A reverse proxy is an application that sits in front of back-end applications and forwards client (e.g. browser) requests to those applications. Reverse proxies help increase scalability, performance, resilience, and security. On the other hand, an SSL certificate displays important information for verifying the owner of a website and encrypting web traffic with SSL/TLS, including the public key, the issuer of the certificate, and the associated subdomains. In this article we will explain how to install an NGINX proxy on a Ubuntu Machine (an EC2 AWS in this case) and how to create an SSL certificate with auto-renewal.
Written by:
Àlex López, DevOps Engineer at Nuvolar |
Here are all the steps you need to follow to successfully install a NGINX reverse proxy server and get it running on a EC2 machine with its correspondent SSL Certificate:
1. Create the EC2 Instance:
For this example, an EC2 machine from AWS with an Ubuntu image will be used. The rest of the steps are valid for any other Ubuntu machine.
How to create the machine:
- Log in to your AWS Console, in a region of your selection
- Use the Launch instance wizard to create an instance with these values
- Ubuntu Server 22.04 LTS (HVM), SSD Volume Type AMI
- t2.micro instance type
- Select an existing key pair or create a new one. We will need to SSH to the machine later!
- Create a new security group allowing HTTPS from anywhere and HTTP and SSH traffic only from your IP
- Add 8GiB in a gp2 volume
- Launch the instance and check you can SSH to it using your key from your local terminal. It will be something like:
If you get a ‘Permissions are too open’ error while connecting to the machine you will need to change the permissions of your key pair using:
2. DNS configuration:
Once your EC2 instance is created or you have your Ubuntu machine accessible from the internet, you need to create an A record in the DNS registry of your domain registrar. Some common domain registrars are GoDaddy, AWS, Bluehost, or Hostinger.
In this example, we will use the https://foo.example.com domain name and we will map it to the Public IP given by the EC2 console.
3. Ask for an SSL Certificate with certbot:
An SSL certificate is a bit of code on your web server that provides security for online communications. When a web browser contacts your secured website, the SSL certificate enables an encrypted connection. It’s kind of like sealing a letter in an envelope before sending it through the mail.
To be able to add an SSL certificate to our webserver, we will need to request one from a certificate authority, in this case, Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
We will use certbot to manage the SSL certificates communicating with Let’s Encrypt.
a. Install certbot:
Certbot is a free, open-source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS. Install it using:
b. Install Acme-dns-certbot-joohoi script:
Download the acme-dns-certbot-joohoi python script which allows using DNS Challenge instead of HTTP one. This way, we don’t need to open port 80 to the world.
Modify the interpreter path in the shebang in the script to your python3 path. Check the path with:
Ask for a certificate:
You will be prompted to add a CNAME in your DNS domain registrar. The prompt will be similar to the example below. Go ahead with the wizard:
Once the CNAME has been added, you have to wait for it to be propagated. You can check it with a simple ‘dig’ command. Once propagated press Enter.
Once done, you will have the path of your certificate and your key. Take note of these paths, we will need them later to be added to the server blocks in the NGINX configuration.
4. How to install a NGINX proxy and create a Server Block:
To be able to add HTTPS with an SSL certificate, we need to use a reverse proxy, we will use NGINX.
a. Install NGINX:
NGINX is a web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. This command will install NGINX and enable it as a service in the system.
b. Create a Hello world HTML file:
To test our environment we will add a Hello world HTML file which will say Hello if all is working:
Edit the file /var/www/foo.exmaple.com/html/index.html and add the following content:
c. Create a server block
Create a Server Block, aka Virtual Host, in NGINX. “VirtualHost” is an Apache term. NGINX does not have Virtual hosts, it has “Server Blocks” that use the server_name and listen to directives to bind to TCP sockets.
Create a Server Block in /etc/nginx/sites-available/sonar.nuvolar.eu with this data. Check the comments in the code to understand how it works.
d. Enable the Server Block in NGINX
To have it all working, we need to activate the server blocks. This is done by adding a Symlink in the /etc/nginx/sites-enabled folder to the sites-available folder where we defined the server blocks. Then reload the NGINX configuration.
Now you will be able to access via HTTPS and HTTP your Hello World page at https://foo.example.com. Please note that you will be redirected to the HTTPS version of the page.
5. Auto Renew SSL certificates with certbot
The SSL certificates expire every 3 months and they must be renewed. It is very simple, you can do that with:
But we don’t want to access the machine every 3 months to do that, so we can schedule a cron task to do it for us:
Add this line to the file prompted:
This will trigger the renewal process on day 1 of every month, if the certificate is near its renewal date, it will be renewed and it will be ignored otherwise.
If you want to check, just in case, the renewal log is in /var/log/letsencrypt/letsencrypt.log . Enter day 1 of the month and see the result. You can also check the expiration date of a certificate with this command:
6. Additional Resources
- Install the Server | SonarQube Docs
- Operating the Server | SonarQube Docs
- Install SonarQube on Ubuntu 20.04 LTS
- https://cloudness.net/certbot-dns-challenge/
- GitHub: A plugin for branch analysis and pull request decoration in Sonarqube
- Update: Using Free Let’s Encrypt SSL/TLS Certificates with NGINX – NGINX
- How To Configure Nginx with SSL as a Reverse Proxy for Jenkins | DigitalOcean
- GitHub – joohoi/acme-dns-certbot-joohoi: Certbot client hook for acme-dns
Acerca de Nuvolar:
“Somos una empresa de consultoría, desarrollo e innovación digital dedicada a un único propósito: ¡ayudar a las empresas a adoptar soluciones de software de alta tecnología que les permitan crecer.”