NGINX reverse proxy SSL letsencrypt

 

Wondering how to configure NGINX reverse proxy SSL letsencrypt? Bobcares as a part of Server Management Services helps with installing SSL on different applications for your Domain.

How to configure NGINX reverse proxy SSL letsencrypt?

The 

certbotCopy Code

utility by the EFF can use DNS authentication to obtain, install, and renew free trusted SSL certificates on a variety of webserver configurations, including a nginx reverse proxy.

This configuration can use on internal and external websites.

It is particularly useful in situations where you want to have a trusted certificate for an internal web application without the time, effort, and risks of creating and maintaining your own internal Certificate Authority (CA).

Today, let us see how our Support Techs configure NGINX.

1.Install certbot

Let’s Encrypt certificates expire every 90 days, so they would a pain to maintain without certbot handling the renewals automatically.

Of course, appliance servers like the Unifi Controller can’t run certbot themselves.

While certbot can be found in the package repositories of most Linux distributions, the EFF recommends using the snap release, because the snap release is published directly by the EFF, so it is always the latest release.

First, install snapd.

Remove any 

certbotCopy Code

 packages you may have already installed on your system.

Then use 

snapdCopy Code

 to install 

certbotCopy Code

.

sudo snap install core; sudo snap refresh core
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbotCopy Code

 

2.Configure NGINX reverse proxy SSL letsencrypt

Install nginx. For example, on Debian or Ubuntu servers run

sudo apt install -y nginxCopy Code

If your upstream site (the site that nginx is in front of) uses a self-signed SSL certificate, download a copy of the certificate.

The easiest way to do this is to visit the website in Google Chrome or Microsoft Edge, click on the padlock on the address bar, and click certificate. On Windows, click on the Details tab, then

click Copy to file...Copy Code

. Click next, and select Base-64 format.

Save the certificate, then upload it to the webserver using SCP, and move it into a proper directory, for example:

sudo mkdir /etc/nginx/ssl
sudo mv unifi.cer /etc/nginx/ssl
sudo chown root:root /etc/nginx/ssl/unifi.cer
sudo chmod u=rw,go=r /etc/nginx/ssl/cert/unifi.cerCopy Code

Create a new file within 

/etc/nginx/sites-availableCopy Code

 

sudo nano /etc/nginx/sites-available/unifi.example.netCopy Code

Add configuration details for a basic HTTP reverse proxy. 

certbotCopy Code

 will add the HTTPS configuration for you later.

If the upstream site is using plain HTTP and not HTTPS, omit the 

proxy_ssl_trusted_certificateCopy Code

 line.

server {
    listen 80;
    listen [::]:80;
    server_name unifi.example.net;

    location / {
        proxy_pass https://127.0.0.1:8443;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/unifi.cer;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}Copy Code

Save the file.

Enable the new configuration

ln -s /etc/nginx/sites-available/unifi.example.net /etc/nginx/sites-enabled/unifi.example.net
sudo service nginx reloadCopy Code

Next install the 

certbotCopy Code

 plugin for your DNS provider.  There, you will find links to specific instructions for each plugin/DNS provider.

 

DNS is a reliable authentication method that 

certbotCopy Code

can use even if your webserver is not expose to the public internet.

In this example we’ll use Google DNS.

sudo snap install certbot-dns-googleCopy Code

Request a certificate for your domain/subdomain using 

sudo certbot certonlyCopy Code

, and pass in the configuration options required by your DNS plugin, according to that plugin’s documentation. The example below uses Google DNS.

sudo certbot certonly --dns-google --dns-google-credential /etc/letsencrypt/creds/google-dns-creds.json -d unifi.example.netCopy Code

Once the certificate is acquired, use 

certbotCopy Code

 to add SSL configuration to the nginx configuration earlier.

sudo certbot --nginx  -d unifi.example.netCopy Code

You will see output like this

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/unifi.example.net.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Copy Code

Select option 1.

Reload the configuration for nginx

sudo service nginx reloadCopy Code

Edit the renewal configuration file for the certificate

sudo nano /etc/letsencrypt/renewal/unifi.example.net.confCopy Code

Under the 

[renewalparams]Copy Code

 section, add the line

renew_hook = systemctl reload nginxCopy Code

and save the changes to the file

This configures 

certbotCopy Code

 to reload the nginx configuration after the certificate has been renewed.

Conclusion

To sum up, you have learned step-by-step procedures on how to NGINX reverse proxy SSL letsencrypt .SSL Certificates are small data files that bind cryptographic keys digitally for an organization.