How to Set Up Nginx HTTPs Reverse Proxy on Ubuntu

Set Up Nginx HTTPs Reverse Proxy on Ubuntu

This tutorial explains how to set up Nginx as an HTTPS reverse proxy on Linux Ubuntu,

What is Nginx?

Nginx is a popular web server, reverse proxy, load balancing, mail proxy, and HTTP caching software package which can be run on the Linux Operating System.

It’s a very flexible web server and proxy solution and is an alternative to the Apache HTTP Server.

What is a Proxy Server

A proxy server acts as a relay between a client and a server at the client’s request.

For example, you (the client) wish to access a website (the server) that is hosted in another country, which only allows visitors from that country. You could set up your traffic to go through a proxy within that country, and the server will think traffic is coming from the proxy, not you.

It’s like asking a friend to pass a message on for you to someone who’s decided they don’t want to speak to you directly.

What is a Reverse Proxy Server

A reverse proxy acts as a relay between a client and the server at the server’s request.

For example, you (the client) wish to access a website (the server) that is hosted on a private network, a proxy may be used to facilitate your access – sitting between the internet, and the private network, to act on the client’s behalf. This keeps the private parts of the private network private and only allows the client access to the resources configured to be passed by the reverse proxy.

It’s like you are studying for an exam and ask a friend to take messages for you and only pass them on if it’s about dogs.

Why A Reverse Proxy

If you’re hosting a number of applications, you may want to serve them all from the same address on the network, even if the applications are running in different environments (for example, you’re hosting both a NodeJS and a PHP application and want to serve both applications from the same machine), or even on separate machines entirely.

Sure, you could run your NodeJS app on port 80 and your PHP app on port 81, but that will look weird. A reverse proxy solves this by allowing you to run as many applications as you want and present them all from the same web server endpoint.

It can also be expanded to cache, compress, and secure content you are serving from insecure applications.

Installing

Install Nginx using Ubuntu’s package manager:

sudo apt-get install nginx

And disable the default configured host:

unlink /etc/nginx/sites-enabled/default

Setting Up Reverse Proxy

Create a configuration file for the reverse proxy:

sudo touch /etc/nginx/sites-available/my-reverse-proxy.conf

And edit it:

sudo nano /etc/nginx/sites-available/my-reverse-proxy.conf

Populate the file with the following configuration:

server {

    listen 80;
    listen [::]:80;

    location / {
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header X-Real-IP $remote_addr;
    }

    access_log /var/log/nginx/my-reverse-proxy-access.log;
    error_log /var/log/nginx/my-reverse-proxy-error.log;

}

So what is this doing? We’re telling Nginx to listen on port 80 and to reverse proxy using proxy_pass traffic from http://127.0.0.1:8888 to the location /.

In effect, when the user accesses the / path on the server on the default HTTP port, it should serve content from port 8888.

Take note of some of the other configuration values:

  • Logfile locations are defined so that we can zero in on any issues we may encounter, rather than having them all go into the default log files where other log records may get in the way.
  • proxy_set_header is used to set a header on the incoming request, in this case, so that the application being proxied can read the IP address of the requesting client

Nginx organizes its site configuration files into directories – /etc/nginx/sites-available is where you store configuration files themselves, regardless of whether they are enabled. To enable them, you simply add a link to the file in the /etc/nginx/sites-enabled directory.

To enable the new configuration, you create a soft link to it in /etc/nginx/sites-available/:

ln -s /etc/nginx/sites-available/my-reverse-proxy.conf /etc/nginx/sites-enabled/my-reverse-proxy.conf

If you want to disable the reverse proxy configuration file

unlink /etc/nginx/sites-enabled/my-reverse-proxy.conf

Once you’ve enabled the site configuration, you’ll need to restart Nginx for the configuration to take effect.

sudo service nginx reload

If you did something wrong, Nginx will complain and refuse to restart.

Adding SSL/HTTPS with Let’s Encrypt

To quickly add SSL support to your proxied content, without having to purchase SSL certificates or perform any additional configuration, you can use the Let’s Encrypt project’s certbot tool:

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
sudo certbot --nginx

certbot will ask you a few questions about your location and server configuration and prompt you to automatically redirect HTTP traffic to HTTPS.

Make sure you enable this option as it will automatically update your Nginx configuration for you.

Conclusion

One of the most useful results of using a reverse proxy is being able to serve multiple applications from the same server and domain name. Sharing resources between your projects means fewer overheads and less time maintaining multiple servers.

If your project gets big, your reverse proxy can then be updated to do load balancing – distributing requests to your application over several servers to speed things up and providing an additional layer of security between your users and your backend.

For more networking and server tutorials – click this link!

SHARE:
nv-author-image

Brad Morton

I'm Brad, and I'm nearing 20 years of experience with Linux. I've worked in just about every IT role there is before taking the leap into software development. Currently, I'm building desktop and web-based solutions with NodeJS and PHP hosted on Linux infrastructure. Visit my blog or find me on Twitter to see what I'm up to.

Leave a Reply

Your email address will not be published. Required fields are marked *