# Nginx as Reverse Proxy With Upstream SSL When using Nginx as a reverse proxy with SSL for upstream servers, it's a common scenario to secure the communication between Nginx and the upstream servers while also handling SSL termination at the Nginx level. Here's a basic example of how to set up Nginx as a reverse proxy with SSL termination: 1. Install Nginx: Ensure Nginx is installed on your server. 2. Configure Nginx as a Reverse Proxy: Create or edit the Nginx configuration file for your site (commonly found at `/etc/nginx/sites-available/yoursite` or `/etc/nginx/nginx.conf`). ``` server { listen 443 ssl; server_name yourdomain.com; ssl_certificate /path/to/yourdomain.crt; ssl_certificate_key /path/to/yourdomain.key; location / { proxy_pass https://your_upstream_server; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } ``` - Replace `yourdomain.com` with your actual domain. - Set the paths to your SSL certificate and private key using `ssl_certificate` and `ssl_certificate_key` directives. - Replace `https://your_upstream_server` with the URL of your actual upstream server. 3. Set Up Upstream Server with SSL: The `your_upstream_server` should have SSL configured. Modify the Nginx configuration on the upstream server to handle SSL if it's not already set up. 4. Reload Nginx Configuration: After making changes, reload Nginx to apply the new configuration: ```bash sudo systemctl reload nginx ``` This configuration will terminate SSL at Nginx, and the communication between Nginx and the upstream server will be unencrypted. Ensure proper security measures are in place on your local network for this communication. Adjust configurations based on your specific requirements and ensure proper SSL settings, such as SSL protocols and ciphers, for both Nginx and the upstream server. Also, ensure that any firewall settings or security configurations allow traffic between Nginx and your upstream server on the specified port.