Reverse Proxy with Nginx: Configure HTTPS and One or More Virtual Hosts

Introduction

In modern infrastructure design, a reverse proxy sits between clients and application servers to distribute requests, enhance security, and simplify SSL/TLS termination. Nginx is a popular choice for this role due to its lightweight footprint and high performance.

This article offers a step-by-step guide to:

  • Installing Nginx
  • Configuring one or more virtual hosts (server blocks)
  • Enabling HTTPS via Let's Encrypt (ACME protocol)
  • Optimizing security and performance

Prerequisites

  • A Linux server (Debian/Ubuntu/CentOS/etc.) with root or sudo access
  • Proper DNS A/AAAA records pointing to your server's IP
  • Domain names for each virtual host
  • Ports 80 and 443 open in the firewall
  • Optional: Using OpenVPN or WireGuard for secure remote management

1. Installing Nginx

On Debian/Ubuntu:

sudo apt update
sudo apt install nginx -y
    

On CentOS/RHEL:

sudo yum install epel-release -y
sudo yum install nginx -y
    

Start and enable:

sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl status nginx
    

2. Basic Nginx Reverse Proxy Configuration

Create a server block file under /etc/nginx/sites-available/ (Debian/Ubuntu) or /etc/nginx/conf.d/ (CentOS/RHEL).

server {
    listen 80;
    server_name example.com www.example.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        # Pass the original host, client address and scheme to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
    

Enable and test:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
    

3. Securing with HTTPS (Let's Encrypt)

Install Certbot (ACME client):

sudo apt install certbot python3-certbot-nginx -y         # Debian/Ubuntu
sudo yum install certbot python2-certbot-nginx -y         # CentOS/RHEL
    

Obtain and auto-configure certificates:

sudo certbot --nginx -d example.com -d www.example.com
    

This integrates SSL directives into the Nginx server block, including automatic HTTP→HTTPS redirection.

Manual SSL Block Example

# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# TLS-terminating reverse proxy
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;
        # header forwarding...
    }
}
    

4. Configuring Multiple Virtual Hosts

For each domain or subdomain, create separate server blocks:

  • app1.example.com → backend port 3001
  • app2.example.com → backend port 3002

# /etc/nginx/sites-available/app1.conf
server {
    listen 80;
    server_name app1.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name app1.example.com;

    ssl_certificate /etc/letsencrypt/live/app1.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app1.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    location / {
        proxy_pass http://127.0.0.1:3001;
    }
}

# /etc/nginx/sites-available/app2.conf
# similar structure with port 3002 and app2.example.com
    

Enable both and reload Nginx:

sudo ln -s /etc/nginx/sites-available/app1.conf /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/app2.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
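
With several virtual hosts on one address, a request whose Host header or TLS SNI matches none of the server_name values is handled by the default server, which is the first server block loaded for that port unless one is marked default_server; in the setup above that request would be proxied to one of the apps. The catch-all below is an added example, not part of the original article; the file name 00-default.conf is an assumption, and ssl_reject_handshake requires nginx 1.19.4 or later.

```nginx
# /etc/nginx/sites-available/00-default.conf  (assumed file name)
# Catch-all for requests that match no configured virtual host.

server {
    listen 80 default_server;
    server_name _;          # never matches a real hostname
    # 444 is nginx-specific: close the connection without sending a response
    return 444;
}

server {
    listen 443 ssl http2 default_server;
    server_name _;
    # Abort the TLS handshake for unknown SNI names. No certificate is
    # configured here, so none is disclosed to clients probing the IP.
    ssl_reject_handshake on;
}
```

Enable it the same way as the other server blocks; app1.example.com and app2.example.com keep matching their own blocks by name.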
    

5. Advanced Security Headers

Implement best practices:

  • add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  • add_header X-Frame-Options SAMEORIGIN;
  • add_header X-Content-Type-Options nosniff;
  • add_header Referrer-Policy no-referrer-when-downgrade;

6. Performance Optimizations

  • gzip compression
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

  • Caching static assets
    location ~ \.(jpg|jpeg|png|gif|css|js|svg|woff2)$ {
        expires 30d;
        add_header Cache-Control "public, no-transform";
    }

  • HTTP/2 enabled with listen 443 ssl http2.
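
Sections 5 and 6 interact: nginx inherits add_header directives from the enclosing level only when the current level defines none, so the add_header Cache-Control line in the static-asset location discards every security header set at server level. The fragments below are an added example, not part of the original article; the snippet path /etc/nginx/snippets/security-headers.conf is an assumed name.

```nginx
# ---- /etc/nginx/snippets/security-headers.conf (assumed path) ----
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy no-referrer-when-downgrade;

# ---- BEFORE: static assets are served without the security headers ----
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    include /etc/nginx/snippets/security-headers.conf;

    location / {
        proxy_pass http://127.0.0.1:3000;   # inherits the four headers
    }

    location ~ \.(jpg|jpeg|png|gif|css|js|svg|woff2)$ {
        expires 30d;
        # A single add_header at this level discards all inherited ones,
        # so HSTS, nosniff and the rest are missing on these responses.
        add_header Cache-Control "public, no-transform";
    }
}

# ---- AFTER: replace that location with this one ----
    location ~ \.(jpg|jpeg|png|gif|css|js|svg|woff2)$ {
        expires 30d;
        # Re-declare the security headers next to the local add_header
        include /etc/nginx/snippets/security-headers.conf;
        add_header Cache-Control "public, no-transform";
    }
```

After reloading, compare the response headers of an asset URL and a page URL (for example with curl -sI) to confirm that Strict-Transport-Security appears on both.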

7. Certificate Renewal

Certbot sets up a cron or systemd timer:

# Dry run:
sudo certbot renew --dry-run
    

Ensure systemctl reload nginx is invoked post-renewal for seamless updates.

Comparison of Certificate Authorities

Provider | Cost | Automation
Let’s Encrypt | Free | Certbot
Commercial CA |  | Varies

Conclusion

By leveraging Nginx as a reverse proxy with HTTPS and multiple virtual hosts, you gain:

  • Centralized SSL/TLS termination
  • Improved security and HTTP header control
  • Scalable load distribution
  • Seamless certificate renewal

Implementing the recommendations and examples in this guide will ensure a robust, secure, and maintainable reverse proxy environment.
