Introduction
In this post we will go over setting up an NGINX reverse proxy to make different web services reachable from the outside world. We will also cover setting up auto-renewing SSL certificates.
Why not just port forward the services? It does the same thing, right? Reverse proxies are a great way to expose web services to the outside world in a more secure and customisable manner. Some of the features that a reverse proxy provides are as follows:
- Host multiple services using the same HTTP/HTTPS ports
- Hides the origin server
- HTTPS TLS encryption
- Caching
- Compression
Creating a Reverse Proxy
Prerequisites
- a server to act as the reverse proxy
- a web server
- a registered domain name
- A records set up for the domain name
Install NGINX
I’ll be using the apt package manager as I’m on Ubuntu Server; this may differ for you.
Update packages, then install NGINX:
sudo apt update
sudo apt install nginx
Now we want to enable NGINX so the program will start when the server boots
sudo systemctl enable --now nginx
Firewall
Quick Note: now is a good time to port forward ports 80 and 443 from the router to the reverse proxy
Ubuntu Server comes with a firewall (ufw), so be sure to allow access to NGINX and enable the firewall.
The reverse proxy handles both HTTP and HTTPS, so allow “Nginx Full”:
sudo ufw allow 'Nginx Full'
If you are using SSH, allow it through before enabling the firewall so you don’t lock yourself out:
sudo ufw allow 'OpenSSH'
Configure NGINX
Unlink the default NGINX config
sudo unlink /etc/nginx/sites-enabled/default
Create NGINX Config
Create a config file in /etc/nginx/sites-available
Quick Note: use whichever text editor you want, I’m using vim
sudo vim /etc/nginx/sites-available/blog.conf
server {
    listen 80;
    server_name blog.example.com;
    location / {
        proxy_pass http://ip-of-server:port;
    }
}
- server_name is the domain name you want to use; this can include sub-domains
- proxy_pass is the address of the web server (IP and port) that requests are forwarded to
Enable NGINX Config
To activate a config file we need to link the file from the sites-available folder to sites-enabled.
Pro Tip: make sure to use full paths when creating symlinks
sudo ln -s /etc/nginx/sites-available/blog.conf /etc/nginx/sites-enabled/blog.conf
Check the config. This is an important step, as it warns you of any errors before NGINX is reloaded:
sudo nginx -t
If the output looks similar to the below then you’re good to go !!
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Now restart the NGINX service
sudo systemctl restart nginx
You should now have a working reverse proxy !!
Setting up SSL
Prerequisites
- Make sure HTTP and HTTPS are port forwarded to the reverse proxy
- Make sure server_name is set in the config file you created
Installing Certbot
Certbot is a tool that requests an SSL certificate and makes sure it is renewed when needed. Install Certbot as well as the Python NGINX plug-in:
sudo apt install certbot python3-certbot-nginx
Quick Note: double check firewall rules
Request SSL Certificate
Now all we need to do is request the certificate !!
sudo certbot --nginx -d blog.example.com
- --nginx specifies we are using NGINX; this will update the config file we created to allow the use of SSL
- -d is the domain name you want to use
If this is the first time running Certbot you will be asked to enter an email address and agree to the terms of service.
If the certificate request is successful you will be prompted with:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
If you want all traffic to be SSL encrypted, choose option 2.
That’s it, we have SSL certificates installed. You will need a new certificate for each different domain name or subdomain.
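As an added illustration (not taken from the original post), this is roughly the shape blog.conf ends up in after running Certbot with the NGINX plug-in and choosing option 2. The lines marked "managed by Certbot" are the plug-in's edits; the proxy_set_header lines are an assumed addition so the backend sees the original host, client IP and scheme, and ip-of-server:port is still the post's placeholder.

```nginx
# /etc/nginx/sites-available/blog.conf after `certbot --nginx`, option 2 (redirect)

# HTTPS server: the original block, now listening on 443 with the certificate.
server {
    server_name blog.example.com;

    location / {
        proxy_pass http://ip-of-server:port;   # placeholder from the post, substitute your backend

        # Assumed additions, not written by Certbot: pass the original request
        # details to the backend, which otherwise only sees the proxy's address.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/blog.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# HTTP server: only redirects to HTTPS, nothing is proxied over plain HTTP.
server {
    if ($host = blog.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name blog.example.com;
    return 404; # managed by Certbot
}
```

After any manual edit, run sudo nginx -t and restart NGINX as before. The backend should only trust the forwarded headers if it is reachable solely through the proxy.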
Verify Auto Renewal
All we need to do now is make sure that Certbot can automatically renew certificates.
sudo certbot renew --dry-run
If you see no errors then you are ready to go.
Conclusion
By following this you have hopefully managed to set up an NGINX reverse proxy to handle incoming HTTP/HTTPS requests as well as configured automatically renewing SSL certificates.
This post barely scratches the surface of what NGINX can do. I would highly recommend reading more into this great piece of software !!
My reverse proxy handling non existent traffic
Give it a few months and this blog will …