How to use nginx as a reverse-proxy with letsencrypt

Your infrastructure

(diagram generated via plantuml; the original image is hosted on Imgur and is not reproduced here)

Requirements

Adding a new app (subdomain)

This example shows how to add a new app, served locally (for example from a docker container) on 127.0.0.1:8080, under the subdomain app1.example.com.

  • Create a new file for this app: sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN

  • Activate it with a symlink: sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN

  • Then edit the file: sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN

server {
    server_name app1.example.com;

    # HTTP configuration
    listen 80;
    listen [::]:80;

    # HTTP to HTTPS redirect. $server_name is used instead of $host so that a
    # forged Host header cannot turn this into a redirect to an attacker's site
    # (this block answers requests for any Host if it is the default server).
    if ($scheme != "https") {
        return 301 https://$server_name$request_uri;
    }

    # HTTPS configuration: these lines are what `certbot --nginx` generates,
    # and the files they reference do not exist until certbot has run.
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/app1.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/app1.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        proxy_pass        http://127.0.0.1:8080;
        proxy_redirect    off;
        # Pass the original Host and client address through so the app can
        # build correct URLs and log the real client; X-Forwarded-Proto tells
        # it the client used HTTPS even though the hop to the backend is HTTP.
        proxy_set_header  Host              $http_host;
        proxy_set_header  X-Real-IP         $remote_addr;
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
}

The certificate and parameter files referenced in the HTTPS part do not exist yet, and nginx refuses to load a configuration that points at missing files (sudo nginx -t fails), which also stops certbot from reloading nginx to complete the challenge. So write only the HTTP part first (server_name, the two listen 80 lines, the redirect if you want it, and the location block), check it with sudo nginx -t && sudo systemctl reload nginx, and let certbot --nginx add the lines marked # managed by Certbot in the next step. The layout certbot produces may differ from the block above (it may put its own HTTP-to-HTTPS redirect in a separate server block); what matters is that the final file contains the same directives.

  • Don't forget to change:
    • app1.example.com to your (sub)domain
    • the address in proxy_pass to where your app listens

Generating letsencrypt certificates

  • Run the next command to generate your certificates:
    • sudo certbot --nginx
  • certbot reads the server_name directives of the enabled sites, obtains a certificate for the names you select, writes the lines marked # managed by Certbot into the site file and reloads nginx. Check the result with sudo nginx -t and by opening https://app1.example.com in a browser.

Managing multiple apps

  • To add another app on another subdomain, simply repeat the steps in Adding a new app with the new subdomain and the new proxy_pass address, then run sudo certbot --nginx again for the new name.
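The whole procedure (create the site file, enable it, reload nginx, request the certificate) as one parameterised script, so repeating it for each new subdomain is a single command. This is an added example, not code from the gist: the script name add_app.sh, the NGINX_ROOT override and the validation rules are assumptions. It writes only the HTTP part of the server block and lets certbot --nginx add the HTTPS lines, which avoids the missing-certificate-file problem. Because the subdomain ends up both in a file name and in a server_name, and the upstream ends up inside proxy_pass, both are validated before anything is written.

```shell
#!/bin/sh
# add_app.sh (added example): generate and enable an nginx reverse-proxy site
# for one subdomain, then ask certbot for its certificate.
#
# Usage: sudo ./add_app.sh install app1.example.com 127.0.0.1:8080
# NGINX_ROOT (default /etc/nginx) exists only so the file-writing part can be
# exercised against a scratch directory.

# The subdomain becomes a file name under sites-available and a server_name,
# so accept only a plain lowercase DNS name: no "/", "..", spaces or quotes.
validate_subdomain() {
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

# The upstream is interpolated into proxy_pass; require host:port so that a
# path, a second directive or a closing brace cannot be smuggled in.
validate_upstream() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# Print the HTTP-only server block for subdomain $1 and upstream $2.
# nginx variables are written as \$... so the shell leaves them for nginx.
render_site() {
    cat <<EOF
server {
    server_name $1;

    listen 80;
    listen [::]:80;

    location / {
        proxy_pass         http://$2;
        proxy_redirect     off;
        proxy_set_header   Host              \$http_host;
        proxy_set_header   X-Real-IP         \$remote_addr;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto \$scheme;
        proxy_read_timeout 900;
    }
}
EOF
}

# Write sites-available/<subdomain> and link it into sites-enabled.
# Returns 1 and writes nothing if either argument fails validation.
install_site() {
    root=${NGINX_ROOT:-/etc/nginx}
    validate_subdomain "$1" || { echo "refusing subdomain: $1" >&2; return 1; }
    validate_upstream "$2"  || { echo "refusing upstream: $2" >&2; return 1; }
    mkdir -p "$root/sites-available" "$root/sites-enabled"
    render_site "$1" "$2" > "$root/sites-available/$1"
    ln -sf "$root/sites-available/$1" "$root/sites-enabled/$1"
}

# Full procedure: enable the site, make sure nginx accepts it, then get the
# certificate. --redirect makes certbot add the HTTP-to-HTTPS redirect; it also
# writes the "# managed by Certbot" lines and reloads nginx when it is done.
main() {
    set -e
    install_site "$1" "$2"
    nginx -t
    systemctl reload nginx
    certbot --nginx -d "$1" --redirect
}

case "${1:-}" in
    install) main "$2" "$3" ;;
esac
```

Run it once per app (sudo ./add_app.sh install app2.example.com 127.0.0.1:8081 for the next one); certbot still asks its usual questions interactively unless you add its non-interactive flags.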

Automatic certificates refreshing

Let's Encrypt certificates are valid for 90 days and certbot renew only renews those that are within 30 days of expiry, so a weekly run is enough:

  • Create a new file in /etc/cron.weekly : sudo touch /etc/cron.weekly/certbot
  • Make it executable : sudo chmod +x /etc/cron.weekly/certbot
  • And add this code :
#!/bin/sh
# renews only the certificates that are due; with the nginx plugin certbot
# reloads nginx itself after a renewal
certbot renew

  • Check that renewal actually works before relying on it: sudo certbot renew --dry-run
  • If certbot was installed from snap or as a distribution package it already ships a scheduled renewal (a systemd timer or cron entry); check with systemctl list-timers and keep only one scheduler.
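certbot renew is silent when nothing is due, so a renewal job that has stopped working (cron never runs, the challenge fails, nginx no longer passes nginx -t) is usually noticed only when the certificate expires. The following check, added here as an example and not part of the gist, reads the certificates under /etc/letsencrypt/live directly and exits non-zero when any is closer to expiry than a threshold, or when a lineage's fullchain.pem and privkey.pem no longer belong together. The script name check-certs.sh, the 20-day default and the openssl-based checks are assumptions; 20 days is chosen because certbot renews 30 days before expiry, so a certificate that has got within 20 days means at least one renewal has already failed.

```shell
#!/bin/sh
# check-certs.sh (added example): independent check that automatic renewal
# is really working. Run it from cron or a monitoring agent.
#
# Usage: ./check-certs.sh [live-dir] [warn-days]
#        defaults: /etc/letsencrypt/live and 20 days

# cert_matches_key CERT KEY: succeed only if the first certificate in CERT
# (the leaf in fullchain.pem) carries the same public key as KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_expires_within_days CERT DAYS: succeed if CERT's notAfter is less than
# DAYS days away. openssl -checkend exits 0 while the certificate will still
# be valid at that point, so the result is negated.
cert_expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_lineage DIR DAYS: 0 if DIR/fullchain.pem is healthy, 1 otherwise.
check_lineage() {
    lineage=$1
    if cert_expires_within_days "$lineage/fullchain.pem" "$2"; then
        echo "WARN $lineage: certificate expires in less than $2 days" >&2
        return 1
    fi
    if ! cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
        echo "WARN $lineage: fullchain.pem does not match privkey.pem" >&2
        return 1
    fi
    return 0
}

# check_all LIVE_DIR DAYS: check every lineage; 1 if any of them failed.
check_all() {
    rc=0
    for dir in "$1"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        check_lineage "${dir%/}" "$2" || rc=1
    done
    return $rc
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    check_all "$1" "${2:-20}"
fi
```

Wiring it to the same cron directory as the renewal job (for example /etc/cron.weekly/check-certs running ./check-certs.sh /etc/letsencrypt/live 20) gives a warning in the cron mail before the certificate expires.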
@shubhamkakkar (author) commented:

I faced some problems as well

here is what I did

After getting my proxy established for "http" which is pretty standard

I created backup for my domains

then I went ahead and installed the required packages using the following commands (as given above)
sudo apt install snapd && sudo snap install --classic certbot

After I was done creating my http nginx proxy, I didn't go for doing any edits in my config files
I just did
sudo certbot --nginx
Which asked some questions, answered as per need, and on success it automatically generated the config with the https setup.
