Victor is a full stack software engineer who loves travelling and building things. Most recently created Ewolo, a cross-platform workout logger.
Configure Nginx with SSL as a reverse proxy for a Node.js application
Crafted on November 21, 2021 | By Victor Parmar

My favourite setup for a Node.js application is to run it on a non-privileged port via pm2 and configure Nginx as a reverse proxy. This way I can use certbot to get and manage SSL certificates and let Nginx do the SSL handshake.

Without further ado, first setup pm2 via npm i -g pm2 and follow the instructions provided via pm2 startup. Setup application to autostart via pm2 start ecosystem.config.js --env production and pm2 save. The pm2 configuration file does not need to be too complicated: 


module.exports = {
  apps: [
    {
      name: "my-cool-app",
      script: "./main.js",
      env_production: {
        NODE_ENV: "production",
      },
    },
  ],
};

Next, setup Nginx sudo apt install nginx and test that the domain is working correctly. Add a virtual host configuration in /etc/nginx/sites-enabled/default as follows: 


map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

server {
  server_name cool.domain;

  listen 80;
	listen [::]:80;
  
  location / {
    proxy_http_version 1.1;
    proxy_set_header   Upgrade $http_upgrade;
    proxy_set_header   Connection $connection_upgrade;
    proxy_set_header   X-Forwarded-For $remote_addr;
    proxy_set_header   Host $http_host;
    proxy_pass         http://localhost:8000;
  }
}

Nginx should now forward http requests to your app. The final step will be to install certbot, see instructions here. Running sudo certbot --nginx should automagically setup an SSL certificate and modify the nginx configuration to look like the following:


map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

server {
  server_name cool.domain;

  location / {
    proxy_http_version 1.1;
    proxy_set_header   Upgrade $http_upgrade;
    proxy_set_header   Connection $connection_upgrade;
    proxy_set_header   X-Forwarded-For $remote_addr;
    proxy_set_header   Host $http_host;
    proxy_pass         http://localhost:8000;
  }

  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/cool.domain/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/cool.domain/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
  if ($host = cool.domain) {
      return 301 https://$host$request_uri;
  } # managed by Certbot

  listen 80;
  listen [::]:80;

  server_name cool.domain;
  return 404; # managed by Certbot
}

At this point, you should be able to run your application over https :).

Do note that this setup is not really scalable. Ideally you'd want to have some sort of a PaaS running that manages certificates and auto-deploys applications. However, if you are running on a cheap VPS with 1 vCPU and less than 1Gb RAM, this is an ok solution to extract maximum juice out of such a barebones infrastructure.

Contact

(remove '.autobot')

Popular articles

Copying objects in Javascript
Building a simple neural net in Java
Node.js Express api development security checklist

Small Data

© 2013-2024 SmallData Inc.