Date: 2026-02-03
NGINX
This guide covers deploying NGINX over NVIDIA Accelerated IO (XLIO), focusing on best practices and recommended conventions.
NGINX is a web server that is simple to configure for serving static web content and can also be deployed to deliver dynamic content across networks. For more information, visit the official Nginx website.
We recommend using stable, official versions of NGINX and OpenSSL.
# mkdir /opt/nginx_xlio
# cd /opt/nginx_xlio
# git clone https://github.com/openssl/openssl.git -b openssl-3.0.2
# git clone https://github.com/nginx/nginx.git -b release-1.21.6
# cd nginx
# auto/configure --prefix=/opt/nginx_xlio/install --with-openssl=/opt/nginx_xlio/openssl --with-http_ssl_module --with-http_v2_module --with-openssl-opt="enable-ktls -DOPENSSL_LINUX_TLS"
# make -j && make install
This example can be adapted to your specific requirements.
Please pay attention to the following directives: (1), (2), (3), (4), (5).
# (1) This directive needs to be coherent with XLIO_NGINX_WORKERS_NUM
worker_processes 16;
# (2) Turning off the daemon - Currently not supported by XLIO.
daemon off;
user root root;
worker_rlimit_nofile 1048575;
worker_priority -20;
error_log /dev/stdout info;
pid logs/nginx.pid;
events {
    worker_connections 200000;
    use epoll;
    multi_accept off;
    accept_mutex off;
}
http {
    # (3) Adjust to XLIO logic
    ssl_buffer_size 16128;
    # (4) Zero Copy optimization for files (sendfile API)
    sendfile on;
    include mime.types;
    default_type application/octet-stream;
    access_log off;
    client_body_timeout 1800s;
    client_header_timeout 1800s;
    send_timeout 1800s;
    keepalive_timeout 1h;
    keepalive_requests 100000000;
    # File caching optimizations:
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 3600s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    server {
        # (5) Enable KTLS usage with NGINX. Comment out this directive to disable KTLS.
        ssl_conf_command Options KTLS;
        listen [SPECIFIC_IPV4_ADDR]:443 ssl default_server backlog=65535;
        listen [SPECIFIC_IPV6_ADDR]:443 ssl default_server backlog=65535;
        server_name localhost;
        ssl_certificate /etc/ssl/certs/nginx-rsa-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-rsa-selfsigned.key;
        # Please see NVIDIA TLS offload supported ciphers
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES128-GCM-SHA256";
        ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256";
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
    }
}
To utilize TLS HW offload, please refer to TLS HW Offload for requirements and supported ciphers.
See Advanced Performance Tuning for detailed instructions on how to optimally tune your machines for XLIO performance.
Setting unlimited locked memory:
#<host> ulimit -l unlimited
XLIO configuration example for x86:
#<host> export XLIO_SPEC=nginx
#<host> export XLIO_NGINX_WORKERS_NUM=16
#<host> export XLIO_TX_BUF_SIZE=16384
#<host> LD_PRELOAD=/path/to/libxlio.so /path/to/nginx -c /path/to/nginx.conf
#<host> XLIO_SPEC=nginx XLIO_NGINX_WORKERS_NUM=16 XLIO_TX_BUF_SIZE=16384 <MORE_XLIO_PARAMS> LD_PRELOAD=path/to/libxlio.so path/to/nginx -c path/to/nginx.conf
XLIO configuration example for aarch64 (BlueField):
#<host> export XLIO_SPEC=nginx_dpu
#<host> export XLIO_NGINX_WORKERS_NUM=16
#<host> export XLIO_TX_BUF_SIZE=16384
#<host> LD_PRELOAD=/path/to/libxlio.so /path/to/nginx -c /path/to/nginx.conf
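The requirements stated above (directive (1) matching XLIO_NGINX_WORKERS_NUM, directive (2), and the unlimited locked-memory limit) can be checked before launching NGINX. The following shell script is an added example, not part of NVIDIA's documentation or tooling. The function names conf_value and xlio_preflight and the sample config are constructed here, and "coherent" is assumed to mean the two worker counts are equal.

```bash
#!/usr/bin/env bash
# Added example (not NVIDIA's tooling): pre-flight check of nginx.conf against
# the XLIO environment, based on directives (1) and (2) on this page.

# Print the first argument of the first uncommented occurrence of a directive.
conf_value() {  # usage: conf_value <directive> <file>
    awk -v d="$1" '
        { sub(/#.*/, "") }      # drop comments so "# daemon off;" is ignored
        $1 == d { v = $2; sub(/;$/, "", v); print v; exit }
    ' "$2"
}

# Return 0 when the config and environment agree, 1 otherwise.
xlio_preflight() {  # usage: xlio_preflight <nginx.conf>
    pf_rc=0
    pf_workers=$(conf_value worker_processes "$1")
    pf_daemon=$(conf_value daemon "$1")

    # (1) worker_processes must be coherent with XLIO_NGINX_WORKERS_NUM.
    # Assumption: "coherent" is checked here as exact equality, so "auto" fails.
    if [ -z "${XLIO_NGINX_WORKERS_NUM:-}" ]; then
        echo "FAIL: XLIO_NGINX_WORKERS_NUM is not set"; pf_rc=1
    elif [ "$pf_workers" != "$XLIO_NGINX_WORKERS_NUM" ]; then
        echo "FAIL: worker_processes=${pf_workers:-unset}," \
             "XLIO_NGINX_WORKERS_NUM=$XLIO_NGINX_WORKERS_NUM"; pf_rc=1
    fi

    # (2) daemon mode is not supported by XLIO.
    if [ "$pf_daemon" != "off" ]; then
        echo "FAIL: 'daemon off;' not found (daemon=${pf_daemon:-unset})"; pf_rc=1
    fi

    # Locked-memory limit: warn only, since it depends on the calling shell.
    pf_memlock=$(ulimit -l 2>/dev/null || true)
    [ "$pf_memlock" = "unlimited" ] ||
        echo "WARN: ulimit -l is '${pf_memlock}', this page sets it to unlimited"

    return "$pf_rc"
}

# Stand-alone run on a constructed sample config (not the page's full file).
demo_conf=$(mktemp)
printf '%s\n' 'worker_processes 16;' '# daemon on;' 'daemon off;' > "$demo_conf"
export XLIO_NGINX_WORKERS_NUM=16
xlio_preflight "$demo_conf" && echo "preflight OK"
rm -f "$demo_conf"
```

Run it in the same shell session that exports the XLIO variables and starts NGINX, so the environment and ulimit it inspects are the ones the workers inherit.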
XLIO offers additional optimization parameters that can be tuned for specific workloads.
For monitoring XLIO performance counters, please see Monitoring, Debugging, and Troubleshooting.
Client-Side Checks:
Is not CPU- or memory-bound
Can receive at full rate without packet drops
Does not trigger excessive retransmissions