This is part one of a two-part series on using NGINX as a reverse proxy for microservices running on the same server or hosted on other servers/ports.

Click here for part two.

In this article, we will:

  • Install NGINX
  • Install LetsEncrypt CertBot
  • Obtain free SSL certificate
  • Configure NGINX for SSL

In part two, we will go over how to turn the basic HTTPS encrypted NGINX site into a reverse proxy for your other services.

Installing NGINX and CertBot Auto

We are using Ubuntu 14.04.5.

Download certbot-auto to the /usr/local/sbin directory

Make sure it is executable:

 

Install NGINX

 

Modify default config

Certbot validates your domain by requesting a file from a .well-known directory on your site before a certificate is issued. This is how we will obtain our SSL certificate, so your HTTP/HTTPS ports must already be open on your firewall and your DNS must already point to your server’s IP when we run the script.

We need to add a snippet to our default site config for this validation.

Open the config in nano

 

In your config, somewhere between the “server {” opening tag and the corresponding “}” closing tag, add the following snippet:

 

It might look something like this:

Save and quit the editor.

Check the configuration file for syntax errors:

As long as there are no errors, restart NGINX

Let’s Encrypt!

Here is where we request a free SSL cert, specifying our domain names with the -d option. If you want a single cert to work with multiple domain names (e.g. example.com and www.example.com), be sure to include all of them, starting with the highest-level domain (e.g. example.com).

Replace example.com entries with your own domain.

If this succeeds, the script will tell you so and show you the directory locations of your certificates.

Next, it’s recommended to generate a strong Diffie-Hellman group.

 

Finishing up

We’re almost done. We just need to enable the new SSL settings and define the SSL cert location in your site config.

Edit the Nginx configuration that contains your server block. Again, it’s at /etc/nginx/sites-available/default by default:

 

Basically, you can clear or comment out most of this file. You want yours to look like this: (make sure to replace example.com with your domain name)

 

With the configuration above, you are automatically redirected to HTTPS any time you try to use HTTP. It utilizes the DH group we generated earlier and also defines the location of our SSL certs.
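A server configuration matching that description, added here as an example and not the author's original file. The certificate paths are Certbot's default live directory for example.com; the dhparam.pem path and the TLS protocol setting are assumptions.

```nginx
# Added example, not the original post's configuration.

# Port 80: answer validation requests, redirect everything else to HTTPS.
server {
    listen 80;
    server_name example.com www.example.com;

    # Keep the .well-known validation path reachable over plain HTTP
    # so certificate issuance and later renewals still work.
    location ^~ /.well-known/ {
        root /usr/share/nginx/html;
        allow all;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the encrypted site served from the document root.
server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Certbot's default output location, named after the first -d domain.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Assumed path: point this at the Diffie-Hellman group generated earlier.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Assumed hardening choices, not taken from the original post.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    root /usr/share/nginx/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Every directive must end with a semicolon; `nginx -t` reports a missing one before you restart the service.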

Save your configuration.

Check it for errors:

If there are no errors in your config, go ahead and restart the NGINX service to make the changes go live.

Testing

If your NGINX config test didn’t fail and you were able to restart the nginx service without an error, go ahead and browse to your domain. The SSL cert will be valid if everything went well.

You should see the default nginx page when browsing to your domain, as right now, you’re only hosting out of your document root:

/usr/share/nginx/html

You can analyze your SSL certificate and perform tests on it with:

 

This concludes part 1 of how to install and configure NGINX to act as a reverse proxy.

 

In summary, right now, our Ubuntu 14.04.5 server is running NGINX on ports 80 and 443, and when browsing to the domain name, we are automatically redirected to the HTTPS site. The site is encrypted with a valid, free SSL certificate from Let’s Encrypt, but we still need to configure the site blocks for our reverse proxy.

Please feel free to comment with your experiences or if you have any problems/comments.

Look out for part two coming soon.


3 Comments

scottocsscott · September 26, 2017 at 8:25 pm

I doubt this has to do with me installing it on Ubuntu 16.04, but in the final /etc/nginx/sites-available/default file on line 21, I had to add the ending ‘; to the line.
