SSL: yes or no
-
At present, Let's Encrypt requires that the python dependency be installed, which is a blocker to integration into NodeBB.
If there were a way to do so via node then we'd adopt it immediately. The only one I did find was a debug version that hadn't been updated in quite some time.
Theoretically, we could run code to execute the python lib. I will look into it.
Edit: Oh, while I'm here... I know of exactly zero people running NodeBB with SSL certs handled by NodeBB. It's always through nginx... so I'd be bundling it with NodeBB and then if they wanted to use it with nginx, they'd need to disable the SSL termination via NodeBB and then set it up with nginx anyway, since that's not handled automatically by even the python lib yet.
Either way, really looking forward to it, but not quite there for us yet
-
@julian said:
Edit: Oh, while I'm here... I know of exactly zero people running NodeBB with SSL certs handled by NodeBB. It's always through nginx...
This is how I see it. Most people should be running it behind a proxy of some kind.
-
@Matthew-Dowling said:
But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority. (GoDaddy, comodo etc). This can run you a few hundred bucks and you'll need to renew once the cert expired.
Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.
-
@a_5mith said:
@Matthew-Dowling said:
But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority. (GoDaddy, comodo etc). This can run you a few hundred bucks and you'll need to renew once the cert expired.
Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.
Can you help me to install it? Or explain it to me, thanks.
I have read this: https://letsencrypt.org/howitworks/ but I'm using nginx and Ubuntu 14.04
-
More or less this guide: http://huytd.github.io/2015/12/16/setup-free-ssl-with-lets-encrypt/index.html
Few notes:
I had to stop Nginx or it errors out with already in use and won't create the live folder.
You might get permission denied errors when trying to navigate to the live folder. Just run as root.
Then search this forum for the SSL code and replace as needed. Can send mine if needed. Then just make sure everything you link to uses https://
-
@a_5mith said:
@Matthew-Dowling said:
But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority. (GoDaddy, comodo etc). This can run you a few hundred bucks and you'll need to renew once the cert expired.
Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.
Is it free for life or for 90 days? Thanks
-
@a_5mith said:
@djcyry Life
Can you please show me your code?
I have installed it, but:
http://www.hercio.net/ - works OK.
https://www.hercio.net/ - default nginx page.
-
Just replace all references of that URL and IP with yours.
-
@a_5mith said:
What's your. Nginx? Port 80 should redirect. 443 should load your site.
What's the content of your site in sites-available?
Without SSL, this:
server {
    listen 80;
    server_name www.hercio.net;
    #charset koi8-r;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_pass http://62.75.159.105:4567;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
server {
    listen 80;
    server_name www.nodebb.es;
    #charset koi8-r;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_pass http://62.75.159.105:4568;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
server {
    listen 80;
    server_name hercio.net;
    return 301 http://www.hercio.net$request_uri;
}
server {
    listen 80;
    server_name www.hercio.net;
    return 301 http://www.hercio.net$request_uri;
}
server {
    listen 80;
    server_name nodebb.es;
    return 301 http://www.nodebb.es$request_uri;
}
server {
    listen 80;
    server_name www.nodebb.es;
    return 301 http://www.nodebb.es$request_uri;
}
-
Here's mine. Compare:
server {
    client_max_body_size 40M;
    listen 443 ssl;
    server_name 35hz.co.uk;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/35hz.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/35hz.co.uk/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://188.226.239.27:4567;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
server {
    client_max_body_size 40M;
    listen 80;
    server_name 35hz.co.uk;
    rewrite ^ https://$server_name$request_uri? permanent;
}
-
@a_5mith said:
Here's mine. Compare:
server {
    client_max_body_size 40M;
    listen 443 ssl;
    server_name 35hz.co.uk;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/35hz.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/35hz.co.uk/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://188.226.239.27:4567;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
server {
    client_max_body_size 40M;
    listen 80;
    server_name 35hz.co.uk;
    rewrite ^ https://$server_name$request_uri? permanent;
}
Thanks @a_5mith.
Look at this:
https://hercio.net/ - SSL works without www.
https://www.hercio.net/ - SSL works with www.
https://nodebb.es/ - SSL works without www.
https://www.nodebb.es/ - SSL does not work with www.
Both forums are hosted on the same server, same configuration, etc... any idea?
-
@djcyry So we run it behind a reverse proxy too. Here's the config:
HTTP (file include)
server {
    listen 80;
    server_name www.social.example.com social.example.com;
    return 301 https://social.example.com$request_uri;
}
HTTPS (file include)
server {
    listen 443 ssl;
    server_name www.social.example.com social.example.com;

    ssl_certificate /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;

    # SSL caching override
    ssl_session_cache shared:SSL:10m;

    # Enable long duration HSTS
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    #proxy_next_upstream off;

    # Socket.IO Support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    include /var/www/social.example.com/conf/error.conf;

    location @nodebb {
        proxy_pass http://io_nodes;
    }

    location ~ ^/(images|language|sounds|templates|uploads|vendor|src\/modules|nodebb\.min\.js|stylesheet\.css|admin\.css) {
        root /srv/http/domain/example.com/social/public/;
        try_files $uri $uri/ @nodebb;
    }

    location / {
        # These need to be defined in the location block to
        # override express status message handler
        error_page 404 /404.html;
        error_page 502 /502.html;
        error_page 503 /503.html;
        proxy_intercept_errors on;
        client_max_body_size 10M;
        proxy_pass http://io_nodes;
    }
}
Also the following upstream (2 workers):
upstream io_nodes {
    server 127.0.1.4:4567;
    server 127.0.1.4:4568;
}
Finally, also an upstream loopback in /etc/hosts:
127.0.1.4 nbb.node.example.com
Note that we defined both server names, www.social.example.com and social.example.com.
-
It's fixed, but it responds with www and without www. I want to redirect all to www... any idea? Thanks
In my config /etc/nginx/conf.d/.conf I have:
server {
    listen 80;
    server_name www.hercio.net hercio.net;
    return 301 https://hercio.net$request_uri;
}
server {
    listen 80;
    server_name www.nodebb.es nodebb.es;
    return 301 https://nodebb.es$request_uri;
}
I'm restarting nginx but it's still responding from both.
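The www-only redirect asked about above, as an added example that is not part of the original thread: a `return 301` in a port-80 block only affects plain-HTTP requests, so forcing one hostname over HTTPS also needs a separate 443 block for the other name that does nothing but redirect. The name example.com, the certificate paths and the upstream 127.0.0.1:4567 are placeholders.

```nginx
# Added example. example.com, the certificate paths and the upstream
# address 127.0.0.1:4567 are placeholders, not values from the thread.

# Plain HTTP, either name: send to the canonical HTTPS host.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# HTTPS on the bare name: redirect only, never proxy.
# The handshake completes before the 301 is sent, so this certificate
# must list example.com as well as www.example.com.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    return 301 https://www.example.com$request_uri;
}

# HTTPS on www: the only block that reaches NodeBB.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:4567;
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Running `nginx -t` validates the file before a reload. A browser that cached an earlier 301 may keep following it until its cache is cleared.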