TCP Load Balancing in NGINX Plus R7

Last year we introduced TCP load balancing in NGINX Plus for applications that don’t use HTTP as their transmission protocol. Applications like Microsoft Exchange 2013 and MySQL, and any SSL traffic that is not decrypted by NGINX Plus, all run over plain TCP.

NGINX Plus Release 7 (R7) greatly improves TCP load balancing with additional features to help you better secure your TCP applications against external threats. Tuning of TCP load balancing is also more flexible thanks to new configurable parameters. This post covers the new features in detail, explaining how to use them to accelerate, secure, and scale your applications that communicate over TCP.

Editor –

Apply Access Control and DDoS Protection to Secure Your TCP Services

NGINX Plus R7 introduces access controls, connection limiting, and bandwidth limits for TCP traffic. NGINX Plus now provides the same level of security and DDoS protection for TCP applications as for HTTP applications.

Access Controls

You can now allow or deny traffic to proxied or load‑balanced TCP servers based on specific client IP addresses and ranges. This is great for quickly blocking IP addresses that are attacking you or are known to be malicious (like those listed at Project HoneyPot). The configuration is fairly simple.

server {
# ...
deny 72.46.166.10;
deny 73.46.156.0/24;
allow all;
}

The first deny directive blocks one IP address and the second a range of addresses, with all other addresses allowed through by the final allow all directive. The logic can also be reversed by allowing access from the IP addresses you specify and blocking everyone else with a final deny all directive.

For more information, see the ngx_stream_access_module documentation.

Connection Limiting

With NGINX Plus R7 you can limit the number of connections that clients can make to TCP applications proxied by NGINX Plus. Perhaps one part of your application is slower than other parts, for example if a request to that part generates a lot of database calls or in general initiates a lot of work on the back end. Attackers can exploit this by having hundreds or thousands of computers repeatedly making that same request.

With connection limiting, you can minimize the effect of these attacks by limiting the number of connections the attackers can make. This limits the power of each individual computer used in an attack.

stream {
limit_conn_zone $binary_remote_addr zone=my_limit_conn:10m;
# ...
server {
limit_conn my_limit_conn 1;
# ...
}
}

In this example each IP address is limited to one connection. The NGINX variable $binary_remote_addr captures the client’s IP address.

For more information, see the ngx_stream_limit_conn_module documentation.

Bandwidth Limiting

NGINX Plus R7 includes new functionality to limit upload and download speed for each connection. Capping bandwidth slows down greedy downloaders.

server {
# ...
proxy_download_rate 100k;
proxy_upload_rate   50k;
}

With these settings a client can download data through a single connection at a maximum speed of 100 kilobytes per second, and upload data through a single connection at a maximum speed of 50 kilobytes per second. Keep in mind, however, that clients can open multiple connections. If the goal is to limit overall speed of loading per client, you must also limit the number of connections to one as described in the previous section.

More Configurable Load Balancing

With R7, we’ve added more configurable options to help you get the most out of NGINX Plus’ TCP load‑balancing capabilities.

Binding to a Specific IP Address

You can specify the IP address that NGINX Plus uses when talking to the backend servers it proxies. Include the proxy_bind directive:

upstream backend {
server backend1.example.com;
server backend2.example.com;
}

server {
# ...
proxy_bind 192.168.1.100;
proxy_pass backend;
}

In this example, NGINX Plus uses 192.168.1.100 as its address for all connections to the servers in the backend upstream group.

PROXY Protocol Support

NGINX Plus R7 adds support for the PROXY protocol. This provides a convenient way to safely transport connection information, such as a client’s IP address, across multiple layers of proxies.

A great use case comes from an NGINX customer that needed to decrypt a large volume of SSL traffic, more than a single NGINX instance could handle. The customer implemented two tiers – a frontend NGINX cluster that load balances TCP traffic across a larger secondary cluster that terminates the SSL connections.

The proxy_protocol directive is used to forward the client IP address to the second tier so it can be added as a header in the decrypted HTTP traffic.

Other Enhancements

There are a couple of other enhancements to TCP load balancing in NGINX Plus R7:

  • The new backlog parameter to the listen directive limits the length of the queue of pending connections.
  • The tcp_nodelay directive controls whether Nagle’s Algorithm is used. By default it is set to on, which disables Nagle’s Algorithm.

Comparing NGINX Plus and Open Source NGINX

Both NGINX Plus and the open source (F/OSS) NGINX software support TCP load balancing. NGINX Plus adds features that enhance TCP load balancing and provide more visibility into the load‑balanced traffic. The following table compares the two.

NGINX F/OSS NGINX Plus
Core Features
TCP load balancing Optional feature, enabled at compile time Built‑in and fully supported by NGINX, Inc.
Load‑balancing methods Round Robin, Hash, IP Hash, Least Connections All F/OSS methods, plus Least Time
PROXY_PROTOCOL support ✅ (New in R7)
SSL decryption and encryption
Dynamic Configuration
DNS configuration Static (at configuration load) Dynamic (DNS configuration can be regularly refreshed)
Dynamic load balancing configuration
High Availability
Passive health checks
Application‑aware health checks
Slow‑Start for recovered servers
Management and Monitoring
TCP load balancing metrics and health check data
Security and Access Controls
Access Control Lists (ACLs) ✅ (New in R7)
Bandwidth limiting ✅ (New in R7)
Client connection limits ✅ (New in R7)
Binding to a specific address ✅ (New in R7)
Server (upstream) connection limits

Upgrade or Try NGINX Plus

If you’re running NGINX Plus, we strongly encourage you to update to Release 7 as soon as possible. You’ll pick up a number of fixes and improvements, and it will help us to help you if you need to raise a support ticket. Installation and upgrade instructions can be found at the customer portal. Not using NGINX Plus yet? Give it a try for free today!

Cover image
Free O'Reilly Ebook
Your guide to everything NGINX