The Ultimate DevOps Playbook: Tuning Nginx, Gunicorn/FPM, and Elasticsearch on OVH for C++

Nginx as a High-Performance Frontend for C++ Applications

When deploying C++ applications that expose an HTTP interface, particularly those managed by Gunicorn (for Python-based APIs) or PHP-FPM (for PHP backends), Nginx serves as an indispensable high-performance frontend. Its strengths lie in efficient static file serving, robust reverse proxying capabilities, and sophisticated load balancing. For OVH infrastructure, optimizing Nginx is crucial for minimizing latency and maximizing throughput.

A common configuration involves Nginx handling incoming requests, serving static assets directly, and proxying dynamic requests to the application server. This offloads the heavy lifting of I/O and connection management from the application itself, allowing it to focus on business logic.

Nginx Configuration for Reverse Proxying

The core of Nginx’s role is its reverse proxy configuration. We’ll focus on optimizing connection handling and request buffering.

Key Directives and Tuning Parameters

• worker_processes: Set this to the number of CPU cores available on your OVH instance. For a 4-core server, auto or 4 is appropriate.
• worker_connections: This defines the maximum number of simultaneous connections that each worker process can handle. A common starting point is 1024 or 2048, but this should be tuned based on expected load and system limits (ulimit -n).
• keepalive_timeout: Controls how long an idle keep-alive connection will remain open. A value between 60 and 120 seconds is often a good balance between resource utilization and responsiveness.
• proxy_connect_timeout: The timeout for establishing a connection with the upstream server. Keep this relatively low (e.g., 5-10 seconds) to avoid hanging on unresponsive backends.
• proxy_send_timeout and proxy_read_timeout: Timeouts for sending a request to and receiving a response from the upstream server. These should be set higher than proxy_connect_timeout, perhaps 60-120 seconds, to accommodate longer-running application requests.
• proxy_buffering: By default, Nginx buffers responses from the upstream server. This can improve performance by allowing Nginx to send data to the client more efficiently. Ensure it’s on.
• proxy_buffer_size: Sets the size of the buffer used for the first part of the response. A common value is 16k or 32k.
• proxy_buffers: Defines the number and size of buffers for reading the response from the upstream server. For example, 8 16k means 8 buffers of 16KB each.

Consider the following Nginx configuration snippet for a typical setup proxying to a Gunicorn or PHP-FPM backend. This example assumes the backend is listening on a local Unix socket or a specific IP/port.

Example Nginx Configuration

This configuration is placed within your http block or a specific server block.

# Global settings
worker_processes auto;
events {
    worker_connections 4096; # Adjust based on ulimit -n and expected load
    multi_accept on;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;

    keepalive_timeout 65;
    keepalive_requests 1000;

    # Gzip compression for dynamic content
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Buffering settings for upstream
    proxy_buffering on;
    proxy_buffer_size 32k;
    proxy_buffers 8 64k; # Increased buffer size for potentially larger responses
    proxy_busy_buffers_size 128k; # Larger buffer for busy connections

    # Timeouts
    proxy_connect_timeout 10s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;

    # Headers to pass to upstream
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Optional: For WebSocket support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Server block for your application
    server {
        listen 80;
        server_name your_domain.com www.your_domain.com;

        # Serve static files directly
        location /static/ {
            alias /path/to/your/app/static/;
            expires 30d;
            access_log off;
            add_header Cache-Control "public";
        }

        # Proxy dynamic requests to Gunicorn/PHP-FPM
        location / {
            # For Gunicorn (Python)
            # proxy_pass http://unix:/path/to/your/app.sock;

            # For PHP-FPM
            # try_files $uri $uri/ /index.php?$query_string;
            # location ~ \.php$ {
            #     include snippets/fastcgi-php.conf;
            #     fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; # Adjust PHP version and path
            #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            #     fastcgi_read_timeout 300s; # Increase timeout for long PHP scripts
            # }

            # Example for Gunicorn
            proxy_pass http://127.0.0.1:8000; # Or your Gunicorn host:port
        }

        # Error pages
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }

    # Include other server blocks or configurations
    # include /etc/nginx/conf.d/*.conf;
}

Gunicorn Tuning for C++ APIs

While your core application logic might be in C++, you might use Gunicorn as a Python WSGI server to interface with it or manage its HTTP layer. Gunicorn’s performance is critical for the overall responsiveness of your application.

Gunicorn Worker Processes and Threads

Gunicorn’s worker model significantly impacts its ability to handle concurrent requests. The default sync worker type is single-threaded and can become a bottleneck if your C++ application has blocking I/O or long-running operations that are exposed via Python.

• --workers: This is the number of worker processes. A common recommendation is (2 * Number of CPU Cores) + 1. For a 4-core server, this would be 9 workers.
• --threads: If using the gthread worker type (which supports threading), this defines the number of threads per worker. This is less common for CPU-bound C++ applications but can be useful for I/O-bound Python wrappers.
• --worker-connections: (Deprecated in newer versions, use --threads with gthread workers).

For CPU-bound C++ applications, using the sync worker type with a sufficient number of worker processes is generally preferred to avoid the overhead of Python’s Global Interpreter Lock (GIL) if your C++ code is called directly from Python. If your C++ application is a separate process that Gunicorn communicates with (e.g., via IPC or another network socket), then Gunicorn’s worker count is more about managing HTTP connections and Python overhead.

Gunicorn Configuration Example

You can launch Gunicorn with specific arguments or use a configuration file.

# Example command line
gunicorn --workers 9 \
         --bind unix:/path/to/your/app.sock \
         --timeout 120 \
         --graceful-timeout 120 \
         --log-level info \
         --access-logfile /var/log/gunicorn/access.log \
         --error-logfile /var/log/gunicorn/error.log \
         your_wsgi_app:app

Key Gunicorn Directives:

• --bind: The address and port or Unix socket Gunicorn listens on. Using a Unix socket is generally faster than TCP/IP for local communication between Nginx and Gunicorn.
• --timeout: The number of seconds Gunicorn will wait for a worker to respond before considering it dead. This should be set higher than your expected longest request time, but not excessively high to avoid hanging.
• --graceful-timeout: The number of seconds to wait for existing requests to finish when a worker is being restarted.
• --log-level: Controls the verbosity of logging.
• --access-logfile and --error-logfile: Essential for monitoring and debugging.

PHP-FPM Tuning for C++ Backends

If your C++ application is exposed via PHP scripts, PHP-FPM (FastCGI Process Manager) is the standard way to interface PHP with web servers like Nginx. Tuning PHP-FPM is critical for handling concurrent PHP requests efficiently.

PHP-FPM Process Management

PHP-FPM offers several process management strategies. The most common are static, dynamic, and ondemand. For production environments, dynamic or static are typically preferred.

• pm: Process manager control. Set to dynamic or static.
• pm.max_children: The maximum number of child processes that can be spawned. This is a hard limit and directly impacts memory usage. Set this based on your server’s available RAM, considering Nginx and other services.
• pm.start_servers: The number of child processes to start when PHP-FPM starts.
• pm.min_spare_servers: The minimum number of idle respawned server processes.
• pm.max_spare_servers: The maximum number of idle respawned server processes.
• pm.max_requests: The number of requests each child process will execute before respawning. This helps prevent memory leaks. A value between 500 and 1000 is common.

If using static, pm.max_children, pm.start_servers, pm.min_spare_servers, and pm.max_spare_servers should all be set to the same value, effectively fixing the number of children.

PHP-FPM Configuration Example

This configuration is typically found in /etc/php/[version]/fpm/pool.d/www.conf.

; /etc/php/7.4/fpm/pool.d/www.conf (example for PHP 7.4)

[www]
user = www-data
group = www-data
listen = /var/run/php/php7.4-fpm.sock ; Or use TCP/IP: listen = 127.0.0.1:9000
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 100       ; Adjust based on RAM and expected load
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500

; Request timeouts
request_terminate_timeout = 120s ; Corresponds to Nginx's proxy_read_timeout for PHP

; Other useful settings
; php_admin_value[memory_limit] = 256M
; php_admin_value[upload_max_filesize] = 64M
; php_admin_value[post_max_size] = 64M

Important Notes for PHP-FPM:

• Ensure the listen directive matches what Nginx is configured to proxy to.
• request_terminate_timeout in PHP-FPM should be greater than or equal to Nginx’s proxy_read_timeout for PHP requests to prevent premature termination.
• Monitor memory usage closely. pm.max_children is the primary driver of memory consumption.

Elasticsearch Performance Tuning on OVH

For logging, analytics, or search capabilities integrated with your C++ application, Elasticsearch is a common choice. Optimizing Elasticsearch on OVH infrastructure involves JVM tuning, disk I/O considerations, and network settings.

JVM Heap Size Configuration

The Java Virtual Machine (JVM) heap size is the most critical Elasticsearch tuning parameter. It dictates how much memory Elasticsearch can use for its operations.

• Xms: Initial heap size.
• Xmx: Maximum heap size.

Rule of Thumb: Set Xms and Xmx to the same value to prevent the JVM from resizing the heap, which can cause pauses. The recommended maximum heap size is typically 50% of the system’s RAM, but not exceeding 30-32GB. This is due to compressed ordinary object pointers (compressed oops), which are enabled by default and provide performance benefits up to this limit. If you exceed this, you lose the benefits of compressed oops, and performance can degrade.

Elasticsearch JVM Configuration Example

This is configured in the jvm.options file, usually located at /etc/elasticsearch/jvm.options.

# /etc/elasticsearch/jvm.options

# Example for a server with 64GB RAM
# Set heap to 30GB (approx 50% of RAM, below 32GB limit)
-Xms30g
-Xmx30g

# Other JVM settings
-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSCompactAtFullCollection
-XX:+DisableExplicitGC
-Djava.awt.headless=true
-Dfile.encoding=UTF-8
-Djna.nosys=true
-Djdk.nio.maxCachedBufferSize=2048
-XX:+HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=/var/lib/elasticsearch
-XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log

Important Considerations for OVH:

• Disk I/O: Elasticsearch is I/O intensive. Use SSDs on OVH for better performance. Consider RAID configurations for redundancy and performance if applicable.
• Swapping: Ensure Elasticsearch is configured to disable swapping. Add bootstrap.memory_lock: true to elasticsearch.yml and ensure the Elasticsearch user has the necessary `ulimit` settings (e.g., `memlock` unlimited).
• Network: For distributed clusters, ensure low latency between nodes. OVH’s private network options can be beneficial.
• Sharding Strategy: Design your index shards carefully. Too many shards can overwhelm the cluster; too few can limit parallelism.

Elasticsearch Indexing and Search Tuning

Beyond JVM, index-level settings are crucial.

• index.refresh_interval: Controls how often new documents become searchable. Default is 1s. For high-volume indexing, increasing this (e.g., to 5s or 10s) can improve indexing throughput at the cost of near-real-time search.
• index.number_of_shards: Number of primary shards. Should be set at index creation. Aim for 1-3 primary shards per GB of estimated shard size.
• index.number_of_replicas: Number of replica shards. Set to 0 during initial bulk indexing and then increased to 1 or more for high availability.
• index.translog.durability: Set to async for higher indexing performance if you can tolerate a small risk of data loss in case of a node failure during a translog flush. Default is request.

Example of updating settings for an existing index:

PUT /my-index/_settings
{
  "index": {
    "refresh_interval": "5s",
    "number_of_replicas": 1
  }
}

For optimal performance on OVH, combine these tuning strategies. Regularly monitor your system’s CPU, memory, disk I/O, and network traffic using tools like htop, iostat, netstat, and Elasticsearch’s own monitoring APIs to identify bottlenecks and adjust configurations accordingly.