Nginx Reverse Proxy with SSL: Production Configuration

Introduction

Nginx is a standard reverse proxy for production. This guide focuses on a secure, maintainable setup.

Installation

terminal

$sudo apt update
$sudo apt install nginx -y
$sudo systemctl enable nginx

Basic Reverse Proxy

nginx

1# /etc/nginx/sites-available/app.conf
2server {
3    listen 80;
4    server_name app.example.com;
5 
6    location / {
7        proxy_pass http://127.0.0.1:3000;
8        proxy_set_header Host $host;
9        proxy_set_header X-Real-IP $remote_addr;
10        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
11        proxy_set_header X-Forwarded-Proto $scheme;
12    }
13}

SSL with Let’s Encrypt

terminal

$sudo apt install certbot python3-certbot-nginx -y
$sudo certbot --nginx -d app.example.com

Security Headers

nginx

1# /etc/nginx/snippets/security-headers.conf
2add_header X-Frame-Options "SAMEORIGIN" always;
3add_header X-Content-Type-Options "nosniff" always;
4add_header Referrer-Policy "strict-origin-when-cross-origin" always;
5add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Include it in the server block:

nginx

1server {
2    include /etc/nginx/snippets/security-headers.conf;
3}

Rate Limiting

nginx

1limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
2location /api/ {
3    limit_req zone=api burst=20 nodelay;
4    proxy_pass http://127.0.0.1:3000;
5}

Test and Reload

terminal

$sudo nginx -t
$sudo systemctl reload nginx

Conclusion

A well-configured Nginx proxy improves security and reliability in production.

Nginx

SSL

Linux

Security

Load Balancing

Written by

Corentin Tujague

Network & Security Engineer

Passionate about building secure, scalable infrastructure and sharing technical knowledge.