Edge Security: Architecting Nginx Reverse Proxy with SSL Termination and Certbot

In a modern microservices architecture, managing SSL certificates for every individual service is an operational nightmare. The solution is SSL Termination at the Edge. By placing an Nginx Reverse Proxy at the entry point of your network, you can handle all encryption and decryption in one place, allowing your backend services to communicate over a high-speed, isolated internal network.

This guide explores the architectural workflow of setting up an Nginx gateway with automated Let's Encrypt certificates via Certbot, all orchestrated within Docker.

---

Phase 1: The Isolated Fabric (Network Setup)

To ensure backend services are not exposed to the public internet, we establish a private Docker bridge network. This allows Nginx to communicate with applications via their container names while keeping them invisible to external traffic.

bashCopy
docker network create app-net

Phase 2: Provisioning the Backend Microservices We deploy three redundant instances of our application. Note that these containers do not expose any ports to the host; they only exist within the app-net fabric.

bashCopy
docker container run -d --name app1 --network app-net nidhinb143/hostname:1
docker container run -d --name app2 --network app-net nidhinb143/hostname:1
docker container run -d --name app3 --network app-net nidhinb143/hostname:1

Phase 3: Automated Certificate Orchestration (Certbot)

Before Nginx can serve HTTPS, we must obtain a valid certificate from Let's Encrypt. We use the Certbot Standalone mode, which temporarily spins up its own web server to verify domain ownership.

1. DNS Preparation: Create an A Record in Route 53 (e.g., api.nidhin.com) pointing to your EC2 IP.
2. Certificate Retrieval:

bashCopy
sudo apt install certbot -y
sudo certbot certonly --standalone -d api.nidhin.com

3. Credential Management: Move the certificates to a dedicated staging directory for Docker mounting.

bashCopy
mkdir -p ~/ssl/certs
sudo cp /etc/letsencrypt/live/api.nidhin.com/fullchain.pem ~/ssl/certs/cert.pem
sudo cp /etc/letsencrypt/live/api.nidhin.com/privkey.pem ~/ssl/certs/privkey.pem

Phase 4: The Edge Blueprint (default.conf)

The Nginx configuration acts as the brain of the reverse proxy. It handles the HTTP-to-HTTPS upgrade and distributes traffic across the backend upstream cluster.

nginxCopy
upstream appservers {
    server app1:80;
    server app2:80;
    server app3:80;
}
server {
    listen 80;
    listen 443 ssl;
    server_name api.nidhin.com;
    # Global HTTPS Redirection
    if ($scheme != "https") {
        rewrite ^ https://$host$uri permanent;
    }
    # SSL Identity
    ssl_certificate /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    location / {
        # Preservation of Client Metadata
        proxy_set_header HOST $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        # Internal Handover
        proxy_pass http://appservers;
    }
}

Phase 5: Initializing the Edge Node

Finally, we launch the Nginx container, mapping ports 80 and 443 and mounting our persistent configuration and certificates.

bashCopy
docker container run -d \
  --name nginx \
  -p 80:80 -p 443:443 \
  --network app-net \
  -v /home/ubuntu/ssl/default.conf:/etc/nginx/conf.d/default.conf \
  -v /home/ubuntu/ssl/certs:/etc/nginx/certs \
  nginx:alpine

Why this handles scale:

1. SSL Termination: The high-cpu task of decrypting traffic happens only once at the Nginx layer.
2. Upstream Balancing: New backend containers can be added to the appservers block without changing the public-facing SSL setup.
3. Resource Efficiency: Using nginx:alpine ensures the edge node consumes minimal system resources.

Conclusion

Setting up an Nginx reverse proxy with SSL termination turns a collection of containers into a professional, secure application stack. By centralizing encryption management and isolating your backend fabric, you achieve a resilient architecture that is both easy to maintain and inherently scalable.