How to configure nginx reverse proxy on centos stream 9

Configure an Nginx reverse proxy on CentOS safely and predictably. A reverse proxy centralizes TLS, shields upstream apps, and enables caching and rate limiting.

Step 1: Verify OS and update packages

Confirm the platform and ensure the system is current to avoid dependency issues.

cat /etc/os-release
sudo dnf -y update
sudo reboot

Step 2: Install and start Nginx

Install Nginx from the default repositories, enable it at boot, and confirm it is running.

sudo dnf -y install nginx
sudo systemctl enable --now nginx
sudo systemctl status nginx --no-pager

● nginx.service - The nginx HTTP and reverse proxy server
   Active: active (running)

Step 3: Allow HTTP/HTTPS in firewalld

Open required ports so external clients can reach Nginx.

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
sudo firewall-cmd --list-services

Step 4: Prepare SELinux rules

Permit Nginx to connect to upstream services and define extra ports if needed.

sudo setsebool -P httpd_can_network_connect 1
sudo dnf -y install policycoreutils-python-utils
# If your upstream listens on 8080 (example):
sudo semanage port -a -t http_port_t -p tcp 8080 || sudo semanage port -m -t http_port_t -p tcp 8080

Step 5: Create a basic reverse proxy

Route requests from your domain to an internal/upstream app. Replace example.com and port 8080.

sudo tee /etc/nginx/conf.d/proxy_example.conf >/dev/null <<'EOF'
upstream backend_app {
    server 127.0.0.1:8080;  # your app or service
    keepalive 32;
}

server {
    listen 80;
    server_name example.com www.example.com;

    # Max upload size (adjust as needed)
    client_max_body_size 20m;

    # Compression for text assets
    gzip on;
    gzip_types text/plain text/css application/json application/javascript application/xml;
    gzip_min_length 1024;

    # Security headers (basic)
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header Referrer-Policy strict-origin-when-cross-origin;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket/HTTP2 upgrades
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Timeouts and buffers
        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering on;
        proxy_buffers 32 16k;
        proxy_busy_buffers_size 64k;

        proxy_http_version 1.1;
        proxy_pass http://backend_app;
    }

    # Health endpoint passthrough (optional)
    location = /health {
        proxy_pass http://backend_app/health;
        access_log off;
    }
}
EOF

Step 6: Validate syntax and reload Nginx

Check configuration correctness, then apply changes without downtime.

sudo nginx -t
sudo systemctl reload nginx
curl -I http://example.com/

Step 7: Enable HTTPS with Let’s Encrypt

Issue and auto-renew certificates. EPEL provides the Nginx Certbot plugin.

sudo dnf -y install epel-release
sudo dnf -y install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com --redirect -m [email protected] --agree-tos -n
systemctl list-timers | grep certbot

Step 8: Harden TLS and headers (optional)

Strengthen security and privacy while preserving compatibility.

sudo tee /etc/nginx/conf.d/ssl_hardening.conf >/dev/null <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;

# Additional headers
add_header X-XSS-Protection "1; mode=block";
add_header Permissions-Policy "geolocation=(), microphone=()";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
EOF

sudo nginx -t
sudo systemctl reload nginx

Step 9: Add proxy caching (optional but powerful)

Cache upstream responses to reduce load and latency. Tune sizes and keys for your app.

sudo tee /etc/nginx/conf.d/proxy_cache.conf >/dev/null <<'EOF'
proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=proxy_cache_zone:100m max_size=2g inactive=60m use_temp_path=off;

map $request_method $no_cache {
    default 0;
    POST 1;
    PUT 1;
    DELETE 1;
    PATCH 1;
}

# Example location snippet to include inside your server/location:
# location / {
#     proxy_cache proxy_cache_zone;
#     proxy_cache_bypass $http_cache_control $no_cache;
#     proxy_no_cache $http_pragma $http_authorization $no_cache;
#     proxy_cache_valid 200 302 10m;
#     proxy_cache_valid 404 1m;
# }
EOF

sudo mkdir -p /var/cache/nginx/proxy
sudo chown -R nginx:nginx /var/cache/nginx
sudo nginx -t
sudo systemctl reload nginx

Step 10: Quick troubleshooting

Verify listeners, logs, and SELinux alerts when something fails.

ss -lntp | grep :80\|:443
journalctl -u nginx -e --no-pager
sudo tail -f /var/log/nginx/access.log /var/log/nginx/error.log
curl -I http://127.0.0.1/
sudo ausearch -m avc -ts recent | tail -n 20

With Nginx running as a reverse proxy on CentOS Stream 9/RHEL-family systems, your apps gain TLS offload, clean URLs, caching, and better observability. For more study, guidance, server purchases, and support, you can use dropvps.