
Alibaba Cloud DNS: Use a self-hosted Nginx reverse proxy to forward HTTPS requests and hide ports

Last Updated: Dec 15, 2025

By deploying an Nginx reverse proxy on an Elastic Compute Service (ECS) instance, you can control request forwarding rules to support features such as URL forwarding for the HTTPS protocol and port proxying. This solution overcomes the limitations of Alibaba Cloud DNS, which does not support URL forwarding over HTTPS or allow you to configure DNS records to resolve to specific ports. For standard DNS resolution scenarios, you can add a DNS record.

Scenarios

The resolution configuration of Alibaba Cloud DNS has limitations in certain scenarios:

  • Protocol limitations: The URL forwarding feature of Alibaba Cloud DNS does not support forwarding requests from HTTPS to HTTPS. This causes client access to fail.

  • Port limitations: The standard DNS protocol specifies that a domain name can only be resolved to an IP address, not a specific port. If a backend application uses a non-standard port, such as 3000, users must manually add the port number to the URL to access the application, such as http://www.example.com:3000.

Solution architecture

  • Original path: A client initiates an access request using a domain name. A local DNS performs a recursive query to retrieve the IP address of the backend service. The client then directly accesses the backend service at that IP address.

  • New path: After you deploy a self-hosted Nginx reverse proxy, Nginx acts as the traffic entry point and forwards requests. The overall access path is as follows:

    1. A client initiates an access request using a domain name. A local DNS performs a recursive query. This query eventually retrieves the public IP address of the Nginx server from the authoritative DNS server.

    2. The client sends an HTTP/HTTPS request to this public IP address.

    3. The Nginx server receives the request. Nginx then uses forwarding rules in its configuration file to proxy the request to the correct backend application. These rules are based on the Host request header, which contains the domain name being accessed.

    4. The backend application processes the request and returns a response to Nginx. Nginx then delivers the final response to the client.

Implementation steps

This topic uses an Elastic Compute Service (ECS) instance that runs the Alibaba Cloud Linux 3 operating system as an example to show how to deploy and configure Nginx. If you have already deployed Nginx, you can skip to Step 3: Configure Nginx for different scenarios.

Step 1: Prepare the ECS environment

  1. Create an ECS instance. For more information, see Create an ECS instance using the wizard.

    • Operating system: Select Alibaba Cloud Linux 3.

    • Network: Ensure that a public IP address is allocated.

  2. In the security group configuration of the instance, add an inbound rule to allow traffic on TCP ports 22, 80, and 443. These ports are used for Secure Shell (SSH) remote connections and web services.

Step 2: Install and start Nginx

  1. Use an SSH client to log on to the ECS instance.

  2. Run the following command to install Nginx.

    sudo yum install -y nginx

  3. Start the Nginx service and set it to start on boot.

    sudo systemctl start nginx
    sudo systemctl enable nginx

  4. Check the status of the Nginx service to confirm that it is running.

    sudo systemctl status nginx

    If the status is active (running), the service started successfully.

  5. After you modify the Nginx configuration, run the following command to apply the changes. This command reloads the configuration without interrupting existing connections.

    sudo systemctl reload nginx

Step 3: Configure Nginx for different scenarios

The core Nginx configuration file is located at /etc/nginx/nginx.conf. However, a best practice is to create a separate .conf file for each site's configuration and store these files in the /etc/nginx/conf.d/ folder. The following sections provide configuration examples for different scenarios.

Scenario 1: URL forwarding for the HTTPS protocol

Alibaba Cloud DNS does not support URL forwarding from HTTPS to HTTPS because you cannot upload custom SSL certificates to the service. With a self-hosted Nginx instance, you can configure a valid SSL certificate for the source domain name and set up URL forwarding rules.

  • URL redirection (explicit forwarding)

    Permanently redirect access from https://example.com to https://aliyun.com. The browser's address bar changes to the redirected address. Add the following content to the /etc/nginx/conf.d/redirect.conf file:

    server {
        listen 443 ssl http2;
        server_name example.com;
    
        # Configure the SSL certificate and private key for the source domain name
        ssl_certificate /etc/nginx/certs/example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/example.com.key;
    
        location / {
            return 301 https://aliyun.com$request_uri;
        }
    }

  • Reverse proxy (implicit forwarding)

    Forward requests for the https://example.com site to the https://aliyun.com domain for processing. The address in the browser's address bar remains unchanged, but the content is provided by a different backend service. Add the following content to the /etc/nginx/conf.d/proxy.conf file:

    # Proxy access to example.com to aliyun.com
    server {
        listen 443 ssl http2;
        server_name example.com;
    
        # Configure the SSL certificate and private key for the source domain name
        ssl_certificate /etc/nginx/certs/example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/example.com.key;
    
        location / {
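            # Forward the request to the destination server over HTTPS
            proxy_pass https://aliyun.com;

            # Send the destination host name in the TLS handshake (SNI) so the destination presents the matching certificate
            proxy_ssl_server_name on;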
    
            # Key configuration: Set the Host request header to the domain name of the destination service to ensure the backend can process the request correctly.
            proxy_set_header Host "aliyun.com";
            
            # Pass the client's originating IP address for backend service logging and analysis.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    

Scenario 2: Resolve a domain name to a specific port

This configuration allows an application running on a non-standard port, such as 3000, to be accessed through the standard port 80. This resolves the issue that a DNS A record cannot specify a port. Add the following content to the /etc/nginx/conf.d/port_mapping.conf file:

# Access the service on local port 3000 through example.com
server {
    listen 80;
    server_name example.com;

    location / {
        # Forward the request to port 3000 on the local host (localhost)
        proxy_pass http://127.0.0.1:3000;

        # Pass the original Host request header so the backend application can identify the accessed domain name
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Step 4: Configure DNS resolution

After you deploy and configure the self-hosted Nginx reverse proxy service, you must configure DNS resolution for the proxied services and their associated domain names.

  1. Obtain a domain name. If you do not have a domain name, you can purchase one from Alibaba Cloud Domain Names. If the site associated with the domain name is deployed in the Chinese mainland, you must complete the ICP filing in advance.

  2. Obtain the public IP address of the server where the Nginx reverse proxy is deployed. In this example, this is the public IP address of the ECS instance.


  3. Go to Alibaba Cloud DNS - Public Zone and find the target domain name.

  4. Add or modify the DNS record.

    1. If you have not previously configured a DNS record, add a DNS record. Create an A record for each domain name that is configured in Nginx, such as example.com, and point the record to the public IP address of the ECS instance.

    2. If a DNS record already exists, change its value to the public IP address of the Nginx server. Note: After you modify a DNS record, it may take 5 to 10 minutes for the change to take effect.


Costs and risks

  • Cost components: The main cost is for the ECS instance that is required to run Nginx. The cost depends on the instance type, region, and billing method that you choose. Nginx is open-source software and is free to use.

  • Risks and maintenance: You are responsible for the operations and maintenance (O&M) of a self-hosted reverse proxy service. This includes regularly updating the operating system and Nginx security patches, monitoring service health, and backing up configuration files. Improper configuration or a lack of maintenance can lead to service interruptions or introduce security vulnerabilities.

  • Production environment recommendations: For a production environment, we recommend that you strengthen the Nginx security configuration and establish a monitoring and log analysis system.
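
The following configuration is an added example, not part of the original page. It shows one way to harden the Scenario 1 reverse proxy in line with the production recommendation above: requests with an unknown Host header are rejected, port 80 redirects to HTTPS, and the destination's certificate is verified. The file name, the CA bundle path, and the absence of another default_server block are assumptions.

```nginx
# Added example, not from the original page. Assumed file name:
# /etc/nginx/conf.d/proxy_hardened.conf, used in place of proxy.conf.

# Catch-all: a request whose Host header or SNI matches no configured
# site is dropped instead of being served by the first server block.
# Assumes no other block already declares default_server on these ports.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # requires nginx 1.19.4 or later
    return 444;                # close the connection without a response
}

# Port 80 is open in the security group: upgrade plain HTTP to HTTPS.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    server_tokens       off;   # do not advertise the nginx version

    location / {
        proxy_pass https://aliyun.com;
        proxy_set_header Host "aliyun.com";

        # Send SNI and verify the destination certificate; nginx does
        # not verify upstream certificates unless told to.
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;   # raise if the chain is longer
        # Assumed CA bundle path for a RHEL-compatible system
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `sudo nginx -t` to validate the file before you run `sudo systemctl reload nginx`.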

FAQ

Does Alibaba Cloud DNS support port resolution?

How do I point a domain name to another site?