
Enterprise‑Grade Nginx Configuration: From Binary Install to High‑Concurrency Production Deployment

This guide walks through installing Nginx via package manager or source compilation, explains core roles, provides a production‑ready configuration template, and details reverse proxy, load‑balancing strategies, health checks, high‑concurrency tuning, and HTTPS setup with self‑signed and Let’s Encrypt certificates.

AI Agent Super App

What Is Nginx?

Nginx acts as an HTTP server, reverse proxy, and load balancer, routing client requests to static files or backend services.

Installation Options

1. Package Manager (recommended)

Ubuntu/Debian: apt update && apt install nginx

CentOS/RHEL: yum install nginx

Start and enable the service:

systemctl start nginx
systemctl enable nginx

2. Compile from Source

Compile when custom modules (e.g., SSL) are needed. After compilation, binaries reside in /usr/local/nginx/, the main configuration file is conf/nginx.conf, and the daemon is started with sbin/nginx.

Production Configuration Template

A ready‑to‑use configuration includes key directives:

worker_processes auto; – automatically selects the optimal number of worker processes (usually equal to CPU cores).

worker_connections 10240; – maximum simultaneous connections per worker, sufficient for many high‑traffic scenarios.

use epoll; – Linux‑specific I/O event model that improves request handling efficiency.

sendfile on; – enables zero‑copy file transmission.

gzip on; – compresses responses to reduce bandwidth.

Reverse Proxy

The reverse proxy forwards client requests to backend services such as Tomcat, Node.js, or Python.

Basic Proxy Configuration

server {
    listen 80;
    server_name myapp.com;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The added headers preserve the original host and client IP, which are essential for logging, rate limiting, and security checks.

Timeout Settings

location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_connect_timeout 5s;
    proxy_read_timeout 60s;
    proxy_send_timeout 60s;
}

These timeouts prevent Nginx from hanging indefinitely when a backend is slow or unreachable.

Load Balancing

Nginx distributes traffic across an upstream server group.

Strategies

Round Robin (default) – sequentially cycles through servers.

Weight – assigns more requests to higher‑capacity servers (e.g., weight=3).

ip_hash – binds a client IP to the same backend, useful for session affinity.

least_conn – selects the server with the fewest active connections.

backup – designates standby servers that receive traffic only when primary servers fail.

Health Check Example

upstream backend {
    server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:8080 max_fails=3 fail_timeout=30s;
}

max_fails=3 marks a server down after three consecutive failures; fail_timeout=30s pauses traffic to that server for 30 seconds before retrying.

Keepalive Connections

upstream backend {
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
    keepalive 32;
}

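Keeping persistent connections to the upstream servers reduces handshake overhead. For HTTP upstreams, the nginx documentation pairs keepalive with proxy_http_version 1.1 and a cleared Connection header (proxy_set_header Connection "";) in the proxying location.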

Failover with proxy_next_upstream

location / {
    proxy_pass http://backend;
    proxy_next_upstream error timeout http_502;
}

If a connection error, timeout, or 502 response occurs, Nginx automatically retries another upstream server.

High‑Concurrency Tuning

For tens of thousands of simultaneous connections, adjust the following:

worker_processes 16;
worker_rlimit_nofile 200000;
events {
    worker_connections 20000;
    use epoll;
    multi_accept on;
}

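16 workers × 20 000 connections ≈ 320 000 concurrent connections. worker_connections counts every connection a worker holds, including those to upstream servers, so a proxied client uses more than one slot. Ensure the OS limit matches with ulimit -n 200000.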

Static File Caching

open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;

Files not accessed for 30 s are evicted; cache validity is checked every 60 s; files accessed fewer than twice are not cached.

Rate Limiting to Mitigate Attacks

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_req_zone $binary_remote_addr zone=one:10m rate=100r/s;

    # server blocks must sit inside the http context
    server {
        location /api/ {
            limit_conn addr 20;          # max 20 concurrent connections per IP
            limit_req zone=one burst=50 nodelay; # 100 r/s with burst of 50
        }
    }
}

This configuration blocks most CC (HTTP-flood) attacks by capping requests per second and concurrent connections per IP.
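What rate=100r/s with burst=50 nodelay actually admits for one client IP, as an added example that is not part of the original article: a simplified Python model of the leaky-bucket accounting behind limit_req, run over constructed traffic. The function names and traffic patterns are assumptions made for the illustration.

```python
def simulate_limit_req(arrivals_ms, rate_per_s=100, burst=50):
    """Model limit_req ... nodelay for a single client key.

    arrivals_ms: sorted request arrival times in milliseconds.
    Returns one "pass" / "reject" verdict per request.
    """
    verdicts = []
    excess = None   # thousandths of a request the client is ahead of the rate
    last = 0        # time of the last accepted request
    for now in arrivals_ms:
        if excess is None:
            # The first request creates the state and always passes.
            excess, last = 0, now
            verdicts.append("pass")
            continue
        elapsed = max(now - last, 0)
        # The bucket drains at rate_per_s and each request adds one unit (1000).
        candidate = max(excess - rate_per_s * elapsed + 1000, 0)
        if candidate > burst * 1000:
            # Over the burst allowance: rejected (503 by default) and the
            # stored state is left unchanged.
            verdicts.append("reject")
            continue
        excess, last = candidate, now
        verdicts.append("pass")
    return verdicts


def passed(arrivals_ms, **kwargs):
    """Number of requests the limiter lets through."""
    return simulate_limit_req(arrivals_ms, **kwargs).count("pass")


# Constructed traffic patterns for one client IP.
FLOOD = [0] * 200                    # 200 requests in the same millisecond
STEADY = list(range(0, 1000, 10))    # exactly 100 r/s for one second
SUSTAINED = list(range(0, 1000))     # 1000 r/s for one second

if __name__ == "__main__":
    for name, pattern in (("flood", FLOOD), ("steady", STEADY),
                          ("sustained", SUSTAINED)):
        print(name, passed(pattern), "of", len(pattern), "passed")
```

An instantaneous flood gets the burst allowance plus one request through, and a sustained flood settles at the configured rate once the burst is spent.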

HTTPS Setup

HTTPS is essential for security and SEO.

Self‑Signed Certificate (testing only)

# Generate a self‑signed cert
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 365 \
    -newkey rsa:2048 \
    -keyout /etc/nginx/ssl/server.key \
    -out /etc/nginx/ssl/server.crt

Let’s Encrypt (recommended)

# Install certbot
apt install certbot python3-certbot-nginx
# Obtain a certificate (domain must resolve to this server)
certbot --nginx -d myapp.com -d www.myapp.com
# Test automatic renewal
certbot renew --dry-run

HTTPS Server Block

server {
    listen 443 ssl http2;
    server_name myapp.com;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

Force HTTP to HTTPS

server {
    listen 80;
    server_name myapp.com www.myapp.com;
    return 301 https://$server_name$request_uri;
}

Common Commands

nginx -t – test configuration syntax.

nginx -s reload – reload configuration without stopping.

nginx -s stop – force stop.

ps aux | grep nginx – view running Nginx processes.

tail -f /var/log/nginx/error.log – monitor error logs.

Summary

Install Nginx via a package manager for simplicity, use reverse proxy with proper headers, configure load‑balancing strategies (weight, backup, health checks), tune workers and connections for high traffic, apply rate limiting to defend against attacks, and secure the site with HTTPS using either self‑signed or Let’s Encrypt certificates.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
