SSL Certificates For Website Hosting
Thu Dec 08 2022 08:00:55 GMT+0000 (Coordinated Universal Time)
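# 1. Install Certbot from the official snap. certbot-auto is retired; the snap
#    puts the binary at /snap/bin/certbot and ships its own systemd renewal
#    timer (see the crontab note further down).
snap install --classic certbot

# Keep a copy of the running config so a broken deploy can be rolled back.
cp /etc/nginx/nginx.conf /etc/nginx/nginx-copy.conf

VAR_DOMAIN_NAME='<Domain name>'
# ACME account e-mail (expiry notices). Parameterised so the snippet is
# reusable; the original hard-coded value is kept as the default.
VAR_EMAIL="${VAR_EMAIL:-hristo.trendafilov93@gmail.com}"

# Render the plain-HTTP bootstrap config with the public domain added to
# server_name. sed reads the template directly, no `cat |` needed.
sed "s,server_name web_client,server_name web_client $VAR_DOMAIN_NAME,g" \
    /home/configs/nginx.conf > /etc/nginx/nginx.conf

# Validate and apply the rendered config BEFORE asking for a certificate: an
# HTTP-01 validation can only succeed if nginx is actually serving the domain
# with this config. `nginx -t` failing leaves the running config untouched.
nginx -t && systemctl reload nginx

# NOTE(review): no challenge plugin (--nginx / --webroot ...) is given, so
# certbot prompts interactively for it; passing -d at least avoids a second
# prompt for the domain. Do not use --register-unsafely-without-email here.
certbot --no-eff-email --agree-tos -m "$VAR_EMAIL" -d "$VAR_DOMAIN_NAME"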
=============================================================================
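# 2. Switch to the TLS config. Only do this after certbot succeeded: nginx
#    refuses to (re)start when the ssl_certificate paths it references do not
#    exist. Test first, then reload gracefully -- a plain `restart` on a bad
#    config takes the site down, whereas a failed `nginx -t` keeps the
#    currently running config in place.
sed "s,__DOMAIN_NAME__,$VAR_DOMAIN_NAME,g" /home/configs/nginx-tls.conf \
    > /etc/nginx/nginx.conf
nginx -t && systemctl reload nginx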
=============================================================================
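# Nightly certificate renewal.
#  - certbot-auto is retired and is NOT what `snap install certbot` provides;
#    the snap binary is /snap/bin/certbot. The snap also installs its own
#    systemd renewal timer (`systemctl list-timers | grep certbot`), so this
#    cron entry is a belt-and-braces duplicate at best.
#  - nginx keeps the old certificate in memory until it is reloaded; the
#    deploy hook runs only when a certificate was actually renewed.
#  - stderr is captured as well, otherwise failures are lost in cron mail.
27 23 * * * /snap/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx" >> /var/log/le-renew.log 2>&1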
=============================================================================
# Configuration files (Конфигурационните файлове)
- nginx-tls.conf
=============================================================================
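worker_processes auto;
worker_rlimit_nofile 10240;
pid /run/nginx.pid;

events {
    worker_connections 10240;
    accept_mutex off;
    multi_accept off;
}

# Production config: TLS for the public domain, plain HTTP only for
# allow-listed clients (web_client / bare-IP access), SPA + /api backend.
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the nginx version in the Server: header and error pages.
    server_tokens off;

    # Upgrade/Connection pairing for WebSocket proxying. NOTE(review): nothing
    # below sets proxy_set_header Upgrade/Connection, so this map is currently
    # inert; kept in case the /api backend needs WebSockets.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Scheme each Host is expected to be served on. Only the public domain is
    # forced to HTTPS; any other Host (web_client, a bare IP) stays on plain
    # HTTP and is subject to the allow-list below.
    map $host $scheme_for_domain {
        hostnames;
        default "http";
        __DOMAIN_NAME__ "https";
    }

    # Clients that may reach the server over plain HTTP (e.g. by IP). Add
    # entries such as `"~127.0.0.1" "allow";` above the default. With the
    # list empty, every plain-HTTP request that is not redirected gets 400.
    map $remote_addr $allowed_http_addresses {
        default "deny";
    }

    server {
        server_name web_client __DOMAIN_NAME__;
        # IPv4 only; add `listen [::]:80;` / `listen [::]:443 ssl http2;` if
        # the host has an AAAA record.
        listen 0.0.0.0:80;
        listen 0.0.0.0:443 ssl http2; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/__DOMAIN_NAME__/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/__DOMAIN_NAME__/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        # NOTE(review): no Strict-Transport-Security header is sent. add_header
        # is not inherited into locations that declare their own add_header,
        # so HSTS would have to be repeated in every location below.

        # Send plain-HTTP requests for the public domain to HTTPS. Only the
        # http->https leg is redirected: the earlier `$scheme_for_domain !=
        # $scheme` test also answered TLS requests carrying any other Host
        # header with a 301 to http://$host, i.e. a downgrade to a
        # client-chosen host. Server-level `if`/`set` run in the rewrite
        # phase, in order, before any location is selected.
        set $scheme_pair "$scheme:$scheme_for_domain";
        if ($scheme_pair = "http:https") {
            return 301 https://$host$request_uri;
        }

        # ACME HTTP-01 challenge files. NOTE(review): the webroot here is
        # /etc/letsencrypt/live, the directory that also holds the private-key
        # symlinks, and certbot creates it root-only, so the nginx worker most
        # likely cannot read challenge files placed there. The location prefix
        # confines what can be served (nginx normalises `..` before matching),
        # but a dedicated webroot such as /var/www/letsencrypt is the safer
        # choice. Confirm how certbot is actually invoked (--nginx vs --webroot).
        location '/.well-known/acme-challenge' {
            root /etc/letsencrypt/live;
        }

        # Plain-HTTP gate: anything still on HTTP at this point (i.e. not the
        # public domain) is allowed only from allow-listed addresses. The
        # variable is named without the http_ prefix so it cannot be confused
        # with nginx's built-in $http_<header> request-header variables.
        set $plain_http_policy $scheme;
        if ($plain_http_policy = http) {
            set $plain_http_policy "${plain_http_policy};${allowed_http_addresses}";
        }
        # ACME validators' addresses cannot be allow-listed, and this `if`
        # runs before the challenge location is selected, so the challenge
        # path is exempted from the gate; it can only serve files from the
        # challenge directory above.
        if ($uri ~ "^/\.well-known/acme-challenge/") {
            set $plain_http_policy "http;acme";
        }
        if ($plain_http_policy = "http;deny") {
            return 400;
        }

        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;

        # NOTE(review): gzip_proxied any compresses the /api JSON responses
        # too. Compressing responses that mix attacker-influenced input with
        # secrets over TLS enables BREACH-style side channels; turn gzip off
        # in /api if its responses can carry tokens or other secrets.
        gzip on;
        gzip_proxied any;
        gzip_vary on;
        gzip_comp_level 9;
        gzip_http_version 1.0;
        gzip_buffers 16 8k;
        gzip_min_length 50;
        gzip_types
            text/css
            text/plain
            text/javascript
            application/javascript
            application/json
            application/x-javascript
            application/xml
            application/xml+rss
            application/xhtml+xml
            application/x-font-ttf
            application/x-font-opentype
            application/vnd.ms-fontobject
            image/svg+xml
            image/x-icon
            application/rss+xml
            application/atom_xml;

        client_max_body_size 100M;
        keepalive_timeout 300s;
        keepalive_requests 1000000;

        root /home/eventManager/client;

        # SPA entry point: unknown paths fall back to index.html, never cached.
        location / {
            try_files $uri $uri/ /index.html;
            add_header Cache-Control 'no-store';
            expires 0;
        }

        # CSS/JS: cacheable but always revalidated with the origin.
        location ~* \.(?:css|js)$ {
            add_header Cache-Control 'no-cache, public, must-revalidate, proxy-revalidate';
        }

        # Images and fonts: short public cache.
        location ~* \.(?:jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf)$ {
            expires 5m;
            add_header Cache-Control 'public';
        }

        # Backend API on localhost. X-Forwarded-For is appended, not replaced,
        # so the backend must treat only the last hop as trustworthy.
        # NOTE(review): `error_page 502 =200 /error.json` turns a dead backend
        # into an HTTP 200; status-code based monitoring will not see the outage.
        location /api {
            proxy_set_header HOST $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            add_header Cache-Control 'no-store';
            error_page 502 =200 /error.json;
            proxy_pass http://127.0.0.1:5000/api;
        }
    }
}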
=============================================================================
- nginx.conf
=============================================================================
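worker_processes auto;
worker_rlimit_nofile 10240;
pid /run/nginx.pid;

events {
    worker_connections 10240;
    accept_mutex off;
    multi_accept off;
}

# Bootstrap (plain-HTTP only) config used while the first certificate is
# being obtained; nginx-tls.conf replaces it afterwards.
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the nginx version in the Server: header and error pages.
    server_tokens off;

    # Upgrade/Connection pairing for WebSocket proxying. NOTE(review): nothing
    # below sets proxy_set_header Upgrade/Connection, so this map is currently
    # inert; kept in case the /api backend needs WebSockets.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Clients that may reach the server over plain HTTP (e.g. by IP). Add
    # entries such as `"~127.0.0.1" "allow";` above the default. With the
    # list empty, every request to this vhost gets 400 (port 80 only).
    map $remote_addr $allowed_http_addresses {
        default "deny";
    }

    server {
        listen 0.0.0.0:80;
        server_name web_client;

        # ACME HTTP-01 challenge files. NOTE(review): the webroot here is
        # /etc/letsencrypt/live, the directory that also holds the private-key
        # symlinks, and certbot creates it root-only, so the nginx worker most
        # likely cannot read challenge files placed there. The location prefix
        # confines what can be served (nginx normalises `..` before matching),
        # but a dedicated webroot such as /var/www/letsencrypt is the safer
        # choice. Confirm how certbot is actually invoked (--nginx vs --webroot).
        location '/.well-known/acme-challenge' {
            root /etc/letsencrypt/live;
        }

        # Plain-HTTP gate: only allow-listed addresses may use this vhost. The
        # variable is named without the http_ prefix so it cannot be confused
        # with nginx's built-in $http_<header> request-header variables.
        set $plain_http_policy $scheme;
        if ($plain_http_policy = http) {
            set $plain_http_policy "${plain_http_policy};${allowed_http_addresses}";
        }
        # ACME validators' addresses cannot be allow-listed, and this
        # server-level `if` runs in the rewrite phase before the challenge
        # location is selected, so without this exemption every validation
        # request would be answered 400 and issuance through this vhost could
        # not succeed. The exemption only exposes the challenge directory.
        if ($uri ~ "^/\.well-known/acme-challenge/") {
            set $plain_http_policy "http;acme";
        }
        if ($plain_http_policy = "http;deny") {
            return 400;
        }

        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;

        gzip on;
        gzip_proxied any;
        gzip_vary on;
        gzip_comp_level 9;
        gzip_http_version 1.0;
        gzip_buffers 16 8k;
        gzip_min_length 50;
        gzip_types
            text/css
            text/plain
            text/javascript
            application/javascript
            application/json
            application/x-javascript
            application/xml
            application/xml+rss
            application/xhtml+xml
            application/x-font-ttf
            application/x-font-opentype
            application/vnd.ms-fontobject
            image/svg+xml
            image/x-icon
            application/rss+xml
            application/atom_xml;

        client_max_body_size 100M;
        keepalive_timeout 300s;
        keepalive_requests 1000000;

        root /home/eventManager/client;

        # SPA entry point: unknown paths fall back to index.html, never cached.
        location / {
            try_files $uri $uri/ /index.html;
            add_header Cache-Control 'no-store';
            expires 0;
        }

        # CSS/JS: cacheable but always revalidated with the origin.
        location ~* \.(?:css|js)$ {
            add_header Cache-Control 'no-cache, public, must-revalidate, proxy-revalidate';
        }

        # Images and fonts: short public cache.
        location ~* \.(?:jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf)$ {
            expires 5m;
            add_header Cache-Control 'public';
        }

        # Backend API on localhost. X-Forwarded-For is appended, not replaced,
        # so the backend must treat only the last hop as trustworthy.
        # NOTE(review): `error_page 502 =200 /error.json` turns a dead backend
        # into an HTTP 200; status-code based monitoring will not see the outage.
        location /api {
            proxy_set_header HOST $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            add_header Cache-Control 'no-store';
            error_page 502 =200 /error.json;
            proxy_pass http://127.0.0.1:5000/api;
        }
    }
}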
=============================================================================


