Enhancing Security and Performance for a High‑Traffic Ecommerce Website with NGINX Plus
Buydig.com is a fast‑growing ecommerce store with nearly 50,000 daily visitors – and even more during its peak shopping season. From photography equipment to computer accessories to home entertainment systems, Buydig.com offers a comprehensive selection of consumer electronics at low prices in several countries.
In 2003 – the early days of Buydig.com – the website was built as a two‑layer Microsoft .NET application, with an IIS web server and SQL Server as the backend database. But as the number of visitors increased over time, that architecture couldn’t keep up with the traffic. Pages slowed down and eventually stopped responding. Also, without a frontend load balancer and reverse proxy to absorb and filter incoming traffic, the application servers were directly exposed to distributed denial‑of‑service (DDoS) attacks.
“Our search for a better solution started when we encountered a DDoS attack, which is common for websites. In this attack, several computers were programmed to hit a page on our site at the same time. CPU usage went up and, unfortunately, our site went down. When the site came back up, it was slow and not performing well. We had to come up with a better way, so we started looking for new solutions,” says Charles Bender, Director of IT at Buydig.com.
Buydig.com needed a frontend solution that is easy to configure, serves pages quickly regardless of site traffic volume, protects its backend servers and database from malicious traffic, and provides a fault‑tolerant architecture with the potential to scale.
After trying several other solutions without seeing improvement, Buydig.com looked into NGINX Plus as a frontend load balancer.
“We just weren’t getting the performance, security, and scalability that we needed with the alternatives. The other products we tried all lacked the flexibility, power, and performance of NGINX Plus,” says Bender. “With NGINX Plus, we found a solution that is uniquely tuned to our needs.”
Built on top of the world’s most popular open source web server for high‑traffic websites, NGINX Plus adds enterprise‑ready features into one easy‑to‑deploy package, and was a great fit for Buydig.com’s needs.
Buydig.com implemented NGINX Plus in its frontend application layer, completely separate from its backend servers. NGINX Plus handles all incoming HTTP and HTTPS traffic and is hosted in Amazon Web Services (AWS). Buydig.com uses two AWS locations – US East and US West – with two EC2 instances in each running Red Hat Enterprise Linux 7 and NGINX Plus. Requests come from clients to AWS data centers where NGINX Plus processes them as the front line for all of Buydig.com’s traffic.
With NGINX Plus, Buydig.com easily handles a very large number of concurrent client connections, which protects its backend application from becoming overloaded and improves the site’s uptime and performance. Because NGINX Plus maintains HTTP keepalive connections to the backend, it can serve many client requests over a small pool of reused backend connections instead of opening a new one for every request, keeping the number of connections to the backend as low as possible.
“Since implementing NGINX Plus as our frontend load balancer and reverse proxy to handle all incoming traffic, it has not died or even slowed down once. The performance is fantastic. We need to keep connection usage low on the backend, and NGINX Plus allows us to do exactly that with extreme ease,” says Bender.
Bender also noted, “We just finished our first holiday season with NGINX Plus and it performed flawlessly, so we’re definitely very happy with it.”
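The connection pooling described above, as an added configuration example (not Buydig.com’s own configuration): NGINX Plus terminates client connections and reuses a fixed set of keepalive connections to the backend. The upstream name, backend addresses, hostnames and pool size are assumptions.

```nginx
# Added example, not Buydig.com's configuration. Backend addresses,
# hostnames and the pool size are assumptions.

upstream buydig_backend {
    zone buydig_backend 64k;     # shared memory so every worker sees the same state
    server 10.0.1.10:80;         # assumed backend IIS nodes
    server 10.0.1.11:80;
    keepalive 32;                # idle backend connections kept open per worker process
}

server {
    listen 80;
    server_name www.buydig.com;

    location / {
        proxy_pass http://buydig_backend;

        # Keepalive to the upstream only works over HTTP/1.1, and the
        # "Connection: close" header a client may send must not be
        # forwarded, or the backend closes the pooled connection.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Without `proxy_http_version 1.1` and the cleared `Connection` header, the `keepalive` directive has no effect and NGINX opens a new backend connection per request, which is exactly the connection growth the pool is meant to prevent.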
Powerful Configuration Tools
Buydig.com takes advantage of NGINX Plus’ powerful configuration language and customizes it to meet the needs of its backend application. With the flexibility offered through features such as location blocks, Buydig.com is able to handle different parts of its site effectively.
For example, the main scripts used by the entire Buydig.com site are hosted in a single directory. Buydig.com protects this directory location against abuse and unauthorized traffic by rate limiting requests and implementing access controls. For other locations, such as the /assets directory which stores static assets such as images and CSS stylesheets, Buydig.com does not use rate limiting because it can slow down page loading (or even make it fail) if clients can’t pull up the images quickly. “Being able to use the location blocks within NGINX Plus to customize settings is very flexible and powerful for us,” says Bender.
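The per‑location policy described above, as an added configuration example (not Buydig.com’s own configuration): the script directory is rate limited per client IP and access controlled, while /assets is served without any limit. The /scripts/ path, the rate, the denied IP range and the filesystem paths are assumptions.

```nginx
# Added example, not Buydig.com's configuration. Paths, rates and the
# denied address range are assumptions.

upstream buydig_backend {
    server 10.0.1.10:80;         # assumed backend nodes
    server 10.0.1.11:80;
}

# http context: one token bucket per client IP, 10 requests/second sustained.
# $binary_remote_addr keeps the per-key state small (4 bytes for IPv4).
limit_req_zone $binary_remote_addr zone=scripts_per_ip:10m rate=10r/s;
limit_req_status 429;            # tell clients they are throttled, not broken

server {
    listen 80;
    server_name www.buydig.com;

    # Script directory used by the whole site: rate limited and access controlled.
    location /scripts/ {
        # Allow a burst of 20 without queueing delay, then reject with 429.
        limit_req zone=scripts_per_ip burst=20 nodelay;

        deny 203.0.113.0/24;     # assumed abusive range (documentation prefix)
        allow all;

        proxy_pass http://buydig_backend;
    }

    # Static assets: no rate limiting, so a page's images and CSS load
    # in parallel without being throttled or failing.
    location /assets/ {
        root /var/www/buydig;    # assumed path
        expires 7d;
        add_header Cache-Control "public";
    }

    location / {
        proxy_pass http://buydig_backend;
    }
}
```

Check the result with `nginx -t` before reloading. One caveat: if NGINX Plus sits behind another proxy or load balancer, `$binary_remote_addr` is that proxy’s address and the limit would apply to all clients as one; in that case use the `real_ip` module to recover the client address first.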
NGINX Plus provides Buydig.com several other security enhancements. To ensure security and privacy, the checkout processes for Buydig.com and its sister site, Beachcamera.com, are encrypted with TLS. Support for TLS Server Name Indication (SNI) in NGINX Plus enables Buydig.com to serve both sites over TLS from a single IP address, each with its own certificate.
“We have multiple SSL sites on multiple servers so TLS SNI is a no‑brainer for us,” says Bender. “It requires practically zero config. Using TLS SNI in NGINX Plus, we can get the site security we need and massively simplify things at the same time. TLS SNI takes out complexity.”
Next, NGINX Plus offers flexible logging, where the log format can be customized as needed. As an ecommerce site that accepts credit cards for online purchases, Buydig.com must comply with the Payment Card Industry Data Security Standard (PCI DSS), which includes requirements for logging and monitoring all access to network resources and cardholder data. Logging of Buydig.com’s traffic used to be complicated because HTTP is used when users first enter and browse the site, but HTTPS must be used during the purchasing process.
With other solutions, Buydig.com was faced with two separate sets of log files – one for HTTP and another for HTTPS – in different formats, which made it difficult to log a complete request path. With NGINX Plus’ configurable logging, Buydig.com can combine the HTTP and HTTPS logs together. “Being able to have combined logs within NGINX Plus helps us meet PCI compliance and is really useful for debugging,” says Bender.
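The two features just described, SNI‑based serving of both sites from one IP address and a single log for HTTP and HTTPS traffic, as one added configuration example (not Buydig.com’s own configuration). Certificate paths, the log path, the upstream names and the second site’s backend are assumptions.

```nginx
# Added example, not Buydig.com's configuration. Certificate paths,
# log path and backend addresses are assumptions.

upstream buydig_backend      { server 10.0.1.10:80; server 10.0.1.11:80; }
upstream beachcamera_backend { server 10.0.2.10:80; }

# One format for every request. $scheme records whether the request
# arrived over http or https, so the browsing phase and the checkout
# phase of one visit land in the same file in the same shape.
log_format combined_scheme '$remote_addr - $remote_user [$time_local] '
                           '$scheme "$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" $request_time';

# Set once in the http context; every server block below inherits it.
access_log /var/log/nginx/access.log combined_scheme;

server {
    listen 80;
    server_name www.buydig.com www.beachcamera.com;
    location / { proxy_pass http://buydig_backend; }
}

# Both HTTPS server blocks listen on the same address and port. NGINX
# selects the block, and therefore the certificate, from the server
# name the client sends in the TLS ClientHello (SNI).
server {
    listen 443 ssl;
    server_name www.buydig.com;
    ssl_certificate     /etc/nginx/ssl/buydig.crt;
    ssl_certificate_key /etc/nginx/ssl/buydig.key;
    location / { proxy_pass http://buydig_backend; }
}

server {
    listen 443 ssl;
    server_name www.beachcamera.com;
    ssl_certificate     /etc/nginx/ssl/beachcamera.crt;
    ssl_certificate_key /etc/nginx/ssl/beachcamera.key;
    location / { proxy_pass http://beachcamera_backend; }
}
```

Two practitioner caveats: a client that does not send SNI gets the certificate of the default server for that port (the first `listen 443` block unless one is marked `default_server`), so put the site you prefer first; and because the page says checkout must be HTTPS, the port‑80 block should redirect checkout paths to HTTPS rather than proxy them, which is left out above to keep the logging point visible.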
Hardened Application Through Health Checks
Since Buydig.com has two backend servers, it needs to know if one locks up and stops serving pages. Health checks in NGINX Plus enable effective load balancing in the event of a failed server, and let Buydig.com complete routine maintenance without disrupting traffic flow or the user experience.
“Our site is being continually worked on, both to add new features and to upgrade servers, so we need to be able to update a web node without taking the whole site offline. With health checks in NGINX Plus, we can gracefully remove a server from the load‑balanced pool so it can be worked on, and then easily reintroduce it when the work is done. It’s as simple as renaming a file. The health checks in NGINX Plus definitely make it easy for us to perform server maintenance and release new features,” says Bender.
Also, because NGINX Plus continuously monitors the backend application and routes traffic away from a server as soon as a failure is detected, Buydig.com keeps serving pages from the remaining healthy server when a backend is overwhelmed. Combined with the rate limiting and backend connection pooling described above, this helps Buydig.com mitigate DDoS attacks.
“NGINX Plus shields us from DDoS attacks. We’re happy with the improved performance and security we get with NGINX Plus,” says Bender.
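Active health checks and planned removal of a node, as an added configuration example (not Buydig.com’s own configuration). The page does not show how Buydig.com’s file‑rename workflow is implemented; the example uses the `down` parameter, which is the directive‑level way to take a server out of the pool. The health endpoint, timings and backend addresses are assumptions.

```nginx
# Added example, not Buydig.com's configuration. The /health URI, the
# timings and the backend addresses are assumptions. health_check and
# match are NGINX Plus directives.

upstream buydig_backend {
    zone buydig_backend 64k;     # required: health-check state is shared across workers
    server 10.0.1.10:80;
    server 10.0.1.11:80 down;    # planned maintenance: mark down, reload, work on it,
                                 # then remove "down" and reload again
    keepalive 32;
}

# What "healthy" means: a 2xx or 3xx response from the probe URI.
match backend_ok {
    status 200-399;
}

server {
    listen 80;
    server_name www.buydig.com;

    location / {
        proxy_pass http://buydig_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Probe each server every 5 s. Three consecutive failures take a
        # server out of rotation; two consecutive passes bring it back.
        health_check interval=5s fails=3 passes=2 uri=/health match=backend_ok;
    }
}
```

The probe should hit something that exercises the application, not just the web server; a static page on IIS can return 200 while the .NET application behind it is locked up, which is the failure mode the page describes. Marking a server `down` and reloading with `nginx -s reload` lets in‑flight requests on the old workers finish, so the node leaves the pool without dropping connections.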
By adding NGINX Plus for load balancing in its frontend application layer, implementing health checks, and combining HTTP and HTTPS logs, Buydig.com has dramatically improved site reliability and performance. NGINX Plus provides speed and security, so Buydig.com can focus on selling great products with great service to its growing customer base.
“We tried a lot of different technologies to improve performance. NGINX Plus stood out from the beginning, and right away it did what we needed it to do. And when a new challenge came up, it still did what we needed it to do. NGINX Plus is dynamic and flexible. It works really well, and helps us achieve our goals,” says Bender.
Buydig.com is a pioneering retailer of consumer electronics located in Edison, New Jersey. The company is a truly comprehensive source of camera, video, home entertainment, and assorted consumer electronics equipment. Buydig.com is a four‑time Platinum Winner of the Bizrate Circle of Excellence Award. For more information, visit www.buydig.com.