Anybody up for teaching me how to SSL working with NGINX?

Technical Support
  • SSL is new to me, as such I haven't made it work on any other site that I've run before.

    Looking at Letsencrypt and their directions I don't get any nginx information. Everything is for apache. So I don't know where to begin (I understand generally what I'd do in nginx to point 443 but otherwise I'm pretty lost).

    Anyone have a general step by step overview for me?


  • Started learning about SSL and TLS a couple weeks ago, was still new to me then... was a good starting point back then.
    Found this guide which helped me put a bit, but there were a couple issues with this...
    For one, DON'T NEVER EVER add the trailing slash at proxy_pass;, just use proxy_pass;
    Also lets encrypt wasn't able to validate the ownership of my website, because nodebb isn't using the classic folder structure like most PHP servers do (/index.php /folder/otherFile.php etc.), thats why I had to add that too...
    I tested my site for security on a website (I don't remeber how it's called) and found out, that there was a slight security issue, which i also fixed.
    To make your life easier, I will show you my config, and I'll try to explain what I did there.

    server {
        listen 80;
        rewrite     ^   https://$host$request_uri? permanent; # This redirects all non https requests to https
    server {
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/; #Those are the certificates generated by the certbot
        ssl_certificate_key /etc/letsencrypt/live/;
        # Turn on OCSP stapling as recommended at
        # requires nginx version >= 1.3.7
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security "max-age=31536000";
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; # When using this ciphers, old browsers like IE8 are not supported
        ssl_prefer_server_ciphers on; # This was the security issue I was talking about... shows you how to generate a pem key
        ssl_dhparam /etc/dhparam/dhparams.pem;
        location /.well-known { # this is needed for let's encrypt, so all requests to are redirected to the given folder below instead if nodebb
            alias /var/www/nodebb/.well-known; # this folder needs to be the same folder like the one you specified in your certbot command
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass; # This redirects the http request to your nodebb server
            proxy_redirect off;
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

    I hope I could help you with this!
    If you have any questions, feel free to ask

  • @etakmit
    Goto and choose your webserver/platform for a step-by-step guide.

    It takes a couple of minutes to be up and running:

    > sudo apt-get install letsencrypt 
    > letsencrypt certonly --webroot -w /home/blaha/NodeBB/public -d ****

    The certs will be available in the following folder (this is the nginx config)

     ssl_certificate         /etc/letsencrypt/live/****/fullchain.pem;
     ssl_certificate_key     /etc/letsencrypt/live/****/privkey.pem;

    Then add letsenctypt renew (and service ngninx reload) in a crontab running every day.

    Just point the letsencrypt script to the public folder of your NodeBB install.

  • Just point the letsencrypt script to the public folder of your NodeBB install.

    Hmm should have known that, but works for me, so I'm going to be too lazy to change that...
    Still thanks for the information

  • @hek that's where its getting me. since my nodebb is in /opt/nodebb I could just run the letsencrypt script facing that right?

  • @etakmit

    Yep, just point it to the public folder of your install.

  • @RoiEXLab thanks! Between your reply and @hek 's reply I should be able to figure this out!

  • All set. Thanks guys. Was definitely painless once I wrapped my head around it (and remembered to allow 443 through my firewall ... d'oh)

  • @hek said:

    Then add letsenctypt renew (and service ngninx reload) in a crontab running every day.

    Good lord, that's a bit overkill isn't it? Those servers aren't free to run 😆

    I used to do every other month, but switched to calling letsencrypt-auto renew every month...

  • It will only actually only renew when it is time. So no need to worry! 🙂

  • @julian I'm still determining what is best. I think once a month depending on the timing could be problematic (although a manual renew isn't the worst thing in the world).

    Even the letsencrypt walkthrough says twice a day

    Note: if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.

    I might go with that or I might go weekly. We'll see.

Suggested Topics

  • Always Nginx Startpage

    Unsolved Technical Support
    0 Votes
    2 Posts

    Did you restart nginx after changing config?

  • 0 Votes
    1 Posts

    Not an nginx guru so please bear with me here.

    For simplicity sake let's assume site lives at rather than a subfolder.

    Unless specified otherwise, nginx root dir is /usr/share/nginx/html

    Nodebb nginx configuration docs utilize this when describing setting up a custom error page.

    Nginx is being used exclusively as reverse proxy and not serving any additional sites. I think I read somewhere that under such configuration an explicit default server docroot should not be specified? But even in such cases I think the hard coded default /usr/share/nginx/html still serves up 50x.html error page.

    In absence of a custom error page, nodebb uses nodebb/public/503.html?

    Nginx has been configured for scaling.

    Nginx Pitfalls and Common Mistakes documentation suggest putting doc root inside a location block is bad practice even though it will work.

    Soo... now my question... taking all of above into consideration.. what is proper/correct best practice configuration for a "scaled" nginx nodebb deployment? I know what "could" work. I am curious what "should" be recommended best practice.

    (Yeah, I know I already posted this in a different thread but it was a mistake at the time not to have started a new thread because this is pretty specific w.r.t. best practices configuration rather than "why isn't my stuff isn't working" question. Apologies for that.)

  • 0 Votes
    5 Posts

    @JaredBusch said in Is there a working SMTP/relay plugin:

    @aleksad said in Is there a working SMTP/relay plugin:

    The solution was found for this error? If there is a solution, could You share, thank you.

    Yes, I'm sorry I forgot to post I am on the road right now but I will do so later

    I did not end up using a plugin. I ended up editing /etc/postfix/ myself and adding a relayhost as I happen to have one setup for other purposes.

    relayhost =
  • 0 Votes
    6 Posts

    and this port then sends this to docker with port 4567. I have no nginx involved anywhere. How can I make login work in my case?

    I'm not familiar with Docker, but something is acting as reverse proxy. You'll have to figure out what it is, and add that header in appropriately.

  • Does not work search

    Solved Technical Support
    0 Votes
    15 Posts

    @agusputra yeah its truly, but it can update only from console via npm i nodebb-plugin-dbsearch