TCP/UDP – Access via NGINX

warning

⚠️ All configurations in this manual are simple and hypothetical examples. Adapt according to your environment topology.

🔁 Introduction

The stream module of NGINX allows redirection of TCP and UDP traffic directly at the transport layer.

This is useful to publish services such as:

MySQL / PostgreSQL (TCP)
RDP / FTP (TCP)
SNMP (UDP)

🛠️ Step 1 – Editing nginx-jelastic.conf

Open the file /etc/nginx/nginx-jelastic.conf and add the following outside the http {} block, usually at the end of the file:

stream {
  log_format basic '$remote_addr $server_port [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';
  include /etc/nginx/conf.d/stream/*.conf;
}

💾 Save after editing.

📁 Step 2 – Creating the configuration directory

Create the configuration folder for stream:

mkdir -p /etc/nginx/conf.d/stream

⚙️ Configuring the TCP Proxy

This example redirects MySQL connections (port 3306) through NGINX to another internal server:

# Arquivo: /etc/nginx/conf.d/stream/mysql_tcp.conf

server {
  listen 33090;
  listen [::]:33090;

  proxy_pass 10.101.10.10:3306;

  access_log /var/log/nginx/mysql_tcp.log basic;
}

⚙️ Configuring the UDP Proxy

This example redirects SNMP (port 161) to an internal server via UDP:

# Arquivo: /etc/nginx/conf.d/stream/snmp_udp.conf

server {
  listen 161 udp;
  listen [::]:161 udp;

  proxy_pass 10.10.10.50:161;

  access_log /var/log/nginx/snmp_udp.log basic;
}

:::tip

🧩 Understanding the `server` block (TCP/UDP)

Each redirection configuration uses a server block inside the stream module. Below we objectively explain what each directive used represents:

server {
  listen 33090;
  listen [::]:33090;

  proxy_pass 10.101.10.10:3306;

  access_log /var/log/nginx/mysql_tcp.log basic;
}

🔈 `listen`

The listen directive specifies which port NGINX will listen for external connections.
It is possible to use a different port than the original application port. For example, if the MySQL service runs on port 3306, you can configure NGINX to listen on port 33090 externally, which helps secure standard ports.

Additionally, listen [::]:PORTA allows listening for IPv6 connections on the same port.

✅ This is useful to publish internal services using a public port.

🔁 `proxy_pass`

Defines the internal IP address and destination port where NGINX will forward the received connection.
In this example, traffic arriving on port 33090 will be redirected to MySQL running on 10.101.10.10:3306.

📝 `access_log`

Logs accesses to the redirected service, using the log format defined earlier (basic).
The log file path can be customized according to the service, facilitating later analysis.

:::

note

Make sure to open in the firewall the ports configured in NGINX's listen directive

🔄 Step 3 – Restarting NGINX

After configuration, restart NGINX to apply the changes

✅ External usage example

🎯 Accessing MySQL (TCP)

NGINX IP: 203.0.113.10
External port: 33090

mysql -h 203.0.113.10 -P 33090 -u root -p

📚 Useful links

Official NGINX Stream Documentation

🔁 Introduction​

🛠️ Step 1 – Editing nginx-jelastic.conf​

📁 Step 2 – Creating the configuration directory​

⚙️ Configuring the TCP Proxy​

⚙️ Configuring the UDP Proxy​

:::tip​

🧩 Understanding the server block (TCP/UDP)​

🔈 listen​

🔁 proxy_pass​

📝 access_log​

🔄 Step 3 – Restarting NGINX​

✅ External usage example​

🎯 Accessing MySQL (TCP)​

📚 Useful links​