Nginx Lets Encrypt SSL Reverse Proxy for Azure Web Apps

Written by Liam McLennan

In 2017, deploying a new web site realistically means having a custom domain name and secure connection (SSL). Unfortunately for Microsoft Azure users custom domains and SSL are two of the segmentation triggers that push you out of the free tier and into higher priced plans.

Without a custom domain name or SSL I can host my application for free. Adding a custom domain name will cost $15/month extra for hosting (plus the cost of the domain and DNS). SSL support pushes me to $54/month for very similar hardware (1 CPU, 1.75GB RAM).

My Situation

I wish to deploy a .net application written in F#. At the time of writing deploying F# to linux is not a good option as I am not prepared to waste huge amounts of time. Therefore, the simplest hosting option is to use an Azure Web App. I can deploy by pushing to a git branch and the hosting will just work for a .net application.

To avoid the costs described above in configuring Azure for a custom domain and SSL I thought I’d try using an existing nginx server as a reverse proxy.

My Solution


Firstly, I purchased a domain name ( and configured the DNS to point the domain name to a Digital Ocean Linux server running nginx.


Next, I added a new site to the nginx configuration. The site won’t actually host any local content it simply receives requests and forwards them on to the Azure Web App, thus, it is a reverse proxy.

In the nginx configuration I specified the underlying host that nginx will be proxying for.

upstream app_komo {                           
} is the domain name of the Azure Web App. 443 is the port to use because I want a secure connection. Later I will specify the protocol.

Next, I created a location, telling nginx to proxy all requests, from the root (/) to the previously declared upstream (the Azure Web App):

location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host;
    proxy_set_header X-Forwarded-Proto $scheme;
    #proxy_set_header X-NginX-Proxy true;

    proxy_ssl_session_reuse off;
    proxy_pass https://app_komo/;
    proxy_redirect off;

At first my configuration did not work. I got an error from Azure about the site not existing. This was happening because the forwarded requests were arriving at Azure as requests for, a domain that Azure knows nothing about. The solution was to add the line proxy_set_header Host;. This means that when a request passes through the reverse proxy the host is changed from to, a domain that Azure knows how to handle.

https (SSL) with Let’s Encrypt

The final step was to secure the connection between user’s browsers and the reverse proxy with SSL. To do this I used the free service Let’s Encrypt. For my setup (nginx on Ubuntu 14.04) the steps were:

  1. Install certbot with apt-get
  2. Run certbot certbox --nginx and follow the prompts to specify which sites require certificates.
  3. Add nginx configuration to redirect http traffic to https
     server {                                       
         listen 80;                                 
         return 301 https://$host$request_uri;      
  4. Restart nginx


It is not the ultimate configuration by an means, but proxying via nginx is simple and effective. It also saved me some hosting cost.