Skip to content

Instantly share code, notes, and snippets.

@arjenblokzijl

arjenblokzijl/ssl-serverpilot.md

Last active July 25, 2018 20:36
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 4 You must be signed in to fork a gist
  • Save arjenblokzijl/175eb731584cc6cfb7bf to your computer and use it in GitHub Desktop.
Save arjenblokzijl/175eb731584cc6cfb7bf to your computer and use it in GitHub Desktop.
Download ZIP
How To Add SSL to ServerPilot nginx
Raw
ssl-serverpilot.md

How To Add SSL to ServerPilot nginx

Requirements

  1. Domain (i.e. example.com)
  2. Subdomain(s): (i.e. www.example.com)
  3. Username
  4. App name

Create the Certificate

  1. Stop nginx service nginx-sp stop
  2. Create certificate ./letsencrypt-auto certonly --standalone -d YOURDOMAIN.COM -d WWW.YOURDOMAIN.COM

It should say:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem. Your
   cert will expire on 2016-06-12. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
  1. Start nginx service nginx-sp start

Add certificate to host

  1. cd /etc/nginx-sp/vhosts.d
  2. vi YOURAPPNAME.ssl.conf
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name  YOURDOMAIN.COM www.YOURDOMAIN.COM;

	ssl on;

	# letsencrypt certificates
	ssl_certificate      /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem;
	ssl_certificate_key  /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem;

	#SSL Optimization
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:20m;
	ssl_session_tickets off;

	# modern configuration
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;

	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

	# OCSP stapling
	ssl_stapling on;
	ssl_stapling_verify on;

	# verify chain of trust of OCSP response
	ssl_trusted_certificate /etc/letsencrypt/live/YOURDOMAIN.COM/chain.pem;
	#root directory and logfiles
	root /srv/users/YOURUSERNAME/apps/YOURAPPNAME/public;

	access_log /srv/users/YOURUSERNAME/log/YOURAPPNAME/YOURAPPNAME_nginx.access.log main;
	error_log /srv/users/YOURUSERNAME/log/YOURAPPNAME/YOURAPPNAME_nginx.error.log;

	#proxyset
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-SSL on;
	proxy_set_header X-Forwarded-Proto $scheme;

	#includes
	include /etc/nginx-sp/vhosts.d/YOURAPPNAME.d/*.nonssl_conf;
	include /etc/nginx-sp/vhosts.d/YOURAPPNAME.d/*.conf;
}
  1. service nginx-sp restart

Auto update through cronjob

  1. @monthly /opt/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot -w /srv/users/YOURUSERNAME/apps/YOURAPPNAME/public -d YOURDOMAIN.COM -d www.YOURDOMAIN.COM
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment