Web Servers: Review Questions

Self-Study & Discussion

These questions cover the 16 sections of the Web Servers overview and are organized by topic clusters. No answers are provided — the goal is to test your understanding of web server concepts and their practical implications.

The questions mix conceptual understanding, scenario-based debugging, and common configuration pitfalls.

Cluster 1: Server Fundamentals & Architecture (Sections 1–3)

  1. A colleague says "a web server is the physical machine in the data center." What is imprecise about this statement? Distinguish between the software process and the hardware it runs on, and explain why this distinction matters when discussing "scaling a web server."
  2. Ports below 1024 are privileged — only root can bind to them. Explain why Nginx starts as root but then drops privileges to an unprivileged user like www-data. What security risk would exist if the server continued running as root?
  3. Compare process-per-request, thread-per-request, and event-driven architectures for handling 10,000 simultaneous connections. How much memory would each model need, and why does the event-driven approach dominate modern web servers?
  4. Why does calling fs.readFileSync() in a Node.js request handler block all connections, while the same synchronous file read in Apache prefork only blocks one request? What architectural difference explains this?
  5. Explain the C10K problem. What year was it posed, what architecture couldn't solve it, and what OS-level features (epoll, kqueue) made the event-driven solution possible?

Cluster 2: Configuration & Routing (Sections 4–5)

  1. Three different domains all resolve to the same IP address via DNS. Explain how a single Nginx instance serves different content for each domain. What HTTP header makes this possible, and what happens if a request arrives without it?
  2. A developer runs systemctl restart nginx during peak traffic instead of nginx -s reload. What is the practical difference? What happens to active downloads, WebSocket connections, and in-flight API calls in each case?
  3. Nginx checks location blocks in a specific priority order: exact, preferential prefix, regex, and longest prefix. Given a request for /static/style.css, which location block wins if both location ^~ /static/ and location ~* \.css$ are defined? Why?
  4. A developer wants clean URLs where /products/42 internally serves /products.php?id=42. Should they use a redirect or a rewrite? What would happen if they accidentally used a 301 redirect instead of an internal rewrite?

Cluster 3: Static Serving & Reverse Proxying (Sections 6–7)

  1. Explain what sendfile() zero-copy does. In traditional file serving, how many times is the file data copied between buffers? How does sendfile() reduce this, and why is user-space never involved?
  2. A team deploys a CSS update, but users still see the old styles despite the file being updated on the server. The CSS file has Cache-Control: max-age=31536000. What went wrong, and what cache-busting strategy would prevent this? Why should HTML files use no-cache while versioned assets use immutable?
  3. After adding an Nginx reverse proxy in front of a Node.js application, all request logs in the app show the client IP as 127.0.0.1. What is happening, and which Nginx directive and HTTP header fix this problem?
  4. Compare round-robin, least-connections, and IP-hash load balancing. If the application stores user sessions in memory on the Node.js process (not in Redis), which strategy is required and why? What is the trade-off?
  5. Name at least four things a reverse proxy handles that your application code no longer needs to worry about. Why is this separation of concerns called "defense in depth" for security?

Cluster 4: TLS & Security (Sections 8, 10)

  1. Describe the certificate chain of trust: root CA, intermediate CA, and server certificate. What happens if the server sends only its own certificate without the intermediate — which specific browser error would users see?
  2. A Let's Encrypt certificate expires after 90 days. What tool automates renewal, and what happens to HTTPS visitors if the certificate expires without being renewed? Why are short-lived certificates considered more secure than long-lived ones?
  3. Explain the difference between HSTS (Strict-Transport-Security) and a 301 redirect from HTTP to HTTPS. What specific attack does HSTS prevent that a 301 redirect alone cannot?
  4. A developer adds server_tokens off to their Nginx config and declares the server "secure." What is wrong with this reasoning? List at least four additional security measures that provide real protection beyond hiding the server version.
  5. Rate limiting is configured with limit_req_zone at 10 requests per second with a burst of 20. Explain what burst=20 nodelay does. What happens to the 21st request in a burst? Why would you use stricter limits on /login than on /api/?

Cluster 5: Logging, Monitoring & Debugging (Sections 9, 12)

  1. Parse this raw access log entry and identify each field: 93.184.216.34 - jane [10/Oct/2025:13:55:36 -0700] "GET /api/books HTTP/1.1" 200 2326 "https://example.com/" "Mozilla/5.0". What is the difference between the Combined log format and Common log format?
  2. Explain what a correlation ID (X-Request-ID) is and why it is essential when debugging across multiple services. If a user reports a slow API call, how would a correlation ID help you trace the problem from Nginx through the application to the database?
  3. A user reports a 502 Bad Gateway error. Walk through the debugging steps in order: what do you check first, second, third? Write the specific commands you would run and what each tells you.
  4. The P95 latency for an endpoint has been steadily increasing over the past week, but the average response time looks normal. Why is P95 a better metric than average? What could cause P95 to rise while the average stays flat?

Cluster 6: Performance & Tuning (Section 11)

  1. Explain why worker_processes auto is recommended over a fixed number. What does this directive actually set, and what happens if you set it higher than the number of CPU cores?
  2. A developer spends a week optimizing their Nginx configuration for maximum throughput, but the site is still slow. The access log shows request_time=2.3s for API endpoints and request_time=0.002s for static files. Where is the actual bottleneck, and why was tuning Nginx the wrong focus?
  3. Compare the three benchmarking tools: ab, wrk, and k6. When would you choose each? Why is benchmarking against localhost misleading compared to testing over a real network?

Cluster 7: Node.js, Serverless & Architecture Choices (Sections 13–16)

  1. In the traditional Apache + PHP model, a crash in one request doesn't affect others. In raw Node.js, a single unhandled exception kills the entire server. Explain why this architectural difference exists and how the hybrid model (Nginx + Node.js with PM2) mitigates the risk.
  2. "Serverless" doesn't mean there are no servers. What does it actually mean? Compare the cost model, scaling behavior, and debugging experience of serverless versus a traditional server. When does serverless become more expensive than a fixed server?
  3. A startup is choosing between a single Nginx + Node.js server and a Kubernetes cluster for their new API. Their expected traffic is 100 requests per second. Which architecture should they choose and why? What principle guides this decision?
  4. For each use case, identify the recommended architecture and explain why: (a) a personal blog with 50 visitors/day, (b) a real-time chat application, (c) an image processing webhook that fires 10 times per hour, (d) an e-commerce site handling Black Friday traffic spikes.