Home
/
Tutorials
/
Use NGINX as a Reverse Proxy

Use NGINX as a Reverse Proxy

Requirements

  1. Start a Coder deployment and be sure to set the following configuration values:

    CODER_HTTP_ADDRESS=127.0.0.1:3000
    CODER_ACCESS_URL=https://coder.example.com
    CODER_WILDCARD_ACCESS_URL=*.coder.example.com
    

    Throughout the guide, be sure to replace coder.example.com with the domain you intend to use with Coder.

  2. Configure your DNS provider to point your coder.example.com and *.coder.example.com to your server's public IP address.

    For example, to use coder.example.com as your subdomain, configure coder.example.com and *.coder.example.com to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard.

  3. Install NGINX (assuming you're on Debian/Ubuntu):

    sudo apt install nginx
    
  4. Stop NGINX service:

    sudo systemctl stop nginx
    

Adding Coder deployment subdomain

This example assumes Coder is running locally on 127.0.0.1:3000 and that you're using coder.example.com as your subdomain.

  1. Create NGINX configuration for this app:

    sudo touch /etc/nginx/sites-available/coder.example.com
    
  2. Activate this file:

    sudo ln -s /etc/nginx/sites-available/coder.example.com /etc/nginx/sites-enabled/coder.example.com
    

Install and configure LetsEncrypt Certbot

  1. Install LetsEncrypt Certbot: Refer to the CertBot documentation. Be sure to pick the wildcard tab and select your DNS provider for instructions to install the necessary DNS plugin.

Create DNS provider credentials

This example assumes you're using CloudFlare as your DNS provider. For other providers, refer to the CertBot documentation.

  1. Create an API token for the DNS provider you're using: e.g. CloudFlare with the following permissions:

    • Zone - DNS - Edit
  2. Create a file in .secrets/certbot/cloudflare.ini with the following content:

    dns_cloudflare_api_token = YOUR_API_TOKEN
    
    mkdir -p ~/.secrets/certbot
    touch ~/.secrets/certbot/cloudflare.ini
    nano ~/.secrets/certbot/cloudflare.ini
    
  3. Set the correct permissions:

    sudo chmod 600 ~/.secrets/certbot/cloudflare.ini
    

Create the certificate

  1. Create the wildcard certificate:

    sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com -d *.coder.example.com
    

Configure nginx

  1. Edit the file with:

    sudo nano /etc/nginx/sites-available/coder.example.com
    
  2. Add the following content:

    server {
        server_name coder.example.com *.coder.example.com;
    
        # HTTP configuration
        listen 80;
        listen [::]:80;
    
        # HTTP to HTTPS
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        }
    
        # HTTPS configuration
        listen [::]:443 ssl ipv6only=on;
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/coder.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/coder.example.com/privkey.pem;
    
        location / {
            proxy_pass  http://127.0.0.1:3000; # Change this to your coder deployment port default is 3000
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
        }
    }
    

    Don't forget to change: coder.example.com by your (sub)domain

  3. Test the configuration:

    sudo nginx -t
    

Refresh certificates automatically

  1. Create a new file in /etc/cron.weekly:

    sudo touch /etc/cron.weekly/certbot
    
  2. Make it executable:

    sudo chmod +x /etc/cron.weekly/certbot
    
  3. And add this code:

    #!/bin/sh
    sudo certbot renew -q
    

Restart NGINX

sudo systemctl restart nginx

And that's it, you should now be able to access Coder at your sub(domain) e.g. https://coder.example.com.

See an opportunity to improve our docs? Make an edit.