Master Nginx Load Balancing, Caching, and SSL: A Complete Configuration Guide

This tutorial walks through setting up Nginx on Debian to serve static files, reverse‑proxy dynamic requests to Tomcat, configure load‑balancing upstreams, enable gzip compression, implement on‑disk and memory caching, and secure the server with SSL, providing full configuration examples and practical tips.

MaGe Linux Operations

Using a Debian environment, install Nginx (default settings) and Tomcat, then configure Nginx to separate static and dynamic content, improve performance, and secure traffic.

Basic Nginx Settings

worker_processes 8;
pid /var/run/nginx.pid;
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 16 64k;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css application/xml application/javascript;
    gzip_vary on;
}

Upstream (Load‑Balancing) Groups

# Static server group
upstream static {
    server 127.0.0.1:808 weight=1;
    server 192.168.8.203:808 weight=1;
}

# Dynamic server group
upstream dynamic {
    server 127.0.0.1:8080;
    # server 192.168.8.203:8080;  # optional additional node
}

# Dynamic group with IP‑hash for session affinity
upstream dynamic_iphash {
    ip_hash;
    server 127.0.0.1:8080;
    server 192.168.0.203:8080;
}

Server Blocks

# Main site (static + dynamic)
server {
    listen 80;
    server_name erp.zh-jieli.com;

    # Serve static files directly from Tomcat's webapps directory
    location / {
        index index.jsp;
    }

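    # Static assets (js, css, images, fonts) – proxy cache 5 days, browser cache 30 days
    # Anchored on the file extension: an unanchored pattern also matches index.jsp and caches it
    location ~ \.(js|css|ico|png|jpg|eot|svg|ttf|woff)$ {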
        proxy_cache cache_one;
        proxy_cache_valid 200 304 302 5d;
        proxy_cache_valid any 5d;
        proxy_cache_key "$host:$server_port$request_uri";
        add_header X-Cache "$upstream_cache_status from $host";
        proxy_pass http://static;
        expires 30d;
    }

    # Dynamic pages – forward to Tomcat
    location ~ .*$ {
        proxy_pass http://dynamic;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 65;
        proxy_send_timeout 65;
        proxy_read_timeout 65;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
    }
}

# Static file server (direct disk access)
server {
    listen 808;
    server_name static;
    location / {
        # optional root for static files
    }
    location ~ \.(js|css|ico|png|jpg|eot|svg|ttf|woff)$ {
        root /var/lib/tomcat7/webapps/JieLiERP/WEB-INF;
        expires 30d;
    }
}

# HTTPS server
server {
    listen 443 ssl;  # the ssl parameter enables TLS; the separate "ssl on;" directive is obsolete
    server_name localhost;
    root html;
    ssl_certificate keys/client.pem;
    ssl_certificate_key keys/client.key.unsecure;
    location / {
        index index.html index.htm;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name localhost;
    rewrite ^(.*)$ https://$host$1 permanent;
}

Caching Configuration

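# Cache settings (http context; cache files live on the /dev/shm tmpfs, i.e. in RAM)
proxy_cache_key "$host:$server_port$request_uri";
proxy_temp_file_write_size 64k;
proxy_temp_path /dev/shm/JieLiERP/proxy_temp_path;
proxy_cache_path /dev/shm/JieLiERP/proxy_cache_path levels=1:2 keys_zone=cache_one:200m inactive=5d max_size=1g;
# The next line makes Nginx cache responses even when the backend sends Set-Cookie or Cache-Control,
# so cache_one must only be enabled in locations that serve static assets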
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
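
Added example (not part of the original article): a Python model of how Nginx chooses between the two regex locations of the main site, showing why the static-asset pattern has to be anchored as `\.(ext)$`. With an unanchored `.*(js|css|...)`, a path such as `/index.jsp` contains `js`, lands in the cached location, and is stored under a key with no per-user part while `Set-Cookie` and `Cache-Control` are ignored. The user names and request URIs are constructed sample data, and Python's `re` is assumed to behave like Nginx's PCRE for these simple patterns.

```python
import re
from collections import defaultdict

# Python's re stands in for nginx's PCRE; these simple patterns behave the same.
EXTS = "js|css|ico|png|jpg|eot|svg|ttf|woff"
UNANCHORED = rf".*({EXTS})"      # matches the extension text anywhere in the path
ANCHORED = rf"\.({EXTS})$"       # matches only a real file extension at the end
DYNAMIC = r".*$"                 # catch-all regex location proxied to Tomcat

def route(uri, static_pattern):
    """Pick a location the way nginx does for regex locations: test the
    path without its query string, in file order, first match wins."""
    path = uri.split("?", 1)[0]
    for name, pattern in (("static-cache", static_pattern), ("dynamic", DYNAMIC)):
        if re.search(pattern, path):
            return name
    return "prefix"

def cross_user_entries(requests, static_pattern, host="erp.zh-jieli.com", port=80):
    """Return cache keys of non-asset pages that more than one user would share.
    The key mirrors proxy_cache_key "$host:$server_port$request_uri"."""
    is_asset = re.compile(ANCHORED)
    users = defaultdict(set)
    for user, uri in requests:
        path = uri.split("?", 1)[0]
        if route(uri, static_pattern) == "static-cache" and not is_asset.search(path):
            users[f"{host}:{port}{uri}"].add(user)
    return {key: sorted(names) for key, names in users.items() if len(names) > 1}

# Constructed sample traffic: (user, request URI)
SAMPLE = [
    ("alice", "/index.jsp"), ("bob", "/index.jsp"),
    ("alice", "/json/orders"), ("bob", "/json/orders"),
    ("alice", "/static/app.js"), ("bob", "/static/app.js"),
    ("alice", "/orders/list.do"), ("bob", "/orders/list.do"),
]

if __name__ == "__main__":
    for label, pattern in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(label, cross_user_entries(SAMPLE, pattern))
```

Any key reported for the unanchored pattern is a dynamic page that would be served from `cache_one` to every user for the cache lifetime; the anchored pattern reports none.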

SSL Certificate Generation (self‑signed)

# Create CA key and certificate
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 7305 -key ca.key -out ca.crt

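# Create server certificate signed by the CA (2048-bit key; 1024-bit RSA is below current minimums)
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr
# -CA/-CAkey sign the request with the CA; -signkey would self-sign instead, so it is dropped
openssl x509 -req -in client.csr -out client.pem -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
# Remove password from key (keep the resulting file readable by root only)
openssl rsa -in client.key -out client.key.unsecure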

After reloading Nginx, the site serves static assets from disk or cache, forwards dynamic requests to Tomcat, compresses responses with gzip, and can be accessed securely via HTTPS. The guide also notes common pitfalls such as firewall rules, file permissions for /dev/shm, and the need for trusted certificates for production.
