Nginx reverse proxy: subdomain and SSL

April 28, 2021

Seven easy steps to configure a full nginx reverse proxy with SSL:

  • 1: go to your nginx folder
    cd /etc/nginx/sites-available
  • 2: create a new config file with your domain or subdomain name
    nano {}
  • 3: copy this config and replace every {} placeholder with your domain or subdomain, {ip} and {port} with the service you are proxying, and {resolver-ip} with the nameserver nginx should use for DNS lookups
    # Map the Upgrade header so WebSocket connections are passed through to the upstream
    map $http_upgrade $connection_upgrade {
      default upgrade;
      ''      close;
    }
    # Plain HTTP: redirect everything to HTTPS
    server {
      listen 80;
      server_name {};
      return 301 https://$host$request_uri;
    }
    # SSL configuration
    server {
      listen 443 ssl;
      server_name {};
      ssl_certificate      /etc/letsencrypt/live/{}/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/{}/privkey.pem;
      # Improve HTTPS performance with session resumption
      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 5m;
      # Enable server-side protection against BEAST attacks
      ssl_prefer_server_ciphers on;
      ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
      # Disable SSLv3
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      # Diffie-Hellman parameter for DHE ciphersuites (the file generated in step 4)
      ssl_dhparam /etc/ssl/certs/dhparam.pem;
      # Enable HSTS
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
      # Enable OCSP stapling
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/{}/fullchain.pem;
      # The resolver needs at least one nameserver address, otherwise nginx refuses the config
      resolver {resolver-ip} valid=300s;
      resolver_timeout 5s;
      location / {
        proxy_pass http://{ip}:{port};
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
      }
    }
  • 4: if you have never set up a domain with certbot on this host before, generate the Diffie-Hellman parameters referenced by ssl_dhparam with openssl:
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  • 5: at your domain provider, create an A record for {} that points to your public IP address

  • 6: request the certificate
    • sudo systemctl stop nginx
    • sudo certbot certonly -d {}
    • select: Spin up a temporary webserver (standalone) 
    • sudo systemctl start nginx
  • 7: last step: enable the site by symlinking the config into sites-enabled
    sudo ln -s /etc/nginx/sites-available/{} /etc/nginx/sites-enabled/
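As an added check that is not part of the original post: a small POSIX shell linter that reads a site config like the one from step 3 and reports the settings a reviewer would revisit (TLS 1.0/1.1 still listed in ssl_protocols, 3DES in ssl_ciphers, a resolver line without a nameserver, no X-Forwarded-Proto header for the upstream). The directive names are real nginx directives; the config embedded at the end is a constructed sample that mirrors the post's values, and the function names are my own.

```shell
#!/bin/sh
# Lint an nginx site config for the TLS and proxy settings the steps above set up.
# One "OK:"/"FAIL:" line per check; comments are stripped first so a commented-out
# directive is never counted as active.
_check() {  # _check <label> <grep -E pattern> <1 = must match | 0 = must not match>
  if printf '%s\n' "$NGINX_CONF_TEXT" | grep -Eq "$2"; then found=1; else found=0; fi
  if [ "$found" -eq "$3" ]; then echo "OK:   $1"; else echo "FAIL: $1"; fi
}
audit_site_conf() {  # usage: audit_site_conf /etc/nginx/sites-available/{domain}
  NGINX_CONF_TEXT=$(sed 's/#.*$//' "$1")
  _check "TLS 1.0/1.1 disabled (both deprecated by RFC 8996)" 'ssl_protocols[^;]*TLSv1(\.1)?[ ;]' 0
  _check "no 3DES in ssl_ciphers (64-bit block cipher)" 'ssl_ciphers[^;]*3DES' 0
  _check "server cipher preference enforced" 'ssl_prefer_server_ciphers +on' 1
  _check "OCSP stapling enabled" 'ssl_stapling +on' 1
  _check "resolver has a nameserver address (stapling needs one)" 'resolver +[^ ;=]+[ ;]' 1
  _check "HSTS header sent" 'Strict-Transport-Security' 1
  _check "port 80 redirects to HTTPS" 'return +301 +https://' 1
  _check "client IP forwarded (X-Forwarded-For)" 'X-Forwarded-For' 1
  _check "scheme forwarded (X-Forwarded-Proto)" 'X-Forwarded-Proto' 1
}
audit_count() {  # number of FAIL lines; always exits 0 so it is safe under set -e
  audit_site_conf "$1" | { grep -c '^FAIL' || true; }
}
# Constructed sample mirroring the post's config (not a real site config); it should
# yield 3 FAILs: TLSv1/1.1 enabled, 3DES in the cipher list, X-Forwarded-Proto missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server { listen 80; server_name example.test; return 301 https://$host$request_uri; }
server {
  listen 443 ssl;
  server_name example.test;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
  ssl_prefer_server_ciphers on;
  ssl_stapling on;
  resolver 127.0.0.53 valid=300s;   # constructed: a local stub resolver
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; }
}
EOF
audit_site_conf "$sample"
```

Run it against the real file before the symlink in step 7 and after every edit; a FAIL on the resolver check is also what nginx -t would reject.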