Nginx Load Balancing and Security Features: A Guide to Optimizing Your Server Configuration

Nginx is a high-performance web server that can be used to optimize the configuration of your server for improved performance. Here are some tips for optimizing your server configuration using Nginx:

  1. Use Nginx as a reverse proxy: Nginx can be used as a reverse proxy to offload static content and SSL processing from your application server. This can help reduce the load on your application server and improve the overall performance of your application.
  2. Use gzip compression: Nginx supports gzip compression, which can help reduce the size of files sent over the network and improve page load times.
  3. Use caching: Nginx can be used to implement various types of caching, such as caching of static files, caching of responses from your application server, and caching of API responses. This can help reduce the load on your application server and improve response times for your users.
  4. Use HTTP/2: Nginx supports HTTP/2, which can help improve page load times by allowing multiple requests to be sent over a single connection.
  5. Use load balancing: Nginx can be used to implement load balancing across multiple application servers. This can help distribute the load across multiple servers and improve the overall performance of your application.
  6. Use security features: Nginx provides various security features, such as SSL termination, rate limiting, and IP blocking, which can help protect your application from attacks and improve its overall security.

How you can optimize your server configuration using Nginx:

  • Use Nginx as a reverse proxy:
server {
    listen 80;
    server_name tutostartup.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

This configuration sets up Nginx to act as a reverse proxy for an application running on port 3000. Requests to tutostartup.com will be forwarded to the application server running on localhost:3000.

  • Use gzip compression:
gzip on;
gzip_disable "msie6";
gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
gzip_types
   text/plain
   text/css
   text/js
   text/xml
   text/javascript
   application/javascript
   application/json
   application/xml;

This configuration enables gzip compression for the specified file types.

  • Use caching:
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m;
server {
    ...
    location / {
        proxy_cache my_cache;
        proxy_cache_valid 200 60m;
        proxy_cache_bypass $http_pragma;
        proxy_cache_revalidate on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:3000;
    }
}

This configuration sets up caching of responses from an application server running on localhost:3000. The responses will be cached in a directory specified by the proxy_cache_path directive, and will be served from cache for 60 minutes (proxy_cache_valid directive).

  • Use HTTP/2:
listen 443 ssl http2;
ssl_certificate /etc/ssl/certs/tutostartup.crt;
ssl_certificate_key /etc/ssl/private/tutostartup.key;

This configuration enables HTTP/2 for SSL-enabled requests.

  • Use load balancing:
upstream backend {
    server backend1.tutostartup.com;
    server backend2.tutostartup.com;
}

server {
    ...
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

This configuration sets up load balancing across two backend servers (backend1.tutostartup.com and backend2.tutostartup.com).

  • Use security features:
server {
    listen 80;
    server_name tutostartup.com;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name tutostartup.com;

    ssl_certificate /etc/ssl/certs/tutostartup.crt;
    ssl_certificate_key /etc/ssl/private/tutostartup.key;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /admin {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:3000/admin;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

This configuration sets up SSL and redirects all requests to HTTPS (return 301 https://$server_name$request_uri;). It also sets up HTTP basic authentication for requests to the /admin path (auth_basic directive), and proxies those requests to an application server running on localhost:3000. The credentials for the basic authentication are stored in a file specified by the auth_basic_user_file directive.

  • Blacklist in Nginx

Block IP addresses: To block a specific IP address:

location / {
    deny 123.123.123.123;
    ...
}

Block user agents: To block specific user agents (e.g., bots, spiders)

if ($http_user_agent ~* (bot|spider)) {
    return 403;
}

Block requests to specific URLs: This will block access to any URL that starts with “/admin”.

location /admin {
    deny all;
    ...
}

Note that Nginx also supports whitelists, which allow you to specify IP addresses, user agents, or URLs that should be allowed access. Whitelists can be implemented using similar techniques, but with “allow” statements instead of “deny” statements.

  • Nginx API gateway:

Nginx listens for incoming API requests on port 80, forwards them to a backend server, and includes the proxy parameters in the request.

http {
  server {
    listen 80;
    server_name api.tutostartup.com;

    location /api/admin {

      location /api/admin/product {
        limit_except GET {
            deny all;
        }
        error_page 403 = @405; # Convert deny response from '403 (Forbidden)'
                               # to '405 (Method Not Allowed)'
        proxy_pass http://product.tutostartup;
        include /etc/nginx/proxy_params;
      }

      location /api/admin/price {
        limit_except GET {
            deny all;
        }
        error_page 403 = @405; # Convert deny response from '403 (Forbidden)'
                               # to '405 (Method Not Allowed)'
        proxy_pass http://price.tutostartup;
        include /etc/nginx/proxy_params;
      }

      return 404; # Catch-all
    }

    # Named location referenced by the error_page directives above
    location @405 {
      return 405;
    }
  }
}
  • Create a rate-limiting policy by adding the following to your nginx.conf file:

This creates a rate-limiting zone called "api_zone" that limits the rate of requests to 10 requests per second per IP address. The limit_req_zone directive belongs in the http context.

limit_req_zone $binary_remote_addr zone=api_zone:10m rate=10r/s;
  • Apply the rate-limiting policy to your API endpoint
http {
  server {
    listen 80;
    server_name api.tutostartup.com;
    location / {
      limit_req zone=api_zone burst=20;
      proxy_pass http://backend.tutostartup;
      include /etc/nginx/proxy_params;
    }
  }
}
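
To see what rate=10r/s with burst=20 means for actual traffic, the following added example (not part of the original article) models the accept/reject accounting of limit_req in Python. The class and function names are hypothetical, the traffic is constructed, and the model is a simplification that ignores the delay applied to requests queued within the burst.

```python
# Added example: simplified model of limit_req's leaky-bucket accounting.
# Each key (client IP) carries an "excess" counter in 1/1000-request units.
RATE_R_S = 10   # rate=10r/s from the limit_req_zone line on the page
BURST = 20      # burst=20 from the limit_req line on the page


class LimitReqZone:
    def __init__(self, rate_r_s=RATE_R_S, burst=BURST):
        self.rate = rate_r_s * 1000      # milli-requests drained per second
        self.burst = burst * 1000        # milli-requests allowed above the rate
        self.state = {}                  # key -> (last_ms, excess)

    def handle(self, key, now_ms):
        """Return 200 if the request is passed (maybe delayed), 503 if rejected."""
        if key not in self.state:
            self.state[key] = (now_ms, 0)
            return 200
        last_ms, excess = self.state[key]
        elapsed = max(now_ms - last_ms, 0)
        new_excess = max(excess - self.rate * elapsed // 1000 + 1000, 0)
        if new_excess > self.burst:
            return 503                   # default limit_req_status; state unchanged
        self.state[key] = (now_ms, new_excess)
        return 200


def replay(arrivals):
    """arrivals: list of (client_ip, time_ms) -> {ip: (passed, rejected)}."""
    zone = LimitReqZone()
    counts = {}
    for ip, t in arrivals:
        status = zone.handle(ip, t)
        passed, rejected = counts.get(ip, (0, 0))
        counts[ip] = (passed + (status == 200), rejected + (status == 503))
    return counts


# Constructed traffic: one client sends 50 requests in the same millisecond,
# another sends one request every 100 ms (exactly 10 r/s) for 5 seconds.
SAMPLE = [("198.51.100.7", 0)] * 50 + [("203.0.113.9", i * 100) for i in range(50)]
SAMPLE.sort(key=lambda a: a[1])

if __name__ == "__main__":
    for ip, (passed, rejected) in replay(SAMPLE).items():
        print(f"{ip}: passed={passed} rejected={rejected}")
```

The bursting client gets 21 requests through (one plus the burst of 20) and the rest are rejected, while the client that stays at 10 r/s is never limited.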