NGINX

Lua code embedded in NGINX must be strictly non-blocking to maintain event-driven performance. Using standard Lua libraries or C libraries that perform blocking I/O (e.g., standard `os.time()` or slow file I/O) halts the entire NGINX worker, causing massive performance degradation, high latency, and request timeouts for all concurrent requests.

Lua-based annotation parsers in ingress-nginx (e.g., `auth-url`, `auth-tls-match-cn`, mirror UID parsers) fail to properly sanitize user inputs before incorporating them into NGINX/Lua configurations. Attackers can craft malicious Ingress annotations that inject arbitrary directives into the NGINX configuration template via the admission controller's validation logic.

Disabling proxy buffering with `proxy_buffering off` forces NGINX worker processes to handle upstream responses in blocking, synchronous fashion, completely subverting the non-blocking architecture. This typically results in slower transfers, prolonged blocking times, and also disables caching, rate limiting, and request queuing.

NGINX's scalability is constrained by the operating system's maximum file descriptors (FDs), which commonly defaults to 1024. As a reverse proxy, NGINX consumes at least 2 FDs per request (client + upstream server), causing rapid FD depletion and hard connection failures at high concurrency if not manually increased via `worker_rlimit_nofile`.

Errors in third-party Lua modules cause gradual, indefinite memory consumption increases leading to out-of-memory crashes. Without strict control over module versions and dependencies, operators face increased risk of subtle instability that is hard to debug.

Variables set in one Lua phase may not be available or may be stale in later phases if timing and scope are misunderstood. Logic relying on variables set in different phases (e.g., `set_by_lua*` vs. `access_by_lua*`) results in NGINX variables being empty or holding stale values, causing incorrect routing, logging, or access decisions.

Frequent dynamic endpoint updates driven by Lua in ingress-nginx cause the NGINX master process to fail to properly reap worker child processes, resulting in zombie processes accumulating on the host OS. These zombies consume system resources and complicate process management.

Lua-based load balancing logic in Kubernetes ingress-nginx, particularly under high pod counts, results in severe traffic imbalance where a small subset of backend pods receives an overwhelming majority of traffic, creating 'hot pods' and 'cold pods' and degrading overall cluster performance.

NGINX configuration inheritance is opaque and non-intuitive: array directives like `proxy_set_header` or `add_header` in child contexts (e.g., `location{}` blocks) completely override parent context values (e.g., `http{}` blocks) rather than merging. This silently drops critical security or tracing headers, leading to unexpected behavior and security issues.

NGINX Open Source requires graceful reloads for configuration changes, which introduce operational instability, resource spikes, latency, or dropped connections—especially problematic for long-lived connections like WebSockets. This forces production deployments to require NGINX Plus for dynamic upstream reconfiguration.

NGINX thread pools were introduced to mitigate synchronous operations like slow disk I/O, but they require significant memory duplication ('share-nothing' model) to maintain thread safety, partially negating NGINX's traditional low memory advantage. Freeing up the event loop allows workers to accept even more connections, leading to job queue saturation and latency spikes.

NGINX requires deep knowledge of Linux-based terminology and involves complex configuration steps that are difficult to simplify. This high barrier to entry reduces usability and requires significant human involvement for proper setup.

NGINX lacks a holistic view of traffic flows and comprehensive KPI metrics. There is no interactive dashboard to help understand transaction endpoints or application-level troubleshooting, making performance analysis and debugging difficult.

The NGINX status metrics page (`/nginx_status`) provides internal visibility into server utilization and must be manually restricted via authentication and IP-based access control. Operators must continuously adhere to security best practices, as misconfiguration exposes sensitive operational data.

Managing applications across diverse deployment environments (AWS, Azure, on-premise, Kubernetes, serverless) requires different NGINX configurations, tools, and operational knowledge. This diversity leads to complexity sprawl, configuration drift, and increased operational toil.

NGINX is optimized for static content and reverse proxying; handling dynamic content requires complex configuration and delegation to external processors like PHP-FPM. This necessitates meticulous inter-process communication (IPC) setup, increases architectural sprawl, and amplifies resource consumption and configuration burden.

Configuration synchronization issues in Kubernetes ingress-nginx sometimes require manual intervention to delete and recreate Services and Ingresses, creating operational toil and potential downtime.

NGINX has poor support for streaming use cases and lacks robust streaming solutions compared to alternatives.

Incomplete termination of Lua execution phases can lead to inconsistent logging or leaking of internal NGINX headers, causing information disclosure or incorrect log entries.