Install Nginx and Certbot
apt update && apt install -y nginx certbot python3-certbot-nginx
systemctl enable --now nginx
Basic reverse proxy configuration
# /etc/nginx/sites-available/app.firma.de
# Only forward "Connection: upgrade" when the client actually asked for a
# WebSocket upgrade; sending it unconditionally to the backend is a common mistake.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
    listen 80;
    server_name app.firma.de;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name app.firma.de;
    ssl_certificate     /etc/letsencrypt/live/app.firma.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.firma.de/privkey.pem;
    # Modern TLS configuration (ssl_ciphers only affects TLS 1.2; the TLS 1.3 suites are fixed)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Security headers. Caveat: an add_header inside a location block replaces
    # ALL headers inherited from this level, so repeat them there if you add any.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    # 'self' only blocks inline scripts/styles and third-party origins; adjust to the app
    add_header Content-Security-Policy "default-src 'self'" always;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 90;
    }
}
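After deploying, check that the headers configured above actually reach the client and were not silently dropped by an add_header in a location block. The following audit script is an added example, not part of the original page: it reads raw response headers from stdin (for a live check: `curl -sSI https://app.firma.de/ | check_security_headers`) and fails on any missing or weak header. Both sample header sets are constructed; the one-year minimum for the HSTS max-age is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit a site's response headers
# against the header set of the reverse proxy configuration.

# Lowercase header names and drop CRs so lookups are case-insensitive.
# The status line (no colon) and body lines are filtered out.
normalize_headers() {
    tr -d '\r' | awk -F':' '/^[A-Za-z0-9-]+:/ {
        name = tolower($1)
        sub(/^[^:]*:[ \t]*/, "")
        print name ": " $0
    }'
}

# header_value "<normalized headers>" <lowercase-name> -> first value, empty if absent
header_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# Extract max-age=N from an HSTS value; prints 0 when the directive is missing.
hsts_max_age() {
    local n
    n=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${n:-0}"
}

# check_security_headers < raw-headers ; exit 0 only if every check passes.
check_security_headers() {
    local hdrs rc=0 v age lc
    hdrs=$(normalize_headers)

    v=$(header_value "$hdrs" strict-transport-security)
    age=$(hsts_max_age "$v")
    if [ -z "$v" ]; then
        echo "FAIL: Strict-Transport-Security missing" >&2; rc=1
    elif [ "$age" -lt 31536000 ]; then   # assumption: require at least one year
        echo "FAIL: HSTS max-age $age is below one year" >&2; rc=1
    fi

    v=$(header_value "$hdrs" x-content-type-options)
    lc=$(printf '%s' "$v" | tr 'A-Z' 'a-z')
    [ "$lc" = "nosniff" ] || { echo "FAIL: X-Content-Type-Options is '$v', expected nosniff" >&2; rc=1; }

    v=$(header_value "$hdrs" x-frame-options)
    lc=$(printf '%s' "$v" | tr 'A-Z' 'a-z')
    case "$lc" in
        deny|sameorigin) ;;
        *) echo "FAIL: X-Frame-Options is '$v', expected DENY or SAMEORIGIN" >&2; rc=1 ;;
    esac

    v=$(header_value "$hdrs" content-security-policy)
    [ -n "$v" ] || { echo "FAIL: Content-Security-Policy missing" >&2; rc=1; }

    return $rc
}

# Constructed sample: what the server block above emits.
good_headers() {
    cat <<'EOF'
HTTP/2 200
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
EOF
}

# Constructed sample: a location block added its own add_header (Cache-Control)
# and thereby dropped every header inherited from the server block.
bad_headers() {
    cat <<'EOF'
HTTP/2 200
Server: nginx
Content-Type: application/json
Cache-Control: no-store
EOF
}

# Demo on the two constructed samples: ./check_headers.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "== good sample =="; good_headers | check_security_headers && echo "OK"
    echo "== bad sample ==";  bad_headers  | check_security_headers || echo "findings listed above"
fi
```

The second sample is the case to watch for: every location that sets its own add_header (even just Cache-Control) must repeat the security headers, or they vanish for that path.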
Let's Encrypt certificate
# Issue the certificate (Nginx plugin). Run this before enabling a server block
# that references /etc/letsencrypt/live/..., otherwise nginx -t fails because the
# files do not exist yet. Every -d domain must be listed in a server_name so the
# plugin can serve the HTTP-01 challenge (www.firma.de is not in the block above).
certbot --nginx -d app.firma.de -d www.firma.de --email [email protected] --agree-tos --no-eff-email
# Test renewal
certbot renew --dry-run
# Auto-renewal status (systemd timer shipped with the Debian/Ubuntu package)
systemctl status certbot.timer
Enabling virtual hosts (one file per domain)
# Create the symbolic link
ln -s /etc/nginx/sites-available/app.firma.de /etc/nginx/sites-enabled/
# Test the configuration
nginx -t
# Reload Nginx (no downtime: workers finish in-flight requests first)
systemctl reload nginx
Nginx as a load balancer
upstream backend {
    least_conn;                          # least-connections algorithm
    server 192.168.1.10:3000 weight=3;
    server 192.168.1.11:3000 weight=1;
    server 192.168.1.12:3000 backup;     # only used when the others are down
}
server {
    listen 443 ssl;
    server_name api.firma.de;
    # ssl_certificate, ssl_certificate_key, the TLS settings, security headers and
    # proxy_set_header lines go here as in the basic configuration; without a
    # certificate nginx -t rejects "listen 443 ssl".
    location / {
        proxy_pass http://backend;
        # retry the next server only on connection errors and timeouts, not on
        # HTTP error responses, so non-idempotent requests are not replayed
        proxy_next_upstream error timeout;
    }
}
Rate limiting
# /etc/nginx/nginx.conf (http block)
# Keyed on the client address. Behind a CDN or another proxy use the real client
# IP (realip module) instead, or all clients share the proxy's bucket.
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
# In the server block:
location /api/ {
    # up to 20 requests above the rate are served immediately (nodelay); anything
    # beyond that gets 503 until the bucket drains at 10 r/s
    limit_req zone=api burst=20 nodelay;
    proxy_pass http://localhost:3000;
}
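The burst and nodelay parameters are easy to misjudge when sizing a limit. The script below is an added example, not from the page or from nginx: it re-implements the leaky-bucket arithmetic of ngx_http_limit_req_module (excess tracked in milli-requests, drained at the configured rate, burst scaled by 1000) for a single client key so you can predict which requests of a burst get 503 before deploying. The timestamps (30 requests in the same millisecond, then three stragglers) are constructed input.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): simulate nginx limit_req for one
# client key with  rate=RATE r/s  burst=BURST  and optional nodelay.

# simulate_limit_req RATE_PER_S BURST NODELAY(1|0)
# stdin:  one request timestamp in milliseconds per line, non-decreasing
# stdout: "<t> ACCEPT delay=<ms>ms" or "<t> REJECT (503)" per request
simulate_limit_req() {
    local rate=$1 burst=$2 nodelay=$3
    local burst_m=$((burst * 1000))    # nginx stores burst in milli-requests
    local excess=0 last='' t ms e delay
    while read -r t; do
        [ -n "$t" ] || continue
        if [ -z "$last" ]; then
            # first request creates the zone entry with excess 0: always accepted
            excess=0; last=$t
            printf '%s ACCEPT delay=0ms\n' "$t"
            continue
        fi
        ms=$((t - last))
        # drain RATE milli-requests per elapsed ms, then add this request (1000)
        e=$((excess - rate * ms + 1000))
        [ "$e" -ge 0 ] || e=0
        if [ "$e" -gt "$burst_m" ]; then
            # over the burst: rejected, stored state is left unchanged
            printf '%s REJECT (503)\n' "$t"
            continue
        fi
        excess=$e; last=$t
        if [ "$nodelay" -eq 1 ]; then
            delay=0
        else
            delay=$((e / rate))   # without nodelay the excess is queued and served at RATE
        fi
        printf '%s ACCEPT delay=%sms\n' "$t" "$delay"
    done
}

# Constructed input: 30 requests from one client in the same millisecond,
# then one each at +1.0 s, +1.05 s and +5 s.
burst_sample() {
    local i=0
    while [ "$i" -lt 30 ]; do echo 0; i=$((i + 1)); done
    printf '%s\n' 1000 1050 5000
}

# Demo: ./limit_req_sim.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "== rate=10r/s burst=20 nodelay =="; burst_sample | simulate_limit_req 10 20 1
    echo "== rate=10r/s burst=20 (queued) =="; burst_sample | simulate_limit_req 10 20 0
fi
```

Run with --demo: with burst=20 exactly 21 of the same-millisecond requests pass (one at the base rate plus 20 excess) and the remaining 9 get 503; one second later 10 slots have drained. Without nodelay the same 21 are accepted but the 21st is held for 2 s, which is why nodelay is the usual choice for an API and plain burst for pages that can tolerate latency.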
Nginx performance tuning
# /etc/nginx/nginx.conf
worker_processes auto;   # one worker per CPU core
events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    # Caveat: compressing a response that contains both a secret (CSRF token,
    # session data) and attacker-influenced input over TLS enables the BREACH
    # attack; leave such dynamic HTML/JSON responses uncompressed.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/javascript;
}
FAQ
How do I test Nginx configuration changes?
Always run nginx -t first. If it reports OK: systemctl reload nginx (no restart needed, zero downtime). A failing nginx -t leaves the running configuration untouched, so a typo never takes the site down.
Conclusion
Nginx as a reverse proxy with Let's Encrypt is the standard way to expose Linux services over HTTP/S: free, fast and secure as long as the TLS settings and security headers above are kept current.
Nginx and web server configuration for SMEs in Heidelberg, Mannheim and the Rhine-Neckar region. Request a consultation.