
Reverse Proxy using The ‘Other’ Open Source Web Server (nginx)

by mnemonique on June 2, 2009


Have you tried managing multiple web servers (with different IPs) behind a firewall?
Ever had a problem accessing the sites without port numbers?

Ever heard of Reverse Proxy?

Definitions of reverse proxy on the Web:

* A reverse proxy or surrogate is a proxy server that is installed within the neighborhood of one or more servers. …

en.wikipedia.org/wiki/Reverse_proxy

* A proxy server that appears to the client as if it is an origin server. This is useful to hide the real origin server from the client for security reasons, or to load balance.

www.php-editors.com/apache_manual/glossary.html

* An application proxy for servers using Hypertext Transfer Protocol (HTTP).

www.ibm.com/developerworks/wikis/display/xdcomputegrid/Glossary

* A caching mode in which the cache acts on the behalf of one or more content hosts.

www.xwire.com/glossary

Ever heard of NGINX?

nginx (pronounced “engine X”) is a lightweight web server/reverse proxy and e-mail (IMAP/POP3) proxy, licensed under a BSD-like license.

source: en.wikipedia.org/wiki/Nginx

Nginx is a fast and efficient web server. It can be configured to serve files or to act as a reverse proxy, depending on your application. What sets this web server apart from Apache, Lighttpd or thttpd is the overall efficiency of the daemon, the number of configuration options and how easy it is to set up.

Nginx ("engine x") is a high-performance HTTP server and reverse proxy server. Nginx was written by Igor Sysoev for rambler.ru, Russia's second-most visited website, where it has been running in production for over two and a half years. Igor has released the source code under a BSD-like license. Although still in beta, Nginx is known for its stability, rich feature set, simple configuration, and low resource consumption.

Simple (Running Live) Nginx Config for Reverse Proxy Setup:

    #user nobody;
    worker_processes 4;

    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;

    #pid logs/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        server_names_hash_bucket_size 64;
        sendfile on;
        keepalive_timeout 65;
        gzip on;

        ############# www.domain1.com
        server {
            ### IP of Nginx
            listen 172.16.0.1:80;
            ### FQDN (Fully Qualified Domain Name); server_name takes host names only,
            ### the port is fixed by the listen line above
            server_name www.domain1.com domain1.com;
            location / {
                ### IP of the WWW Server inside the LAN
                ### (neat trick is to add the hostname with its private IP to /etc/hosts
                ### or configure a local DNS resolver like djbdns's tinydns)
                proxy_pass http://172.16.1.1:80/;
                ### Config File (Default)
                include /usr/local/etc/nginx/proxy.conf;
            }
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root /usr/local/www/nginx-dist;
            }
        }

        ############# www.domain2.com
        server {
            ### IP of Nginx
            listen 172.16.0.1:80;
            ### FQDN (Fully Qualified Domain Name)
            server_name www.domain2.com domain2.com;
            location / {
                ### hostname of the WWW Server inside the LAN; on the proxy host this name
                ### must resolve to the server's private IP (neat trick is to add it to
                ### /etc/hosts or configure a local DNS resolver like djbdns's tinydns),
                ### otherwise nginx would proxy the request back to itself
                proxy_pass http://www.domain2.com:80/;
                ### Config File (Default)
                include /usr/local/etc/nginx/proxy.conf;
            }
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root /usr/local/www/nginx-dist;
            }
        }

        ############# www.domain3.com (HTTPS)
        # HTTPS server
        #
        server {
            ### IP of Nginx
            listen 172.16.0.1:443;
            ### FQDN (Fully Qualified Domain Name)
            server_name www.domain3.com domain3.com;
            ssl on;                                                  # additional option for SSL
            ssl_certificate /usr/local/etc/nginx/ssl/server.pem;     # certificate PEM
            ssl_certificate_key /usr/local/etc/nginx/ssl/server.key; # certificate KEY
            ssl_protocols SSLv2 SSLv3 TLSv1;
            ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
            ssl_prefer_server_ciphers on;
            location / {
                ### hostname of the WWW Server inside the LAN; on the proxy host this name
                ### must resolve to the server's private IP (neat trick is to add it to
                ### /etc/hosts or configure a local DNS resolver like djbdns's tinydns),
                ### otherwise nginx would proxy the request back to itself
                proxy_pass https://www.domain3.com:443/;
                ### Config File (Default)
                include /usr/local/etc/nginx/proxy.conf;
            }
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root /usr/local/www/nginx-dist;
            }
        }
    }

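The live config above includes /usr/local/etc/nginx/proxy.conf in every location but never shows what that file holds, and its HTTPS block reflects 2009. The following complete nginx.conf is an added example, not the author's live configuration: it keeps the same layout (proxy on 172.16.0.1, backends on private addresses) but inlines the header-forwarding directives a proxy.conf normally carries, adds a catch-all default server so a request whose Host header matches no server_name is refused instead of being routed to whichever server block happens to come first, and replaces the SSLv2/SSLv3 settings with TLS 1.2/1.3. The backend address 172.16.1.3 for domain3, the certificate paths and the timeout values are assumptions.

```nginx
# Added example; not the author's running config. Addresses other than
# 172.16.0.1 and 172.16.1.1, and the certificate paths, are assumed.
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 64;
    sendfile on;
    keepalive_timeout 65;

    # What proxy.conf usually contains, applied to every proxied location.
    # Without Host the backend only sees the proxy's request and cannot pick
    # its own virtual host; without X-Forwarded-For its access log records
    # 172.16.0.1 for every client, which makes incident review impossible.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Fail fast on a dead backend instead of tying up client connection slots.
    proxy_connect_timeout 10s;
    proxy_read_timeout 60s;

    # Catch-all: a Host header that matches no server_name below is dropped
    # (444 closes the connection without a response) rather than answered
    # by the first server block, which is nginx's default behaviour.
    server {
        listen 172.16.0.1:80 default_server;
        listen 172.16.0.1:443 ssl default_server;
        ssl_certificate     /usr/local/etc/nginx/ssl/server.pem;
        ssl_certificate_key /usr/local/etc/nginx/ssl/server.key;
        return 444;
    }

    server {
        listen 172.16.0.1:80;
        server_name www.domain1.com domain1.com;
        location / {
            proxy_pass http://172.16.1.1:80/;
        }
    }

    server {
        # "ssl" on the listen line replaces the deprecated "ssl on;" directive.
        listen 172.16.0.1:443 ssl;
        server_name www.domain3.com domain3.com;
        ssl_certificate     /usr/local/etc/nginx/ssl/server.pem;
        ssl_certificate_key /usr/local/etc/nginx/ssl/server.key;
        # The original enables SSLv2 and SSLv3 and a cipher list that admits
        # RC4, EXPORT and LOW grades; both protocols are broken and current
        # OpenSSL builds of nginx no longer offer SSLv2 at all.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        location / {
            # Backend address is assumed; https:// keeps TLS end to end across the LAN.
            proxy_pass https://172.16.1.3:443/;
        }
    }
}
```

Run nginx -t against the file before reloading; it catches both syntax errors and a missing certificate file. The default_server block needs a certificate because the TLS handshake completes before nginx can see the Host header (or SNI name) it is going to reject.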

Nginx configuration explained:

pid /var/run/nginx.pid : This is the location of the process id file that holds the PID of the master Nginx process. If you want to re-read nginx.conf without restarting the daemon, you can cat this file and send a HUP, like so: kill -HUP `cat /var/run/nginx.pid`.

user nginx nginx : The user and group the child processes run as. You may need to create this user and group if you install Nginx from source. Make sure this user is completely unprivileged, or at least runs with the least privileges necessary to make the server work.

worker_processes 2 : The number of worker processes to spawn. A worker is similar to a child process in Apache. Nginx can use more than one worker process for several reasons: to use multiple processors on SMP machines, to decrease latency when workers are blocked by disk I/O, or to limit the number of connections per process when select() or poll() is used. The general rule of thumb is to set the number of nginx workers to two (2) or the number of CPUs your server has, whichever is greater. On most servers, however, you will find that two (2) workers serve pages quickly and put less load on the machine. The exception to this rule is if you use SSL and/or compress all of your content. If you use SSL and compression, we suggest testing your site with double the number of workers. Our example nginx.conf has 2 workers, so we would set it to 4.

For testing, we suggest using the Apache benchmark binary (ab) to stress your server and see how many connections your machine can handle. "ab" can be found in any Apache install. To calculate how many total concurrent connections nginx can support, multiply "worker_processes" by "worker_connections". Our example is set up to handle 2*1024=2048 total concurrent connections. Clients who attempt to connect after 2048 clients are already connected will be denied access. It is better to deny clients than to overload the machine and possibly cause a DoS.

worker_connections 1024 : This is the number of client connections a single worker process will handle on its own at any one time (default: 1024). Note: multiply worker_processes by worker_connections for the total number of connections Nginx will handle. Our example is set up to handle 2*1024=2048 connections in total. Clients who connect after the maximum has been reached will be denied access.

MIME types : This section allows nginx to identify files by extension. For example, if we serve a .txt file, the MIME type would be defined as text/plain.

include mime.types is the definition file nginx loads to identify all of the MIME types. This directive simply allows our server to send the proper file type and application type to clients. Alternatively you can take out this line and instead define your own MIME types with the following "types" directive.

types {...} Instead of using the "include mime.types" directive you can define your own MIME types. This is an especially useful option if you want to use the same MIME types on many different systems or do not want to rely on a secondary definition file. You also have the option of defining a MIME type for a non-standard extension. In our example we define the extension "bob" as text/plain.

default_type application/octet-stream is the default type used when a file extension has not been defined in the mime.types file. This is useful if you serve files with no extension or with a non-standard extension. Either way, clients will be able to retrieve the file unobstructed.

Size Limits : These directives specify the buffer size limits on the amount of data we will consider valid for a request. If the client sends too much data in one request, for example in a buffer overflow attack, the request is denied.

client_body_buffer_size 1k If the request body is larger than the buffer, the whole body, or part of it, is written to a temporary file.

client_header_buffer_size 1k is the limit on the size of all of the HTTP headers the client can send to the server. For the overwhelming majority of requests a buffer size of 1K is sufficient. The only time you would need to increase this is if a custom header or a large cookie is sent from the client.

client_max_body_size 1k is the maximum accepted body size of a client request, as indicated by the "Content-Length" line in the request header. If the size exceeds this value, the client is sent the error "Request Entity Too Large" (413). If you expect to receive files uploaded to your server through the POST request method, you should increase this value.

large_client_header_buffers 1 1k limits the URI request line, which cannot be larger than the buffer size multiplied by the number of buffers. In our example we accept a buffer size of 1 kilobyte and there is only one (1) buffer, so we will not accept a URI larger than (1x1K=1K) 1 kilobyte of data. If the client sends a bigger request, Nginx returns the error "Request URI too large" (414). The longest header line of the request must also be smaller than (1x1K=1K) 1 kilobyte, otherwise the client gets the error "Bad request" (400). Limiting the client URI is important to keep a scanner or broken client from sending large requests and possibly causing a denial of service (DoS) or buffer overflow.

Timeouts : These values specify the amount of time in seconds that Nginx will wait for the client to complete the specified action.

client_body_timeout 5 is the read timeout for the request body from the client. If the client sends nothing within this time, nginx returns the error "Request time out" (408).

client_header_timeout 5 is the timeout for reading the client request header. If the client sends nothing within this time, nginx returns the error "Request time out" (408).

keepalive_timeout 5 5 the first value is the timeout for keep-alive connections with the client. The second parameter sets the value sent in the "Keep-Alive: timeout=time" response header.

send_timeout 5 is the response timeout to the client. The timeout applies not to the transfer of the whole response but only to the interval between two successive operations on the connection; if the client accepts nothing within this time, nginx closes the connection.
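The directives explained above, assembled into one file as an added example (it is neither the author's live config nor the nginx.conf the explanation quotes). It uses the values given in the explanation (2 workers, 1k buffers, 5-second timeouts) and the types {...} alternative with the "bob" extension; the backend address 172.16.1.1 is taken from the live config earlier in the post, and the access log path is an assumption.

```nginx
# Added example built from the explained directives; not the author's config.
user nginx nginx;            # unprivileged account created for the workers
worker_processes 2;          # 2 workers * 1024 connections = 2048 concurrent clients
pid /var/run/nginx.pid;      # kill -HUP `cat /var/run/nginx.pid` re-reads this file

events {
    worker_connections 1024;
}

http {
    # Own MIME table instead of "include mime.types"; the non-standard "bob"
    # extension is served as text/plain, as in the explanation.
    types {
        text/html  html htm;
        text/plain txt bob;
    }
    default_type application/octet-stream;

    # Size limits: anything larger is refused with 413 (body), 414 (request
    # line) or 400 (header line) before it ever reaches a backend.
    client_body_buffer_size     1k;
    client_header_buffer_size   1k;
    client_max_body_size        1k;     # raise this if POST uploads are expected
    large_client_header_buffers 1 1k;   # 1 buffer x 1k = 1k maximum request line;
                                        # browsers with large cookies will hit 400

    # Timeouts: a client that stalls for 5 s at any of these steps is dropped
    # with 408, which frees its worker_connections slot for someone else.
    client_body_timeout   5;
    client_header_timeout 5;
    keepalive_timeout     5 5;
    send_timeout          5;

    # Rejected requests appear in the access log with status 400, 413 or 414.
    # Check whether legitimate clients are among them before tightening further.
    access_log /var/log/nginx/access.log;   # assumed path

    server {
        listen 172.16.0.1:80;
        server_name www.domain1.com domain1.com;
        location / {
            proxy_pass http://172.16.1.1:80/;
        }
    }
}
```

With these limits in place, the 2048-connection ceiling from worker_processes * worker_connections is what a slow or misbehaving client competes for, so the short timeouts matter as much as the byte limits: each one bounds how long a single connection can hold a slot without making progress.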
