
SSL howto and example config for nginx with ssl

master
Yrjo 2 years ago
parent
commit
aa47877489
2 changed files with 90 additions and 0 deletions
  1. SSL.md (+46, -0)
  2. nginx-ssl-example.com (+44, -0)

SSL.md (+46, -0)

@@ -0,0 +1,46 @@
# How to setup SSL with letsencrypt


This is basic how-to for SSL setup which will cover API and WEB frontend (nginx in that case) on ubuntu 16.04 with help of letsencrypt

Prereq:
- you have nginx installed
- you have bc installed
- you have prepared environment for pool itself (nodejs & comp)

Download letsencrypt and generate certs for your domain:
```sh
$ git clone https://github.com/letsencrypt/letsencrypt /opt/services/letsencrypt
$ cd /opt/services/letsencrypt
$ ./certbot-auto certonly --standalone -d YOURDOMAIN
```


Copy those certs also to the directory, where your nodejs sumo pool is and change the ownership for them so your user you are using for running nodejs can read them and use them for API:
```sh
$ cp /etc/letsencrypt/live/YOURDOMAIN/cert.pem /INSTALLATION-PATH-OF-NODEJS-POOL/
$ cp /etc/letsencrypt/live/YOURDOMAIN/privkey.pem /INSTALLATION-PATH-OF-NODEJS-POOL/
$ chown USER:GROUP /INSTALLATION-PATH-OF-NODEJS-POOL/*.pem
```

Make sure that you changed your ssl cert settings in pool's json config to:

```sh
"sslKey": "privkey.pem",
"sslCert": "cert.pem",
```

For nginx you have to create site config and use those certs for https. You can find nginx-ssl-example.com as example config for your site in root of this repo.

If you want to have certs automatically renewed from letsencrypt CA, you can write cron rule:

```sh
$ sudo crontab -e

# Add this to the crontab and save it:
* 7,19 * * * certbot -q renew
```

This will regenerate your certs in /etc/letsencrypt/live/YOURDOMAIN/ so you still have to copy them to your nodejs pool directory and change ownership, or write script which will do it automatically for you.
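Review bot: the crontab line `* 7,19 * * * certbot -q renew` runs every minute of the 07:00 and 19:00 hours because the minute field is `*`; it should be `0 7,19 * * *`. Two related problems in the same paragraph: the how-to installs certbot-auto under /opt/services/letsencrypt, but the cron entry calls a bare `certbot`, which is not guaranteed to be on root's PATH, so use the full path (`/opt/services/letsencrypt/certbot-auto renew -q`) or document installing a packaged certbot; and because issuance used `--standalone`, renewal will again try to bind port 80, which nginx now owns (see nginx-ssl-example.com), so either stop and start nginx around the renewal with `--pre-hook`/`--post-hook` or switch to the webroot authenticator. Further up, the pool is given `cert.pem`, which is the leaf certificate only; clients that do not already hold the Let's Encrypt intermediate will fail to validate the chain, so copy `fullchain.pem` and set `"sslCert": "fullchain.pem"`, as the nginx config already does, and restrict the copied `privkey.pem` to mode 600 rather than only changing its owner. Finally, the closing paragraph leaves the post-renewal copy as an exercise; a `--deploy-hook` script that copies the new files, fixes ownership and runs `nginx -s reload` (nginx does not re-read the key and certificate until reloaded) would close that gap and belongs in this document.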



nginx-ssl-example.com (+44, -0)

@@ -0,0 +1,44 @@
# HTTP — redirect all traffic to HTTPS
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
server_name YOURDOMAIN;
return 301 https://$host$request_uri;
}

# HTTPS — proxy all requests to the Node app
server {
# Enable HTTP/2
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name YOURDOMAIN;

# Use the Let’s Encrypt certificates
ssl_certificate /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/YOURDOMAIN/privkey.pem;

# Include the SSL configuration from cipherli.st
include snippets/ssl-params.conf;

location / {
root /opt/www/YOURDOMAIN;
index index.html;
}
location /api {
rewrite_log on;
rewrite ^/api$ /api/ redirect;
rewrite /api(.*) $1 break;
# THESE ARE IMPORTANT
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is what tells Connect that your session can be considered secure,
# even though the protocol node.js sees is only HTTP:
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_read_timeout 5m;
proxy_connect_timeout 5m;
proxy_pass http://YOURDOMAIN:8118;
proxy_redirect off;
}
}
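Review bot: `include snippets/ssl-params.conf;` references a file that this commit does not add and SSL.md does not describe, so `nginx -t` fails on a fresh install until it exists; either add the snippet (protocols, ciphers, session settings, HSTS) to the repo or document where it comes from. Second, `proxy_pass http://YOURDOMAIN:8118;` sends API traffic to the public hostname in clear text: if YOURDOMAIN resolves to a public address, the request leaves the loopback path and port 8118 has to be reachable from outside, which undoes the point of terminating TLS in nginx. Prefer `proxy_pass http://127.0.0.1:8118;` with the pool's API bound to localhost, and reconcile this with SSL.md, which configures `sslKey`/`sslCert` for the API: if the listener on 8118 actually speaks TLS this needs `https://` plus the matching `proxy_ssl_*` settings, otherwise the pem settings are irrelevant for this path and the document should say so. Minor: `rewrite /api(.*) $1 break;` is unanchored and also rewrites `/apifoo`, so use `rewrite ^/api(.*)$ $1 break;`; and `default_server` is set only on the IPv6 listener, so an IPv4 request for an unknown hostname is not guaranteed to land on this block.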
