How to use nginx as a reverse-proxy with letsencrypt

Your infrastructure

(infrastructure diagram, generated via plantuml, not reproduced here)

Requirements

  • install nginx :
    • sudo apt-get install nginx
  • stop nginx (certbot's standalone authenticator needs port 80 for itself, and nginx will not start anyway until the certificate files referenced in the configuration below exist) :
    • sudo service nginx stop
  • install certbot (this guide uses the standalone authenticator, so no nginx plugin is needed for issuing the certificate) :
    • sudo apt-get install certbot

Configuring nginx

  • change /etc/nginx/sites-available/default (on Debian/Ubuntu this file is symlinked into sites-enabled/, so it is loaded as-is) to :
server {
    server_name app1.example.com;

    # HTTP configuration: nothing is served over plain HTTP, every request
    # is redirected to the HTTPS block below
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}

server {
    server_name app1.example.com;

    # HTTPS configuration: TLS is terminated here, the app itself only
    # ever sees plain HTTP on the loopback interface
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/app1.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app1.example.com/privkey.pem;
    # TLS protocol/cipher settings and DH parameters shipped by certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass  http://127.0.0.1:8080;
        # Host is passed through unchanged, so redirects issued by the app
        # already carry the public name and need no rewriting
        proxy_redirect                      off;
        proxy_set_header  Host              $http_host;
        # original client address and scheme for the app's logs and
        # "is this HTTPS?" checks
        proxy_set_header  X-Real-IP         $remote_addr;
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        # allow long-running app responses before nginx gives up (seconds)
        proxy_read_timeout                  900;
    }
}

Don't worry if the two certificate files under /etc/letsencrypt/live/ don't exist yet: they are created by the certbot step below. The two other files, options-ssl-nginx.conf and ssl-dhparams.pem, are written by certbot's nginx plugin rather than by the standalone authenticator; if they are still missing after the certbot step, nginx will refuse to start (sudo nginx -t reports the missing file), so either install the nginx plugin or replace those two lines with explicit ssl_protocols and ssl_ciphers settings of your own.

  • Don't forget to change :
    • app1.example.com to your (sub)domain
    • the IP and port in proxy_pass in location / {...}
  • Make sure the app itself listens on 127.0.0.1 only. The X-Real-IP, X-Forwarded-For and X-Forwarded-Proto headers are set by nginx and can be spoofed by anyone who reaches the app directly, so the app must only trust them when the request comes from the proxy.

Generating letsencrypt certificates

  • Run the next command to generate your certificates :
    • sudo certbot certonly -d "app1.example.com" --authenticator standalone
  • The standalone authenticator answers the HTTP-01 challenge itself on port 80, so nginx must be stopped and app1.example.com must already resolve to this host from the internet. The certificate and key end up in /etc/letsencrypt/live/app1.example.com/, which is where the configuration above points.

Managing multiple apps

  • If you want to add another app (for another subdomain), simply add another pair of server {...} blocks (HTTP redirect and HTTPS) in /etc/nginx/sites-available/default, each with its own server_name and proxy_pass port. The certificate must cover every name: either issue one certificate per app (each with its own /etc/letsencrypt/live/<name>/ directory) or issue a single certificate for all names by passing several -d flags to certbot, in which case it is stored under the directory of the first name given.
server {
	server_name app1.example.com;
	[...]
	location / {
		proxy_pass	http://127.0.0.1:8080;
		[...]
	}
}

server {
	server_name app2.example.com;
	[...]
	location / {
		proxy_pass	http://127.0.0.1:8081;
		[...]
	}
}

server {
	server_name app3.example.com;
	[...]
	location / {
		proxy_pass	http://127.0.0.1:8082;
		[...]
	}
}
  • then check the configuration (sudo nginx -t) and start nginx :
    • sudo service nginx start
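The per-app layout above, together with the certbot command that has to cover every name, as an added example that is not code from the original gist: a POSIX sh script that renders one redirect block and one TLS block per app from hostname=port pairs, validates each pair before it lands in the nginx configuration, and points every block at the lineage directory certbot creates for the first -d name. The script name, hostnames, ports and output path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original gist: render the nginx server
# blocks for several proxied apps from "hostname=port" pairs and print the
# matching certbot command. Hostnames, ports and the output path in the
# usage line are placeholders.
#
# usage: sh gen-vhosts.sh app1.example.com=8080 app2.example.com=8081 \
#            | sudo tee /etc/nginx/sites-available/default
set -eu

# Refuse anything that is not a plain hostname and a numeric port, so a
# stray character can never become an extra nginx directive.
validate_pair() {
    case "$1" in
        *=*) ;;
        *) echo "expected hostname=port, got: $1" >&2; return 1 ;;
    esac
    host="${1%%=*}"
    port="${1#*=}"
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $host" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
}

# One port-80 block that only redirects, and one port-443 block that
# terminates TLS and proxies to the app on the loopback interface.
# $3 is the certbot lineage: a multi-name certificate is stored under
# /etc/letsencrypt/live/<first -d name>/, so every block points there.
render_site() {
    host="$1"; port="$2"; lineage="$3"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${host};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${host};

    ssl_certificate     /etc/letsencrypt/live/${lineage}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${lineage}/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass         http://127.0.0.1:${port};
        proxy_set_header   Host              \$http_host;
        proxy_set_header   X-Real-IP         \$remote_addr;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto \$scheme;
        proxy_read_timeout 900;
    }
}

EOF
}

# Validate every pair first, then render all of them against the lineage
# of the first hostname.
render_all() {
    for pair in "$@"; do validate_pair "$pair" || return 1; done
    lineage="${1%%=*}"
    for pair in "$@"; do
        render_site "${pair%%=*}" "${pair#*=}" "$lineage"
    done
}

# The certbot invocation that issues one certificate covering every
# hostname, in the same order, so the lineage matches render_all.
certbot_cmd() {
    args=""
    for pair in "$@"; do
        validate_pair "$pair" || return 1
        args="$args -d ${pair%%=*}"
    done
    printf 'certbot certonly --authenticator standalone%s\n' "$args"
}

if [ "$#" -gt 0 ]; then
    render_all "$@"
    echo "# issue the certificate with: $(certbot_cmd "$@")" >&2
fi
```

Pipe the output into sites-available/default, run sudo nginx -t, then (with nginx stopped) run the certbot command the script prints on stderr; the configuration is only valid once that certificate exists.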

Automatic certificates refreshing

  • Let's Encrypt certificates are valid for 90 days. Re-running certonly is not suitable for CRON (it prompts when a certificate already exists); use certbot renew instead, which renews every certificate that is within 30 days of expiry and does nothing otherwise :

    • sudo certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

This command stops nginx (so the standalone authenticator can bind port 80), renews the certificates that are due, then starts nginx again. The hooks only run when a renewal is actually attempted, so on most runs nginx is left untouched; when they do run, nginx is down for the duration of the challenge, so schedule the job at a quiet time. Many distribution packages already install a cron job or systemd timer that runs certbot renew, so check for one before adding your own.
