Anybody up for teaching me how to SSL working with NGINX?
-
Started learning about SSL and TLS a couple weeks ago, was still new to me then...
https://certbot.eff.org/ was a good starting point back then.
Found this guide which helped me out a bit, but there were a couple of issues with it...
For one, DON'T EVER add the trailing slash, as in `proxy_pass http://127.0.0.1:4567/;`, just use `proxy_pass http://127.0.0.1:4567;`
Also, Let's Encrypt wasn't able to validate the ownership of my website, because NodeBB isn't using the classic folder structure like most PHP servers do (/index.php, /folder/otherFile.php etc.), that's why I had to add that too...
I tested my site for security on a website (I don't remember what it's called) and found out that there was a slight security issue, which I also fixed.
To make your life easier, I will show you my config, and I'll try to explain what I did there.

```nginx
server {
    listen 80;
    server_name yourURL.com;
    rewrite ^ https://$host$request_uri? permanent; # This redirects all non-https requests to https
}

server {
    listen 443 ssl;
    server_name yourURL.com;
    ssl_certificate /etc/letsencrypt/live/yourURL.com/fullchain.pem; # Those are the certificates generated by the certbot
    ssl_certificate_key /etc/letsencrypt/live/yourURL.com/privkey.pem;

    # Turn on OCSP stapling as recommended at
    # https://community.letsencrypt.org/t/integration-guide/13123
    # requires nginx version >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=31536000";

    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; # When using these ciphers, old browsers like IE8 are not supported
    ssl_prefer_server_ciphers on;

    # This was the security issue I was talking about... https://weakdh.org/sysadmin.html shows you how to generate a pem key
    ssl_dhparam /etc/dhparam/dhparams.pem;

    location /.well-known {
        # this is needed for Let's Encrypt, so all requests to yourdomain.com/.well-known are served from the folder below instead of nodebb
        alias /var/www/nodebb/.well-known; # this folder needs to be the same folder as the one you specified in your certbot command
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:4567; # This forwards the request to your nodebb server
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
I hope I could help you with this!
If you have any questions, feel free to ask -
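A small checker for the pitfalls discussed in the post above (the trailing slash on `proxy_pass`, the missing `ssl_dhparam` from the weakdh.org issue, OCSP stapling, HSTS, the `/.well-known` location for certbot, and the Socket.IO upgrade headers). This is an added example, not code from the original post or from NodeBB; the two config strings are constructed samples modelled on the posted server block, and the directive parser ignores block nesting, which is enough for presence/absence checks.

```python
"""Checker for the nginx TLS reverse-proxy pitfalls raised in this thread.
Added example, not code from the original post; the two configs below are
constructed samples modelled on the server block posted above."""
import re

# Constructed: the shape the thread warns against (trailing slash, no dhparam, ...).
BAD_CONFIG = """
server {
    listen 443 ssl;
    server_name yourURL.com;
    ssl_certificate /etc/letsencrypt/live/yourURL.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourURL.com/privkey.pem;
    ssl_stapling off;
    location / {
        proxy_pass http://127.0.0.1:4567/;  # trailing slash rewrites the path
    }
}
"""

# Constructed: the hardened shape from the thread (comments dropped for brevity).
GOOD_CONFIG = """
server {
    listen 443 ssl;
    server_name yourURL.com;
    ssl_certificate /etc/letsencrypt/live/yourURL.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourURL.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/dhparam/dhparams.pem;
    location /.well-known {
        alias /var/www/nodebb/.well-known;
    }
    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:4567;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""


def strip_comments(text):
    """Remove '#' comments; nginx only has line comments."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def directives(text):
    """Yield (name, args) for every simple directive (terminated by ';').
    Block braces are discarded, so nesting context is not tracked; that is
    sufficient for the presence/absence checks below."""
    for stmt in strip_comments(text).split(";"):
        stmt = re.split(r"[{}]", stmt)[-1].strip()
        if stmt:
            name, *args = stmt.split()
            yield name, args


def check(config):
    """Return a list of problems found in an nginx config string ([] if clean)."""
    found = list(directives(config))
    names = {n for n, _ in found}
    problems = []
    for name, args in found:
        # A URI part after host:port (even a bare "/") makes nginx replace the
        # matched location prefix, which breaks NodeBB's routing.
        if name == "proxy_pass" and args and re.match(r"https?://[^/]+/", args[0]):
            problems.append("proxy_pass has a URI part")
        if name == "ssl_stapling" and args == ["off"]:
            problems.append("ssl_stapling off")
    if "ssl_dhparam" not in names:
        problems.append("no ssl_dhparam")  # the weakdh.org issue from the thread
    if "ssl_stapling" not in names:
        problems.append("ssl_stapling off")
    if not any(n == "add_header" and a[:1] == ["Strict-Transport-Security"] for n, a in found):
        problems.append("no HSTS header")
    if not any(n == "ssl_prefer_server_ciphers" and a == ["on"] for n, a in found):
        problems.append("ssl_prefer_server_ciphers not on")
    if not re.search(r"location\s+/\.well-known\b", strip_comments(config)):
        problems.append("no /.well-known location for certbot webroot")
    headers = {a[0] for n, a in found if n == "proxy_set_header" and a}
    if not {"Upgrade", "Connection"} <= headers:
        problems.append("no websocket upgrade headers")
    return problems


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, check(cfg) or "ok")
```

Run it against your own file with `check(open("/etc/nginx/sites-enabled/nodebb").read())`; an empty list means none of the thread's pitfalls were found, but it is not a substitute for `nginx -t` or an external TLS scan.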
@etakmit
Go to https://certbot.eff.org/ and choose your webserver/platform for a step-by-step guide. It takes a couple of minutes to be up and running:

```
sudo apt-get install letsencrypt
letsencrypt certonly --webroot -w /home/blaha/NodeBB/public -d yourdomain.com
```

The certs will be available in the following folder (this is the nginx config):

```
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
```

Then add `letsencrypt renew` (and `service nginx reload`) in a crontab running every day.

@RoiEXLab Just point the letsencrypt script to the public folder of your NodeBB install. -
@hek said:

> Then add `letsencrypt renew` (and `service nginx reload`) in a crontab running every day.

Good lord, that's a bit overkill, isn't it? Those servers aren't free to run.
I used to do it every other month, but switched to calling `letsencrypt-auto renew` every month... -
It will actually only renew when it is time. So no need to worry!
-
@julian I'm still determining what is best. I think once a month depending on the timing could be problematic (although a manual renew isn't the worst thing in the world).
Even the letsencrypt walkthrough says twice a day:

> Note: if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
I might go with that or I might go weekly. We'll see.