How Nginx Works

Let’s dive into the basics of how Nginx works and how to deploy websites using VPCs. Reference: Deploying a Static Website to Digital Ocean

From Wikipedia

Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Russian developer Igor Sysoev and publicly released in 2004. Nginx is free and open-source software, released under the terms of the 2-clause BSD license.

To start, I’ve created a DigitalOcean Droplet. A droplet is a virtual private server (VPS), like a computer you rent from DigitalOcean to run websites, apps, or other projects. It has its own memory, storage, and processing power, just like a physical computer, but it’s hosted in the cloud. You can use it to host multiple websites, run applications, or store files, and you have full control over its setup and management.

Once you create a droplet, you can access a terminal, like a Linux one. Inside this terminal, the magic happens. First, it is good practice to make some security configurations in the droplet, so let’s dive into this very quickly.

  1. Public Network
    • The public network on your Droplet allows it to be accessed from the internet using its public IP address. You use this public IP address when you want to access your Droplet (e.g., to visit your website or connect via SSH). It’s the outward-facing connection that anyone with internet access can use to interact with your Droplet, provided you allow it via your firewall settings.
    • For example, if you have a website hosted on your Droplet, visitors reach it via the public network using HTTP (port 80) or HTTPS (port 443).
  2. Private Network
    • A private network is an internal connection that only works between Droplets or resources in the same Virtual Private Cloud (VPC) network on DigitalOcean. It allows secure communication between your servers without exposing traffic to the public internet.
    • For instance, if multiple Droplets work together (like a web server and a database server), they can communicate privately through their private IP addresses, which are only accessible to other Droplets within the same VPC. This ensures better security and faster internal communication.
    • Key point: Only other members of the same VPC can access your Droplet using its private IP address, ensuring privacy and security for internal data transfers.
  3. Firewalls
    • A firewall controls what kind of traffic is allowed in or out of your Droplet. You can configure it to permit or block specific types of traffic based on their source, destination, and protocol (e.g., SSH, HTTP). This helps protect your Droplet from unwanted access or attacks.
    • Inbound Firewall: The inbound rules define which traffic is allowed into your Droplet from the Internet or other networks.
      • SSH (TCP, Port 22): This allows you to connect to your Droplet via SSH (secure shell) from any IPv4 or IPv6 address. SSH is used to manage your server remotely.
      • HTTP (TCP, Port 80): This allows anyone online to visit websites hosted on your Droplet using standard HTTP (unsecured) connections.
      • HTTPS (TCP, Port 443): This allows anyone to access your Droplet over a secure, encrypted HTTPS connection, typically for secure websites.
      • These rules ensure that you can manage your Droplet via SSH and that web traffic (HTTP/HTTPS) can reach your Droplet to access websites or applications.
    • Outbound Firewall: The outbound firewall rules control what traffic is allowed out of your Droplet, meaning what your Droplet can send to other devices or servers.
      • ICMP (All IPv4, All IPv6): ICMP is used for things like ping, which checks if a connection to another server is working. This rule allows your Droplet to send ICMP messages that are useful for network diagnostics.
      • All TCP (All ports, All IPv4, All IPv6): This rule allows your Droplet to send out any TCP traffic to any IP address on any port. TCP is used for most internet communication, including web requests, SSH, and database connections.
      • All UDP (All ports, All IPv4, All IPv6): This rule allows your Droplet to send out any UDP traffic. UDP is used for certain types of communication, like DNS lookups or streaming data, which do not require the reliability of TCP.

Please follow the security instructions provided at Deploying a Static Website to Digital Ocean. Those videos are amazing and totally worth watching.


How Nginx Works

Nginx is a high-performance web server that can function as a reverse proxy, load balancer, and HTTP cache. Unlike traditional web servers that handle one request per process, Nginx uses an event-driven, asynchronous architecture, which allows it to handle multiple requests in a single thread. This makes Nginx highly efficient, scalable, and ideal for handling large web traffic.

Nginx processes incoming client requests (e.g., visiting a website) and responds by serving static files (like HTML, CSS, or JavaScript) or forwarding the request to an application server (for dynamic content, such as PHP or Python). Additionally, Nginx can act as a reverse proxy, meaning it forwards client requests to other servers and sends the response back to the client, all while masking the underlying infrastructure.


Deploying Multiple Websites and Subdomains with Nginx

That’s what motivated me to write this simple post: I was trying to deploy three websites with different domains using the same droplet + Nginx.


One of Nginx’s strengths is its ability to host multiple websites and subdomains on the same server, a technique known as virtual hosting. Virtual hosting allows you to use a single server to serve multiple domains or subdomains, saving costs and simplifying management.

There are two main types of virtual hosting in Nginx:

  1. Name-based virtual hosting: This is the most common type, where different domain names (e.g., example.com, anotherdomain.com) point to the same server IP address, and Nginx distinguishes between them using the server_name directive in the configuration.
  2. Port-based or IP-based virtual hosting: Here, different domains are served from different IP addresses or ports, though this is less common than name-based hosting.


Steps to Deploy Multiple Websites and Subdomains:

DNS Configuration: First, ensure that your domain names and subdomains (e.g., example.com, sub.example.com) are correctly configured to point to the public IP address of your DigitalOcean Droplet. You can do this through your domain registrar or DNS provider. In my case, I need to log into my Cloudflare account and follow these steps:

  1. Go to the DNS tab in Cloudflare for each domain.
  2. Add an A record for each domain pointing to the IP address of your DigitalOcean droplet:
    • Name: @ (root domain) or www if you want to configure a subdomain.
    • Type: A
    • Content: The IP address of your DigitalOcean droplet.
  3. Repeat for all domains, ensuring they all point to the same droplet IP.

Nginx Server Blocks: Nginx uses server blocks (similar to Apache’s virtual hosts) to manage multiple websites on one server. Each block specifies the domain, root directory, and other settings required to serve a particular site.

Server Block Example: To deploy multiple sites, you’ll need separate configuration files for each site in Nginx. Here’s an example of a server block for a website:

server {
    listen 80;
    server_name example.com www.example.com;
    
    root /var/www/example.com/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

You can create similar blocks for each domain or subdomain (e.g., anotherdomain.com, sub.example.com), pointing each to its specific directory.

SSL for HTTPS: If you want to enable HTTPS for your sites, you will need to install SSL certificates for each domain or subdomain. You can use Let’s Encrypt to get free SSL certificates. More specifically, I just configured this using Certbot.


sites-available and sites-enabled

Nginx uses two directories, sites-available and sites-enabled, to manage configuration files for different websites:

  • sites-available: This directory contains all the configuration files available for the websites you want to serve. Each file in this directory represents a configuration for a specific website or subdomain.
  • sites-enabled: This directory contains symbolic links to the active configuration files. When you create a new website, you place its configuration in sites-available and then create a symbolic link in sites-enabled to activate it.
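
The server-block and sites-available/sites-enabled steps above, put together as an added example (not code from the original post). The function names, the NGINX_ROOT and WEB_ROOT variables and the 00-catch-all file name are assumptions made for illustration; it also adds a catch-all default server, which goes beyond the post, so that requests for hostnames you did not configure are not served by one of your sites.

```shell
# Added example. NGINX_ROOT/WEB_ROOT default to a scratch directory (an
# assumption), so a trial run never touches a live server.
NGINX_ROOT="${NGINX_ROOT:-$(mktemp -d)}"
WEB_ROOT="${WEB_ROOT:-$NGINX_ROOT/www}"

# add_site DOMAIN: write the post's server block for DOMAIN and enable it.
add_site() {
    domain="$1"
    # Reject anything that is not a plain lowercase hostname, so the value
    # cannot leave the directory or inject directives into the file.
    case "$domain" in
        ''|*[!a-z0-9.-]*|.*|-*|*..*) echo "invalid domain: $domain" >&2; return 1 ;;
    esac
    mkdir -p "$NGINX_ROOT/sites-available" "$NGINX_ROOT/sites-enabled" \
        "$WEB_ROOT/$domain/html"
    cat > "$NGINX_ROOT/sites-available/$domain" <<EOF
server {
    listen 80;
    server_name $domain www.$domain;
    root $WEB_ROOT/$domain/html;
    index index.html;
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
    ln -sf "$NGINX_ROOT/sites-available/$domain" "$NGINX_ROOT/sites-enabled/$domain"
}

# add_catch_all: a Host header matching no server_name is answered by the
# default server (the first one loaded unless default_server is set);
# this block takes that role and closes the connection (444).
add_catch_all() {
    mkdir -p "$NGINX_ROOT/sites-available" "$NGINX_ROOT/sites-enabled"
    cat > "$NGINX_ROOT/sites-available/00-catch-all" <<'EOF'
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
EOF
    ln -sf "$NGINX_ROOT/sites-available/00-catch-all" "$NGINX_ROOT/sites-enabled/00-catch-all"
}

# enabled_sites: print enabled site names, skipping dangling symlinks.
enabled_sites() {
    for link in "$NGINX_ROOT"/sites-enabled/*; do
        if [ -e "$link" ]; then basename "$link"; fi
    done
}
```

On the Droplet, set NGINX_ROOT=/etc/nginx and WEB_ROOT=/var/www (the usual Debian/Ubuntu layout, assumed here), call add_catch_all and add_site once per domain, then run nginx -t before reloading Nginx.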


Role of Cloudflare with Nginx and Droplets


Cloudflare is a Content Delivery Network (CDN) and security service that helps protect and accelerate your website. When combined with Nginx on a DigitalOcean Droplet, Cloudflare adds several benefits:

  1. DNS Management: Cloudflare can act as your DNS provider, allowing you to manage DNS records for your domains and subdomains. This makes pointing your domain to your Droplet’s IP address easier.
  2. SSL/TLS Encryption: Cloudflare provides free SSL certificates and manages the encryption between users and Cloudflare’s servers. You can use Cloudflare’s Flexible SSL mode (where Cloudflare handles the HTTPS requests and forwards them to your Droplet via HTTP) or Full SSL mode (where traffic between Cloudflare and your Droplet is also encrypted).
  3. Caching and Performance: Cloudflare caches static content from your websites (like images, CSS, and JavaScript) on its edge servers worldwide, reducing the load on your Nginx server and speeding up delivery to users.
  4. DDoS Protection: Cloudflare protects your Droplet from Distributed Denial of Service (DDoS) attacks by filtering malicious traffic before it even reaches your server.
  5. Firewall and Security Rules: Cloudflare adds an extra layer of security by allowing you to configure firewall rules, block specific IP addresses, or challenge suspicious visitors with CAPTCHAs.


How Cloudflare Fits with Nginx:

  • After configuring your websites in Nginx, you can enable Cloudflare by updating the DNS settings for your domains in the Cloudflare dashboard to point to your Droplet’s IP address.
  • Once Cloudflare is active, traffic to your websites will first go through Cloudflare’s network, which helps filter and accelerate requests before they reach your Nginx server.

I hope this proves to be helpful to someone other than just me!

✧⁺⸜(^-^)⸝⁺✧
