Skip to content

Instantly share code, notes, and snippets.

@jeanpauldejong

jeanpauldejong/nginx-reverse-proxy-letsencrypt.md

Last active June 25, 2025 10:32
Show Gist options
  • Save jeanpauldejong/46ccf67d529f2b6162e0c5c6c7d468f9 to your computer and use it in GitHub Desktop.
Save jeanpauldejong/46ccf67d529f2b6162e0c5c6c7d468f9 to your computer and use it in GitHub Desktop.
Download ZIP
Nginx Reverse Proxy with Let's Encrypt (Certbot Standalone) & TLS Hardening
Raw
nginx-reverse-proxy-letsencrypt.md

Nginx Reverse Proxy with Let’s Encrypt (Certbot Standalone) & TLS Hardening

This guide shows how to use Nginx as a reverse proxy with a legitimate Let’s Encrypt certificate, using Certbot in standalone mode (no need to reconfigure Nginx for HTTP-01 challenge). It also covers certificate renewal testing and TLS hardening in Nginx.

Prerequisites

  • Ubuntu 22.04/24.04 server (or similar)
  • Domain name pointed to your server’s public IP
  • Nginx installed (sudo apt install nginx)
  • Ports 80 and 443 open in your firewall

1. Stop Nginx Temporarily

Certbot standalone needs to bind to port 80 (and 443 for some challenges):

sudo systemctl stop nginx

2. Obtain Let’s Encrypt Certificate (Standalone Mode)

Replace example.com and www.example.com with your domain(s):

sudo certbot certonly --standalone -d example.com -d www.example.com

Certificates will be saved in /etc/letsencrypt/live/example.com/.

3. Start Nginx Again

sudo systemctl start nginx

4. Configure Nginx Reverse Proxy with SSL

Edit /etc/nginx/sites-available/example.com:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS hardening (see below)
    # ...

    location / {
        proxy_pass http://127.0.0.1:8080; # Change to your backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable the config and reload Nginx:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

5. TLS Hardening in /etc/nginx/nginx.conf

Add or update the following in the http block:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;

6. Test Certificate Renewal (Dry Run)

sudo certbot renew --dry-run

If successful, your renewal is working.

Notes

  • Certbot will need to stop Nginx for renewal in standalone mode. You can automate this with hooks if needed.
  • For production, consider using Certbot’s --nginx plugin if you want automatic config edits, or use DNS-01 challenge for wildcard certs.
  • Always back up your Nginx configs before making changes.

References:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment