@jspw
Created June 22, 2023 19:37

Configuration for SSL Certificate

Install Certbot

sudo apt install certbot python3-certbot-nginx

The config will depend on your web server: Apache or nginx.

Note: I am using nginx.

NGINX

Run Certbot to request and install SSL certificates for your domains. You'll need to run Certbot separately for each domain:

I do have two domains:

  • neogenacademy.com
  • api.neogenacademy.com

So you know what to do bitch

certbot --nginx -d neogenacademy.com
certbot --nginx -d api.neogenacademy.com

These commands will automatically configure nginx with the SSL certificates for each domain. It will ask several shitty questions you have no fucking idea about.

Just copy their whole shit into chatgpt and it will help you with that.

Question

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 

ChatGPT

The choice between redirecting HTTP traffic to HTTPS or not depends on your specific requirements and preferences. Here's a brief explanation of the options presented:

1. **No redirect**: Choosing option 1 means that your server will continue serving both HTTP and HTTPS traffic. This option is suitable if you want to support both HTTP and HTTPS access to your website. It can be useful during the transition phase or if you have specific reasons to keep HTTP access available.

2. **Redirect**: Choosing option 2 will configure your server to redirect all HTTP traffic to HTTPS. This means that whenever a user tries to access your website using HTTP, they will be automatically redirected to the HTTPS version. This option is recommended if you want to enforce HTTPS and ensure that all traffic is securely encrypted. It provides a better user experience by automatically redirecting users to the secure version of your website.

If you choose option 2, it's important to ensure that your website works correctly on HTTPS. Make sure all the necessary resources (CSS, JavaScript, images, etc.) are loaded securely over HTTPS. Additionally, verify that any API endpoints or backend services your website depends on are also accessible over HTTPS.

Consider the security and privacy implications of your website and the data transmitted between the server and clients. If your website handles sensitive information, such as user login credentials or personal data, it's generally recommended to use HTTPS and enable the redirect to enforce secure connections.

Ultimately, the choice depends on your specific use case and requirements. If you're unsure, you can start with option 1 (no redirect) and later enable the redirect to HTTPS once you have verified that everything works correctly.

All done, I hope, with the prompts. Now check your nginx sites config file and surprise MFFF!

Before SSL

 ⚡ root@ubuntu-s-4vcpu-8gb-intel-sgp1-01  ~  cat  /etc/nginx/sites-available/my-react-app
server {
    listen 80;
    server_name neogenacademy.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen 80;
    server_name api.neogenacademy.com;

    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

After SSL

 ⚡ root@ubuntu-s-4vcpu-8gb-intel-sgp1-01  ~  cat  /etc/nginx/sites-available/my-react-app     
server {
    listen 80;
    server_name neogenacademy.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/neogenacademy.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/neogenacademy.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    listen 80;
    server_name api.neogenacademy.com;

    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

NOTE: there is a symbolic link from /etc/nginx/sites-available/my-react-app to /etc/nginx/sites-enabled/. To learn more, check this out: Config nginx with symlink | Explanation on How Nginx works with Symbolic Link

Restart Nginx

After updating the configuration, you'll need to restart Nginx for the changes to take effect:

sudo systemctl restart nginx

With these changes, Nginx should now be configured to serve your website over HTTPS using the SSL certificate you obtained from Let's Encrypt.

You can test the SSL configuration of your websites using the SSL Labs test:

  • neogenacademy.com: https://www.ssllabs.com/ssltest/analyze.html?d=neogenacademy.com
  • api.neogenacademy.com: https://www.ssllabs.com/ssltest/analyze.html?d=api.neogenacademy.com

Congratulations on enabling HTTPS for your websites!

. . . . .

Still having some issues?

Firewall

Are you using any firewall on your server?

Check firewall status

sudo ufw status

Status: inactive

As we have already seen in the nginx configuration, we have two public ports, 3000 and 5000, opened, so I'm guessing you are already using a firewall and the necessary ports are open.

Though, as you didn't have SSL before, 443 is not opened yet. So it could be something like this:

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
3000/tcp                   ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
27018                      ALLOW       Anywhere                  
27019                      ALLOW       Anywhere                  
27020                      ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
3000/tcp (v6)              ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)             
27018 (v6)                 ALLOW       Anywhere (v6)             
27019 (v6)                 ALLOW       Anywhere (v6)             
27020 (v6)                 ALLOW       Anywhere (v6) 

Yes, we need to allow 443:

sudo ufw allow 443

Now check again:

sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
3000/tcp                   ALLOW       Anywhere                  
Nginx HTTP                 ALLOW       Anywhere                  
27018                      ALLOW       Anywhere                  
27019                      ALLOW       Anywhere                  
27020                      ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
3000/tcp (v6)              ALLOW       Anywhere (v6)             
Nginx HTTP (v6)            ALLOW       Anywhere (v6)             
27018 (v6)                 ALLOW       Anywhere (v6)             
27019 (v6)                 ALLOW       Anywhere (v6)             
27020 (v6)                 ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6) 
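Two checks worth running over the site file and the ufw table shown above, as an added example (my script, not part of the gist): whether a backend port that nginx only proxies to on localhost is also opened to the world by ufw (3000/tcp is, in the table above), and whether any server_name still answers plain HTTP with no redirect, which is what picking "1: No redirect" at the Certbot prompt leaves behind. It assumes a saved copy of `ufw status` as its second input; the sample inputs are constructed from the gist's own config and table.

```bash
#!/usr/bin/env bash
# Added example, not from the gist: audit the nginx site file and a saved copy
# of `ufw status` after Certbot. Samples mirror the gist's "After SSL" config.
# Ports nginx proxies to on localhost (proxy_pass http://localhost:PORT).
backend_ports() {  # $1 = nginx site file
  sed -nE 's#.*proxy_pass +http://(localhost|127\.0\.0\.1):([0-9]+).*#\2#p' "$1" | sort -u
}
# Numeric ports ufw allows from Anywhere (IPv4 rows; named app profiles skipped).
ufw_open_ports() {  # $1 = saved `ufw status` output
  awk 'NF==3 && $2=="ALLOW" && $3=="Anywhere" { sub(/\/tcp$/, "", $1)
       if ($1 ~ /^[0-9]+$/) print $1 }' "$1" | sort -u
}
# Backend ports ufw also opens: reachable directly, bypassing nginx and TLS,
# whenever the app binds to all interfaces instead of 127.0.0.1.
exposed_backends() {  # $1 = nginx site file, $2 = ufw output
  for p in $(backend_ports "$1"); do
    ufw_open_ports "$2" | grep -qx "$p" && echo "$p"
  done; return 0
}
# server_name values that still answer plain HTTP with no 301 to https://
http_without_redirect() {  # $1 = nginx site file
  awk 'index($0, "{") { depth++ }
       /^[[:space:]]*server_name/ { name = $2; sub(/;$/, "", name) }
       /listen +80;/ { l80 = 1 }
       /return +301 +https:\/\// { redir = 1 }
       index($0, "}") { depth--; if (depth == 0) {
         if (l80 && !redir) print name; name = ""; l80 = 0; redir = 0 } }' "$1"
}
# Constructed samples written to temp files so the checks run offline.
NGINX_SAMPLE=$(mktemp); UFW_SAMPLE=$(mktemp)
cat > "$NGINX_SAMPLE" <<'EOF'
server {
    listen 80;
    server_name neogenacademy.com;
    location / { proxy_pass http://localhost:3000; }
    listen 443 ssl; # managed by Certbot
}
server {
    listen 80;
    server_name api.neogenacademy.com;
    location / { proxy_pass http://localhost:5000; }
}
EOF
cat > "$UFW_SAMPLE" <<'EOF'
To                         Action      From
3000/tcp                   ALLOW       Anywhere
443                        ALLOW       Anywhere
3000/tcp (v6)              ALLOW       Anywhere (v6)
EOF
echo "backends exposed past nginx: $(exposed_backends "$NGINX_SAMPLE" "$UFW_SAMPLE")"
echo "plain HTTP, no redirect: $(http_without_redirect "$NGINX_SAMPLE" | tr '\n' ' ')"
```

On the real box, point the two functions at /etc/nginx/sites-available/my-react-app and at `sudo ufw status > /tmp/ufw.txt`; an empty result from both is what you want before calling the setup done.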

Hopefully we are done here. At least for 3 months*?
