How to Configure Nginx Reverse Proxy with SSL for Multiple Domains

Configuring Nginx as a reverse proxy with SSL for multiple domains is a crucial skill for web administrators managing multiple websites or applications. This tutorial guides you through setting up a secure reverse proxy configuration that can handle multiple domains with SSL encryption. You’ll learn to create a scalable infrastructure that routes traffic efficiently while maintaining security standards.

A reverse proxy acts as an intermediary between clients and backend servers. It receives requests from clients and forwards them to appropriate backend servers based on domain names or other criteria. When combined with SSL certificates, this setup provides encrypted communication and can significantly improve your server’s performance through load balancing and caching capabilities.

This tutorial covers the complete process from initial Nginx installation to SSL certificate configuration using Let’s Encrypt. You’ll also learn best practices for security hardening and performance optimization. By the end of this guide, you’ll have a production-ready reverse proxy setup capable of handling multiple domains securely.

Prerequisites and Requirements for Nginx Reverse Proxy with SSL Configuration

Before starting this tutorial on how to configure Nginx reverse proxy with SSL for multiple domains, ensure you have the following prerequisites in place:

You need an Ubuntu 20.04 or 22.04 server with root or sudo access. The server should have at least 1GB RAM and 20GB storage space. Your domains must be pointing to your server’s IP address through DNS A records. This is essential for SSL certificate validation.

Run system updates before installing the required packages. You’ll need Nginx, Certbot for SSL certificates, and basic networking tools. Ensure your firewall allows HTTP (port 80) and HTTPS (port 443) traffic. Backend services should be running on different ports or separate servers.

Basic knowledge of Linux command line, text editing with nano or vim, and understanding of DNS concepts is assumed. You should also understand how HTTP and HTTPS protocols work. The estimated completion time for this tutorial is 45-60 minutes depending on the number of domains you’re configuring.

Prepare your domain names and backend service details. You’ll need to know the internal IP addresses and ports where your applications are running. For example, if you’re proxying to WordPress sites, note their local addresses like `127.0.0.1:8080` or `192.168.1.100:80`.

Step-by-Step Guide to Configure Nginx Reverse Proxy with SSL Setup


Step 1: Install and Configure Nginx

First, update your system packages and install Nginx:

sudo apt update
sudo apt upgrade -y
sudo apt install nginx -y

Start and enable Nginx to run automatically on boot:

sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl status nginx

Verify the installation by visiting your server’s IP address in a web browser. You should see the default Nginx welcome page.

Step 2: Install Certbot for SSL Certificates

Install Certbot and the Nginx plugin for automatic SSL certificate management:

sudo apt install certbot python3-certbot-nginx -y

Verify the installation by checking the Certbot version:

certbot --version

Step 3: Create Nginx Server Blocks for Multiple Domains

Navigate to the Nginx sites-available directory and create configuration files for each domain:

cd /etc/nginx/sites-available/

Create a configuration file for your first domain (replace `domain1.com` with your actual domain):

sudo nano domain1.com

Add the following configuration:

server {
    listen 80;
    server_name domain1.com www.domain1.com;
    
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Create similar configurations for additional domains, adjusting the `server_name` and `proxy_pass` directives accordingly.
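
One way to produce those per-domain files without hand-editing, shown as an added example that is not part of the original tutorial: the function name `gen_server_block` and the values `domain2.com` / `127.0.0.1:8081` are assumptions. It expects a lowercase domain and validates both arguments so that nothing other than a hostname and a `host:port` pair can end up inside the generated configuration.

```shell
#!/bin/sh
# gen_server_block DOMAIN BACKEND
# Print the Step 3 port-80 server block for DOMAIN, proxying to BACKEND (host:port).
gen_server_block() {
    domain=$1
    backend=$2

    # Reject any character outside hostname syntax first (this also rejects
    # spaces, ';', '{' and newlines), then check the overall label structure.
    case $domain in
        ''|*[!a-z0-9.-]*) echo "invalid domain: $domain" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$domain" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'; then
        echo "invalid domain: $domain" >&2; return 1
    fi

    # Backend must be host:port with a port in 1-65535.
    case $backend in
        ''|*[!A-Za-z0-9.:-]*) echo "invalid backend: $backend" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$backend" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$'; then
        echo "invalid backend: $backend" >&2; return 1
    fi
    port=${backend##*:}
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid backend port: $port" >&2; return 1
    fi

    # Unquoted heredoc: shell variables expand, \$ keeps Nginx variables literal.
    cat <<EOF
server {
    listen 80;
    server_name $domain www.$domain;

    location / {
        proxy_pass http://$backend;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Constructed example values: a second domain on a second local backend port.
gen_server_block domain2.com 127.0.0.1:8081
```

Pipe the output through `sudo tee /etc/nginx/sites-available/domain2.com` to write the file, then continue with Step 4.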

Step 4: Enable Site Configurations

Create symbolic links to enable your site configurations:

sudo ln -s /etc/nginx/sites-available/domain1.com /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/domain2.com /etc/nginx/sites-enabled/

Test the Nginx configuration for syntax errors:

sudo nginx -t

If the test passes, reload Nginx to apply the changes:

sudo systemctl reload nginx

Step 5: Obtain SSL Certificates with Let’s Encrypt

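Use Certbot to obtain SSL certificates for all your domains in a single run. Passing every name with `-d` in one command produces one certificate that covers all of them, stored under the first name listed (here `/etc/letsencrypt/live/domain1.com/`). The official Nginx documentation provides additional configuration options for advanced setups: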

sudo certbot --nginx -d domain1.com -d www.domain1.com -d domain2.com -d www.domain2.com

Follow the interactive prompts to complete the certificate installation. Certbot will automatically modify your Nginx configurations to include SSL settings.

Step 6: Configure Security Headers and Optimization

Edit each domain configuration to add security headers and performance optimizations:

sudo nano /etc/nginx/sites-available/domain1.com

Update the configuration with enhanced security headers:

server {
    listen 443 ssl http2;
    server_name domain1.com www.domain1.com;
    
    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem;
    
    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}
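
The `always` parameter in the block above matters: without it Nginx attaches `add_header` values only to successful and redirect responses, so a 502 from an unreachable backend would go out without them. The following check is an added example, not part of the original tutorial; the function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# check_security_headers: read an HTTP response head on stdin and print the
# name of every Step 6 security header that is absent. Returns 1 if any is.
check_security_headers() {
    # Header names are case-insensitive: strip CRs and lowercase before matching.
    resp=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    for name in x-frame-options x-xss-protection x-content-type-options \
                strict-transport-security; do
        if ! printf '%s\n' "$resp" | grep -q "^$name:"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a 200 response served by the Step 6 server block.
sample_ok() {
    printf '%s\r\n' 'HTTP/2 200' \
        'x-frame-options: SAMEORIGIN' \
        'x-xss-protection: 1; mode=block' \
        'x-content-type-options: nosniff' \
        'strict-transport-security: max-age=31536000; includeSubDomains' ''
}

# Constructed sample: a 502 error page when add_header lacks "always".
sample_502_without_always() {
    printf '%s\r\n' 'HTTP/2 502' 'server: nginx' 'content-type: text/html' ''
}

sample_ok | check_security_headers \
    && echo "200 response: all Step 6 headers present"
sample_502_without_always | check_security_headers \
    || echo "502 response: the headers listed above are missing"
```

Against a live site, feed it real response headers with `curl -sI https://domain1.com | check_security_headers`, and repeat the check while the backend is stopped to confirm error responses carry the headers too.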

Step 7: Set Up Automatic Certificate Renewal

Verify that automatic SSL certificate renewal works by running a dry run of the renewal process:

sudo certbot renew --dry-run

If successful, the certificates will automatically renew before expiration. You can check the renewal timer status:

sudo systemctl status certbot.timer

Troubleshooting Common Nginx Reverse Proxy SSL Issues

When configuring an Nginx reverse proxy with SSL for multiple domains, you may encounter several common issues. Here are the most frequent problems and their solutions:

SSL Certificate Validation Failures: If Certbot fails to validate your domain, ensure DNS records are properly configured and propagated. Check that your domain points to the correct server IP using `nslookup domain.com` or `dig domain.com`. Firewall rules must allow HTTP traffic on port 80 for initial validation.

502 Bad Gateway Errors: This typically indicates backend services are unreachable. Verify your backend applications are running and accessible on the specified ports. Check that the `proxy_pass` URLs in your Nginx configuration match your backend service addresses. Use `curl` to test backend connectivity directly.

Mixed Content Warnings: When proxying HTTP backends through HTTPS, ensure all resources load over HTTPS. Add the `proxy_set_header X-Forwarded-Proto $scheme;` directive to inform backend applications about the original protocol.

Certificate Chain Issues: If browsers show certificate warnings, verify the full certificate chain is properly installed. The Let’s Encrypt documentation provides detailed troubleshooting steps for certificate validation problems.

Performance Issues: Large file uploads may fail due to default size limits. Add `client_max_body_size 100M;` to your server blocks to increase upload limits. Configure appropriate timeout values for slow backend responses using `proxy_read_timeout` and `proxy_connect_timeout` directives.

Redirect Loops: Avoid infinite redirects by properly configuring the `X-Forwarded-Proto` header and ensuring backend applications don’t force additional redirects when already receiving HTTPS traffic.

Optimizing and Securing Your Multi-Domain Setup

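Once your Nginx reverse proxy with SSL for multiple domains is working, focus on optimization and security hardening to ensure production readiness.

Configure rate limiting to help protect against DDoS attacks and abuse. Define the shared zone with `limit_req_zone` in the `http` context (for example in `/etc/nginx/nginx.conf`), then apply it with `limit_req` inside the server or location blocks you want to protect:

# http context: one shared 10 MB zone keyed by client address, 10 requests per second
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
# server or location context: allow bursts of up to 20 requests without delay
limit_req zone=api burst=20 nodelay;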

Implement proper logging for monitoring and debugging. Configure separate access and error logs for each domain:

access_log /var/log/nginx/domain1.com.access.log;
error_log /var/log/nginx/domain1.com.error.log;

Enable Gzip compression to improve performance by adding compression settings to your main Nginx configuration:

gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml;

Configure SSL session caching and optimization parameters in the main configuration file `/etc/nginx/nginx.conf`:

ssl_session_cache shared:SSL:10m;
ssl_session_
