Set Up an NGINX Reverse Proxy
How to set up an NGINX Reverse Proxy.

Created by / Mohammad Hajjiri

We aim to outline and demonstrate how to set up and configure an NGINX Reverse Proxy for various applications, including Node.js-based applications.
- Install NGINX (for the web server) & certbot (for the SSL certificate).
  Ubuntu/Debian -
      apt install -y nginx certbot
  CentOS/Fedora -
      yum install epel-release
      yum install nginx certbot
  OpenSUSE -
      zypper install nginx certbot python-certbot python-certbot-nginx
- Create an A record in your domain's DNS manager pointing to your server's IPv4 address. If you use Cloudflare, make sure that the orange cloud is grey (DNS only) before saving.
- Connect to your server via SSH:
      ssh -p 22 username@serverip
  and navigate to the following directory:
      cd /etc/nginx/sites-available/
- Create a new file with this format:
      nano <domain name>.conf
- Paste the following content into the newly created file (for example, hamoodihajjiri.com.conf), replacing all instances of <domain name> with your own domain or sub-domain. Additionally, modify the IP address & port in proxy_pass if the app is not hosted locally.
      # Redirect all plain-HTTP requests to HTTPS.
      server {
          listen 80;
          server_name <domain name>;
          return 301 https://$server_name$request_uri;
      }
      server {
          listen 443 ssl http2;
          server_name <domain name>;
          client_max_body_size 100m;
          client_body_timeout 120s;
          sendfile off;
          # Certificate and key issued by certbot in a later step.
          ssl_certificate /etc/letsencrypt/live/<domain name>/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/<domain name>/privkey.pem;
          ssl_session_cache shared:SSL:10m;
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
          ssl_prefer_server_ciphers on;
          # Security response headers. Browsers that support CSP frame-ancestors
          # apply it in preference to X-Frame-Options.
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Robots-Tag none;
          add_header Content-Security-Policy "frame-ancestors 'self'";
          add_header X-Frame-Options DENY;
          add_header Referrer-Policy same-origin;
          location / {
              proxy_pass http://localhost:3000;
              # Send the client address seen by NGINX; this overwrites any
              # X-Forwarded-For value supplied by the client.
              proxy_set_header X-Forwarded-For $remote_addr;
              # HTTP/1.1 plus Upgrade/Connection headers allow WebSocket upgrades.
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection 'upgrade';
              proxy_set_header Host $host;
              proxy_cache_bypass $http_upgrade;
          }
      }
- Save & exit the file by typing CTRL + X -> Y -> ENTER.
- To activate the new configuration, we'll need to create a symbolic link from the available sites directory to the enabled sites directory; this tells NGINX where to find the active configuration for our domain:
      ln -s /etc/nginx/sites-available/<domain name>.conf /etc/nginx/sites-enabled/<domain name>.conf
- We'll issue an SSL certificate; however, we'll need to first stop NGINX:
      systemctl stop nginx
  Afterwards, we'll issue the SSL certificate:
      certbot certonly -d <domain name>
  If there's another process using port 80 that's preventing you from issuing an SSL certificate, you could terminate the process:
      fuser -k 80/tcp
- You will be prompted with a few options for how to authenticate when issuing a certificate; make sure you select "Spin up a temporary website server" (this is usually option one), then enter your email address.
- Any errors during the issuance of the SSL certificate should be displayed for you to resolve. Once you have completed the above, restart the NGINX service:
      systemctl restart nginx
We have successfully set up & configured an NGINX Reverse Proxy.
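
The placeholder substitution from the "Paste the following content" step can be scripted so that only a syntactically valid hostname is ever written into the NGINX file. This is an added example, not part of the original guide; the function names valid_hostname, render_site_conf and sample_template are hypothetical, and the template is a constructed excerpt of the configuration above.

```shell
#!/bin/sh
# Added example (not from the guide): fill "<domain name>" in a site template.
# valid_hostname, render_site_conf and sample_template are hypothetical names.

# Succeeds only for a DNS hostname: labels of letters, digits and hyphens,
# 1-63 characters each, no leading or trailing hyphen, 253 characters total.
# The body runs in a subshell so the LC_ALL and IFS changes do not leak out.
valid_hostname() (
    LC_ALL=C
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || exit 1
    case $name in
        # Anything outside the hostname alphabet (space, ';', '{', '/') or
        # an empty label would alter the NGINX directives it is pasted into.
        *[!A-Za-z0-9.-]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    for label in $name; do
        case $label in -*|*-) exit 1 ;; esac
        [ "${#label}" -le 63 ] || exit 1
    done
    exit 0
)

# Reads a template on stdin and prints it with every placeholder replaced.
render_site_conf() {
    valid_hostname "$1" || { echo "refusing invalid domain: $1" >&2; return 1; }
    # Safe as a sed replacement: validated input has no '/', '&' or '\'.
    sed "s/<domain name>/$1/g"
}

# Constructed excerpt of the guide's configuration, used as sample input.
sample_template() {
    cat <<'EOF'
server {
    listen 80;
    server_name <domain name>;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name <domain name>;
    ssl_certificate /etc/letsencrypt/live/<domain name>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain name>/privkey.pem;
}
EOF
}

sample_template | render_site_conf example.com
```

To use it with the full configuration, pass the guide's template on stdin and redirect the output to the file under /etc/nginx/sites-available/.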