How To Terminate HTTPS at the Nginx Reverse Proxy Server
If you want to know how to set up a basic HTTP reverse proxy with NGINX, read "How To Setup HTTP Reverse Proxy with Nginx" first.
This article assumes that the basic HTTP reverse proxy setup is already finished.
Obtain Certificates for HTTPS Connection
The first step is to obtain a certificate for the TLS connection. As an example, this article uses the free certificates issued by Let's Encrypt.
Install Certbot
This example uses Ubuntu. Install certbot with apt.
sudo apt install certbot
sudo ln -s /usr/bin/certbot /usr/sbin/certbot
Create the directory that Nginx will serve for the Let's Encrypt HTTP-01 challenge (the -p flag creates the missing parent directories):
sudo mkdir -p /var/www/<Your domain>/.well-known/acme-challenge
Edit the Nginx config file so that the challenge directory is reachable over plain HTTP on port 80. Let's Encrypt fetches the challenge file from http://<Your domain>/.well-known/acme-challenge/<token>, so this location must not be redirected or password-protected.
##For Getting Lets Encrypt Certificates###########################
server {
    listen 80;
    server_name <Your domain>;
    # Serve only the challenge directory; everything else keeps its existing handling.
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/<Your domain>;
    }
}
Check the config syntax (both commands need root, so run them with sudo).
$ sudo nginx -t
Reload the configuration.
$ sudo nginx -s reload
Execute Certbot to get Let's Encrypt Certificates
Run the following command. Certbot starts the HTTP-01 challenge for your domain.
certbot certonly --manual -d <Your domain> -m <Your mail address>
Part way through, Certbot prints a file name and the exact content that file must contain. Create that file under the "/var/www/<Your domain>/.well-known/acme-challenge" directory, confirm from outside your network that it can be fetched at http://<Your domain>/.well-known/acme-challenge/<file name>, and then press Enter so that Let's Encrypt can validate it. Note that a certificate obtained with --manual cannot be renewed unattended by "certbot renew" unless you also supply --manual-auth-hook; because Nginx already serves the challenge directory, the --webroot authenticator (-w /var/www/<Your domain>) obtains the same certificate without prompting and renews automatically.
When the challenge completes successfully, the certificate files are created under the following directory. fullchain.pem is the certificate plus the intermediate chain and privkey.pem is the private key; keep privkey.pem readable by root only. Let's Encrypt certificates are valid for 90 days, so renewal has to be scheduled.
/etc/letsencrypt/live/<Your domain>/
Edit Configuration File for HTTPS Reverse Proxy
In this setup NGINX terminates the HTTPS connection and forwards the request to the web server over plain HTTP on port 8080. The backend therefore only ever sees HTTP, so the X-Forwarded-* headers below are what tell it the original client address and scheme.
##For HTTPS(443) To HTTP(8080)########################
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name <Your domain>;

    ## TLS settings --------------------------------------
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EECDH+AES;
    ssl_ecdh_curve X25519:prime256v1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ## Certificate Keys------------------------------------
    ssl_certificate /etc/letsencrypt/live/<Your domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<Your domain>/privkey.pem;

    keepalive_timeout 70;
    sendfile on;
    # 0 disables the request-body size limit entirely; prefer an explicit
    # limit (for example 100m) unless the backend really needs unbounded uploads.
    client_max_body_size 0;

    ## Headers passed to the backend ----------------------
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Tell the backend the client used HTTPS; without this it builds http:// URLs and redirects.
    proxy_set_header X-Forwarded-Proto $scheme;

    ##For Other HTTPS Connection To HTTP------------------
    location / {
        proxy_pass http://<Web Server address>:8080;
        # HTTP/1.1 is required for keepalive connections to the upstream.
        proxy_http_version 1.1;
        proxy_socket_keepalive on;
    }
}
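Once the HTTPS block works, the port 80 block from the certificate step should do two things: keep answering ACME challenges (so renewals do not break) and send every other request to HTTPS. The following site file is an added example and not part of the original article; it combines the two server blocks above, adds the redirect, an HSTS header, a catch-all server for requests with an unknown Host, and an explicit body-size limit. The domain, webroot, certificate paths and the 8080 backend are the placeholders used above; the file location under /etc/nginx/sites-available is an assumption.

```nginx
# /etc/nginx/sites-available/<Your domain>   (location is an assumption)

## Catch-all for requests whose Host does not match the site (or the bare IP).
# Without this, the server block below is the default and would reflect an
# arbitrary Host header into the 301 redirect (an open redirect).
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # close the connection without a response
}

##For HTTP(80): ACME challenge + redirect to HTTPS##################
server {
    listen 80;
    listen [::]:80;
    server_name <Your domain>;

    # Keep serving the challenge directory over plain HTTP so that
    # certificate renewal keeps working after the redirect is in place.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/<Your domain>;
    }

    # Everything else: permanent redirect to the HTTPS version.
    location / {
        return 301 https://$host$request_uri;
    }
}

##For HTTPS(443) To HTTP(8080)########################
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name <Your domain>;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EECDH+AES;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;   # no long-lived ticket key surviving restarts

    ssl_certificate /etc/letsencrypt/live/<Your domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<Your domain>/privkey.pem;

    # HSTS: a browser that has seen this header refuses plain HTTP to this
    # host for a year, so enable it only once HTTPS is known to work end to end.
    add_header Strict-Transport-Security "max-age=31536000" always;

    keepalive_timeout 70;
    client_max_body_size 100m;   # explicit limit instead of 0 (unlimited)

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;   # this block only ever handles TLS

    location / {
        proxy_pass http://<Web Server address>:8080;
        proxy_http_version 1.1;
        proxy_socket_keepalive on;
    }
}
```

After "sudo nginx -t" and "sudo nginx -s reload", check the result from outside: "curl -I http://<Your domain>/" should answer 301 with a Location of https://<Your domain>/, "curl -I http://<Your domain>/.well-known/acme-challenge/test" should not redirect (404 is fine until a challenge file exists), and "openssl s_client -connect <Your domain>:443 -tls1_1" should fail the handshake while "-tls1_2" succeeds and shows the Let's Encrypt chain.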
Check the config syntax.
$ sudo nginx -t
Reload the configuration.
$ sudo nginx -s reload