TL;DR — Quick Summary
Configure Nginx as a forward proxy server for HTTP and HTTPS traffic using ngx_http_proxy_connect_module. Includes authentication, access control, caching, and comparison with reverse proxy.
Using Nginx as a Forward Proxy
Forward proxying is the opposite of Nginx’s typical role. Instead of accepting incoming requests and forwarding them to backend servers (reverse proxy), a forward proxy accepts requests from clients on your network and forwards them to the internet.
Forward Proxy vs. Reverse Proxy
| Aspect | Forward Proxy | Reverse Proxy |
|---|---|---|
| Direction | Client → Proxy → Internet | Internet → Proxy → Backend |
| Who initiates? | Client (user) | External user |
| Use case | Access control, caching, anonymity | Load balancing, SSL termination |
| Client knows about proxy? | Yes (configured in browser/OS) | No (transparent) |
| Nginx designed for? | ❌ Not natively | ✅ Yes |
Use Cases for a Forward Proxy
- Bypass geo-restrictions — route traffic through a server in another country
- Web caching — cache frequently accessed content for faster access
- Access control — restrict which websites users can access
- Privacy — hide client IP addresses from destination servers
- Security monitoring — log and inspect outbound traffic
Prerequisites
Nginx does not natively support the HTTP CONNECT method needed for HTTPS forward proxying. You need to compile Nginx with the ngx_http_proxy_connect_module:
# Download the module
git clone https://github.com/chobits/ngx_http_proxy_connect_module.git
# Download Nginx source
wget https://nginx.org/download/nginx-1.27.0.tar.gz
tar xzf nginx-1.27.0.tar.gz
cd nginx-1.27.0
# Apply patch and compile
patch -p1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_102101.patch
./configure --add-module=/path/to/ngx_http_proxy_connect_module \
--with-http_ssl_module
make && sudo make installConfiguration
Basic Forward Proxy
server {
listen 8080;
server_name proxy.yourdomain.com;
# Enable CONNECT method for HTTPS
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_data_timeout 10s;
# DNS resolver
resolver 8.8.8.8 8.8.4.4 ipv6=off;
location / {
proxy_pass $scheme://$http_host$request_uri;
proxy_set_header Host $http_host;
proxy_buffers 256 4k;
proxy_max_temp_file_size 0;
}
}With Basic Authentication
server {
listen 8080;
# Require authentication
auth_basic "Proxy Authentication";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_connect;
proxy_connect_allow 443;
resolver 8.8.8.8;
location / {
proxy_pass $scheme://$http_host$request_uri;
}
}Create the password file:
sudo apt install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd proxyuserTesting
# HTTP
curl -x http://your-proxy:8080 http://example.com
# HTTPS
curl -x http://your-proxy:8080 https://example.com
# With authentication
curl -x http://proxyuser:password@your-proxy:8080 https://example.com
# Set as system proxy
export http_proxy=http://your-proxy:8080
export https_proxy=http://your-proxy:8080Nginx Forward Proxy vs. Dedicated Proxies
| Feature | Nginx (forward) | Squid | Privoxy |
|---|---|---|---|
| HTTPS proxying | ✅ (with module) | ✅ (native) | ✅ |
| Caching | Basic | Advanced (disk + memory) | ❌ |
| Content filtering | ❌ | Basic | ✅ (ad blocking) |
| ACLs | Basic (IP, auth) | Advanced (time, URL, regex) | Basic |
| Logging | Standard access log | Detailed (squidanalyzer) | Basic |
| Performance | Excellent | Good | Good |
| Already using Nginx? | ✅ No extra software | ❌ Separate install | ❌ Separate install |
Summary
Nginx can work as a forward proxy, but it requires compilation with the ngx_http_proxy_connect_module for HTTPS support. It is best suited for simple use cases where you already run Nginx and want a single tool. For advanced forward proxy features, consider Squid.