Nginx is a high-performance HTTP server and reverse proxy server, as well as an IMAP/POP3/SMTP server. Since version 1.9.13, Nginx supports TCP and UDP port forwarding through its stream module.
On CentOS 7, rinetd is simple to configure and easy to use, but unfortunately it does not support UDP forwarding. If your business requires forwarding both TCP and UDP ports, then Nginx is the best choice.
CentOS 7 can also use firewalld for port forwarding, but firewalld only forwards packets and does not listen on ports itself, so you still need a separate service listening on the port, which is a bit troublesome.
Enough talk, let’s get straight to the point: how to use Nginx to reverse proxy remote TCP and UDP services.
Server environment:
- CentOS 7
- LNMP stack
Steps:
- Install Nginx with stream module support
- Modify configuration files
1. Install Nginx with stream module support
If you are using the BaoTa panel, its Nginx build does not include the stream module; the LNMP one-click install script does include it, so if you use the LNMP environment you can skip this step.
Check which modules your Nginx was built with by running:
```
nginx -V
```
If you see `--with-stream` in the output, as shown in the image, the Nginx server meets the requirements. If not, you can recompile with the following script (it is a third-party script run as root, so read through it before executing it):
```
wget https://raw.githubusercontent.com/helloxz/nginx-cdn/master/nginx.sh && bash nginx.sh
source /etc/profile
```
2. Modify configuration files
After installing Nginx, add the reverse proxy configuration for TCP and UDP.
Note:
2.1 This proxy is different from the usual website reverse proxy; it forwards native TCP and UDP connections, not HTTP requests.
2.2 The stream module is configured in a block at the same level as http; do not put the stream block inside the http block.
2.3 Copy and paste the config directly into the config file; writing it by hand is prone to errors.
Here is an example of my Nginx config file; you can refer to it and modify as needed (the stream block sits beside http, not inside it):
```nginx
#/usr/local/nginx/conf/nginx.conf
user www www;
worker_processes auto;
worker_cpu_affinity auto;
error_log /home/wwwlogs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
# Specifies the max number of open file descriptors for this process
worker_rlimit_nofile 51200;

events
{
    use epoll;
    worker_connections 51200;
    multi_accept off;
    accept_mutex off;
}

# Stream (raw TCP/UDP) proxy: must be at the same level as the http block
stream {
    upstream server_upstreams {
        server server1.bobobk.com:443;
        server server3.bobobk.com:443;
    }
    # Forward local port 8080 (TCP and UDP) to port 443 of the server_upstreams group
    server {
        listen 8080;
        listen 8080 udp;
        proxy_pass server_upstreams;
    }
}

http
{
    include mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;
    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";
    #limit_conn_zone $binary_remote_addr zone=perip:10m;
    ## If limit_conn_zone is enabled, add "limit_conn perip 10;" to the server section.
    server_tokens off;
    access_log off;

    server
    {
        listen 80 default_server reuseport;
        listen [::]:80 default_server ipv6only=on;
        server_name _;
        index index.html index.htm index.php;
        root /www/wwwroot/default;
        #error_page 404 /404.html;
        # Deny access to PHP files in specific directories
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
        include enable-php.conf;
        location /nginx_status
        {
            stub_status on;
            access_log off;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires 30d;
        }
        location ~ .*\.(js|css)?$
        {
            expires 12h;
        }
        location ~ /.well-known {
            allow all;
        }
        access_log /home/wwwlogs/access.log;
    }
    include vhost/*.conf;
}
```
In the config file, the `upstream server_upstreams` block defines the group of backend servers used for load balancing, so Nginx picks the best server among them for each connection; `proxy_pass` forwards the incoming connection (or UDP datagram) to that upstream group.
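Before reloading, it is worth confirming that the stream block really sits beside http (note 2.2) and knowing exactly which ports the stream module will expose. The following Python script is an added example, not part of this article or of Nginx: it walks the blocks of an nginx.conf, lists every stream `listen` as (port, protocol), and flags a stream block nested inside another block or unbalanced braces. The sample config it parses is constructed for the demonstration.

```python
import re

# Constructed sample (not the article's full nginx.conf): a correct top-level
# stream block forwarding 8080/tcp and 8080/udp, followed by an http block that
# wrongly nests a second stream block, so the check has something to flag.
SAMPLE_CONF = """
stream {
    upstream server_upstreams { server server1.example.invalid:443; }
    server {
        listen 8080;
        listen 8080 udp;   # forwards UDP as well as TCP
        proxy_pass server_upstreams;
    }
}
http {
    server { listen 80 default_server; server_name _; }
    stream {   # wrong level: stream must sit beside http, not inside it
        server { listen 9090; proxy_pass server_upstreams; }
    }
}
"""

def audit_stream_config(conf):
    """Return (listeners, problems): every stream 'listen' as (port, proto),
    plus structural problems (stream nested in another block, unbalanced braces).
    Quoted values containing braces are not handled; nginx.conf rarely has them."""
    text = re.sub(r"#[^\n]*", "", conf)   # drop comments first
    stack, listeners, problems, buf = [], [], [], ""
    for ch in text:
        if ch == "{":                      # block opener: header text is in buf
            name = (buf.split() or [""])[0]
            if name == "stream" and stack:
                problems.append("stream block nested inside " + "/".join(stack))
            stack.append(name)
        elif ch == "}":
            if stack:
                stack.pop()
            else:
                problems.append("unmatched closing brace")
        elif ch == ";":                    # end of a simple directive
            words = buf.split()
            if words and words[0] == "listen" and "stream" in stack:
                port = words[1].rsplit(":", 1)[-1]          # handles [::]:8080
                proto = "udp" if "udp" in words[2:] else "tcp"
                listeners.append((port, proto))
        else:
            buf += ch
            continue
        buf = ""
    if stack:
        problems.append("unclosed blocks: " + "/".join(stack))
    return listeners, problems

if __name__ == "__main__":
    ls, ps = audit_stream_config(SAMPLE_CONF)
    print("stream listeners:", ls)
    print("problems:", ps)
```

Run it against your own file with `audit_stream_config(open("/usr/local/nginx/conf/nginx.conf").read())`; an empty problems list and the expected listener set is the result you want before `nginx -t` and a reload.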
Summary:
On a CentOS 7 server, using Nginx for single-port UDP and TCP forwarding is really convenient and easy to use. For forwarding many ports, you need to configure each port separately, which is a bit troublesome.
If your server environment was installed with the LNMP script, it is especially convenient. This article introduced using Nginx on the server to forward TCP and UDP.