Simple nginx config to put Redis behind a TLS proxy (includes a minimal configuration for running acme.sh)
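# Make sure to create folder /www and grant write access to nginx and yourself
# Hostname the certificate is issued for; it must match the server_name and the
# ssl_certificate paths used in nginx.conf.
# (Plain assignment here: the original `$DOMAIN=...` is a shell syntax error.)
DOMAIN="your domain"

# Create file structure to serve static file with challenge
# -p creates the intermediate directories and makes the command safe to re-run.
sudo mkdir -p /www/.well-known/acme-challenge
sudo chown nginx /www/.well-known/acme-challenge
# As example grant group write permission (e.g. you want www to belong to nginx user and anyone in nginx group) do:
# sudo is required here: after the chown above the directory no longer belongs to the invoking user.
sudo chmod g+w /www/.well-known/acme-challenge

# Requires write access to /www/.well-known/acme-challenge
# Issue certificate (you need to make sure you put yourself into nginx group or granted write access to all users)
./acme.sh --issue -d "$DOMAIN" -w /www --server letsencrypt

# Destination for the installed key and certificate; --install-cert copies files into it,
# so it has to exist first. key.pem is the private key: keep this directory readable
# only by root and the nginx user (it must not be world-readable).
sudo mkdir -p "/etc/nginx/ssl/$DOMAIN"
## Make sure to install cert with reload command
./acme.sh --install-cert -d "$DOMAIN" --key-file "/etc/nginx/ssl/$DOMAIN/key.pem" --fullchain-file "/etc/nginx/ssl/$DOMAIN/cert.pem" --reloadcmd "nginx -s reload"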
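user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

# First run (no certificate yet): every ssl_certificate / ssl_certificate_key line below
# points at files that acme.sh has not created yet, and nginx refuses to start when a
# referenced certificate file is missing. Comment out the stream server and the port-443
# server until the certificate has been issued, then restore them and reload.

# TLS-terminating proxy in front of Redis.
stream {
    log_format proxy '$remote_addr [$time_local] $status';

    # connection limiter by ip (cache size is 10 megabytes)
    limit_conn_zone $binary_remote_addr zone=by_ip_addr:10m;

    # For performance reasons you should run your Redis on unix socket
    # To enable it you need to modify your redis config file (default location etc/redis.conf)
    # Add following lines to enable unix socket (note that you need permissions to access it by nginx)
    # unixsocket /run/redis/redis.sock
    # unixsocketperm 770
    #
    # Also make sure Redis itself is not listening on TCP 6379 (e.g. `port 0` in redis.conf):
    # otherwise it clashes with the listener below and exposes a plaintext path that bypasses
    # this proxy entirely.
    upstream redis {
        server unix:/run/redis/redis.sock;
    }

    # redis
    server {
        listen 6379 ssl so_keepalive=10m;

        # Max 2 connections per IP
        # This strict, but useful in low end VPC
        # Even if you password restrict your Redis, you do not want someone to overload your system
        limit_conn by_ip_addr 2;

        proxy_pass redis;

        ssl_certificate /etc/nginx/ssl/<your hostname>/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/<your hostname>/key.pem;
        # TLS 1.0 and 1.1 are deprecated and removed here; any Redis client with a
        # current TLS library speaks 1.2 or 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;
        # NOTE: clients are not authenticated at the TLS layer, so the Redis password
        # (requirepass / ACL) plus the connection limit above are the only access
        # controls. If only known clients should be able to connect at all, consider
        # ssl_verify_client with a private CA.
    }

    access_log /var/log/nginx/redis-access.log proxy;
}

# Plain HTTP/HTTPS vhost whose only job is to serve the ACME HTTP-01 challenge.
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format http '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    access_log /var/log/nginx/http-access.log http;
    keepalive_timeout 65;

    # Challenge files are written by acme.sh under /www/.well-known/acme-challenge
    root /www;

    server {
        listen 80;
        server_name <your hostname>;

        # The challenge path stays reachable over plain HTTP at all times (issuance and
        # every renewal), so nothing needs to be commented in or out later.
        location /.well-known/acme-challenge/ {
        }

        # Everything else is sent to HTTPS. A location-scoped return (instead of a
        # server-level one) lets the challenge location above still match.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name <your hostname>;

        ssl_certificate /etc/nginx/ssl/<your hostname>/cert.pem;
        ssl_certificate_key /etc/nginx/ssl/<your hostname>/key.pem;
        # Same protocol policy as the stream server: no deprecated TLS 1.0 / 1.1.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Served from `root /www` above; kept so redirected challenge requests also succeed.
        location /.well-known/acme-challenge/ {
        }
    }
}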