
@alifeee
Last active April 17, 2024 14:38
nginx-setup

Nginx setup on Ubuntu

How to set up nginx on an Ubuntu server

Steps

install

sudo apt install nginx

start on boot

sudo systemctl enable nginx

start

sudo systemctl start nginx

restart

sudo systemctl restart nginx

allow through firewall

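# HTTP and HTTPS only need TCP; a bare "ufw allow 80" opens the UDP port as well.
sudo ufw allow 80/tcp
# Port 443 is required once the HTTPS section below is set up.
sudo ufw allow 443/tcp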

edit config

nano /etc/nginx/nginx.conf
nginx -t # test layout
sudo systemctl restart nginx

scp config to save to this gist

scp root@server.alifeee.co.uk:/etc/nginx/nginx.conf .

Config examples

subdomain redirect

This forwards (reverse-proxies) requests for webring.alifeee.co.uk to the service on localhost:8080. Without this, you would have to access the endpoint with webring.alifeee.co.uk:8080, which looks ugly :(

# Reverse proxy: requests for webring.alifeee.co.uk on port 80 are passed to
# the service listening on localhost:8080.
# NOTE(review): this example is plain HTTP only; the HTTPS section of this
# page shows the TLS-enabled version of the same block.
server {
  listen 80;
  server_name webring.alifeee.co.uk;
  location / {
    # Every path under / goes to the local backend.
    proxy_pass http://localhost:8080;
  }
}

(default) static site

This serves static files from /var/www/server_homepage

# Catch-all static site: as default_server on port 80 (IPv4 and IPv6) it
# answers requests whose Host header matches no other server block.
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  root /var/www/server_homepage;
  # "_" is a placeholder name that is not expected to match a real hostname.
  server_name _;
  location / {
    # Try the path as a file, then as a directory, otherwise answer 404.
    try_files $uri $uri/ =404;
  }
}

Folder alias

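This serves requests to https://server.alifeee.co.uk/factorio from /var/www/factorio_map instead of /var/www/server_homepage/factorio. Keep a trailing slash on both the location and the alias path (location /factorio/ with alias /var/www/factorio_map/): if only the alias has one, URIs that merely begin with /factorio are matched too and can resolve outside the aliased folder.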

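  # The location prefix ends in "/" to match the trailing "/" on the alias
  # path. With a bare "location /factorio", any URI that only starts with that
  # prefix matches and the rest of the URI is appended to the alias path, which
  # can resolve to files outside /var/www/factorio_map/.
  # The exact-match location keeps the slash-less URL working via a redirect.
  location = /factorio {
    return 301 /factorio/;
  }
  location /factorio/ {
    alias /var/www/factorio_map/;
    try_files $uri $uri/ =404;
  }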

Authentication

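This adds HTTP basic auth (the box with user/password) to a request. Basic auth sends the password with every request in an easily decoded form, so only use it in a server block that is served over HTTPS. First, make a password file with the command below (-c creates the file and overwrites an existing one, so leave -c out when adding further users):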

sudo htpasswd -c /etc/nginx/.htpasswd <user>
                # Require a username/password from the htpasswd file for everything under /calendar.
                location /calendar {
                        # Realm text shown in the browser's login prompt.
                        auth_basic "Neil's calendar";
                        # Password file created with htpasswd.
                        auth_basic_user_file /etc/nginx/.htpasswd;
                }

HTTPS

I used let's encrypt: https://letsencrypt.org/getting-started/ with CertBot: https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal.

For the Proxy pass I used this guide: https://gist.github.com/gmolveau/5e5b0bd2773100d85d9302d0fa96632d

sudo apt-get remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --nginx
> Certificate is saved at: /etc/letsencrypt/live/webring.alifeee.co.uk/fullchain.pem
> Key is saved at: /etc/letsencrypt/live/webring.alifeee.co.uk/privkey.pem
This certificate expires on 2024-02-20.
sudo certbot renew --dry-run
# Main context: worker processes run as the www-data user.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
# Pulls in every module configuration found in modules-enabled.
include /etc/nginx/modules-enabled/*.conf;
events {
# Upper bound on simultaneous connections per worker process.
worker_connections 768;
# multi_accept on;
}
http {
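##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# Keep the nginx version out of the Server header and the built-in error pages.
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
# TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 and 1.3 are offered.
# NOTE(review): every HTTPS server block below also includes Certbot's
# options-ssl-nginx.conf, which may set ssl_protocols itself - confirm the
# effective value there as well.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;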
# HTTPS reverse proxy: webring.alifeee.co.uk -> local service on port 8080.
server {
server_name webring.alifeee.co.uk;
# HTTP to HTTPS
# NOTE(review): this block only has "listen ... 443 ssl" lines, so $scheme
# looks like it is always "https" here and this redirect never fires; the
# separate port-80 server for this name performs the redirect - confirm.
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
# HTTPS configuration
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/webring.alifeee.co.uk/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/webring.alifeee.co.uk/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://localhost:8080;
# Do not rewrite Location/Refresh headers coming back from the backend.
proxy_redirect off;
# Hand the backend the Host header exactly as the client sent it.
proxy_set_header Host $http_host;
# X-Real-IP is the address nginx saw. X-Forwarded-For is whatever the client
# sent with that address appended, so the backend should trust only the
# last entry of that list.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Wait up to 900 seconds between reads from the backend before giving up.
proxy_read_timeout 900;
}
}
# HTTPS reverse proxy: steamcollage.alifeee.co.uk -> local service on port 5000.
# NOTE(review): only an IPv4 "listen 443 ssl" is present; IPv6 connections on
# 443 for this name would be answered by another server block that listens on
# [::]:443, with that block's certificate - confirm whether this is intended.
server {
server_name steamcollage.alifeee.co.uk;
location / {
proxy_pass http://localhost:5000;
proxy_redirect off;
# The backend receives the client's Host header unchanged.
proxy_set_header Host $http_host;
# X-Forwarded-For includes any value the client supplied; only the last
# entry (appended by nginx) is reliable.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 900;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/steamcollage.alifeee.co.uk/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/steamcollage.alifeee.co.uk/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# HTTPS reverse proxy with HTTP basic auth in front:
# webdiffer.alifeee.co.uk -> local service on port 5616.
server {
server_name webdiffer.alifeee.co.uk;
location / {
proxy_pass http://localhost:5616;
proxy_redirect off;
proxy_set_header Host $http_host;
# X-Forwarded-For includes any value the client supplied; only the last
# entry (appended by nginx) is reliable.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 900;
# Credentials are checked against the htpasswd file before the request is
# proxied. This block listens on 443 with TLS only, so the password is not
# sent in clear text to this server block.
auth_basic "website differ";
auth_basic_user_file /etc/nginx/.htpasswd;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/webdiffer.alifeee.co.uk/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/webdiffer.alifeee.co.uk/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# HTTPS reverse proxy: influxdb.alifeee.co.uk -> local service on port 8086.
# NOTE(review): unlike the webdiffer block there is no auth_basic here, so
# access control presumably relies on the backend's own authentication -
# confirm that it is enabled before exposing this name publicly.
# NOTE(review): only an IPv4 "listen 443 ssl" is present; IPv6 connections on
# 443 for this name would be answered by another server block that listens on
# [::]:443 - confirm whether this is intended.
server {
server_name influxdb.alifeee.co.uk;
location / {
proxy_pass http://localhost:8086;
proxy_redirect off;
proxy_set_header Host $http_host;
# X-Forwarded-For includes any value the client supplied; only the last
# entry (appended by nginx) is reliable.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 900;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/influxdb.alifeee.co.uk/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/influxdb.alifeee.co.uk/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
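# Static site for server.alifeee.co.uk plus several aliased folders.
# It is also the default_server on port 80, so plain-HTTP requests for names
# without a matching port-80 block of their own are answered here.
server {
  server_name server.alifeee.co.uk;
  listen 80 default_server;
  listen [::]:80 default_server;
  listen [::]:443 ssl; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/server.alifeee.co.uk/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/server.alifeee.co.uk/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

  location / {
    root /var/www/server_homepage;
    try_files $uri $uri/ =404;
  }

  # Every alias location below ends in "/" to match the trailing "/" on its
  # alias path. With a bare prefix such as "location /static", any URI that
  # only starts with the prefix matches and the remainder is appended to the
  # alias path, which can resolve outside the aliased folder - including into
  # a sibling folder that is meant to sit behind auth_basic.
  # The exact-match locations keep the slash-less URLs working via a redirect.
  location = /static {
    return 301 /static/;
  }
  location /static/ {
    alias /var/www/static/;
    try_files $uri $uri/ =404;
  }

  # Runs one fixed CGI script through the fcgiwrap socket; SCRIPT_FILENAME is
  # hard-coded, so the request path does not select the file that is executed.
  location /bench {
    fastcgi_intercept_errors on;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /var/www/localhost/bench.cgi;
    fastcgi_pass unix:/var/run/fcgiwrap.socket;
  }

  location = /factorio {
    return 301 /factorio/;
  }
  location /factorio/ {
    alias /var/www/factorio_map/;
    try_files $uri $uri/ =404;
  }

  location = /bothies {
    return 301 /bothies/;
  }
  location /bothies/ {
    alias /var/www/bothies/;
    try_files $uri $uri/ =404;
    # auth_basic "bothies";
    # auth_basic_user_file /etc/nginx/.htpasswd;
  }

  location = /calendar {
    return 301 /calendar/;
  }
  location /calendar/ {
    # This server block also listens on port 80. Basic-auth credentials must
    # not travel over plain HTTP, so such requests are sent to HTTPS before
    # the password prompt is issued. The fixed host name avoids echoing an
    # arbitrary Host header from the default_server back to the client.
    if ($scheme != "https") {
      return 301 https://server.alifeee.co.uk$request_uri;
    }
    alias /var/www/calendar/;
    try_files $uri $uri/ =404;
    # index index.html;
    auth_basic "Neil's calendar";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # location ~ /calendar/.*\.php$ {
    # return 200 'this is a php file';
    # add_header Content-Type text/plain;
    # include snippets/fastcgi-php.conf;
    # fastcgi_split_path_info ^(.+\.php)(.*)$;
    # fastcgi_pass unix:/var/run/php8.1-fpm-calendar-site.sock;
    # fastcgi_pass unix:/var/run/php8.1-fpm.sock;
    # fastcgi_index index.php;
    # include fastcgi.conf;
    # }
    # location /calendar {
    # try_files $uri $uri/ =404;
    # }
    # include snippets/fastcgi-php.conf;
    # fastcgi_pass unix:/run/php/php8.1-fpm.sock;
  }
}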
# Port-80 servers managed by Certbot: each one redirects plain HTTP for its
# host name to HTTPS. The trailing "return 404" is only reached when the Host
# header does not equal the name tested in the "if".
# NOTE(review): the steamcollage and influxdb blocks have "listen 80" but no
# "listen [::]:80", so IPv6 requests on port 80 for those names appear to be
# handled by the [::]:80 default_server block instead of being redirected
# here - confirm.
server {
if ($host = webring.alifeee.co.uk) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name webring.alifeee.co.uk;
listen 80;
listen [::]:80;
return 404; # managed by Certbot
}
server {
if ($host = steamcollage.alifeee.co.uk) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name steamcollage.alifeee.co.uk;
listen 80;
return 404; # managed by Certbot
}
server {
if ($host = webdiffer.alifeee.co.uk) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name webdiffer.alifeee.co.uk;
listen 80;
listen [::]:80;
return 404; # managed by Certbot
}
server {
if ($host = influxdb.alifeee.co.uk) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name influxdb.alifeee.co.uk;
listen 80;
return 404; # managed by Certbot
# The first brace below closes this server block, the second closes http.
}}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}