Scaling API Gateways: Nginx Tuning & The "Safe Harbor" Reality Check
It has been exactly one month since the European Court of Justice invalidated the Safe Harbor agreement. If you are a CTO or Lead Architect in Oslo right now, you are likely scrambling. The legal safety net for sending user data to US-based clouds just evaporated. The Norwegian Data Protection Authority (Datatilsynet) is already signaling strict enforcement. You need to bring data home to Norway/Europe.
But here is the fear: Migration means latency.
It doesn't have to. The problem isn't usually the physical distance to the server—latency from Oslo to a decent datacenter in the Nordics is sub-5ms. The problem is your configuration. Most "high performance" setups I audit are running default Nginx configs on over-provisioned OpenVZ containers. That is a recipe for disaster.
If you are building an API Gateway today—whether for a mobile app backend or microservices—you need raw I/O and a kernel tuned for concurrency. Let's look at how to tune a KVM-based stack to handle 10,000 requests per second (RPS) without choking.
1. The Hardware: Stop Using OpenVZ
Before we touch a config file, let’s talk virtualization. In 2015, too many providers are still selling OpenVZ slices as "VPS." In an OpenVZ environment, you are sharing the kernel with every other tenant on the node. If your neighbor gets DDoS'd, your API latency spikes. This is "steal time," and it is the enemy of consistent API performance.
For an API Gateway, you need KVM (Kernel-based Virtual Machine). You need your own kernel to tune TCP stacks. At CoolVDS, we strictly use KVM with local SSD (and emerging NVMe) storage because isolation isn't a luxury; it's a requirement for predictable I/O.
2. Kernel Tuning for High Concurrency
Linux defaults are designed for general-purpose usage, not for an API Gateway handling thousands of ephemeral connections. Open /etc/sysctl.conf. We need to widen the port range and allow faster recycling of TIME_WAIT sockets.
# /etc/sysctl.conf
# Increase system-wide file descriptors
fs.file-max = 2097152
# Widen the local port range to allow more connections
net.ipv4.ip_local_port_range = 1024 65535
# Reuse TIME_WAIT sockets for new connections (critical for API gateways)
net.ipv4.tcp_tw_reuse = 1
# Increase the maximum number of backlog connections
net.core.somaxconn = 32768
net.ipv4.tcp_max_syn_backlog = 8192
# Speed up TCP window scaling
net.ipv4.tcp_window_scaling = 1Apply this with sysctl -p. Without tcp_tw_reuse, your API Gateway will run out of ephemeral ports during traffic bursts, resulting in dropped connections even if your CPU is idling.
3. Nginx: The Gateway Config
Nginx 1.9.x is currently the gold standard for this. If you are adventurous, the experimental HTTP/2 support in 1.9.5 is promising, but for production stability right now, we focus on SPDY or tuned HTTP/1.1.
Worker Processes & Rlimit
First, ensure Nginx can actually open the files (sockets) the kernel allows. In your main nginx.conf:
user www-data;
worker_processes auto;
worker_rlimit_nofile 100000;
events {
worker_connections 4096;
multi_accept on;
use epoll;
}Upstream Keepalive
This is the most common mistake I see. Nginx speaks HTTP/1.0 to backends by default. This means for every single API call, it opens a new connection to your backend service (PHP-FPM, Node.js, Go). That is expensive. You must enable keepalive to the upstream.
http {
upstream backend_api {
server 10.0.0.2:8080;
server 10.0.0.3:8080;
# Keep 64 idle connections open to the backend
keepalive 64;
}
server {
location /api/ {
proxy_pass http://backend_api;
# Required for keepalive to work
proxy_http_version 1.1;
proxy_set_header Connection "";
}
}
}4. SSL Termination: The "Heartbleed" Hangover
Security protocols have shifted rapidly since 2014. SSLv3 is dead (thanks, POODLE). You must disable it. Furthermore, SSL handshakes are CPU intensive. If you are terminating SSL on the gateway, you need to cache sessions to avoid a full handshake for every request.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# Cache SSL sessions for 10 minutes
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;Pro Tip: If you are serving users in Norway, verify your latency to NIX (Norwegian Internet Exchange). CoolVDS infrastructure peers directly at NIX, meaning your API responses don't accidentally route through Stockholm or Frankfurt before hitting a user in Bergen.
5. Comparison: Nginx vs. HAProxy
I often get asked: "Why not HAProxy?" HAProxy is fantastic, but Nginx offers a more robust ecosystem for static content serving alongside proxying. In 2015, if you want a single binary to handle static assets and proxy dynamic API calls, Nginx is often the more pragmatic choice.
| Feature | Nginx | HAProxy |
|---|---|---|
| Architecture | Event-driven (Async) | Event-driven (Async) |
| SSL Termination | Excellent | Supported (since v1.5) |
| Static Files | Native & Fast | Not recommended |
| Caching | FastCGI/Proxy Cache | No native caching |
The CoolVDS Factor
You can apply all these configs, but if the underlying disk I/O is slow, your database (the likely bottleneck behind the API) will stall. We are seeing a massive shift in 2015 toward SSD-based hosting. Standard spinning rust (HDDs) just cannot handle the random read/write patterns of a busy API database.
At CoolVDS, we don't oversell resources. When you deploy a KVM instance, those CPU cycles and that RAM are yours. This predictability is essential when you are trying to debug why a request took 200ms instead of 20ms.
Final Thoughts
The invalidation of Safe Harbor is a wake-up call. We need to build robust, high-performance infrastructure right here in Europe. It is not just about compliance; it is about taking control of your stack.
Don't let legacy infrastructure dictate your API performance. Spin up a CoolVDS KVM instance today, apply these Nginx tunings, and watch your latency drop.