How to Set Up a Reverse NGINX Proxy on Alibaba Cloud
This article was created in partnership with Alibaba Cloud. Thank you for supporting the partners who make SitePoint possible.
Think you got a better tip for making the best use of Alibaba Cloud services? Tell us about it and go in for your chance to win a MacBook Pro (plus other cool stuff). Find out more here.
Need to serve many websites from a single Linux box, optimizing resources, and automating the site launch process? Let’s get serious then, and set up a production-ready environment using Ubuntu, NGINX, and Docker — all of it on Alibaba Cloud.
This is a somewhat advanced tutorial, and we’ll assume some knowledge of networking, server administration, and software containers.
Understanding the Scenario
If you are looking at this guide, chances are that you need to manage a cluster of servers, or an increasing number of websites — if not both — and are looking at what your options are for a secure, performant, and flexible environment. Well then, you came to the right place!
Why a Reverse Proxy
In a nutshell, a reverse proxy takes a request from a client (normally from the Internet), forwards it to a server that can fulfill it (normally on an Intranet), and finally returns the server’s response back to the client.
Those making requests to the proxy may not be aware of the internal network.
So the reverse proxy is the “public face” sitting at the edge of the app’s network, handling all of the requests; so it is, in a way, similar to a load balancer. But while implementing a load balancer only makes sense when you have multiple servers, you can deploy a reverse proxy with just one web server hosting multiple sites, and this can be particularly useful when there are different configuration requirements for those sites.
There are some benefits to this approach:
- Performance. A number of web acceleration techniques that can be implemented, including:
- Compression: server responses can be compressed before returning them to the client to reduce bandwidth.
- SSL termination: decrypting requests and encrypting responses can free up resources on the back-end, while securing the connection.
- Caching: returning stores copies of content for when the same request is placed by another client, can decrease response time and load on the back-end server.
- Security. Malicious clients cannot directly access your web servers, with the proxy effectively acting as an additional defense; and the number of connections can be limited, minimizing the impact of distributed denial-of-service (DDoS) attacks.
- Flexibility. A single URL can be the access point to multiple servers, regardless of the structure of the network behind them. This also allows requests to be distributed, maximizing speed and preventing overload. Clients also only get to know the reverse proxy’s IP address, so you can transparently change the configuration for your back-end as it better suits your traffic or architecture needs.
NGINX Plus and NGINX are the best-in-class reverse-proxy solutions used by high-traffic websites such as Dropbox, Netflix, and Zynga. More than 287 million websites worldwide, including the majority of the 100,000 busiest websites, rely on NGINX Plus and NGINX to deliver their content quickly, reliably, and securely.
What Is a Reverse Proxy Server? by NGINX.
Apache is great and probably best for what it’s for — a multi-purpose web server, all batteries included. But because of this very reason, it can be more resource hungry as well. Also, Apache is multi-threaded even for single websites, which is not a bad thing in and of itself, especially for multi-core systems, but this can add a lot of overhead to CPU and memory usage when hosting multiple sites.
Tweaking Apache for performance is possible, but it takes savvy and time. NGINX takes the opposite approach in its design — a minimalist web server that you need to tweak in order to add more features in, which to be fair, also takes some savvy.
In short, NGINX beats Apache big time out-of-the-box performance and resource consumption-wise. For a single site you can chose not to even care, on a cluster or when hosting many sites, NGINX will surely make a difference.
Why Alibaba Cloud
Part of the Alibaba Group (Alibaba.com, AliExpress), Alibaba Cloud has been around for nearly a decade at the time of this writing. It is China’s largest public cloud service provider, and the third of the world; so it isn’t exactly a “new player” in the cloud services arena.
However, it hasn’t been until somewhat recently that Alibaba has decidedly stepped out of the Chinese and Asian markets to dive into the “Western world”. It’s a fully-featured offering: elastic computing, database services, storage and CDN, application service, domain and website, security, networking, analytics, Alibaba Cloud covers it all.
Deploying to Alibaba Cloud
You’ll need an Alibaba Cloud account before you can set up your Linux box. And the good news is that you can get one for free! For the full details see How to Sign Up and Get Started.
For this guide will use Ubuntu Linux, so you can see the How to Set Up Your First Ubuntu 16.04 Server on Alibaba Cloud) guide. Mind you, you could use Debian, CentOS, and in fact, you can go ahead and check 3 Ways to Set Up a Linux Server on Alibaba Cloud.
Once you get your Alibaba Cloud account and your Linux box is up and running, you’re good to go.
If we wanted to use the whole process ourselves, we would first need to install NGINX.
On Ubuntu we’d use the following commands:
$ sudo apt-get update $ sudo apt-get install nginx
And you can check the status of the web server with
$ systemctl status nginx
systemctl you can also
restart the server, and
disable the launch of NGINX at boot time.
These are the two main directories of interest for us:
/var/www/htmlNGINX default website location.
/etc/nginxNGINX configuration directory.
Now, setting a reverse proxy can be a somewhat cumbersome enterprise, as there are a number of network settings we need to go through, and files we need to update as we add sites/nodes behind our proxy.
That is, of course, unless we automate the whole thing using software containers…
Docker to the Rescue
Before we can start using software containers to automate our workflow, we first we need to install Docker, which for Ubuntu is a fairly straight forward process.
Uninstall any old version:
$ sudo apt-get remove docker docker-engine docker.io
Install the latest Docker CE version:
$ sudo apt-get update $ sudo apt-get install docker-ce
If you want to install a specific Docker version, or set up the Docker repository, see Get Docker CE for Ubuntu.
Setting the Network
Part of setting a reverse proxy infrastructure is properly setting networking rules.
So let’s create a network with Docker:
$ docker network create nginx-proxy
And believe or not, the network is set!
Now that we have Docker running on our Ubuntu server, we can streamline the process of installing, setting up the reverse proxy, and launching new sites.
Jason Wilder did an awesome job putting together a Docker image that does exactly that–jwilder/nginx-proxy, a automated NGINX proxy for Docker containers using docker-gen, that works perfectly out-of-the-box.
Here’s how you can run the proxy:
$ docker run -d -p 80:80 -p 443:443 --name nginx-proxy --net nginx-proxy -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
- we told Docker to run NGINX as a daemon/service (
- mapped the proxy’s HTTP and HTTPS ports (80 and 443) the web server(s) ports behind it (
-p 80:80 -p 443:443),
- named the NGINX proxy for future reference (
- used the network we previously set (
- mapped the UNIX socket that Docker daemon is listening to, to use it across the network (
And believe or not, the NGINX reverse proxy is up and running!
Launching Sites, Lots of Sites
Normally when using Docker you would launch a “containerized” application, being a standard WordPress site, a specific Moodle configuration, or your own images with your own custom apps.
Launching a proxied container now is as easy as specifying the virtual your domain with
$ docker run -d --net nginx-proxy -e VIRTUAL_HOST=subdomain.yourdomain.com --name site_name your_docker_image
your_docker_image may be a WordPress site, your own web app, etc.
And believe or not, your web app is online!
… but okay, let’s explain what just happened. jwilder/nginx-proxy transparently took care of creating all of the NGINX configuration files using the host name your provided, and doing all of the necessary network routing to the software container running your app; all of it with a single bash line — isn’t that crazy?
Notice that the IP address that you’ll use to access your web apps will always be the same, the internal routing and setting for your sites has already been taken care of, but you’ll just need to make sure that you’ve mapped your domains and subdomains appropriately to the proxy.
Extra Tip: Using Docker Compose
For those of you who are Docker power users, we can take the automation a little further with Docker Compose.
Putting everything together in a
version: "2" services: nginx-proxy: image: jwilder/nginx-proxy networks: - nginx-proxy ports: - "80:80" - "443:443" volumes: - /var/run/docker.sock:/tmp/docker.sock:ro app_name: container_name: your_app_name image: your_docker_image environment: - VIRTUAL_HOST: subdomain.yourdomain.com networks: - nginx-proxy networks: nginx-proxy: external: name: nginx-proxy back: driver: bridge
Additionally, with Docker Compose you can also set pretty much all of the infrastructure that you need — databases, all of your apps each with their own Apache/NGINX configuration, etc. That is out of the scope for this article, but you can find more info in Overview of Docker Compose.
About Alibaba Cloud:
- Alibaba Cloud, an integrated suite of cloud products, services and solutions.
- Free Trial,
learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD.
- Getting Started with Alibaba Cloud.
- NGINX, a high performance load balancer, web server, and reverse proxy.
- NGINX Reverse Proxy.
- Automated Nginx Reverse Proxy for Docker by Jason Wilder.
- Docker, build, ship, and run any app, anywhere.
- Understanding Docker, Containers and Safer Software Delivery.
Wrapping It Up
We just accomplished something quite elaborate—an infrastructure capable of managing hundreds of sites from a single entry point, with a strong focus on resource optimization, and an automated pipeline. Kudos!
As we mentioned, reverse proxies can be just the starting point when implementing server load balancing (SLB), a web application firewall (WAF), and even a content delivery network (CDN). We’ll get into more of that in the future.