smol projects

reverse proxies with nginx

09.08.2023 2 min read

I was tired of nginx proxy manager dying on me (granted, it could very well be a “me thing” - maybe I hadn’t configured it properly) - so I decided to do everything manually (MORE manually, anyway - Certbot still doing quite a bit of work).

Setting up Reverse Proxies with Certbot


  • sudo apt install nginx
  • sudo apt install certbot python3-certbot-nginx

Adding an entry

  • sudo nano /etc/nginx/sites-available/domain.example
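server {
    listen 80;
    listen [::]:80;

    server_name domain.example;

    location / {
        # address and port of the service being proxied
        proxy_pass http://xxx.xxx.x.xxx:xxxx;
        # Debian/Ubuntu snippet that forwards Host and the X-Forwarded-* headers
        include proxy_params;
    }
}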
  • sudo nginx -t - test if config is valid
  • sudo systemctl restart nginx
  • sudo ln -s /etc/nginx/sites-available/domain.example /etc/nginx/sites-enabled - create the symlink
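
The steps above as one script, added here as an example and not part of the original post: it validates the domain and upstream before writing them into the config, and links the site before running nginx -t so the test covers the new file (assuming the Debian/Ubuntu layout where nginx.conf includes sites-enabled). NGINX_DIR and the function names are made up for this example, and the upstream is assumed to be IPv4:port as in the proxy_pass line above.

```shell
#!/bin/sh
# Added example: the "Adding an entry" steps as one script (run as root).
# NGINX_DIR and all function names are made up for this example.
NGINX_DIR="${NGINX_DIR:-/etc/nginx}"

# Allow only hostname characters, so a stray ';', '{', '/' or newline
# cannot add directives to the config or change the file path.
valid_domain() {
    case $1 in ''|*[!a-z0-9.-]*|.*|*.|-*|*-|*..*|*.-*|*-.*) return 1 ;; esac
    case $1 in *.*) return 0 ;; *) return 1 ;; esac
}

# Upstream must have the IPv4:port shape (digits, three dots, one colon).
valid_upstream() {
    case $1 in *[!0-9.:]*|*:*:*|*..*|.*|*.:*|*:) return 1 ;; esac
    case $1 in *.*.*.*.*) return 1 ;; *.*.*.*:?*) return 0 ;; *) return 1 ;; esac
}

render_site() {  # render_site <domain> <ip:port> -> server block on stdout
    valid_domain "$1"   || { echo "bad domain: $1" >&2; return 1; }
    valid_upstream "$2" || { echo "bad upstream: $2" >&2; return 1; }
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;
    location / {
        proxy_pass http://$2;
        include proxy_params;
    }
}
EOF
}

add_site() {  # add_site <domain> <ip:port>
    block=$(render_site "$1" "$2") || return 1
    printf '%s\n' "$block" > "$NGINX_DIR/sites-available/$1"
    ln -sfn "$NGINX_DIR/sites-available/$1" "$NGINX_DIR/sites-enabled/$1"
    # Restart only if the full config parses; otherwise unlink the new site.
    if nginx -t; then
        systemctl restart nginx
    else
        rm -f "$NGINX_DIR/sites-enabled/$1"
        return 1
    fi
}

if [ "$#" -eq 2 ]; then add_site "$@"; fi
```

Saved under a name of your choice, it is called with the domain and the upstream, for example `sudo sh add-site.sh domain.example 192.168.1.10:8080` (both values constructed).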

Getting the cert

sudo certbot --nginx -d domain.example --staging # Browsers will complain that cert is not secure
sudo certbot --nginx -d domain.example 

certbot will take care of the SSL stuff and add the following into /etc/nginx/sites-available/domain.example:

server {
	# ... all the previous stuff
	# the following is config added by Certbot
	listen [::]:443 ssl; # managed by Certbot
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/domain.example/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/domain.example/privkey.pem;
	# ...etc.
}

If Certbot asks whether to redirect HTTP traffic to HTTPS, choose 1: No redirect.

Certificate Auto-Renewal

sudo letsencrypt renew --dry-run --agree-tos

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed: 
# Your certs here

Crontab entry (runs every day at 03:12):

12 3 * * *   letsencrypt renew >> /var/log/letsencrypt/renew.log

Test the command with bash:

sudo bash -c "letsencrypt renew >> /var/log/letsencrypt/renew.log"


Difference between Certbot's dry run and staging options
