SSL: yes or no



  • @julian said:

    Edit: Oh, while I'm here... I know of exactly zero people running NodeBB with SSL certs handled by NodeBB. It's always through nginx...

    This is how I see it. Most people should be running it behind a proxy of some kind.


  • GNU/Linux

    OK, thanks to all.
    I use nginx, Ubuntu 14.04 LTS and Nginx, so is there any guide to install it?



  • @Matthew-Dowling said:

    But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo, etc.). This can run you a few hundred bucks and you'll need to renew once the cert expires.

    Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.


  • GNU/Linux

    @a_5mith said:

    @Matthew-Dowling said:

    But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo, etc.). This can run you a few hundred bucks and you'll need to renew once the cert expires.

    Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.

    Can you help me to install it, or explain it to me? Thanks 🙂
    I have read this: https://letsencrypt.org/howitworks/ but I'm using nginx and Ubuntu 14.04



  • More or less this guide: http://huytd.github.io/2015/12/16/setup-free-ssl-with-lets-encrypt/index.html

    Few notes:
    I had to stop Nginx or it errors out with already in use and won't create the live folder.
    You might get permission denied errors when trying to navigate to the live folder. Just run as root.
    Then search this forum for the SSL code and replace as needed. Can send mine if needed. Then just make sure everything you link to uses https://


  • GNU/Linux

    @a_5mith said:

    @Matthew-Dowling said:

    But if you don't want all your users getting an SSL warning every time they browse to your page you will need to purchase a signed SSL certificate from a trusted certificate authority (GoDaddy, Comodo, etc.). This can run you a few hundred bucks and you'll need to renew once the cert expires.

    Let's Encrypt is free and gives you a fully signed certificate. https://35hz.co.uk uses it, didn't cost me anything, took me about 10 minutes to configure.

    Is it free for life or for 90 days? Thanks



  • @djcyry Life


  • GNU/Linux

    @a_5mith said:

    @djcyry Life

    Can you please show me your code?
    I have installed it, but:

    http://www.hercio.net/ - works OK.
    https://www.hercio.net/ - default nginx page.




  • GNU/Linux

    @a_5mith said:

    Use https://community.nodebb.org/topic/7183/which-file-to-edit-when-getting-rid-of-the-4567-port-number/5

    Just replace all references of that URL and IP with yours.

    No results..



  • @djcyry did you restart nginx?


  • GNU/Linux

    @a_5mith said:

    @djcyry did you restart nginx?

    Sure.
    I have installed the SSL, everything OK.
    But it is not redirected, and if it does, it redirects to the nginx default page (with https).



  • What's your Nginx? Port 80 should redirect. 443 should load your site.

    What's the content of your site in sites-available?


  • GNU/Linux

    @a_5mith said:

    What's your Nginx? Port 80 should redirect. 443 should load your site.

    What's the content of your site in sites-available?

    Without SSL, this:

    server {
    listen 80;
    server_name www.hercio.net;

    #charset koi8-r;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_pass http://62.75.159.105:4567;
        proxy_redirect off;
    
        # Socket.IO Support
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
    

    }
    }

    server {
    listen 80;
    server_name www.nodebb.es;

    #charset koi8-r;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_pass http://62.75.159.105:4568;
        proxy_redirect off;
    
        # Socket.IO Support
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
    

    }
    }

    server {
    listen 80;
    server_name hercio.net;

    return 301 http://www.hercio.net$request_uri;
    

    }

    server {
    listen 80;
    server_name www.hercio.net;

    return 301 http://www.hercio.net$request_uri;
    

    }

    server {
    listen 80;
    server_name nodebb.es;

    return 301 http://www.nodebb.es$request_uri;
    

    }

    server {
    listen 80;
    server_name www.nodebb.es;

    return 301 http://www.nodebb.es$request_uri;
    

    }



  • Here's mine. Compare:

    
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name 35hz.co.uk;
        # "listen 443 ssl" above enables TLS for this server (the older "ssl on;" directive is deprecated)
        ssl_certificate /etc/letsencrypt/live/35hz.co.uk/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/35hz.co.uk/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://188.226.239.27:4567;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    server {
        client_max_body_size 40M;
        listen 80;
        server_name 35hz.co.uk;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    
    

  • GNU/Linux

    @a_5mith said:

    Here's mine. Compare:

    
    
    

    Thanks @a_5mith.
    Look at this:

    https://hercio.net/ - SSL works without www.
    https://www.hercio.net/ - SSL works with www.

    https://nodebb.es/ - SSL works without www.
    https://www.nodebb.es/ - SSL does not work with www.

    Both forums are hosted on the same server, same configuration, etc. Any idea?


  • Admin

    @djcyry


    Your configuration for nodebb.es is serving the SSL certificate for hercio.net



  • @djcyry So we run it behind a reverse proxy too. Here's the config:

    HTTP (file include)

    server {
      listen 80;
      server_name www.social.example.com social.example.com;
      return 301 https://social.example.com$request_uri;
    }
    

    HTTPS (file include)

    server {
    
        listen 443 ssl;
        server_name www.social.example.com social.example.com;
    
        ssl_certificate /etc/nginx/ssl/example.crt;
        ssl_certificate_key /etc/nginx/ssl/example.key;
    
        # SSL caching override
        ssl_session_cache shared:SSL:10m;
    
        # Enable long duration HSTS
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Host $http_host;
    
        proxy_redirect off;
        #proxy_next_upstream off;
    
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    
        include /var/www/social.example.com/conf/error.conf;
    
        location @nodebb {
            proxy_pass http://io_nodes;
        }
    
        location ~ ^/(images|language|sounds|templates|uploads|vendor|src\/modules|nodebb\.min\.js|stylesheet\.css|admin\.css) {
            root /srv/http/domain/example.com/social/public/;
            try_files $uri $uri/ @nodebb;
        }
    
        location / {
    
            # These need to be defined in the location block to
            # override express status message handler
            error_page 404 /404.html;
            error_page 502 /502.html;
            error_page 503 /503.html;
    
            proxy_intercept_errors on;
    
            client_max_body_size 10M;
    
            proxy_pass http://io_nodes;
        }
    
    }
    

    Also the following upstream (2 workers):

    upstream io_nodes {
        server 127.0.1.4:4567;
        server 127.0.1.4:4568;
    }
    

    Finally, also an upstream loopback in /etc/hosts

    127.0.1.4 nbb.node.example.com
    

    Note that we defined both server names, www.social.example.com and social.example.com


  • GNU/Linux

    @julian
    @supersym

    It's fixed, but it responds with www and without www. I want to
    redirect all to www. Any idea? Thanks

    In my config /etc/nginx/conf.d/.conf I have:

    server {
    listen 80;
    server_name www.hercio.net hercio.net;
    return 301 https://hercio.net$request_uri;
    }

    server {
    listen 80;
    server_name www.nodebb.es nodebb.es;
    return 301 https://nodebb.es$request_uri;
    }

    I restarted nginx but it is still responding from both.


  • Plugin & Theme Dev

    @djcyry changing return 301 https://nodebb.es$request_uri; to return 301 https://www.nodebb.es$request_uri; should do it I think
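
As an added example (not a configuration posted by anyone in this thread), here is one layout that addresses both problems discussed above: the second site being served the first site's certificate, and the bare name still answering over HTTPS after the port-80 redirect is changed. The names example.com and example.org, the 127.0.0.1 upstream and the certificate paths are placeholders, and each certificate is assumed to list both the bare and the www name of its own site.

```nginx
# Added example: example.com / example.org stand in for the two forums.
# Loaded from /etc/nginx/conf.d/ (http context): proxy settings apply to all locations below.
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;   # Socket.IO support
proxy_set_header Connection "upgrade";
# Site A: plain HTTP always goes to the canonical https://www name.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}
# HTTPS for the bare name never hits the port-80 block; it needs its own redirect.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    return 301 https://www.example.com$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    location / { proxy_pass http://127.0.0.1:4567; }
}
# Site B: same layout, its own certificate (not site A's) and NodeBB port.
server {
    listen 80;
    server_name example.org www.example.org;
    return 301 https://www.example.org$request_uri;
}
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    return 301 https://www.example.org$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.org;
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    location / { proxy_pass http://127.0.0.1:4568; }
}
```

Run `nginx -t` before reloading; a request for a name that no 443 block lists falls through to the first 443 server defined, which is how one site ends up presenting another site's certificate.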


 
