How to Set Up Nginx Reverse Proxy with Let’s Encrypt SSL on Ubuntu

Setting up an Nginx reverse proxy with Let’s Encrypt SSL on Ubuntu is a crucial skill for modern web server administration. This configuration lets you route traffic from your domain to backend applications while encrypting the connection between clients and the proxy. Whether you’re running multiple web services or need to add HTTPS to an existing application, this reverse proxy setup offers flexibility and security.

A reverse proxy acts as an intermediary between clients and your backend servers. It receives client requests and forwards them to the appropriate backend service. This setup provides several benefits including load balancing, SSL termination, and improved security by hiding backend server details from clients.

Let’s Encrypt provides free SSL certificates that automatically renew, making it the perfect solution for securing your reverse proxy. Combined with Nginx’s powerful proxy capabilities, you’ll have a production-ready setup that handles encrypted traffic efficiently.

This tutorial will guide you through installing Nginx, configuring it as a reverse proxy, and securing it with Let’s Encrypt SSL certificates. You’ll learn to create virtual hosts, configure proxy settings, and implement automatic SSL renewal.

Prerequisites and Requirements for Nginx Reverse Proxy Setup

Before you begin this tutorial on how to set up Nginx reverse proxy with Let’s Encrypt SSL on Ubuntu, ensure you have the following requirements in place.

You need a fresh Ubuntu 20.04 or 22.04 server with root access or sudo privileges. The server should have at least 1GB of RAM and 10GB of available disk space. A stable internet connection is essential for downloading packages and obtaining SSL certificates.

Your domain name must point to your server’s IP address. Create an A record in your DNS settings that points your domain to the server’s public IP. This DNS configuration is mandatory for Let’s Encrypt certificate validation.

You should have a basic understanding of Linux command line operations and text editing. Familiarity with Nginx configuration syntax will be helpful but not required. The backend application you want to proxy should already be running on your server.

Ensure ports 80 and 443 are open in your firewall. These ports handle HTTP and HTTPS traffic respectively. If you’re using a cloud provider, check their security group settings as well.

The estimated completion time for this tutorial is 30-45 minutes, depending on your familiarity with the tools involved.

Step-by-Step Guide to Configure Nginx Reverse Proxy with SSL


Follow these numbered steps to implement your reverse proxy configuration with SSL encryption.

Step 1: Update your system and install Nginx

Start by updating your package list and installing Nginx on your Ubuntu server.

sudo apt update
sudo apt upgrade -y
sudo apt install nginx -y

Step 2: Start and enable Nginx service

Enable Nginx to start automatically on boot and start the service immediately.

sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl status nginx

The status command should show Nginx as active and running. If it’s not running, check the error logs using sudo journalctl -u nginx.

Step 3: Install Certbot for Let’s Encrypt

Install Certbot and the Nginx plugin to manage SSL certificates automatically.

sudo apt install certbot python3-certbot-nginx -y

Step 4: Create Nginx server block configuration

Create a new server block for your domain. Replace yourdomain.com with your actual domain name.

sudo nano /etc/nginx/sites-available/yourdomain.com

Add the following basic configuration:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

This configuration assumes your backend application runs on port 3000. Adjust the proxy_pass directive to match your application’s actual port.

Step 5: Enable the server block

Create a symbolic link to enable your new server block configuration.

sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/

Step 6: Test Nginx configuration

Verify your configuration syntax is correct before restarting Nginx.

sudo nginx -t

If the test passes, reload Nginx to apply the changes:

sudo systemctl reload nginx

Step 7: Obtain Let’s Encrypt SSL certificate

Use Certbot to obtain and install SSL certificates for your domain. The Nginx plugin will automatically update your configuration.

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Follow the prompts to enter your email address and agree to the terms of service. Certbot will automatically modify your Nginx configuration to include SSL settings.

Step 8: Verify SSL certificate installation

Check that your SSL certificate was installed correctly by visiting your domain with HTTPS. You should see a secure connection indicator in your browser.

You can also verify the certificate details using the following command:

sudo certbot certificates
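
The check below is an added example, not part of the original tutorial: a shell function that audits a server block for the settings Steps 4 and 7 rely on (TLS listener, Let’s Encrypt certificate paths, HTTP to HTTPS redirect, loopback proxy_pass, forwarded headers). The function name audit_proxy_conf and both sample configurations are constructed for illustration; the second sample assumes the typical shape of what certbot --nginx writes and is not captured output.

```shell
# Added example: print one "MISSING:" line per absent setting in a server block
# (file argument, else stdin); exit status is 0 only when nothing is missing.
audit_proxy_conf() {
    missing=0
    conf=$(sed 's/#.*//' ${1:+"$1"}) || return 2    # drop comments first
    need() {                                         # need DESCRIPTION REGEX
        printf '%s\n' "$conf" | grep -Eq -- "$2" && return 0
        echo "MISSING: $1"; missing=$((missing + 1))
    }
    need "TLS listener"           'listen[[:space:]]+([^;]*:)?443[[:space:]]+ssl'
    need "certificate chain"      'ssl_certificate[[:space:]]+/etc/letsencrypt/live/[^;]+/fullchain\.pem'
    need "private key"            'ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/[^;]+/privkey\.pem'
    need "HTTP to HTTPS redirect" 'return[[:space:]]+301[[:space:]]+https://'
    need "loopback proxy_pass"    'proxy_pass[[:space:]]+http://(127\.0\.0\.1|localhost)[:/;]'
    need "Host header"            'proxy_set_header[[:space:]]+Host[[:space:]]'
    need "X-Forwarded-Proto"      'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+\$scheme'
    [ "$missing" -eq 0 ]
}
# Constructed sample: the Step 4 server block (trimmed) before Certbot has run.
sample_before() { cat <<'EOF'
server {
    listen 80;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}
# Constructed sample: assumed shape of the same file after "certbot --nginx".
sample_after() { cat <<'EOF'
server {
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; # managed by Certbot
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
EOF
}
echo "== before Certbot =="; sample_before | audit_proxy_conf || true
echo "== after Certbot ==";  sample_after | audit_proxy_conf && echo "all settings present"
```

On the server, run it against the real file: audit_proxy_conf /etc/nginx/sites-available/yourdomain.com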

Troubleshooting Common Nginx Reverse Proxy Issues

When learning how to set up Nginx reverse proxy with Let’s Encrypt SSL on Ubuntu, you may encounter several common issues. Here are the most frequent problems and their solutions.

If Certbot fails to obtain certificates, check your DNS configuration first. The domain must resolve to your server’s IP address before Let’s Encrypt can validate ownership. Use nslookup yourdomain.com to verify DNS resolution.

Port conflicts can prevent your backend application from starting. Use sudo netstat -tlnp to check which ports are in use. Ensure your backend application isn’t trying to use port 80 or 443, which Nginx needs.

If you see “502 Bad Gateway” errors, your backend application might not be running. Check the application status and logs. Verify the proxy_pass URL in your Nginx configuration matches where your application is actually listening.

Permission issues can cause certificate renewal failures. Ensure the www-data user has proper permissions to read certificate files. You can check certificate renewal with:

sudo certbot renew --dry-run

Firewall rules might block traffic. Verify that ports 80 and 443 are open:

sudo ufw status
sudo ufw allow 'Nginx Full'

For detailed error diagnosis, check Nginx error logs:

sudo tail -f /var/log/nginx/error.log

If your reverse proxy setup isn’t working correctly, verify the backend application is accessible locally using curl http://127.0.0.1:3000 (replace 3000 with your actual port).

Conclusion

You’ve successfully learned how to set up Nginx reverse proxy with Let’s Encrypt SSL on Ubuntu. This configuration provides a secure, production-ready setup for routing encrypted traffic to your backend applications.

Your reverse proxy now handles SSL termination, forwards requests to your backend service, and includes automatic certificate renewal. The Let’s Encrypt certificates will renew automatically every 90 days through Certbot’s built-in cron job.

Consider implementing additional security measures like rate limiting, IP whitelisting, or Web Application Firewall rules. You can also explore advanced Nginx features such as load balancing across multiple backend servers or implementing custom headers for enhanced security.

For production environments, monitor your setup regularly and keep both Nginx and your Ubuntu system updated. The official Nginx documentation provides comprehensive guidance for advanced configurations. Additionally, the Let’s Encrypt documentation offers detailed information about certificate management and best practices.

This reverse proxy setup forms the foundation for scalable web infrastructure that can grow with your application needs while maintaining security and performance standards.
