Nginx with Let's Encrypt on Ubuntu + Reverse proxy

Дусал нэвтэрхий толь-с

sudo su

Certbot суулгах

add-apt-repository ppa:certbot/certbot

apt install python-certbot-nginx

Nginx-ийн тохиргоогоо шалгах

Nginx тохиргооны файлд server_name зѳв бичигдсэн байх ёстой. /etc/nginx/sites-available/example.com

server_name example.com www.example.com;

Nginx тохиргоо алдаатай эсэхийг шалгах:

nginx -t

Тохиргоо идэвхжүүлэх: systemctl reload nginx

Firewall дээр портоо нээх

Гаднаас хандах портоо нээсэн байх хэрэгтэй. DNS тохиргоо мѳн зѳв байхгүй бол болохгүй. Let's Encrypt SSL үүсгэх үед автоматаар шалгахад холбогдох ёстой.


SSL Certificate үүсгэх

certbot --nginx -d example.com -d www.example.com

This runs certbot with the --nginx plugin, using -d to specify the names we'd like the certificate to be valid for.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for.

If that's successful, certbot will ask how you'd like to configure your HTTPS settings.

Output

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

Output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser's security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

Let's finish by testing the renewal process.

Certbot автомат шинэчлэлтийг шалгах

Let's Encrypt's certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that's within thirty days of expiration.

To test the renewal process, you can do a dry run with certbot:

certbot renew --dry-run

If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.

Жишээ Nginx тохиргооны файл

server {
    server_name server8.dusal.net www.server8.dusal.net;
    listen 443 ssl;

    location / {
        proxy_pass         http://192.168.100.6:3000/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_body_buffer_size    128k;
	
            proxy_connect_timeout      90;
            proxy_send_timeout         90;
            proxy_read_timeout         90;

            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;

    }

    ssl_certificate /etc/letsencrypt/live/server8.dusal.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/server8.dusal.net/privkey.pem; # managed by Certbot
}


Өөр жишээ:

sudo nano /etc/nginx/sites-enabled/git.example.com


server {
    listen 80;
    server_name git.example.com;

    include snippets/letsencrypt.conf;
    return 301 https://git.example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name git.example.com;

    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;

    client_max_body_size 50m;

    # Proxy headers
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/git.example.com/chain.pem;
    include snippets/letsencrypt.conf;
    include snippets/ssl.conf;

    # log files
    access_log /var/log/nginx/git.example.com.access.log;
    error_log /var/log/nginx/git.example.com.error.log;

    # Handle / requests
    location / {
       proxy_redirect off;
       proxy_pass http://127.0.0.1:3000;
    }
}