NGINX: High-Performance Web Server and Reverse Proxy (Advanced Guide)

In our previous article on NGINX, we explored the basics —what it is, where to find its configuration, how to restart it on macOS, how to troubleshoot common 404 errors, and how to set up a basic reverse proxy. That guide provided a strong foundation for beginners who wanted to get hands-on with NGINX in Kubernetes, Docker, and traditional Linux environments.

This advanced article builds on the foundation of the introductory article and takes things further. We dive into production-grade NGINX setup, advanced reverse proxy techniques, SSL/TLS security, Dockerized deployments, Kubernetes ingress configurations, and performance tuning. We’ll also integrate many practical questions developers and sysadmins often ask, such as “how to use embedded keys with NGINX,” “what NGINX proxy manager is,” “how to include subdomains in NGINX,” and “how to enable HTTPS NGINX in Docker.”

Recap: What is NGINX?

As highlighted in the introductory article, NGINX is more than just a web server. It is a reverse proxy, load balancer, caching engine, and security layer. Its event-driven, asynchronous architecture makes it outperform traditional web servers like Apache under heavy currency.

What NGINX is used for:

• Handling millions of HTTP requests per second.
• Offloading SSL/TLS encryption.
• Acting as a reverse proxy for Docker, Kubernetes, or VM-based applications.
• Terminating and managing WebSocket connections.
• Serving static content (HTML, CSS, JS, images).
• Integrating with NGINX Proxy Manager, Heimdall dashboards, and third-party services.
• Powering microservices networking with Kubernetes ingress NGINX.

NGINX vs Apache: Why Modern Systems Choose NGINX

While Apache remains widely used, NGINX has distinct advantages:

Feature	NGINX	Apache
Architecture	Event-driven, asynchronous	Process/thread-based
Performance	Lightweight, handles high concurrency	Higher memory usage
Reverse Proxy	Built-in, highly optimized	Add-ons required
Docker Integration First-class support Limited	First-class support	Limited
WebSocket Support	Native	Requires modules

For modern containerized deployments (Docker, Kubernetes), NGINX is almost always the default choice.

Where to See NGINX Config in Kubernetes Pod

In Kubernetes, when using ingress-nginx, you can view the active configuration with the following command:
kubectl exec -it — nginx -T

This will dump /etc/nginx/nginx.conf along with conf.d/*.conf files. If you are troubleshooting apps like Superset config nginx or filecloud nginx, this command is invaluable.

You can also mount your own nginx.conf inside the pod using a ConfigMap command:

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-nginx-config
  namespace: default
data:
  nginx.conf: |
    events {}
    http {
      include /etc/nginx/conf.d/*.conf;
    }

Then mount it into the ingress nginx controller deployment.

Handling “404 Not Found” in Advanced Scenarios

From our previous article, we know 404 errors often come from misconfigured root or location blocks. But in advanced setups, other causes include:

• Ingress path misalignment: Use nginx.ingress.kubernetes.io/rewrite-target annotations.
• Missing subdomain mapping: Use server_name *.example.com for nginx include subdomains.
• Docker volume mount errors: Ensure nginx.conf and html directories are mounted properly.

How to Restart NGINX in Different Environments

Do the following commands in each procedure below:

On macOS (as covered before):
brew services restart nginx

On Ubuntu/Debian:
sudo systemctl restart nginx

Inside a Docker container:
docker exec -it nginx-container nginx -s reload

Inside a Kubernetes pod:
kubectl exec -it — nginx -s reload

Creating Advanced Docker Reverse Proxy with NGINX

In the previous article, we showed a simple Dockerfile with NGINX. Now let’s extend it for multi-service reverse proxy with SSL.

For the docker-compose.yml:, use the following commands:

version: ‘3’
services:
  nginx:
    image: nginx:latest
    volumes:
      – ./nginx.conf:/etc/nginx/nginx.conf
      – ./certs:/etc/nginx/certs
    ports:
      – “80:80”
      – “443:443”

  app1:
    image: php:8-fpm
    volumes:
      – ./app1:/var/www/html

  app2:
    image: node:18
    working_dir: /usr/src/app
    volumes:
      – ./app2:/usr/src/app
 

nginx.conf: events {}
http {
  server {
    listen 443 ssl;
    server_name app1.local;

    ssl_certificate /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    location / {
      proxy_pass http://app1:9000;
    }
  }

  server {
    listen 443 ssl;
    server_name app2.local;

    ssl_certificate /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    location / {
      proxy_pass http://app2:3000;
    }
  }
}
This allows NGINX proxy docker setups with multiple domains secured via .pem and .key files.

Using Embedded Keys and Password Protection in NGINX

Some organizations prefer embedded keys inside their NGINX configuration. Instead of referencing external files, you can include the certificate and private key inline.

Additionally, use Basic Auth for restricting access with the following command:

location /admin {
    auth_basic “Restricted”;
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Combine this with SSL to create a secure login-protected area.

NGINX Proxy Manager & Heimdall

For those who prefer GUIs, NGINX Proxy Manager provides an easy way to configure reverse proxies, SSL certificates, and redirects. Similarly, Heimdall can be fronted by NGINX to create a beautiful dashboard.

NGINX with APISIX, FileCloud, and Superset

NGINX integrates tightly with modern ecosystems:

• APISIX NGINX worker: APISIX uses NGINX under the hood for API gateway functionality.
• FileCloud NGINX: Reverse proxy setup for enterprise file sharing.
• Superset config NGINX: Secure BI dashboards behind HTTPS.

Logging, Monitoring, and Performance Tuning

• Logs: Located in /var/log/nginx/ (access.log, error.log).
• Metrics: Use the stub_status module for real-time request stats.
• Tuning: Increase worker processes with the following command:
  • worker_processes auto;
  • worker_connections 10240;
• Caching: Enable fast content delivery with proxy_cache_path.

NGINX and SSL/TLS: Best Practices

• Always redirect HTTP to HTTPS.
• Use Let’s Encrypt (certbot) for free SSL certificates.
• For production, configure HSTS headers.
• Use strong ciphers with the following command:
  • ssl_protocols TLSv1.2 TLSv1.3;
  • ssl_ciphers HIGH:!aNULL:!MD5;

Final Thoughts

In the previous article, we laid the groundwork for understanding NGINX basics. This advanced guide expanded on those foundations by covering Dockerized setups, Kubernetes ingress, embedded keys, Proxy Manager, SSL best practices, APISIX integration, and performance tuning.

Whether you are building a docker php sqlite nginx stack, deploying websocket nginx manager, or setting up a production-grade reverse proxy, NGINX remains the industry standards.

References:

• NGINX Official Docs
• NGINX Admin Guide
• Kubernetes Ingress NGINX
• NGINX Proxy Manager
• Docker Hub NGINX Images
• The Architecture of Open Source Applications (Volume 2) nginx
• Analyze and visualize NGINX access logs in Kibana Dashboard