This guide will offer you a practical guide to install and configure Nginx as a reverse proxy before Apache on distribution Ubuntu 18.04 LTS (Bionic Beaver). Nginx will be available for use simultaneously for the webserver for PHP and other application. Part of the tutorial is also the configuration of SSL and proxying of only designated file types.
Note: Tutorial is focused on virtual server (VPS) from Active24 but it is applicable to any environment, platforms and providers with the same distribution of operating system.
Nginx as well as Apache belong to the wide spread web servers. The advantage for these two technologies is mostly the fact that you don’t need to choose. It is not necessary to own separate IP addresses so each could be running, nor set the URL in the form of https://example.com:80, or https://example.com:81.
Note: Before you make any changes to the virtual server, we would recommend to create a snapshot of the server. By restoring a snapshot you can go back to the exact moment when the snapshot was created.
Before we begin
Note: For the basic installation we recommend at least package of virtual server V3 – CPU, RAM memory, SSD disc can be of course upgraded any time
Operating system in this case we choose Ubuntu 18.04 LTS (its official support will be till 2023), minimal configuration, therefore without any preinstalled packages (you can proceed even with LAMP or LEMP configuration)
As the first step after the creation of VPS and logging in via root account (or an account with sufficient rights) we initiate an update and upgrade of packages (in case of update of the package, e.g. grub, we would recommend to keep the current settings):
apt update && apt upgrade -y
Installation and configuration of Apache
After successful download of newest packages we install and configure the Apache. Installation is relatively simple – you can even use the LAMP configuration of the server.
Download the most important package – apache2 and newest version of PHP:
apt install apache2 php -y
After installing the Appache web-server listens on the port 80. We want to keep this port free for Nginx, that will stand before Apache. We need to change the port to another, for example 8080 for unsecure communication and 8443 for secured. For editing text files we can use CLI text editors in our case it is nano:
nano /etc/apache2/apache2.conf
Edit the configuration file as follows:
Listen 8080 <IfModule ssl_module> Listen 8443 </IfModule> <IfModule mod_gnutls.c> Listen 8443 </IfModule>
Safe the file. As the second part we need to edit the VirtualHost itself, so it would work correctly on the new port:
nano /etc/apache2/sites-available/000-default.conf
Edit the line:
nano /etc/apache2/sites-available/000-default.conf
Edit the first line:
<VirtualHost *:8080>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
After activation of all changes it is necessary to restart the apache2 :
/etc/init.d/apache2 restart
Checking the availability of apache2 is also possible via URL browser. For a domain with extensive DNS records (in our case example.com) enter http://example.com:8080. If the domain does not have DNS records set, we can use the IP address of the server along with the port 8080. We should be welcomed by the default page of Ubuntu.
Installing and configuration Nginx
After the successful configuration of Apache, we can install the Nginx:
apt install nginx -y
After we install it, make sure that the service nginx will turn on after the server restarts and of course if it is actually running.
systemctl enable nginx.service /etc/init.d/nginx restart
In the basic installation the server nginx will listen on port 80 and after our changes the server apache2 will listen on the port 8080. To check these settings we will check the currently open port of our server via netstat:
netstat -tlpn
Configuration parameters proxying from Nginx to Apache are located in file /etc/nginx/proxy_params. Among the basic parameters we will locate these:
proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme;
Parameters can be edited with many useful directives. Their list can be found at nginx.org/en/docs/http/ngx_http_proxy_module.html. From the perspective of our setting we will add four more directives under the already existing directives:
proxy_buffering on; proxy_buffer_size 64k; proxy_buffers 256 8k; proxy_read_timeout 120;
Parameters can be specified at the VirtualHost itself and under Nginx server.
Then we will edit the default Nginx page (/etc/nginx/sites-available/default) in a way that all requests on port 80 will be send (proxied) to server Apache:
server {
listen 80 default_server;
index index.html index.htm index.nginx-debian.html;
server_name example.com www.example.com;
location / {
proxy_pass http://localhost:8080;
include /etc/nginx/proxy_params;
}
}
To apply the changes we need to restart the Nginx server:
/etc/init.d/nginx restart
We can check the proxying for example with the help of developer tool in the browser. Simply enter the domain name or server IP to the URL field (in our case 195.210.29.181), while focusing on Response headers – Server:
Faster configuration
How to decrease the VPS response of the web server? How to lift the load from the Apache server to make it work faster? We will not gain as much by simple proxying. We will introduce two ways of improving the configuration.
a) Processing SSL security on the Nginx service
Among the standards of today websites there is SSL certificate and protocol HTTPS. These certificates can be purchased, or gainde for free versions such as Let’s Encrypt. On the VPS ve will create a directory where we will keep all certificate files (replace the example.com with the domain name) and we will move two files there – private.key and certificate along with chain (certificate.crt):
mkdir -p /etc/ssl/example.com nano /etc/ssl/example.com/private.key nano /etc/ssl/example.com/certificate.crt
Then we will edit the file VirtualHost for the Nginx (/etc/nginx/sites-available/default) so the unsecured requrest via protocol HTTP via port 80 would be forwarded to a secured protocol HTTPS and port 443 by simple redirect and then served by the backend server Apache:
server {
listen 80 default_server;
server_name example.com www.example.com;
return 301 https://$server_name;
}
server {
listen 443 default_server;
ssl on;
ssl_certificate /etc/ssl/example.com/certificate.crt;
ssl_certificate_key /etc/ssl/example.com/private.key;
ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
location / {
proxy_pass http://localhost:8080;
include /etc/nginx/proxy_params;
}
}
To apply the changes, we have to restart the Nginx server:
/etc/init.d/nginx restart
After we enter the domain to URL we will be currently redirected to the Nginx server on HTTPS and our request will be served by the certificate even though the request will be redirected to the backend of the Apache server.
b) Proxying request only for selected files
Since the Nginx is known for its speed, it is advantageous to serve as many files on this service and not send them over to Apache. We can select the option to proxy only .php files while others will be served right away. For testing create a file phpinfo() in the directory with website /var/www/html/info.php
After it is created edit the directives location. Add a new directive index that will define the Nginx to find the base web page to display under the file index.nginx-debian.html, which will server for much simpler illustration of differences between files served by Nginx and by Apache server:
server {
listen 80 default_server;
server_name example.com www.example.com;
return 301 https://$server_name;
}
server {
listen 443 default_server;
root /var/www/html;
ssl on;
ssl_certificate /etc/ssl/example.com/certificate.crt;
ssl_certificate_key /etc/ssl/example.com/private.key;
ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
location / {
index index.nginx-debian.html;
}
location ~ \.php {
proxy_pass http://localhost:8080;
include /etc/nginx/proxy_params;
}
}
Currently our domain example.com redirects to HTTPS protocol and displays the basic page of Nginx. After entering example.com/info.php we are proxied to Apache server that will process our PHP file.
Proxying of specific files has large possibilities of use for speeding up the website loading. In practice it is defining static files by the extension that can be stored in cache memory for up to 3 month and will be served compressed via gzip. We do not need to write to access log and we will add custom header Cache-Control. This configuration would look like this:
server {
listen 80 default_server;
server_name example.com www.example.com;
return 301 https://$server_name;
}
server {
listen 443 default_server;
root /var/www/html;
ssl on;
ssl_certificate /etc/ssl/example.com/certificate.crt;
ssl_certificate_key /etc/ssl/example.com/private.key;
ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
location ~* .(ico|png|gif|jpg|jpeg|swf|woff|css|js|html)$ {
access_log off;
gzip_static on;
gzip_comp_level 5;
expires 3M;
add_header Cache-Control private;
}
location / {
index index.nginx-debian.html;
}
location ~ \.php {
proxy_pass http://localhost:8080;
include /etc/nginx/proxy_params;
}
}
Fro the most common usage it is ideal to define so-called “fallback” – define on the Nginx server paths, where the files should be searched for, and if they are not found, proxy them to Apache server. This setting is mostly used for CMS WordPress or other application, that use n Apache mod_rewrite. We activate mod_rewrite:
a2enmod rewrite systemctl restart apache2
Enrich the last configuration with the fallback on the Apache server (by this step we will also enable logo on the basic website of Apache – example.com/index.html), and deny the direct access to the files with dot (like .htaccess, .htpasswd:
server {
listen 80 default_server;
server_name proxyngap.docolomansky.sk www.proxyngap.docolomansky.sk;
return 301 https://$server_name;
}
server {
listen 443 default_server;
root /var/www/html;
ssl on;
ssl_certificate /etc/ssl/example.com/certificate.crt;
ssl_certificate_key /etc/ssl/example.com/private.key;
ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
location ~* .(ico|jpg|png|gif|jpeg|css|swf|js|woff|html)$ {
access_log off;
gzip_static on;
gzip_comp_level 5;
expires 3M;
add_header Cache-Control private;
try_files $uri @proxy;
}
location @proxy {
proxy_pass http://localhost:8080;
}
location / {
index index.nginx-debian.html;
}
location ~ \.php {
proxy_pass http://localhost:8080;
include /etc/nginx/proxy_params;
}
location ~ /\. {
deny all;
}
}
After the change of configuration it is necessary to restart the nginx service:
/etc/init.d/nginx restart
Other sources
- How to install nginx as a Reverse Proxy for Apache on Ubuntu 16.04
- Apache and Nginx Together
- How to configure Nginx as a reverse proxy for Apache on Debian and Ubuntu
- How To Configure Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 18.04 Server
- How To Configure Nginx as a Reverse Proxy for Apache
- Apache vs Nginx: Practical Considerations
- How to do an Nginx redirect
- Ubuntu Releases