How to Configure Nginx as a Reverse Proxy for HTTP/HTTPS Traffic


Nginx is a powerful web server that can also act as a reverse proxy, forwarding client requests to backend servers. This is particularly useful for load balancing, caching, or serving multiple applications through a single entry point.

Here's a minimal Nginx configuration to proxy HTTP traffic to a backend server running on port 8080:


server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
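The configuration above passes the client address to the backend in X-Forwarded-For using $proxy_add_x_forwarded_for, which appends $remote_addr to whatever value the client already sent. The following is an added example, not part of the original article, of how a backend can resolve the client address from that header; the trusted-proxy list and the function name client_ip are assumptions.

```python
import ipaddress

# Assumption: Nginx on the same host is the only proxy allowed to reach the backend.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, x_forwarded_for):
    """Resolve the client address for a request received by the backend.

    peer_addr: address of the TCP peer on the backend socket.
    x_forwarded_for: raw header value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A request that did not come through a trusted proxy can carry any
    # header value, so only the socket address is usable.
    if not _is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    # $proxy_add_x_forwarded_for appends $remote_addr to the value the client
    # sent, so only the rightmost entries were written by our own proxies.
    # Walk from the right and return the first hop that is not one of ours.
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: nothing further left can be trusted
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (socket peer, X-Forwarded-For value).
    samples = [
        ("127.0.0.1", "203.0.113.7"),               # normal proxied request
        ("127.0.0.1", "10.0.0.1, 198.51.100.23"),   # client pre-set the header
        ("198.51.100.23", "127.0.0.1"),             # request bypassed the proxy
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```

The X-Real-IP header set in the same block carries only $remote_addr, so a backend that sits behind exactly one proxy can read it directly after checking that the socket peer is that proxy.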

For secure HTTPS proxying, you'll need SSL certificates. Here's how to extend the configuration:


server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

Nginx offers several proxy-related directives for fine-tuning:


location /api/ {
    proxy_pass http://backend-api/;
    proxy_connect_timeout 5s;
    proxy_read_timeout 60s;
    proxy_send_timeout 60s;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
}

For WebSocket applications, additional headers are required:


location /ws/ {
    proxy_pass http://websocket-backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 86400s;
}

Nginx can distribute traffic across multiple servers:


upstream backend {
    server backend1.example.com;
    server backend2.example.com;
    server backend3.example.com;
}

server {
    location / {
        proxy_pass http://backend;
    }
}

When troubleshooting, enable the error log and consider adding:


proxy_intercept_errors on;
error_page 500 502 503 504 /custom-error.html;

Nginx excels as a high-performance reverse proxy server, capable of handling both HTTP and HTTPS traffic with minimal overhead. The proxy module (ngx_http_proxy_module) comes built into standard Nginx installations, requiring no additional compilation.

Here's a fundamental configuration to proxy HTTP requests to a backend server:

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://backend_server_ip:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

For secure traffic handling, you'll need SSL certificates. This configuration handles HTTPS termination:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://backend_server_ip:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Nginx offers numerous proxy optimizations:

location /api/ {
    proxy_pass http://backend_api/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 300s;
    
    # Buffer optimization
    proxy_buffering on;
    proxy_buffer_size 4k;
    proxy_buffers 256 4k;
}

Combine proxy functionality with load balancing:

upstream backend {
    server backend1.example.com weight=5;
    server backend2.example.com;
    server backend3.example.com backup;
}

server {
    location / {
        proxy_pass http://backend;
        # Include all standard proxy headers
    }
}

Special configuration for WebSocket connections:

location /wsapp/ {
    proxy_pass http://wsbackend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_read_timeout 86400;
}

Always include security headers and limit direct access:

location / {
    proxy_pass http://backend;
    proxy_hide_header X-Powered-By;
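    # "always" adds the header on every response code, including 4xx/5xx errors
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Only clients in this range may reach the backend through this location
    allow 192.168.1.0/24;
    deny all;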
}

Enable these directives when troubleshooting:

proxy_intercept_errors on;
proxy_next_upstream error timeout invalid_header;
proxy_redirect off;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;