Within this guide, we aim to outline and demonstrate how to set up and configure a reverse proxy using NGINX for various applications, including NodeJS-based applications.
1. You will need to make sure the following packages are installed: NGINX (for the web server) and certbot (for the SSL certificate). If they are not installed, you can run the following commands depending on your operating system:
Ubuntu/Debian -
apt install -y nginx certbot
CentOS/Fedora -
yum install epel-release
yum install nginx certbot
OpenSUSE -
zypper install nginx certbot python-certbot python-certbot-nginx
2. You will need to prepare your domain or sub-domain for NGINX. To do this, create an A record within your DNS manager pointing to your server's IPv4 address. Please note that if you are using Cloudflare, make sure the orange cloud is grey before saving.
3. You will now need to move into the directory where the NGINX configuration file is created. To do this, make sure you are connected to your server via SSH (see our separate guide on how to do this), then execute the command: cd /etc/nginx/sites-available/
4. After you have accessed the correct directory, you will need to make a new file. You can do this by running: nano <domain name>.conf
5. You can now paste the following content into the newly created file. Please change all instances of '<domain name>' to your domain or sub-domain, for example: oxide.host or billing.oxide.host. Also modify the example port (in this case, 3000) and the IP address if the application is not hosted locally.
server {
    listen 80;
    server_name <domain name>;
    # Redirect every plain-HTTP request to the HTTPS server block below
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name <domain name>;

    client_max_body_size 100m;
    client_body_timeout 120s;
    sendfile off;

    # Certificate and key as issued by certbot in step 8
    ssl_certificate /etc/letsencrypt/live/<domain name>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain name>/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;

    # Security headers added to every response
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header X-Frame-Options DENY;
    add_header Referrer-Policy same-origin;

    location / {
        # Hand requests to the application; change the port/IP if it is not local
        proxy_pass http://localhost:3000;
        proxy_set_header X-Forwarded-For $remote_addr;
        # HTTP/1.1 plus the Upgrade/Connection headers let WebSockets pass through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
6. After following the above steps, you will need to save and exit the file. If you used nano as above, this is done via 'CTRL and X', then 'Y', then 'ENTER'.
7. You now need to activate the new configuration. You can do this by running: ln -s /etc/nginx/sites-available/<domain name>.conf /etc/nginx/sites-enabled/<domain name>.conf
8. You will now need to issue an SSL certificate. First, stop the NGINX service via: systemctl stop nginx
Then issue an SSL certificate via the command: certbot certonly -d <domain name>
You may also wish to run the following command to ensure no other web server is listening on port 80, which certbot needs in order to issue the certificate: fuser -k 80/tcp
9. You will be prompted with a few options when issuing a certificate in terms of 'how to authenticate'; select 'Spin up a temporary website server' (this is usually option one), then enter your email address.
10. Any errors with issuing the SSL certificate should be displayed to you to resolve. Once you have completed the above, restart the NGINX service via the command: service nginx restart
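The following script is an added example, not part of the original guide or of any oxide.host tooling. It wraps steps 3 to 10 above into a few shell functions: it validates the domain and port before anything is written (so a stray shell metacharacter or a "../" cannot end up in the generated config or the symlink name), renders the step-5 vhost with the placeholders filled in, enables it, and then runs certbot non-interactively with the same standalone authenticator the prompt in step 9 offers. It assumes the Debian/Ubuntu layout (/etc/nginx/sites-available and sites-enabled; CentOS/Fedora installs normally use /etc/nginx/conf.d instead), that nginx and certbot are already installed (step 1), that DNS already points at this host (step 2), and that the application is listening on a host:port such as localhost:3000. The one directive not in the guide's config is X-Forwarded-Proto, added so the application can tell it is being served over HTTPS. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes Debian/Ubuntu nginx layout,
# nginx + certbot installed, DNS in place, app listening on UPSTREAM (host:port).
set -eu

# valid_domain NAME: succeed only for a plausible hostname (letters, digits, dots,
# hyphens; no leading/trailing dot or hyphen, no empty label). Rejecting anything
# else keeps shell metacharacters and path tricks out of the config and symlink.
valid_domain() {
    case "$1" in
        ''|*[!a-zA-Z0-9.-]*|.*|*.|-*|*-|*..*) return 1 ;;
    esac
    return 0
}

# valid_port N: succeed only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_config DOMAIN UPSTREAM: print the step-5 vhost with placeholders filled.
# X-Forwarded-Proto is the only line that is not in the guide (added here).
render_config() {
    cat <<EOF
server {
    listen 80;
    server_name $1;
    return 301 https://\$server_name\$request_uri;
}
server {
    listen 443 ssl http2;
    server_name $1;
    client_max_body_size 100m;
    client_body_timeout 120s;
    sendfile off;
    ssl_certificate /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header Content-Security-Policy "frame-ancestors 'self'";
    add_header X-Frame-Options DENY;
    add_header Referrer-Policy same-origin;
    location / {
        proxy_pass http://$2;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host \$host;
        proxy_cache_bypass \$http_upgrade;
    }
}
EOF
}

# install_site DOMAIN UPSTREAM [NGINX_ROOT]: steps 3-7. Validates both inputs,
# writes sites-available/DOMAIN.conf, enables it via symlink, prints the path.
# NGINX_ROOT defaults to /etc/nginx; a scratch directory can be passed for tests.
install_site() {
    domain=$1 upstream=$2 root=${3:-/etc/nginx}
    valid_domain "$domain" || { echo "refusing unsafe domain: $domain" >&2; return 1; }
    valid_port "${upstream##*:}" || { echo "bad port in upstream: $upstream" >&2; return 1; }
    mkdir -p "$root/sites-available" "$root/sites-enabled"
    render_config "$domain" "$upstream" > "$root/sites-available/$domain.conf"
    ln -sf "$root/sites-available/$domain.conf" "$root/sites-enabled/$domain.conf"
    printf '%s\n' "$root/sites-available/$domain.conf"
}

# issue_certificate DOMAIN EMAIL: steps 8-10 without prompts. certbot's standalone
# authenticator needs port 80 itself, so nginx is stopped first; nginx -t then
# checks the new vhost (and the freshly issued cert paths) before nginx returns.
issue_certificate() {
    systemctl stop nginx
    certbot certonly --standalone --non-interactive --agree-tos -m "$2" -d "$1"
    nginx -t
    systemctl start nginx
}

# Usage: sh deploy-proxy.sh deploy <domain> <host:port> <email>
# Nothing runs when the file is merely sourced, so the helpers can be tested.
if [ "${1:-}" = "deploy" ] && [ "$#" -eq 4 ]; then
    install_site "$2" "$3"
    issue_certificate "$2" "$4"
fi
```

Running `nginx -t` before the service is started back up is the check worth keeping even if you do the steps by hand: a typo in the vhost otherwise leaves the site down after `service nginx restart`, and the error only appears in the service log.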