pedrouid/setup-ssl.md

## setup-ssl.md

      
    Raw
  

              setup-ssl.md
            
          
    Get a Free SSL Certificate With Let’s Encrypt

Let’s Encrypt is a free, automated, and open Certificate Authority.

Install tools for using the Let's Encrypt certificates using Certbot

  sudo apt-get update \
  sudo apt-get install software-properties-common
  sudo add-apt-repository ppa:certbot/certbot
  sudo apt-get update
  sudo apt-get install python-certbot-nginx


Configure your domain DNS to point to your droplet's IP


Check if your domain is pointing correctly
$ dig +short example.com
> 138.68.174.154


Run Certbot to create the SSL certificate
sudo certbot --nginx certonly


Setup Nginx with SSL


Install Nginx
sudo apt-get install nginx


Redirect all traffic traffic to SSL
# Open the following file
sudo vim /etc/nginx/sites-enabled/default

# Delete everything and add the following
server {
    listen 80;
    listen [::]:80 default_server ipv6only=on;
    return 301 https://$host$request_uri;
}


Create a secure Diffie-Hellman group (takes a few minutes)
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048


Create a configuration file for SSL
# Open the following file
sudo vim /etc/nginx/snippets/ssl-params.conf

# Paste the following from https://cipherli.st/ (follow the link for more info)
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 208.67.222.222 208.67.220.220 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";


# Paste this at the bottom of the file
ssl_dhparam /etc/ssl/certs/dhparam.pem;


Configure the server to use SSL
ATTENTION: Replace all the example.com with your domain
# Open the following file
sudo vim /etc/nginx/sites-enabled/default

# Paste the following bellow the existing config
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com; # REPLACE HERE

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # REPLACE HERE
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # REPLACE HERE

    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_pass http://localhost:5000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_pass_header Server;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}


Test the Nginx config
$ sudo nginx -t
> nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
> nginx: configuration file /etc/nginx/nginx.conf test is successful


Start Nginx
sudo systemctl start nginx


Finally, test your app by visiting your domain on your browser!