Unlock Nginx Power: From Installation to High‑Performance Load Balancing and High Availability
This comprehensive guide walks you through the challenges of monolithic deployments, explains core Nginx concepts, shows step‑by‑step installation, configures reverse proxy, static‑dynamic separation, compression, buffering, caching, security features, SSL, high‑availability with keepalived, and essential performance tuning for production‑grade servers.
Why Move Beyond a Single‑Node Deployment
As traffic grows, a single server becomes a bottleneck and a single point of failure. Introducing load balancing distributes requests across multiple nodes, improving availability, scalability, and performance.
Understanding Nginx
Nginx is a lightweight, high‑performance HTTP reverse proxy and load balancer that supports TCP, UDP, SMTP, HTTPS and more. Like Redis, it uses a non‑blocking, event‑driven architecture.
Setting Up Nginx
# Create installation directory
mkdir -p /soft/nginx && cd /soft/nginx
# Download source
wget https://nginx.org/download/nginx-1.21.6.tar.gz
# Extract
tar -xvzf nginx-1.21.6.tar.gz
# Install dependencies
yum install -y gcc pcre pcre-devel zlib zlib-devel openssl openssl-devel
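# Configure and compile from the extracted source directory
# (http_ssl_module and http_v2_module are required by the SSL and HTTP/2 settings used later)
cd nginx-1.21.6
./configure --prefix=/soft/nginx --with-http_ssl_module --with-http_v2_module && make && make install
Reverse Proxy and Load Balancing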
upstream nginx_boot {
server 192.168.0.10:8080 weight=100 max_fails=2 fail_timeout=30s;
server 192.168.0.11:8090 weight=200 max_fails=2 fail_timeout=30s;
}
server {
listen 80;
location / {
proxy_pass http://nginx_boot;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Static‑Dynamic Separation
location ~* \.(html|htm|gif|jpg|jpeg|bmp|png|ico|txt|js|css)$ {
root /soft/nginx/static_resources;
expires 7d;
# Optional anti‑hotlink
valid_referers none blocked server_names *.example.com;
if ($invalid_referer) { return 403; }
}
Resource Compression
http {
gzip on;
gzip_types text/plain application/javascript text/css application/xml image/jpeg image/gif image/png;
gzip_comp_level 5;
gzip_vary on;
gzip_min_length 2k;
}
Buffering Configuration
http {
proxy_buffering on;
client_body_buffer_size 512k;
proxy_buffers 4 64k;
proxy_buffer_size 16k;
proxy_busy_buffers_size 128k;
proxy_temp_path /soft/nginx/temp_buffer;
}
Caching Mechanism
proxy_cache_path /soft/nginx/cache levels=1:2 keys_zone=hot_cache:128m inactive=3d max_size=2g;
server {
location / {
proxy_cache hot_cache;
proxy_cache_valid 200 302 1d;
proxy_cache_valid any 30m;
proxy_cache_key $host$uri$is_args$args;
proxy_cache_min_uses 3;
proxy_cache_lock on;
proxy_cache_lock_timeout 3s;
add_header Cache-Status $upstream_cache_status;
}
}
IP Whitelist / Blacklist
# Whitelist (WhiteIP.conf)
allow 192.168.1.100;
allow 10.0.0.0/16;
deny all;
# Blacklist (BlocksIP.conf)
deny 203.0.113.45;
deny 127.0.0.0/8;
Cross‑Origin Resource Sharing (CORS)
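location / {
# Browsers reject a wildcard origin when credentials are allowed, so name the trusted origin (example value)
add_header Access-Control-Allow-Origin "https://www.example.com";
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Methods "GET,POST,OPTIONS,PUT";
# "*" is not treated as a wildcard for credentialed requests; list the headers the application needs (example values)
add_header Access-Control-Allow-Headers "Content-Type,Authorization";
if ($request_method = OPTIONS) {
# add_header is not inherited by a level that defines its own, so the preflight response repeats the CORS headers
add_header Access-Control-Allow-Origin "https://www.example.com";
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Methods "GET,POST,OPTIONS,PUT";
add_header Access-Control-Allow-Headers "Content-Type,Authorization";
add_header Access-Control-Max-Age 1728000;
add_header Content-Type "text/plain; charset=utf-8";
add_header Content-Length 0;
return 204;
}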
}
Anti‑Hotlink Protection
location ~* \.(html|htm|gif|jpg|jpeg|bmp|png|ico|txt|js|css)$ {
valid_referers none blocked server_names example.com;
if ($invalid_referer) { return 403; }
root /soft/nginx/static_resources;
expires 7d;
}
Large File Transfer Settings
client_max_body_size 2g;
client_body_timeout 120s;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
SSL/TLS Configuration
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate /soft/nginx/certificate/example.pem;
ssl_certificate_key /soft/nginx/certificate/example.key;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 requires OpenSSL 1.1.1 or later
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / { ... }
}
# Redirect HTTP to HTTPS
server { listen 80; server_name www.example.com; return 301 https://$host$request_uri; }
High Availability with Keepalived
# /etc/keepalived/keepalived.conf (master)
global_defs {
router_id 192.168.12.129
}
# The check script must be defined before the vrrp_instance that tracks it
vrrp_script check_nginx {
script "/soft/scripts/check_nginx.sh"
interval 3
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 121
priority 100
advert_int 1
virtual_ipaddress {
192.168.12.111
}
track_script {
check_nginx
}
}
# keepalived script (check_nginx.sh)
#!/bin/sh
if ! pgrep -x nginx > /dev/null; then
/soft/nginx/sbin/nginx -c /soft/nginx/conf/nginx.conf
if ! pgrep -x nginx > /dev/null; then
systemctl stop keepalived
fi
fi
Performance Tuning
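# Enable keepalive connections to the upstream
# (the proxying location also needs proxy_http_version 1.1 and an empty Connection header for reuse to take effect)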
upstream backend {
server 10.0.0.1;
keepalive 32;
keepalive_requests 100;
keepalive_timeout 60s;
}
# Zero‑copy
sendfile on;
# TCP options (choose one based on workload)
# For low latency (e.g., IM)
# tcp_nodelay on;
# For high throughput (e.g., batch jobs)
# tcp_nopush on;
# Worker processes
worker_processes auto;
worker_rlimit_nofile 20000;
# Event model
events { use epoll; worker_connections 10240; }
# CPU affinity
worker_cpu_affinity auto;
# Enable gzip compression (already shown)
# Enable HTTP/2 if needed
listen 443 ssl http2;
Conclusion
By installing Nginx, configuring reverse proxy, static‑dynamic separation, compression, buffering, caching, security policies, SSL, and high‑availability with keepalived, you obtain a robust, scalable gateway. Further performance tweaks such as keepalive, sendfile, TCP options, worker tuning, and epoll ensure the server can handle production traffic efficiently.
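The following is an added example, not part of the original article: a small Python check for three settings from the SSL/TLS and CORS sections that are easy to get wrong (deprecated TLS versions in ssl_protocols, a wildcard CORS origin combined with credentials, and add_header lines in a nested block that silently drop the headers set one level up). The function names and the sample configuration are constructed for illustration, and the parser assumes plain directive/block syntax only.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse(tokens):
    """Build a tree of (args, children-or-None) nodes from a token iterator."""
    block, cur = [], []
    for tok in tokens:
        if tok in (";", "{"):
            block.append((cur, parse(tokens) if tok == "{" else None))
            cur = []
        elif tok == "}":
            return block
        else:
            cur.append(tok.strip("\"'"))
    return block

def load(text):  # strips comments; assumes '#' never appears inside a quoted value
    return parse(iter(TOKEN.findall(re.sub(r"#[^\n]*", "", text))))

def audit(block, inherited=frozenset(), path="main"):
    """Return (path, finding) pairs for the three settings described above."""
    own = [args for args, kids in block if kids is None and args]
    hdrs = {a[1].lower(): a[2].lower() for a in own if a[0] == "add_header" and len(a) > 2}
    out = [(path, "deprecated protocols: " + " ".join(sorted(WEAK & set(a[1:]))))
           for a in own if a[0] == "ssl_protocols" and WEAK & set(a[1:])]
    if hdrs.get("access-control-allow-origin") == "*" and \
            hdrs.get("access-control-allow-credentials") == "true":
        out.append((path, "wildcard CORS origin combined with credentials"))
    # nginx inherits add_header only when the current level defines none of its own
    lost = sorted(inherited - set(hdrs)) if hdrs else []
    if lost:
        out.append((path, "add_header here drops inherited: " + ", ".join(lost)))
    effective = frozenset(hdrs) or inherited
    for args, kids in block:
        if kids is not None:
            out += audit(kids, effective, path + " > " + " ".join(args))
    return out

# Constructed sample containing the weak form of each setting
SAMPLE = """server { ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  location / {
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Credentials true;
    if ($request_method = OPTIONS) { add_header Content-Length 0; return 204; }
  } }"""
FINDINGS = audit(load(SAMPLE))
```

Run `audit(load(open(path).read()))` against a real configuration file to get the same kind of report; an empty list means none of the three patterns was found.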
