How to Use Tcp/udp Streams in Nginx

Learning how to use TCP/UDP streams in Nginx opens up powerful possibilities for load balancing and proxying non-HTTP traffic like database connections, mail servers, and real-time applications. The stream module extends Nginx beyond its traditional HTTP proxy capabilities, allowing you to handle TCP and UDP traffic efficiently. This tutorial will guide you through configuring stream blocks, setting up upstream servers, and implementing load balancing for various protocols.

Nginx’s stream module provides layer 4 load balancing capabilities. This means you can distribute traffic based on IP addresses and ports rather than HTTP content. You’ll learn to configure database proxying, mail server load balancing, and UDP traffic handling. By the end of this guide, you’ll have practical knowledge of implementing stream configurations for production environments.

Prerequisites and Requirements for TCP/UDP Streams in Nginx

Before you begin implementing TCP/UDP streams in Nginx, ensure you meet these requirements. You need root access to your server and Nginx compiled with the stream module. Most modern Nginx installations include this module by default, but older versions might require recompilation.

Your system should run Ubuntu 20.04 or later, CentOS 8+, or similar Linux distributions. You’ll need at least 2GB of RAM and sufficient network bandwidth for your intended traffic load. Basic understanding of Nginx configuration syntax and server administration is assumed.

Check if your Nginx installation includes the stream module by running:

nginx -V 2>&1 | grep -o with-stream

If the command returns “with-stream”, you’re ready to proceed. Otherwise, you’ll need to install or recompile Nginx with stream support. The estimated completion time for this tutorial is 45-60 minutes, depending on your specific use case complexity.

Step-by-Step Guide to Configuring TCP/UDP Streams in Nginx

This event shares similarities with: VPN on Linode using Debian (PPTP)

Step 1: Create the Stream Configuration Directory

First, create a dedicated directory for stream configurations to keep your setup organized. This separation helps maintain clean configuration files and makes troubleshooting easier.

sudo mkdir -p /etc/nginx/streams-available
sudo mkdir -p /etc/nginx/streams-enabled

Create a symbolic link structure similar to sites-available and sites-enabled directories. This approach follows Nginx best practices and makes configuration management more straightforward.

Step 2: Modify the Main Nginx Configuration

Edit the main Nginx configuration file to include the stream block. The stream context must be placed at the same level as the http block, not inside it.

sudo nano /etc/nginx/nginx.conf

Add the following stream block after the http block but before the closing brace:

stream {
    include /etc/nginx/streams-enabled/;
}

This configuration tells Nginx to load all stream configurations from the streams-enabled directory. Save the file and exit the editor.

Step 3: Configure TCP Load Balancing

Create your first stream configuration for TCP load balancing. This example demonstrates load balancing MySQL database connections across multiple backend servers.

sudo nano /etc/nginx/streams-available/mysql-lb.conf

Add the following configuration:

upstream mysql_backend {
    server 192.168.1.10:3306 weight=3;
    server 192.168.1.11:3306 weight=2;
    server 192.168.1.12:3306 weight=1 backup;
}

server {
    listen 3306;
    proxy_pass mysql_backend;
    proxy_timeout 1s;
    proxy_responses 1;
    error_log /var/log/nginx/mysql_lb.log;
}

This configuration creates an upstream group with three MySQL servers. The weight parameter controls traffic distribution, and the backup server only receives traffic when primary servers are unavailable.

Step 4: Enable the Stream Configuration

Create a symbolic link to enable your stream configuration:

sudo ln -s /etc/nginx/streams-available/mysql-lb.conf /etc/nginx/streams-enabled/

Test the configuration syntax before applying changes:

sudo nginx -t

If the test passes, reload Nginx to apply the new configuration:

sudo systemctl reload nginx

Step 5: Configure UDP Load Balancing

UDP traffic requires different handling due to its connectionless nature. Create a configuration for UDP load balancing, such as DNS servers:

sudo nano /etc/nginx/streams-available/dns-lb.conf

Add the UDP-specific configuration:

upstream dns_backend {
    server 8.8.8.8:53;
    server 8.8.4.4:53;
    server 1.1.1.1:53 backup;
}

server {
    listen 53 udp;
    proxy_pass dns_backend;
    proxy_timeout 1s;
    proxy_responses 1;
    proxy_bind $remote_addr transparent;
    error_log /var/log/nginx/dns_lb.log;
}

The key difference is the udp parameter in the listen directive. The proxy_responses directive tells Nginx how many expected responses to wait for before considering the request complete.

Step 6: Implement Health Checks and Monitoring

Configure health checks to ensure backend servers remain available. Add health check parameters to your upstream configuration:

upstream mysql_backend {
    server 192.168.1.10:3306 weight=3 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:3306 weight=2 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:3306 weight=1 backup;
}

These parameters define failure detection thresholds. A server becomes unavailable after three consecutive failures and remains marked down for 30 seconds before Nginx attempts to use it again.

Step 7: Configure SSL/TLS Termination for TCP Streams

For applications requiring SSL/TLS termination, configure certificate handling within the stream block. This example shows SSL termination for a secure database connection:

server {
    listen 3307 ssl;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    proxy_pass mysql_backend;
}

Enable the configuration and test the setup thoroughly before deploying to production environments.

Troubleshooting Common Issues with TCP/UDP Streams in Nginx

When implementing TCP/UDP streams in Nginx, several common issues may arise. Connection timeouts often occur due to incorrect proxy_timeout values. Increase timeout values for long-running connections or applications with high latency.

If backend servers appear unavailable despite being online, check firewall rules and network connectivity. Verify that Nginx can reach backend servers on specified ports using telnet or nc commands.

UDP load balancing issues frequently stem from incorrect proxy_responses values. Monitor your application’s response patterns and adjust accordingly. Some UDP applications send multiple responses per request, requiring higher proxy_responses values.

Log analysis provides valuable troubleshooting information. Check stream-specific log files for connection errors and backend server status. The official Nginx stream module documentation contains detailed parameter explanations and troubleshooting guidance.

For performance optimization, monitor connection counts and adjust worker_connections in the main Nginx configuration. Stream connections consume fewer resources than HTTP connections but still require proper sizing for high-traffic environments.

Advanced Stream Configuration and Best Practices

Advanced stream configurations support complex routing scenarios and enhanced security features. Implement IP-based routing using the map directive to direct traffic based on client addresses or other variables.

Session persistence ensures clients connect to the same backend server consistently. Use the ip_hash directive in upstream blocks for applications requiring session affinity:

upstream app_backend {
    ip_hash;
    server 192.168.1.20:8080;
    server 192.168.1.21:8080;
    server 192.168.1.22:8080;
}

Rate limiting prevents abuse and ensures fair resource distribution. Configure connection limits using limit_conn_zone and limit_conn directives within stream contexts. This protection helps maintain service availability during traffic spikes.

Security hardening includes implementing access controls and connection limits. Use allow and deny directives to restrict access to specific IP ranges. The Nginx Plus documentation provides additional security configuration examples.

Monitor stream performance using built-in status modules or external monitoring tools. Track connection counts, response times, and backend server health to maintain optimal performance. Regular monitoring helps identify bottlenecks before they impact users.

Performance tuning involves adjusting buffer sizes, connection limits, and timeout values based on your specific traffic patterns. Test different configurations under load to find optimal settings for your environment.

You’ve successfully learned how to use TCP/UDP streams in Nginx for advanced load balancing scenarios. The stream module extends Nginx capabilities beyond HTTP traffic, enabling efficient handling of database connections, mail servers, and other TCP/UDP applications. Your configuration now supports health checks, SSL termination, and performance optimization features. Continue exploring advanced features like session persistence and rate limiting to further enhance your stream configurations. Regular monitoring and maintenance ensure optimal performance as your traffic patterns evolve.