
Configure domains and TLS for a reverse proxy

Testing a reverse proxy’s configuration should be done with a site’s convenience domain URL in preparation for a site launch. When the proxy testing is complete, and the application or network site (for WordPress multisite) is ready to launch, the final production domain (e.g., https://www.example.com) should replace the convenience domain in the configuration.

This ensures that requests returned to the proxy server have the correct URLs embedded. For more information, review “Begin a single site launch” or “Begin a site launch on a multisite network”.

Obtaining a TLS certificate and the ACME challenge

TLS certificates for the production domain can be installed in the VIP Dashboard.

Let’s Encrypt uses what is known as an “ACME challenge” to verify a domain’s ownership before issuing a TLS certificate. When using a reverse proxy, or if not pointing DNS directly to VIP for other reasons, the configurations may cause the ACME challenge to fail.

To meet the ACME challenge’s requirements, the reverse proxy must point requests for /.well-known/acme-challenge/* (where * is a wildcard representing any string) to VIP. A reverse proxy’s configuration settings can be confirmed by using a cURL command.

In this example, a positive response that would meet the ACME challenge is returned by the cURL command:

$ curl -I http://www.example.com/.well-known/acme-challenge/fdfxcxvdz
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 22 Mar 2021 15:38:12 GMT
Content-Type: text/plain;charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Vary: Cookie

The reverse proxy must not add any query parameters on the end of the acme-challenge URL. For example, if the reverse proxy adds ?sslEnabled=true to the end of the acme-challenge string, provisioning a Let’s Encrypt certificate will fail.
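The cURL check above can be scripted so that both conditions are tested together: the proxy must answer 200 for the acme-challenge path, and it must not redirect the request to a rewritten URL with query parameters appended. The following is an added shell example, not code from the VIP documentation; the `probe_acme` wrapper and its HOST argument are assumptions for illustrating how the check would be run against a proxy.

```shell
#!/bin/sh
# Added example; not part of the VIP documentation. Checks a captured
# "curl -I" response for the two conditions the ACME challenge needs:
# a 200 status, and no redirect that rewrites the challenge URL
# (for example by appending ?sslEnabled=true).

# check_acme_headers HEADERS
# HEADERS is the raw header text from `curl -I`. Prints a verdict and
# returns 0 when the proxy's response would satisfy the challenge.
check_acme_headers() {
  headers=$(printf '%s\n' "$1" | tr -d '\r')
  # First line: "HTTP/1.1 200 OK" or "HTTP/2 200"; keep the 3-digit status.
  status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  # Location header (if any), case-insensitive on the header name.
  location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1)

  case "$status" in
    200)
      echo "PASS: proxy returned 200 for the acme-challenge path"
      return 0 ;;
    3??)
      # A redirect means the challenge URL is being rewritten somewhere.
      case "$location" in
        *\?*) echo "FAIL: redirect appends query parameters: $location" ;;
        *)    echo "FAIL: redirect to $location; the challenge path must pass through unchanged" ;;
      esac
      return 1 ;;
    *)
      echo "FAIL: unexpected status '${status:-none}' for the acme-challenge path"
      return 1 ;;
  esac
}

# probe_acme HOST  (assumed usage: HOST is the domain fronted by the proxy)
# Requests a placeholder token under /.well-known/acme-challenge/ and
# feeds the response headers to check_acme_headers.
probe_acme() {
  token="proxy-check-$$"   # placeholder token; real tokens are issued by Let's Encrypt
  check_acme_headers "$(curl -sI "http://$1/.well-known/acme-challenge/$token")"
}
```

Run `probe_acme www.example.com` (with the convenience domain during testing and the production domain after launch) and fix the proxy rule whenever it reports a redirect or a non-200 status.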

In addition to a reverse proxy’s own security measures, validating the ACME challenge will ensure that the connection from a proxy to the VIP servers is secure. If it is preferred not to adjust a reverse proxy’s settings, or to not use Let’s Encrypt, it is possible to procure a custom TLS certificate from a third-party certificate authority.

Last updated: July 27, 2022