NGINX Reverse Proxy Setup and SSL Configuration

Emmanuel Nwanochie edited this page Jul 20, 2024 · 1 revision

NGINX Configuration

In this section, we will set up NGINX as a reverse proxy for the application and configure SSL to secure the connection using Let's Encrypt. This ensures that the application is accessible through a domain name and that all communications are encrypted. The page explains, step by step, the NGINX configuration used to route requests to different backend services based on the environment (production, development, staging).

Upstream Services

The upstream blocks define the backend server for each environment. Each HTTPS server block then refers to its backend by upstream name in proxy_pass, which is how NGINX knows where to send requests.

# Define upstream services
upstream app {
    server localhost:7001;  # Production backend server
}

upstream app_dev {
    server localhost:7002;  # Development backend server
}

upstream app_staging {
    server localhost:7003;  # Staging backend server
}

HTTP to HTTPS Redirection

To ensure secure communication, HTTP requests are redirected to HTTPS. Each environment has an HTTP server block to handle this.

Production Environment HTTP Redirection

# Redirect HTTP to HTTPS for api-python.boilerplate.hng.tech
server {
    listen 80;  
    server_name api-python.boilerplate.hng.tech;  
    return 301 https://$host$request_uri;  
}

This server block ensures that all HTTP traffic reaching the server (port 80) for the domain api-python.boilerplate.hng.tech gets redirected to the HTTPS version.

  • listen 80: This directive specifies that the server listens on port 80, the standard HTTP port.
  • server_name: This directive defines the hostname that this server block applies to.
  • return 301: This directive instructs NGINX to send a permanent redirect (status code 301) to the equivalent HTTPS URL.
  • $host and $request_uri variables: These variables are used to construct the new HTTPS URL. For example, a request to http://api-python.boilerplate.hng.tech/path/to/resource would be redirected to https://api-python.boilerplate.hng.tech/path/to/resource.

SSL Configuration with Let's Encrypt

Securing the application with SSL ensures that all communications between the client and server are encrypted. Let's Encrypt provides free SSL certificates and an easy-to-use tool, Certbot, to automate the process.

Setting Up SSL with Let's Encrypt:

1. Install Certbot:

Certbot is a tool that automates the process of obtaining and renewing SSL certificates from Let's Encrypt.

Step 1: Install Certbot and the NGINX plugin:

sudo apt update
sudo apt install certbot python3-certbot-nginx

2. Obtain an SSL Certificate:

Certbot will automatically configure NGINX to use the obtained SSL certificate.

Step 1: Run Certbot and follow the prompts to obtain and install the certificate:

sudo certbot --nginx -d your-domain.com

  • Certbot will ask for your email address and agreement to the terms of service.
  • Certbot will attempt to obtain a certificate for your-domain.com and configure NGINX to use it.

3. Verify SSL Configuration:

Certbot modifies your NGINX configuration to include SSL settings. Verify that the NGINX configuration includes the SSL directives.
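
One way to automate this verification, as an added Python example (not part of the original page or the project's code): it checks that every server block listening with ssl has both certificate directives and that its hostname also has a port-80 block returning a 301 to HTTPS. The names server_blocks and audit and the staging.example.test hostname are assumptions; the parser assumes no braces inside quoted strings.

```python
import re

# Constructed sample: the page's production blocks plus an incomplete placeholder host.
SAMPLE_CONF = """
server {
    listen 80;
    server_name api-python.boilerplate.hng.tech;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name api-python.boilerplate.hng.tech;
    ssl_certificate /etc/letsencrypt/live/api-python.boilerplate.hng.tech/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api-python.boilerplate.hng.tech/privkey.pem;
}
server {
    listen 443 ssl;
    server_name staging.example.test;  # no certificate, no port-80 redirect
}
"""

def server_blocks(conf):
    """Yield {directive: [values]} for each server { ... } block."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, end = 1, m.end()
        while depth and end < len(conf):  # scan to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[end], 0)
            end += 1
        block = {}
        for name, value in re.findall(r"(\w+)\s+([^;{}]+);", conf[m.end():end]):
            values = value.split() if name == "server_name" else [value.strip()]
            block.setdefault(name, []).extend(values)
        yield block

def audit(conf):
    """Return findings; an empty list means every HTTPS host passed."""
    blocks = list(server_blocks(conf))
    redirected = {n for b in blocks for n in b.get("server_name", [])
                  if any(v.split()[0].rsplit(":", 1)[-1] == "80" for v in b.get("listen", []))
                  and any(r.startswith("301 https://") for r in b.get("return", []))}
    findings = []
    for b in blocks:
        if any("ssl" in v.split() for v in b.get("listen", [])):
            for name in b.get("server_name", ["<unnamed>"]):
                findings += [f"{name}: missing {d}" for d in ("ssl_certificate", "ssl_certificate_key") if d not in b]
                if name not in redirected:
                    findings.append(f"{name}: no port-80 redirect to HTTPS")
    return findings
```

Calling audit(SAMPLE_CONF) reports three findings, all for the placeholder host; the production blocks from this page pass.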

HTTPS Server Blocks

These server blocks handle secure (HTTPS) requests and send them to the appropriate upstream server. Each environment has its own server block with SSL certificates and proxy settings.

Production Environment

# HTTPS server for api-python.boilerplate.hng.tech
server {
    listen 443 ssl;  
    server_name api-python.boilerplate.hng.tech;  

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/api-python.boilerplate.hng.tech/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api-python.boilerplate.hng.tech/privkey.pem;

    location / {
        # Set proxy headers
        proxy_set_header Host $host;  # Forward the original Host header
        proxy_set_header X-Real-IP $remote_addr;  # Forward the real client IP address
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # Forward client IP address through proxies
        proxy_set_header X-Forwarded-Proto $scheme;  # Forward the original request scheme (HTTP or HTTPS)

        proxy_pass http://app;  # Send requests to the production backend server
    }
}

HTTPS Configuration

  • listen 443 ssl: This directive specifies that the server listens on port 443, the standard HTTPS port. The ssl keyword enables SSL encryption for secure communication.
  • server_name: This directive defines the hostname that this server block applies to.
  • ssl_certificate and ssl_certificate_key: These directives specify the paths to the SSL certificate and its private key, respectively.

Proxy Configuration

  • location /: This block applies to all requests (/) received by this server.
  • proxy_set_header directives: These directives configure headers that are added to the request before it's forwarded to the backend server.
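
How a backend behind this proxy can read X-Forwarded-For safely, as an added Python example (not part of the original page or the project's code): $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For value the client sent, so only the rightmost entry is written by NGINX. The function name client_ip and the TRUSTED_PROXIES list are assumptions, based on the upstreams above being on localhost.

```python
import ipaddress

# Assumption: the only proxy in front of the backend is the NGINX instance
# from this page, which connects over loopback (upstream is localhost:7001).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, x_forwarded_for):
    """Return the client address the backend should log or rate-limit on.

    peer_addr: address of the TCP peer that connected to the backend.
    x_forwarded_for: raw header value, or None if the header is absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A connection that did not come through NGINX gets no say via headers.
    if not _is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    # Walk right to left: the rightmost entry was appended by NGINX from
    # $remote_addr; everything to its left was supplied by the client.
    for raw in reversed(x_forwarded_for.split(",")):
        try:
            hop = ipaddress.ip_address(raw.strip())
        except ValueError:
            break  # malformed entry: stop trusting the chain here
        if not _is_trusted(hop):
            return str(hop)
    return str(peer)


if __name__ == "__main__":
    # Constructed header: the client sent "10.0.0.1", NGINX appended the real peer.
    print(client_ip("127.0.0.1", "10.0.0.1, 198.51.100.23"))
```

With this configuration the X-Real-IP header carries the same $remote_addr value and is overwritten by NGINX on every request, so it can be used instead when NGINX is the only hop.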