How to Configure Nginx Service on SONiC-based Open Intelligent Gateway

This guide provides step-by-step instructions to configure Nginx services on the Asterfusion Open Intelligent Gateway running AsterNOS-VPP. Leveraging Asterfusion’s unique LDP (LD_PRELOAD) architecture, AsterNOS achieves 100% compatibility with native Nginx configurations while delivering extreme concurrency performance through the VPP user-space data plane and hardware-accelerated crypto offloading.

• Scenario 1: Native Static Web Server – Utilizing the gateway’s local storage (NVMe/eMMC) to provide high-performance file hosting services.
• Scenario 2: High-Performance L7 Reverse Proxy – Acting as an application-aware intermediary to forward traffic to backend server pools.
• Scenario 3: HTTPS & SSL Termination – Terminating SSL/TLS securely at the gateway edge to simplify centralized certificate management and relieve backend computational workloads.
• Scenario 4: Upstream Load Balancing – Distributing incoming traffic across multiple real backend nodes for high availability.

Before deploying specific business scenarios, the underlying network and global Nginx parameters must be initialized.

Enter the SONiC CLI to start the Nginx process and isolate CPU cores to ensure maximum data plane performance.

To configure Nginx service in follow 3 scenarios:

This scenario demonstrates how AsterNOS serves local files through the VPP-LDP path directly to external clients.

Note: Since AsterNOS Nginx runs within a Docker container, only directories under /etc/sonic/ are persistently mounted into the container’s file system. Files placed elsewhere may be inaccessible to Nginx.

Create the static_web.conf file on the host.

Apply the configuration using AsterNOS specific commands:

  1. Client Test: Execute a request from an external client by using ‘curl -­v’ command

  2. Expected Result: The terminal should display the “Success! AsterNOS Static Web Server is ALIVE!” text with an ‘200 OK’ status:

Reverse Proxy is the most common gateway deployment. AsterNOS intercepts external traffic and transparently forwards it to the internal backend (172.16.10.100).

Note:
Please avoid having multiple server blocks listening on the same port to prevent traffic conflicts.
You can view the current configuration of Nginx by using the ‘show nginx status’ command.
If a previous configuration occupies the target port, remove it first using the ‘delete’ command:
sonic(config)# nginx delete server /home/admin/static_web.conf

Prepare proxy.conf following the official test case syntax:

Update and reload:

1. Start Backend Service: Run command on backend server(172.16.10.100) as shown in below picture. 
2. Client Test: Run curl -­v ht­tp­:­//­192.168.1.166­:­8080.
3. Backend Log Check: Return to the backend server’s terminal. You should see the access log generated by the Python HTTP server. 172.16.10.1 with 200 status.

In a typical enterprise environment, backend application servers should not be burdened with managing certificates across dozens of internal nodes.

AsterNOS serves as a unified secure boundary, terminating HTTPS traffic at the edge (SSL Termination) and proxying plain HTTP to the backend. It also provides a simplified CLI for persistent certificate management inside the containerized environment.

Do not manually copy certificates into the Linux file system, as the Nginx process runs inside an isolated container. Use the native SONiC CLI to import them into the persistent vault.

Assuming you have uploaded your commercial certificate (asterfusion.crt) and private key (asterfusion.key) to /home/admin/:

Create a new configuration file (e.g., ht­tps­_­proxy.conf) using the standardized certificate paths.

Apply the HTTPS proxy configuration and reload the service.

1. Client Test: Run curl -­v -­k ht­tps­:­//­192.168.1.166­:­8443
2. Expected Result: A successful TLS handshake (SSL connection using TLSv1.3) followed by an HT­T­P/­1.1 200 OK response with the backend content. The backend server logs will show a standard HTTP connection.

In a real-world production environment, critical applications are rarely hosted on a single server. To ensure high availability (HA) and distribute high-concurrency workloads, organizations deploy multiple identical backend servers.

AsterNOS natively supports Nginx’s upstream module, allowing the gateway to act as an intelligent Layer 7 load balancer. It distributes incoming traffic across a pool of real backend nodes using various scheduling algorithms.

In this scenario, assume you have three backend business servers located at 172.16.10.101, 172.16.10.102, and 172.16.10.103. 

Create a configuration file (e.g., load_balancer.conf). The default distribution method is Round Robin, which distributes requests sequentially and evenly.

Apply the configuration. Always use absolute paths to avoid directory context errors:

Run curl -­s ht­tp­:­//­192.168.1.166­:­8080 multiple times. You will see responses alternately and evenly coming from Node 101, 102, and 103.

When backend servers have different hardware specifications, you can assign weights to distribute traffic proportionally.

To make the first node process 3 times more traffic than the others, modify the upstream block in your file:

Reload Nginx, and execution results will show a 3:1:1 request distribution ratio.

For stateful applications (e.g., shopping carts, user logins), ensuring a specific client always reaches the same backend server is critical.

Add the ip_hash directive to bind the client’s IP to a specific node:

Reload Nginx, and multiple requests from the same client IP will consistently be routed to the exact same backend server.

This guide has successfully demonstrated the comprehensive Layer 7 application delivery capabilities of AsterNOS-VPP. By walking through real-world scenarios—from basic static file hosting to complex, high-availability upstream load balancing and secure SSL termination—we have verified the gateway’s readiness for enterprise deployments.