Nginx Reverse Proxy and Load Balancer for Production
Nginx is a very popular web server that is often used as a reverse proxy and load balancer. This article covers Nginx configuration for a production environment.
What Is a Reverse Proxy?
A reverse proxy is a server that sits in front of the backend servers and forwards requests from clients to them. Its benefits:
- Security: hides the backend servers from the public
- SSL termination: handles HTTPS in one place
- Caching: caches responses for better performance
- Load balancing: distributes traffic across multiple servers
Installing Nginx
Ubuntu/Debian
sudo apt update
sudo apt install nginx
sudo systemctl start nginx
sudo systemctl enable nginx
CentOS/RHEL
sudo yum install epel-release
sudo yum install nginx
sudo systemctl start nginx
Verification
nginx -v
sudo nginx -t # Test the configuration
Basic Reverse Proxy Configuration
Single Backend Server
# /etc/nginx/sites-available/myapp
server {
    listen 80;
    server_name myapp.com www.myapp.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
Enable the configuration:
sudo ln -s /etc/nginx/sites-available/myapp /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Multiple Locations
server {
    listen 80;
    server_name api.myapp.com;

    # API routes
    location /api/ {
        proxy_pass http://localhost:3000/;
    }

    # Static files
    location /static/ {
        alias /var/www/static/;
        expires 30d;
    }

    # WebSocket
    location /ws/ {
        proxy_pass http://localhost:3001/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Load Balancing
Round Robin (Default)
upstream backend {
    server 192.168.1.10:3000;
    server 192.168.1.11:3000;
    server 192.168.1.12:3000;
}

server {
    listen 80;
    server_name myapp.com;

    location / {
        proxy_pass http://backend;
    }
}
Weighted Load Balancing
upstream backend {
    server 192.168.1.10:3000 weight=5; # weight 5 of 10 total: about half of the traffic
    server 192.168.1.11:3000 weight=3;
    server 192.168.1.12:3000 weight=2;
}
Least Connections
upstream backend {
    least_conn;
    server 192.168.1.10:3000;
    server 192.168.1.11:3000;
    server 192.168.1.12:3000;
}
IP Hash (Sticky Sessions)
upstream backend {
    ip_hash;
    server 192.168.1.10:3000;
    server 192.168.1.11:3000;
    server 192.168.1.12:3000;
}
Health Checks
upstream backend {
    server 192.168.1.10:3000 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:3000 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:3000 backup; # Used only when the other servers are down
}
SSL/HTTPS with Let’s Encrypt
Install Certbot
sudo apt install certbot python3-certbot-nginx
Generate Certificate
sudo certbot --nginx -d myapp.com -d www.myapp.com
Manual SSL Configuration
server {
    listen 80;
    server_name myapp.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name myapp.com;

    ssl_certificate /etc/letsencrypt/live/myapp.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp.com/privkey.pem;

    # SSL Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://backend;
    }
}
Caching
# Define the cache zone
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m;

server {
    listen 80;
    server_name myapp.com;

    location / {
        proxy_pass http://backend;
        proxy_cache my_cache;
        proxy_cache_valid 200 60m;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout updating;
        add_header X-Cache-Status $upstream_cache_status;
    }

    # Bypass the cache for dynamic content
    location /api/ {
        proxy_pass http://backend;
        proxy_cache_bypass $http_authorization;
    }
}
Rate Limiting
# Define the limit zones
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

server {
    listen 80;
    server_name api.myapp.com;

    location /api/ {
        limit_req zone=api_limit burst=20 nodelay;
        limit_conn conn_limit 10;
        proxy_pass http://backend;
    }
}
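What `rate=10r/s` with `burst=20 nodelay` lets a single client through, as an added example that is not part of the original article: a single-key model of the accounting done by nginx's limit_req module. The function name and the arrival times (in milliseconds) are assumptions made for the illustration.

```python
def simulate_limit_req(arrivals_ms, rate_per_s=10, burst=20):
    """Return one bool per request (True = passed on, False = rejected).

    Models limit_req with nodelay for one client key. nginx tracks an
    "excess" counter in units of 1/1000 request: it drains at `rate`
    while the client is idle and grows by one request per arrival.
    """
    rate = rate_per_s * 1000          # thousandths of a request per second
    limit = burst * 1000
    excess = last = None              # no state until the first request
    results = []
    for now in arrivals_ms:
        if last is None:
            new_excess = 0            # first request from this key
        else:
            elapsed = max(now - last, 0)
            new_excess = max(excess - rate * elapsed // 1000 + 1000, 0)
        if new_excess > limit:
            results.append(False)     # rejected (HTTP 503 by default)
            continue                  # rejected requests do not update state
        excess, last = new_excess, now
        results.append(True)
    return results


if __name__ == "__main__":
    # Constructed traffic: 30 requests at once, then 15 more a second later.
    outcome = simulate_limit_req([0] * 30 + [1000] * 15)
    print("instant burst passed:", outcome[:30].count(True))   # burst + 1
    print("one second later passed:", outcome[30:].count(True))
```

The burst allowance is refilled only at the configured rate, so a client that has used it up is held to 10 requests per second afterwards.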
Gzip Compression
http {
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types
        text/plain
        text/css
        text/xml
        application/json
        application/javascript
        application/xml
        image/svg+xml;
}
Security Headers
server {
    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self'" always;

    # Hide Nginx version
    server_tokens off;
}
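nginx inherits `add_header` from the enclosing level only when the current level defines none of its own, so a location that sets `X-Cache-Status` (as in the Caching section) stops sending these server-level security headers. The check below is an added example, not part of the original article: a small lint with a simplified tokenizer (no `include` handling), where the function name and the sample config are constructed for the illustration.

```python
import re

# Quoted strings first so a ';' inside "1; mode=block" is not a terminator.
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|#[^\n]*|[;{}]|[^\s;{}]+''')

def lost_headers(conf):
    """Map each block to the inherited add_header names it silently drops."""
    blocks = [{"name": "main", "parent": None, "headers": []}]
    cur, words = 0, []
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue                                  # comment
        if tok == "{":
            blocks.append({"name": " ".join(words), "parent": cur, "headers": []})
            cur, words = len(blocks) - 1, []
        elif tok == "}":
            cur, words = blocks[cur]["parent"], []
        elif tok == ";":
            if words[:1] == ["add_header"] and len(words) >= 3:
                blocks[cur]["headers"].append(words[1])
            words = []
        else:
            words.append(tok)
    report = {}
    for block in blocks:
        if not block["headers"]:
            continue                                  # inherits everything
        parent = block["parent"]
        while parent is not None and not blocks[parent]["headers"]:
            parent = blocks[parent]["parent"]         # nearest level that sets headers
        if parent is not None:
            missing = [h for h in blocks[parent]["headers"] if h not in block["headers"]]
            if missing:
                report[block["name"]] = missing
    return report

# Constructed sample combining the page's security headers and cache header.
SAMPLE_CONF = """
server {
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;   # quoted ';'
    add_header Content-Security-Policy "default-src 'self'" always;
    location / {
        proxy_pass http://backend;
        add_header X-Cache-Status $upstream_cache_status;
    }
    location /api/ { proxy_pass http://backend; }
}
"""
```

Any location reported here needs the security headers repeated inside it, or moved into a snippet that each such location includes.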
Monitoring and Logging
# Custom log format
log_format detailed '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    'rt=$request_time uct=$upstream_connect_time '
                    'uht=$upstream_header_time urt=$upstream_response_time';

server {
    access_log /var/log/nginx/myapp_access.log detailed;
    error_log /var/log/nginx/myapp_error.log warn;
}
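A parser for the `detailed` format above, as an added example that is not part of the original article: it flags clients whose requests nginx answered with 503 without contacting an upstream (the default response of `limit_req` and `limit_conn`) and requests with slow upstream responses. The function names, thresholds and log lines are constructed for the illustration.

```python
import re
from collections import Counter

# Mirrors the `detailed` log_format field by field.
LINE_RE = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'rt=(?P<rt>\S+) uct=(?P<uct>.+?) uht=(?P<uht>.+?) urt=(?P<urt>.+)$'
)

def upstream_seconds(value):
    """Sum an $upstream_*_time value. nginx writes '-' when no upstream was
    contacted and separates several attempts with commas or colons."""
    parts = [p.strip() for p in re.split(r"[,:]", value)]
    nums = [float(p) for p in parts if p not in ("", "-")]
    return sum(nums) if nums else None

def analyze(lines, slow=1.0, reject_threshold=3):
    """Return ({ip: rejected_count}, [(ip, request, upstream_seconds)])."""
    rejected, slow_requests = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not in the detailed format
        urt = upstream_seconds(m["urt"])
        if m["status"] == "503" and urt is None:
            rejected[m["addr"]] += 1      # answered by nginx itself
        elif urt is not None and urt >= slow:
            slow_requests.append((m["addr"], m["request"], urt))
    noisy = {ip: n for ip, n in rejected.items() if n >= reject_threshold}
    return noisy, slow_requests

def _line(addr, req, status, rt, uct, uht, urt):
    # Builds one constructed log line in the detailed format.
    return (f'{addr} - - [12/Mar/2025:10:00:01 +0000] "{req}" {status} 197 '
            f'"-" "curl/8.5.0" rt={rt} uct={uct} uht={uht} urt={urt}')

SAMPLE = [
    _line("203.0.113.7", "GET /api/items HTTP/1.1", 200, "0.012", "0.001", "0.011", "0.011"),
    *[_line("198.51.100.9", "GET /api/items HTTP/1.1", 503, "0.000", "-", "-", "-")] * 3,
    _line("203.0.113.7", "POST /api/report HTTP/1.1", 200, "2.304",
          "0.001, 0.002", "1.100, 1.200", "1.100, 1.200"),   # retried on a second server
]
```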
Production Tips
- Always test the configuration before reloading: nginx -t
- Use SSL/HTTPS for all traffic
- Set up monitoring with tools such as Prometheus
- Back up the configuration regularly
- Update Nginx regularly to pick up security patches
Conclusion
Nginx is a very powerful tool for production deployments. With the right configuration, you get:
- High availability through load balancing
- Security through SSL and headers
- Performance through caching and compression