Last active
May 31, 2022 20:08
-
-
Save IliasDeros/69bfc3de47cc64a4e61e52c9f3c45c50 to your computer and use it in GitHub Desktop.
Add HTTPS to your server using Nginx. Adapted from https://www.yeetpc.com/blog/nginx-reverse-proxy/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/nginx/sites-available/reverse-proxy.conf | |
| server { | |
| listen 80; | |
| server_name yourdomain.com; | |
| return 301 https://yourdomain.com$request_uri; | |
| } | |
| server { | |
| listen 443 ssl; | |
| server_name yourdomain.com; | |
| # Temporary SSL configuration | |
| ssl_certificate /home/user/certificate.pem; # managed by Certbot | |
| ssl_certificate_key /home/user/key.pem; # managed by Certbot | |
| # After you run certbot --nginx -d yourdomain.com, the 3 lines above should be updated to: | |
| # ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; # managed by Certbot | |
| # ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; # managed by Certbot | |
| ssl_session_cache builtin:1000 shared:SSL:10m; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; | |
| ssl_prefer_server_ciphers on; | |
| # Set the access log location | |
| access_log /var/log/nginx/yourdomain.access.log; | |
| location / { | |
| # Set the proxy headers | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| # Configure which address the request is proxied to | |
| proxy_pass http://localhost:3000/; | |
| proxy_read_timeout 90; | |
| # Security headers | |
| add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; | |
| add_header X-Frame-Options DENY; | |
| add_header X-Content-Type-Options nosniff; | |
| add_header X-XSS-Protection "1; mode=block"; | |
| add_header Referrer-Policy "origin"; | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Symlink config to the sites-available directory (which Nginx reads) | |
| sudo ln -s /etc/nginx/sites-enabled/reverse-proxy.conf /etc/nginx/sites-available/reverse-proxy.conf | |
| # Generate certificate | |
| cd /home/user | |
| openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem | |
| # Encrypt certificate using LetsEncrypt | |
| apt install python3-certbot-nginx | |
| certbot --nginx -d yourdomain.com | |
| # Load changes | |
| systemctl restart nginx | |
| # Automatically try to renew the certificate at 1:00am every day. | |
| # crontab -e | |
| # 0 1 * * * certbot renew |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment