microservices, people often assume that we think every problem is solved with microservices. That’s definitely not the case. The reality is that quite often a monolith is a better architectural approach. If you’ve got a very defined application feature set [and] a centralized team that can build that feature set, then actually going with the monolith is going to be a much faster development process and less complex to manage as you deploy. So there are circumstances where a monolith is right.
For a microservice architecture, if you’re entering an application where you think the feature set is going to evolve over time, and you think it’s somewhat undefined, then maybe microservices is a better path. If you’ve got decentralized and fragmented development teams, then microservices may be a better path.
If you see this application going at large scale across the web, then microservices may be a better path. But I do want say that from an NGINX perspective, both architectures make sense. Different horses for different courses, right?
21:21 Cloud: Friend or Foe?
We often get asked by our customers if they should go to cloud; is it friend or foe? From my perspective, cloud has brought so many advantages to software development. To quickly grab an instance on the cloud and start developing an application, to sometimes bypass internal IT and just get something up and running.
It can be much faster and more efficient, and to have a compute resource on demand is incredibly advantageous when you want to scale up an application. But there are some cons as well. Before cloud was called cloud, does anyone remember what it was called? Some people called it computing on demand; others called it utility computing.
22:05 Utility Computing
We were talking about utility computing like it would be a power socket; like I could get compute power out of the wall like I do electricity. That was the promise ten years ago, and I think we’re kind of there. We can get compute power from a number of different cloud providers.
22:21 Cloud Providers
The reality is that cloud providers are starting to look a little bit more like this, where you’ve got the compute power. But there are all of these additional services and APIs that you can connect into that actually mean that if you ever want to move your application from one cloud to another, or to hybrid, or back to your own data center, it makes it very difficult.
I’ve been in the industry (and I hate to say it) since the late 80s. If we go back and think about what we’ve tried to achieve as an industry, we’ve actually tried to achieve application abstraction from underlying infrastructure. Back in the days of the mainframe you could only run mainframe apps on a mainframe. In the days of Unix systems, you could run a Sun app only on Solaris and a Sun system. Then we moved to the Microsoft and Linux world, where we had choices of hardware underneath.
Now we’re moving to cloud, and the risk is that we go back to a point where we lock our applications into the underlying infrastructure. So the recommendation I’d say here is: cloud is good, but there are some concerns or risks that you may want to address. Make sure you choose the right tools, ones that give you that abstraction from the underlying infrastructure, which gives you the option of portability in the future.
23:34 The Right Tools
Then finally the right tools – without a doubt you want to select the right tools because that’s what attracts the right talent. You can’t bring in developers straight out of college and tell them to start working on WebSphere or WebLogic. People want to bring the tools that they know how to use and they feel they can work on to provide the best application outcome for you.
Typically these tools are lightweight, they’re open source, and they’re developer friendly. Some of these tools are shown with stickers on the back of the laptop. Obviously we had to put NGINX, but there’s also Jenkins, Docker and containers, Node.js, MongoDB; the list goes on and on. There are many different tools, but typically they’re open source, lightweight, and very developer friendly. This will help your companies attract the right talent to develop the type of applications that you want to build.
24:29 What Are We Doing to Help?
So, what are we doing at NGINX? We kind of talked about how the stakes are high, we talked about how the world is changing and how we can expedite our existing companies and our application development processes to take advantage of these changes. What is NGINX as a company doing here to help?
24:49 Investing in Products
We’re going to hear more from Owen after me and Igor on this specifically, but [I’ll say now] we’re continually investing in our product. We release NGINX open source monthly, and just so you know, NGINX open source is managed and deployed and released by NGINX the company. We deliver that every month, with the help of the community of course. In addition to that, we release NGINX Plus three to four times a year.
We’re also investing in new products like NGINX Amplify to give you more visualization and monitoring capability of your application architectures. We’re also integrating other open source projects with NGINX like ModSecurity. So many people have asked us for ModSecurity and WAF included in NGINX, so we’ve worked with the team at ModSecurity to make that happen.
To further NGINX, we worked with ModSecurity to make that happen natively on NGINX, not with a shim with Apache around it. So we continually invest in our products and you’ll hear Igor talk about some advanced work we’re doing around an application process manager as well.
25:50 Engineering Talent
We invest in our engineering talent, and I feel so proud to be able to say that I believe around NGINX we’ve got the best engineering talent on the planet by far. I think that comes through for you as customers when you engage with our support team, and I hope that many of you in this room can attest to the quality and value of our support. Our support team works tirelessly and 60% to 70% of issues are resolved through first‑line support because our quality of support is phenomenal. I hope that you can all attest to that.
26:32 Reference Architectures
We continue to invest in our engineering talent; we’ve recently launched a number of microservices reference architectures because many of our customers were telling us, “We want to go down this microservices path, but we don’t want to make the same mistake that everyone else has made. How do we circumvent that?”
So we created three different models for three different use cases around how to deploy your microservices architecture, so you can focus on the code and not all the underlying connecting bits. Chris Stetson, who wrote this for us, is presenting it on Thursday afternoon, so I encourage you to go to his presentation and hear more about the Microservices Reference Architecture from NGINX.
27:01 Advanced Training Courses
We’re delivering more around training: more advanced training on how to use NGINX, NGINX in very specific use cases, and once again NGINX in a microservices architecture. We’re actually holding our first public training of the microservices course here on Friday and I know a number of you here in the room are attending that.
So in conclusion, I just want to reiterate the fact that I’m so thankful; I’ve been with the company now for four years, and I’m so thankful for all of you in the room here as community members, as customers, as press and analysts. Together you create this army that moves this project forward.
As I said, we’re at 180 million websites and growing, and it wouldn’t be possible without you. We’re here as well to support you with all the things we’re doing as a company. If there’s anything that I can do or the team can do during these next two days, please let us know. We all have NGINX t‑shirts on so you should be able to find us.
I would like to ask you to join me in welcoming Igor Sysoev to the stage. Igor is the original author of NGINX. He’s coming out to talk to you a little bit about containers, microservices, and some of the future things that he sees happening in application delivery. Please join me in welcoming Igor, thank you.
28:16 Words from Igor Sysoev
Linux containers are much more independent from the rest of the system than usual Linux packages. This allows administrators and developers to be worried less about library and framework capability. A containerized approach leads naturally to the concept of microservices in a cloud. This is fully the evolution of the idea of isolation, when a monolithic application is put into an independent box.
Microservices have a lot of advantages, such as flexibility of development and deployment, ability to run in the cloud, scalability, split testing, etc. However, unfortunately microservices also introduces some disadvantages, such as increasing the number of moving parts and communication overhead between the microservices.
31:41 NGINX Application Manager
To address these issues, we have started experimental work which should fix these shortcomings by embedding some NGINX features inside applications with our application manager. Some of the features do not require changes to applications at all – for example, accelerated content delivery.
As with usual NGINX usage, a special delivery strategy sends data generated by applications to a client. All that you need to do is just run your applications with our manager. It’s drop-in placement, and it doesn’t require any changes. However, other features require some application adoption.
For example, an application can instruct the manager to send a file by a send-file operation, so called “
sendfile offload”. The application can use the manager to process static files itself, without any application participation.
Yet another feature: for example, the application can instruct the manager to deal with some responses in a way similar to what NGINX does. It looks very similar if you’ve worked with NGINX before.
Another feature is upstream connectors. The connectors support full tolerance and upstream load balancing. The application will just offload all of this complexity to the connectors. It just calls the connectors in the same way it sends requests to the NGINX load balancer. Of course our manager will be able to run several application processes and handle the abnormal failures. The configuration of the manager will be dynamic, by a remote API and by the application. There will be no static configuration.
One of my favorite features in NGINX is the online binary upgrade without service interruption. This feature allows you to update an old NGINX version to the new one without service interruption. However, if we speak about containers, they are usually shut down and then run again with the new version of the application and there is some interruption in service.
Thank you again for coming here and I hope you will enjoy the content we have prepared for you over the next two days.
Please note that NGINX ModSecurity WAF officially went End-of-Sale as of April 1, 2022 and is transitioning to End-of-Life effective March 31, 2024. For more details please read this blog announcement.