An Nginx reverse proxy on an ECS instance enables HTTPS URL forwarding and port mapping, two capabilities that Alibaba Cloud DNS does not natively support. For standard scenarios, add a DNS record instead.
Use cases
Alibaba Cloud DNS has these limitations:
- Protocol restriction: HTTPS-to-HTTPS URL forwarding is not supported because the DNS service cannot manage SSL certificates.
- Port limitation: DNS resolves domain names to IP addresses, not ports. If your backend runs on a non-standard port (for example, 3000), users must append the port to the URL: http://www.example.com:3000.
Solution architecture
- Original path: The client resolves the domain name through DNS and connects directly to the backend service IP.
- New path: With an Nginx reverse proxy, requests flow through the following path:
  - The client resolves the domain name through DNS, which returns the public IP of the Nginx server.
  - The client sends an HTTP or HTTPS request to this public IP address.
  - Nginx matches the Host header against its forwarding rules and proxies the request to the appropriate backend service.
  - The backend processes the request and returns a response through Nginx to the client.
Procedure
This tutorial uses an ECS instance running Alibaba Cloud Linux 3. If Nginx is already deployed, skip to Step 3: Configure Nginx for different scenarios.
Step 1: Prepare the ECS environment
- Create an ECS instance. Create an instance by using the wizard.
  - Operating system: Select Alibaba Cloud Linux 3.
  - Network: Assign a public IP address to the instance.
- Add a security group inbound rule to allow TCP on ports 22, 80, and 443.
Step 2: Install and start Nginx
- Log on to the ECS instance by using an SSH client.
- Run the following command to install Nginx.

    sudo yum install -y nginx

- Start Nginx and enable it on boot.

    sudo systemctl start nginx
    sudo systemctl enable nginx

- Verify that Nginx is running.

    sudo systemctl status nginx

  If the status is active (running), the service has started successfully.
- Reload the Nginx configuration without dropping connections.

    sudo systemctl reload nginx
Step 3: Configure Nginx for different scenarios
The main configuration file is /etc/nginx/nginx.conf. The recommended approach is to create a separate .conf file per site in /etc/nginx/conf.d/.
Scenario 1: HTTPS URL forwarding
Alibaba Cloud DNS does not support HTTPS-to-HTTPS forwarding because SSL certificates cannot be uploaded. With Nginx, you can install your own SSL certificate and define custom forwarding rules.
- URL redirection (explicit forwarding)

  Permanently redirects https://example.com to https://aliyun.com. The browser address bar updates to the new URL. Add the following to /etc/nginx/conf.d/redirect.conf:

    server {
        listen 443 ssl http2;
        server_name example.com;

        # Configure the SSL certificate and private key for the source domain name
        ssl_certificate /etc/nginx/certs/example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/example.com.key;

        location / {
            return 301 https://aliyun.com$request_uri;
        }
    }
- Reverse proxy (implicit forwarding)

  Proxies requests from https://example.com to https://aliyun.com. The browser address bar stays unchanged while content is served from the backend. Add the following to /etc/nginx/conf.d/proxy.conf:

    # Proxy requests for example.com to aliyun.com
    server {
        listen 443 ssl http2;
        server_name example.com;

        # Configure the SSL certificate and private key for the source domain name
        ssl_certificate /etc/nginx/certs/example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/example.com.key;

        location / {
            # Forward the request to the target server over HTTPS
            proxy_pass https://aliyun.com;
            # Send the target's domain name in the TLS handshake (SNI) so the backend presents the right certificate
            proxy_ssl_server_name on;
            # Key configuration: Set the Host request header to the target service's domain name to ensure the backend can process the request correctly.
            proxy_set_header Host "aliyun.com";
            # Pass the client's real IP address for backend logging and analysis
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
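Nginx does not verify a backend's TLS certificate unless proxy_ssl_verify is enabled. The following variant of the reverse-proxy server block connects to the backend over HTTPS and verifies its certificate; it is an added example, not part of the original tutorial. The CA bundle path is an assumption based on the RHEL-compatible layout of Alibaba Cloud Linux 3, so confirm it on your instance.

```nginx
# Added example: /etc/nginx/conf.d/proxy.conf with upstream certificate verification.
server {
    listen 443 ssl http2;
    server_name example.com;

    # Certificate and private key for the source domain name (paths from the tutorial)
    ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    location / {
        # Encrypt the hop between Nginx and the backend as well
        proxy_pass https://aliyun.com;

        # Send SNI and check the certificate against this name
        proxy_ssl_server_name on;
        proxy_ssl_name        aliyun.com;

        # Verification is off by default; without it the proxy accepts any
        # certificate the upstream hop presents
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;   # allow a chain with an intermediate CA
        # Assumed system CA bundle location on Alibaba Cloud Linux 3
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        proxy_set_header Host "aliyun.com";
        proxy_set_header X-Real-IP $remote_addr;
        # This Nginx is the first hop, so overwrite X-Forwarded-For instead of
        # appending to a value the client may have supplied itself
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If verification fails, Nginx returns 502 and logs the reason in its error log, which makes a wrong CA bundle path or a name mismatch easy to spot.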
Scenario 2: Map domain to a specific port
Routes traffic from port 80 to a backend application on a non-standard port such as 3000, so users do not need to specify the port in the URL. Add the following to /etc/nginx/conf.d/port_mapping.conf:
    # Access the service on local port 3000 through example.com
    server {
        listen 80;
        server_name example.com;

        location / {
            # Forward requests to port 3000 on the local host
            proxy_pass http://127.0.0.1:3000;
            # Pass the original Host request header so the backend application can identify the domain name being accessed
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
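When no server_name matches the Host header, Nginx hands the request to the default server for that port, which is the first server block loaded unless one is marked default_server. The catch-all below keeps requests for unlisted hostnames, or for the bare public IP, away from the backends. It is an added example, not part of the original tutorial: the file name default_deny.conf is hypothetical, and ssl_reject_handshake assumes Nginx 1.19.4 or later.

```nginx
# Added example: /etc/nginx/conf.d/default_deny.conf (hypothetical file name)

# Plain HTTP: any Host header not claimed by another server block lands here
server {
    listen 80 default_server;
    server_name _;
    # 444 is an Nginx-specific code: close the connection without a response
    return 444;
}

# HTTPS: refuse the TLS handshake for names not claimed by another server
# block, so no certificate is presented for unknown hostnames
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

If the stock /etc/nginx/nginx.conf already declares a default_server on port 80, edit that block instead, because Nginx refuses to load two default servers for the same address and port. Run sudo nginx -t before sudo systemctl reload nginx to catch such errors.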
Step 4: Configure DNS resolution
After Nginx is configured, add DNS records for the domains it serves.
- Obtain a domain name. If you do not have one, register one at Alibaba Cloud Domain Names. If the website is hosted in the Chinese mainland, complete the ICP filing first.
- Obtain the public IP address of the ECS instance running Nginx. On the Instances page of the ECS console, locate your instance and check the IP Address column.
- Go to the Alibaba Cloud DNS - Public Zone console and find your target domain name.
- Add or modify a DNS record.
  - If no DNS record is configured, add a DNS record. Create an A record for each domain name configured in Nginx, such as example.com, and point it to the public IP address of your ECS instance.
  - If a DNS record already exists, update its value to the Nginx server's public IP. DNS changes may take 5–10 minutes to propagate.

  In the Add Record panel, set record type to A -- Maps a domain name to an IPv4 address, host record to demo, Resolution Line to Default, TTL to 10 minutes, and record value to the Nginx server's public IP.
Costs and risks
- Cost: The main cost is the ECS instance. Pricing depends on instance specifications, region, and billing method. Nginx itself is free and open source.
- Risks and maintenance: You are responsible for operating the reverse proxy, including applying security patches, monitoring service health, and backing up configurations. Improper setup or neglected maintenance can cause outages or security vulnerabilities.
- Production recommendation: Harden the Nginx security configuration and set up monitoring and log analysis.