0xFedev

How to install NGINX as Reverse Proxy and configure Certbot on Amazon Linux 2023

Securing your web server and website matters. One way to do this is to serve the site over HTTPS, which encrypts the data transmitted between the server and the client so that it cannot be read in transit. NGINX is one of the most popular web servers used for this, and it offers a robust and efficient platform for serving web content. In this article, we will walk through installing and configuring NGINX on an Amazon Linux 2023 instance, and then set up Certbot to obtain and renew SSL/TLS certificates for your website. Whether you are a seasoned web developer or a novice, this article gives you what you need to secure your website on the AWS cloud.

Disclaimer

In this article, only NGINX and Certbot will be installed for educational purposes. The configuration of NGINX may not be production ready.

Preconditions

In this guide, we will connect to an AWS EC2 instance running Amazon Linux 2023 that has already been started and configured with an Elastic IP.
You can follow these steps by referring to the official AWS guide:

Install NGINX

First of all, let's connect via SSH to our EC2 instance:

$ ssh -i ~/<PATH_TO_YOUR_PEM_FILE> ec2-user@<EC2_ELASTIC_IP>

Next, execute these commands to install NGINX and enable it on startup:

$ sudo yum install nginx
$ sudo systemctl enable nginx && sudo systemctl start nginx

Now, let's assume that we want to configure NGINX to act as a reverse proxy on port 80 for a service running on port 5555.

Let's open the NGINX configuration file:

$ sudo nano /etc/nginx/nginx.conf

Now modify the server configuration, replacing YOUR_DOMAIN with the domain name associated with the EC2 instance (if any) and EC2_PRIVATE_IPV4_ADDRESS with the private IPv4 address of the EC2 instance, which can be retrieved from the AWS control panel:

    server {
        listen       80;
        listen       [::]:80;
        server_name  <YOUR_DOMAIN>;
        location / {
            proxy_pass http://<EC2_PRIVATE_IPV4_ADDRESS>:5555;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }

After saving and closing the file, let's test that the configuration is valid and then restart NGINX:

$ sudo nginx -t
$ sudo systemctl restart nginx

Now, if the configuration is correct, it should be possible to reach our service through the address http://<EC2_ELASTIC_IP> or http://<YOUR_DOMAIN>.

Install Certbot

For installing Certbot and enabling HTTPS on NGINX, we will rely on Python. So, first of all, let's set up a virtual environment:

$ sudo python3 -m venv /opt/certbot/
$ sudo /opt/certbot/bin/pip install --upgrade pip

Afterwards, run this command to install Certbot:

$ sudo /opt/certbot/bin/pip install certbot certbot-nginx

Now, execute the following command to ensure that the certbot command can be run:

$ sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Finally, run the following command to obtain a certificate and let Certbot automatically modify the NGINX configuration, enabling HTTPS:

$ sudo certbot --nginx

After following the certificate generation wizard, we will be able to access our EC2 instance via HTTPS using the address https://<EC2_ELASTIC_IP> or https://<YOUR_DOMAIN>.

Set up automatic renewal

To enable Certbot to automatically renew the certificates, it is sufficient to add a cron job by running the following command:

$ echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
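
The cron job above runs unattended, so a renewal that keeps failing is easy to miss. The script below is an added example (not part of the original article) that reports how close a certificate is to expiry. It assumes the `openssl` CLI and Certbot's default path `/etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem`; `cert_status` and the 14-day default threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: expiry check to run alongside the renewal cron job.
# Assumption: Certbot's default layout /etc/letsencrypt/live/<domain>/fullchain.pem.
# cert_status is a helper name chosen for this example.

# cert_status CERT_FILE [MIN_DAYS]
# Prints one word and returns: OK=0, EXPIRING=1, EXPIRED=2, UNREADABLE=3.
cert_status() {
    cs_cert="$1"
    cs_min_days="${2:-14}"

    # A missing or unparsable file (or a missing openssl binary) lands here.
    if ! openssl x509 -noout -in "$cs_cert" >/dev/null 2>&1; then
        echo "UNREADABLE"; return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$cs_cert" >/dev/null 2>&1; then
        echo "EXPIRED"; return 2
    fi
    if ! openssl x509 -noout -checkend "$((cs_min_days * 86400))" \
            -in "$cs_cert" >/dev/null 2>&1; then
        echo "EXPIRING"; return 1
    fi
    echo "OK"; return 0
}

# Usage: sudo sh check-cert.sh <YOUR_DOMAIN> [MIN_DAYS]
# Runs only when a domain is passed, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    cert="/etc/letsencrypt/live/$1/fullchain.pem"
    status=$(cert_status "$cert" "${2:-14}")
    rc=$?
    echo "$1: $status ($cert)"
    # Non-zero exit lets cron mail, a systemd unit, or a monitoring
    # agent treat anything other than OK as a failure.
    exit "$rc"
fi
```

Running `sudo certbot renew --dry-run` once after setup exercises the renewal path without replacing the live certificate.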

Top comments (3)

Jean Fredson

Really thank you, great idea to use certbot in virtualenv.

Inefable KOUMBA

Good work!

Thabiso Mohatlane

This article saved me some time, even though my approach was a little bit different.