SSL howto and example config for nginx with ssl

Yrjo 2 years ago
2 changed files with 90 additions and 0 deletions

+46 -0

@@ -0,0 +1,46 @@
# How to setup SSL with letsencrypt

This is basic how-to for SSL setup which will cover API and WEB frontend (nginx in that case) on ubuntu 16.04 with help of letsencrypt

- you have nginx installed
- you have bc installed
- you have prepared environment for pool itself (nodejs & comp)

Download letsencrypt and generate certs for your domain:
$ git clone /opt/services/letsencrypt
$ cd /opt/services/letsencrypt
$ ./certbot-auto certonly --standalone -d YOURDOMAIN

Copy those certs also to the directory, where your nodejs sumo pool is and change the ownership for them so your user you are using for running nodejs can read them and use them for API:
$ cp /etc/letsencrypt/live/YOURDOMAIN/cert.pem /INSTALLATION-PATH-OF-NODEJS-POOL/
$ cp /etc/letsencrypt/live/YOURDOMAIN/privkey.pem /INSTALLATION-PATH-OF-NODEJS-POOL/

Make sure that you changed your ssl cert settings in pool's json config to:

"sslKey": "privkey.pem",
"sslCert": "cert.pem",

For nginx you have to create site config and use those certs for https. You can find as example config for your site in root of this repo.

If you want to have certs automatically renewed from letsencrypt CA, you can write cron rule:

$ sudo crontab -e

# Add this to the crontab and save it:
* 7,19 * * * certbot -q renew

This will regenerate your certs in /etc/letsencrypt/live/YOURDOMAIN/ so you still have to copy them to your nodejs pool directory and change ownership, or write script which will do it automatically for you.
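Review bot: the crontab entry `* 7,19 * * * certbot -q renew` fires every minute during hours 7 and 19 rather than twice a day; the intended schedule is `0 7,19 * * * certbot -q renew`. In the same hunk, `git clone /opt/services/letsencrypt` gives only a destination and no repository URL, so the clone fails as written, and the cron job calls `certbot` while the howto runs `./certbot-auto` from the clone, so the renewal binary may not exist on cron's PATH. Because issuance used `--standalone`, renewal will also try to bind port 80, which nginx (configured in the second file) already holds; renew through the webroot plugin, or stop and restart nginx around the renewal with `--pre-hook`/`--post-hook`. Finally, the pool gets `cert.pem` (the leaf certificate only) as `sslCert`; copying `fullchain.pem` instead avoids chain-validation failures in clients, and after the copy `privkey.pem` should be readable by the node user alone (e.g. mode 0600), not merely re-owned.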

+44 -0

@@ -0,0 +1,44 @@
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
server_name YOURDOMAIN;
return 301 https://$host$request_uri;

# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name YOURDOMAIN;

# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/YOURDOMAIN/privkey.pem;

# Include the SSL configuration from
include snippets/ssl-params.conf;

location / {
root /opt/www/YOURDOMAIN;
index index.html;
location /api {
rewrite_log on;
rewrite ^/api$ /api/ redirect;
rewrite /api(.*) $1 break;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is what tells Connect that your session can be considered secure,
# even though the protocol node.js sees is only HTTP:
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_read_timeout 5m;
proxy_connect_timeout 5m;
proxy_pass http://YOURDOMAIN:8118;
proxy_redirect off;
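Review bot: the first `server` block (the port 80 redirect) is never closed; a `}` is needed after `return 301 https://$host$request_uri;` and before the HTTPS `server {`, otherwise nginx rejects the configuration (`nginx -t` reports it). `include snippets/ssl-params.conf;` references a file that this commit does not add, and its comment `# Include the SSL configuration from` is cut off; either add the snippet (protocols, ciphers, HSTS) or document where it comes from, since nginx will not start without it. In `location /api`, `proxy_pass http://YOURDOMAIN:8118;` sends the backend hop in plaintext to the public hostname; the first file configures the pool with `sslKey`/`sslCert`, so confirm whether 8118 is that TLS listener (in which case the scheme must be `https://`), and prefer `127.0.0.1:8118` with the pool bound to loopback so proxied traffic never leaves the host. Minor: anchor the rewrite as `rewrite ^/api(.*)$ $1 break;`, and `default_server` is set only on the IPv6 listener.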