Configuring SSL with letsencrypt certbot on NGINX reverse proxy

In a previous article we configured an Nginx reverse proxy to work behind a single public IP on a Proxmox node.

We are now able to send requests from Nginx to our internal network. The focus of this guide is how to get SSL termination on the Nginx reverse proxy in order to serve HTTPS content. SSL is configured only in Nginx: our backend server, Apache, replies over HTTP on the private network to Nginx, which then sends the response to the client over HTTPS.

We will use two tricks to make this work in our reverse proxy setup.

1 – We will add the .well-known location described in RFC 5785 to our Nginx configuration, which sets up a webroot on the Nginx server instead of proxying it to the backend server. This folder will allow us to validate the SSL certificate using the Automatic Certificate Management Environment (ACME) with Certbot.

2 – The Apache module mod_rpaf will help set our HTTP headers to the right values, so that we fetch our visitors' information instead of the proxy's and our SSL certs work with any website on Apache without further configuration.
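
A sketch of the Nginx side of both tricks, added here as an example and not taken from the original article. The hostname `example.com`, the backend address `10.0.0.10` and the webroot `/var/www/letsencrypt` are assumed placeholders, and the location is narrowed to the `acme-challenge` subfolder that Certbot's webroot mode writes to.

```nginx
# Added example. example.com, 10.0.0.10 and /var/www/letsencrypt are placeholders.
# First issuance (run on the proxy once the port-80 block is live):
#   certbot certonly --webroot -w /var/www/letsencrypt -d example.com
# Enable the 443 block only after the certificate files exist.

server {
    listen 80;
    server_name example.com;

    # Trick 1: challenge files are served from a local webroot on the proxy.
    # "^~" stops regex locations from taking over this prefix, so the
    # request is never proxied to the backend.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else on plain HTTP is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    # Files Certbot maintains for the certificate name used above.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # TLS ends here; the backend is reached over HTTP on the private network.
        proxy_pass http://10.0.0.10:80;

        # Trick 2: pass the original host, client address and scheme so the
        # backend can restore them instead of seeing the proxy's values.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

On the Apache side, limit the addresses trusted as proxies to the Nginx host, so that forwarding headers supplied by a client directly are not honoured.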
