What is a Reverse Proxy?Permalink

A reverse proxy is a server that sits between internal applications and external clients, forwarding client requests to the appropriate server. While many common applications, such as Node.js, are able to function as servers on their own, NGINX has a number of advanced load balancing, security, and acceleration features that most specialized applications lack. Using NGINX as a reverse proxy enables you to add these features to any application.

This guide uses a simple Node.js app to demonstrate how to configure NGINX as a reverse proxy.

Install NGINXPermalink

These steps install NGINX Mainline on Ubuntu from NGINX Inc’s official repository. For other distributions, see the NGINX admin guide. For information on configuring NGINX for production environments, see our Getting Started with NGINX series.

1. Open /etc/apt/sources.list in a text editor and add the following line to the bottom. Replace CODENAME in this example with the codename of your Ubuntu release. For example, for Ubuntu 18.04, named Bionic Beaver, insert bionic in place of CODENAME below:

   /etc/apt/sources.list

   1	deb http://nginx.org/packages/mainline/ubuntu/ CODENAME nginx

2. Import the repository’s package signing key and add it to apt:

   sudo wget http://nginx.org/keys/nginx_signing.key
   sudo apt-key add nginx_signing.key
   

3. Install NGINX:

   sudo apt update
   sudo apt install nginx
   

4. Ensure NGINX is running and and enabled to start automatically on reboot:

   sudo systemctl start nginx
   sudo systemctl enable nginx
   

Create an Example AppPermalink

Install Node.jsPermalink

1. Use curl to download the setup script provided by NodeSource. Replace the Node version in the curl command with the version you would like to install:

   curl -sL https://deb.nodesource.com/setup_9.x -o nodesource_setup.sh
   

2. Run the script:

   sudo bash nodesource_setup.sh
   

3. The setup script will run an apt-get update automatically, so you can install Node.js right away:

   sudo apt install nodejs
   

The Node Package Manager (NPM) will be installed alongside Node.js.

Configure the AppPermalink

1. Create a directory for the example app:

   mkdir nodeapp && cd nodeapp
   

2. Initialize a Node.js app in the directory:

   npm init
   

   Accept all defaults when prompted.

3. Install Express.js:

   npm install --save express
   

4. Use a text editor to create app.js and add the following content:

   app.js

   1 2 3 4 5 6 7

   const express = require('express') const app = express() app.get('/', (req, res) => res.send('Hello World!')) app.listen(3000, () => console.log('Node.js app listening on port 3000.'))

5. Run the app:

   node app.js
   

6. In a separate terminal window, use curl to verify that the app is running on localhost:

   curl localhost:3000
   

   
   Hello World!
   

Configure NGINXPermalink

At this point, you could configure Node.js to serve the example app on your Linode’s public IP address, which would expose the app to the internet. Instead, this section configures NGINX to forward all requests from the public IP address to the server already listening on localhost.

Basic Configuration for an NGINX Reverse ProxyPermalink

1. Create a configuration file for the app in /etc/nginx/conf.d/. Replace example.com in this example with your app’s domain or public IP address:

   /etc/nginx/conf.d/nodeapp.conf

   1 2 3 4 5 6 7 8 9 10

   server { listen 80; listen [::]:80; server_name example.com; location / { proxy_pass http://localhost:3000/; } }

   The proxy_pass directive is what makes this configuration a reverse proxy. It specifies that all requests which match the location block (in this case the root / path) should be forwarded to port 3000 on localhost, where the Node.js app is running.

2. Disable or delete the default Welcome to NGINX page:

   sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.disabled
   

3. Test the configuration:

   sudo nginx -t
   

4. If no errors are reported, reload the new configuration:

   sudo nginx -s reload
   

5. In a browser, navigate to your Linode’s public IP address. You should see the “Hello World!” message displayed.

Advanced OptionsPermalink

For a simple app, the proxy_pass directive is sufficient. However, more complex apps may need additional directives. For example, Node.js is often used for apps that require a lot of real-time interactions. To accommodate, disable NGINX’s buffering feature:

/etc/nginx/conf.d/nodeapp.conf

1 2 3 4

location / { proxy_pass http://localhost:3000/; proxy_buffering off; }

You can also modify or add the headers that are forwarded along with the proxied requests with proxy_set_header:

/etc/nginx/conf.d/nodeapp.conf

1 2 3 4

location / { proxy_pass http://localhost:3000/; proxy_set_header X-Real-IP $remote_addr; }

This configuration uses the built-in $remote_addr variable to send the IP address of the original client to the proxy host.

Configure HTTPS with CertbotPermalink

One advantage of a reverse proxy is that it is easy to set up HTTPS using a TLS certificate. Certbot is a tool that allows you to quickly obtain free certificates from Let’s Encrypt. This guide will use Certbot on Ubuntu 16.04, but the official site maintains comprehensive installation and usage instructions for all major distros.

Follow these steps to get a certificate via Certbot. Certbot will automatically update your NGINX configuration files to use the new certificate:

1. Install the Certbot and web server-specific packages, then run Certbot:

   sudo apt-get update
   sudo apt-get install software-properties-common
   sudo add-apt-repository ppa:certbot/certbot
   sudo apt-get update
   sudo apt-get install python-certbot-nginx
   sudo certbot --nginx
   

2. Certbot will ask for information about the site. The responses will be saved as part of the certificate:

   
   # sudo certbot --nginx
   Saving debug log to /var/log/letsencrypt/letsencrypt.log
   Plugins selected: Authenticator nginx, Installer nginx
   
   Which names would you like to activate HTTPS for?
   -------------------------------------------------------------------------------
   1: example.com
   2: www.example.com
   -------------------------------------------------------------------------------
   Select the appropriate numbers separated by commas and/or spaces, or leave input
   blank to select all options shown (Enter 'c' to cancel):
   

3. Certbot will also ask if you would like to automatically redirect HTTP traffic to HTTPS traffic. It is recommended that you select this option.
4. When the tool completes, Certbot will store all generated keys and issued certificates in the /etc/letsencrypt/live/$domain directory, where $domain is the name of the domain entered during the Certbot certificate generation step.
   

   Note

   Certbot recommends pointing your web server configuration to the default certificates directory or creating symlinks. Keys and certificates should not be moved to a different directory.

   Finally, Certbot will update your web server configuration so that it uses the new certificate, and also redirects HTTP traffic to HTTPS if you chose that option.

5. If you have a firewall configured on your Linode, you can add a firewall rule to allow incoming and outgoing connections to the HTTPS service. On Ubuntu, UFW is a commonly used and simple tool for managing firewall rules. Install and configure UFW for HTTP and HTTPS traffic:

   sudo apt install ufw
   sudo systemctl start ufw && sudo systemctl enable ufw
   sudo ufw allow http
   sudo ufw allow https
   sudo ufw enable
   

Next StepsPermalink

For more information about general NGINX configuration, see our NGINX series. For practical examples of NGINX used to reverse proxy applications, see our guides on RStudio Server and Thingsboard.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

• NGINX Reverse Proxy – NGINX