Reverse proxy with SSL
When you want to protect an application that listens on some port of your server with SSL, so you can safely access it from a remote computer, you can put a reverse proxy in front of that port.
For this tutorial, you will need a domain and a DNS record that points your domain or subdomain to your server’s public IP. This is because you can only use self-signed certificates when using IPs to access an SSL page, and we are going to use Let’s Encrypt certificates.
Nginx
- If you don’t have Nginx installed, install it using your system’s package manager:
# Ubuntu
sudo apt install nginx -y
- Install Let’s Encrypt for Nginx
sudo apt install python3-certbot-nginx
- Create a new SSL certificate:
sudo certbot --nginx certonly
- Disable the default Nginx config file (if you are using Nginx for the first time) by deleting /etc/nginx/sites-enabled/default:
sudo rm /etc/nginx/sites-enabled/default
- Create /etc/nginx/sites-available/proxy-test (you can name the file whatever you want):
sudo vim /etc/nginx/sites-available/proxy-test
- Add the following lines to the file, replace as needed:
server {
    listen 80;
    server_name example.com;
    # Redirect all plain HTTP requests to HTTPS
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    index index.html;
    location / {
        # Forward requests to the application listening on localhost
        proxy_pass http://127.0.0.1:8000;
    }
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # TLS 1.1 is deprecated (RFC 8996); allow only TLS 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
- Apply the configuration
sudo ln -s /etc/nginx/sites-available/proxy-test /etc/nginx/sites-enabled/proxy-test
sudo nginx -s reload
Apache
- Install Apache if it’s not already installed.
# Ubuntu
sudo apt install apache2 -y
- Install Let’s Encrypt for Apache
sudo apt install python3-certbot-apache -y
- Create a new SSL certificate
sudo certbot --apache certonly
- Disable default Apache config file (if you are using Apache for the first time) by typing:
sudo a2dissite 000-default.conf
- Create /etc/apache2/sites-available/test-web.conf (you can name the file whatever you want, but keep the .conf suffix):
sudo vim /etc/apache2/sites-available/test-web.conf
- Add the following lines to the file, replace as needed:
<VirtualHost *:80>
ServerName example.com
RewriteEngine On
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R=301]
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
- Enable the rewrite, ssl and proxy_http Apache modules:
sudo a2enmod rewrite
sudo a2enmod ssl
sudo a2enmod proxy_http
- Enable the new config file.
sudo a2ensite test-web.conf
- Restart Apache
sudo systemctl restart apache2
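Both configurations forward to a backend on 127.0.0.1 (port 8000 in the Nginx example, 8080 in the Apache one), so the proxy only protects the application if that port is not also listening on a public interface. The script below is an added example, not part of the original tutorial, that checks this from `ss -ltn` output; the function names are hypothetical and the sample listing is constructed.

```sh
#!/bin/sh
# Added example: confirm the proxied backend listens on loopback only.

# Print every non-loopback address with a TCP listener on port $1.
# Reads `ss -ltn` output on stdin.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)            # strip scope, e.g. 127.0.0.53%lo
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print addr
        }'
}

# Exit 0 if port $1 is reachable only via loopback, 1 otherwise.
check_backend() {
    exposed=$(exposed_listeners "$1")
    if [ -n "$exposed" ]; then
        echo "port $1 is also listening on: $(echo "$exposed" | tr '\n' ' ')"
        return 1
    fi
    echo "port $1 is loopback-only"
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128        127.0.0.1:8000      0.0.0.0:*
LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
LISTEN 0      128             [::]:8080         [::]:*
EOF
}

# Demo on the sample; on a real server run: ss -ltn | check_backend 8000
sample_ss_output | check_backend 8000 || true
sample_ss_output | check_backend 8080 || true
```

If the check reports a non-loopback address, bind the application to 127.0.0.1 or block the port at the firewall so that clients cannot bypass the proxy over plain HTTP.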
If you have any suggestions, feel free to contact me via social media or email.