How to Configure Nginx Reverse Proxy with SSL for Multiple Domains Using Let’s Encrypt

Configuring an Nginx reverse proxy with SSL for multiple domains using Let’s Encrypt is essential for managing multiple websites efficiently on a single server. This tutorial walks through setting up a reverse proxy that terminates TLS and obtains and renews certificates automatically for each domain. You’ll end up with a scalable layout that can host multiple applications behind one server while keeping the TLS configuration consistent.

A reverse proxy acts as an intermediary between clients and backend servers. It receives client requests and forwards them to appropriate backend services. When combined with SSL certificates from Let’s Encrypt, you create a secure gateway that encrypts all traffic between clients and your applications.

This setup is particularly valuable for hosting multiple WordPress sites, web applications, or microservices on a single server. You’ll reduce server costs while maintaining professional SSL certificates for each domain. The automated certificate renewal ensures your sites remain secure without manual intervention.

Prerequisites and Requirements for Nginx Reverse Proxy SSL Configuration

Before you begin configuring your Nginx reverse proxy with SSL for multiple domains, ensure you have the necessary components in place. You’ll need an Ubuntu 20.04 or newer server with root access and at least 2GB of RAM. Your server should have a public IP address with DNS records for each domain pointing to that IP.

Install the required software packages on your system. You’ll need Nginx as your reverse proxy server, Certbot for Let’s Encrypt certificate management, and basic system utilities. Ensure your firewall allows HTTP (port 80) and HTTPS (port 443) traffic.

Your backend applications should be running on different ports or separate servers. For this tutorial, we’ll assume you have applications running on ports 3000, 3001, and 8080. Each application should be accessible locally on your server.

Domain ownership verification is crucial for Let’s Encrypt certificates. Ensure you control the DNS settings for all domains you plan to secure. The domains should resolve to your server’s IP address before starting the SSL configuration process.

Allocate approximately 2-3 hours to complete this entire setup. The process includes installing software, configuring Nginx, obtaining certificates, and testing the configuration. Having basic knowledge of Linux command line and text editing will help you follow along smoothly.

Step-by-Step Guide to Configure Nginx Reverse Proxy with SSL


Step 1: Install and configure Nginx on your server. Begin by updating your system packages and installing Nginx along with necessary dependencies.

sudo apt update
sudo apt install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx

Verify that Nginx is running correctly by checking its status. The service should show as active and enabled for automatic startup.

sudo systemctl status nginx

Step 2: Install Certbot and the Nginx plugin for automated certificate management. Certbot will handle the Let’s Encrypt certificate acquisition and renewal process.

sudo apt install certbot python3-certbot-nginx -y

This installation includes the Nginx plugin that automatically configures SSL settings in your Nginx configuration files. The plugin simplifies the certificate installation process significantly.

Step 3: Create individual Nginx server blocks for each domain. Start by creating configuration files for your first domain. Replace example1.com with your actual domain name.

sudo nano /etc/nginx/sites-available/example1.com

Add the following configuration for your first domain:

server {
    listen 80;
    server_name example1.com www.example1.com;
    
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Step 4: Create similar configuration files for your additional domains. Each domain should proxy to a different backend port or service.

sudo nano /etc/nginx/sites-available/example2.com

Configure the second domain:

server {
    listen 80;
    server_name example2.com www.example2.com;
    
    location / {
        proxy_pass http://localhost:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Step 5: Enable your site configurations by creating symbolic links in the sites-enabled directory. This activates your domain configurations.

sudo ln -s /etc/nginx/sites-available/example1.com /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/example2.com /etc/nginx/sites-enabled/

Test your Nginx configuration for syntax errors before reloading:

sudo nginx -t
sudo systemctl reload nginx

Step 6: Obtain SSL certificates for all your domains using Certbot. The following command will automatically configure SSL for all your domains simultaneously.

sudo certbot --nginx -d example1.com -d www.example1.com -d example2.com -d www.example2.com

Certbot will prompt you to enter an email address and agree to the terms of service. It will then verify domain ownership and install certificates automatically.

Step 7: Configure automatic certificate renewal to ensure your SSL certificates remain valid. Let’s Encrypt certificates are valid for 90 days, but Certbot can renew them automatically.

sudo crontab -e

Add the following line to schedule automatic renewal:

0 12 * * * /usr/bin/certbot renew --quiet

This cron job runs daily at noon and renews certificates that are within 30 days of expiration.
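The whole procedure above repeated per domain, as an added example that is not part of the original tutorial: a POSIX shell script that renders one server block per DOMAIN:PORT pair (the same shape as the example1.com block), writes each to a directory, and builds the single certbot command with every -d flag. The DOMAIN:PORT list, the SITES_DIR variable (defaulting to a temp dir so the demo needs no root) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Renders Nginx server blocks for
# several domains and assembles the certbot --nginx argument list.
set -eu

# Output directory; set SITES_DIR=/etc/nginx/sites-available on a real server.
SITES_DIR="${SITES_DIR:-$(mktemp -d)}"

# Print the HTTP server block for DOMAIN proxying to localhost:PORT.
render_server_block() {
    domain="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    cat <<EOF
server {
    listen 80;
    server_name $domain www.$domain;

    location / {
        proxy_pass http://localhost:$port;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Build "-d a.com -d www.a.com -d b.com -d www.b.com ..." for one certbot run.
certbot_args() {
    args=""
    for d in "$@"; do args="$args -d $d -d www.$d"; done
    printf '%s' "${args# }"
}

# Write one config file per DOMAIN:PORT pair and print the certbot command.
generate_all() {
    domains=""
    for pair in "$@"; do
        domain="${pair%%:*}"; port="${pair#*:}"
        render_server_block "$domain" "$port" > "$SITES_DIR/$domain"
        domains="$domains $domain"
    done
    # shellcheck disable=SC2086
    printf 'sudo certbot --nginx %s\n' "$(certbot_args $domains)"
}

generate_all example1.com:3000 example2.com:3001 example3.com:8080
```

After the files are written, the symlink, nginx -t and reload steps from Step 5 still apply before running the printed certbot command.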

Troubleshooting Common Nginx Reverse Proxy SSL Issues

When learning how to configure Nginx reverse proxy with SSL for multiple domains using Let’s Encrypt, you may encounter several common issues. Understanding these problems and their solutions will help you maintain a stable configuration.

Certificate validation failures often occur when DNS records don’t point to your server correctly. Verify that all your domains resolve to your server’s IP address using the dig command. If DNS propagation is incomplete, wait a few hours before attempting certificate generation again.

Port conflicts can prevent your backend applications from receiving traffic. Ensure each application runs on a unique port and that no other services are using those ports. Use netstat -tlnp to check which ports are in use on your system.

Permission errors may prevent Certbot from writing certificate files. Ensure the www-data user has appropriate permissions to read certificate files. You can verify certificate installation by checking the /etc/letsencrypt/live/ directory for your domain folders.

Proxy header configuration issues can cause backend applications to malfunction. The X-Forwarded-Proto header is particularly important for applications that need to know whether the original request used HTTP or HTTPS. Without proper headers, some applications may generate incorrect redirect URLs.

SSL configuration problems may result in browser security warnings. Check your SSL configuration using online tools like SSL Labs Server Test to identify potential security issues. Modern browsers require strong SSL configurations to display the secure lock icon.

If you encounter “502 Bad Gateway” errors, verify that your backend applications are running and accessible on their configured ports. Use curl http://localhost:3000 to test backend connectivity directly from your server.

Advanced Configuration and Security Enhancements

After successfully implementing your basic reverse proxy setup, consider implementing additional security measures and performance optimizations. These enhancements will improve your server’s security posture and user experience.

Configure security headers to protect against common web vulnerabilities. Add the following configuration block inside your server blocks to enhance security:

add_header X-Frame-Options "SAMEORIGIN" always;
# Legacy header: modern browsers ignore it, but it is harmless to keep.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# Permissive starting policy: it allows inline scripts and plain-http sources.
# Tighten it per application once you know which origins each site loads from.
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

Implement rate limiting to prevent abuse and DDoS attacks. Create a rate limiting configuration that restricts the number of requests per IP address:

http {
    # Zone keyed by client IP, 10 MB of state, 10 requests/second per client.
    # limit_req_zone must be defined in the http context.
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

    server {
        location / {
            # Allow short bursts of 20 extra requests; excess requests get 503.
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://localhost:3000;
        }
    }
}

Enable Gzip compression to reduce bandwidth usage and improve page load times. Add compression settings to your main Nginx configuration:

gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied expired no-cache no-store private must-revalidate auth;
gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json;

Consider implementing HTTP/2 support for improved performance. Modern browsers support HTTP/2, which can significantly reduce page load times. The Nginx HTTP/2 module documentation provides detailed configuration instructions.

Set up monitoring and logging to track your reverse proxy performance. Configure custom log formats that include proxy-specific information:

log_format proxy '$remote_addr - $remote_user [$time_local] "$request" '
                 '$status $body_bytes_sent "$http_referer" '
                 '"$http_user_agent" "$http_x_forwarded_for"';
# Reference the format from an access_log directive to use it, e.g.
# access_log /var/log/nginx/proxy.log proxy;
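A small check over log lines in that format, as an added example that is not part of the original tutorial: it counts 502 responses (backend down, as discussed in the troubleshooting section) and 503 responses (the status limit_req returns to rate-limited clients) and lists the clients hit by the limit. The sample log lines are constructed; function names are assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Summarises an access log written
# with the proxy log_format above. The log lines below are constructed samples.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [01/Jan/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "-"
203.0.113.10 - - [01/Jan/2024:12:00:02 +0000] "GET /api HTTP/1.1" 502 0 "-" "curl/8.0" "-"
198.51.100.7 - - [01/Jan/2024:12:00:02 +0000] "GET /api HTTP/1.1" 503 197 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [01/Jan/2024:12:00:02 +0000] "GET /api HTTP/1.1" 503 197 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [01/Jan/2024:12:00:03 +0000] "GET /login HTTP/1.1" 502 0 "-" "curl/8.0" "-"
EOF
)

# Field 9 is $status when a line is split on whitespace, because the bracketed
# $time_local occupies fields 4 and 5. Prints how many lines carry STATUS.
count_status() {  # usage: count_status STATUS < logfile
    awk -v s="$1" '$9 == s { n++ } END { print n + 0 }'
}

# Clients with the most STATUS responses, "count ip" per line, highest first.
top_clients_for_status() {  # usage: top_clients_for_status STATUS < logfile
    awk -v s="$1" '$9 == s { c[$1]++ } END { for (ip in c) print c[ip], ip }' \
        | sort -rn
}

# Operator summary: backend failures and rate-limited clients.
summarise() {  # usage: summarise < logfile
    log=$(cat)
    bad_gateway=$(printf '%s\n' "$log" | count_status 502)
    limited=$(printf '%s\n' "$log" | count_status 503)
    printf '502 Bad Gateway: %s (check backends with curl)\n' "$bad_gateway"
    printf '503 rate-limited: %s\n' "$limited"
    printf '%s\n' "$log" | top_clients_for_status 503
}

printf '%s\n' "$SAMPLE_LOG" | summarise
```

On a live server, feed the real file instead: summarise < /var/log/nginx/proxy.log.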
