Use NGINX as a Reverse Proxy

With SSL using certbot

What is a Reverse Proxy?

A reverse proxy is a server that sits between internal applications and external clients, forwarding client requests to the appropriate server. While many common applications, such as Node.js, are able to function as servers on their own, NGINX has a number of advanced load balancing, security, and acceleration features that most specialized applications lack. Using NGINX as a reverse proxy enables you to add these features to any application. This guide uses a simple Node.js app to demonstrate how to configure NGINX as a reverse proxy.

Install NGINX

These steps install NGINX Mainline on Ubuntu 16.04 from the official NGINX repository.

  1. Open /etc/apt/sources.list in a text editor and add the following line to the bottom. The example uses xenial, the codename for Ubuntu 16.04; replace it with the codename of your Ubuntu release.

    deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx
  2. Import the repository’s package signing key and add it to apt. Download the key over HTTPS so it cannot be altered in transit:

    sudo wget https://nginx.org/keys/nginx_signing.key
    sudo apt-key add nginx_signing.key
  3. Install NGINX

    sudo apt update
    sudo apt install nginx
  4. Ensure NGINX is running and enabled to start automatically on reboot:

    sudo systemctl start nginx
    sudo systemctl enable nginx

Configure NGINX

  1. Disable the current default.conf:

    sudo mv /etc/nginx/sites-available/default.conf /etc/nginx/sites-available/default.conf.disabled
  2. Create a configuration file for the app in /etc/nginx/sites-available/default. Replace example.com in this example with your app’s domain or public IP address:

    server {
      listen 80;
      listen [::]:80;
    
      server_name example.com;
    
      location / {
          proxy_pass http://localhost:3000/;
      }
    }
  3. Symlink the config above from sites-available to /etc/nginx/sites-enabled/default.
  4. Test the config:

    sudo nginx -t
  5. If no errors are reported, reload the new configuration:

    sudo nginx -s reload
  6. In a browser, navigate to your server’s public IP address. You should see the content served by your proxy_pass destination.

Advanced

    server {
      listen 80 default_server;
      listen [::]:80 default_server;

      location / {
          proxy_buffers     16 4k;
          proxy_buffer_size 2k;
          proxy_pass        http://destination.com;
          proxy_set_header  X-Real-IP        $remote_addr;
          proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
          proxy_set_header  X-Forwarded-Host $host;
      }

      location /tcash/ {
          proxy_buffers     16 4k;
          proxy_buffer_size 2k;
          proxy_pass        http://destination.com;
          proxy_set_header  X-Real-IP        $remote_addr;
          proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
          proxy_set_header  X-Forwarded-Host $host;
      }
    }
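
The X-Real-IP and X-Forwarded-For headers set above are only useful if the application behind the proxy reads them carefully. The following is an added example, not part of the original guide, of how a Node.js app could derive the client address from them. The names clientIp and TRUSTED_PROXIES, the sample addresses, and the assumption that NGINX reaches the app over loopback (as in proxy_pass http://localhost:3000/) are illustrative.

```javascript
'use strict';
const net = require('net');

// Assumption: NGINX runs on the same host and connects to the app over
// loopback, so only these peers are allowed to vouch for a client address.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// Strip the IPv4-mapped IPv6 prefix Node reports on dual-stack sockets.
function normalize(addr) {
  return String(addr || '').trim().replace(/^::ffff:/i, '');
}

// Return the address the app should log or rate-limit on.
// peerAddr is socket.remoteAddress; headers is req.headers (lower-cased keys).
function clientIp(peerAddr, headers) {
  const peer = normalize(peerAddr);
  // A peer that is not the proxy can put anything in these headers.
  if (!TRUSTED_PROXIES.has(peer)) return peer;

  // proxy_set_header X-Real-IP $remote_addr replaces any client-sent value.
  const realIp = normalize(headers['x-real-ip']);
  if (net.isIP(realIp)) return realIp;

  // $proxy_add_x_forwarded_for appends $remote_addr to whatever the client
  // sent, so only the right-most entry was written by NGINX.
  const chain = String(headers['x-forwarded-for'] || '').split(',').map(normalize);
  const last = chain[chain.length - 1];
  return net.isIP(last) ? last : peer;
}

// Constructed sample: the client sent "X-Forwarded-For: 10.0.0.1" itself.
const sample = {
  'x-real-ip': '203.0.113.7',
  'x-forwarded-for': '10.0.0.1, 203.0.113.7',
};
console.log(clientIp('::ffff:127.0.0.1', sample)); // request came via NGINX
console.log(clientIp('198.51.100.9', sample));     // request bypassed NGINX
```

Binding the app to 127.0.0.1 so that it cannot be reached except through NGINX removes the second case entirely.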

Configure HTTPS with Certbot

One advantage of a reverse proxy is that it is easy to set up HTTPS using a TLS certificate. Certbot is a tool that allows you to quickly obtain free certificates from Let’s Encrypt. This guide will use Certbot on Ubuntu 16.04, but the official site maintains comprehensive installation and usage instructions for all major distros.

  1. Add the Certbot PPA:

    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository ppa:certbot/certbot
  2. Update the package list and install the Certbot NGINX plugin:

    sudo apt-get update
    sudo apt-get install python-certbot-nginx
  3. Run Certbot with the NGINX plugin to set up the certificate:

    sudo certbot --nginx
  4. Follow the prompts to choose which domains will be covered by the new certificate. You will also be asked to decide whether to redirect HTTP traffic to HTTPS automatically. Regardless of what you choose, Certbot will automatically update your NGINX configuration files to use the new certificate.