Raspberry Pi Reverse Proxy with NGNIX and Letsencrypt SSL Encryption
--
One IP address and many or sometimes too may websites hosted on your environment comes with the problem “How to uses standard SSL / HTTPs or HTTP for all of these instead of custom TCP Ports?”. A Raspberry Pi (B3+) in my case Reverse Proxy provide excellent solution to the problem . It is easy to manege Secured by Lets encrypt SSL and energy efficient.
To begin with lets just update the Raspbian to the latest version .
sudo apt update
sudo apt upgradeNext step is install NGINX on Pi and verify the installed version
sudo apt install nginx
pi@raspberrypi:~ $ sudo nginx -v
nginx version: nginx/1.14.2Install the certbot for NGINX
sudo apt install python-certbot-nginxBefore proceeding to next step please make sure the raspberry pi is running on static IP and your firewall or router is forwarding the ports TCP/80 and TCP/443 to that IP. Assuming that the domain which will be proxied is already setup to the IP address of your router /firewall. In case of dynamic DNS please refer to the previous post https://www.affan.info/google-domain-ddns-raspberry-pi-or-linux-systems/. Certbot need bot port 80 and 443 to be redirected to the NGINX web server . Once this is done move to next step creation of SSL certificate for the domain.
sudo certbot --nginx --domain demo2.affan.infoFollow the instructions on the console and create the certificate. Next step is to create a NGINX configuration for your website and attach the SSL certificate generated above with it.Verify the certificates created.
pi@raspberrypi:~$ sudo ls /etc/letsencrypt/live/demo1.affan.info/
cert.pem chain.pem fullchain.pem privkey.pem READMECreate a configuration file for NGINX in sites-available directory .
sudo vi /etc/nginx/sites-available/demo1.affan.info.confCreate the following configuration in the above file and assign the ssl_certificate and ssl_certificate_key parameters. Set the internal IP address for the web server where website is hosted.
server {
listen 80;
listen 443 ssl;
server_name demo1;
index index.php index.html index.html; #Depend on your Webserver #ssl on;
ssl_certificate /etc/letsencrypt/live/demo1/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/demo1/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://10.10.0.11; # Internal IP of web server
}
}
Save the config file and create the link in Sites-enabled directory for NGINX.
sudo ln -s /etc/nginx/sites-available/demo1.affan.info.conf /etc/nginx/sites-enabled/demo1.affan.info.confTest NGINX Configuration and Reload id test is ok
pi@raspberrypi:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
pi@raspberrypi:~$ sudo nginx -s reloadCheck your website form WAN to make sure everything works. I have run Raspberry-pi B3+ using Ethernet connection to host 5 Websites including a nextcloud instance and depending on internet connection it works fine.
