@pedrouid
Last active July 2, 2024 04:27
Setup SSL with NGINX reverse proxy

Get a Free SSL Certificate With Let’s Encrypt

Let’s Encrypt is a free, automated, and open Certificate Authority.

  1. Install Certbot, the tool used to obtain Let's Encrypt certificates

    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update
    sudo apt-get install python-certbot-nginx
    
  2. Configure your domain's DNS to point to your droplet's IP

  3. Check that your domain resolves correctly

    $ dig +short example.com
    > 138.68.174.154
    
  4. Run Certbot to create the SSL certificate

    sudo certbot --nginx certonly
    

Setup Nginx with SSL

  1. Install Nginx

    sudo apt-get install nginx
    
  2. Redirect all HTTP traffic to HTTPS

    # Open the following file
    sudo vim /etc/nginx/sites-enabled/default
    
    # Delete everything and add the following
    server {
        listen 80;
        listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
    }
    
  3. Create a secure Diffie-Hellman group (takes a few minutes)

    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    
  4. Create a configuration file for SSL

    # Open the following file
    sudo vim /etc/nginx/snippets/ssl-params.conf
    
    # Paste the following from https://cipherli.st/ (follow the link for more info)
    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 208.67.222.222 208.67.220.220 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    
    
    # Paste this at the bottom of the file
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    
  5. Configure the server to use SSL

    ATTENTION: Replace every occurrence of example.com with your own domain

    # Open the following file
    sudo vim /etc/nginx/sites-enabled/default
    
    # Paste the following below the existing config
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com; # REPLACE HERE
    
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # REPLACE HERE
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # REPLACE HERE
    
        include snippets/ssl-params.conf;
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_pass http://localhost:5000/;
            proxy_ssl_session_reuse off;
            proxy_set_header Host $http_host;
            proxy_pass_header Server;
            proxy_cache_bypass $http_upgrade;
            proxy_redirect off;
        }
    }
    
  6. Test the Nginx config

    $ sudo nginx -t
    > nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    > nginx: configuration file /etc/nginx/nginx.conf test is successful
    
  7. Start Nginx

    sudo systemctl start nginx
    
  8. Finally, test your app by visiting your domain on your browser!
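
As an added example (not part of the gist), a small POSIX shell lint that checks an ssl-params snippet like the one in step 4 for the settings a reviewer would flag: TLS 1.0/1.1 still listed in ssl_protocols, session tickets left on, a missing Strict-Transport-Security header, and ssl_stapling without a resolver. The snippets it runs over are constructed copies; the hardened form keeps only TLSv1.2 and TLSv1.3.

```shell
#!/bin/sh
# Added example, not part of the gist: lint an nginx ssl-params snippet read
# on stdin. Findings go to stderr; the count of findings is printed to stdout.
has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }   # does the snippet match this ERE?
lint_ssl_params() {
    cfg=$(cat)
    n=0
    # TLS 1.0/1.1 are deprecated (RFC 8996). The pattern requires a delimiter
    # right after "TLSv1" so that TLSv1.2 and TLSv1.3 are not flagged.
    if has '^[[:space:]]*ssl_protocols[[:space:]].*[[:space:]]TLSv1(\.1)?([[:space:];]|$)'; then
        echo "WEAK: ssl_protocols still enables TLSv1/TLSv1.1" >&2; n=$((n + 1))
    fi
    # Tickets default to on; nginx only regenerates the ticket key on restart, which weakens forward secrecy.
    if ! has '^[[:space:]]*ssl_session_tickets[[:space:]]+off[[:space:]]*;'; then
        echo "WEAK: ssl_session_tickets is not off" >&2; n=$((n + 1))
    fi
    # HSTS keeps returning browsers from ever using the port-80 listener again.
    if ! has '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security[[:space:]]'; then
        echo "MISSING: Strict-Transport-Security header" >&2; n=$((n + 1))
    fi
    # Stapling needs a resolver to reach the OCSP responder named in the certificate.
    if has '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;' && ! has '^[[:space:]]*resolver[[:space:]]'; then
        echo "BROKEN: ssl_stapling on but no resolver directive" >&2; n=$((n + 1))
    fi
    echo "$n"
}
# Constructed samples: the gist's directives (trimmed to those checked) and a hardened form.
gist_snippet() {
    cat <<'EOF'
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
resolver 208.67.222.222 208.67.220.220 valid=300s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
EOF
}
hardened_snippet() {
    cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_tickets off;
ssl_stapling on;
resolver 208.67.222.222 208.67.220.220 valid=300s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
EOF
}
# A minimal config that passes `nginx -t` yet trips every check.
naive_snippet() { printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_stapling on;\n'; }
for s in gist_snippet hardened_snippet naive_snippet; do
    echo "$s: $($s | lint_ssl_params) finding(s)"
done
```

Run it against your own file with `lint_ssl_params < /etc/nginx/snippets/ssl-params.conf` after sourcing the script; `nginx -t` only checks syntax, not whether the settings are sensible.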

@f2ka07

f2ka07 commented Mar 27, 2023

In addition to the aforementioned guide, there exists a graphical user interface (GUI) known as Nginx Proxy Manager, which may appeal to individuals who prefer not to work with code directly. The suggested approach to utilizing the Nginx Proxy Manager involves installing it on Docker and utilizing it to forward traffic to Docker containers within the same network. Following installation, generating SSL certificates is a simple process that can be achieved with a single click.

References:

  1. Nginx Proxy Manager Video
  2. Configure Nginx proxy_pass https

@chokychou

For newer OS: sudo apt-get install python3-certbot-nginx

@sheiy

sheiy commented Jun 18, 2024

A very useful Nginx SSL configuration file. Previously, the configuration I did myself often couldn't be accessed through Safari, but now I can smoothly access my service. Thank you very much.

😭 same as before

I resolved this issue by updating nginx from version 1.20.1 installed via yum on CentOS to the self-compiled version 1.24.0.

@saujla-nv

Thank you! Very helpful..
