Nginx as Reverse Proxy With Upstream SSL

Better Stack Team
Updated on November 23, 2023

A common setup is to have Nginx terminate SSL for clients while also securing the communication between Nginx and the upstream servers. Here's a basic example of how to set up Nginx as a reverse proxy with SSL termination:

  1. Install Nginx: Ensure Nginx is installed on your server.
  2. Configure Nginx as a Reverse Proxy:

    Create or edit the Nginx configuration file for your site (commonly found at /etc/nginx/sites-available/yoursite or /etc/nginx/nginx.conf).

     
    server {
        listen 443 ssl;
        server_name yourdomain.com;
    
        ssl_certificate /path/to/yourdomain.crt;
        ssl_certificate_key /path/to/yourdomain.key;
    
        location / {
            proxy_pass https://your_upstream_server;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    
    
 
- Replace `yourdomain.com` with your actual domain.
- Set the paths to your SSL certificate and private key using `ssl_certificate` and `ssl_certificate_key` directives.
- Replace `https://your_upstream_server` with the URL of your actual upstream server.

  3. Set Up Upstream Server with SSL:

    The upstream server (`your_upstream_server`) should have SSL configured. Modify the Nginx configuration on the upstream server to handle SSL if it's not already set up.

  4. Reload Nginx Configuration:

    After making changes, reload Nginx to apply the new configuration:

     
    sudo systemctl reload nginx
    

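This configuration terminates the client's SSL connection at Nginx, which then opens a separate connection to the upstream server. That connection is encrypted only when `proxy_pass` uses an `https://` URL, as in the example above; with an `http://` URL, the communication between Nginx and the upstream server will be unencrypted, so ensure proper security measures are in place on your local network for that communication. Adjust configurations based on your specific requirements and ensure proper SSL settings, such as SSL protocols and ciphers, for both Nginx and the upstream server.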

Also, ensure that any firewall settings or security configurations allow traffic between Nginx and your upstream server on the specified port.
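
As an added example (not part of the original article), here is the server block from step 2 extended so that Nginx verifies the upstream server's certificate and restricts protocols on both sides. With an `https://` `proxy_pass`, Nginx encrypts the upstream connection, but `proxy_ssl_verify` is off by default, so the upstream certificate is not checked. The hostname `upstream.internal.example`, the CA bundle path and the protocol and cipher choices are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate     /path/to/yourdomain.crt;
    ssl_certificate_key /path/to/yourdomain.key;

    # Client-facing side: allow only current protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # An https:// URL makes Nginx open an SSL connection to the upstream.
        proxy_pass https://upstream.internal.example;   # assumed hostname

        # Weak default: with proxy_ssl_verify off, any certificate presented
        # by the upstream is accepted. Turn verification on.
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;

        # CA bundle that issued the upstream's certificate (assumed path).
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;

        # Send SNI and check the certificate against this name.
        proxy_ssl_server_name on;
        proxy_ssl_name        upstream.internal.example;

        # Upstream-facing side: protocol and cipher restrictions.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers   HIGH:!aNULL:!MD5;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `sudo nginx -t` to check the syntax before reloading. If the upstream certificate does not chain to the trusted bundle or does not match `proxy_ssl_name`, Nginx returns a 502 to the client and logs the verification failure in the error log.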