
Nginx Reverse Proxy

A reverse proxy sits in front of your application and forwards requests to it. Nginx is commonly used to handle HTTPS termination and route traffic to services running on local ports.

  • A Debian/Ubuntu server with a public IP
  • A domain name pointing to that IP
  • Ports 80 and 443 open in your firewall

sudo apt update
sudo apt install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx

Create a new config file for your domain:

sudo nano /etc/nginx/sites-available/example.conf

Basic reverse proxy config (replace app.example.com and port 3000 with your own domain and application port):

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable the site and reload:

sudo ln -s /etc/nginx/sites-available/example.conf /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Install Certbot:

sudo apt install -y certbot python3-certbot-nginx

Obtain and install a certificate:

sudo certbot --nginx -d app.example.com

Certbot will modify your config to add HTTPS and redirect HTTP → HTTPS automatically.

Certificates renew automatically via a systemd timer. Test renewal with:

sudo certbot renew --dry-run

| Command | Description |
| --- | --- |
| sudo nginx -t | Test config for syntax errors |
| sudo systemctl reload nginx | Apply config changes without downtime |
| sudo systemctl restart nginx | Full restart |
| sudo tail -f /var/log/nginx/access.log | Watch live access log |
| sudo tail -f /var/log/nginx/error.log | Watch live error log |

Add a separate config file per domain/service under sites-available/, then symlink each one into sites-enabled/. This keeps configs isolated and easy to disable individually.
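
The proxy_set_header lines in the reverse proxy config above decide what the backend can believe about the client address: X-Real-IP is overwritten by Nginx, while $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client sent. The following is an added example, not part of the original page, of how a backend could resolve the client IP under that config; the function names, the lower-case header dict and the Python backend are assumptions for illustration.

```python
import ipaddress

# Assumption: the only trusted hop is the Nginx instance on the same host,
# which reaches the backend over loopback (proxy_pass http://127.0.0.1:3000).
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}


def _parse_ip(value):
    """Return an ip_address object, or None if value is not a bare IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None


def client_ip(peer_addr, headers):
    """Resolve the client address for a request received by the backend.

    peer_addr: address of the TCP peer that connected to the backend.
    headers:   dict of request headers with lower-case names.
    """
    peer = _parse_ip(peer_addr)
    if peer is None:
        raise ValueError("invalid peer address: %r" % (peer_addr,))
    # Request did not come through the proxy: every X-* header is
    # client-controlled, so only the socket address can be believed.
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    # X-Real-IP is overwritten by Nginx with $remote_addr.
    real = _parse_ip(headers.get("x-real-ip", ""))
    if real is not None:
        return str(real)
    # $proxy_add_x_forwarded_for appends $remote_addr to the client's own
    # header, so only the right-most entry was written by Nginx.
    last = _parse_ip(headers.get("x-forwarded-for", "").split(",")[-1])
    return str(last) if last is not None else str(peer)


# Constructed sample: a client at 203.0.113.7 sends its own X-Forwarded-For.
SPOOFED = {
    "x-forwarded-for": "10.0.0.1, 203.0.113.7",
    "x-real-ip": "203.0.113.7",
}

if __name__ == "__main__":
    print(client_ip("127.0.0.1", SPOOFED))     # request relayed by Nginx
    print(client_ip("198.51.100.9", SPOOFED))  # request sent straight to port 3000
```

If the application listens on all interfaces instead of 127.0.0.1, requests can reach port 3000 without passing through Nginx, which is the second case the example handles.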