Blog

Victor is a full stack software engineer who loves travelling and building things. Most recently created Ewolo, a cross-platform workout logger.

    Configure Nginx with SSL as a reverse proxy for a Node.js application

    My favourite setup for a Node.js application is to run it on a non-privileged port via pm2 and configure Nginx as a reverse proxy. This way I can use certbot to get and manage SSL certificates and let Nginx do the SSL handshake.

    Without further ado, first setup pm2 via npm i -g pm2 and follow the instructions provided via pm2 startup. Setup application to autostart via pm2 start ecosystem.config.js --env production and pm2 save. The pm2 configuration file does not need to be too complicated:

    module.exports = {
      apps: [
        {
          name: "my-cool-app",
          script: "./main.js",
          env_production: {
            NODE_ENV: "production",
          },
        },
      ],
    };
    

    Next, setup Nginx sudo apt install nginx and test that the domain is working correctly. Add a virtual host configuration in /etc/nginx/sites-enabled/default as follows:

    map $http_upgrade $connection_upgrade {
      default upgrade;
      '' close;
    }
    
    server {
      server_name cool.domain;
    
      listen 80;
    	listen [::]:80;
      
      location / {
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   Host $http_host;
        proxy_pass         http://localhost:8000;
      }
    }
    

    Nginx should now forward http requests to your app. The final step will be to install certbot, see instructions here. Running sudo certbot --nginx should automagically setup an SSL certificate and modify the nginx configuration to look like the following:

    map $http_upgrade $connection_upgrade {
      default upgrade;
      '' close;
    }
    
    server {
      server_name cool.domain;
    
      location / {
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_set_header   Host $http_host;
        proxy_pass         http://localhost:8000;
      }
    
      listen [::]:443 ssl ipv6only=on; # managed by Certbot
      listen 443 ssl; # managed by Certbot
      ssl_certificate /etc/letsencrypt/live/cool.domain/fullchain.pem; # managed by Certbot
      ssl_certificate_key /etc/letsencrypt/live/cool.domain/privkey.pem; # managed by Certbot
      include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
    
    server {
      if ($host = cool.domain) {
          return 301 https://$host$request_uri;
      } # managed by Certbot
    
      listen 80;
      listen [::]:80;
    
      server_name cool.domain;
      return 404; # managed by Certbot
    }
    

    At this point, you should be able to run your application over https :).

    Do note that this setup is not really scalable. Ideally you'd want to have some sort of a PaaS running that manages certificates and auto-deploys applications. However, if you are running on a cheap VPS with 1 vCPU and less than 1Gb RAM, this is an ok solution to extract maximum juice out of such a barebones infrastructure.

    HackerNews submission / discussion

    Back to the article list.

    SmallData newsletter

    Subscribe to get articles as they are published direct to your inbox!