
Setting up an Nginx reverse proxy is a fairly easy task. You configure the proxy to handle all incoming traffic on ports 80/443, then route it to the backend servers. This setup keeps the backend secure by blocking unwanted traffic and lets the proxy handle things like SSL/TLS encryption and load balancing.
The main Nginx configuration file will look something like this:

    worker_processes auto;
    pid /run/nginx.pid;
    include /etc/nginx/modules-enabled/*.conf;

    events {
        worker_connections 768;
        # multi_accept on;
    }

    http {
        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;
        # Prevent information disclosure in error messages
        # (applies to FastCGI backends only; proxied responses need proxy_intercept_errors)
        fastcgi_intercept_errors on;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); same protocols as the server block
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##
        gzip on;
        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Proxy Settings
        ##
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Configure proxy buffers
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;

        ##
        # Virtual Host Configs
        ##
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
    }

In our configuration, the reverse proxy listens for all incoming traffic on ports 80 and 443.
Here's an example of what the Nginx reverse proxy configuration file will look like:
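
    # Your domain name: www.mywebsite.com
    # ("set" is not allowed outside server/location blocks and server_name
    # does not expand variables, so the name is written out literally)

    # The proxy stream
    upstream MainProxyStream {
        # Use IP Hash for session persistence
        ip_hash;
        # Your backend server ip
        server 1.2.3.4;
    }

    # Redirect HTTP to HTTPS
    server {
        listen 80;
        server_name www.mywebsite.com;
        return 301 https://www.mywebsite.com$request_uri;
    }

    # Main
    server {
        listen 443 ssl http2;
        server_name www.mywebsite.com;

        # HTTPS
        ssl_certificate /path/to/certificate;
        ssl_certificate_key /path/to/private_key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_session_tickets off;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            # proxy_set_header is inherited from the http block only when no
            # proxy_set_header is set at this level, so repeat the forwarding headers
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://MainProxyStream;
        }
    }
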
You can place this in a new file in the nginx/sites-enabled or nginx/conf.d folder.
First of all, you can separate concerns between different layers of your infrastructure. The reverse proxy can handle all the external traffic, security, and routing, while the backend Nginx servers can be focused purely on serving content or handling application logic.
This allows your reverse proxy server to manage HTTPS encryption/decryption (SSL handshake) on behalf of your backend servers and act as a firewall to filter traffic.
Additionally, a reverse proxy can distribute traffic across multiple backend servers, a process known as load balancing.
Your backend server will only accept connections on port 80 or 443 (or any port you like) from the IP address of the reverse proxy server. If one reverse proxy server becomes overloaded, you can easily switch to another without affecting the backend server.
It also becomes easier to add new proxy servers and expand your network by using DNS.
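
On the backend side, accepting connections only from the reverse proxy can be expressed as below. This is an added example, not part of the original configuration; it assumes the proxy's address is 203.0.113.10 (a placeholder), that the proxy sends the X-Real-IP header on proxied requests, and that the backend listens on port 80 with a placeholder document root.

```nginx
# Added example for the backend server (a file in its conf.d folder).
# 203.0.113.10 is a placeholder for the reverse proxy's IP address.
# Needs the realip module, which distribution packages normally include.

# $from_proxy is 1 when the TCP connection itself comes from the proxy.
# $realip_remote_addr keeps the connecting address even after the realip
# module has rewritten $remote_addr to the client's address.
geo $realip_remote_addr $from_proxy {
    default       0;
    203.0.113.10  1;
}

server {
    listen 80;
    server_name www.mywebsite.com;

    # Reject anything that did not arrive through the reverse proxy.
    # A plain "allow 203.0.113.10; deny all;" would be evaluated against
    # the rewritten client address and would reject proxied requests too.
    if ($from_proxy = 0) {
        return 403;
    }

    # Take the client address from X-Real-IP, but only when the connection
    # comes from the proxy; the header is ignored from any other source.
    set_real_ip_from 203.0.113.10;
    real_ip_header   X-Real-IP;

    # Log both the client address and the address that actually connected.
    # (This file is included inside http {}, where log_format is declared
    # in a real setup; the default format is used here to stay minimal.)
    access_log /var/log/nginx/backend_access.log;

    location / {
        root  /var/www/html;   # placeholder document root
        index index.html;
    }
}
```

A host firewall rule that limits port 80 to the proxy's address enforces the same restriction one layer lower, before the request reaches Nginx.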