
Setting up a Reverse Proxy Server with SSL Certificate using Nginx

Installing Nginx on the Host Machine

1. Install Nginx

sudo apt update && sudo apt install nginx -y

2. Configuring the Reverse Proxy Server

Create a configuration file (for example, /etc/nginx/sites-available/example_gitflic) and add or modify the server section:

server {
    listen 80;
    server_name example_gitflic.ru;

    location / {
        proxy_pass http://127.0.0.1:8080;  # Proxy to internal server
        proxy_send_timeout 3600s;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Ssl "ON";
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_redirect off;
        proxy_buffering off;
        proxy_http_version 1.1;
    }
}

3. Obtaining an SSL Certificate

Getting a Certificate with Let's Encrypt (Certbot)

To obtain an SSL certificate, you can use Let's Encrypt via the Certbot utility:

sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d example_gitflic.ru

Connecting a Self-Signed Certificate

Copy the certificate and its key to the server, for example the certificate to /etc/ssl/certs/ and the key to /etc/ssl/private/. Then add the following lines to the Nginx configuration described in step 2.

Add to the server block:

listen 443 ssl;
ssl_certificate /etc/ssl/certs/example_gitflic.ru.crt;
ssl_certificate_key /etc/ssl/private/example_gitflic.ru.key;

4. Redirecting HTTP -> HTTPS

To redirect HTTP traffic to HTTPS when using a self-signed certificate, add the following block to the Nginx configuration described in step 2:

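# Redirect-only server for plain HTTP. It must be the only server block that
# listens on port 80 for this server_name: Nginx ignores a duplicate and logs
# a "conflicting server name" warning.
server {
    # Send requests for the expected host name to HTTPS
    if ($host = example_gitflic.ru) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name example_gitflic.ru;
    # Any other Host header gets 404
    return 404;
}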

5. Activating the Configuration

sudo ln -s /etc/nginx/sites-available/example_gitflic /etc/nginx/sites-enabled/
sudo nginx -t
sudo nginx -s reload

6. Access

The application will be available at: https://example_gitflic.ru


Using Nginx in Docker

Follow these instructions if GitFlic is deployed in Docker.

1. Adding the Service

Add the Nginx service to docker-compose.yml:

  nginx:
    container_name: nginx
    image: nginx:latest
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/cert:/etc/nginx/cert:ro
    ports:
      - "443:443"
    depends_on:
      - gitflic
    networks:
      - git_net

2. Creating a Directory for Certificates and Configuration

Create an nginx directory next to the docker-compose.yml file for certificates and configuration.

3. Configuration

In the root of the nginx directory, create a configuration file nginx.conf.

Example configuration:

# Nginx does not start without an events section in the main configuration file
events {}

http {
    server {
        listen 443 ssl;
        server_name example_gitflic.ru;

        ssl_certificate /etc/nginx/cert/example_gitflic.ru.crt;
        ssl_certificate_key /etc/nginx/cert/example_gitflic.ru.key;

        location / {
            proxy_pass http://gitflic:8080;
            proxy_send_timeout 3600s;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Ssl "ON";
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_redirect off;
            proxy_buffering off;
            proxy_http_version 1.1;
        }
    }

    server {
        if ($host = example_gitflic.ru) {
            return 301 https://$host$request_uri;
        }
        listen 80;
        server_name example_gitflic.ru;
        return 404;
    }
}

Please note

Make sure the host name gitflic (used in proxy_pass) matches the name of the container or service in docker-compose.yml, and that both containers are on the same network (git_net).

4. Placing Certificates

Place your certificates in the ./nginx/cert/ directory.

5. Launch

docker-compose up -d

6. Verification

After starting the containers, open https://example_gitflic.ru in your browser and make sure the application is available.

Configuring Docker Client to Trust the Certificate

By default, Docker clients do not trust self-signed certificates. You need to add your certificates to Docker's trusted certificate store.

1. Creating the Certificate Directory

Create a directory to store Docker's trusted certificates:

sudo mkdir -p /etc/docker/certs.d/example_gitflic.ru

2. Copying the Certificate

Copy your self-signed certificate to the created directory:

sudo cp example_gitflic.ru.crt /etc/docker/certs.d/example_gitflic.ru/ca.crt

3. Restarting Docker

Restart the Docker service to apply the changes:

sudo systemctl restart docker

4. Launch

Since restarting Docker will stop the containers, start them again:

docker-compose up -d
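
Both the self-signed certificate step for Nginx and the Docker trust steps above depend on the same certificate file being usable. The script below is an added example, not part of the original instructions: it checks the certificate and key with the openssl command-line tool before they are put in place. The function name check_cert and its return codes are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original instructions: pre-flight checks for
# a self-signed certificate before Nginx and /etc/docker/certs.d/ use it.
# check_cert and its return codes are names chosen for this example.
# Usage: check_cert CERT KEY HOST   (returns 0 when every check passes)
check_cert() {
    local cert="$1" key="$2" host="$3" cert_pub key_pub san

    # 1. Certificate and private key must carry the same public key,
    #    otherwise Nginx refuses to load the pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2; return 2
    fi

    # 2. Docker is written in Go, whose TLS verification ignores the Common
    #    Name: the certificate needs a DNS entry in subjectAltName.
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null)
    case "$san" in
        *DNS:*) ;;
        *) echo "no DNS entry in subjectAltName" >&2; return 3 ;;
    esac

    # 3. The certificate must cover the name used in server_name and certs.d/.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" |
            grep -q 'does match'; then
        echo "certificate is not valid for $host" >&2; return 4
    fi

    # 4. The certificate must not be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2; return 5
    fi

    # 5. The private key must not be accessible to group or others.
    if [ -n "$(find -L "$key" -perm /077 2>/dev/null)" ]; then
        echo "key file permissions are too open (use chmod 600)" >&2; return 6
    fi
    return 0
}

# Run directly: bash check_cert.sh CERT KEY HOST
if [ "$#" -eq 3 ]; then
    check_cert "$@"
fi
```

Run it against the files from step 3 before `sudo nginx -t`, and again on the machine where the certificate is copied to /etc/docker/certs.d/.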

Automated translation!

This page was translated using automatic translation tools. The text may contain inaccuracies.