Nginx Reverse Proxy, SSL

Nginx is awesome - awesomely simple! I set it up on my FreeBSD home server. I like the idea of reverse proxy. For any application that can service a local port via HTTP. Nginx is able to serve it publicly via proxy. Here's the scenario:

I have a TiddlyWiki node.js app, which is ONLY capable of HTTP, but not HTTPS. That's dangerous with basic auth (which TIddlyWiki only supports). But no problem. Assuming the TiddlyWiki serves a local 8080 port. We can use Nginx to proxy that to a public facing 443 HTTPS port. Here's how.

Install Nginx on FreeBSD

This is as simple as

pkg install nginx

That's only ~1MB.

Note that configurations are installed at /usr/local/etc/:

• Main configuration at /usr/local/etc/nginx/nginx.conf
• Service script at /usr/local/etc/rc.d/nginx

Setup Nginx

Enable the service in /etc/rc.conf:

nginx_enable="YES"

Start the service manually:

service nginx start

Generate SSL certificate with (refer to freebsd doc). And copy them to /usr/local/etc/nginx/.

openssl req -new -nodes -out cert.crt -keyout cert.key -sha256 -newkey rsa:2048

Configure /usr/local/etc/nginx/nginx.conf according to the nginx document (2,3,4):

Disable the HTTP 80 section by commenting out the below section:

server {
	listen: 80;
	...
}

Enable the HTTPS section likewise.

# HTTPS server
#
server {
    listen       443 ssl;
    server_name  localhost;
    ssl_certificate      cert.crt;
    ssl_certificate_key  cert.key;

    ...

    location / {
        proxy_pass  http://localhost:8080;
    }
}

The proxy_pass line specifies to proxy local endpoint 8080.

References

• nginx newbie doc
• nginx reverse proxy
• nginx https config
• freebsd ssl
• What are the risks of self signing a certificate for SSL