Nginx Config Examples

For those of you who use Nginx as a reverse proxy or load balancer, you may find these configuration files useful:

Here’s the example main Nginx config I use for load balancing TCP/UDP connections:

nginx.conf

# Main (global) context: settings that apply to the whole Nginx instance.
user             nginx;                          # account the worker processes run as
worker_processes 4;
pid              /var/run/nginx.pid;
error_log        /var/log/nginx/error.log warn;  # record "warn" severity and above

# Connection handling: upper bound on simultaneous connections per worker.
events {
    worker_connections 1024;
}


# HTTP context: defaults shared by every virtual host pulled in from conf.d.
http {
    # Content types
    include      /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Transfer tuning
    sendfile          on;
    keepalive_timeout 65;
    #tcp_nopush on;
    #gzip on;

    # Access logging. The "main" format has to be declared before the
    # access_log line (and before any included file) that refers to it.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # Per-site configuration (for example the logs.example.conf shown further down).
    include /etc/nginx/conf.d/*.conf;
}

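# To load balance TCP and UDP connections we use the "stream" module that is
# part of Nginx's open source offering. This block lives at the top level of
# nginx.conf, next to http {}, not inside it.
#
# Things to check before reusing this:
#  - None of the listeners below limit who may connect. Add allow/deny rules
#    (ngx_stream_access_module) or firewall these ports so that only known
#    log sources can reach them.
#  - No listener here enables TLS, so log data crosses the proxy in plaintext.
#  - Graylog receives the connection from this proxy, so the sender's address
#    it records is likely the proxy's, not the original host's. Verify what
#    your inputs record before relying on that field.
stream {

  # Upstream: three Graylog nodes running a Syslog input.
  upstream graylog_syslog {
    server logs00.example.com:1514 max_fails=3 fail_timeout=30s;
    server logs01.example.com:1514 max_fails=3 fail_timeout=30s;
    server logs02.example.com:1514 max_fails=3 fail_timeout=30s;
  }

  # Upstream: three Graylog nodes running a GELF input.
  upstream graylog_gelf {
    server logs00.example.com:12201 max_fails=3 fail_timeout=30s;
    server logs01.example.com:12201 max_fails=3 fail_timeout=30s;
    server logs02.example.com:12201 max_fails=3 fail_timeout=30s;
  }

  # Upstream: three Graylog nodes running a Beats input.
  upstream graylog_beats {
    server logs00.example.com:5044 max_fails=3 fail_timeout=30s;
    server logs01.example.com:5044 max_fails=3 fail_timeout=30s;
    server logs02.example.com:5044 max_fails=3 fail_timeout=30s;
  }

  # Syslog over UDP: listen on 1514/udp.
  server {
    listen 1514 udp;
    proxy_pass graylog_syslog;
    proxy_timeout 1s;
    # Syslog over UDP is one-way: tell Nginx that no reply datagram is
    # expected, so it does not treat the missing reply as something to wait for.
    proxy_responses 0;
    error_log /var/log/nginx/graylog_syslog_udp.log;
  }

  # Syslog over TCP: listen on 1514/tcp.
  server {
    listen 1514;
    proxy_pass graylog_syslog;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_syslog_tcp.log;
  }

  # GELF over TCP: listen on 12201/tcp.
  server {
    listen 12201;
    proxy_pass graylog_gelf;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_gelf.log;
  }

  # GELF over UDP: listen on 12201/udp.
  # NOTE(review): chunked GELF messages presumably need all chunks to reach the
  # same Graylog node; the 10s session timeout is kept as in the original and
  # proxy_responses is deliberately not set here. Confirm against your senders.
  server {
    listen 12201 udp;
    proxy_pass graylog_gelf;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_gelf.log;
  }

  # Beats over TCP: listen on 5044/tcp.
  server {
    listen 5044;
    proxy_pass graylog_beats;
    proxy_timeout 10s;
    error_log /var/log/nginx/graylog_beats.log;
  }

}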

Here’s a more specific config that I use for load balancing connections to the UI/API:

logs.example.conf
# Upstream pool for the Graylog web UI / API: three nodes on port 9000.
# max_fails / fail_timeout: after 3 failed attempts within 30s a node is
# considered unavailable for the next 30s.
upstream graylog {
  server  logs00.example.com:9000  max_fails=3  fail_timeout=30s;
  server  logs01.example.com:9000  max_fails=3  fail_timeout=30s;
  server  logs02.example.com:9000  max_fails=3  fail_timeout=30s;
}

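# Plain-HTTP listener: its only job is to redirect every request to HTTPS.
server {
  listen *:80;
  server_name           logs.example.com;

  access_log            /var/log/nginx/logs.example.com.access.log combined;
  error_log             /var/log/nginx/logs.example.com.error.log;

  # Redirect to the configured name rather than $host. $host is taken from the
  # request's Host header, so if this server ever answers for other names
  # (for example as the default server on port 80) the redirect target would
  # follow whatever the client sent.
  return 301            https://$server_name$request_uri;
}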

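# HTTPS listener: terminates TLS and proxies the Graylog UI/API to the
# "graylog" upstream.
server {
  listen       *:443 ssl;
  server_name  logs.example.com;

  ssl_certificate           /etc/nginx/ssl/fullchain.pem;
  ssl_certificate_key       /etc/nginx/ssl/privkey.pem;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  # TLS 1.2 only, as in the original. Add TLSv1.3 here if your Nginx/OpenSSL
  # build supports it.
  ssl_protocols             TLSv1.2;
  # Cipher list reduced to the forward-secret AEAD suites that headed the
  # original list. The 3DES (DES-CBC3), CBC-mode and static-RSA suites were
  # dropped; very old clients that only offer those will no longer connect.
  ssl_ciphers               ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

  ssl_prefer_server_ciphers on;

  index  index.html index.htm index.php;

  access_log /var/log/nginx/ssl-logs.example.com.access.log combined;
  error_log  /var/log/nginx/ssl-logs.example.com.error.log;

  location / {
    # CORS review note: "Access-Control-Allow-Origin *" lets a page from any
    # origin read responses from this UI/API in a user's browser, and the
    # preflight below also permits the Authorization header. If cross-origin
    # access is really needed, replace * with the specific origin(s);
    # otherwise remove these CORS headers.

    # Simple requests. The pattern is anchored so that only the exact methods
    # GET and POST match, not any method name that merely contains them.
    if ($request_method ~ "^(GET|POST)$") {
      add_header "Access-Control-Allow-Origin"  *;
    }

    # Preflighted requests: answered by Nginx itself, never sent upstream.
    if ($request_method = OPTIONS ) {
      add_header "Access-Control-Allow-Origin"  *;
      add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
      add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
      return 200;
    }

    # The upstream is reached over HTTPS, but Nginx does not verify the
    # upstream certificate unless proxy_ssl_verify is turned on and
    # proxy_ssl_trusted_certificate points at the CA that issued it.
    proxy_pass https://graylog;
    proxy_redirect https://graylog:443/api /api;
    proxy_read_timeout 90;
    proxy_connect_timeout 90;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Tells Graylog the external URL it is being served under.
    proxy_set_header X-Graylog-Server-URL https://$server_name/;
  }
}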

Cheers!



@hollowdew

Hey, this is some awesome stuff and it works great. I tried what you posted a couple of times, but I was wondering if you could start your own post(s) under
Nginx Config Examples. For example, call one “Redirect specific source IPs”.

This would help others and make it easier for future searching. Thanks :smiley:

Hello @gsmith ,
thank you :slight_smile:
I created a new topic for this: Redirect specific source ip’s
Should I delete my messages in this thread here?

You can since you made a new post of the same thing.