HowTo: Use Nginx As Reverse Proxy Server

Nginx is an open source web server and a reverse proxy server. You can use nginx for load balancing and/or as a proxy solution to run services from inside those machines through your host's single public IP address such as In this post, I will explain how to install nginx as a reverse proxy server for Apache+php5 domain called and Lighttpd static asset domain called You need to type the following commands on vm00 having an IP address only.

DNS Setup

Make sure both and point to public IP address

Install nginx server

Type the following command to install nginx web server:
$ cd /tmp
$ wget
# rpm -iv nginx-release-rhel-6-0.el6.ngx.noarch.rpm
# yum install nginx

Sample outputs:

Loaded plugins: rhnplugin
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package nginx.x86_64 0:1.2.1-1.el6.ngx will be installed
--> Finished Dependency Resolution
Dependencies Resolved
 Package      Arch          Version                   Repository    Size
 nginx        x86_64        1.2.1-1.el6.ngx           nginx        331 k
Transaction Summary
Install       1 Package(s)
Total download size: 331 k
Installed size: 730 k
Is this ok [y/N]: y
Downloading Packages:
nginx-1.2.1-1.el6.ngx.x86_64.rpm                  | 331 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : nginx-1.2.1-1.el6.ngx.x86_64                          1/1
Thanks for using NGINX!
Check out our community web site:
If you have questions about commercial support for NGINX please visit:
  Verifying  : nginx-1.2.1-1.el6.ngx.x86_64                          1/1
  nginx.x86_64 0:1.2.1-1.el6.ngx

Configure the nginx web server as reverse proxy

Edit /etc/nginx/conf.d/default.conf, enter:
# vi /etc/nginx/conf.d/default.conf
Add/correct as follows:

## Basic reverse proxy server ##
## Apache (vm02) backend for ##
upstream apachephp  {
      server; #Apache1
}

## Lighttpd (vm01) backend for ##
upstream lighttpd  {
      server; #Lighttpd1
}

## Start ##
server {
    access_log  /var/log/nginx/log/www.example.access.log  main;
    error_log  /var/log/nginx/log/www.example.error.log;
    root   /usr/share/nginx/html;
    index  index.html index.htm;

    ## send request back to apache1 ##
    location / {
        proxy_pass  http://apachephp;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
## End ##

## START ##
server {
    access_log  /var/log/nginx/log/  main;
    error_log   /var/log/nginx/log/;
    root        /usr/local/nginx/html;
    index       index.html;

    location / {
        proxy_pass  http://lighttpd;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header        Host  ;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
## END  ##

Turn on Nginx

Type the following commands:
# chkconfig nginx on
# service nginx start

Configure firewall

Set firewall as follows:

  • Drop all INPUT/OUTPUT chain traffic by default.
  • Open tcp port and/or 443 on eth0 only.
  • Set eth1 as a trusted device so that communication can take place between the nginx reverse proxy and the Apache/Lighttpd backend servers.

Run the following command to set up and customize the firewall as described above:
# system-config-firewall-tui
You can edit /etc/sysconfig/iptables manually and set the firewall too. See our tutorial for more information.
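
If you edit /etc/sysconfig/iptables by hand, it helps to check the result against the three policy points above. The script below is an added example, not part of the original article: the function names and the sample ruleset are constructed here, and the allowed port list is an argument (the sample passes only 443, the port the text names).

```sh
#!/bin/sh
# Added example: audit an iptables-save style file against the policy above.
# usage: audit_iptables FILE PUBLIC_IF TRUSTED_IF "ALLOWED_TCP_PORTS"
audit_iptables() {
    awk -v pub="$2" -v trusted="$3" -v ports="$4" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        # Chain policy lines look like ":INPUT DROP [0:0]"
        /^:(INPUT|OUTPUT) / && $2 != "DROP" {
            print "POLICY " substr($1, 2) " is " $2 ", want DROP"
        }
        $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            iface = "any"; dport = "any"
            for (i = 3; i < NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
            }
            if (iface == trusted) { seen_trusted = 1; next }
            if (/ESTABLISHED/ && !/NEW/) next   # replies to existing connections
            # A rule without -i also matches the public interface
            if ((iface == pub || iface == "any") && !(dport in ok)) {
                print "OPEN iface=" iface " dport=" dport
            }
        }
        END { if (!seen_trusted) print "NOTRUST no ACCEPT rule for " trusted }
    ' "$1"
}

sample_audit() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
    audit_iptables "$f" eth0 eth1 "443"
    rm -f "$f"
}
sample_audit
```

On the constructed ruleset it reports the OUTPUT policy that was left at ACCEPT and the port 22 rule that, having no -i match, is reachable from eth0 as well.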


Edit /etc/sysctl.conf as follows:

# ExecShield
kernel.exec-shield = 1
# ASLR: 1 randomizes stack, mmap base and VDSO; 2 also randomizes the heap (brk)
kernel.randomize_va_space = 1
# IPv4 settings
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Increase system file descriptor limit to
fs.file-max = 50000
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

To load the new Linux kernel settings, run:
# sysctl -p
See Linux Kernel /etc/sysctl.conf Security Hardening faq for a detailed explanation of the above directives.
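
After sysctl -p it is worth confirming that the running kernel holds the values in the file, since a later change or an unknown key leaves the host softer than the file suggests. The script below is an added example, not part of the original article: the function names and sample data are constructed, and the second file is assumed to be saved `sysctl -a` output.

```sh
#!/bin/sh
# Added example: report settings in a sysctl.conf that the live kernel
# does not hold. Function names and sample data are constructed here.
# usage: sysctl_drift WANT_FILE LIVE_FILE   (LIVE_FILE = saved `sysctl -a`)
sysctl_drift() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                  # comment lines
        {
            eq = index($0, "="); if (!eq) next  # blank or malformed line
            key = trim(substr($0, 1, eq - 1))
            val = trim(substr($0, eq + 1))
            gsub(/[ \t]+/, " ", val)            # tab-separated ranges compare equal
            if (FILENAME == ARGV[1]) {
                if (!(key in want)) order[++n] = key
                want[key] = val                 # last assignment in the file wins
            } else {
                live[key] = val
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in live)) {
                    print "MISSING " k " (want " want[k] ")"
                } else if (live[k] != want[k]) {
                    print "DRIFT " k " want=" want[k] " live=" live[k]
                }
            }
        }' "$1" "$2"
}

sample_run() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/want" <<'EOF'
# Constructed subset of the sysctl.conf above
kernel.exec-shield = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 2000 65000
EOF
    # Constructed live values: forwarding enabled, exec-shield key absent
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.ip_local_port_range = 2000\t65000\n' > "$tmp/live"
    sysctl_drift "$tmp/want" "$tmp/live"
    rm -rf "$tmp"
}
sample_run
```

On a real host, save the live values with `sysctl -a > live.txt` and run `sysctl_drift /etc/sysctl.conf live.txt`.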

Securing Nginx web server

See our previous blog post, "Top 20 Nginx WebServer Best Security Practices" for more information. Also, for more information on nginx, reverse proxy and SSL configuration, see our previous tutorials.
