NGINX Reverse Proxy

Created: 6 Jul 2025.

• The NGINX reverse proxy fronts all incoming HTTP & HTTPS requests and forwards these to the appropriate IP addresses that are usually hosted in one of the containers.

• It also requests and automatically renews the Let’s Encrypt certificate for all incoming HTTPS requests for the two domains we host - thomas-pk.com and philiptk.com

• The integration with Authelia is such that any container that requires authentication by Authelia, would have its web request forwarded to Authelia. Authelia checks if the request has an active on-going session, if not, the request is sent back to the Authelia login page. If an existing authenticated session already exists, the request is forwarded to the destination container. See Authelia Architecture for more details.

• The configuration to set this up with the NGINX reverse proxy can be seen in the nginx.conf listing below from line 31 onwards.

nginx.conf

• Given that there were not many recent (July 2025) examples for the nginx proxy integration with Authelia, I decided to provide the full listing of my NGINX reverse proxy configuration and Authelia configurations for public reference. I’ve managed to get the first basic flow working on the weekend of the 29th of Jun 2025.

• My reference used for this configuration is based on that found at NGINX Integration with Authelia

nginx.conf reverse proxy configuration file (Created 6 Jul 2025)

worker_processes  1;

events {
  worker_connections  1024;
}

http {
  include           mime.types;
  default_type      application/octet-stream;
  sendfile          on;
  keepalive_timeout 65;

  server {
    server_name  thomas-pk.com www.thomas-pk.com;

    location / {
      proxy_pass http://192.168.1.6:80;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
      ssl_certificate /usr/local/etc/letsencrypt/live/philiptk.com-0001/fullchain.pem; # managed by Certbot
      ssl_certificate_key /usr/local/etc/letsencrypt/live/philiptk.com-0001/privkey.pem; # managed by Certbot
      include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  }

  server {
    if ($host = login.thomas-pk.com) {
      return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name  login.thomas-pk.com;
    return 301 https://$server_name$request_uri;
  }

  server {
    server_name  login.thomas-pk.com;
    set $upstream http://192.168.1.21:9091;

    location / {
      include /usr/local/etc/nginx/snippets/proxy.conf;
      proxy_pass $upstream;
    }

    location = /api/verify {
      proxy_pass $upstream;
    }

    location /api/authz/ {
      proxy_pass $upstream;
    }

    listen 443 ssl; # managed by Certbot
      ssl_certificate /usr/local/etc/letsencrypt/live/philiptk.com-0001/fullchain.pem; # managed by Certbot
      ssl_certificate_key /usr/local/etc/letsencrypt/live/philiptk.com-0001/privkey.pem; # managed by Certbot
      include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  }

  server {
    if ($host = history.thomas-pk.com) {
      return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name history.thomas-pk.com;
    return 301 https://$server_name$request_uri;
  }

  server {
    server_name  history.thomas-pk.com;
    include /usr/local/etc/nginx/snippets/authelia-location.conf;
    set $upstream http://192.168.1.22;

    location / {
      include /usr/local/etc/nginx/snippets/proxy.conf;
      include /usr/local/etc/nginx/snippets/authelia-authrequest.conf;
      proxy_pass $upstream;
    }

    listen 443 ssl; # managed by Certbot
      ssl_certificate /usr/local/etc/letsencrypt/live/philiptk.com-0001/fullchain.pem; # managed by Certbot
      ssl_certificate_key /usr/local/etc/letsencrypt/live/philiptk.com-0001/privkey.pem; # managed by Certbot
      include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  }

  server {
    server_name  philiptk.com www.philiptk.com;

    location / {
      proxy_pass http://192.168.1.15:80;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
      ssl_certificate /usr/local/etc/letsencrypt/live/philiptk.com-0001/fullchain.pem; # managed by Certbot
      ssl_certificate_key /usr/local/etc/letsencrypt/live/philiptk.com-0001/privkey.pem; # managed by Certbot
      include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  }

  server {
    server_name cal.philiptk.com;
    location / {
      proxy_pass        http://192.168.1.23:5232/;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Host $host;
      proxy_set_header  X-Real-IP $remote_addr;
      proxy_set_header  X-Forwarded-Port $server_port;
      proxy_set_header  X-Forwarded-Proto $scheme;
      proxy_set_header  Host $http_host;
      proxy_pass_header Authorization;
    }

    listen 443 ssl; # managed by Certbot
      ssl_certificate /usr/local/etc/letsencrypt/live/philiptk.com-0001/fullchain.pem; # managed by Certbot
      ssl_certificate_key /usr/local/etc/letsencrypt/live/philiptk.com-0001/privkey.pem; # managed by Certbot
      include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  }

  server {
    if ($host = philiptk.com) {
      return 301 https://$host$request_uri;
    } # managed by Certbot

    listen       80;
    server_name  philiptk.com;
    return 404; # managed by Certbot
  }

  server {
    if ($host = thomas-pk.com) {
      return 301 https://$host$request_uri;
    } # managed by Certbot

    listen       80;
    server_name  thomas-pk.com;
    return 404; # managed by Certbot
  }

  server {
    if ($host = cal.philiptk.com) {
      return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name cal.philiptk.com;
    return 404; # managed by Certbot
  }
}

Being hosted on the FreeBSD MiniPC, the above configuration is found in the /usr/local/etc/nginx/nginx.conf location. It is supported by code snippets under the snippets folder containing the following 3 files which are also listed below.

• proxy.conf

• authelia-location.conf

• authelia-authrequest.conf

Snippets

proxy.conf

• I used the same copy of this snippet as on the Authelia NGINX integration website.

• The original reference for this file can be found at proxy.conf. The file given below is an exact copy of that on the Authelia website.

snippets/proxy.conf file (Created 6 Jul 2025)

## Headers
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;

## Basic Proxy Configuration
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;

## Trusted Proxies Configuration
## Please read the following documentation before configuring this:
##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
# set_real_ip_from 10.0.0.0/8;
# set_real_ip_from 172.16.0.0/12;
# set_real_ip_from 192.168.0.0/16;
# set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

## Advanced Proxy Configuration
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;

authelia-location.conf

• This file is also mostly the same as that on the NGINX Integration page for Authelia, except for the first line where I specify the IP address for my Authelia server.

• The original reference for this file can be found at authelia-location.conf. The file given below is an exact copy of that on the Authelia website.

snippets/authelia-location.conf file (Created 6 Jul 2025)

set $upstream_authelia http://192.168.1.21:9091/api/authz/auth-request;

## Virtual endpoint created by nginx to forward auth requests.
location /internal/authelia/authz {
    ## Essential Proxy Configuration
    internal;
    proxy_pass $upstream_authelia;

    ## Headers
    ## The headers starting with X-* are required.
    proxy_set_header X-Original-Method $request_method;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Content-Length "";
    proxy_set_header Connection "";

    ## Basic Proxy Configuration
    proxy_pass_request_body off;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;
    client_body_buffer_size 128k;

    ## Advanced Proxy Configuration
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

authelia-authrequest.conf

The original reference for this file can be found at authelia-authrequest.conf. The file given below is an exact copy of that on the Authelia website.

snippets/authelia-authrequest.conf file (Created 6 Jul 2025)

## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;

## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;

## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;

## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.

## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;

## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
error_page 401 =302 $redirection_url;

## Legacy Method: Set $target_url to the original requested URL.
## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
# set_escape_uri $target_url $scheme://$http_host$request_uri;

## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL.
# error_page 401 =302 https://auth.example.com/?rd=$target_url;