DEV Community

Shakhzhakhan Maxudbek

Posted on • Originally published at args.tech

Setup Nginx reverse proxy and force redirect HTTP to HTTPS

Nginx is a very powerful web server. Its primary job is answering client requests. It can serve HTML, PHP and static files (CSS, JS, images, etc.). Nginx can also be configured as a load balancer. This tutorial explains how to configure Nginx as a frontend for your web-based application (reverse proxy) and force redirects from HTTP to HTTPS (HSTS - HTTP Strict Transport Security technology).

Install Nginx with the Advanced Packaging Tool (APT) package manager:

sudo apt install nginx -y

Firewall configuration. If UFW is enabled, create a rule that allows all Nginx listening ports:

sudo ufw allow 'Nginx Full'

Generate a self-signed SSL certificate and key with OpenSSL:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Certificate and key generation output:

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Configuring Nginx. Add the Nginx configuration for your application to the file /etc/nginx/sites-available/your-project.com:

server {
    # This block redirects HTTP to HTTPS.
    # When Nginx receives a client request on port 80 over HTTP,
    # the connection is redirected to HTTPS.
    listen 80;
    server_name your-project.com www.your-project.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name your-project.com www.your-project.com;

    # Certificate and key paths:
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    # Reverse proxy to the application
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:8000;
    }
}

Create a symlink for the configuration file:

sudo ln -s /etc/nginx/sites-available/your-project.com /etc/nginx/sites-enabled

Test the newly created configuration:

sudo nginx -t

The test output reports the result. If the configuration contains no errors, the result must be OK:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx to apply the new configuration:

sudo systemctl restart nginx

Testing in the browser. The first time you open a URL served with a self-signed certificate, you get a "Privacy error" message. Example for Chromium:

Your connection is not private
Attackers might be trying to steal your information from your-project.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID

Click the "Advanced" button, then open the "Proceed to your-project.com (unsafe)" link.
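
The port-80 `server` block in the configuration above only redirects; HSTS takes effect when the HTTPS response also carries a `Strict-Transport-Security` header, which that configuration does not set. The POSIX shell check below is an added example, not part of the original article: it audits a site file for both, run here on two constructed samples (the tutorial's configuration and a variant with the header added). The function names, finding labels and the one-year `max-age` are assumptions.

```sh
# Added example: audit an nginx site file (read from stdin) for the HTTP-to-HTTPS
# redirect and the HSTS header. Prints one finding per line, nothing if all pass.
audit_site() {
    # Naive comment stripping, so a commented-out directive does not count.
    audit_conf=$(sed 's/#.*//')
    printf '%s\n' "$audit_conf" |
        grep -Eq 'return[[:space:]]+30[18][[:space:]]+https://' ||
        echo "no-https-redirect"
    audit_hsts=$(printf '%s\n' "$audit_conf" |
        grep -E 'add_header[[:space:]]+Strict-Transport-Security' || true)
    if [ -z "$audit_hsts" ]; then
        echo "no-hsts-header"
        return 0
    fi
    audit_age=$(printf '%s\n' "$audit_hsts" |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    # max-age=0 makes browsers drop the HSTS policy for the host.
    [ "${audit_age:-0}" -gt 0 ] || echo "hsts-max-age-zero-or-missing"
    # Without "always", nginx leaves the header off 4xx/5xx responses.
    printf '%s\n' "$audit_hsts" | grep -Eq '[[:space:]]always[[:space:]]*;' ||
        echo "hsts-missing-always"
    return 0
}

# Constructed sample 1: the tutorial's configuration, comments removed.
tutorial_conf() {
    cat <<'EOF'
server {
    listen 80;
    server_name your-project.com www.your-project.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name your-project.com www.your-project.com;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    location / { proxy_pass http://localhost:8000; }
}
EOF
}

# Constructed sample 2: same file plus an HSTS header (one-year max-age assumed).
hardened_conf() {
    tutorial_conf | awk '{ print }
        /ssl_certificate_key/ { print "    add_header Strict-Transport-Security \"max-age=31536000\" always;" }'
}

tutorial_conf | audit_site    # prints: no-hsts-header
```

Browsers ignore this header on a connection with certificate errors, so with the self-signed certificate it takes effect only after a trusted certificate is installed; from then on the "Proceed (unsafe)" click-through is no longer offered for the host.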
