How to Set Up an Nginx Forward Proxy for LAN‑to‑Internet Access (Step‑by‑Step)
This guide explains how to configure Nginx as a forward proxy so that computers inside a LAN can reach external websites, covering preparation, configuration files, DNS resolution, debugging with logs, and practical solutions to common proxy failures.
Introduction
In some network environments a LAN cannot directly access the Internet due to policy restrictions, so a forward proxy built with Nginx can forward external requests for LAN computers.
Preparation
You need a server that can reach the Internet (e.g., a physical server, VM, or desktop) with Nginx installed and correctly networked. In the example the server IP is 192.168.0.10, and other LAN machines can reach this server.
Basic Nginx Configuration
    worker_processes 1;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;

        # Forward proxy configuration
        server {
            listen 9000; # listening port
            server_name localhost;
            set $url "proxy_server_domain_or_ip"; # replace with target domain or IP

            location / {
                proxy_pass http://$url:8082; # forward request
            }
        }
    }

Restart Nginx and test with http://192.168.0.10:9000. The request is forwarded successfully.
Domain Resolution Issue
After a day the proxy stopped working because Nginx cached the resolved IP of the target domain; when the domain’s IP changed, the proxy still used the old IP. Adding DNS resolution to the configuration solves this.
Configuration with DNS Resolver
    # Set DNS resolver to Google DNS and cache for 300 seconds (IPv6 disabled)
    resolver 8.8.8.8 valid=300 ipv6=off;
    resolver_timeout 3s;
    proxy_read_timeout 60s;
    proxy_send_timeout 60s;
    proxy_connect_timeout 60s;

    server {
        listen 9000;
        server_name localhost;
        # "set" is only allowed in server, location and if contexts
        set $url "proxy_server_domain_or_ip"; # target domain

        location / {
            proxy_pass http://$url:9000;
            proxy_buffers 256 4K;
            proxy_max_temp_file_size 0;
            proxy_cache_valid 200 302 1m;
            proxy_cache_valid 301 1h;
            proxy_cache_valid any 1m;
        }
    }

Restart Nginx; the forward‑proxy works again.
Debugging Slow Responses
To investigate occasional one‑minute delays, an access log was added.
    # Log format definition (the upstream address and Upgrade header are appended)
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'upstreamIP: $upstream_addr '
                    'upgrade: $http_upgrade';

    server {
        listen 9000;
        server_name localhost;
        resolver 8.8.8.8 valid=300 ipv6=off;
        resolver_timeout 3s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        proxy_connect_timeout 60s;
        set $url "proxy_server_domain_or_ip";

        location / {
            proxy_pass http://$url:9000;
            proxy_buffers 256 4K;
            proxy_max_temp_file_size 0;
            proxy_cache_valid 200 302 1m;
            proxy_cache_valid 301 1h;
            proxy_cache_valid any 1m;
            access_log logs/proxy/access.log main;
            error_log logs/proxy/error.log;
        }
    }

Sample log entries show two different upstream IPs (e.g., 182.148.159.30 and 172.16.30.6). Requests routed to the internal IP fail, causing the long wait.
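To confirm this pattern from the access log rather than by eye, the script below parses lines in the `main` log format shown above, counts requests per upstream address, and flags every request that was sent to a private-range address. It is an added example, not part of the original article: the log lines are constructed (only the two upstream IPs come from the article) and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the article's "main" log_format (not real traffic);
# only the two upstream IPs come from the article. Line 2 has no space before
# "upgrade:", which is what the format yields when the two parts are fused.
SAMPLE_LOG = '''\
192.168.0.21 - - [12/Mar/2024:10:01:02 +0800] "GET /api/a HTTP/1.1" 200 512 "-" "curl/8.0" "-" upstreamIP: 182.148.159.30:9000 upgrade: -
192.168.0.22 - - [12/Mar/2024:10:02:07 +0800] "GET /api/b HTTP/1.1" 504 0 "-" "curl/8.0" "-" upstreamIP: 172.16.30.6:9000upgrade: -
192.168.0.21 - - [12/Mar/2024:10:03:09 +0800] "GET /api/c HTTP/1.1" 200 90 "-" "curl/8.0" "-" upstreamIP: 172.16.30.6:9000, 182.148.159.30:9000 upgrade: -
'''

LINE_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'.*upstreamIP: (?P<upstream>.*?)\s*upgrade: '
)

def upstream_ips(field):
    """Split an $upstream_addr value ("ip:port, ip:port") into address objects."""
    ips = []
    for part in re.split(r"[,\s]+", field.strip()):
        host = part.rsplit(":", 1)[0]  # drop the port (IPv4 only, as ipv6=off)
        try:
            ips.append(ipaddress.ip_address(host))
        except ValueError:
            continue  # "-", a ":" separator, or a unix socket
    return ips

def analyze(log_text):
    """Return (hits per upstream IP, requests that touched a private upstream)."""
    hits, suspects = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ips = upstream_ips(m["upstream"])
        hits.update(str(ip) for ip in ips)
        internal = [str(ip) for ip in ips if ip.is_private]
        if internal:
            suspects.append((m["request"], int(m["status"]), internal))
    return hits, suspects

if __name__ == "__main__":
    hits, suspects = analyze(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:>16}  {n} request(s)")
    for request, status, internal in suspects:
        print(f"private upstream {internal} status={status} {request}")
```

A request that lists a private address followed by a public one was retried by Nginx after the first attempt failed, so it can return 200 and still be one of the slow requests.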
Root Cause and Solutions
The domain resolves to both a public and an internal IP; Nginx’s round‑robin selection sometimes picks the internal address, leading to failure. Possible remedies:
Manually specify the target IP in the Nginx config.
Programmatically choose a suitable IP from the resolved list.
Use an upstream block with only the public IPs for load balancing.
Ask the domain owner to remove the internal IP from DNS records (the solution ultimately chosen).
After the DNS entry was corrected, the forward proxy operates reliably.
Original article: https://www.cnblogs.com/lucky-fd/p/18069434 (copyright belongs to the author).
