Nginx is a powerful web server and reverse proxy tool that enhances the performance, scalability, and security of web applications. A reverse proxy acts as an intermediary between clients and backend servers, forwarding client requests to the appropriate server while managing load balancing, caching, and SSL termination.
This guide walks you through the steps to set up an Nginx reverse proxy on an Ubuntu server, including configuring domain-based routing, testing your configuration, and securing your connection with SSL.
Nginx
Install nginx
sudo apt install nginx -y
Check if the service is active and running
sudo systemctl status nginx
Create the configuration file for the reverse proxy. Make sure to replace <domain_name> with your domain name in all places
sudo vim /etc/nginx/sites-available/<domain_name>
Change <port> to your application's port and save
server {
    listen 80;
    listen [::]:80;
    server_name <domain_name> www.<domain_name>;

    location / {
        proxy_pass http://localhost:<port>;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    error_log /var/log/nginx/<domain_name>.error.log;
    access_log /var/log/nginx/<domain_name>.access.log;
}
Next, to enable this configuration file, create a symbolic link in the sites-enabled directory that points to the file in the sites-available directory
sudo ln -s /etc/nginx/sites-available/<domain_name> /etc/nginx/sites-enabled/
Now run the below command to test your configuration file for any errors
sudo nginx -t
You should see the below output if all configurations are correct
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Now restart the nginx service to apply the changes
sudo systemctl restart nginx
Let’s Encrypt
Install certbot with nginx plugin
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
Run the below command to use nginx plugin with certbot
sudo certbot --nginx
Then you’ll be asked for an email address for renewal purposes
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): <email_address>
Enter y to agree to their Terms of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Next, enter y or n to choose whether to share your email with the Electronic Frontier Foundation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Now you'll see the list of domain names. Enter the numbers of the domain names you want to activate HTTPS for and press Enter
Account registered.
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: <domain_name>
2: www.<domain_name>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Certbot will then issue the Let's Encrypt certificate for your domains and deploy it
Requesting a certificate for <domain_name> and www.<domain_name>
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<domain_name>/fullchain.pem
Key is saved at: /etc/letsencrypt/live/<domain_name>/privkey.pem
This certificate expires on 2025-02-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for <domain_name> to /etc/nginx/sites-enabled/<domain_name>
Successfully deployed certificate for www.<domain_name> to /etc/nginx/sites-enabled/<domain_name>
Congratulations! You have successfully enabled HTTPS on https://<domain_name> and https://www.<domain_name>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If everything went as expected, you should be able to access your site at https://<domain_name>
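As an added example (not part of the original guide), the script below audits a site file for the four proxy headers configured in the Nginx section and for the TLS lines expected after the Let's Encrypt section. It assumes certbot's nginx plugin writes `listen 443 ssl`, the two certificate paths shown in the output above, and a `return 301 https://` redirect into the same file; `audit_site`, `sample_http_only`, `example.test` and port 3000 are illustrative names and placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. example.test and port 3000 are placeholders.

# audit_site FILE: print one "MISSING ..." line per absent directive.
# Returns 0 when nothing is missing, 1 otherwise.
audit_site() (
    conf=$(sed 's/#.*$//' "$1")   # strip comments so disabled lines do not count
    missing=0
    need() {                      # need LABEL EXTENDED_REGEX
        if ! printf '%s\n' "$conf" | grep -Eq "$2"; then
            echo "MISSING $1"
            missing=1
        fi
    }
    sp='[[:space:]]+'
    need "proxy_pass" "^[[:space:]]*proxy_pass${sp}https?://[^;]+;"
    for h in Host X-Real-IP X-Forwarded-For X-Forwarded-Proto; do
        need "proxy_set_header $h" "^[[:space:]]*proxy_set_header${sp}${h}${sp}[^;]+;"
    done
    # Assumption: certbot's nginx plugin adds these lines to the site file.
    need "listen 443 ssl" "^[[:space:]]*listen${sp}443${sp}ssl"
    need "ssl_certificate" "^[[:space:]]*ssl_certificate${sp}/etc/letsencrypt/live/[^;]+/fullchain\.pem;"
    need "ssl_certificate_key" "^[[:space:]]*ssl_certificate_key${sp}/etc/letsencrypt/live/[^;]+/privkey\.pem;"
    need "HTTP to HTTPS redirect" "return${sp}301${sp}https://"
    return "$missing"
)

# Constructed sample: the guide's HTTP-only block with one header commented out.
sample_http_only() {
cat <<'EOF'
server {
    listen 80;
    server_name example.test www.example.test;
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# Run the audit on the constructed sample.
tmp=$(mktemp)
sample_http_only > "$tmp"
audit_site "$tmp" || echo "=> fix the file, then re-run: sudo nginx -t"
rm -f "$tmp"
```

On a real server, point the function at the deployed file instead: `audit_site /etc/nginx/sites-enabled/<domain_name>`.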