HowTo: Use Nginx As Reverse Proxy Server

Nginx is an open source Web server and a reverse proxy server. You can use nginx for a load balancing and/or as a proxy solution to run services from inside those machines through your host’s single public IP address such as 202.54.1.1. In this post, I will explain how to install nginx as reverse proxy server for Apache+php5 domain called www.example.com and Lighttpd static asset domain called static.example.com. You need to type the following commands on vm00 having an IP address 192.168.1.1 only.

DNS Setup

Make sure both www.example.com and static.example.com point to public IP address 202.54.1.1.

Install nginx server

Type the following command to install nginx web server:
$ cd /tmp $ wget http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm # rpm -iv nginx-release-rhel-6-0.el6.ngx.noarch.rpm # yum install nginx
Sample outputs:

Loaded plugins: rhnplugin
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nginx.x86_64 0:1.2.1-1.el6.ngx will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================
 Package      Arch          Version                   Repository    Size
=========================================================================
Installing:
 nginx        x86_64        1.2.1-1.el6.ngx           nginx        331 k

Transaction Summary
=========================================================================
Install       1 Package(s)

Total download size: 331 k
Installed size: 730 k
Is this ok [y/N]: y
Downloading Packages:
nginx-1.2.1-1.el6.ngx.x86_64.rpm                  | 331 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : nginx-1.2.1-1.el6.ngx.x86_64                          1/1
----------------------------------------------------------------------

Thanks for using NGINX!

Check out our community web site:
* http://nginx.org/en/support.html

If you have questions about commercial support for NGINX please visit:
* http://www.nginx.com/support.html

----------------------------------------------------------------------
  Verifying  : nginx-1.2.1-1.el6.ngx.x86_64                          1/1

Installed:
  nginx.x86_64 0:1.2.1-1.el6.ngx

Complete!

Configure the nginx web server as reverse proxy

Edit /etc/nginx/conf.d/default.conf, enter:
# vi /etc/nginx/conf.d/default.conf
Add/correct as follows:

## Basic reverse proxy server ##
## Apache (vm02) backend for www.example.com ##
upstream apachephp  {
      server 192.168.1.11:80; #Apache1
}
 
## Lighttpd (vm01) backend for static.example.com ##
upstream lighttpd  {
      server 192.168.1.10:80; #Lighttpd1
}
 
## Start www.example.com ##
server {
    listen       202.54.1.1:80;
    server_name  www.example.com;
 
    access_log  /var/log/nginx/log/www.example.access.log  main;
    error_log  /var/log/nginx/log/www.example.error.log;
    root   /usr/share/nginx/html;
    index  index.html index.htm;
 
    ## send request back to apache1 ##
    location / {
     proxy_pass  http://apachephp;
     proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
     proxy_redirect off;
     proxy_buffering off;
     proxy_set_header        Host            $host;
     proxy_set_header        X-Real-IP       $remote_addr;
     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   }
}
## End www.example.com ##
 
## START static.example.com ##
server {
   listen      202.54.1.1:80;
   server_name static.example.com;
   access_log  /var/log/nginx/log/static.example.com.access.log  main;
   error_log   /var/log/nginx/log/static.example.com.error.log;
   root        /usr/local/nginx/html;
   index       index.html;
 
   location / {
        proxy_pass  http://lighttpd;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header        Host            static.example.com;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
## END static.example.com  ##

Turn on Nginx

Type the following commands:
# chkconfig nginx on # service nginx start

Configure firewall

Set firewall as follows:

Drop all INPUT/OUTPUT chain traffic by default.
Only open tcp port 202.54.1.1:80 and/or 443 on eth0 only.
Set eth1 as trusted device so that communication take place between nginx reverse proxy and Apache/Lighttpd backend servers.

Run the following command to set and customize firewall as described above:
# system-config-firewall-tui
You can edit /etc/sysconfig/iptables manually and set the firewall too. See our tutorial for more information.

/etc/sysctl.conf

Edit /etc/sysctl.conf as follows:

# Execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1
 
# IPv4 settings
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
 
# Increase system file descriptor limit to
fs.file-max = 50000
 
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
 
# Ipv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

Load new Linux kernel settings, run:
# sysctl -p
See Linux Kernel /etc/sysctl.conf Security Hardening faq for detailed explanation of above directives.

Securing Nginx web server

See our previous blog post, “Top 20 Nginx WebServer Best Security Practices” for more information. Also, for more information on nginx, reverse proxy and ssl configuration see our previous tutorials:

LAMP Stack Security Best Practices

Encrypt data communication – Use ssh and vpns while configuring your vms. Use the scp/sftp client to upload files.
Do you really need all sort of web services installed? Avoid installing unnecessary software to avoid vulnerabilities in software. Use the RPM package manager such as yum or apt-get and/or dpkg to review all installed apps.
Applying security patches is an important part of maintaining Linux server. Linux provides all necessary tools to keep your system updated, and also allows for easy upgrades between versions. All security update should be reviewed and applied as soon as possible.
Give the least privilege necessary for user accounts and software to perform tasks. Do not give ssh access to everyone.
Read our rest of the security tips and best practices:

Conclusion:

I hope this guide provided you enough information to configure and use vm for serving exactly one network service for the CentOS and RHEL based operating system.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

13 comment

Jalal Hajigholamali says:
June 23, 2012 at 2:31 am
hi,
thanks, useful article
Roozbeh says:
June 25, 2012 at 5:30 pm
Hi,
I wanted to know how to configure apache and lighthttp to log X-Real-IP X-Forwarded-For instead of proxy box ip on the httpd server side. I have seen rpaf for Apache that will do this but is there a built-in module or config for apache that will take care of this?
Roozbeh says:
June 25, 2012 at 5:39 pm
I have seen rpaf for Apache that will change nginx proxy server ip with X-Real-IP and X-forward to log the correct ip. can this be done with out a use of a module on apache?
Thanks,
eyoon masr says:
July 7, 2012 at 11:27 pm
I’ve installed the Nginx reverse proxy on your server and have checked each one of my sites and they all appear to be loading much quicker now that it’s handling the static content
Vit says:
November 25, 2013 at 11:19 am
This guide purpose is hard to understand. Im really unsure what i can achieve with it. Very badly introduced. Lost my time
Angelo Corbo says:
April 8, 2014 at 12:52 am
Excellent stuff Nix,
Iâ€™m running nginx on Ubuntu 12.10 with 5 web apps in one box, AND then Apache on OS X (Mac Mini) with a web photo gallery (gallery3) serving a few thousand pictures and videos. I thought about configuring nginx as a reverse proxy for Apache for all the performance benefits it provides. It should be feasible to have Apache handle the gallery app except the actual media (static pictures and videos), which nginx would be ideal to handle, but Iâ€™m not sure on the actual details. Do you have any suggestions?
Michael Somerville says:
June 5, 2014 at 8:09 pm
Thanks for this guide. It was very helpful and I have managed to setup nginx as reverse proxy for a couple VM’s i’m hosting. Only problem is that when accessing my WordPress site via nginx, all the style elements are being stripped away. I appear to be only seeing raw html output with no formatting info. It only happens when accessing WordPress via reverse proxy so it must be something that nginx is doing or not doing.
This is a problem as I want this to be a very professional site accessible on the internet.
Any ideas how to correct are welcome.
davejal says:
July 17, 2014 at 12:40 am
Hi,
Using windows 7 and nginx 1.7.3 . I used the mentioned conf above, but I get an error
nginx: [emerg] “upstream” directive is not allowed here in C:xamppnginx-1.7.3/
conf/nginx.conf:16
Anyone know some way around this?
autoclick says:
November 26, 2014 at 4:12 pm
any example for apache config at origin server?

Hi I have done the same as above but still for me it is not working can you pls help me.

##bassic reverse proxy server ##
## Domino (vm02) backend for www.xyz.com ##
upstream yyy  {
      server xxx.xxx.xxx.xxx:80; #Domino
}

## Start www.xyz.com ##
server {
    listen       xxx.xxx.xxx.xxx:80;
    server_name  www.xyz.com;

    access_log  /var/log/nginx/log/www.xyz.access.log;
    error_log  /var/log/nginx/log/www.xyz.error.log;
    root   /usr/share/nginx/html;
    index  index.html index.htm;

    ## send request back to apache1 ##
    location / {
     proxy_pass  http://yyy;
     proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
     proxy_redirect off;
     proxy_buffering off;
     proxy_set_header        Host            $host;
     proxy_set_header        X-Real-IP       $remote_addr;
     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   }
}
## End www.xyz.com.com ##
## START yyy.xyz.com ##
server {
   listen      xxx.xxx.xxx.xxx:80;
   server_name yyy.xyz.com;
   access_log  /var/log/nginx/log/yyy.xyz.com.access.log;
   error_log   /var/log/nginx/log/yyy.xyz.com.error.log;
   root        /usr/local/nginx/html;
   index       index.html;

   location / {
        proxy_pass  http://yyy;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header        Host            yyy.xyz.com;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
## END yyy.xyz.com  ##

Debjit says:
October 26, 2016 at 10:38 am
I am getting 502 Bad Gateway from nginx after configuring.
misr369 says:
January 5, 2017 at 2:19 pm
any example for apache config at origin server?

Have a question? Post it on our forum!