Ghost blog letsencrypt example for skylar.tech
# I used to redirect all traffic to https at the server level, but that broke
# letsencrypt validation because the validation needs to run over plain http.
#server {
# listen 80;
# server_name skylar.tech;
# return 301 https://$host$request_uri;
#}
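server {
    listen 80;
    listen [::]:80;
    server_name skylar.tech;
    root /ghost; # Used for acme.sh SSL verification (https://acme.sh)

    # letsencrypt directory: acme.sh drops its challenge files under
    # /ghost/.well-known and they are served straight from disk.
    # A "^~" prefix match replaces the old "~ /.well-known" regex: that regex
    # was unanchored and its '.' was unescaped, so it also matched any URI
    # that merely contained "/<anychar>well-known" somewhere in it.
    location ^~ /.well-known/ {
        allow all;
    }

    # Everything else is sent to https. Doing the redirect here instead of for
    # the whole server keeps the .well-known location above reachable over
    # plain http, which is what the certificate validation needs.
    # $server_name is used instead of $host so that a stray Host header is
    # not echoed back into the Location header.
    location / {
        return 301 https://$server_name$request_uri;
    }
}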
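server {
    listen 443 ssl;
    # The port-80 server already listens on IPv6; without this line an IPv6
    # client is redirected to https and then finds nothing listening there.
    listen [::]:443 ssl;
    resolver 1.1.1.1 ipv6=off;
    server_name skylar.tech;
    root /ghost;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    # Pin the protocol versions instead of relying on the build's default,
    # which may still include TLSv1.0/1.1. The TLSv1.3 token needs nginx 1.13+
    # built against OpenSSL 1.1.1; drop it if `nginx -t` rejects it.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Same list as before minus 3DES: DES-CBC3-SHA was explicitly enabled and
    # "!DES" only removes single DES, so "!3DES" is appended to make the
    # exclusion explicit.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
    ssl_prefer_server_ciphers on;
    # Once certificate renewal has been confirmed to work, consider enabling
    # HSTS here (it belongs in the https server only; a browser that has seen
    # it refuses plain http for this host until max-age expires):
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # cloudflare IPs (uncomment if using Cloudflare's Proxy)
    # set_real_ip_from 103.21.244.0/22;
    # set_real_ip_from 103.22.200.0/22;
    # set_real_ip_from 103.31.4.0/22;
    # set_real_ip_from 104.16.0.0/12;
    # set_real_ip_from 108.162.192.0/18;
    # set_real_ip_from 131.0.72.0/22;
    # set_real_ip_from 141.101.64.0/18;
    # set_real_ip_from 162.158.0.0/15;
    # set_real_ip_from 172.64.0.0/13;
    # set_real_ip_from 173.245.48.0/20;
    # set_real_ip_from 188.114.96.0/20;
    # set_real_ip_from 190.93.240.0/20;
    # set_real_ip_from 197.234.240.0/22;
    # set_real_ip_from 198.41.128.0/17;
    # set_real_ip_from 2400:cb00::/32;
    # set_real_ip_from 2606:4700::/32;
    # set_real_ip_from 2803:f800::/32;
    # set_real_ip_from 2405:b500::/32;
    # set_real_ip_from 2405:8100::/32;
    # set_real_ip_from 2c0f:f248::/32;
    # set_real_ip_from 2a06:98c0::/29;
    client_max_body_size 1024M;
    # if using a proxy use one of these (the first is for Cloudflare only, the
    # second works with any proxy). Only trust the header when the matching
    # set_real_ip_from ranges above are enabled, otherwise any client can
    # spoof the address the backend sees.
    # real_ip_header CF-Connecting-IP;
    # real_ip_header X-Forwarded-For;

    # example to show proxying multiple services to different paths on the same domain
    # in this case I am using the isso comment system and wanted it to be on my blog's domain
    # remove this for your own setup.
    location /isso {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Script-Name /isso;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://192.168.1.10:8084;
    }

    # The blog itself; the backend is reached over plain http on the LAN.
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://192.168.1.10:2368;
    }
}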

skylord123 commented Nov 16, 2019

I have this running on the linuxserver/letsencrypt docker container for automating SSL generation.

I commented out the Cloudflare settings but left them in as comments for people who want to use this with their own proxy. That makes it easier for people who aren't using Cloudflare to copy the config and use it as-is.
