Complete Guide to Building a Secure Nginx Reverse Proxy

Creating a secure, reliable, and scalable reverse proxy is crucial for businesses and IT professionals managing high-traffic websites or complex applications. Nginx, an open-source web server and reverse proxy, is a powerful solution for routing, optimizing, and securing traffic to your backend services. In this guide, we’ll walk through the process of setting up a robust reverse proxy using Nginx on Ubuntu 24.04, covering critical steps such as TLS encryption, rate limiting, and integration with Cloudflare.

If you’re managing enterprise-level websites, e-commerce platforms, or media servers, this guide will empower you to enhance performance, ensure uptime, and protect your infrastructure from vulnerabilities.

What Is an Nginx Reverse Proxy?

An Nginx reverse proxy acts as an intermediary server between clients and backend services. It forwards client requests to the appropriate backend server, optimizing load distribution, enhancing security, and enabling features like caching, SSL termination, and traffic filtering. This setup is particularly useful for hosting media servers, multi-site applications, and services behind firewalls.

Why You Need a Reverse Proxy

A reverse proxy provides several key benefits:

  • Enhanced Security: Hides backend servers’ IPs and enables encryption via TLS/SSL.
  • Load Balancing: Distributes traffic evenly across multiple backend servers.
  • Optimization: Reduces latency and improves resource efficiency.
  • Scalability: Makes it easier to manage high-traffic scenarios.
  • Ease of Management: Simplifies the configuration of multiple backend services behind a unified domain.

In this tutorial, we’ll demonstrate how to:

  • Set up Nginx as a reverse proxy.
  • Secure your setup with Let’s Encrypt TLS certificates.
  • Configure advanced optimizations like rate limiting and request forwarding.
  • Integrate Cloudflare to bypass ISP port restrictions.

Step 1: Installing Nginx and Certbot on Ubuntu 24.04

Update Your System

Before installing any software, ensure your system is up to date:

sudo apt update && sudo apt upgrade 

Install Nginx and Certbot

Use the following commands to install Nginx and Certbot with the Nginx plugin:

sudo apt install nginx -y
sudo apt install certbot python3-certbot-nginx -y

Verify Installation

Confirm that Nginx is running:

sudo systemctl status nginx 

To test access, determine your server’s IP address:

ip a 

Visit the IP address in a browser. If successful, you’ll see the default Nginx welcome page.

Step 2: Configuring Firewall Rules

Enable Uncomplicated Firewall (UFW)

UFW allows you to manage firewall rules easily:

sudo ufw allow 'Nginx Full'
sudo ufw allow OpenSSH
sudo ufw enable

Check the status of your firewall to ensure the correct ports are open:

sudo ufw status 

Step 3: Setting Up Nginx Proxy Configuration

Create Custom Configuration Files

For better flexibility and security, use snippet files to store specific configurations. Create the following files:

  1. Security Headers:
    sudo nano /etc/nginx/snippets/security-headers.conf 
    Define response headers that harden browsers against clickjacking and MIME-type sniffing:
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    Note that add_header directives are inherited only by blocks that set none of their own: a server or location block with its own add_header replaces this set rather than extending it, so include the snippet in such blocks as well. X-XSS-Protection is ignored by current browsers and only affects older ones.
  2. Proxy Settings:
    sudo nano /etc/nginx/snippets/proxy.conf 
    Bound how long Nginx waits on the backend when connecting, sending, and reading, so a stalled backend cannot hold connections open indefinitely:
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;
  3. Rate Limits:
    sudo nano /etc/nginx/snippets/rate-limit.conf 
    Mitigate excessive requests by defining a shared-memory zone keyed on the client address, allowing 10 requests per second per client:
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
    Defining the zone alone limits nothing; it takes effect only where a limit_req directive referencing the zone is placed in a server or location block (Step 4 applies it to the Jellyfin site).
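
Once the zone is applied with limit_req and traffic is flowing, the quickest way to see whether it is biting, and which clients trip it, is Nginx's own logs. The script below is an added example, not part of the original guide or of Nginx: it parses "limiting requests" entries from the error log and 503 responses from a combined-format access log, and flags clients over a threshold. The function names are this example's own, and the log lines are constructed samples using RFC 5737 documentation addresses.

```shell
# Added example, not from the original guide: summarize limit_req rejections
# from Nginx's own logs. Log lines below are constructed samples; on a real
# host pipe in /var/log/nginx/error.log and /var/log/nginx/access.log.

# Count "limiting requests" events per client in the error log (stdin).
# Prints "<client> <count>", busiest client first.
limit_req_clients_from_error_log() {
  awk '
    /limiting requests/ {
      # the client address appears as "client: 203.0.113.7," in the message
      if (match($0, /client: [^,]+/)) {
        client = substr($0, RSTART + 8, RLENGTH - 8)
        n[client]++
      }
    }
    END { for (c in n) print c, n[c] }
  ' | sort -k2,2nr -k1,1
}

# From an access log in the default "combined" format (stdin), count
# requests and 503 responses per client (fields 1 and 9). Prints
# "<client> <total> <rejected>" for clients that saw at least one 503,
# the status limit_req returns once a client exceeds its burst.
rejected_by_client_from_access_log() {
  awk '
    { total[$1]++; if ($9 == 503) rej[$1]++ }
    END { for (c in rej) print c, total[c], rej[c] }
  ' | sort -k3,3nr -k1,1
}

# Return non-zero (and print ALERT lines) when any single client has more
# than $1 rejections (default 50) in the error log on stdin.
alert_if_client_over() {
  limit=${1:-50}
  limit_req_clients_from_error_log | awk -v lim="$limit" '
    $2 > lim { hit = 1; print "ALERT:", $1, "rejected", $2, "times" }
    END { exit hit ? 1 : 0 }
  '
}

# Constructed sample logs (RFC 5737 documentation addresses).
sample_error_log() {
  cat <<'EOF'
2025/08/19 10:00:01 [error] 1234#1234: *17 limiting requests, excess: 10.520 by zone "mylimit", client: 203.0.113.7, server: jelly.yourdomain.com, request: "GET /Items HTTP/1.1", host: "jelly.yourdomain.com"
2025/08/19 10:00:01 [error] 1234#1234: *18 limiting requests, excess: 11.010 by zone "mylimit", client: 203.0.113.7, server: jelly.yourdomain.com, request: "GET /Items HTTP/1.1", host: "jelly.yourdomain.com"
2025/08/19 10:00:02 [error] 1234#1234: *21 limiting requests, excess: 10.100 by zone "mylimit", client: 198.51.100.4, server: jelly.yourdomain.com, request: "GET / HTTP/1.1", host: "jelly.yourdomain.com"
2025/08/19 10:00:03 [notice] 1234#1234: signal process started
EOF
}

sample_access_log() {
  cat <<'EOF'
203.0.113.7 - - [19/Aug/2025:10:00:01 +0000] "GET /Items HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [19/Aug/2025:10:00:01 +0000] "GET /Items HTTP/1.1" 503 197 "-" "curl/8.5.0"
203.0.113.7 - - [19/Aug/2025:10:00:01 +0000] "GET /Items HTTP/1.1" 503 197 "-" "curl/8.5.0"
198.51.100.4 - - [19/Aug/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

# Run with --demo to exercise the functions on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
  echo "== rejections per client (error log) =="
  sample_error_log | limit_req_clients_from_error_log
  echo "== 503s per client (access log) =="
  sample_access_log | rejected_by_client_from_access_log
  sample_error_log | alert_if_client_over 1 || echo "(alert threshold exceeded)"
fi
```

Source the file and pipe the real logs in, for example `sudo cat /var/log/nginx/error.log | limit_req_clients_from_error_log`; a steady stream of rejections from a single address is a candidate for a firewall rule, while rejections spread across many addresses usually mean the rate is set too low for legitimate clients.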

Include Snippets in Main Configuration

Edit the main Nginx configuration:

sudo nano /etc/nginx/nginx.conf 

Add the following under the http block:

include /etc/nginx/snippets/*.conf; 

Reload Nginx so the new snippets are picked up:

sudo systemctl reload nginx 
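
Two checks worth running after that reload, as an added example that is not from the original guide or from Nginx. check_response_headers reads raw response headers on stdin (for instance from `curl -sI https://jelly.yourdomain.com`) and confirms the three headers from security-headers.conf actually reached the client; lint_add_header_scope reads an Nginx config on stdin and warns about server or location blocks that set their own add_header without including the snippet, which would silently drop the inherited headers. Both function names and the sample response and site config are this example's own constructions.

```shell
# Added example, not from the original guide: post-reload checks for the
# security-headers snippet. Sample inputs below are constructed.

# name:expected-value-prefix, all lower-case (header names are case-insensitive)
REQUIRED_HEADERS="x-frame-options:sameorigin x-content-type-options:nosniff x-xss-protection:1;"

# Read raw HTTP response headers on stdin; print OK/MISSING/WRONG per
# expected header and return 1 if anything is missing or wrong.
check_response_headers() {
  headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  rc=0
  for spec in $REQUIRED_HEADERS; do
    name=${spec%%:*}
    want=${spec#*:}
    got=$(printf '%s\n' "$headers" | sed -n "s/^$name: *//p" | head -n 1)
    if [ -z "$got" ]; then
      echo "MISSING $name"; rc=1
    else
      case "$got" in
        "$want"*) echo "OK      $name: $got" ;;
        *)        echo "WRONG   $name: $got (expected $want...)"; rc=1 ;;
      esac
    fi
  done
  return $rc
}

# Read an Nginx config on stdin; warn for every block that sets add_header
# itself without including the snippet. add_header in a block replaces the
# inherited set, so such blocks lose the security headers. Returns 1 if any.
lint_add_header_scope() {
  awk '
    /\{/ {
      depth++; blk[depth] = $0
      sub(/^[ \t]+/, "", blk[depth]); sub(/[ \t]*\{.*$/, "", blk[depth])
      has_add[depth] = 0; has_inc[depth] = 0
    }
    /^[ \t]*add_header/ { has_add[depth] = 1 }
    /security-headers\.conf|snippets\/\*\.conf/ { has_inc[depth] = 1 }
    /\}/ {
      if (depth > 0 && has_add[depth] && !has_inc[depth]) {
        print "WARN: \"" blk[depth] "\" sets add_header but does not include security-headers.conf"
        bad = 1
      }
      depth--
    }
    END { exit bad ? 1 : 0 }
  '
}

# Constructed response, as curl -sI would print it (CRLF line endings).
sample_good_headers() {
  printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n'
  printf 'X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n'
  printf 'X-XSS-Protection: 1; mode=block\r\n\r\n'
}

# Constructed site config with one location that overrides add_header.
sample_site_config() {
  cat <<'EOF'
server {
    listen 80;
    server_name jelly.yourdomain.com;
    location / {
        proxy_pass http://10.10.0.112:8096;
        include /etc/nginx/snippets/proxy.conf;
    }
    location /static/ {
        add_header Cache-Control "public, max-age=86400";
    }
}
EOF
}

# Run with --demo to exercise both checks on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
  echo "== header check on constructed response =="
  sample_good_headers | check_response_headers
  echo "== add_header scope lint on constructed site config =="
  sample_site_config | lint_add_header_scope || echo "(lint found problems)"
fi
```

On a live host, `curl -sI https://jelly.yourdomain.com | check_response_headers` and `sudo cat /etc/nginx/sites-enabled/* | lint_add_header_scope` cover the two ways the headers usually go missing: the snippet not being included at all, and a more specific block overriding it.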

Step 4: Setting Up Reverse Proxy for a Backend Service

Create a Virtual Host

Create a configuration file for your backend service:

sudo nano /etc/nginx/sites-available/jellyfin 

Example configuration for a Jellyfin media server, with the forwarded-header and WebSocket directives Jellyfin expects behind a proxy and the rate-limit zone from Step 3 applied:

server {
    listen 80;
    server_name jelly.yourdomain.com;
    location / {
        proxy_pass http://10.10.0.112:8096;
        include /etc/nginx/snippets/proxy.conf;
        limit_req zone=mylimit burst=20 nodelay;
        # Pass client details through and allow WebSocket upgrades for Jellyfin's web client
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Enable the site by creating a symbolic link:

sudo ln -s /etc/nginx/sites-available/jellyfin /etc/nginx/sites-enabled/ 

Test and reload Nginx:

sudo nginx -t
sudo systemctl reload nginx
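
The create-and-enable steps above, wrapped into a reusable function as an added example that is not from the original guide or from Nginx: render_site writes a site file like the one above for any hostname and upstream, including the forwarded-header directives, validates its inputs, writes the file atomically, and enables it with the same symlink. The function name and the NGINX_ROOT variable (defaulting to /etc/nginx, overridable so the function can be exercised in a scratch directory) are assumptions of this example.

```shell
# Added example, not from the original guide: generate and enable an Nginx
# reverse-proxy site for any hostname/upstream pair. NGINX_ROOT is this
# example's own knob; leave it unset on a real host.
NGINX_ROOT=${NGINX_ROOT:-/etc/nginx}

# Usage: render_site <hostname> <upstream-url>
#   e.g. sudo render_site jelly.yourdomain.com http://10.10.0.112:8096
render_site() {
  host=$1; upstream=$2
  # Hostname: labels of letters, digits and hyphens joined by dots, nothing
  # else, so the value can be used safely in a path and a server_name.
  case "$host" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) echo "invalid hostname: $host" >&2; return 1 ;;
  esac
  case "$upstream" in
    http://*|https://*) ;;
    *) echo "upstream must be an http(s) URL: $upstream" >&2; return 1 ;;
  esac
  avail="$NGINX_ROOT/sites-available/$host"
  enabled="$NGINX_ROOT/sites-enabled/$host"
  mkdir -p "$NGINX_ROOT/sites-available" "$NGINX_ROOT/sites-enabled"
  # Write to a temp file first so a half-written site file is never loaded.
  tmp=$(mktemp "$avail.XXXXXX") || return 1
  cat >"$tmp" <<EOF
server {
    listen 80;
    server_name $host;

    location / {
        proxy_pass $upstream;
        include $NGINX_ROOT/snippets/proxy.conf;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
  chmod 644 "$tmp"
  mv "$tmp" "$avail"
  # Idempotent enable: only create the symlink when nothing is there yet.
  [ -e "$enabled" ] || ln -s "$avail" "$enabled"
  # Validate with nginx only when installed and writing to the real tree.
  if command -v nginx >/dev/null 2>&1 && [ "$NGINX_ROOT" = /etc/nginx ]; then
    nginx -t
  fi
  echo "$avail"
}
```

After `render_site` returns the path, reload Nginx as in the step above; the hostname check is deliberately strict so a malformed value cannot end up in the file name or in server_name.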

Step 5: Securing Your Domain with Let’s Encrypt TLS

To secure your domain, use Let’s Encrypt to issue free certificates:

sudo certbot --nginx -d jelly.yourdomain.com 

Certbot automatically configures SSL in your Nginx site file. To ensure certificates are renewed automatically, verify the systemd timer is active:

sudo systemctl list-timers | grep certbot 

Step 6: Integrating Cloudflare for Additional Security and ISP Port Bypass

Install Cloudflared

Cloudflared creates a secure tunnel to route traffic through Cloudflare, bypassing ISP restrictions on ports 80 and 443:

  1. Download the .deb package from Cloudflare’s GitHub page.
  2. Install the package:
    sudo dpkg -i cloudflared-version.deb 

Configure a Tunnel

Authenticate with your Cloudflare account:

cloudflared tunnel login 

Create a new tunnel:

cloudflared tunnel create my-tunnel 

Edit the Cloudflare configuration file:

sudo nano /etc/cloudflared/config.yml 

Example configuration:

tunnel: my-tunnel
credentials-file: /home/user/.cloudflared/my-tunnel.json
ingress:
  - hostname: jelly.yourdomain.com
    service: http://localhost:8096
  - service: http_status:404

As written, the ingress rule hands traffic for jelly.yourdomain.com straight to the Jellyfin port, so the Nginx rules from the earlier steps are not in the path; point service at the Nginx listener instead if the proxy should stay in front. Requests arriving through the tunnel also reach the service from localhost, so a rate limit keyed on $binary_remote_addr sees a single client; if limits must apply per visitor, key them on the real client address that Cloudflare supplies in the CF-Connecting-IP header.

Start and enable the tunnel service:

sudo systemctl enable cloudflared
sudo systemctl start cloudflared

Key Takeaways

  • Nginx Reverse Proxy: Essential for routing traffic securely and optimizing backend services.
  • TLS Encryption: Use Let’s Encrypt to secure your domains with free SSL certificates.
  • Firewall Rules: Open necessary ports for HTTP (80), HTTPS (443), and SSH (22).
  • Security Optimization: Implement headers and rate limiting to prevent attacks.
  • Cloudflare Integration: Use Cloudflared tunnels for secure, ISP-friendly hosting.
  • Automation: Systemd timers ensure SSL certificates are automatically renewed.

Conclusion

Setting up a secure Nginx reverse proxy requires attention to detail and careful configuration, but the rewards are well worth the effort. Whether you’re hosting media servers like Jellyfin or managing enterprise applications, this guide equips you with the tools and knowledge to build a highly secure and efficient environment. With features like TLS, Cloudflare tunnels, and advanced optimizations, your infrastructure is ready for modern demands.

Source: "Stop Exposing Your Apps! Build a Secure Nginx Reverse Proxy!" – KeepItTechie, YouTube, Aug 19, 2025 – https://www.youtube.com/watch?v=MzbhS2S7H_g

Use: Embedded for reference. Brief quotes used for commentary/review.
