Nginx reverse proxy: subdomain and SSL

April 28, 2021

Seven easy steps to configure a full nginx reverse proxy with SSL:

  • 1: go to the nginx sites folder
    cd /etc/nginx/sites-available
  • 2: create a new config file named after your domain or subdomain
    nano {subdomain.domain.de.conf}
  • 3: copy the following into the file and replace the values in braces ({subdomain.domain.de}, {ip}, {port}) with your own
    map $http_upgrade $connection_upgrade {
      default upgrade;
      ''      close;
    }
    server {
      listen 80;
      server_name {subdomain.domain.de};
      return 301 https://$host$request_uri;
    }
    
    # SSL configuration
    server {
      listen 443 ssl;
      server_name {subdomain.domain.de};
      ssl_certificate      /etc/letsencrypt/live/{subdomain.domain.de}/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/{subdomain.domain.de}/privkey.pem;
    
      # Improve HTTPS performance with session resumption
      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 5m;
    
      # Enable server-side protection against BEAST attacks
      ssl_prefer_server_ciphers on;
      ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    
      # Disable SSLv3. Note: TLSv1 and TLSv1.1 are deprecated as well (RFC 8996);
      # on nginx 1.13+ with OpenSSL 1.1.1 prefer "ssl_protocols TLSv1.2 TLSv1.3;"
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
      # Diffie-Hellman parameter for DHE ciphersuites
      ssl_dhparam /etc/ssl/certs/dhparam.pem;
    
      # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    
      # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/{subdomain.domain.de}/fullchain.pem;
      resolver 8.8.8.8 8.8.4.4 valid=300s;
      resolver_timeout 5s;
    
      location / {
        proxy_pass http://{ip}:{port};
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
      }
    }
  • 4: if you have never set up a domain this way before (the dhparam.pem file referenced above does not exist yet), generate the Diffie-Hellman parameters with openssl:
    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  • 5: register the domain with your domain provider: {subdomain.domain.de} has to point to your public IP address with an A record
  • 6: certificate request (nginx is stopped so certbot's temporary standalone webserver can bind port 80)
    • sudo systemctl stop nginx
    • sudo certbot certonly -d {subdomain.domain.de}
    • select: Spin up a temporary webserver (standalone)
    • sudo systemctl start nginx
  • 7: last step: enable the site by symlinking the config into sites-enabled (nginx picks it up after a config test and reload)
    sudo ln -s /etc/nginx/sites-available/{subdomain.domain.de.conf} /etc/nginx/sites-enabled/
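Before the symlink in step 7, it pays to lint the edited file: the check below, added here as an example and not part of the original post, catches placeholders left in braces, the deprecated TLS 1.0/1.1 versions the step-3 template still enables, missing HSTS or OCSP stapling, and certificate paths that do not match the server_name. The domain proxy.example.net and upstream 10.0.0.5:8080 are made-up values standing in for the placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a site config written
# from the step-3 template before symlinking it into sites-enabled (step 7).
# Findings are printed; the function returns non-zero if any check fails.
lint_site_conf() {
  conf="$1"; rc=0
  # 1. Template placeholders ({subdomain.domain.de}, {ip}, {port}) left unreplaced
  if grep -nE '\{[A-Za-z][^}]*\}' "$conf"; then
    echo "FAIL: unreplaced {placeholder} values listed above"; rc=1
  fi
  # 2. TLS 1.0/1.1 are deprecated (RFC 8996); only TLSv1.2/TLSv1.3 should remain
  if grep -E '^[[:space:]]*ssl_protocols' "$conf" | grep -Eq 'TLSv1(\.1)?([[:space:];]|$)'; then
    echo "FAIL: ssl_protocols still enables TLSv1 and/or TLSv1.1"; rc=1
  fi
  # 3. Hardening directives from the template must survive editing
  grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$conf" \
    || { echo "FAIL: HSTS header missing"; rc=1; }
  grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$conf" \
    || { echo "FAIL: OCSP stapling not enabled"; rc=1; }
  # 4. Every server_name needs certificate paths under its own Let's Encrypt directory
  for name in $(awk '$1=="server_name"{sub(";","",$2); print $2}' "$conf" | sort -u); do
    grep -qF -- "/etc/letsencrypt/live/$name/" "$conf" \
      || { echo "FAIL: no certificate paths for $name"; rc=1; }
  done
  return $rc
}

# Constructed sample: a trimmed copy of the step-3 template, then two renderings
WORK=$(mktemp -d)
cat >"$WORK/template.conf" <<'EOF'
server {
  listen 443 ssl;
  server_name {subdomain.domain.de};
  ssl_certificate     /etc/letsencrypt/live/{subdomain.domain.de}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{subdomain.domain.de}/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  ssl_stapling on;
  location / { proxy_pass http://{ip}:{port}; }
}
EOF
# proxy.example.net -> 10.0.0.5:8080 are made-up values standing in for the placeholders
sed -e 's/{subdomain\.domain\.de}/proxy.example.net/g' -e 's/{ip}/10.0.0.5/' \
    -e 's/{port}/8080/' "$WORK/template.conf" >"$WORK/as-posted.conf"
sed 's/^\( *ssl_protocols\).*/\1 TLSv1.2 TLSv1.3;/' "$WORK/as-posted.conf" >"$WORK/hardened.conf"

lint_site_conf "$WORK/template.conf"  || echo "-> template.conf rejected (placeholders)"
lint_site_conf "$WORK/as-posted.conf" || echo "-> as-posted.conf rejected (old TLS versions)"
lint_site_conf "$WORK/hardened.conf"  && echo "-> hardened.conf is ready to symlink"
```

Run it against your real file as `lint_site_conf /etc/nginx/sites-available/{subdomain.domain.de.conf}`; only a clean run should be followed by the symlink and an nginx reload.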