Set up a self-managed NGINX reverse proxy_Public Zone - Alibaba Cloud DNS

You can deploy NGINX on an Alibaba Cloud Elastic Compute Service (ECS) instance to implement URL forwarding, port proxying, and host multiple services. A self-hosted reverse proxy gives you full control over forwarding rules, supports the HTTPS protocol, and lets you consolidate multiple backend applications onto the standard ports 80/443. This approach overcomes the limitations of the built-in URL Forwarding in Alibaba Cloud DNS, which lacks HTTPS support and an SLA guarantee.

Use cases

Common business needs include:

URL redirection: Permanently redirect all traffic from an old domain name (for example, http://example.com) to a new one (for example, https://aliyun.com) due to business changes or a brand upgrade.
Port hiding and proxying: Serve a backend application running on a non-standard port (such as 3000) to the public through a standard domain name (such as http://example.com), while hiding the real port number.
Multi-service port sharing: Route traffic to multiple applications (e.g., an API service, web app, or static asset service) that listen on different ports on the same server, publishing them all on standard public ports 80/443 using distinct subdomains (e.g., api.example.com and www.example.com).

A self-managed NGINX reverse proxy can address these needs. It also provides HTTPS support and an SLA, which are not available with the URL Forwarding feature of Alibaba Cloud DNS.

How it works

NGINX acts as the traffic entry point and distribution hub. Workflow:

Client uses a domain name, triggering a recursive DNS query via a local DNS server. The Authoritative DNS Server returns NGINX's public IP address.
Client sends an HTTP/HTTPS request to NGINX's public IP.
NGINX receives the request. Using the Host header (domain name), it routes the request to the appropriate backend application.
The backend application processes the request and returns the response to NGINX, which then forwards it to the client.

In this architecture, NGINX acts as the sole public-facing entry point, hiding the real IP addresses and ports of your applications and unifying traffic management.

Procedure

These steps demonstrate the process on an ECS instance running Alibaba Cloud Linux 3.

Step 1: Prepare the ECS environment

Create an ECS instance. For instructions, see Create an instance on the Custom Launch tab in the ECS console and manage the instance.
- Image: Select Alibaba Cloud Linux 3.
- Network: Assign a public IP address.
To allow SSH remote access and web services, add an inbound rule for TCP traffic on ports 22, 80, and 443 in the instance's security group configuration.

Step 2: Install and start NGINX

Use an SSH client to log in to your ECS instance.
Run the following command to install NGINX.
```
sudo yum install -y nginx
```

Start NGINX and enable it to start on boot.

sudo systemctl start nginx
sudo systemctl enable nginx

Check the status of NGINX to confirm it is running correctly.
```
sudo systemctl status nginx
```
The status active (running) shows the service has started successfully.
Reload NGINX without dropping existing connections.
```
sudo systemctl reload nginx
```

Step 3: Configure NGINX for different use cases

By default, the core NGINX configuration is located at /etc/nginx/nginx.conf. However, the best practice is to create a separate .conf file for each site and place it in the /etc/nginx/conf.d/ directory. The following examples show configurations for different business use cases.

Use case 1: URL redirection (explicit forwarding)

This configuration redirects all requests for one domain name to another while updating the browser's address bar to the new domain. This is essential for scenarios like retiring old domains and launching new ones, including domain upgrades, brand website consolidations, or site migrations. While URL forwarding offers a functional alternative, it relies on a reverse proxy, lacks an SLA, and does not support HTTPS.

Permanent redirection from HTTP to HTTPS

Permanently redirect requests from http://example.com to https://aliyun.com.

Add the following content to the /etc/nginx/conf.d/redirect.conf file:

# Permanently redirect http://example.com to https://aliyun.com
server {
    listen 80;
    server_name example.com;
    
    # Use the return directive with a 301 status code for permanent redirection
    # The $request_uri variable preserves the original path and query string
    return 301 https://aliyun.com$request_uri;
}

Permanent redirection from HTTPS to HTTPS

This scenario requires a valid SSL certificate for the source domain.

Add the following content to the /etc/nginx/conf.d/ssl_redirect.conf file:

server {
    listen 443 ssl http2;
    server_name example.com;

    # Configure the SSL certificate and private key for the source domain
    ssl_certificate /etc/nginx/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    location / {
        return 301 https://aliyun.com$request_uri;
    }
}

Use case 2: Reverse proxy (implicit forwarding)

This configuration utilizes NGINX as a reverse proxy for backend services. When clients access the proxy domain, NGINX transparently serves content from the backend, keeping the source domain in the browser's address bar. This is ideal for distributors, brand resellers, or situations where backend services should remain hidden from direct customer access. While URL forwarding offers a functional alternative, it relies on a reverse proxy, lacks an SLA, and does not support HTTPS.

Add the following content to the /etc/nginx/conf.d/proxy.conf file:

# Proxy requests for example.com to aliyun.com
server {
    listen 80;
    server_name example.com;

    location / {
        # Forward the request to the target server
        proxy_pass http://aliyun.com;

        # Key configuration: Set the Host request header to the target service's domain
        proxy_set_header Host "aliyun.com";
        
        # Pass the client's real IP address for backend service logging and analysis
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Use case 3: Map a domain name to a specific port

This configuration lets you access an application running on a non-standard port (such as 3000) through the standard port 80. It solves the limitation that a DNS A record cannot specify a port.

Add the following content to the /etc/nginx/conf.d/port_mapping.conf file:

# Access the service on local port 3000 via example.com
server {
    listen 80;
    server_name example.com;

    location / {
        # Forward requests to port 3000 on the local machine (localhost)
        proxy_pass http://127.0.0.1:3000;

        # Pass the original Host request header so the backend application can identify the accessed domain name
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Use case 4: Multiple services sharing port 80

This configuration uses NGINX as a traffic distributor, routing requests to multiple backend applications running on the same server based on different domain names.

Add the following content to the /etc/nginx/conf.d/multi_service.conf file:

# API service, listening on local port 8080
server {
    listen 80;
    server_name api.example.com;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}

# Web application, listening on local port 7001
server {
    listen 80;
    server_name www.example.com;
    location / {
        proxy_pass http://127.0.0.1:7001;
        proxy_set_header Host $host;
    }
}

# Static resource service, listening on local port 9000
server {
    listen 80;
    server_name img.example.com;
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
    }
}

Step 4: Configure DNS resolution

After setting up and configuring your NGINX reverse proxy service, configure DNS resolution for the domains associated with your proxied services.

Have a domain name ready. If you do not have one, you can purchase one from Alibaba Cloud Domain Names. To host the website associated with your domain name in Chinese mainland, complete the ICP filing process in advance.
Get the public IP address of the ECS instance running the NGINX reverse proxy.
Go to Alibaba Cloud DNS - Public Zone and find your target domain name.
Add DNS records. Create an A record for each domain configured in NGINX (such as example.com and api.example.com), and point each A record to your ECS instance's public IP address.

Cost and operational considerations

Cost breakdown: The primary cost is the ECS instance hosting NGINX. The final cost depends on the instance type, region, and billing method. NGINX itself is open-source and free to use.
Risks and maintenance: You are responsible for maintaining a self-hosted reverse proxy. Key maintenance tasks include: regular OS and NGINX security patching, service health monitoring, and configuration file backups. Improper configuration or lack of maintenance can result in service disruptions or security vulnerabilities.
Production environment recommendations: For a production environment, we recommend implementing robust NGINX security configurations and establishing a comprehensive monitoring and log analysis system.