
  1. @gmolveau gmolveau revised this gist Jan 10, 2021. 1 changed file with 21 additions and 44 deletions.
    65 changes: 21 additions & 44 deletions how_to_reverseproxy_proxypass_nginx_letsencrypt.md
    @@ -9,15 +9,21 @@
    ## Requirements

    - install **nginx** :
    - `sudo apt-get install nginx`
    - `sudo apt install nginx`
    - stop **nginx** :
    - `sudo service stop nginx`
    - install letsencrypt **certbot** + nginx addon :
    - `sudo apt-get install certbot`
    - install letsencrypt **certbot** : (check here for other distros : https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx)
    - `sudo apt install snapd && sudo snap install --classic certbot`

    ## Configuring nginx
    ## Adding a new app (subdomain)

    - change `/etc/nginx/sites-available/default` to :
    > this example shows how to add a new app, served locally (via docker) on `127.0.0.1:8080` for the subdomain `app1.example.com`.
    - create a new file for this app : `sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN`

    - and activate this file : `sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN`

    - then edit the file with : `sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN`

    ```
    server {
    @@ -56,53 +62,24 @@ server {
    - Don't forget to change :
    - `app1.example.com` by your (sub)domain
    - the IP in `proxy_pass` in `location / {...}`
    - the info in `proxy_pass`

    ## Generating letsencrypt certificates

    - Run the next command to generate your certificates :
    - `sudo certbot certonly -d "app1.example.com" --authenticator standalone`
    - `sudo certbot --nginx`

    ## Managing multiple apps

    - If you want to add another app (for another subdomain), simply add another `server {...}` part in `/etc/nginx/sites-available/default`.

    ```
    server {
    server_name app1.example.com;
    [...]
    location / {
    proxy_pass http://127.0.0.1:8080;
    [...]
    }
    }
    server {
    server_name app2.example.com;
    [...]
    location / {
    proxy_pass http://127.0.0.1:8081;
    [...]
    }
    }
    server {
    server_name app3.example.com;
    [...]
    location / {
    proxy_pass http://127.0.0.1:8082;
    [...]
    }
    }
    ```

    - then restart nginx :
    - `service nginx start`
    - If you want to add another app (for another app/subdomain), simply repeat the process in `Adding a new app`.

    ## Automatic certificates refreshing

    - You can use the next command as a CRON to update your certificates :
    - Create a new file in `/etc/cron.weekly` : `sudo touch /etc/cron.weekly/certbot`
    - Make it executable : `sudo chmod +x /etc/cron.weekly/certbot`
    - And add this code :

    - `sudo certbot certonly -d "app1.example.com" -d "app2.example.com" --authenticator standalone --pre-hook "service nginx stop" --post-hook "service nginx start"`

    This command will stop nginx, refresh the certificates, then restart nginx.\
    ```
    #!/bin/sh
    certbot renew
    ```
  2. @gmolveau gmolveau revised this gist Jan 10, 2021. 1 changed file with 25 additions and 25 deletions.
    50 changes: 25 additions & 25 deletions how_to_reverseproxy_proxypass_nginx_letsencrypt.md
    @@ -21,34 +21,34 @@

    ```
    server {
    server_name app1.example.com;
    # HTTP configuration
    listen 80;
    listen [::]:80;
    server_name app1.example.com;
    # HTTP configuration
    listen 80;
    listen [::]:80;
    # HTTP to HTTPS
    if ($scheme != "https") {
    return 301 https://$host$request_uri;
    return 301 https://$host$request_uri;
    } # managed by Certbot
    # HTTPS configuration
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/app1.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/app1.example.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
    ssl_session_timeout 1440m; # managed by Certbot
    location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 900;
    }
    # HTTPS configuration
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/app1.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/app1.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 900;
    }
    }
    ```

  3. Grégoire MOLVEAU revised this gist Oct 10, 2018. 1 changed file with 3 additions and 0 deletions.
    3 changes: 3 additions & 0 deletions how_to_reverseproxy_proxypass_nginx_letsencrypt.md
    @@ -96,6 +96,9 @@ server {
    }
    ```

    - then restart nginx :
    - `service nginx start`

    ## Automatic certificates refreshing

    - You can use the next command as a CRON to update your certificates :
  4. Grégoire MOLVEAU revised this gist Oct 10, 2018. 1 changed file with 93 additions and 17 deletions.
    110 changes: 93 additions & 17 deletions how_to_reverseproxy_proxypass_nginx_letsencrypt.md
    @@ -1,29 +1,105 @@
    # How to use nginx as a reverse-proxy with letsencrypt

    ## Your infrastructure

    > generated via [plantuml](http://www.plantuml.com/plantuml)
    ![Imgur](https://i.imgur.com/LiqEo11.png)

    ## Requirements

    - install **nginx** :
    - `sudo apt-get install nginx`
    - stop **nginx** :
    - `sudo service stop nginx`
    - install letsencrypt **certbot** + nginx addon :
    - `sudo apt-get install certbot`

    ## Configuring nginx

    - change `/etc/nginx/sites-available/default` to :

    ```
    server {
    server_name app1.example.com;
    # HTTP configuration
    listen 80;
    listen [::]:80;
    server_name sub.example.com;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/sub.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sub.example.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
    ssl_session_timeout 1440m; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
    ssl_prefer_server_ciphers on; # managed by Certbot
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot

    # Redirect non-https traffic to https
    # HTTP to HTTPS
    if ($scheme != "https") {
    return 301 https://$host$request_uri;
    } # managed by Certbot
    # HTTPS configuration
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/app1.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/app1.example.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
    ssl_session_timeout 1440m; # managed by Certbot
    location / {
    proxy_pass http://127.0.0.1:8443;
    proxy_redirect off;
    proxy_set_header Host $http_host; # required for docker client's sake
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 900;
    }
    }
    }
    ```

    > don't worry if those files don't exist yet, they will be created in just a moment.
    - Don't forget to change :
    - `app1.example.com` by your (sub)domain
    - the IP in `proxy_pass` in `location / {...}`

    ## Generating letsencrypt certificates

    - Run the next command to generate your certificates :
    - `sudo certbot certonly -d "app1.example.com" --authenticator standalone`

    ## Managing multiple apps

    - If you want to add another app (for another subdomain), simply add another `server {...}` part in `/etc/nginx/sites-available/default`.

    ```
    server {
    server_name app1.example.com;
    [...]
    location / {
    proxy_pass http://127.0.0.1:8080;
    [...]
    }
    }
    server {
    server_name app2.example.com;
    [...]
    location / {
    proxy_pass http://127.0.0.1:8081;
    [...]
    }
    }
    server {
    server_name app3.example.com;
    [...]
    location / {
    proxy_pass http://127.0.0.1:8082;
    [...]
    }
    }
    ```

    ## Automatic certificates refreshing

    - You can use the next command as a CRON to update your certificates :

    - `sudo certbot certonly -d "app1.example.com" -d "app2.example.com" --authenticator standalone --pre-hook "service nginx stop" --post-hook "service nginx start"`

    This command will stop nginx, refresh the certificates, then restart nginx.\
  5. Grégoire MOLVEAU renamed this gist Oct 10, 2018. 1 changed file with 0 additions and 0 deletions.
  6. Grégoire MOLVEAU created this gist Oct 10, 2018.
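--- /dev/null
+++ b/nginx_proxy.conf
@@ -0,0 +1,29 @@
+server {
+listen 80;
+listen [::]:80;
+server_name sub.example.com;
+
+listen 443 ssl; # managed by Certbot
+ssl_certificate /etc/letsencrypt/live/sub.example.com/fullchain.pem; # managed by Certbot
+ssl_certificate_key /etc/letsencrypt/live/sub.example.com/privkey.pem; # managed by Certbot
+ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
+ssl_session_timeout 1440m; # managed by Certbot
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
+ssl_prefer_server_ciphers on; # managed by Certbot
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot
+
+# Redirect non-https traffic to https
+if ($scheme != "https") {
+return 301 https://$host$request_uri;
+} # managed by Certbot
+
+location / {
+proxy_pass http://127.0.0.1:8443;
+proxy_redirect off;
+proxy_set_header Host $http_host; # required for docker client's sake
+proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_read_timeout 900;
+}
+}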
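Review bot: The TLS policy in this server block still accepts TLS 1.0 and 1.1 (`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`) and the `ssl_ciphers` list ends with the 3DES suite `EDH-RSA-DES-CBC3-SHA` plus several CBC/SHA-1 suites, all of which are deprecated (RFC 8996, Sweet32) and will be flagged by any TLS scanner despite the `# managed by Certbot` tags. These look like settings copied from an old certbot template rather than anything that must stay as-is, so I would replace the three `ssl_protocols`/`ssl_prefer_server_ciphers`/`ssl_ciphers` lines with `ssl_protocols TLSv1.2 TLSv1.3;` and `include /etc/letsencrypt/options-ssl-nginx.conf;` (plus `ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;` for the DHE suites), which certbot keeps current on renewal. Since this block serves both port 80 and 443 and redirects with `return 301 https://$host$request_uri;`, note that `$host` is taken from the client's Host header; if this is the only vhost it is probably fine, but a dedicated port-80 `server {}` with `return 301 https://$server_name$request_uri;` avoids the `if` block and the untrusted-Host redirect. Consider also adding `add_header Strict-Transport-Security "max-age=31536000" always;` once the HTTPS path is confirmed working.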