Create a reverse proxy for your application using Nginx and Certbot.

Todsaporn Sangboon
Jul 27, 2023

In this post, we will set up and configure Nginx and Certbot for our application.

Installing and Configuring

In the first step, we will install Nginx and Certbot on our server, which runs Ubuntu 22.04.

apt-get install nginx -y # install nginx
sudo apt install certbot python3-certbot-nginx -y # install certbot and its nginx plugin
systemctl enable nginx # start nginx at boot
systemctl restart nginx # use this whenever you need to restart the nginx service

After that, we will configure Nginx. Its configuration lives in /etc/nginx, and inside that directory you will see a directory named sites-enabled. The new reverse proxy config goes in that directory.

Next, we will create the example config below in /etc/nginx/sites-enabled, named subgraph.loremboard.finance.conf.

server {
    listen 80;

    server_name subgraph.loremboard.finance;

    root /opt/sample-app/public/; # root directory for your application
    access_log /var/log/nginx/subgraph.loremboard.finance.access.log;
    error_log /var/log/nginx/subgraph.loremboard.finance.error.log;

    location / {
        proxy_pass http://127.0.0.1:3000; # application running on port 3000
    }
}
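
With only proxy_pass in the location block, Nginx sends the application `Host: 127.0.0.1:3000` and every request appears to come from the loopback address, so per-client logging and rate limiting in the application stop working. The following is an added example, not part of the original post: a small check that reports which forwarding headers a proxy config is missing, run against a constructed copy of the config above (trimmed to the relevant directives) and a variant that sets them. The function names and the list of required headers are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Both sample configs are constructed.
# Headers the application needs to recover the original request (assumed policy).
REQUIRED_HEADERS="Host X-Forwarded-For X-Forwarded-Proto"

# Print each required header that a config containing proxy_pass never sets.
missing_proxy_headers() {
    conf=$1
    grep -Eq '^[[:space:]]*proxy_pass[[:space:]]' "$conf" || return 0
    for h in $REQUIRED_HEADERS; do
        grep -Eiq "^[[:space:]]*proxy_set_header[[:space:]]+$h[[:space:]]" "$conf" \
            || printf '%s\n' "$h"
    done
}

# The server block from the post, trimmed to the directives that matter here.
write_original() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name subgraph.loremboard.finance;
    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
EOF
}

# Same block, passing the client's host, address and scheme to the application.
write_hardened() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name subgraph.loremboard.finance;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to any client-sent value: the app must trust only the last hop.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# Usage: missing_proxy_headers /etc/nginx/sites-enabled/subgraph.loremboard.finance.conf
```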

After that, you can check that the config is correct using the nginx CLI. If it is, you will see “test is successful.”

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Before you go to the next step, you need to check that the DNS record for “subgraph.loremboard.finance” points to your server's IP address (I don’t explain how to do that in this post; you can search for this step).

ping subgraph.loremboard.finance
PING subgraph.loremboard.finance (122.8.xxx.xx): 56 data bytes
64 bytes from 122.8.xxx.xx: icmp_seq=0 ttl=45 time=24.789 ms
64 bytes from 122.8.xxx.xx: icmp_seq=1 ttl=45 time=24.583 ms

--- subgraph.loremboard.finance ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss

Next, it is time to issue a Let's Encrypt certificate using Certbot.

certbot --nginx -d subgraph.loremboard.finance # issue the certificate with this command
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for six.graph.loremboard.finance

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/subgraph.loremboard.finance/fullchain.pem
Key is saved at: /etc/letsencrypt/live/subgraph.loremboard.finance/privkey.pem
This certificate expires on 2023-10-25.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for subgraph.loremboard.finance to /etc/nginx/sites-enabled/subgraph.loremboard.finance.conf
Congratulations! You have successfully enabled HTTPS on https://subgraph.loremboard.finance

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Once you reach this point, you can check the certificate's validity by opening https://subgraph.loremboard.finance in a browser. The address bar will show a green lock.

Create a crontab to reload the certificate automatically

A Let’s Encrypt certificate is valid for three months after it is issued. After three months, we have to renew the certificate using the certbot CLI, but monitoring the expiry date and renewing by hand is a waste of time. The solution is to let crontab do that step for you.

First, run the certbot CLI to set up the crontab.

certbot renew --dry-run # simulate a renewal to confirm that automatic renewal works
# check the crontab
cat /etc/cron.d/certbot

Finally, if Certbot renews your certificate but Nginx keeps using the old one, the browser will show a warning or error when you enter the URL, because the certificate Nginx is serving has expired. You can fix that problem automatically with a crontab entry that reloads Nginx daily at midnight.

crontab -e
# add the lines below at the bottom of the file
# reload the nginx config automatically every day at 23:59
59 23 * * * systemctl reload nginx
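
An alternative to the timed reload, as an added example that is not part of the original post: Certbot runs every executable in its renewal-hooks/deploy directory after a successful renewal, so Nginx can be reloaded exactly when the certificate changes, and a fingerprint comparison detects the stale-certificate case described above. The hook file name reload-nginx.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Certbot runs every executable in this directory after a successful renewal.
HOOK_DIR=/etc/letsencrypt/renewal-hooks/deploy

# Install a deploy hook that validates the config and then reloads Nginx.
# $1 overrides the hook directory so the function can be tried without root.
install_reload_hook() {
    dir=${1:-$HOOK_DIR}
    mkdir -p "$dir" || return 1
    cat > "$dir/reload-nginx.sh" <<'EOF'
#!/bin/sh
# Reload only if the configuration still parses; if the test fails, the
# running workers keep serving with their current certificate.
nginx -t -q && systemctl reload nginx
EOF
    chmod 755 "$dir/reload-nginx.sh"
}

# SHA-256 fingerprint of the first PEM certificate read from stdin.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate Nginx is actually serving for host $1.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | fingerprint
}

# Compare the on-disk and served fingerprints. Prints "stale" and returns 1
# when they differ or either is empty (Nginx was not reloaded after renewal).
compare_fingerprints() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo current
    else
        echo stale
        return 1
    fi
}

# Usage on the server (domain and path are the ones from the post):
#   compare_fingerprints \
#     "$(fingerprint < /etc/letsencrypt/live/subgraph.loremboard.finance/fullchain.pem)" \
#     "$(served_fingerprint subgraph.loremboard.finance)"
```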

What’s Nginx?

NGINX is open-source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. It started as a web server designed for maximum performance and stability. In addition to its HTTP server capabilities, NGINX can function as a proxy server for email (IMAP, POP3, and SMTP) and a reverse proxy and load balancer for HTTP, TCP, and UDP servers.

What’s Certbot?

Certbot is a free, open-source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.

Certbot is made by the Electronic Frontier Foundation (EFF), a 501(c)3 nonprofit based in San Francisco, CA, that defends digital privacy, free speech, and innovation.
