Local Reverse Proxy

Local Reverse Proxy

Laziness drove me to install NGINX as a reverse proxy and to set up a local domain name with a self-signed certificate.

Context

On my Mac, I have installed Docker and deployed several applications within their containers. I don't need to access these applications over the Internet, so I keep them local, accessing them with my browser using localhost and their exposed ports.

However, I'm tired of remembering the ports. To simplify access, I decided to install NGINX on my Mac to set up a local reverse proxy.

Installation

I'm using Homebrew, so the installation is straightforward:

brew install nginx

Now, NGINX is installed on my Mac, nothing complicated.

NGINX Configuration

By default, NGINX serves content on port 8080. I want to change it to port 80:

vim /usr/local/etc/nginx/nginx.conf

Search for the http block. Inside it, there is a server block. In this server block, change listen 8080; to listen 80;.

SSL Configuration

If you're going to use a custom local domain name, you might as well use a self-signed SSL certificate. I'll use OpenSSL for this:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
  -nodes -keyout home.arpa.key -out home.arpa.crt -subj "/CN=home.arpa" \
  -addext "subjectAltName=DNS:home.arpa,DNS:*.home.arpa,IP:127.0.0.1"

You can replace home.arpa with your custom domain name.

Once you have your .key and .crt files, store them carefully. I chose to copy them to a folder next to nginx.conf:

mkdir -p /usr/local/etc/nginx/ssl
mv home.arpa.key home.arpa.crt /usr/local/etc/nginx/ssl/

Server Block Creation

Instead of having one large nginx.conf file with all my server declarations, I decided to use the servers/ directory in /usr/local/etc/nginx/servers:

vim /usr/local/etc/nginx/servers/portainer.home.arpa.conf

Configuration Example

server {
    listen 443 ssl;
    server_name portainer.home.arpa;

    ssl_certificate /usr/local/etc/nginx/ssl/home.arpa.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/home.arpa.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass https://127.0.0.1:9443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name portainer.home.arpa;

    return 301 https://$host$request_uri;
}

NGINX Restart

To apply the changes, restart NGINX with:

sudo brew services restart nginx

Local DNS

Don't forget to update your local DNS. Add this line to your /etc/hosts file:

127.0.0.1 portainer.home.arpa

Conclusion

That's it! Now, you can browse your application using https://portainer.home.arpa instead of https://127.0.0.1:9443.

Happy me! 🌱