All new FME Server 2017.0+ and 2016.1.3 instances are now running behind a NGINX reverse proxy in FME Cloud. As a developer on the FME Cloud team, this is something I have been hoping to achieve for a while and with 2016.1.3+ all the pieces are finally in place. In this blog post, I would like to share with you what the advantages are and, if you have on-premises FME Server deployment(s) instead of FME Cloud, why you should consider NGINX for your personal FME Server deployment.
What is NGINX?
From their website:
NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. NGINX is known for its high performance, stability, rich feature set, simple configuration, and low resource consumption.
In my own words, NGINX is a very lightweight web server that specializes in handling connections and serving static content. NGINX is often paired with a second web server like Apache, Unicorn, or in our case Tomcat where it acts as a reverse proxy. In such a configuration, NGINX handles the connections and static content, while all dynamic requests are forwarded to Tomcat for processing.
Advantages of NGINX
1. Enhanced SSL support
This is the main reason we moved to NGINX. We had struggled for a while with the Tomcat SSL configuration. While Tomcat itself has powerful SSL support, the setup is fairly complicated and we ran into limitations that prevented us from achieving the highest SSL security rating. NGINX simplifies the setup of SSL dramatically and is more performant at handling SSL connections while achieving the highest security rating (https://www.ssllabs.com/ssltest/).
Secondly, it allows us to reuse the same TLS settings for all incoming connection protocols (HTTP, WebSocket and SMTP). Previously, WebSocket and HTTP (Tomcat) each used their own settings, and SMTP encryption was not supported at all.
Finally, NGINX uses the OpenSSL library from the Linux distribution. This means that if there is a serious security issue found in the library, the patch is available through the OS security updates and is either installed automatically, or it can be initiated by the user (on FME Cloud).
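The following is an added example of the kind of TLS-terminating server block this section describes; it is not the FME Cloud configuration and not Safe Software's code. It assumes Tomcat listens on 127.0.0.1:8080 (FME Server's default web port), that the certificate and key live under /etc/nginx/certs/, and that the public hostname is your-server.example.com; all three are placeholders.

```nginx
# Added example, not the FME Cloud configuration. Assumptions (placeholders):
# Tomcat on 127.0.0.1:8080, certificate files under /etc/nginx/certs/,
# public hostname your-server.example.com.

# Plain HTTP exists only to redirect clients to HTTPS.
server {
    listen 80;
    server_name your-server.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name your-server.example.com;

    ssl_certificate     /etc/nginx/certs/fmeserver.crt;
    ssl_certificate_key /etc/nginx/certs/fmeserver.key;

    # Protocol and cipher policy: TLS 1.2 only with forward-secret AEAD suites.
    # Add TLSv1.3 here once the installed NGINX and OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Session resumption keeps repeat handshakes cheap; tickets are off so a
    # single long-lived ticket key cannot undermine forward secrecy.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: browsers that have seen this header refuse to downgrade to HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # All dynamic requests go to Tomcat over plain HTTP on the loopback interface.
    # The forwarded headers let Tomcat log the real client and build https:// URLs.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Check the file with `nginx -t` before reloading, then run the SSL Labs test linked above against the public hostname to confirm the grade. Because Tomcat now only ever sees plain HTTP from localhost, its own Connector should be told it sits behind an HTTPS proxy (Tomcat's `scheme="https"`, `secure="true"` and `proxyPort="443"` Connector attributes) so that any redirects it generates point at https:// rather than http://.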
2. TLS support for email (2017 only)
For FME Server 2017.0+ instances, NGINX handles the receiving and forwarding of emails to FME Server. This means it is now possible to receive emails through an encrypted connection (TLS) with FME Server. If you use a provider like Gmail this happens automatically.
3. Improved performance and stability
NGINX handles serving all static assets of FME Server (images, JS and CSS files). This results in improved compression and caching of those files and reduced load on Tomcat.
We also see a significant improvement when handling many concurrent connections. Because of NGINX’s efficient connection handling, the load on the server with hundreds of concurrent connections dropped significantly. NGINX also scales more conservatively than Tomcat does, which means that rather than exhausting the server’s resources and risking a crash, NGINX refuses new connections earlier to preserve stability. How far NGINX scales up depends on your server size, so if your server cannot handle enough connections for your needs, you can resize it to a larger machine.
4. WebSocket access on port 443
NGINX allows connections to be proxied to the right service based on the request path. We took advantage of this and enabled WebSocket connections on port 443 (default HTTPS port). So instead of using wss://your-server.fmecloud.com:7080/websocket you can now use wss://your-server.fmecloud.com/websocket. Because of this, port 7080 can now remain closed in the firewall. For 2016.1.3, both ports 7080 and 443 are still open by default and will accept WebSocket connections. For 2017+, port 7080 is closed by default but will still accept WebSocket connections if manually opened. We generally recommend moving your WebSocket workflow to use port 443.
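As an added example covering both section 3 (static assets) and section 4 (WebSocket on port 443), the fragment below shows how path-based routing and asset caching look in NGINX. It is illustrative, not Safe Software's configuration. Assumptions: Tomcat on 127.0.0.1:8080, the FME Server WebSocket service on 127.0.0.1:7078 (a placeholder port), a cache directory at /var/cache/nginx, and certificate paths as in the earlier placeholders. The `map` and `proxy_cache_path` lines belong in the `http` context, the `server` block alongside them.

```nginx
# Added example, not the FME Cloud configuration. Placeholders: Tomcat on
# 127.0.0.1:8080, WebSocket service on 127.0.0.1:7078, cache dir /var/cache/nginx.

# Translate the client's Upgrade header into the Connection header the
# backend expects, so one location serves both HTTP and WebSocket requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# On-disk cache for static assets fetched from Tomcat (up to 100 MB).
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=fme_static:10m
                 max_size=100m inactive=7d use_temp_path=off;

server {
    listen 443 ssl;
    server_name your-server.example.com;
    ssl_certificate     /etc/nginx/certs/fmeserver.crt;
    ssl_certificate_key /etc/nginx/certs/fmeserver.key;

    # Compress text-like responses before they leave the proxy.
    gzip on;
    gzip_types text/css application/javascript application/json image/svg+xml;

    # Static assets (images, JS, CSS): fetched once from Tomcat, then served
    # from the NGINX cache and cached by browsers for a week.
    location ~* \.(?:css|js|png|jpg|jpeg|gif|svg|ico|woff2?)$ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_cache fme_static;
        proxy_cache_valid 200 7d;
        expires 7d;
        add_header Cache-Control "public";
        add_header X-Cache-Status $upstream_cache_status;
    }

    # WebSocket on the same port 443, chosen by path, so 7080 can stay closed.
    # proxy_read_timeout must exceed the client's idle time; the default 60s
    # would drop a quiet WebSocket connection.
    location /websocket {
        proxy_pass http://127.0.0.1:7078;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_read_timeout 3600s;
    }

    # Everything else is dynamic and goes to Tomcat.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this in place a client connects to wss://your-server.example.com/websocket and NGINX, not the firewall, decides which backend answers. The `X-Cache-Status` header (HIT/MISS/EXPIRED) makes it easy to confirm from a browser's network panel that assets are really being served from the NGINX cache rather than from Tomcat on every request.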
If you would like to know more about how to use NGINX with FME Server, contact us at firstname.lastname@example.org.