
Alibaba Cloud DNS: Use a self-hosted Nginx reverse proxy to forward HTTPS requests and hide ports

Last Updated: Jan 05, 2026

Deploy an Nginx reverse proxy on an Elastic Compute Service (ECS) instance to control request forwarding rules. This setup enables HTTPS-based URL forwarding and port proxying, overcoming the limitations of Alibaba Cloud DNS, which does not support HTTPS-to-HTTPS URL forwarding and cannot resolve domain names to specific ports. For standard DNS resolution, you can add a DNS record.

Use cases

Alibaba Cloud DNS has the following limitations:

  • Protocol limitations: Does not support HTTPS-to-HTTPS request forwarding due to its certificate management mechanism.

  • Port limitations: The standard DNS protocol only allows resolving a domain name to an IP address, not to a specific port. If a backend application uses a non-standard port (such as 3000), users must manually add the port number to the URL (for example, http://www.example.com:3000).

Solution architecture

  • Original path: A client requests a domain name. After a recursive DNS query, the client receives the backend IP address and connects to it.

  • New path: After you set up a self-managed Nginx reverse proxy, Nginx acts as the traffic entry point and forwards requests. The access path is as follows:

    1. A client requests a domain name. After a recursive DNS query, the query ultimately resolves to the public IP address of the Nginx server.

    2. The client sends an HTTP/HTTPS request to this public IP address.

    3. Nginx receives the request. Based on forwarding rules that use the Host request header (the requested domain), it proxies the request to the appropriate backend application.

    4. The backend application processes the request and returns the response to Nginx, which then delivers it to the client.

Steps

This topic uses an ECS instance running Alibaba Cloud Linux 3 to demonstrate the deployment and configuration process. If you already have Nginx deployed on your system, skip to Step 3: Configure Nginx for different scenarios.

Step 1: Set up the ECS environment

  1. Create an ECS instance. For more information, see Create an ECS instance using the wizard.

    • Operating system: Select Alibaba Cloud Linux 3.

    • Network: Ensure that a public IP address is allocated.

  2. In the instance's security group configuration, add an inbound rule to allow TCP traffic on ports 22, 80, and 443 for SSH remote access and web services.

Step 2: Install and start Nginx

  1. Log in to the ECS instance by using an SSH client.

  2. Run the following command to install Nginx.

    sudo yum install -y nginx

  3. Start the Nginx service and enable it to start on system boot.

    sudo systemctl start nginx
    sudo systemctl enable nginx

  4. Check the status of the Nginx service to confirm it is running.

    sudo systemctl status nginx

    If the status is active (running), the service has started successfully.

  5. After modifying the Nginx configuration, run the following command to apply the changes. This command reloads the configuration gracefully without dropping existing connections.

    sudo systemctl reload nginx

Step 3: Configure Nginx for different scenarios

The core Nginx configuration file is located at /etc/nginx/nginx.conf. However, the best practice is to create a separate .conf file for each site and store it in the /etc/nginx/conf.d/ directory. The following sections provide configuration examples for different scenarios.

Scenario 1: HTTPS URL forwarding

Alibaba Cloud DNS does not support HTTPS-to-HTTPS URL forwarding because it does not allow you to upload custom HTTPS certificates. By setting up your own Nginx server, you can configure a valid SSL certificate for your source domain and define URL forwarding rules.

  • URL redirection (explicit forwarding)

    This configuration permanently redirects requests from https://example.com to https://aliyun.com. The browser's address bar updates to the new URL. Add the following content to the /etc/nginx/conf.d/redirect.conf file:

    server {
        listen 443 ssl http2;
        server_name example.com;
    
        # Configure the SSL certificate and private key for the source domain name
        ssl_certificate /etc/nginx/certs/example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/example.com.key;
    
        location / {
            return 301 https://aliyun.com$request_uri;
        }
    }
  • Reverse proxy (implicit forwarding)

    This configuration proxies requests for https://example.com to https://aliyun.com. The address bar remains unchanged, but the backend service provides the content. Add the following content to the /etc/nginx/conf.d/proxy.conf file:

    # Proxy access to example.com to aliyun.com
    server {
        listen 443 ssl http2;
        server_name example.com;
    
        # Configure the SSL certificate and private key for the source domain name
        ssl_certificate /etc/nginx/certs/example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/example.com.key;
    
        location / {
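            # Forward the request to the destination server over HTTPS
            proxy_pass https://aliyun.com;

            # Send the destination host name in the TLS handshake (SNI) so the destination returns the matching certificate.
            proxy_ssl_server_name on;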
    
            # Key configuration: Set the Host request header to the domain name of the destination service to ensure the backend can process the request correctly.
            proxy_set_header Host "aliyun.com";
            
            # Pass the client's originating IP address for backend service logging and analysis.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
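When Nginx connects to the destination over HTTPS, it accepts any certificate the destination presents unless verification is switched on. The following variant of the reverse proxy block is an added example, not part of the original page; it reuses the page's file paths and domain names, and the CA bundle path is an assumption based on the RHEL-family default location.

```nginx
# /etc/nginx/conf.d/proxy.conf: reverse proxy with upstream TLS verification
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    location / {
        # Encrypt the hop from the proxy to the destination as well.
        proxy_pass https://aliyun.com;
        proxy_set_header Host "aliyun.com";

        # Send SNI so the destination selects the certificate for this name.
        proxy_ssl_server_name on;
        proxy_ssl_name aliyun.com;

        # Verify the destination's certificate chain and host name.
        # Without these directives any certificate is accepted.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # Assumption: system CA bundle at the RHEL-family default path.
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;

        # Refuse legacy protocol versions on the upstream connection.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If verification fails, Nginx returns 502 to the client and records the reason in its error log. Run `sudo nginx -t` before reloading to catch a wrong CA bundle path.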
    

Scenario 2: Map a domain name to a specific port

This configuration allows an application running on a non-standard port, such as 3000, to be accessed through the standard port 80. This resolves the issue that A records cannot specify ports. Add the following content to the /etc/nginx/conf.d/port_mapping.conf file:

# Access the service on local port 3000 through example.com
server {
    listen 80;
    server_name example.com;

    location / {
        # Forward the request to port 3000 on the local host (localhost)
        proxy_pass http://127.0.0.1:3000;

        # Pass the original Host request header so the backend application can identify the accessed domain name
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Step 4: Configure DNS resolution

After setting up and configuring your Nginx reverse proxy, configure DNS for the domains it handles.

  1. Prepare a domain name. If you do not have one, go to Alibaba Cloud Domain Names. If the website is hosted in the Chinese mainland, you must complete the ICP filing.

  2. Get the public IP address of the server where the Nginx reverse proxy is deployed. In this example, this is the public IP address of the ECS instance.


  3. Go to Alibaba Cloud DNS - Public Zone and find the target domain name.

  4. Add or modify the DNS record.

    1. If you have not previously configured a DNS record, add a DNS record. Create an A record for each domain name that is configured in Nginx, such as example.com, and point the record to the public IP address of the ECS instance.

    2. If a DNS record already exists, change its value to the public IP address of the Nginx server. Note that after you modify a DNS record, it may take 5 to 10 minutes for the change to propagate and take effect.


Costs and risks

  • Cost breakdown: The primary cost is for the ECS instance required to run Nginx. The specific cost depends on the instance type, region, and billing method you choose. Nginx itself is open-source software.

  • Risks and maintenance: You are responsible for maintaining the self-managed reverse proxy. This includes regularly applying security patches to the operating system and Nginx, monitoring service health, and backing up configuration files. Improper configuration or lack of maintenance can lead to service disruptions or introduce a security vulnerability.

  • Production environment: Harden the Nginx security configuration and establish a monitoring and log analysis system.
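One hardening step that follows directly from the Host-based routing described above: Nginx hands any request whose Host header matches no `server_name` to the default server for that port, which is the first server block it loads unless one is marked `default_server`. The following catch-all configuration is an added example, not part of the original page; the file name is hypothetical, and `ssl_reject_handshake` assumes Nginx 1.19.4 or later.

```nginx
# /etc/nginx/conf.d/00-default.conf (hypothetical file name)

# Do not reveal the Nginx version in the Server header or error pages.
server_tokens off;

# Catch-all for plain HTTP: a request whose Host header matches no
# configured server_name is dropped. Status 444 closes the connection
# without sending a response.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Catch-all for HTTPS: refuse the TLS handshake when the SNI name matches
# no configured server_name, so no certificate is served for unknown names.
# Assumption: Nginx 1.19.4 or later.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# Scenario 1 only: send plain-HTTP visitors of the source domain to HTTPS.
# Omit this block when the Scenario 2 port-80 server block for the same
# name is in use, because two blocks would then claim example.com on port 80.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
```

If the stock /etc/nginx/nginx.conf already declares a `default_server` on port 80, remove that parameter there first; `sudo nginx -t` reports a duplicate default server otherwise.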

FAQs

Does Alibaba Cloud DNS support port resolution?

How do I point a domain name to another site?