7 Powerful NGINX Configurations To Run Web Server as You Wanted

NGINX is a very powerful web server which we can configure to our needs. Over time, in various situations, I have used NGINX to act as a reverse proxy, load balancer, etc. I have tried to create a note of those configurations so that I can take a look at them whenever I need them. Here are these configurations.

Reverse Proxy Configuration

A reverse proxy server is a server that sits in front of web servers and directs client requests to the appropriate web server. This configuration can be used to improve the security, scalability, and reliability of web applications.

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Here we have defined a server block that listens on port 80 and forwards every request to the application running on localhost:3000 using the proxy_pass directive. The proxy_set_header directives pass the original Host header and the client's IP address (as X-Real-IP) on to the backend.

SSL/TLS Configuration

SSL/TLS is a protocol that encrypts data sent over the internet. This configuration can be used to improve the security of web applications. Here we have defined a server block that listens on port 443 with SSL/TLS enabled. We have also defined the SSL certificate and key files using the ssl_certificate and ssl_certificate_key directives.

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
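
The block above leaves the protocol versions at the build's default and says nothing about port 80. The following is an added example, not part of the original configuration, showing the same server with those gaps closed; the one-year HSTS lifetime and the session settings are assumed policy values.

```nginx
# Plain HTTP serves no content: every request is redirected to HTTPS.
# The target host is fixed rather than taken from the request's Host header.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;   # keep this file readable by root only

    # Pin the accepted protocol versions instead of relying on the default.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Session resumption through a shared server-side cache, not tickets.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to use HTTPS for this host for one year (assumed policy).
    # "always" adds the header to error responses as well.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Lets the backend know the client connection was encrypted.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```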

Caching Configuration

Caching is a technique that stores frequently accessed data in memory to improve performance. This configuration can be used to improve the performance of web applications.

http {
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m;

    server {
        listen 80;
        server_name example.com;

        location / {
            proxy_cache my_cache;
            proxy_cache_valid 200 60m;
            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}

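In this configuration, we have defined a cache path and zone using the proxy_cache_path directive: cached responses are written to disk under /var/cache/nginx, a 10 MB shared-memory zone named my_cache holds the cache keys, and entries that are not requested for 60 minutes are removed. We have also defined a server block that uses the proxy_cache directive to enable that cache and proxy_cache_valid to keep responses with status 200 for 60 minutes.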
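
With proxy_cache_valid 200 60m, any 200 response that carries no caching headers of its own is stored, and the default cache key ($scheme$proxy_host$request_uri) does not include cookies or the Authorization header, so a response generated for one logged-in user could be served to another. The following is an added example, not part of the original configuration, that keeps credentialed requests out of the cache; the cookie name sessionid is an assumption.

```nginx
http {
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m;

    server {
        listen 80;
        server_name example.com;

        location / {
            proxy_cache my_cache;
            proxy_cache_valid 200 60m;

            # Only safe, idempotent methods are cached (this is also the default).
            proxy_cache_methods GET HEAD;

            # A request with an Authorization header or a session cookie
            # (hypothetical name "sessionid") is never answered from the cache...
            proxy_cache_bypass $http_authorization $cookie_sessionid;
            # ...and its response is never written to the cache.
            proxy_no_cache     $http_authorization $cookie_sessionid;

            # HIT / MISS / BYPASS in the response makes the behaviour testable.
            add_header X-Cache-Status $upstream_cache_status;

            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```

Responses that set Cache-Control: private or no-store, or that carry a Set-Cookie header, are already skipped by NGINX unless proxy_ignore_headers disables that.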

Securing NGINX

Rate Limiting

Rate limiting is a technique that limits the number of requests that can be made within a certain period of time. This can be used to prevent abuse and protect against DDoS attacks.

http {
    limit_req_zone $binary_remote_addr zone=my_zone:10m rate=1r/s;

    server {
        listen 80;
        server_name example.com;

        location / {
            limit_req zone=my_zone;
            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}

Here, we have defined a limit_req_zone using the $binary_remote_addr variable to track requests from each IP address. We have also defined a server block that uses the limit_req directive to limit each address to 1 request per second. Because no burst parameter is set, any request that exceeds this rate is rejected with a 503 error.
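
A strict 1r/s limit with no burst also rejects the parallel requests a single page load produces. The following is an added example, not part of the original configuration, that allows short bursts, answers with 429 instead of 503, and applies a tighter limit to a login endpoint; the /login path, the login_zone name and the burst sizes are assumptions.

```nginx
http {
    # General traffic: 1 request per second per client address.
    limit_req_zone $binary_remote_addr zone=my_zone:10m rate=1r/s;
    # Credential endpoint (hypothetical path /login): 6 requests per minute.
    limit_req_zone $binary_remote_addr zone=login_zone:10m rate=6r/m;

    # 429 Too Many Requests separates throttling from real backend failures.
    limit_req_status 429;
    # Rejections are logged at this level in the error log, useful for alerting.
    limit_req_log_level warn;

    server {
        listen 80;
        server_name example.com;

        location / {
            # Up to 20 requests above the rate are served at once; more get 429.
            limit_req zone=my_zone burst=20 nodelay;
            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        location = /login {
            # Small burst so a mistyped password can be retried, nothing more.
            limit_req zone=login_zone burst=3 nodelay;
            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```

If NGINX itself sits behind another proxy or CDN, $binary_remote_addr is that proxy's address and all clients share one counter.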

IP Blocking

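IP blocking is a technique that blocks access from specific IP addresses. This can be used to prevent access from known attackers or malicious users. Here, we have defined a deny directive to block access from the IP address 192.168.0.1, followed by allow all to permit every other address. Both rules sit at the http level: NGINX inherits allow/deny rules from an outer level only when the inner level defines none of its own, so an allow all placed inside the location block would replace the inherited deny and leave 192.168.0.1 unblocked.

http {
    # Rules are checked in order and the first match wins.
    # Keep deny and allow at the same level: a location that defines its own
    # allow/deny rules does not inherit the ones set here.
    deny 192.168.0.1;
    allow all;

    server {
        listen 80;
        server_name example.com;

        location / {
            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}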

Request Filtering

Request filtering is a technique that blocks requests that match certain patterns. This can be used to prevent access to sensitive files or prevent SQL injection attacks.

http {
    server {
        listen 80;
        server_name example.com;

        location / {
            if ($request_uri ~* "(.*/)?\.git(/.*)?$") {
                return 403;
            }
            if ($query_string ~* "union.*select.*\(") {
                return 403;
            }
            proxy_pass http://localhost:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}

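In this configuration, we have defined two if statements to block requests that match certain patterns. The first if statement returns 403 for requests whose URI contains ".git" at the end or followed by a slash, which can prevent access to sensitive Git repository files. The second if statement returns 403 when the query string contains "union" followed by "select" and an opening parenthesis (matched case-insensitively), which can stop some SQL injection attempts. Pattern matching of this kind is a coarse filter in front of the application, not a replacement for parameterized queries in the application itself.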
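
The first check above tests $request_uri, which is the raw request line including the query string. The following is an added example, not part of the original configuration, that moves the path rule into regex location blocks, which NGINX matches against the normalized URI (percent-encoding decoded, "." and ".." segments resolved, duplicate slashes merged); the .well-known exception is an assumption for sites that use ACME certificate validation.

```nginx
server {
    listen 80;
    server_name example.com;

    # Regex locations are tried before the "/" prefix location is used,
    # and they see the normalized URI, so non-canonical spellings of the
    # path are compared in their decoded form.
    location ~* /\.git(/|$) {
        return 403;
    }

    # Same rule for any other hidden file or directory, while keeping
    # /.well-known/ reachable (assumed to be needed for ACME challenges).
    location ~ /\.(?!well-known/) {
        return 403;
    }

    location / {
        # Query-string pattern from the configuration above, kept as
        # defence in depth only; the application must still use
        # parameterized queries.
        if ($query_string ~* "union.*select.*\(") {
            return 403;
        }
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```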

Creating a Load Balancer

To create a load balancer using NGINX, we can use the upstream block and the proxy_pass directive as shown below. We can define multiple servers in the upstream block and NGINX will distribute incoming traffic across them.

upstream backend {
    server 192.168.0.10;
    server 192.168.0.11;
}

In this upstream block, we have defined two servers with IP addresses 192.168.0.10 and 192.168.0.11. We can then use the proxy_pass directive in the server block to direct traffic to the upstream servers.

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

In this server block, we have defined the listen directive to port 80 and set the server_name directive to example.com. We have also defined a location block that uses the proxy_pass directive to direct traffic to the upstream servers defined in the backend upstream block.
