Nginx Reverse proxy principle and configuration explained

Source: Internet
Author: User
Tags nginx reverse proxy

Recently intends to study the Nginx source code, see the online introduction Nginx can be used as a reverse proxy server to complete load balancing. So the content of the reverse proxy server is collected and consolidated.

an overview

The reverse proxy method is a proxy server that accepts connection requests on the Internet, then forwards requests to servers on the internal network, and returns the results from the server to the clients that request connections on the Internet, Reverse. At this point the proxy server is represented as a server externally.

The usual proxy server, which is used only to proxy connection requests to the Internet by the internal network, must specify a proxy server and send HTTP requests that would otherwise be sent directly to the Web server to the proxy server. When a proxy server is able to proxy hosts on an external network, this proxy service is called a reverse proxy service when it accesses the internal network.

Figure 1 Rationale for reverse proxy server

How the two reverse proxy servers work

A reverse proxy server typically has two models, which can be used as an alias for a content server or as a load balancer for a content server cluster.

1, as an alias for the content server

If your content server has sensitive information that must be kept secure, such as a credit card number database, you can set up a proxy server outside the firewall as an alias for the content server. When an external client tries to access the content server, it is sent to the proxy server. The actual content is located on the content server and is secured inside the firewall. The proxy server is outside the firewall and appears to the client as a content server.

When the client requests the site, the request goes to the proxy server. The proxy server then sends the client's request to the content server through a specific path in the firewall. The content server then passes the results back to the proxy server through the channel. The proxy server sends the retrieved information to the client, as if the proxy server is the actual content server (see Figure 2). If the content server returns an error message, the proxy server intercepts the message and changes any URLs that are listed in the header, and then sends the message to the client. This prevents external clients from getting the redirect URL of the internal content server.

In this way, the proxy server provides another barrier between the secure database and possible malicious attacks. As opposed to having access to the entire database, the perpetrator is at best limited to accessing the information involved in a single transaction, even if it is a fluke attack. An unauthorized user cannot access a real content server because the firewall path only allows the proxy server to have access.

Figure 2 Reverse proxy Server as an alias for a content server

A firewall router can be configured to allow only specific servers on a specific port (in this case, the proxy server on its assigned port) to have access through the firewall without allowing any other machines to enter or leave.

2, as a load balancer for content servers

You can use multiple proxy servers within an organization to balance Network load across WEB servers. In this model, you can leverage the caching characteristics of the proxy server to create a server pool for load balancing. At this point, the proxy server can be on either side of the firewall. If the Web server receives a large number of requests per day, you can use a proxy server to share the load on the Web server and improve network access efficiency.

The proxy server acts as an intermediary mediator for requests made by the client to the real server. The proxy server stores the requested document in the cache. If there is more than one proxy server, DNS can select its IP address with "cyclic multiplexing" and randomly select the route for the request. The client uses the same URL each time, but the route taken by the request may go through a different proxy server at a time.

Multiple proxy servers can be used to handle requests for a high-volume content server, and the benefit is that content servers can handle higher loads and are more efficient than when they are working alone. During the initial boot, the proxy server retrieves the document from the content server for the first time, and thereafter the number of requests to the content server drops significantly.

Figure 3 Reverse proxy Server as a load balancer

Reference content:

1, Baidu Encyclopedia


    1. Chapter:nginx Basic Operation Explanation
      1. 1. Nginx Port Modification Problem
      2. 2. Nginx 301 Redirection Configuration
      3. 3. Configure the Nginx to support PHP under Windows
      4. 4. Configure the Nginx to support PHP under Linux
      5. 5. Install PHP and PHP-FPM in the form of source code compilation
      6. 6. One practice of Nginx multi-site configuration
      7. 7. Configuration of Nginx Reverse proxy

Nginx as a Web server an important function is the reverse proxy. In fact, we in the previous article "Nginx Multi-site configuration of a practice" in the use of Nginx reverse proxy, here simply to mention.

Here are the settings for configuring Nginx as a reverse proxy for tornado:

01 upstream tornado {
02     server;
03 }
05 server {
06     listen   80;
07     root /root/nmapp2_venv;
08     index index.html;
10     server_name server;
12     location / {
13         #if (!-e $request_filename) {
14         #    rewrite ^/(.*)$ /$1 last;
15         #}
16     }
18     location ~ /index\.py {
19         proxy_pass_header Server;
20         proxy_set_header Host $http_host;
21         proxy_set_header X-Real-IP $remote_addr;
22         proxy_set_header X-Scheme $scheme;
23         proxy_pass http://tornado;
24     }
25 }

Nginx Reverse proxy instructions do not need to add additional modules, the default comes with proxy_pass instructions, only need to modify the configuration file can be implemented reverse proxy.

Let me give you one more example. For example, to configure the backend to run the Apache service IP and port, that is, our goal is to achieve through Http://ip:port can access to your website.

Just create a new vhost.conf and add the following (remember to modify the IP and domain name for your IP and domain name). Modify the nginx.conf, add include quancha.conf to http{} segment, Reload Nginx is available.

Nginx Reverse Proxy Template:

01 ## Basic reverse proxy server ##
02 upstream apachephp  {
03     server ip:8080; #Apache
04 }
06 ## Start ##
07 server {
08     listen 80;
09     server_name;
11     access_log  logs/quancha.access.logmain;
12     error_log  logs/quancha.error.log;
13     root   html;
14     index  index.html index.htm index.php;
16     ## send request back to apache ##
17     location / {
18         proxy_pass  http://apachephp;
20         #Proxy Settings
21         proxy_redirect     off;
22         proxy_set_header   Host             $host;
23         proxy_set_header   X-Real-IP        $remote_addr;
24         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
25         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
26         proxy_max_temp_file_size 0;
27         proxy_connect_timeout      90;
28         proxy_send_timeout         90;
29         proxy_read_timeout         90;
30         proxy_buffer_size          4k;
31         proxy_buffers              4 32k;
32         proxy_busy_buffers_size    64k;
33         proxy_temp_file_write_size 64k;
34    }
35 }

This completes the Nginx reverse proxy configuration.

Nginx Reverse proxy principle and configuration explained

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.