Web Servers Basic Operations Nginx & Apache, Virtual Hosts, Reverse Proxy, Logs, TLS

Web servers basics: request lifecycle, virtual hosts, DocumentRoot, static vs dynamic, reverse proxy, logs, TLS, compression, and quick troubleshooting.

What a Web Server Does

• Listens on 80/443 for HTTP/HTTPS.
• Static content: returns files from DocumentRoot with the right MIME type.
• Dynamic content: proxies to an application process (e.g., Node, Gunicorn/UWSGI, PHP-FPM).
• Implements redirects, security headers, caching, compression, and logging.

Request Lifecycle (Server View)

1. TCP/TLS connection established on 80/443.
2. Server matches the Host header to a virtual host.
3. If the path points to a static file, serve it with headers.
4. Else, route via reverse proxy to the app, receive response, and return to client.
5. Write access/error logs; apply gzip/brotli, caching, and security headers.

Core Concepts

• DocumentRoot: Folder that maps URL paths to files (e.g., /var/www/example.com/public).
• Index files: index.html (or index.php) sent for a directory request.
• MIME types: Content-Type: text/html, image/webp, etc.
• Directory listing: Off by default in production; enable only if needed.

Virtual Hosts (Server Blocks)

Host multiple sites on one server using SNI + Host header. Each host has its own root, logs, and TLS config.

Static vs Dynamic (Reverse Proxy)

• Static: images, CSS, JS, docs.
• Dynamic: API routes, server-rendered pages.
• Use proxy_pass (Nginx) or ProxyPass (Apache) to forward to application servers (localhost:3000, unix:/run/php/php-fpm.sock, 127.0.0.1:8000, etc.).

Logs

• Access log: one line per request (method, path, status, bytes, referer, user-agent, request time).
• Error log: startup errors, config issues, upstream timeouts, TLS problems.

Quick reads:

# See live traffic
sudo tail -f /var/log/nginx/access.log
sudo tail -f /var/log/apache2/access.log

# Find slow responses (Nginx if $request_time logged)
grep -E ' [45][0-9]{2} ' /var/log/nginx/access.log | tail -n 50

HTTPS/TLS

• Store private keys securely; use proper cert chain.
• Force HTTPS with 301 redirect and enable HSTS.
• Renew certificates (e.g., Certbot) and monitor expiry.
• Prefer modern protocols/ciphers; enable HTTP/2, and HTTP/3 if available.

Compression & Caching

• Enable gzip (and brotli if supported) for text assets.
• Set Cache-Control and ETag for static files; use long TTL for versioned assets.
• Respect Vary headers (e.g., Accept-Encoding).

Quick Starts

Nginx (server block + reverse proxy)

server {
  listen 80;
  server_name example.com www.example.com;

  root /var/www/example.com/public;
  index index.html;

  location /assets/ {
    # long cache for versioned assets
    expires 30d;
    add_header Cache-Control "public, max-age=2592000, immutable";
  }

  location / {
    try_files $uri @app;   # serve static if exists
  }

  location @app {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://127.0.0.1:3000;
  }

  access_log /var/log/nginx/example.access.log;
  error_log  /var/log/nginx/example.error.log warn;
}

Service basics:

sudo systemctl enable nginx
sudo systemctl restart nginx
sudo nginx -t   # validate config

Apache HTTP Server (vhost + proxy)

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/example.com/public
  DirectoryIndex index.html

  # Static cache
  <Location "/assets/">
    Header set Cache-Control "public, max-age=2592000, immutable"
  </Location>

  # Reverse proxy to app
  ProxyPreserveHost On
  ProxyPass        "/" "http://127.0.0.1:3000/"
  ProxyPassReverse "/" "http://127.0.0.1:3000/"

  ErrorLog  ${APACHE_LOG_DIR}/example.error.log
  CustomLog ${APACHE_LOG_DIR}/example.access.log combined
</VirtualHost>

Modules & service:

sudo a2enmod proxy proxy_http headers
sudo systemctl enable apache2
sudo systemctl restart apache2
sudo apachectl configtest

Hands-On Mini Lab

1. Create /var/www/demo/public/index.html with a hello page.
2. Configure Nginx or Apache vhost pointing to that root.
3. Add a simple Node/Flask/PHP-FPM app on localhost:3000 and configure reverse proxy.
4. Enable gzip and set Cache-Control on /assets.
5. Visit the site, then check access and error logs; note status codes and response times.

Troubleshooting Cheatsheet

• 403 Forbidden: wrong file owner/perms; web user can’t read directory; SELinux/AppArmor.
• 404 Not Found: bad root or missing try_files/FallbackResource.
• 502/504 Gateway: app crashed, wrong upstream address/socket, or timeout too low.
• Redirect loops: duplicate HTTP→HTTPS rules or app-level redirects.
• Certificate “incomplete chain”: serve full chain; update intermediate CA.
• Large file downloads fail: adjust client_max_body_size (Nginx) or LimitRequestBody (Apache).

The approach followed at E Lectures reflects both academic depth and easy-to-understand explanations.

Summary

• Organize sites with virtual hosts.
• Serve static directly; send dynamic to an app server via reverse proxy.
• Watch access/error logs; they tell you nearly everything.
• Ship HTTPS with proper cert chains and HSTS.
• Boost performance with caching and compression.

People also ask: