by TheIneptOne

NGINX Reverse Proxy with SSL

A reverse proxy server is a type of proxy server that sits behind the firewall in a private network. It redirects client requests to the appropriate backend server and is fantastic to use for your homelab!

Prerequisites

  • A base install of Ubuntu LTS with a static IP address
  • A domain or subdomain pointing to the external IP address (like inepttech.com)
  • Firewall ports 80/443 open and pointing towards the Reverse Proxy server
  • When editing a file with Nano, save your changes by doing the following:
    • Ctrl+X to Exit
    • Y to save the edits currently stored in the buffer
    • Enter to write to the current file name

In this post, I’ll use 10.0.10.10 as my proxy server and 10.0.10.11 as the web server hosting my domain/subdomain.

Installing NGINX

Nginx is in the default Ubuntu repositories. To install it, run the following command:

sudo apt install nginx

Installing and Setting Up Certbot

Certbot will issue and renew your SSL certificate from Let’s Encrypt.

Add the PPA for Certbot

sudo add-apt-repository ppa:certbot/certbot

Once added, the repositories should auto-update. Now you can install Certbot:

sudo apt install python3-certbot-nginx

Creating a NGINX Site

Create a new conf file with the name of the domain, i.e. subdomain.inepttech.com.conf, in /etc/nginx/sites-enabled

sudo touch /etc/nginx/sites-enabled/subdomain.inepttech.com.conf

Use Nano to edit the file

sudo nano /etc/nginx/sites-enabled/subdomain.inepttech.com.conf

Paste the following, adjusting the domain name and the internal IP address that the proxy will pass the connection off to (i.e. my web server will be 10.0.10.11):

server {
    server_name subdomain.inepttech.com;

    # Internal address of the backend web server
    set $upstream 10.0.10.11;

    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;

        # Pass the original host and client address to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        # 0 disables the request body size limit
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }

    listen 80;
}

Save the changes by pressing Ctrl+X, Y for Yes, and Enter to select the file name to write (by default, the file we have opened).

Once added, check to ensure the file does not contain any errors by running the following:

sudo nginx -t

If all is good, you’ll receive a "test is successful" message.

Repeat for any other domains or subdomains.

Generating a SSL Cert

To create an SSL cert, run the following command, adjusting the domain/subdomain:

sudo certbot --nginx -d inepttech.com -d subdomain.inepttech.com

Or, if running the subdomain only, without the primary domain pointing to the same IP address:

sudo certbot --nginx -d subdomain.inepttech.com

Certbot will begin communicating with the Let’s Encrypt servers and, once done, will ask for the security level of the site:

Output
Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select Option 2, Secure – Make all requests redirect to secure HTTPS access, and then press Enter.

The SSL cert is good for 90 days. Certbot will automatically run every 12 hours and check if the certificate is 30 days from expiration. Once it hits the 30-day mark, it will automatically renew.
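To confirm that automatic renewal is actually happening, you can check where a certificate sits relative to the 30-day window. The script below is an added example, not part of the original post or of Certbot; the function names and the --demo flag are assumptions made for illustration, and the sample certificates are throwaway self-signed ones generated on the spot. On the proxy you would point cert_status at the certificate Certbot installed, normally /etc/letsencrypt/live/<your domain>/fullchain.pem (reading it may need sudo).

```sh
#!/bin/sh
# Added example (not from the original post): classify a certificate against
# the 90-day lifetime / 30-day renewal window described above.
RENEW_WINDOW_DAYS=30

# cert_status PEM_FILE -> prints ok | renewal-due | expired | unreadable
cert_status() {
    pem=$1
    # Parse first so a missing or corrupt file is not reported as "expired"
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend N exits non-zero when the cert expires within N seconds
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$pem" -noout \
            -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null; then
        echo renewal-due      # inside the window: renewal should already have run
    else
        echo ok
    fi
}

# make_sample_cert DAYS OUT_FILE: constructed, throwaway self-signed cert
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=subdomain.inepttech.com" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Offline demo: sh cert_window.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_cert 90 "$tmp/fresh.pem"   # freshly issued
    make_sample_cert 10 "$tmp/stale.pem"   # renewal has been failing
    for f in fresh stale missing; do
        echo "$f: $(cert_status "$tmp/$f.pem")"
    done
    rm -rf "$tmp"
fi
```

A "renewal-due" result on a live certificate means it has been inside the 30-day window without being renewed, which is the point at which to look at why the scheduled Certbot run is failing.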

Done!

 

 
