Enterprise Nginx Mastery: Rate Limiting, Load Balancing, WebSocket, gRPC & CDN
This comprehensive guide walks you through enterprise‑grade Nginx configurations—including core settings, rate limiting, reverse‑proxy best practices, load‑balancing strategies, uwsgi, static‑file optimization, WebSocket/gRPC support, CDN caching, and ready‑to‑use templates for diverse business scenarios.
1. Core Configuration
Define the number of worker processes and connections to fully utilize multi‑core CPUs.

    worker_processes auto;
    events {
        worker_connections 4096;
    }

2. Rate Limiting
Nginx provides three built‑in limiting mechanisms:
Connection limiting (limit_conn) – controls concurrent connections per key, e.g., per IP.
Request rate limiting (limit_req) – throttles request frequency, commonly used for API protection.
Bandwidth limiting (limit_rate) – caps download speed for large files or live streams.
Examples:

    # Connection limit (2 connections per IP); the zone is declared in the http context
    limit_conn_zone $binary_remote_addr zone=addr:50m;
    server {
        limit_conn addr 2;
    }

    # Request rate limit (1 request per second, burst 5); the zone is declared in the http context
    limit_req_zone $binary_remote_addr zone=one:50m rate=1r/s;
    location / {
        limit_req zone=one burst=5 nodelay;
    }

    # Bandwidth limit (500 KB/s)
    location /down/ {
        limit_rate 500k;
    }

3. Reverse Proxy Best Practices
Typical proxy configuration forwards traffic to an upstream service and sets essential headers and timeouts.

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 10;
        proxy_read_timeout 30;
        proxy_send_timeout 30;
    }

4. Load Balancing (upstream)
Nginx supports four scheduling strategies:
Round‑robin (default) – simple distribution.
Weight – assigns different capacities to servers.
ip_hash – keeps a client’s requests on the same server (session persistence).
least_conn – directs traffic to the server with the fewest active connections, ideal for long‑lived connections.
Example upstream configuration:

    upstream backend {
        least_conn;
        server 10.0.0.1:8080;
        server 10.0.0.2:8080;
    }

5. Specialized Proxies
uwsgi (Python/Flask):

    location / {
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:9090;
    }

Static file optimization – cache control and long‑term expiration:

    location /static/ {
        alias /data/static/;
        expires 30d;
        add_header Cache-Control "public, immutable";
    }

WebSocket support:

    location /ws/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://ws_backend;
    }

gRPC proxy (HTTP/2):

    location /grpc.Order {
        grpc_pass grpcs://backend:50051;
    }

CDN‑style caching using Nginx’s built‑in cache:

    proxy_cache_path /cache levels=1:2 keys_zone=mycache:20m max_size=20g inactive=30m;
    location /api/cache/ {
        proxy_cache mycache;
        proxy_cache_valid 200 1h;
        proxy_pass http://backend;
    }

6. Business‑Specific Configuration Templates
Ready‑to‑use snippets for common scenarios:
Login brute‑force protection – limit 5 requests per minute per IP.
API token‑based rate limiting – 20 requests per second per token.
Flash‑sale peak‑shaving – high burst limit for a short window.
Microservice gateway routing – separate upstreams for order and user services.
Large file upload – increase client_max_body_size to 5 GB and disable buffering.
Large file download with speed cap – limit_rate 1m and enable sendfile.
Video streaming – enable mp4, aio on, and set appropriate I/O size.
Secure admin backend – allow only a specific IP and deny all others.
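
The login and API-token limits listed above appear in the full template of section 7 as `rate=5r/m burst=10 nodelay` and `rate=20r/s burst=40 nodelay`. The following is an added example, not code from the original article and not Nginx source: a simplified Python model of the per-key leaky bucket that `limit_req` documents, run over constructed traffic, to show how many requests such settings admit in the first minute. The key values and the 100 requests/second flood are assumptions made for the illustration.

```python
from fractions import Fraction


class LimitReqZone:
    """Simplified model of one limit_req zone: a leaky bucket per key."""

    def __init__(self, rate_per_min, burst):
        self.rate_per_ms = Fraction(rate_per_min, 60_000)  # exact drain rate
        self.burst = burst
        self.state = {}  # key -> (excess requests, time of last accepted request)

    def allow(self, key, now_ms):
        if key == "":
            # Nginx does not account requests whose key is empty,
            # e.g. $http_token when the Token header is missing.
            return True
        if key not in self.state:
            self.state[key] = (Fraction(0), now_ms)
            return True
        excess, last = self.state[key]
        excess = max(Fraction(0), excess - self.rate_per_ms * (now_ms - last) + 1)
        if excess > self.burst:
            return False  # rejected (503 by default); state is left unchanged
        self.state[key] = (excess, now_ms)
        return True


def admitted(zone, key, arrivals_ms):
    """Count how many of the requests arriving at the given times are passed."""
    return sum(zone.allow(key, t) for t in arrivals_ms)


# Constructed traffic: one client sending 100 requests/second for one minute.
FLOOD = range(0, 60_000, 10)


def first_minute(rate_per_min, burst, key="203.0.113.7"):
    return admitted(LimitReqZone(rate_per_min, burst), key, FLOOD)


if __name__ == "__main__":
    print("login 5r/m, burst=10:", first_minute(5, 10))
    print("login 5r/m, burst=0: ", first_minute(5, 0))
    print("api 20r/s, burst=40, token set:  ", first_minute(1200, 40, key="tok-A"))
    print("api 20r/s, burst=40, token empty:", first_minute(1200, 40, key=""))
```

In this model the login zone passes 15 requests in the first minute rather than 5, because `burst=10` with `nodelay` admits the whole burst at once, and the token-keyed zone passes every request that carries no `Token` header. An address-keyed `limit_req` on the API location, or rejecting requests without a token, closes that gap.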
7. Full Production nginx.conf (Enterprise Template)

    worker_processes auto;
    events {
        worker_connections 4096;
    }
    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;

        # ----- Rate limiting -----
        limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/m;
        limit_req_zone $http_token zone=api_limit:10m rate=20r/s;

        # ----- CDN cache -----
        proxy_cache_path /cache levels=1:2 keys_zone=mycache:20m max_size=20g inactive=30m;

        # ----- Upstream definitions -----
        upstream user_service { ip_hash; server 10.0.0.1:8080; }
        upstream order_service { least_conn; server 10.0.0.2:8080; server 10.0.0.3:8080; }

        server {
            listen 80;
            server_name example.com;

            # Login rate limit
            location /login {
                limit_req zone=login_limit burst=10 nodelay;
                proxy_pass http://user_service;
            }

            # API token rate limit
            location /api/ {
                limit_req zone=api_limit burst=40 nodelay;
                proxy_pass http://order_service;
            }

            # Static assets
            location /static/ {
                alias /data/static/;
                expires 30d;
            }

            # WebSocket endpoint
            location /ws/ {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_pass http://user_service;
            }

            # CDN cache endpoint
            location /api/cache/ {
                proxy_cache mycache;
                proxy_cache_valid 200 1h;
                proxy_pass http://order_service;
            }
        }
    }

This end‑to‑end configuration can be deployed directly to production environments, covering the most common and advanced use‑cases for enterprise‑grade Nginx deployments.
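
The reverse-proxy block in section 3 sets `X-Forwarded-For` to `$proxy_add_x_forwarded_for`, which appends `$remote_addr` to whatever value the client already sent, so only the rightmost entries are written by your own proxies. The following is an added example, not part of the original article: a Python sketch of how a backend behind that proxy can pick the client address, next to the naive leftmost-entry version. The trusted proxy ranges and all sample addresses are assumptions.

```python
import ipaddress

# Assumption: forwarded headers are honoured only from these proxy ranges
# (the loopback Nginx of the proxy_pass example plus a hypothetical 10.0.0.0/8 tier).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(xff_header):
    """Leftmost entry: fully controlled by whoever sent the request."""
    return xff_header.split(",")[0].strip()


def client_ip(peer_addr, xff_header):
    """Pick the client address from the TCP peer and the X-Forwarded-For value."""
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer):
        # The request did not arrive through our proxy: ignore the header.
        return str(peer)
    candidate = peer
    # Walk right to left: the rightmost entries were appended by our own proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left can be relied on
        candidate = addr
        if not is_trusted(addr):
            break  # first address outside our proxy ranges is the client
    return str(candidate)


if __name__ == "__main__":
    # Constructed header: the client sent "192.0.2.1", Nginx appended the real peer.
    header = "192.0.2.1, 203.0.113.9"
    print("naive :", naive_client_ip(header))
    print("robust:", client_ip("127.0.0.1", header))
```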
Ray's Galactic Tech
