To protect an application that listens on a port on your server with SSL, so that you can safely access it from a remote computer, you can put a reverse proxy in front of that port.

For this tutorial, you will need a domain and a DNS record that points your domain or subdomain to your server's public IP. This is because you can only use self-signed certificates when using IPs to access an SSL page, and we are going to use Let’s Encrypt certificates.

Nginx

  1. If you don’t have Nginx installed, install it using your system’s package manager:
    # Ubuntu
    sudo apt install nginx -y
    
  2. Install Certbot, the Let’s Encrypt client, with its Nginx plugin:
    sudo apt install python3-certbot-nginx
    
  3. Create a new SSL certificate:
    sudo certbot --nginx certonly
    
  4. Disable default Nginx config file (if you are using Nginx for the first time) by deleting /etc/nginx/sites-enabled/default
    sudo rm /etc/nginx/sites-enabled/default
    
  5. Create /etc/nginx/sites-available/proxy-test (you can name the file whatever you want):
    sudo vim /etc/nginx/sites-available/proxy-test
    
  6. Add the following lines to the file, replace as needed:
    server {
     listen 80;
     server_name example.com;
     return 301 https://$server_name$request_uri;
    }
    
    server {
     listen 443    ssl;
     server_name   example.com;
     index         index.html;
     location / {
         proxy_pass http://127.0.0.1:8000;
     }
     ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
     # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow only 1.2 and 1.3
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers   HIGH:!aNULL:!MD5;
    }
    
  7. Apply the configuration by linking the file created in step 5 into sites-enabled and reloading Nginx:
    sudo ln -s /etc/nginx/sites-available/proxy-test /etc/nginx/sites-enabled/proxy-test
    sudo nginx -s reload
    

Apache

  • Install Apache if it’s not already installed.
    #Ubuntu
    sudo apt install apache2 -y
    
  • Install Certbot, the Let’s Encrypt client, with its Apache plugin:
    sudo apt install python3-certbot-apache -y
    
  • Create a new SSL certificate
    sudo certbot --apache certonly
    
  • Disable default Apache config file (if you are using Apache for the first time) by typing:
    sudo a2dissite 000-default.conf
    
  • Create /etc/apache2/sites-available/test-web.conf (you can name the file whatever you want, but keep the .conf suffix).
    sudo vim /etc/apache2/sites-available/test-web.conf
    
  • Add the following lines to the file, replace as needed:
    <VirtualHost *:80>
      ServerName example.com
      RewriteEngine On
      RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R=301]
    </VirtualHost>
    <VirtualHost *:443>
      ServerName example.com
      ProxyPass / http://127.0.0.1:8080/
      ProxyPassReverse / http://127.0.0.1:8080/
      SSLEngine on
      SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    </VirtualHost>
    
  • Enable the rewrite, ssl and proxy_http Apache modules.
    sudo a2enmod rewrite
    sudo a2enmod ssl
    sudo a2enmod proxy_http
    
  • Enable the new config file.
    sudo a2ensite test-web.conf
    
  • Restart Apache
    sudo systemctl restart apache2
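
Both configurations protect the application only if the backend port (8000 in the Nginx example, 8080 in the Apache one) cannot be reached directly, bypassing the proxy. The check below is an added example, not part of the original tutorial: it parses `ss -tln` output and reports any non-loopback address listening on the backend port. The names backend_exposure and sample_ss and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# backend_exposure PORT: reads `ss -tln` output on stdin and prints every
# non-loopback address that is listening on PORT.
# Exit status: 0 = loopback only, 1 = exposed, 2 = nothing listening on PORT.
backend_exposure() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }                 # skip header and other states
        {
            n = split($4, parts, ":")           # $4 is "Local Address:Port"
            if (parts[n] != port) next          # port follows the last colon
            found = 1
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            # 127.0.0.0/8 and [::1] are loopback; any other address is
            # reachable from other machines unless a firewall blocks it.
            if (host ~ /^127\./ || host == "[::1]") next
            print host
            exposed = 1
        }
        END { if (exposed) exit 1; if (!found) exit 2 }
    '
}

# Constructed sample of `ss -tln` output, not captured from a real host.
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511           0.0.0.0:443        0.0.0.0:*
LISTEN  0       511           0.0.0.0:80         0.0.0.0:*
LISTEN  0       128         127.0.0.1:8000       0.0.0.0:*
LISTEN  0       128           0.0.0.0:8080       0.0.0.0:*
LISTEN  0       128              [::]:8080          [::]:*
EOF
}

# Demo on the sample; on a real server run: ss -tln | backend_exposure 8000
for p in 8000 8080; do
    if sample_ss | backend_exposure "$p" >/dev/null; then
        echo "port $p: loopback only"
    else
        echo "port $p: exposed or not listening"
    fi
done
```

If the check reports an exposed address, bind the application to 127.0.0.1 in its own configuration or block the port at the firewall, so that the only path to it is through the proxy.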