Install and Configure NGINX
Prerequisites
Before proceeding with this guide, make sure that you have access to the following on your development machine:
- Fedora/Red Hat Environment
- Sudo Privileges
Install NGINX
The NGINX package can be installed via the dnf package manager:
sudo dnf install nginx
Additionally, the NGINX service must be enabled and started:
sudo systemctl enable --now nginx
# enable: Configures NGINX to start automatically at system boot.
# --now: Starts the NGINX service immediately
Configuring NGINX as a Reverse Proxy
This guide focuses on three kinds of proxy traffic:
- Galvanometer over HTTP or HTTPS
- TCP or TCPS connections using HTTP Preflight
- WS or WSS connections using WebSocket upgrade
For connections over SSL, use tcps:// and wss:// on the client side, /tcps/ and /wss/ on the NGINX side, and https:// backend targets for the secure AMPS transports.
For non-SSL connections, use tcp:// and ws:// on the client side, /tcp/ and /ws/ on the NGINX side, and http:// backend targets.
If you are unsure which connection type to use, see TLS/SSL Transports in the AMPS User Guide.
Modify /etc/nginx/nginx.conf (sudo access is required).
The first step in configuring NGINX is setting the number of worker processes. This determines how many processes will handle incoming requests. For small applications, one worker process is usually sufficient. For production environments, set this to match the number of CPU cores on your server. You can determine the number of CPU cores on your machine with nproc.
Next, define how NGINX handles concurrent connections inside the events block. The worker_connections directive sets the maximum number of simultaneous connections a worker process can handle. If you expect high traffic, consider increasing this number, but ensure your server has enough resources to handle it.
Next, configure how NGINX handles HTTP requests in the http block:
- include mime.types; ensures that NGINX sets the correct Content-Type headers based on file extensions.
- default_type application/octet-stream; is a fallback for unknown file types.
- sendfile on; allows NGINX to send files efficiently by reading them directly from disk.
- keepalive_timeout 65; keeps idle connections open for 65 seconds before closing them.
To properly handle connection upgrades, such as through the use of HTTP Preflight, add a map directive inside the http block. The map checks whether the Upgrade header is set in an incoming request. If it is, $connection_upgrade is set to upgrade and NGINX will upgrade the connection; otherwise, it is set to close and NGINX will close it.
worker_processes 1;

# Event Handling
events {
    worker_connections 1024;
}

# HTTP Configuration
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # WebSocket Upgrade Mapping
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
}
Now, we define the main server block within the http block, which tells NGINX how to handle incoming requests.
- listen 443 ssl; makes NGINX listen for all HTTPS requests on port 443. For a non-SSL configuration, use listen 80; to listen for all HTTP requests.
- server_name localhost; means the server will respond to requests sent to localhost. Replace localhost with your domain if hosting publicly.
Next, we have to provide the necessary SSL certificates to NGINX by including ssl_certificate and ssl_certificate_key. For this demonstration, we will use the Fedora localhost certificates located at /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key.
Inside the server block, add location blocks to define how different types of requests should be handled.
This guide assumes the AMPS server is running on the same host as the reverse proxy. If this is not the case, replace 127.0.0.1 with the address of your AMPS server.
First, add a location block that proxies /admin/ to the backend service running on port 8085.
location /admin/ {
    proxy_pass https://127.0.0.1:8085/;
}
Next, add a block for /tcps/ to forward TCPS connections to port 9007 with an expected connection upgrade.
location /tcps/ {
    proxy_pass https://127.0.0.1:9007/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Upgrade $http_upgrade;
}
Finally, add a block for /wss/ that will forward Secure WebSocket traffic to port 9008 with an expected connection upgrade.
location /wss/ {
    proxy_pass https://127.0.0.1:9008/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Upgrade $http_upgrade;
}
The complete NGINX configuration for SSL connections:
worker_processes 1;

# Event Handling
events {
    worker_connections 1024;
}

# HTTP Configuration
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # WebSocket Upgrade Mapping
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Server Block (Handles Incoming HTTPS Requests)
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /etc/pki/tls/certs/localhost.crt;
        ssl_certificate_key /etc/pki/tls/private/localhost.key;

        location /admin/ {
            proxy_pass https://127.0.0.1:8085/;
        }

        location /tcps/ {
            proxy_pass https://127.0.0.1:9007/;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Upgrade $http_upgrade;
        }

        location /wss/ {
            proxy_pass https://127.0.0.1:9008/;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Upgrade $http_upgrade;
        }
    }
}
For a standard non-SSL deployment, use the following server block:
# Server Block (Handles Incoming HTTP Requests)
server {
    listen 80;
    server_name localhost;

    location /admin/ {
        proxy_pass http://127.0.0.1:8085/;
    }

    location /tcp/ {
        proxy_pass http://127.0.0.1:9007/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location /ws/ {
        proxy_pass http://127.0.0.1:9008/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade $http_upgrade;
    }
}
Validate and Apply the NGINX Configuration
Validate the NGINX configuration file:
sudo nginx -t
Restart the NGINX service to pick up the new changes:
sudo systemctl restart nginx
Verify the NGINX service is running:
sudo systemctl status nginx
The examples above show both SSL and non-SSL NGINX reverse proxy configurations for AMPS TCP, WebSocket, and Galvanometer connections.
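nginx -t does not check the pairing this guide describes between the NGINX-side path (/tcps/, /wss/, /tcp/, /ws/) and the backend scheme, or that each upgrade location carries proxy_http_version 1.1 and the Upgrade and Connection headers. The following Python check is an added example, not part of the original guide; lint_proxy_config and the sample configuration are constructed for illustration, and it assumes flat location blocks like the ones shown above.

```python
import re

# Upgrade paths from the guide and the backend scheme each is paired with.
EXPECTED_SCHEME = {"/tcps/": "https", "/wss/": "https", "/tcp/": "http", "/ws/": "http"}
# Directives every upgrade location in the guide carries.
REQUIRED = {
    "proxy_http_version": "1.1",
    "proxy_set_header Upgrade": "$http_upgrade",
    "proxy_set_header Connection": "$connection_upgrade",
}
# Assumption: flat location blocks (no nested braces), as in the guide.
LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{([^{}]*)\}")

def lint_proxy_config(conf):
    """Return findings for upgrade locations that break the guide's conventions."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    findings = []
    for path, body in LOCATION_RE.findall(conf):
        if path not in EXPECTED_SCHEME:
            continue  # /admin/ and other paths need no upgrade handling
        # "proxy_set_header Host $host" -> {"proxy_set_header Host": "$host"}
        directives = {}
        for stmt in body.split(";"):
            words = stmt.split()
            if len(words) >= 2:
                directives[" ".join(words[:-1])] = words[-1]
        scheme = directives.get("proxy_pass", "").split("://")[0]
        if scheme != EXPECTED_SCHEME[path]:
            findings.append(f"{path}: proxy_pass should use {EXPECTED_SCHEME[path]}://")
        for key, value in REQUIRED.items():
            if directives.get(key) != value:
                findings.append(f"{path}: expected '{key} {value};'")
    return findings

# Constructed sample: /wss/ targets an http:// backend and omits proxy_http_version.
SAMPLE = """
server {
    listen 443 ssl;
    location /admin/ { proxy_pass https://127.0.0.1:8085/; }
    location /wss/ {
        proxy_pass http://127.0.0.1:9008/;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade $http_upgrade;
    }
}
"""

if __name__ == "__main__":
    print("\n".join(lint_proxy_config(SAMPLE)))
```

To check a real file, pass its contents, for example lint_proxy_config(open("/etc/nginx/nginx.conf").read()); an empty list means every upgrade location follows the guide's pairing.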