Scaling Past Apache: The Ultimate Nginx Reverse Proxy Guide for High-Load Systems
I still remember the first time I watched a server die. It was 2009, and a client's e-commerce site got featured on a major Norwegian news outlet. The traffic wasn't even a DDoS; it was legitimate users trying to buy wool sweaters. But the Apache process count skyrocketed, swap memory filled up in seconds, and the kernel OOM-killer started murdering processes like a scene from a horror movie.
The site went dark. The client lost money. I lost sleep.
The problem wasn't the code. The problem was architecture. Apache is fantastic, but its threaded model (especially with mod_php) is heavy. Every client connection eats a chunk of RAM, regardless of whether it's processing PHP or just slow-lorising a JPEG download.
In 2012, we have a better way. We don't replace Apache; we protect it. By placing Nginx in front as a reverse proxy, we can handle tens of thousands of concurrent connections with a tiny memory footprint, passing only the dynamic requests back to Apache.
This is the standard architecture we deploy at CoolVDS for clients who need stability without buying a dedicated rack.
The Architecture: Why This Works
Think of Nginx as the bouncer and Apache as the bartender. If everyone crowds the bar asking for directions (static files) or waiting for their friend (slow connections), the bartender can't pour drinks (PHP/MySQL). Nginx handles the line, serves the static content instantly, and only lets someone talk to the bartender when they actually need a drink.
| Feature | Apache (Prefork) | Nginx (Event-Driven) |
|---|---|---|
| Architecture | Process/Thread per connection | Asynchronous, Event-based |
| Memory Usage | High (scales with connections) | Low (constant, predictable) |
| Static Files | Good, but expensive | Insanely fast |
| Concurrency | Struggles above 10k | Designed for C10k+ |
Step 1: Installation on CentOS 6 / RHEL
If you are still compiling from source, stop. The EPEL repositories are stable enough for production now. Let's get Nginx 1.2.x installed.
# First, add the EPEL repo if you haven't
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
# Install Nginx
yum install nginx
# Turn it on at boot
chkconfig nginx on
service nginx startStep 2: Configuring Nginx as the Shield
We are going to move Apache to port 8080 and have Nginx listen on port 80. This requires editing your Apache httpd.conf to Listen 8080 first.
Here is the battle-hardened nginx.conf configuration I use. This handles the proxy pass and, crucially, passes the correct headers so Apache knows the real IP address of the visitor (essential for logs and Norway's Data Retention nuances).
server {
listen 80;
server_name example.com www.example.com;
root /var/www/vhosts/example.com/httpdocs;
index index.php index.html;
# 1. Serve Static Files Directly (Save Apache RAM)
location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 30d;
}
# 2. Deny Access to Hidden Files
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
# 3. Pass PHP to Apache
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Timeouts are critical for long PHP scripts
proxy_connect_timeout 60;
proxy_send_timeout 90;
proxy_read_timeout 90;
}
}Step 3: The Critical Apache Mod (mod_rpaf)
This is where most tutorials fail you. If you just do the above, your Apache logs will show 127.0.0.1 for every single visitor. This is a nightmare for security audits and makes fail2ban useless.
You must install mod_rpaf (Reverse Proxy Add Forward) on Apache. It reads the X-Real-IP header from Nginx and overwrites the remote address.
yum install mod_rpaf
# Edit /etc/httpd/conf.d/rpaf.conf
RPAFenable On
RPAFproxy_ips 127.0.0.1Performance Tuning: Buffers and I/O
The default Nginx settings are safe, but they aren't optimized for high-traffic sites. If your backend sends a large response, Nginx has to buffer it. If you don't have enough memory allocated for buffers, Nginx starts writing to disk. Disk I/O is the enemy of latency.
Pro Tip: Even with the SSDs we use on CoolVDS, you want to avoid disk writes for temporary files. RAM is always faster.
Add this to your http block in /etc/nginx/nginx.conf:
http {
# ... other settings ...
# Buffer size handling
client_body_buffer_size 128k;
client_max_body_size 10m;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
output_buffers 1 32k;
postpone_output 1460;
# Timeouts to drop dead connections faster
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
# Keepalive is vital for SSL/Performance
keepalive_timeout 65;
}Data Sovereignty and The "Norwegian Cloud"
Working with clients in Oslo, I often hear concerns about the Personopplysningsloven (Personal Data Act). When you proxy traffic, you are handling user data. It is critical that your logs and your physical servers reside within a jurisdiction you trust.
Using a US-based budget host often means higher latency (ping times to Oslo from Texas are 140ms+; from CoolVDS in Europe, it's under 30ms) and murky data handling practices. If you are configuring Nginx to log access details, ensure that data stays on drives you control.
Why Underlying Hardware Matters
Software optimization can only take you so far. I've tuned Nginx on cheap VPS providers where the "steal time" (CPU stolen by neighbors) was over 20%. Nginx is event-driven; it needs the CPU now, not when the hypervisor feels like giving it to you.
At CoolVDS, we utilize KVM virtualization. Unlike OpenVZ, KVM prevents noisy neighbors from eating your RAM. Furthermore, we are aggressively rolling out Solid State Drives (SSDs) across our fleet. While Nginx reduces disk reads for static files via caching, your database (MySQL) still hammers the disk. On a standard 7200RPM drive, MySQL bottlenecks. On our SSD arrays, it flies.
Final Verification
Before you restart Nginx, always test your configuration syntax. I've seen too many production servers go down because of a missing semicolon.
nginx -t
# Output should be: syntax is ok, test is successfulDon't let legacy configurations slow down your growth. Implementing Nginx as a reverse proxy is the single most cost-effective upgrade you can make in 2012.
Ready to test this setup? Spin up a KVM instance on CoolVDS today. We offer pure SSD storage options that make Nginx cache purges instantaneous. Deploy your server now.