NGINX can be deployed in front of web applications to improve response time (by caching) and to provide an additional layer of security. NGINX can act as a reverse proxy, SSL offloader and load balancer for web applications.
The following guide outlines the deployment methodology and installation instructions for deploying NGINX as a reverse proxy. The solution consists of an NGINX web server that sits in front of the web application servers and load balances HTTP(S) requests among the backend web servers. For this deployment, a CentOS v7.9 server was used as the front-end load balancer, running NGINX v1.19.8.
Installation of NGINX Application
Add the NGINX repository for CentOS 7 in the path /etc/yum.repos.d/nginx.repo. Run yum update and install the nginx application. Enable nginx service to start on boot.
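[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
# Verify package signatures against the NGINX signing key
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1

$ sudo yum update
$ sudo yum install nginx
$ sudo systemctl enable nginx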
Configuration of NGINX Application
Edit the main configuration file /etc/nginx/nginx.conf.
. . . .
# Adjust worker processes according to the CPU Cores
worker_processes auto;
. . . .
# Adjust the worker connections by running command ulimit -n
events {
    worker_connections 1024;
}
Edit the configuration file /etc/nginx/conf.d/default.conf
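# Files in conf.d are included in the http context, so these two
# directives are defaults for every server block. proxy_set_header is
# inherited only by locations that define no proxy_set_header of their own.
proxy_http_version 1.1;
proxy_set_header Connection "";

server {
    listen 80 default_server;
    server_name revproxy1.domain.com;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    # Status page, reachable from localhost only
    location /stub_status {
        stub_status;
        allow 127.0.0.1;
        deny all;
    }
}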
Create the file /etc/nginx/conf.d/www.domain.com.conf
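upstream webbackend {
    server backend-ip-1:80 weight=1 max_fails=3 fail_timeout=30s;
    server backend-ip-2:80 weight=1 max_fails=3 fail_timeout=30s;
    # Idle keepalive connections kept open to the backends per worker
    keepalive 32;
}

server {
    listen 443 ssl http2 default_server;
    server_name domain.com www.domain.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_certificate /etc/nginx/ssl/cert_domain_com.crt;
    ssl_certificate_key /etc/nginx/ssl/cert_domain_com.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        # Repeated here because this location sets its own proxy_set_header
        # directives, so the http-level one is not inherited; upstream
        # keepalive needs the Connection header cleared.
        proxy_set_header Connection "";
        # TLS is terminated on the proxy; the backends listen on port 80
        proxy_pass http://webbackend;
        # Only takes effect if proxy_pass is switched to an https upstream
        proxy_ssl_session_reuse on;
        proxy_buffers 1024 8k;
        proxy_buffer_size 4096k;
        proxy_busy_buffers_size 4096k;
    }
}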
Copy the Certificate and the Key files to the directory /etc/nginx/ssl and make sure the permissions on the files are as follows to keep these secure.
$ ls -la
total 8
drwxr-xr-x. 2 root root 70 Mar 19 10:27 .
drwxr-xr-x. 4 root root 188 Mar 20 09:17 ..
-rw-r--r--. 1 root nginx 2072 Mar 19 10:26 cert_domain_com.crt
-rw-------. 1 root nginx 1730 Mar 19 10:26 cert_domain_com.key
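A check for the permissions shown in the listing above, as an added example that is not part of the original guide. The function name check_tls_dir and its finding labels are made up for illustration, and it assumes GNU stat as shipped with CentOS.

```shell
#!/bin/sh
# Added example: audit a TLS material directory such as /etc/nginx/ssl.
# Usage: check_tls_dir DIR [OWNER]   (OWNER defaults to root, as in the listing)
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
check_tls_dir() {
    dir=$1
    owner=${2:-root}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "NOT_A_DIRECTORY $dir"
        return 1
    fi

    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue          # empty directory: glob did not match
        mode=$(stat -c '%a' "$path")        # octal permission bits, e.g. 600
        user=$(stat -c '%U' "$path")        # owning user name

        if [ "$user" != "$owner" ]; then
            echo "WRONG_OWNER $path owner=$user expected=$owner"
            findings=$((findings + 1))
        fi
        # Nothing here may be writable by group or others (bits 022).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path mode=$mode"
            findings=$((findings + 1))
        fi
        # Private keys must grant nothing to group or others (bits 077).
        case $path in
            *.key)
                if [ $(( 0$mode & 077 )) -ne 0 ]; then
                    echo "KEY_EXPOSED $path mode=$mode"
                    findings=$((findings + 1))
                fi ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_tls_dir "$@"
fi
```

Saved as a script, it can be run with /etc/nginx/ssl as its argument before starting nginx; a non-zero exit status means at least one file or the directory itself deviates from the listing.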
Start the nginx proxy
$ sudo systemctl start nginx
OPTIONAL: Install NGINX Amplify Agent
NGINX Amplify is a cloud-based tool for NGINX monitoring. The service is free of cost for up to 5 NGINX instances. The Amplify Agent collects various metrics and metadata from the operating system and the NGINX instances, and sends the data to the Amplify backend for visualization.
Download install script using curl.
$ curl -L -O https://github.com/nginxinc/nginx-amplify-agent/raw/master/packages/install.sh
Run the following command as root to install the Amplify Agent package.
$ API_KEY='15xy1234b5c952d804ef0ada7d23abcd' sh ./install.sh
After a successful installation, the new system appears on the Amplify Dashboard.
https://amplify.nginx.com