Nginx

    Reverse proxy

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
    
        server_name subdomain.domain.tld;
    
        # ssl_trusted_certificate /root/certs/ca.crt; # optional
        ssl_certificate /path/subdomain.domain.tld.crt;
        ssl_certificate_key /path/subdomain.domain.tld.key;
    
        location / {
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto https;
          proxy_pass http://internal-service/;
          proxy_read_timeout 90;
        }
    }
    

    Secure reverse proxy

    Reduce the chance of a man-in-the-middle on the hop between nginx and the backend if you don't trust the in-between network (e.g., no VLAN at home).

    server {
        listen 443 ssl;
    
        server_name subdomain.domain.tld;
    
        ssl_certificate /path/subdomain.domain.tld.crt;
        ssl_certificate_key /path/subdomain.domain.tld.key;
    
        location / {
          # ...
    
          # Secure reverse proxy with SSL
          # trust anchor used to verify the backend's certificate (self-signed here, see notes)
          proxy_ssl_trusted_certificate /root/certs/internal.crt;
          # client certificate and key presented to the backend
          proxy_ssl_certificate     /root/certs/internal.crt;
          proxy_ssl_certificate_key /root/certs/internal.key;
    
          # without verify on, https to the backend gives no protection against MITM
          proxy_ssl_verify        on;
          proxy_ssl_session_reuse on;
    
          # ...
          proxy_pass https://internal-service/;
        }
    }
    

    Notes:

    • In some cases the domain is not in the certificate; as a workaround you can use proxy_ssl_name "subdomain.domain.tld";. For a real fix, regenerate the certificates with the right domain.
    • proxy_ssl_trusted_certificate expects a CA bundle; here the backend uses a self-signed certificate with no authority (CA), which is why the certificate itself is used as the trusted certificate.
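    To check that the "Secure reverse proxy" settings above were actually applied everywhere, here is an added example (not from the original notes, and not part of nginx) that scans an nginx config for location blocks whose upstream hop is unprotected: proxy_pass over plain http, or over https without proxy_ssl_verify on. It assumes simple prefix locations with no nesting; the sample config is constructed.

```python
import re

# Constructed sample config: three locations, only the last one is safe.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    location /plain/ {
        proxy_pass http://internal-service/;   # cleartext to backend
    }
    location /unverified/ {
        proxy_pass https://internal-service/;  # TLS but no verification
    }
    location /verified/ {
        proxy_ssl_trusted_certificate /root/certs/internal.crt;
        proxy_ssl_verify on;
        proxy_pass https://internal-service/;
    }
}
"""

def location_blocks(conf):
    """Yield (path, directives) per location block (assumption: prefix
    locations only, no nested blocks). directives maps name -> value."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments first
    for m in re.finditer(r"location\s+(\S+)\s*\{([^}]*)\}", conf):
        path, body = m.group(1), m.group(2)
        directives = {}
        for stmt in body.split(";"):
            parts = stmt.split(None, 1)
            if len(parts) == 2:
                directives[parts[0]] = parts[1].strip()
        yield path, directives

def audit_upstream_tls(conf):
    """Return {location path: finding} for every location whose
    nginx -> backend hop is not both encrypted and verified."""
    findings = {}
    for path, d in location_blocks(conf):
        target = d.get("proxy_pass", "")
        if target.startswith("http://"):
            findings[path] = "plaintext to backend"
        elif target.startswith("https://") and d.get("proxy_ssl_verify") != "on":
            findings[path] = "https without proxy_ssl_verify on"
    return findings

if __name__ == "__main__":
    for path, finding in audit_upstream_tls(SAMPLE_CONF).items():
        print(f"{path}: {finding}")
```

Run it against the output of nginx -T to audit the live, fully expanded config rather than a single file.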

    SSL

    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256";
    

    Note: use openssl ciphers to check which cipher suites the string actually expands to.

    Tips

    Check before restart

    nginx -T && echo OK