Skip to main content

Install Nginx Proxy

5. Install and configure Nginx and Let’s Encrypt

5.1. Install Nginx

  1. Update package lists:
    sudo apt update
  2. Install Nginx:
    sudo apt install nginx -y
  3. Start and enable Nginx:
    sudo systemctl start nginx
sudo systemctl enable nginx

5.2. Install Certbot for Let’s Encrypt

  1. Add repositories and update:
    sudo apt install software-properties-common -y
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot -y
sudo apt update
  2. Install Certbot with Nginx plugin:
    sudo apt install certbot python3-certbot-nginx -y

5.3. Obtain a certificate for your domain

  1. Make sure your DNS A record for abeta-proxy.finmars.com points to 16.170.231.65.
  2. Run:
    sudo certbot --nginx -d abeta-proxy.finmars.com
  3. Follow the prompts:
    1. Enter your email, then press Enter.
    2. Agree to terms by typing A, then Enter.
    3. Choose option 2 to redirect HTTP to HTTPS, then Enter.

Certbot will create an Nginx site file and install the certificate under /etc/letsencrypt/live/abeta-proxy.finmars.com/.

6. Configure Nginx to proxy to APISIX

  1. Open the site file Certbot created:
    sudo nano /etc/nginx/sites-available/abeta-proxy.finmars.com.conf
  2. Inside the server { ... } block for port 443, find these lines:
    listen 443 ssl;
server_name abeta-proxy.finmars.com;

ssl_certificate /etc/letsencrypt/live/abeta-proxy.finmars.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/abeta-proxy.finmars.com/privkey.pem;
  3. Right below them, add:
    location / {
    proxy_pass http://127.0.0.1:9080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}

    After editing, that server { } block looks like:
    server {
    listen 443 ssl;
    server_name abeta-proxy.finmars.com;

    ssl_certificate /etc/letsencrypt/live/abeta-proxy.finmars.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/abeta-proxy.finmars.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:9080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
  4. Make sure there is also a block that redirects HTTP to HTTPS. It looks like:
    server {
    listen 80;
    server_name abeta-proxy.finmars.com;
    return 301 https://$host$request_uri;
}
  5. Save and close:
    • Press Ctrl+O, then Enter.
    • Press Ctrl+X.
  6. Test Nginx configuration:
    sudo nginx -t

    You should see “syntax is ok” and “test is successful”.
  7. Reload Nginx so it uses the new config:
    sudo systemctl reload nginx

7. Open firewall ports (if you use UFW)

  1. Allow HTTP (port 80) and HTTPS (port 443), and APISIX port (9080) in UFW:
    sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 9080/tcp
  2. Check UFW status:
    sudo ufw status

8. Final tests

  1. Test HTTPS through Nginx:
    In a browser or terminal, go to:
    https://abeta-proxy.finmars.com/demo/md/3.0/accounts
    • Enter Basic Auth user foo and password bar.
    • If your Base64 tokens are correct, you see JSON from Exante.
  2. Test other routes:
    https://abeta-proxy.finmars.com/live/md/3.0/accounts
    • Use the same Basic Auth.
    • Should return JSON if live token is correct.
  3. Test local APISIX again (no Nginx):
    curl -u foo:bar http://127.0.0.1:9080/demo/md/3.0/accounts
    • This hits APISIX directly, without Nginx.
    • Should return JSON if config is correct.

9. Automatic certificate renewal

  1. Certbot already set up automatic renewal.
  2. To test renewal, run:
    sudo certbot renew --dry-run
  3. If it says “Congratulations, all renewals succeeded,” your auto-renew is working.

10. How to update your APISIX config later

  1. Edit /opt/apisix/apisix.yaml any time:
    sudo nano /opt/apisix/apisix.yaml
  2. Save changes and exit.
  3. Run the restart script:
    ./restart_apisix.sh
  4. Check logs:
    sudo docker logs apache-apisix
  5. Test again with curl or in a browser.

Complete Recap

  1. Create folder /opt/apisix.
  2. Create and fill /opt/apisix/apisix.yaml (with role: data_plane, consumers, upstreams, plugin_configs, routes, and #END).
  3. Make restart_apisix.sh script that stops any old container and starts a new one, mounting /opt/apisix/apisix.yaml as both config.yaml and apisix.yaml.
  4. Run ./restart_apisix.sh to start APISIX.
  5. Test APISIX locally: curl -u foo:bar http://127.0.0.1:9080/demo/md/3.0/accounts.
  6. Install Nginx (sudo apt install nginx).
  7. Install Certbot (sudo apt install certbot python3-certbot-nginx).
  8. Get SSL: sudo certbot --nginx -d abeta-proxy.finmars.com.
  9. Edit Nginx site at /etc/nginx/sites-available/abeta-proxy.finmars.com.conf to add:
    location / {
    proxy_pass http://127.0.0.1:9080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}
  10. Reload Nginx (sudo nginx -t then sudo systemctl reload nginx).
  11. Open firewall ports 80, 443, 9080 (sudo ufw allow ...).
  12. Test https://abeta-proxy.finmars.com/demo/md/3.0/accounts in a browser.
  13. Auto-renew is handled by Certbot.
  14. To update, edit /opt/apisix/apisix.yaml and run ./restart_apisix.sh.

That is the full, clear set of instructions. Now your APISIX runs behind Nginx with a Let’s Encrypt SSL certificate, and you can update the config anytime by editing the file and restarting with the script.

Back to top