API Gateway Tuning: Scaling Nginx for High-Load REST Architectures
The mobile revolution is here, and it is noisy. Unlike the monolithic web applications of five years ago, today's iOS and Android apps are chatty. They bombard your backend with thousands of small, sporadic REST requests. If you are still running a default Apache setup or an unoptimized Nginx proxy as your API gateway, you are likely bleeding latency on every handshake.
I recently audited a payment processing backend for a client here in Oslo. They were running on a budget VPS provider (who shall remain nameless), experiencing 500ms latency spikes during peak traffic. They blamed the PHP code. I blamed the TCP stack and the virtualization overhead. After moving them to a proper KVM-based environment and tuning the gateway, latency dropped to 45ms.
Here is the reality: Linux distributions like CentOS 6 are designed for general-purpose computing, not for acting as a high-concurrency API gateway handling 10,000 requests per second. Let's fix that.
1. The OS Layer: Tuning the Linux Kernel
Before we touch the web server, we must look at the kernel. When your API gateway acts as a reverse proxy, it opens a connection to the client and another to the backend application server. This exhausts ephemeral ports rapidly.
You need to modify /etc/sysctl.conf. The defaults are too conservative for 2014 traffic levels.
# /etc/sysctl.conf
# Allow reusing sockets in TIME_WAIT state for new connections
net.ipv4.tcp_tw_reuse = 1
# Increase the range of ephemeral ports
net.ipv4.ip_local_port_range = 1024 65023
# Maximize the backlog of incoming connections
net.core.somaxconn = 4096
net.ipv4.tcp_max_syn_backlog = 4096
# Increase TCP buffer sizes for 10Gbps networks
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216Apply these changes with sysctl -p. If you skip this, your Nginx error logs will be full of "Resource temporarily unavailable" alerts when traffic spikes.
2. Nginx Configuration: The Gateway Engine
Nginx 1.4 is the standard for high-performance reverse proxying right now. However, most people simply `yum install nginx` and walk away. This is a mistake. For an API gateway, you specifically need to manage upstream keep-alives.
By default, Nginx closes the connection to your backend (PHP-FPM, Python/Django, or Node.js) after every request. Re-establishing that TCP handshake for every single API call is a waste of CPU cycles.
Optimizing Upstream Blocks
Here is a production-ready snippet for nginx.conf that maintains persistent connections to the backend:
http {
# Define the backend group
upstream backend_api {
server 127.0.0.1:8080;
# IMPORTANT: Keep 32 idle connections open per worker
keepalive 32;
}
server {
listen 80;
server_name api.example.no;
location /v1/ {
proxy_pass http://backend_api;
# HTTP 1.1 is required for keep-alive
proxy_http_version 1.1;
# Clear the Connection header to enable persistence
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
}Pro Tip: Do not set the `keepalive` value too high if your backend application has a low memory limit. Each open connection consumes RAM. Balance is key.
3. SSL Termination: The Heavy Lifter
With security concerns rising, more APIs are moving to HTTPS. SSL handshakes are computationally expensive. If you terminate SSL at the gateway, you must optimize session caching to avoid full handshakes for returning mobile clients.
server {
listen 443 ssl;
server_name api.example.no;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# Enable Session Cache: 10MB can store ~40,000 sessions
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Disable SSLv3 to avoid known vulnerabilities (POODLE is a risk, stick to TLS)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Prioritize server ciphers to enforce strong encryption
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
}The Hardware Factor: Why "Cloud" Isn't Always Enough
You can tune software all day, but if the underlying virtualization is fighting you, you will lose. In the hosting market today, there is a lot of noise about "Cloud," but often that just means oversold OpenVZ containers.
For an API gateway, you need consistent CPU scheduling and low I/O wait. This is why we at CoolVDS strictly use KVM (Kernel-based Virtual Machine). It provides true hardware virtualization. When your API logs 500 requests a second, you are generating massive I/O. If your neighbor on the physical host is running a backup script, and you are on shared storage without isolation, your API latency spikes.
Furthermore, geography matters. If your user base is in Norway, hosting in a data center in Frankfurt or Amsterdam adds 20-30ms of round-trip time (RTT) just for physics. Hosting in Oslo, directly connected to NIX (Norwegian Internet Exchange), ensures that the network path is as short as possible.
Compliance and Datatilsynet
Operating in Norway also brings us to the Data Protection Act (Personopplysningsloven). Ensuring your data stays within national borders or trusted partners is not just good for latency; it simplifies compliance with Datatilsynet requirements regarding personal data storage.
Benchmarking Your Changes
Never deploy without measuring. Use ab (Apache Bench) to stress test your gateway. Here is how I test a keep-alive configuration:
# Simulate 100 concurrent users, 10,000 requests, with Keep-Alive enabled
ab -n 10000 -c 100 -k http://api.example.no/v1/statusLook for the "Requests per second" metric. On a standard 2GB RAM CoolVDS instance with SSD storage, properly tuned Nginx should easily handle 2,000+ requests per second for a lightweight JSON endpoint.
Conclusion
Building a robust API gateway isn't about buying the most expensive server; it's about removing the bottlenecks in the default Linux and Nginx configurations. By tuning your kernel parameters, enabling upstream keep-alives, and choosing a virtualization platform that doesn't steal your CPU cycles, you can achieve sub-50ms response times.
Don't let latency kill your mobile user experience. If you need a sandbox to test these configurations, deploy a CoolVDS KVM instance in Oslo today. We offer the raw performance and SSD speeds required for modern API workloads.