Nginx advanced configuration

1. NGINX (pronounced "engine-x") is an open-source, high-performance web server and reverse proxy.

NGINX can work as:

A web server (for static sites)

A reverse proxy (forwarding traffic to Node.js, Python or PHP backends)

A load balancer (spreading load across several servers)

An API gateway (managing incoming requests)

A mail proxy (rarely)

1.1 WHAT IS A REVERSE PROXY?

A reverse proxy is a server that acts as an intermediary between the client (the user) and the backend server (for example Node.js, Django or Laravel).

That is:

The user requests the page https://example.com.

The request first reaches NGINX (the reverse proxy).

NGINX forwards the request to the real backend server behind it (http://localhost:3000).

The backend returns a response.

NGINX delivers that response to the user.

HOW DOES A REVERSE PROXY WORK WITH NGINX?

NGINX is considered the most popular reverse proxy server.

Example: proxying to a Node.js backend with NGINX

server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

| Line | Meaning |
| --- | --- |
| proxy_pass | Forwards the request to localhost:3000 (Node.js is running on that port) |
| proxy_set_header Host $host | Passes the domain name sent by the client on to the backend |
| proxy_set_header X-Real-IP $remote_addr | Passes the client's IP address to the backend |

WHY USE A REVERSE PROXY?

| Purpose | Explanation |
| --- | --- |
| Security | The backend server is not directly visible from the internet. |
| HTTPS | NGINX handles the HTTPS certificate itself, while the backend works only with HTTP. |
| Load balancing | NGINX distributes load across several backend servers. |
| Logging | NGINX logs all requests. |
| Caching | Stores responses temporarily, reducing server load. |
| Frontend-backend separation | Frontend (React) static files are served from NGINX, while API requests are sent to the backend. |

server {
    listen 80;
    server_name localhost;

    location /api/ {
        proxy_pass http://localhost:3000/;
    }
}

If you open http://localhost/api/users in the browser, the request is actually sent to http://localhost:3000/users.
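
The effect of the URI part in proxy_pass, shown side by side in an added example (not from the original page). The /raw/ and /v1 locations are hypothetical and exist only for comparison with the /api/ block:

```nginx
server {
    listen 80;
    server_name localhost;

    # proxy_pass WITH a URI part ("/"): the matched prefix /api/ is replaced by "/".
    #   /api/users  ->  http://localhost:3000/users
    location /api/ {
        proxy_pass http://localhost:3000/;
    }

    # proxy_pass WITHOUT a URI part: the request URI is forwarded unchanged.
    #   /raw/users  ->  http://localhost:3000/raw/users
    location /raw/ {
        proxy_pass http://localhost:3000;
    }

    # Pitfall: a prefix without a trailing slash combined with a URI part.
    # "/v1" also matches /v1beta, and only the matched text "/v1" is replaced:
    #   /v1/users   ->  http://localhost:3000//users
    #   /v1beta     ->  http://localhost:3000/beta
    # Keep the trailing slash on both the location and the proxy_pass URI.
    location /v1 {
        proxy_pass http://localhost:3000/;
    }
}
```

The last block is the one to look for in review: it exposes backend paths that the prefix was never meant to cover.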

2. WHERE DID IT COME FROM?

Created by: Igor Sysoev, a Russian developer

Year developed: 2004

Why? Because the Apache web server was slow under heavy load, NGINX was created to solve the "C10k problem" (that is, 10,000 clients connected at the same time).

Today it is one of the most popular web servers in the world.


3. WHAT IS NGINX FOR?

Main uses:

| Purpose | Description |
| --- | --- |
| Web server | Serves static files such as HTML, CSS and JS to the client |
| Reverse proxy | Routes traffic to a backend server (Node.js, Django, Laravel) |
| Load balancer | Distributes load evenly across several backends |
| SSL terminator | Accepts HTTPS traffic and decrypts it |
| Cache server | Stores files temporarily to save resources |
| Security layer | Protects with IP blocking and anti-DDoS configuration |

4. WHERE IS IT APPROPRIATE TO USE?

| Area / Case | Recommended? |
| --- | --- |
| Static sites (HTML, CSS, JS) | ✅ Yes, very efficient |
| Node.js, Django, Laravel APIs | ✅ Yes, as a reverse proxy |
| Microservice architecture | ✅ Yes, as an API gateway |
| With Docker | ✅ Yes, works well in nginx containers |
| SSL/HTTPS management | ✅ Very suitable |
| Projects with separate frontend + backend | ✅ Serve the frontend from NGINX and run the backend on a separate server |
| Advertising, media or video services | ✅ Yes, because it handles heavy traffic well |

Below, I go step by step through advanced NGINX configuration. This material gives you the knowledge you need to use NGINX not only as a simple reverse proxy, but also as a powerful, secure and optimized web server.


4. NGINX BASIC STRUCTURE (RECAP)

Every nginx.conf file has the following structure:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    keepalive_timeout 65;

    # Per-site server blocks are loaded from here
    include /etc/nginx/conf.d/*.conf;
}

5. VIRTUAL HOST (SERVER BLOCK) - WORKING WITH DOMAINS

5.1. Handling multiple domains with server_name:

server {
    listen 80;
    server_name example.com www.example.com;

    root /var/www/example.com;
    index index.html index.htm;

    location / {
        # Serve the file or directory if it exists, otherwise return 404
        try_files $uri $uri/ =404;
    }
}

5.2. Wildcard domains:

server {
    listen 80;
    server_name *.example.com;
}

6. REVERSE PROXY (CONNECTING TO A BACKEND)

Connecting to a Node.js backend:

server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        # Pass WebSocket upgrade requests through to the backend
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

7. HTTPS (SSL) SETTINGS

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        # TLS ends at NGINX; the backend receives plain HTTP
        proxy_pass http://localhost:3000;
    }
}

8. REDIRECTS (301, 302)

Forcing the switch from HTTP to HTTPS:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
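
An added example (not from the original page) that puts this redirect together with the HTTPS block from section 7 and adds catch-all servers, so that requests for unknown host names are neither redirected nor proxied. The 444 catch-all, ssl_reject_handshake and the HSTS header are additions, and the certificate is assumed to cover both names:

```nginx
# Catch-all for port 80. Without an explicit default_server, the first server
# block on a port is the default and would answer, and redirect with, whatever
# Host header the client sent.
server {
    listen 80 default_server;
    server_name _;
    return 444;    # NGINX-specific code: close the connection, send nothing
}

# Catch-all for port 443: refuse the TLS handshake for unknown names
# (ssl_reject_handshake needs nginx 1.19.4 or later).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 80;
    server_name example.com www.example.com;
    # $host can only be one of the two names above now.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # HSTS: browsers that have seen this header use HTTPS directly for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
    }
}
```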

9. PERFORMANCE TWEAKS (TUNING FOR HIGH LOAD)

http {
    gzip on;
    gzip_types text/plain application/json text/css application/javascript;
    gzip_min_length 256;

    # Reject request bodies larger than 10 MB
    client_max_body_size 10M;
    keepalive_timeout 20s;

    sendfile on;
    tcp_nopush on;
}

10. CACHE AND STATIC FILE OPTIMIZATION

location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 30d;
    access_log off;
}

11. LOAD BALANCING (IN LARGE SYSTEMS)

upstream backend {
    server 127.0.0.1:3001;
    server 127.0.0.1:3002;
    server 127.0.0.1:3003;
}

server {
    listen 80;
    server_name loadbalancer.example.com;

    location / {
        proxy_pass http://backend;
    }
}

Load balancing methods: round-robin (default), least_conn, ip_hash.


12. BASIC AUTH (password-protected access)

location /admin {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

To create the .htpasswd file:

sudo apt install apache2-utils
# -c creates the file (and overwrites an existing one); omit it when adding more users
sudo htpasswd -c /etc/nginx/.htpasswd username

13. CUSTOM ERROR PAGES

error_page 404 /custom_404.html;
location = /custom_404.html {
    root /var/www/errors;
}

14. LOG FORMAT AND ANALYTICS

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

15. TESTING AND RELOAD

sudo nginx -t     # Test the configuration
sudo systemctl reload nginx

WHAT HAPPENS WITHOUT A REVERSE PROXY?

If you do not use a reverse proxy, that is, if the user's browser connects directly to the backend server (for example Node.js):

User ─────▶ Node.js server (port 3000)

HTTPS does not work or becomes complicated

Node.js and other backend servers can work with HTTPS, but:

Installing and renewing certificates is complicated.

SSL has to be set up separately on every backend server.

A reverse proxy (NGINX) solves this problem: HTTPS is handled in NGINX, while the backend works only with HTTP.

Ports become a problem

Node.js usually runs on localhost:3000. To open this port in a browser, you would have to type:

http://example.com:3000

A URL like this looks unpolished, and to many users it looks unsafe.

NGINX hides this port, so the site can be reached simply at http://example.com.

The security level is lower

The backend server is exposed directly to the internet:

Attackers attack the backend directly.

Firewall and DDoS protection cannot shield it.

With NGINX, you run the backend only on localhost and open a path to the outside world only through NGINX.
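
One way to apply this in configuration, as an added example (not from the original page): per-client rate and connection limits in front of a loopback-only backend, with /admin restricted by address and by password. The zone names, limits and the 203.0.113.0/24 network are assumed values:

```nginx
# http context (for example a file under /etc/nginx/conf.d/)

# Track clients by address: 10 MB of state, sustained 10 requests/second each.
limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

server {
    listen 80;
    server_name api.example.com;

    # Answer throttled requests with 429 instead of the default 503.
    limit_req_status  429;
    limit_conn_status 429;

    location / {
        # Allow short bursts of 20 extra requests, reject the rest at once.
        limit_req  zone=per_ip_req burst=20 nodelay;
        # At most 20 simultaneous connections per client address.
        limit_conn per_ip_conn 20;

        # The backend listens on loopback only, so this is its sole entry point.
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /admin {
        # IP blocking: only the listed network may reach /admin ...
        allow 203.0.113.0/24;    # assumed value (documentation range)
        deny  all;
        # ... and it must also pass basic auth (both checks are required).
        satisfy all;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://127.0.0.1:3000;
    }
}
```

The limits only help if the backend itself is bound to 127.0.0.1; a backend listening on all interfaces can still be reached on port 3000 without passing through NGINX.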

Static files (HTML, CSS, JS, images) load slowly

Node.js and other backend servers are not as fast as NGINX at serving static files.

With static files, NGINX:

Caches them

Compresses them (gzip)

Serves them very quickly

Logging, monitoring and analytics are weaker

When working directly with the backend, the user's IP address may be identified incorrectly.

NGINX passes the real IP addresses to the backend through headers such as X-Real-IP and X-Forwarded-For.
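
An added example (not from the original page) of passing the client address to the backend, with the caveat that matters when the backend uses it for logging or access decisions. The X-Forwarded-Proto line and the commented realip settings with 10.0.0.0/8 are assumptions:

```nginx
server {
    listen 80;
    server_name api.example.com;

    # Only if NGINX itself sits behind another proxy or load balancer
    # (ngx_http_realip_module): take the client address from the header,
    # but only when the connection comes from that trusted proxy.
    # set_real_ip_from  10.0.0.0/8;    # assumed load balancer network
    # real_ip_header    X-Forwarded-For;
    # real_ip_recursive on;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;

        # $remote_addr is the address of the TCP peer as NGINX saw it;
        # a client cannot set it through a request header.
        proxy_set_header X-Real-IP $remote_addr;

        # $proxy_add_x_forwarded_for APPENDS $remote_addr to whatever
        # X-Forwarded-For the client sent, so the left-most entries are
        # client-controlled. The backend should trust only the last entry,
        # or NGINX can overwrite the header entirely:
        #   proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Tell the backend whether the original request was http or https.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

These headers are trustworthy only when the backend accepts connections from NGINX alone; if port 3000 is reachable directly, any client can send its own X-Real-IP.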