How to Setup a Local HTTPS Nginx Reverse Proxy

Overview

This guide provides details on how to set up a local HTTPS Nginx reverse proxy. This is useful when you want to secure HTTP traffic and allow multiple web apps to be served on common ports. Let’s get started!

Docker Install

To follow along, this guide assumes that you have Docker Compose installed. Docker is a great way to abstract applications. Here are some benefits of using Docker apps:

  • Simplifies dependency management
  • Easy to start/stop applications
  • Networking options
  • Easily migrate to a new operating system

Nginx Setup

This guide sets up a local HTTPS secured environment. If your server is accessible from the internet, I recommend using Let’s Encrypt.

I recommend creating a separate directory for your Nginx app:

mkdir nginx
cd nginx

Within the directory, using your favorite text editor, create the docker-compose.yaml:

version: '3'

services:
  proxy:
    image: nginx
    restart: always
    volumes:
      - ./certs:/etc/ssl/certs:ro
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    network_mode: "host"

  omgwtfssl:
    image: paulczar/omgwtfssl
    restart: "no"
    volumes:
      - ./certs:/certs
    environment:
      - SSL_SUBJECT=example.com
      - CA_SUBJECT=Home Issued
      - CA_EXPIRE=3650
      - SSL_KEY=/certs/server.key
      - SSL_CSR=/certs/server.csr
      - SSL_CERT=/certs/server.crt
      - SSL_CONFIG=/certs/openssl.cnf
      - SSL_EXPIRE=3650

The omgwtfssl image (https://github.com/paulczar/omgwtfssl) automates creating the local certificate for us. Because that certificate is issued by a Certificate Authority your browser does not know, the browser will show a warning when you visit the website. You can verify the details and accept the risk to continue using it. The only way to avoid the warning is for the certificate to chain to a trusted Certificate Authority. This requires either using a legitimate Certificate Authority like Let’s Encrypt or creating your own and adding it to the list of trusted Certificate Authorities on the machines that will visit the site.

Within the same directory, create a nginx.conf:

worker_processes 1;

events {
    #debug_connection 127.0.0.1;
    worker_connections 512;
}

http {
    server {
        # Terminate TLS here; server_name must match the name in the certificate.
        listen      443 ssl;
        server_name pihole.home;

        # Paths inside the container, mapped from ./certs in docker-compose.yaml.
        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/certs/server.key;

        location / {
            # Forward the decrypted request to the plain-HTTP app on this host.
            proxy_pass http://127.0.0.1:8080;
            # Only takes effect when proxy_pass points at an https:// upstream.
            proxy_ssl_session_reuse on;
        }
    }
}

Within the file, you will want to customize the server name to the hostname you would like and the proxy pass to the appropriate destination (or, in this case, port). For this example, I am using Nginx to encrypt my traffic to the Pi-hole. My local network DNS is configured to route pihole.home to my server. Nginx routes the request to the appropriate destination. Note: you may need to configure your hostname in the app for everything to work properly.

Keep in mind that Nginx can be very particular about the contents of the file. Any syntax error can result in Nginx not working.
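Before starting the proxy, it is worth checking that the certificate omgwtfssl generated actually fits the nginx.conf above. The POSIX shell functions below are an added example, not part of the original post: they confirm that server.crt chains to the home CA (the check a browser cannot pass until that CA is trusted), that server.key belongs to server.crt (Nginx will not start otherwise), and that the certificate covers the server_name (with the compose file above, SSL_SUBJECT is example.com while server_name is pihole.home, so that check fails until the two agree). They assume the CA certificate was written as certs/ca.pem, omgwtfssl's default CA_CERT path, and that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the files omgwtfssl
# wrote into ./certs before starting the proxy. Assumes the CA certificate is
# ./certs/ca.pem (omgwtfssl's default CA_CERT path; adjust if you changed it)
# and that the openssl CLI is installed.

CERT_DIR="${CERT_DIR:-./certs}"

# 1. Does server.crt chain to the home CA? A browser can only answer "yes"
#    once that CA is in its trust store; until then it shows the warning.
check_chain() {
    openssl verify -CAfile "$CERT_DIR/ca.pem" "$CERT_DIR/server.crt" >/dev/null 2>&1
}

# 2. Does server.key belong to server.crt? Nginx refuses to start on a
#    mismatch. Compare the public key embedded in the certificate with the
#    one derived from the private key.
check_key_matches() {
    cert_pub=$(openssl x509 -in "$CERT_DIR/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$CERT_DIR/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# 3. Does the certificate cover the server_name from nginx.conf? openssl
#    checks the SAN entries (falling back to CN only when there are none);
#    a trusted CA does not help if the name is wrong.
check_hostname() {
    openssl x509 -in "$CERT_DIR/server.crt" -noout -checkhost "$1" \
        | grep -q "does match"
}

# Run all three for one hostname; non-zero on the first failure so this
# can gate "docker-compose up".
check_all() {
    check_chain || { echo "server.crt does not chain to ca.pem"; return 1; }
    check_key_matches || { echo "server.key does not match server.crt"; return 1; }
    check_hostname "$1" || { echo "server.crt does not cover $1"; return 1; }
    echo "certs OK for $1"
}

# Usage from the nginx directory: check_all pihole.home
```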

Start the Container

To start the containers defined in the Compose file, you can simply run the following in the same directory as the yaml file:

sudo docker-compose up -d

To stop the containers, run the following command:

sudo docker-compose down

Wrap Up

That’s it. You can now route traffic over HTTPS to a web application that only speaks plain HTTP.