How To Terminate HTTPS at the Nginx Reverse Proxy Server

Infrastructure, Nginx, Reverse Proxy

If you want to know how to set up a basic HTTP reverse proxy with NGINX, read "How To Setup HTTP Reverse Proxy with Nginx" first.

This article assumes that the basic HTTP reverse proxy setup is already finished.

Obtain Certificates for HTTPS Connection

As a first step, you need a certificate for the TLS connection. This example uses a free certificate from Let's Encrypt.

Install Certbot

This example is for Ubuntu. Install certbot with apt.

sudo apt install certbot
# Optional: only needed if /usr/bin is not on root's PATH
sudo ln -s /usr/bin/certbot /usr/sbin/certbot

Create the challenge directory that nginx will serve during the Let's Encrypt validation

sudo mkdir -p /var/www/<Your domain>/.well-known/acme-challenge

Edit the nginx config file so that the challenge directory is reachable over plain HTTP on port 80 (the ACME HTTP-01 validation always arrives on port 80).

##For Getting Lets Encrypt Certificates###########################
server {
    listen 80;
    server_name <Your domain>;

    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/<Your domain>;
    }
}

Check the config syntax.

$ sudo nginx -t

Reload the config.

$ sudo nginx -s reload

Execute Certbot to get Let’s Encrypt Certificates

Run the following command. The challenge for the certificate starts.

sudo certbot certonly --manual -d <Your domain> -m <Your mail address>

Partway through, certbot asks you to create a file with a given name and content. Put that file under /var/www/<Your domain>/.well-known/acme-challenge/, confirm that it can be fetched from the internet at http://<Your domain>/.well-known/acme-challenge/<file name>, then press Enter to finish the challenge.

Note that a certificate obtained with --manual cannot be renewed by `certbot renew` without a scripted authentication hook. Since nginx already serves the challenge directory, `certbot certonly --webroot -w /var/www/<Your domain> -d <Your domain>` performs the same validation without copying files by hand and can be renewed unattended.

When the challenge succeeds, the certificate (fullchain.pem) and private key (privkey.pem) are written under the following directory. Let's Encrypt certificates are valid for 90 days, so plan for renewal from the start.

/etc/letsencrypt/live/<Your domain>/


Edit Configuration File for HTTPS Reverse Proxy

In this case, HTTPS connections are terminated by NGINX and forwarded to the web server over plain HTTP. Two consequences follow: the link between the proxy and the backend carries cleartext, so keep it on a trusted network, and the backend only ever sees HTTP, so it must be told the original scheme (X-Forwarded-Proto) if it builds absolute redirect URLs or sets Secure cookies.

##For HTTPS(443) To HTTP(8080)########################
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name    <Your domain>;
    ## TLS 1.0 and 1.1 are deprecated (RFC 8996); allow 1.2 and 1.3 only.
    ## TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EECDH+AES;
    ssl_ecdh_curve prime256v1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ## Certificate Keys------------------------------------
    ssl_certificate     /etc/letsencrypt/live/<Your domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<Your domain>/privkey.pem;
    keepalive_timeout    70;
    sendfile             on;
    ## 0 disables the request body size limit; set a real limit on a public proxy
    client_max_body_size 0;
    ## Pass the original host and client address on to the backend
    proxy_set_header    Host                $host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Host    $host;
    proxy_set_header    X-Forwarded-Server  $host;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;

    ##For Other HTTPS Connection To HTTP------------------
    location / {
        proxy_pass  http://<Web Server address>:8080;
        proxy_socket_keepalive on;   ## requires nginx 1.15.6 or later
    }
}

Check the config syntax.

$ sudo nginx -t

Reload the config.

$ sudo nginx -s reload
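The certificate procedure and the HTTPS server block above are two halves of one deployment, and the order between them matters: the 443 block cannot pass `nginx -t` until the PEM files exist. The script below is an added example written for this article, not code from the original page or from the nginx or certbot projects. It assumes a Debian/Ubuntu layout with site files in /etc/nginx/conf.d, that it runs as root, and a backend on port 8080; the helper names (render_acme_block, check_config, obtain_certificate, install_deploy_hook) are this example's own. It swaps the article's `--manual` mode for `--webroot`, adds the HTTP-to-HTTPS redirect and X-Forwarded-Proto that the page's config lacks, tightens the TLS settings, and installs a certbot deploy hook so nginx picks up renewed certificates. The HSTS header is included; only enable it once HTTPS is confirmed working, because browsers will then refuse plain HTTP for the whole max-age.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes a Debian/Ubuntu
# layout with site files in /etc/nginx/conf.d, that it runs as root, and a
# backend listening on port 8080. Invoke: sh tls-proxy.sh run <domain> <mail> <backend>
set -eu
# Port 80: serve the ACME challenge directory, redirect everything else to HTTPS.
render_acme_block() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/$1;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}
# Port 443: terminate TLS here and forward plain HTTP to the backend.
render_tls_block() {
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $1;
    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_ecdh_curve X25519:prime256v1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=31536000" always;
    client_max_body_size 50m;
    location / {
        proxy_pass http://$2:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host  \$host;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}
render_nginx_config() {
    render_acme_block "$1"
    render_tls_block "$1" "$2"
}
# Refuse to deploy a file that still allows a deprecated TLS version or does
# not tell the backend that the request arrived over HTTPS.
check_config() {
    if grep -Eq 'ssl_protocols[^;]*(SSLv3|TLSv1[ ;]|TLSv1\.1)' "$1"; then
        echo "deprecated TLS version enabled in $1" >&2
        return 1
    fi
    if ! grep -q 'X-Forwarded-Proto' "$1"; then
        echo "X-Forwarded-Proto not set in $1" >&2
        return 1
    fi
}
# Webroot mode: certbot writes the token into the directory nginx already
# serves, so nothing is copied by hand and "certbot renew" works unattended.
obtain_certificate() {
    mkdir -p "/var/www/$1/.well-known/acme-challenge"
    certbot certonly --webroot -w "/var/www/$1" -d "$1" -m "$2" \
        --agree-tos --non-interactive
}
# nginx reads the PEM files only at start/reload, so reload after each renewal.
install_deploy_hook() {
    mkdir -p /etc/letsencrypt/renewal-hooks/deploy
    printf '#!/bin/sh\nnginx -s reload\n' \
        > /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
    chmod 0755 /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
}
main() {
    site="/etc/nginx/conf.d/$1.conf"
    # Port-80 block only: the 443 block fails nginx -t until the PEM files exist.
    render_acme_block "$1" > "$site"
    nginx -t; nginx -s reload
    obtain_certificate "$1" "$2"
    render_nginx_config "$1" "$3" > "$site"
    check_config "$site"
    nginx -t; nginx -s reload
    install_deploy_hook
}
if [ "${1:-}" = run ]; then main "$2" "$3" "$4"; fi
```

Run it as `sh tls-proxy.sh run example.com admin@example.com 10.0.0.5`. The check_config gate is deliberately a plain grep over the rendered file rather than a TLS scan: it runs before the reload, so a config that regresses to TLS 1.1 or drops X-Forwarded-Proto never reaches production. `ssl_session_tickets off` avoids the static ticket key that nginx otherwise keeps for its whole lifetime; if you need tickets across a proxy fleet, rotate a shared key instead.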
