How to Configure Nginx as a Reverse Proxy with SSL on Ubuntu 22.04
Learning how to configure Nginx as a reverse proxy with SSL on Ubuntu 22.04 is essential for modern web server management. This configuration allows you to route incoming requests to backend servers while encrypting traffic with SSL certificates. You’ll improve security, load distribution, and overall server performance.
A reverse proxy sits between clients and your backend servers. It receives client requests and forwards them to appropriate backend services. When combined with SSL encryption, this setup provides secure communication channels. This tutorial covers the complete process from installation to SSL certificate implementation.
You’ll learn to install Nginx, configure proxy settings, obtain SSL certificates, and secure your server configuration. This setup is perfect for hosting multiple applications, implementing load balancing, or adding SSL to non-SSL backend services. The configuration works excellently for WordPress sites, API servers, and web applications.
Prerequisites and Requirements for Nginx Reverse Proxy with SSL Setup
Before starting this tutorial on how to configure Nginx as a reverse proxy with SSL on Ubuntu 22.04, ensure you meet these requirements. You need root or sudo access to your Ubuntu 22.04 server. A domain name pointing to your server’s IP address is essential for SSL certificate generation.
Your backend application should be running on a specific port. This could be a Node.js app on port 3000, a Python Flask application on port 5000, or any web service. The application doesn’t need SSL since Nginx will handle encryption.
Basic command-line knowledge is assumed. You should understand file editing with nano or vim. Familiarity with systemd service management helps but isn’t required. The entire process takes approximately 30-45 minutes.
Required software includes:
– Ubuntu 22.04 server with internet access
– Domain name with DNS configured
– Backend application running on localhost
– Firewall access to ports 80 and 443
Step-by-Step Guide to Configure Nginx as a Reverse Proxy with SSL
Step 1: Update System and Install Nginx
Start by updating your package repository and installing Nginx. This ensures you get the latest version with security updates.
sudo apt update
sudo apt upgrade -y
sudo apt install nginx -y
Verify the installation by checking Nginx status:
sudo systemctl status nginx
Enable Nginx to start automatically on boot:
sudo systemctl enable nginx
Step 2: Configure Firewall Rules
Ubuntu 22.04 includes the ufw firewall by default. Allow HTTP and HTTPS traffic through the firewall:
sudo ufw allow 'Nginx Full'
sudo ufw status
The `Nginx Full` profile opens both port 80 (HTTP) and port 443 (HTTPS).
Step 3: Create Nginx Configuration File
Create a new server block configuration for your domain. Replace `yourdomain.com` with your actual domain name:
sudo nano /etc/nginx/sites-available/yourdomain.com
Add this initial configuration without SSL:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
Step 4: Enable the Site Configuration
Create a symbolic link to enable the site:
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
Test the Nginx configuration for syntax errors:
sudo nginx -t
If the test passes, reload Nginx:
sudo systemctl reload nginx
Step 5: Install Certbot for SSL Certificates
Install Certbot and the Nginx plugin from the official Ubuntu repository. This tool automatically obtains and installs SSL certificates from Let’s Encrypt:
sudo apt install certbot python3-certbot-nginx -y
Step 6: Obtain SSL Certificate
Run Certbot to obtain and install the SSL certificate. Replace `yourdomain.com` with your domain:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Follow the prompts to enter your email address and agree to terms. Certbot will automatically modify your Nginx configuration to include SSL settings.
Step 7: Verify SSL Configuration
Check your updated configuration file:
sudo nano /etc/nginx/sites-available/yourdomain.com
Certbot should have added SSL configuration similar to this:
server {
    server_name yourdomain.com www.yourdomain.com;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
    if ($host = www.yourdomain.com) {
        return 301 https://$host$request_uri;
    }
    if ($host = yourdomain.com) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 404;
}
Step 8: Test the Configuration
Test your SSL setup by visiting your domain in a browser. You should see a secure connection indicator. Use this command to verify certificate details:
sudo certbot certificates
Troubleshooting Common Nginx Reverse Proxy SSL Issues
Several issues may occur when implementing this configuration. Here are solutions for the most common problems.
SSL Certificate Renewal Problems
Let’s Encrypt certificates expire every 90 days. Test automatic renewal:
sudo certbot renew --dry-run
If this fails, check your domain’s DNS settings. Ensure your domain points to the correct IP address.
Backend Connection Refused
If Nginx shows “502 Bad Gateway” errors, your backend application isn’t running. Verify your backend service status:
sudo systemctl status your-backend-service
sudo ss -tlnp | grep ':3000'
Nginx Configuration Errors
Always test configuration changes before applying them:
sudo nginx -t
Common syntax errors include missing semicolons, incorrect server block structure, or invalid proxy_pass URLs.
Firewall Blocking Connections
Verify firewall rules allow the necessary ports:
sudo ufw status numbered
Ensure rules allow Nginx Full profile or specifically ports 80 and 443.
SSL Mixed Content Warnings
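Add these headers to the HTTPS server block. Strict-Transport-Security tells browsers to use HTTPS for every future request to the domain and its subdomains, so enable includeSubDomains only when every subdomain serves HTTPS. X-Frame-Options and X-Content-Type-Options are general hardening headers that block framing and MIME-type sniffing. Resources that the application references with http:// URLs on other hosts still have to be changed in the application itself: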
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
For additional security configuration guidance, refer to the official Nginx HTTPS documentation.
Optimizing Your Nginx Reverse Proxy Configuration
After successfully setting up your reverse proxy with SSL, consider these optimization techniques. Performance improvements make your setup more efficient and secure.
Enable Gzip Compression
Add compression settings to reduce bandwidth usage:
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json;
Configure Caching
Implement proxy caching for static
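# proxy_cache_path goes in the http context (for example in /etc/nginx/nginx.conf)
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m use_temp_path=off;
# This location goes inside the server block; the dot is escaped so it matches a literal "."
location ~ \.(jpg|jpeg|png|gif|ico|css|js)$ {
    # Without proxy_pass this location would not reach the backend at all
    proxy_pass http://127.0.0.1:3000;
    proxy_set_header Host $host;
    proxy_cache my_cache;
    proxy_cache_valid 200 1h;
    proxy_cache_use_stale error timeout invalid_header updating;
    # An add_header at this level stops inheritance of server-level add_header directives
    add_header X-Cache-Status $upstream_cache_status;
}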
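Nginx inherits add_header directives from the enclosing level only when the current level defines none, so the add_header X-Cache-Status line in the caching location silently removes the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options headers from cached static responses. The following check is an added example, not part of the original tutorial: it scans a configuration for that pattern. The names dropped_headers and SAMPLE_CONF are chosen here, the sample configuration is constructed from the snippets above, and the parser is simplified (no include resolution, whole-line comments only).

```python
import re

# Constructed sample: the page's three security headers at server level and
# the page's caching location, which carries its own add_header.
SAMPLE_CONF = r"""
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    location / { proxy_pass http://127.0.0.1:3000; }
    location ~ \.(jpg|jpeg|png|gif|ico|css|js)$ {
        proxy_pass http://127.0.0.1:3000;
        proxy_cache my_cache;
        add_header X-Cache-Status $upstream_cache_status;
    }
}
"""

# Quoted strings are single tokens, so a ';' inside a header value is not a terminator.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def dropped_headers(conf):
    """Map each block that sets add_header to the inherited headers it loses."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)      # strip whole-line comments
    stack = [{"name": "http", "headers": []}]     # implicit top level
    words, closed = [], []
    for tok in TOKEN.findall(conf):
        if tok == "{":
            stack.append({"name": " ".join(words), "headers": []})
            words = []
        elif tok == ";":
            if len(words) >= 2 and words[0] == "add_header":
                stack[-1]["headers"].append(words[1])
            words = []
        elif tok == "}" and len(stack) > 1:
            closed.append((stack.pop(), list(stack)))  # block plus its ancestors
            words = []
        else:
            words.append(tok)
    findings = {}
    for block, ancestors in closed:   # evaluated after parsing, so file order does not matter
        own = {h.lower() for h in block["headers"]}
        # Inheritance comes only from the nearest enclosing level that defines add_header.
        inherited = next((a["headers"] for a in reversed(ancestors) if a["headers"]), [])
        lost = [h for h in inherited if h.lower() not in own]
        if own and lost:
            findings[block["name"]] = lost
    return findings
```

To clear a finding, repeat the three security headers inside the flagged location or move the shared add_header lines into a file that both levels include.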
Rate Limiting
Protect against DDoS attacks with rate limiting:
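# limit_req_zone goes in the http context; the location goes inside the server block
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
location / {
    limit_req zone=one burst=5;
    # Same backend as in Step 3
    proxy_pass http://127.0.0.1:3000;
}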
