search

Reverse Proxy configuration using NGINX

hashtag
Introduction

This guide explains how to configure NGINXarrow-up-right as a reverse proxy for Defguard's components (Core and Proxy). The reverse proxy acts as an intermediary between users and Defguard services, handling HTTPS requests, routing internal gRPC communication, and ensuring encrypted connections between all components.

To provide HTTPS encryption, this guide also uses Certbotarrow-up-right, a free, open-source tool from the Let’s Encryptarrow-up-right project. Certbot automatically issues and renews SSL/TLS certificates, allowing you to secure your Defguard domains without manual certificate management.

hashtag
Installing NGINX and Certbot

To install and prepare NGINX with Let’s Encrypt certificates:

apt install nginx certbot
systemctl enable nginx.service
systemctl start nginx.service

Disable the default configuration to avoid conflicts:

unlink /etc/nginx/sites-enabled/default

hashtag
Obtaining SSL Certificates

Before configuring NGINX, issue valid SSL certificates for your domains. In this example we use:

  • Core: my-server.defguard.net

  • Enrollment (Proxy): enroll.defguard.net

Generate certificates with Certbot:

certbot certonly \
    --non-interactive \
    --agree-tos \
    --standalone \
    --email [email protected] \
    -d my-server.defguard.net \
    -d enroll.defguard.net

Certbot will generate certificate in fullchain.pem and privkey.pem in the following paths:

hashtag
Defguard Core NGINX configuration

Create a new configuration file for the Core service:

/etc/nginx/sites-available/my-server.defguard.net.conf

Enable the configuration and reload NGINX:

To verify, run:

circle-info

If you use this simple setup and run all services on one server, you can use NGINX access restrictionsarrow-up-right for securing core and allowing to access the my-server.defguard.net only to selected networks - blocking the direct access from the Internet.

hashtag
Defguard Proxy (Enrollment Service) NGINX configuration

The Proxy service exposes APIs for enrollment, remote onboarding, and desktop client configuration. Create its NGINX configuration file:

/etc/nginx/sites-available/enroll.defguard.net.conf

Enable and restart NGINX:

hashtag
Security Recommendations

  • Only expose HTTPS ports (443) for web access.

  • Do not expose internal gRPC ports (444, 50051, 50055) directly to the Internet.

hashtag
Summary

After completing the configuration:

  • Defguard Core is available at https://my-server.defguard.net

  • Enrollment and onboarding services are available at https://enroll.defguard.net

  • Both services are secured with SSL and reverse-proxied through NGINX.

PreviousRunning Gateway on MikroTik routersNextHigh Availability and Failover

Was this helpful?