Community

Anybody up for teaching me how to SSL working with NGINX?

Technical Support
  • E

    SSL is new to me, as such I haven't made it work on any other site that I've run before.

    Looking at Letsencrypt and their directions I don't get any nginx information. Everything is for apache. So I don't know where to begin (I understand generally what I'd do in nginx to point 443 but otherwise I'm pretty lost).

    Anyone have a general step by step overview for me?

    Thanks!

    0
  • RoiEXLabR

    Started learning about SSL and TLS a couple weeks ago, was still new to me then...
    https://certbot.eff.org/ was a good starting point back then.
    Found this guide which helped me put a bit, but there were a couple issues with this...
    For one, DON'T NEVER EVER add the trailing slash at proxy_pass http://127.0.0.1:4567/;, just use proxy_pass http://127.0.0.1:4567;
    Also lets encrypt wasn't able to validate the ownership of my website, because nodebb isn't using the classic folder structure like most PHP servers do (/index.php /folder/otherFile.php etc.), thats why I had to add that too...
    I tested my site for security on a website (I don't remeber how it's called) and found out, that there was a slight security issue, which i also fixed.
    To make your life easier, I will show you my config, and I'll try to explain what I did there.

    server {
    listen 80;
    server_name yourURL.com;
    rewrite     ^   https://$host$request_uri? permanent; # This redirects all non https requests to https
}
server {
    listen 443 ssl;
    server_name yourURL.com;
    ssl_certificate /etc/letsencrypt/live/yourURL.com/fullchain.pem; #Those are the certificates generated by the certbot
    ssl_certificate_key /etc/letsencrypt/live/yourURL.com/privkey.pem;

    # Turn on OCSP stapling as recommended at
    # https://community.letsencrypt.org/t/integration-guide/13123
    # requires nginx version >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; # When using this ciphers, old browsers like IE8 are not supported
    ssl_prefer_server_ciphers on; # This was the security issue I was talking about... https://weakdh.org/sysadmin.html shows you how to generate a pem key
    ssl_dhparam /etc/dhparam/dhparams.pem;

    location /.well-known { # this is needed for let's encrypt, so all requests to yourdomain.com/.well-known are redirected to the given folder below instead if nodebb
        alias /var/www/nodebb/.well-known; # this folder needs to be the same folder like the one you specified in your certbot command
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

        proxy_pass http://127.0.0.1:4567; # This redirects the http request to your nodebb server
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

    I hope I could help you with this!
    If you have any questions, feel free to ask

    E 1 Reply
    0
  • hekH

    @etakmit
    Goto https://certbot.eff.org/ and choose your webserver/platform for a step-by-step guide.

    It takes a couple of minutes to be up and running:

    > sudo apt-get install letsencrypt 
> letsencrypt certonly --webroot -w /home/blaha/NodeBB/public -d **yourdomain.com**

    The certs will be available in the following folder (this is the nginx config)

     ssl_certificate         /etc/letsencrypt/live/**yourdomain.com**/fullchain.pem;
 ssl_certificate_key     /etc/letsencrypt/live/**yourdomain.com**/privkey.pem;

    Then add letsenctypt renew (and service ngninx reload) in a crontab running every day.

    @RoiEXLab
    Just point the letsencrypt script to the public folder of your NodeBB install.

    RoiEXLabR E 2 Replies
    0
  • RoiEXLabR

    Just point the letsencrypt script to the public folder of your NodeBB install.

    Hmm should have known that, but works for me, so I'm going to be too lazy to change that...
    Still thanks for the information

    0
  • E

    @hek that's where its getting me. since my nodebb is in /opt/nodebb I could just run the letsencrypt script facing that right?

    0
  • hekH

    @etakmit

    Yep, just point it to the public folder of your install.

    0
  • E

    @RoiEXLab thanks! Between your reply and @hek 's reply I should be able to figure this out!

    0
  • E

    All set. Thanks guys. Was definitely painless once I wrapped my head around it (and remembered to allow 443 through my firewall ... d'oh)

    0
  • julianJ

    @hek said:

    Then add letsenctypt renew (and service ngninx reload) in a crontab running every day.

    Good lord, that's a bit overkill isn't it? Those servers aren't free to run 😆

    I used to do every other month, but switched to calling letsencrypt-auto renew every month...

    E 1 Reply
    0
  • hekH

    It will only actually only renew when it is time. So no need to worry! 🙂

    0
  • E

    @julian I'm still determining what is best. I think once a month depending on the timing could be problematic (although a manual renew isn't the worst thing in the world).

    Even the letsencrypt walkthrough says twice a day

    Note: if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

    I might go with that or I might go weekly. We'll see.

    0

Suggested Topics

  • kurulumu.NetK

    Custom pages stopped working

    Unsolved Technical Support
    0 Votes
    1 Posts
    102 Views
    kurulumu.NetK

    I noticed that custom pages no longer work. I see the following records in the error logs. I uninstalled and reinstalled the nodebb-custom-pages plugin. I've done several reboots and builds but it didn't work. Why might the problem be caused?
    my NodeBB version: 2.2.5
    custom pages version: 1.3.3

    2022-07-25T11:06:33.959Z [4567/1887] - error: GET /iletisim Error: Failed to lookup view "iletisim" in views directory "/home/nodes/nodebb/build/public/templates" at Function.render (/home/nodes/nodebb/node_modules/express/lib/application.js:597:17) at ServerResponse.render (/home/nodes/nodebb/node_modules/express/lib/response.js:1039:7) at /home/nodes/nodebb/src/middleware/render.js:107:11 at new Promise (<anonymous>) at renderContent (/home/nodes/nodebb/src/middleware/render.js:106:10) at renderMethod (/home/nodes/nodebb/src/middleware/render.js:75:15) at async ServerResponse.renderOverride [as render] (/home/nodes/nodebb/src/middleware/render.js:96:5)
  • E

    Email suddenly no longer works with SMTP Relay Google Workspace

    Solved Technical Support
    0 Votes
    24 Posts
    5310 Views
    gotwfG

    @theopenem said in Email suddenly no longer works with SMTP Relay Google Workspace:

    I'm using postfix to relay all mail to gmail. It ends up being the same thing as if you set the relay in NodeBB.

    Moreover, you now have a mail spool for failed messages, access to meaningful log messages, ability to tweak and tune if necessary, etc. This is a big win. But maybe too much a pita for some. Until something breaks. 😜

    DKIM is lame. Search "DKIM considered bad". Here's one rant from ZDNet.

    Iirc (and it has been a while since I needed to read up cuz my stuff jfw....), SPF has no restrictions on number of different domains - just add the spf txt record to that domain. Then make sure the relay has a reverse dns entry - that does not have to be the same domain, just has to be.

    I was hoping for some better diagnostics, wh/is why I suggested the cli. Establishing an initial connection is easy. It is what comes next that is important and unfortunately OP did not see that bit thru. Why does not somebody test it, eh? I don't have any goog accts, nor do I want/need one, but it may prove illuminating?

    Just my $0.02.

    P.S.; Or maybe ptr is even easier than that for this use case: create a redirect to goog's? then goog worries about the nitty gritty for you. Like I said, been a while and shootin' from the hip. Double check the rfc, eh?

    Here's some DMARC spf resources for the bold and curious.

    P.P.S.; Geronimo, here ya' go. Big medicine!

    Primary domain sporting the smtp relay zone file:

    relaydomain.tld. IN TXT "v=spf1 ip4:xxx.xxx.xxx.xxy ip4:yyy.yyy.yyy.yyz -all"

    otherdom.tld zone file:

    otherdom.tld. IN TXT "v=spf1 redirect=relaydom.tld"

    foodom.tld zone file:

    foodom.tld. IN TXT "v=spf1 redirect=relaydom.tld"

    anotherdom.tld zone file

    @ IN TXT "v=spf1 redirect=relaydom.tld"

    More than one way to do it, note the @ in second example there. Save typing but less explicit. Pick yer' poison.

    Then use a checker. I favor MXToolbox, but note the Goog has one specific for their stuff Google Admin Toolbox Check MX .

  • E

    NGINX not working

    Technical Support
    0 Votes
    6 Posts
    1448 Views
    E

    Sorry my fault, I have that, just sent the wrong file. When I get home today I can take care of it. I deleted the last post with the error log because of the spam, but require a moderator to remove it.
    @PitaJ

    Thanks

  • M

    mentions not working properly

    Technical Support
    1 Votes
    6 Posts
    1566 Views
    M

    @pichalite 😓

    thanks anyway

  • MJM

    My nodeBB website is not working anymore

    Technical Support
    0 Votes
    37 Posts
    10181 Views
    W

    There is no CopyZip in logrotate, so you have to do it in two steps 😉

Copyright © 2023 NodeBB | Contributors