Master Nginx: Forward & Reverse Proxy Essentials and Performance Tips

Nginx Core Functions

Forward Proxy (Forward Proxy)

Definition

Forward proxy is an intermediate proxy service between client and target server. Its core role is to receive client requests, forward them to the target server on behalf of the client, and return the response while hiding the client’s real identity.

Technical Principle

sequenceDiagram
  participant Client
  participant ForwardProxy
  participant TargetServer
  Client->>ForwardProxy: HTTP/HTTPS request
  ForwardProxy->>TargetServer: Forward request
  TargetServer-->>ForwardProxy: Return response
  ForwardProxy-->>Client: Return data

Application Scenarios

Network access control: corporate intranet restricts employee access to specific sites via proxy filtering.

IP anonymity protection: crawler programs rotate proxy IPs to avoid bans.

Cross‑region acceleration: users access region‑restricted content through overseas proxies.

Cache acceleration: proxy caches frequently accessed resources.

Reverse Proxy (Reverse Proxy)

Definition

Reverse proxy sits on the server side, receiving client requests, distributing them to a backend server pool according to policies, and exposing a unified entry point while hiding backend topology.

Technical Principle

sequenceDiagram
  participant Client
  participant ReverseProxy
  participant Backend1
  participant Backend2
  Client->>ReverseProxy: HTTP/HTTPS request
  ReverseProxy->>Backend1: Forward request
  Backend1-->>ReverseProxy: Return response
  ReverseProxy-->>Client: Return data

Application Scenarios

Load balancing: distribute traffic to multiple servers using weight, round‑robin, etc.

Security protection: integrate WAF, DDoS filtering.

SSL termination: handle TLS decryption at the proxy layer.

Canary/gray release: route a proportion of traffic to new version servers for testing.

Deployment Practice Guide

1. Basic Environment Preparation

Server requirements

# OS version check
cat /etc/redhat-release   # CentOS 7.6+

# Minimum hardware
CPU: 2 cores+
Memory: 2GB+
Disk: 20GB+ (SSD recommended)
Network: 100Mbps+

Dependency installation

yum install -y gcc pcre pcre-devel zlib zlib-devel openssl openssl-devel
wget https://nginx.org/download/nginx-1.25.3.tar.gz
tar zxvf nginx-1.25.3.tar.gz
cd nginx-1.25.3

2. Forward Proxy Deployment

Compile and install

./configure --prefix=/usr/local/nginx-proxy --with-http_ssl_module
make && make install

Core configuration (nginx.conf)

# /usr/local/nginx-proxy/conf/nginx.conf
worker_processes 4;
events { worker_connections 10240; }
http {
    resolver 8.8.8.8 114.114.114.114 valid=300s;
    server {
        listen 3128;
        access_log logs/proxy.access.log;
        location / {
            proxy_pass $scheme://$http_host$request_uri;
            proxy_set_header Host $http_host;
            proxy_buffers 256 4k;
            proxy_connect_timeout 30s;
        }
    }
}

Verification

# Test with curl
curl -x http://PROXY_IP:3128 https://www.example.com

# Browser proxy settings: Chrome > Settings > Advanced > System > Open proxy settings > Manual proxy

3. Reverse Proxy Deployment

Compile and install

./configure --prefix=/usr/local/nginx-reverse \
    --with-http_stub_status_module \
    --with-http_ssl_module \
    --with-stream
make && make install

Load balancing configuration

# /usr/local/nginx-reverse/conf/nginx.conf
upstream backend {
    server 192.168.1.101:8080 weight=5;
    server 192.168.1.102:8080 weight=3;
    server 192.168.1.103:8080 backup;
    keepalive 32;
}
server {
    listen 443 ssl;
    server_name www.yourdomain.com;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    location / {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Advanced features

Health check configuration using check directive.

Cache acceleration with proxy_cache_path and proxy_cache directives.

Configuration validation

# Syntax check
nginx -t
# Reload without downtime
systemctl reload nginx

Technical Comparison & Selection Advice

Core differences

Deployment location: forward proxy at client network edge, reverse proxy at server side.

Configuration: client actively sets proxy for forward, server transparently configures reverse.

Core function: forward hides client identity, reverse provides load balancing and high availability.

Typical use: forward for crawling, IP masking, cross‑region access; reverse for e‑commerce sites, financial platforms, micro‑service gateways.

Performance impact: forward moderate, reverse high due to traffic distribution.

Production environment recommendations

Forward proxy suitable for IP‑masking, internal audit, distributed crawler pools.

Reverse proxy suitable for high‑traffic e‑commerce, SSL centralization, Kubernetes micro‑service ingress.

Security Hardening Measures

Basic security configuration

# Hide version
server_tokens off;
# Restrict request methods
if ($request_method !~ ^(GET|HEAD|POST)$) { return 444; }
# DDoS limit
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

SSL best practice

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

WAF integration (ModSecurity)

# Enable ModSecurity
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
# Example rules
SecRule REQUEST_HEADERS:User-Agent "nikto" "id:1001,deny,status:403"
SecRule ARGS:username "@rx <script>" "id:1002,deny,status:403"

Technical Evolution Trends

Cloud‑native adaptation

Service Mesh integration (e.g., Istio Ingress Gateway replacement).

Kubernetes Ingress Controller for automatic service discovery and CRD extensions.

Performance optimization

Hardware acceleration: SSL offload cards, TCP BBR congestion control.

Protocol optimization: HTTP/3 (QUIC) support, 0‑RTT TLS session resumption.

Nginx Regular Expression Core Syntax

Basic metacharacters

.   matches any single character except newline
^   start of string
$   end of string
\   escape special characters
[...] character class
[^...] negated class

Quantifiers

*   0 or more
+   1 or more
?   0 or 1
{n} exactly n
{n,} at least n
{n,m} between n and m

Capture groups

(exp)        capture group, $1, $2 …
(?:exp)      non‑capturing group
(?<name>exp) named capture, $name

Predefined character classes

\d  digit [0-9]
\D  non‑digit
\w  word character [A-Za-z0-9_]
\W  non‑word
\s  whitespace
\S  non‑whitespace

Rewrite Module Deep Dive

Rewrite directive syntax

rewrite regex replacement [flag];

Parameters

regex : PCRE pattern to match the request URI.

replacement : target URI, can reference captured groups.

flag : controls rewrite behavior (last, break, redirect, permanent, etc.).

Execution flow diagram

graph TD
    A[Client request] --> B{URI matches regex}
    B -- success --> C[Apply replacement]
    C --> D{Check flag}
    D -- last --> E[Re‑search location]
    D -- break --> F[Stop further rewrite]
    D -- redirect --> G[302 temporary redirect]
    D -- permanent --> H[301 permanent redirect]
    B -- fail --> I[Continue processing]

Flag details

last : stop current location rewrite, restart location search.

break : stop all rewrite processing, proceed to content handling.

redirect : return 302 temporary redirect.

permanent : return 301 permanent redirect.

no‑flag : default, continue processing subsequent rewrite rules.

Rewrite vs Return

Rewrite performs internal URI rewriting using full PCRE, suitable for complex path logic. Return generates an immediate HTTP response code, ideal for simple redirects or error handling.

Practical Rewrite Rules

Basic path rewrite

location / {
    # Convert /index.php/path to /path
    rewrite ^/index\.php/(.*) /$1 last;

    # Hide entry file
    if ($request_uri ~* "^/index.php") {
        rewrite ^/index.php(.*) $1 permanent;
    }
}

Directory trailing slash

if (-d $request_filename) {
    rewrite ^(.*[^/])$ $1/ permanent;
}

Performance Optimization & Pitfalls

Regex optimization principles

Avoid greedy matches; prefer non‑greedy quantifiers.

Anchor patterns with ^ and $ to limit scope.

Prefer non‑capturing groups (?:) when captures are unnecessary.

Use character class shortcuts like \d instead of [0-9].

Rewrite best practices

Place high‑frequency rules first.

Terminate processing early with last or break to avoid repeated matches.

Minimize use of if inside location blocks.

Keep regex complexity low (no more than three nesting levels).

Leverage map module for complex logic.

Typical problem solutions

Rewrite loop detection

# Add loop counter
set $rewrite_count 0;

location / {
    rewrite ^/path1 /path2;
    rewrite ^/path2 /path1;
    if ($rewrite_count > 3) { return 500; }
    set $rewrite_count $($rewrite_count + 1);
}

Chinese path handling

# Enable UTF‑8
charset utf-8;

location / {
    # Encode Chinese URLs
    rewrite ^/(.*) /$1?args=$arg_args break;
    if ($uri ~* "[\x{4e00}-\x{9fa5}]+") {
        rewrite ^(.*)$ $scheme://$host$1 permanent;
    }
}

Production Deployment Commands

Module compilation check

# Verify rewrite module
nginx -V 2>&1 | grep -o with-http_rewrite_module

Compile with additional modules

./configure --prefix=/usr/local/nginx \
    --with-http_rewrite_module \
    --with-pcre=/path/to/pcre/source
make && make install

Hot reload

# Syntax test
nginx -t
# Reload
nginx -s reload

Automation script (example)

#!/bin/bash
CONF_PATH="/etc/nginx/conf.d/rewrite_rules.conf"
BACKUP_DIR="/etc/nginx/conf.bak/$(date +%Y%m%d)"
mkdir -p $BACKUP_DIR
cp $CONF_PATH $BACKUP_DIR/

cat > $CONF_PATH <<EOF
location /api {
    rewrite ^/api/v1/(.*)$ /v1/$1 last;
    rewrite ^/api/v2/(.*)$ /v2/$1 break;
}
location ~* \.(php|jsp)$ {
    rewrite ^/(.*)\.(php|jsp)$ /$1.html permanent;
}
EOF

if nginx -t; then
    systemctl reload nginx
    echo "Rewrite rules deployed successfully"
else
    echo "Configuration error, restored backup"
    cp $BACKUP_DIR/rewrite_rules.conf $CONF_PATH
fi

This summary captures the essential concepts, configurations, security practices, performance tips, and deployment procedures for using Nginx as a forward and reverse proxy.