Reverse proxy APEX with Nginx

October 22, 2010  |  apex, linux, security

Today i’ll describe how easy is to use Nginx as a reverse proxy for APEX applications, providing a layer of security by not exposing the APEX database server.

Nginx (pronounced “engine X”) is a lightweight, high-performance Web server/reverse proxy and e-mail (IMAP/POP3) proxy, licensed under a BSD-like license.

It is stable, secure and very easy to configure, as you later can read at this Linux Journal article. However, the main advantages of Nginx over Apache are performance and efficiency.

As you probably know layering traffic with a DMZ is a well know and advised security measure to secure application and database servers. You an read more about it in my DMZ post i wrote some months ago.

The APEX server should be at the intranet layer and it only would accept http or https connections from an Nginx HTTP Server that would be in the firewalled DMZ.

I recommend using Nginx instead of Apache because Nginx is much more stable, reliable and it’s a very low resource demanding http server.  To reverse proxy traffic with Nginx, you can follow these steps:

1. Install Nginx. It’s pretty straightforward… You can read more about it at this link .

2. Create a file named /etc/nginx/reverse_proxy.conf that will contain the proxy default definitions. This file will be included every time on every location or site that we want reverse proxy settings. The content has the following lines:

...
 proxy_redirect  off;
 proxy_set_header   Host             $http_host;
 proxy_set_header   X-Real-IP        $remote_addr;
 proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
 proxy_max_temp_file_size 0;

 client_max_body_size       10m;
 client_body_buffer_size    128k;

 proxy_connect_timeout      90;
 proxy_send_timeout         90;
 proxy_read_timeout         90;

 proxy_buffer_size          4k;
 proxy_buffers              4 32k;
 proxy_busy_buffers_size    64k;
 proxy_temp_file_write_size 64k;

3. Edit your site configuration to make it look like this:

server {
 server_name  mysite.com;

 access_log  /var/log/nginx/rproxy.access.log;
 error_log   /var/log/nginx/rproxy.error.log;
 listen 80;
 keepalive_timeout    70;

 location / {
 root   /var/www/html;
 index  index.html index.htm;
 }
# reverse proxying /apex location
 location /apex {
 proxy_pass         http://myapexserver:8080/apex;
 include /etc/nginx/reverse_proxy.conf;
 }
# reverse proxying /i location
 location /i/ {
 proxy_pass         http://myapexserver:8080/i/;
 include /etc/nginx/reverse_proxy.conf;
# cache settings
 proxy_cache my-cache;
 proxy_cache_key $scheme$proxy_host$uri;
 proxy_cache_valid  200 302 304 10m;
 proxy_cache_valid  301 1h;
 proxy_cache_valid  any 12h;
 }
}
...

These statements say to NGINX that whenever It receives a call to a Location started with “/apex” then it must redirect the call to the host “myapexserver”. The same also happens to the images Location “/i”

If you have any doubts or problems using Nginx with APEX please feel free to ask any question about it… I’ll surely try to help you guys!

Regards

joao


13 Comments


  1. I’ve been looking at moving off Apache as a reverse proxy for a while now. I considered squid, but it didn’t seem to have such good regular expression support. Just touched on Nginx a couple weeks back, so thanks a lot for this APEX specific introduction!

    Does Nginx have something like ProxyPassMatch?

    Also, Apache doesn’t seem to do a good job of manipulating requests down to the query string level in order to rewrite a URL from say http://server/f?p=app:page:session to http://server/app/page/session. Can you do this with Nginx?

    The best I could come up with using Apache was to use RewriteCond and RewriteRule to restrict some access to pages/applications, but the URL’s are still fairly horrible.

    • Hi,

      I’m not nginx expert… what i know is that nginx does not have old style mod_rewrite rules.
      did you take a look at nginx forums?

      regards
      Joao

  2. Hello Sam/Joao,

    I might be missing something, so le me ask: why is better regexp support needed here? Does APEX encounter problems under the current Nginx supported proxying as described here?

    Cheers,
    Jay

    • Hi Jay,

      What do you mean with better regexp support?
      With NGINX i havent problems that I have with Apache proxying sometimes. I have nginx servers running with +300 days uptime.

      Regards
      Joao

      • I found Apache to be perfectly stable as long as you don’t use the Apache 1.3 based OHS (version 10.1.3.1) on the APEX server. Problem then is caused by the Apache reverse proxy trying to use HTTP 1.1 to talk to the ancient APEX Apache and you get random 502 errors. If you use “SetEnv force-proxy-request-1.0 1” and “SetEnv proxy-nokeepalive 1” directives in the virtual host or just install OHS 10.1.3.3 (Apache 2 based), that problem goes away.

        I suspect the only reason nginx works more reliably for you is that it doesn’t support HTTP1.1 proxy yet. Watch out for 502 errors if/when they add this feature!

    • Sorry for taking a while to respond, just revisiting nginx now.

      We use ProxyPassMatch in Apache to proxy some pages to APEX. Eg.
      ProxyPassMatch ^/dyn-stat/([fw].*)$ http://apexserver:7780/apex/$1
      ProxyPassReverse /dyn-stat/ http://apexserver:7780/apex/

      There’s a crude example of something that can serve content starting with /dyn-stat/f* or /dyn-stat/w* from apex and all else as static files located at /dyn-stat. I was just wondering how nginx might support similar and possibly more complex behaviour?

  3. Thanks for the nice tutorial. It works great.

    do you have a solution as I can use more than one apex server. I always fail at the image directory.

    thanks in advance

  4. Hello,
    Reply after 3 years :).
    > If you have any doubts or problems using Nginx with APEX.

    Is there an option to rewrite APEX URL with Nginx and use it with glassfish server ?

    Regards,

Leave a Reply