How to Configure an Nginx HTTPS Reverse Proxy

Nginx HTTPS Reverse Proxy Overview

A reverse proxy is an intermediary proxy service which takes a client request, passes it on to one or more servers, and subsequently delivers the server’s response back to the client.

There are a few benefits to setting up an Nginx reverse proxy:

  • Load Balancing: A reverse proxy can perform load balancing, which helps distribute client requests evenly across backend servers. It also improves redundancy: if one server goes down, the reverse proxy simply reroutes requests to a different server according to the routing policy.
  • Increased Security: A reverse proxy also acts as a line of defense for your backend servers. Configuring a reverse proxy ensures that the identity of your backend servers remains unknown.
  • Better Performance: Nginx is known to perform better at delivering static content files and analysing URLs.
  • Easy Logging and Auditing: Since a reverse proxy provides a single point of access, logging and auditing become much simpler.

Requirements:

  • You have an account and are logged into cloud.scaleway.com
  • You have configured your SSH Key
  • You have sudo privileges or access to the root user.
  • You have a web server running on localhost port 80 (as a security measure)
  • Your domain name points to your server's IP address (A or AAAA record)

Installing and Configuring Nginx

In the following example, we will configure an Nginx reverse proxy in front of an Apache web server. As a result, we assume that Apache is already installed and configured (on the same machine).

1. Install Nginx

apt-get update
apt-get install nginx

2. Disable the default virtual host

unlink /etc/nginx/sites-enabled/default

3. Within the /etc/nginx/sites-available directory, create a reverse proxy configuration file.

cd /etc/nginx/sites-available
nano reverse-proxy.conf

4. Paste the following. The Nginx server listens on port 80 of private_ip, and all connections to that port are forwarded to port 80 on the loopback address (127.0.0.1), where the backend web server listens.

server {
        # Client-facing listener; replace private_ip with the server's private address
        listen private_ip:80;
        server_name your.domain.com;

        access_log /var/log/nginx/reverse-access.log;
        error_log /var/log/nginx/reverse-error.log;

        location / {
                # Forward every request to the backend web server on loopback
                proxy_pass http://127.0.0.1:80;
        }
}

Note: Access and error logs are written to log files in /var/log/nginx.

5. Copy the configuration from /etc/nginx/sites-available to /etc/nginx/sites-enabled. We recommend using a symbolic link.

ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

6. Test the configuration file

nginx -t

which returns

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

7. To confirm that both servers respond, each on its own listening address, run

root@reverseproxy:/etc/nginx/sites-enabled# curl -I private_ip
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 14 Oct 2018 16:53:53 GMT
Content-Type: text/html
Content-Length: 10918
Connection: keep-alive
Last-Modified: Fri, 12 Oct 2018 09:12:33 GMT
ETag: "2aa6-578047ce1f0a1"
Accept-Ranges: bytes
Vary: Accept-Encoding

and

root@reverseproxy:/etc/nginx/sites-enabled# curl -I 127.0.0.1
HTTP/1.1 200 OK
Date: Sun, 14 Oct 2018 16:54:06 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 12 Oct 2018 09:12:33 GMT
ETag: "2aa6-578047ce1f0a1"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html

8. In your browser, you can also enter your public_ip, which will display your web server's homepage.

Adding TLS to your HTTP Reverse Proxy using Let’s Encrypt

Important: Make sure your domain name points to your server's IP address (A or AAAA record).

For security reasons, you must encrypt your HTTP connection. Let’s Encrypt provides TLS certificates for free.

1. Install Certbot

apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-nginx

2. Using the Certbot Nginx plugin, install your TLS certificate

certbot --nginx

3. Answer the prompts displayed on the screen

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for your.domain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/reverse-proxy.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/reverse-proxy.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your.domain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You can test the configuration by browsing to your domain over HTTP. You should be automatically redirected to HTTPS.
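
A post-deployment check for the two properties this setup depends on: the backend web server answers only on loopback, and plain HTTP is permanently redirected to HTTPS. This is an added example, not part of the original tutorial; 10.1.2.3 is a constructed stand-in for private_ip, and the sample ss and curl output is constructed.

```shell
#!/bin/sh
# Constructed sample of `ss -Hltn` output; 10.1.2.3 stands in for private_ip.
SAMPLE_SS='LISTEN 0 511 10.1.2.3:80 0.0.0.0:*
LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample of `curl -sI http://your.domain.com` output.
SAMPLE_HEAD='HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.0 (Ubuntu)
Location: https://your.domain.com/'

# exposed_backends PROXY_ADDR PORT
# Reads `ss -Hltn` lines on stdin and prints every local address listening on
# PORT that is neither loopback nor PROXY_ADDR, i.e. a listener that clients
# could reach without passing through Nginx.
exposed_backends() {
    awk -v proxy="$1" -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, p, ":")              # column 4 is Local Address:Port
            if (p[n] != port) next
            addr = substr($4, 1, length($4) - length(p[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]" || addr == proxy) next
            print addr
        }'
}

# redirects_to_https
# Reads response headers on stdin; succeeds only for a permanent redirect
# (301 or 308) whose Location is an https:// URL.
redirects_to_https() {
    tr -d '\r' | awk '
        NR == 1 { ok_status = ($2 == "301" || $2 == "308") }
        tolower($1) == "location:" { ok_loc = ($2 ~ /^https:\/\//) }
        END { exit (ok_status && ok_loc) ? 0 : 1 }'
}

# Live usage on the proxy host (substitute your own private_ip and domain):
#   ss -Hltn | exposed_backends private_ip 80
#   curl -sI http://your.domain.com | redirects_to_https && echo "redirect OK"
```

Any address printed by exposed_backends is a port 80 listener that bypasses the proxy, and with it the proxy's access log.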
