Master Nginx: From Reverse Proxy to HTTPS in Six Practical Scenarios
This guide walks backend engineers through six real‑world Nginx configurations—reverse proxy and load balancing, static asset handling, rate limiting with IP black/white lists, HTTPS encryption, and step‑by‑step deployment—showing how to secure, accelerate, and stabilize services.
1. What Is Nginx?
Nginx is a high‑performance reverse‑proxy server that sits in front of your backend services, forwards external requests, handles thousands of concurrent connections, serves static files, compresses data, and provides basic security features.
2. Scenario 1: Reverse Proxy & Load Balancing
Goal: Distribute traffic evenly across three backend servers, hide their IPs, and automatically remove failed nodes.
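    # Global settings
    user nginx;
    worker_processes 1;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        upstream backend_servers {
            least_conn;                  # pick the server with fewest connections
            server 192.168.1.10:8080;    # A
            server 192.168.1.11:8080;    # B
            server 192.168.1.12:8080;    # C
            keepalive 32;                # idle upstream connections kept per worker
        }

        server {
            listen 80;
            server_name www.yourdomain.com;

            location /api/ {
                proxy_pass http://backend_servers/;
                proxy_http_version 1.1;            # needed for upstream keepalive
                proxy_set_header Connection "";    # needed for upstream keepalive
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # retry on the next server; this directive is valid in
                # http/server/location, not inside upstream
                proxy_next_upstream error timeout http_500;
                proxy_connect_timeout 30s;
                proxy_read_timeout 60s;
                proxy_send_timeout 60s;
            }
        }
    }

Key points: Backend IPs are hidden behind Nginx; traffic is balanced across three servers, preventing any single instance from being overloaded. A server that fails to respond is taken out of rotation by Nginx's passive checks (the max_fails and fail_timeout parameters of the server directive, left at their defaults here).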
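The X-Forwarded-For header set above is the client's own header value with $remote_addr appended, so only the right-most entry comes from Nginx. The following Python sketch is an added example, not code from the original article; it shows a backend-side parser that ignores client-supplied entries, next to the naive left-most parse. The proxy address 192.168.1.5 and all function names are assumptions.

```python
import ipaddress

# Assumption: the address the backends see Nginx connect from (not on the page).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.5/32")]


def is_trusted(addr):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(xff_header):
    """Left-most entry: whatever the client chose to send. Do not use."""
    return xff_header.split(",")[0].strip()


def client_ip(peer_addr, xff_header):
    """Client address a backend should use for logging, limits and ACLs.

    peer_addr  -- socket peer of the connection to the backend
    xff_header -- raw X-Forwarded-For value, or None
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer) or not xff_header:
        return str(peer)  # not from our proxy: the header means nothing
    # Walk right to left, skipping hops appended by our own proxies; the
    # first other address is the client as our outermost proxy saw it.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer
        if not is_trusted(addr):
            return str(addr)
    return str(peer)


# Constructed sample: the client sent "X-Forwarded-For: 192.168.1.77" itself,
# and Nginx appended the real source address 203.0.113.9.
SPOOFED_HEADER = "192.168.1.77, 203.0.113.9"
```

With the constructed header, the naive parse returns the forged 192.168.1.77 while client_ip returns 203.0.113.9.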
3. Scenario 2: Static Resource Handling & Separation of Dynamic/Static
Goal: Let Nginx serve images, CSS, and JavaScript directly, reducing backend load.
    server {
        listen 80;
        server_name www.yourdomain.com;

        # Static files
        location /static/ {
            root /data/;      # serves /data/static/...
            autoindex off;    # no directory listings
            expires 30d;      # browser cache lifetime
            gzip on;
            gzip_types text/css application/javascript image/png;
        }

        # Images, with hotlink protection based on the Referer header
        location /images/ {
            root /data/;
            valid_referers none blocked www.yourdomain.com;
            if ($invalid_referer) { return 403; }
        }

        # Dynamic API requests
        location /api/ {
            proxy_pass http://backend_servers/;
        }
    }

Key points: Static assets are delivered 10× faster by Nginx; browser caching and gzip compression dramatically improve repeat‑visit load times. The Referer header is set by the client, so the valid_referers check deters hotlinking but is not access control.
4. Scenario 3: Rate Limiting & IP Black/White List
Goal: Protect an API (e.g., login) from abusive IPs by limiting concurrent connections, request rate, and applying an IP whitelist/blacklist.
    http {
        # Shared-memory zones keyed by client IP
        limit_conn_zone $binary_remote_addr zone=ip_conn:10m;
        limit_req_zone $binary_remote_addr zone=ip_req:10m rate=5r/s;

        server {
            listen 80;
            server_name www.yourdomain.com;

            location /api/login {
                limit_conn ip_conn 10;                     # max 10 concurrent connections per IP
                limit_req zone=ip_req burst=10 nodelay;    # max 5 r/s, burst up to 10

                # allow/deny match CIDR ranges and are checked in order; first match wins
                deny 10.0.0.1;           # explicit block
                allow 192.168.1.0/24;    # allowed subnet
                deny all;                # everyone else gets 403

                proxy_pass http://backend_servers/;
            }
        }
    }

Key points: Malicious IPs are blocked with a 403 response; rate limiting prevents CC attacks on critical endpoints. Requests rejected by limit_req or limit_conn receive a 503 by default, not a 403.
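What rate=5r/s with burst=10 nodelay lets through from a single IP is easier to see in a simulation. The following Python model is an added example, not code from the original article; it is modelled on the per-key accounting of Nginx's limit_req module, and the class name, function names and constructed arrival times are assumptions.

```python
# Quantities are kept in thousandths of a request, as the module does.
RATE_PER_SEC = 5    # rate=5r/s from limit_req_zone
BURST = 10          # burst=10 from limit_req


class LimitReqBucket:
    """State for one zone key (one $binary_remote_addr)."""

    def __init__(self, rate_per_sec=RATE_PER_SEC, burst=BURST):
        self.rate = rate_per_sec * 1000
        self.burst = burst * 1000
        self.excess = 0
        self.last_ms = None    # None until the first request is seen

    def allow(self, now_ms):
        """Return True if a request arriving at now_ms is passed (nodelay)."""
        if self.last_ms is None:
            self.last_ms = now_ms    # first request creates the entry
            return True
        elapsed = max(0, now_ms - self.last_ms)
        # drain at the configured rate, then charge this request
        excess = max(0, self.excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return False             # rejected; state is left unchanged
        self.excess = excess
        self.last_ms = now_ms
        return True


def count_passed(arrival_times_ms):
    """Feed constructed arrival times from one client IP; count passes."""
    bucket = LimitReqBucket()
    return sum(bucket.allow(t) for t in arrival_times_ms)


def passed_in(seconds, attempts_per_sec=100):
    """Requests passed when one IP sends attempts_per_sec for `seconds`."""
    step = 1000 // attempts_per_sec
    return count_passed(range(0, seconds * 1000, step))


if __name__ == "__main__":
    print(count_passed([0] * 20))    # 20 simultaneous requests
    print(passed_in(60))             # 100 requests/s for one minute
```

For /api/login this means one IP can make 11 attempts at once and then 5 per second indefinitely, so per-account lockout or a lower rate is still needed against password guessing.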
5. Scenario 4: HTTPS Configuration
Goal: Enable TLS encryption so browsers show the green lock and protect data in transit.
    # Plain HTTP: redirect everything to HTTPS. The redirect belongs in the
    # port-80 server; inside the 443 block it would redirect in a loop.
    server {
        listen 80;
        server_name www.yourdomain.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name www.yourdomain.com;

        ssl_certificate /etc/nginx/ssl/yourdomain.crt;
        ssl_certificate_key /etc/nginx/ssl/yourdomain.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://backend_servers/;
        }
    }

Key points: HTTPS provides encrypted traffic and satisfies security requirements from product managers.
6. Deploying Nginx (The “Lazy‑Engineer” Way)
Install: yum install nginx (CentOS) or apt-get install nginx (Ubuntu); on Windows download the binary and run nginx.exe.
Start / restart: sudo systemctl start nginx and sudo systemctl restart nginx after changes.
Validate configuration: nginx -t (fix errors before starting).
7. Summary of Nginx Best Practices
Reverse proxy: Hide backend IPs and protect services.
Load balancing: Evenly distribute traffic to avoid server crashes.
Static assets: Let Nginx serve images, CSS, JS so the backend focuses on business logic.
Rate limiting & IP filtering: Block abusive traffic and keep logs clean.
HTTPS: Enable TLS for secure communication and a green lock icon.
Remember that Nginx configuration is iterative; adjust limits, whitelist/blacklist entries, and caching policies as traffic patterns evolve.
Su San Talks Tech
Su San, former staff at several leading tech companies, is a top creator on Juejin and a premium creator on CSDN, and runs the free coding practice site www.susan.net.cn.
