This guide will help you set up SSL with NGINX using Certbot to automatically obtain and configure SSL certificates for your domain.
Important: Before proceeding, ensure that the DNS A record for your domain (e.g., example.domain.com) is correctly set up and propagating. The domain should point to your server's IP address for Certbot to verify and issue the SSL certificate.
| Type | Host | Value | TTL |
|---|---|---|---|
| A | example.domain.com | 192.168.1.100 | 3600 |
As a side note, this was done on Ubuntu 22.

First, ensure that UFW is installed to manage firewall rules on your server.

```bash
sudo apt install ufw
```

Add or remove any specific ports that you may or may not need.

```bash
sudo ufw allow 22/tcp # SSH port
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw reload
sudo ufw status
```

NGINX will act as the reverse proxy for your web application. Install it with the following command:

```bash
sudo apt install nginx
```

The first step is to create a server block configuration for your domain. This is similar to a virtual host configuration in Apache. Create a configuration file for your site:

```bash
sudo nano /etc/nginx/sites-available/example.domain.com
```

```nginx
server {
    listen 80;
    server_name example.domain.com;

    location / {
        proxy_pass http://localhost:5678; # <-- the port or URL you are trying to point to
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
This config sets up the basic reverse proxy. It listens on port 80 (HTTP) for requests to example.domain.com and forwards them to a local application running on port 5678.
Explanation of the proxy headers:
- `proxy_set_header Host $host;` passes the original Host header through to the application.
- `proxy_set_header X-Real-IP $remote_addr;` forwards the real client IP.
- `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the client IP to the X-Forwarded-For chain (creating the header if the request did not already carry one).
- `proxy_set_header X-Forwarded-Proto $scheme;` ensures that the protocol the client used (HTTP or HTTPS) is forwarded.
Save and exit the file.
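The following script is an added example, not part of the original guide: it renders the server block above for any domain and upstream port, and lints a config for the four proxy headers the guide sets. An application that reads X-Forwarded-Proto to decide whether it is behind HTTPS (for secure cookies or redirect loops) fails quietly when the header is missing, which is why the lint treats every one of them as mandatory. The function names, the `REQUIRED_HEADERS` list and the sample incomplete config are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original guide: render the reverse-proxy server
# block for any DOMAIN/PORT pair and lint a config for the proxy headers the
# guide relies on. Function names and REQUIRED_HEADERS are this example's own.

# Headers the guide's server block sets; the lint reports any that is missing.
REQUIRED_HEADERS="Host X-Real-IP X-Forwarded-For X-Forwarded-Proto"

# render_site_config DOMAIN PORT -> prints an NGINX server block on stdout.
# The backslashes keep NGINX's $variables out of shell expansion.
render_site_config() {
    domain="$1"
    port="$2"
    cat <<EOF
server {
    listen 80;
    server_name ${domain};

    location / {
        proxy_pass http://localhost:${port};
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# missing_proxy_headers CONFIG_TEXT -> prints the required headers that no
# proxy_set_header line sets (space separated); exit 0 when none are missing.
missing_proxy_headers() {
    config="$1"
    missing=""
    for header in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$config" |
            grep -Eq "^[[:space:]]*proxy_set_header[[:space:]]+${header}[[:space:]]"; then
            missing="${missing:+$missing }$header"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Constructed sample (not from any real host) of a config that forwards Host
# but none of the X-Forwarded-* headers.
SAMPLE_INCOMPLETE_CONFIG='server {
    listen 80;
    server_name example.domain.com;
    location / {
        proxy_pass http://localhost:5678;
        proxy_set_header Host $host;
    }
}'

# Usage: sh render_site.sh example.domain.com 5678 > /etc/nginx/sites-available/example.domain.com
if [ "$#" -eq 2 ]; then
    render_site_config "$1" "$2"
fi
```

Running the lint against `SAMPLE_INCOMPLETE_CONFIG` prints `X-Real-IP X-Forwarded-For X-Forwarded-Proto` and exits non-zero, while the rendered block passes cleanly; the same check can be pointed at an existing file with `missing_proxy_headers "$(cat /etc/nginx/sites-available/example.domain.com)"` before you run `nginx -t`.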
To enable the site, create a symbolic link in the sites-enabled directory:
```bash
sudo ln -s /etc/nginx/sites-available/example.domain.com /etc/nginx/sites-enabled/
```

This tells NGINX to include the configuration for your domain.

Test the NGINX configuration to ensure there are no errors:

```bash
sudo nginx -t
```

If everything is correct, reload NGINX to apply the changes:

```bash
sudo systemctl reload nginx
```

Now that NGINX is configured, the next step is to secure your site with SSL using Certbot.

Install Certbot and the NGINX plugin (if not installed already), then run Certbot for your domain:

```bash
sudo apt install python3-certbot-nginx
sudo certbot --nginx -d example.domain.com
```

Certbot will prompt you through the setup process, including agreeing to the terms and selecting whether to redirect all HTTP traffic to HTTPS.
What happens during this process:
- Certbot will obtain a free SSL certificate from Let’s Encrypt.
- Certbot will automatically modify your NGINX configuration to enable HTTPS (port 443).
- The NGINX service will be reloaded to apply the changes.
After Certbot finishes, you can test whether SSL is working correctly by visiting your site in a browser:

```
https://example.domain.com
```

If everything is set up correctly, your site should now load securely over HTTPS with a valid SSL certificate.
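A browser visit confirms the happy path; the script below is an added example, not part of the original guide, that checks the same things from the server side: the firewall is active and allows 80 and 443, the config validates, plain HTTP redirects to HTTPS, the certificate is trusted and not about to expire, and a renewal dry run succeeds. The parsing functions take command output as text so they can be exercised on the constructed samples included in the block; `run_live_checks` feeds them the real commands. The function names, the samples, the 14-day expiry window and the certificate path `/etc/letsencrypt/live/DOMAIN/fullchain.pem` (Certbot's usual layout, not stated in the guide) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: post-Certbot checks. Parsing
# functions take command output as text; run_live_checks runs the real commands.
# Function names, samples, the 14-day window and the Certbot certificate path
# are this example's assumptions.

# ufw_allows STATUS_TEXT PORT -> 0 if `ufw status` output shows the firewall
# active and PORT/tcp allowed. Accepts the plain and `verbose` layouts
# ("ALLOW" vs "ALLOW IN"). An inactive firewall fails even if rules exist,
# because `ufw allow` rules are not enforced until `ufw enable` has been run.
ufw_allows() {
    status_text="$1"
    port="$2"
    printf '%s\n' "$status_text" | grep -q '^Status: active' || return 1
    printf '%s\n' "$status_text" |
        grep -Eq "^${port}/tcp[[:space:]]+ALLOW([[:space:]]+IN)?[[:space:]]"
}

# is_https_redirect HEADERS DOMAIN -> 0 if HEADERS (a response head as printed
# by `curl -sI`) is a redirect whose Location is https://DOMAIN or below it.
is_https_redirect() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    domain="$2"
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1) == "location:" { print $2; exit }')
    case "$status" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        "https://${domain}"|"https://${domain}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples (not captured from a real host).
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere'

SAMPLE_REDIRECT_HEADERS='HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html
Location: https://example.domain.com/
Connection: keep-alive'

SAMPLE_PLAIN_HTTP_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html'

# run_live_checks DOMAIN -> runs the real commands on this host; the first
# failing check prints its reason and returns 1.
run_live_checks() {
    domain="$1"
    ufw_status=$(sudo ufw status)
    sudo nginx -t || { echo "FAIL: nginx config does not validate"; return 1; }
    ufw_allows "$ufw_status" 80 || { echo "FAIL: 80/tcp not allowed or UFW inactive"; return 1; }
    ufw_allows "$ufw_status" 443 || { echo "FAIL: 443/tcp not allowed or UFW inactive"; return 1; }
    is_https_redirect "$(curl -sI "http://${domain}/")" "$domain" ||
        { echo "FAIL: http://${domain}/ does not redirect to HTTPS"; return 1; }
    curl -sSf -o /dev/null "https://${domain}/" ||
        { echo "FAIL: HTTPS fetch failed (certificate or upstream problem)"; return 1; }
    # 1209600 s = 14 days; -checkend fails if the certificate expires before then.
    openssl x509 -in "/etc/letsencrypt/live/${domain}/fullchain.pem" -noout -checkend 1209600 ||
        { echo "FAIL: certificate missing or expiring within 14 days"; return 1; }
    sudo certbot renew --dry-run || { echo "FAIL: renewal dry run failed"; return 1; }
    echo "OK: ${domain} firewall, redirect, certificate and renewal all check out"
}

# Usage: sh verify_https.sh example.domain.com
if [ "$#" -eq 1 ]; then
    run_live_checks "$1"
fi
```

The redirect check deliberately does not follow redirects (`curl -sI`, no `-L`), so it tests the first hop NGINX returns rather than wherever the chain eventually ends, and it requires the Location to be on the same domain so a redirect to an unrelated host is reported rather than accepted.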
- You installed UFW, NGINX, and Certbot.
- You configured NGINX to act as a reverse proxy for your domain.
- You used Certbot to automatically secure your site with SSL certificates.
- Your site is now accessible via HTTPS and is secure.