A quick guide on how to enable HTTPS with Nginx, Certbot and Let's Encrypt on a reverse proxy. My stack usually looks like this: a bunch of apps running in Docker on localhost through various ports. Nginx runs on the machine and just reverse-proxies my domains to those different ports.

Let's say you have an app running on localhost:5555 and you want it reachable at myexample.com over HTTPS.

Nginx

First, in case it’s not already done, we’ll set up Nginx from scratch.

Install:

sudo apt-get update
sudo apt-get install nginx

Start:

sudo service nginx start

Check status:

sudo service nginx status

Certbot

Install Certbot from scratch. The ppa:certbot/certbot PPA and the python-certbot-nginx package date from the Python 2 era and the PPA is no longer maintained; on a current Ubuntu or Debian the Nginx plugin is in the main repositories, so skip the PPA:

sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx

On an older release the original route was:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Adding a simple reverse proxy

Each proxied domain gets its own server block. On Debian/Ubuntu the main nginx.conf includes every file in /etc/nginx/sites-enabled, so the simplest way is to add a .conf file there (the packaging convention is to write it to /etc/nginx/sites-available and symlink it into sites-enabled, which makes disabling a site a matter of removing the link).

In the configuration directory:

cd /etc/nginx/sites-enabled

Add a config file with the domain name:

sudo nano myexample.com.conf

With the following contents:

server {

    listen 80;
    listen [::]:80;
    server_name    myexample.com;  # <<< edit this part

    location / {

        proxy_pass_header    Authorization;  # optional: only matters for response headers Nginx hides by default
        proxy_pass           http://localhost:5555;  # <<< and this part
        proxy_set_header     Host $host;
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto $scheme;  # lets the app know the client used HTTPS
        proxy_http_version   1.1;
        proxy_set_header     Connection "";  # keep-alive to the backend (goes with HTTP/1.1)
        proxy_buffering      off;
        client_max_body_size 0;  # 0 disables the upload size limit; set a real cap unless the app needs it
        proxy_read_timeout   36000s;  # 10 hours, for very long responses; shorten if not needed
        proxy_redirect       off;

    }

}

(By the way, if this is a fresh Nginx install, it comes with a default virtual host that should be disabled, otherwise it catches requests for names no other server block claims:)

sudo unlink /etc/nginx/sites-enabled/default

It should be running at this point, though without HTTPS so far. After checking the syntax (sudo nginx -t) and reloading Nginx (sudo service nginx reload), any app that's running on localhost:5555 is now reachable from myexample.com, provided that DNS already points at this machine. Keep the plain-HTTP block: the next step uses it to prove you control the domain, so port 80 must be reachable from the Internet. One thing to check on the Docker side: docker run -p 5555:5555 publishes the port on every interface, so the app is also reachable directly, bypassing the proxy and TLS. Publish it as -p 127.0.0.1:5555:5555 so only Nginx can reach it.

Generating the certificate

sudo certbot --nginx -d myexample.com

Certbot finds the server block whose server_name matches, proves control of the domain with an HTTP-01 challenge served through that block, stores the certificate and key under /etc/letsencrypt/live/myexample.com/, and rewrites myexample.com.conf with a listen 443 ssl block pointing at them. When asked whether to redirect, choose option 2 (Redirect): the plain-HTTP block then becomes a 301 to HTTPS. The non-interactive equivalent of that choice is the --redirect flag. Certbot reloads Nginx itself when it finishes.

Applying settings

Any time you edit the configuration by hand, check the syntax first; a broken file would otherwise take down every site on the reload:

sudo nginx -t

Reload Nginx (a reload re-reads the config without dropping open connections, so no restart is needed):

sudo service nginx reload
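The steps from "Adding a simple reverse proxy" through "Applying settings", collected into one script. This is an added example, not code from the original post: it assumes the Debian/Ubuntu layout under /etc/nginx (sites-available/ plus sites-enabled/, overridable through NGINX_ROOT for testing), proxies to 127.0.0.1 instead of localhost, adds X-Forwarded-Proto, and, because the domain and port end up inside a config file, refuses arguments that are not a plain hostname and a TCP port so that a stray ';' or newline cannot turn into extra Nginx directives. The optional --cert argument runs the same certbot command as the guide.

```sh
#!/bin/sh
# add-proxy-site.sh: write, enable and validate an Nginx reverse-proxy vhost,
# then optionally request the certificate.
# Usage: sudo ./add-proxy-site.sh myexample.com 5555 [--cert]
# Assumed layout under NGINX_ROOT (default /etc/nginx): sites-available/ for
# the file, sites-enabled/ for the symlink that nginx.conf includes.
set -eu
NGINX_ROOT="${NGINX_ROOT:-/etc/nginx}"

# Both arguments are interpolated into a config file, so accept only a
# hostname (letters, digits, '.', '-', not starting or ending with '.' or '-')
# and a port in 1..65535. Anything else, including ';' or a newline, is refused.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|[!A-Za-z0-9]*|*[!A-Za-z0-9]) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the server block for one domain -> 127.0.0.1:port. Plain HTTP only:
# certbot --nginx adds the 443 block and the redirect afterwards.
# 127.0.0.1 rather than localhost avoids a ::1 attempt when the app binds
# IPv4 only; X-Forwarded-Proto lets the app build https:// URLs once TLS is on.
render_vhost() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;

    location / {
        proxy_pass           http://127.0.0.1:$2;
        proxy_http_version   1.1;
        proxy_set_header     Host \$host;
        proxy_set_header     X-Real-IP \$remote_addr;
        proxy_set_header     X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto \$scheme;
        proxy_set_header     Connection "";
        proxy_buffering      off;
        proxy_redirect       off;
        client_max_body_size 64m;
        proxy_read_timeout   300s;
    }
}
EOF
}

add_proxy_site() {
    valid_domain "$1" || { echo "refusing domain: $1" >&2; return 1; }
    valid_port "$2"   || { echo "refusing port: $2" >&2; return 1; }
    avail="$NGINX_ROOT/sites-available/$1.conf"
    mkdir -p "$NGINX_ROOT/sites-available" "$NGINX_ROOT/sites-enabled"
    render_vhost "$1" "$2" > "$avail"
    ln -sfn "$avail" "$NGINX_ROOT/sites-enabled/$1.conf"
    # Syntax-check and reload only against the real install; with an
    # overridden NGINX_ROOT (e.g. in a test) there is nothing to reload.
    if [ "$NGINX_ROOT" = /etc/nginx ] && command -v nginx >/dev/null 2>&1; then
        nginx -t && nginx -s reload
    fi
}

if [ "$#" -ge 2 ]; then
    add_proxy_site "$1" "$2"
    # --redirect is the non-interactive equivalent of option 2 at the prompt.
    if [ "${3:-}" = --cert ]; then
        certbot --nginx --redirect -d "$1"
    fi
fi
```

The upload cap (64m) and read timeout (300s) are deliberate, smaller defaults than the unlimited body size and 10-hour timeout in the hand-written config above; raise them per site if an app really streams for hours.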

Renewal

Renew every certificate known to Certbot that is within 30 days of expiry, and reload Nginx afterwards so it picks up the new files. --renew-hook is the old name of the option; it is now --deploy-hook and runs only when a certificate was actually renewed:

sudo certbot renew --deploy-hook "service nginx reload"

Without a reload Nginx keeps serving the old certificate it loaded at start-up until it expires. If you would rather not rely on the flag being passed every time (the packaged cron job runs a bare certbot -q renew), put the reload in an executable script under /etc/letsencrypt/renewal-hooks/deploy/; Certbot runs everything in that directory after each successful renewal.

Test renewals. With --dry-run Certbot talks to the Let's Encrypt staging environment and does not store the resulting certificates:

sudo certbot renew --dry-run

Force an early renewal (the flag is --force-renewal). Do this sparingly: Let's Encrypt rate-limits duplicate certificates for the same set of names:

sudo certbot renew --force-renewal --deploy-hook "service nginx reload"

Auto-renewing with crontab

This part is optional, since the Debian/Ubuntu package already installs /etc/cron.d/certbot (and a certbot.timer systemd unit, which takes over on systemd machines) to run certbot -q renew twice a day. Check that the timer is active with:

systemctl status certbot.timer

If you do want your own job, note that crontab -e edits a per-user crontab, whose lines have no user field; the six-field form with root in it is the /etc/cron.d format, and in a user crontab root would be read as the command. So either open root's crontab:

sudo crontab -e

and add (twice a day, as Let's Encrypt recommends; Certbot only contacts the CA when a certificate is within 30 days of expiry):

0 */12 * * *    certbot -q renew --deploy-hook "service nginx reload"

or create a file in /etc/cron.d, where the user field belongs:

0 */12 * * *    root    certbot -q renew --deploy-hook "service nginx reload"
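A deploy hook script serving the Renewal and Auto-renewing sections above. This is an added example, not part of the original post or of Certbot: it assumes the standard hook directory /etc/letsencrypt/renewal-hooks/deploy/, the RENEWED_LINEAGE and RENEWED_DOMAINS variables Certbot exports to deploy hooks, and GNU date for the expiry arithmetic. Unlike a bare service nginx reload it runs nginx -t first, so a vhost left half-edited cannot be pushed live by an unattended renewal, and it logs how long the new certificate is good for.

```sh
#!/bin/sh
# reload-nginx.sh: certbot deploy hook. Install as
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (mode 0755) and every
# `certbot renew`, including the packaged cron job / systemd timer, runs it
# after a certificate has actually been replaced.
set -eu

# Reload only if the config passes the syntax check: a half-edited vhost
# must not take every site down in the middle of an unattended renewal.
nginx_safe_reload() {
    if ! nginx -t >/dev/null 2>&1; then
        echo "nginx -t failed; leaving the running config in place" >&2
        return 1
    fi
    nginx -s reload
}

# Whole days until the PEM certificate in $1 expires (GNU date assumed).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate)   # prints notAfter=<date>
    end_s=$(date -u -d "${end#notAfter=}" +%s)
    echo $(( (end_s - $(date -u +%s)) / 86400 ))
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/myexample.com)
# and RENEWED_DOMAINS to deploy hooks; when they are absent we were run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    echo "certbot renewed ${RENEWED_DOMAINS:-?}: $(cert_days_left "$RENEWED_LINEAGE/cert.pem") days left" >&2
    nginx_safe_reload
fi
```

Certbot runs deploy hooks as root with the new files already in place under the lineage directory, so the hook only has to validate and reload; its stderr ends up in /var/log/letsencrypt/letsencrypt.log, which is where to look when a site keeps serving an expired certificate after a renewal.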

References