SSL Certificates For Website Hosting
Thu Dec 08 2022 08:00:55 GMT+0000 (Coordinated Universal Time)
#1 Install Certbot snap install --classic certbot cp /etc/nginx/nginx.conf /etc/nginx/nginx-copy.conf VAR_DOMAIN_NAME='<Domain name>' cat /home/configs/nginx.conf |\ sed "s,server_name web_client,server_name web_client $VAR_DOMAIN_NAME,g" \ > /etc/nginx/nginx.conf certbot --no-eff-email --agree-tos -m hristo.trendafilov93@gmail.com ============================================================================= cat /home/configs/nginx-tls.conf |\ sed "s,__DOMAIN_NAME__,$VAR_DOMAIN_NAME,g" \ > /etc/nginx/nginx.conf systemctl restart nginx ============================================================================= # Add renew for the certificates to crontab 27 23 * * * /usr/bin/certbot-auto renew >> /var/log/le-renew.log ============================================================================= # Конфигурационните файлове - nginx-tls.conf ============================================================================= worker_processes auto; worker_rlimit_nofile 10240; pid /run/nginx.pid; events { worker_connections 10240; accept_mutex off; multi_accept off; } http { include /etc/nginx/mime.types; default_type application/octet-stream; map $http_upgrade $connection_upgrade { default upgrade; '' close; } map $host $scheme_for_domain { hostnames; default "http"; __DOMAIN_NAME__ "https"; } # Добавяне на IP-та, които да достъпват съръра по IP # "~127.0.0.1" "alow"; map $remote_addr $allowed_http_addresses { default "deny"; } server { server_name web_client __DOMAIN_NAME__; listen 0.0.0.0:80; listen 0.0.0.0:443 ssl http2; # managed by Certbot ssl_certificate /etc/letsencrypt/live/__DOMAIN_NAME__/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/__DOMAIN_NAME__/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot if ($scheme_for_domain != $scheme) { return 301 $scheme_for_domain://$host$request_uri; } location '/.well-known/acme-challenge' { root /etc/letsencrypt/live; } set $http_request $scheme; if ($http_request = http ) { set $http_request "${http_request};${allowed_http_addresses}"; } if ($http_request = "http;deny" ) { return 400; } proxy_connect_timeout 300; proxy_send_timeout 300; proxy_read_timeout 300; send_timeout 300; gzip on; gzip_proxied any; gzip_vary on; gzip_comp_level 9; gzip_http_version 1.0; gzip_buffers 16 8k; gzip_min_length 50; gzip_types text/css text/plain text/javascript application/javascript application/json application/x-javascript application/xml application/xml+rss application/xhtml+xml application/x-font-ttf application/x-font-opentype application/vnd.ms-fontobject image/svg+xml image/x-icon application/rss+xml application/atom_xml; client_max_body_size 100M; keepalive_timeout 300s; keepalive_requests 1000000; root /home/eventManager/client; location / { try_files $uri $uri/ /index.html; add_header Cache-Control 'no-store'; expires 0; } location ~* \.(?:css|js)$ { add_header Cache-Control 'no-cache, public, must-revalidate, proxy-revalidate'; } location ~* \.(?:jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf)$ { expires 5m; add_header Cache-Control 'public'; } location /api { proxy_set_header HOST $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header Cache-Control 'no-store'; error_page 502 =200 /error.json; proxy_pass http://127.0.0.1:5000/api; } } } ============================================================================= - nginx.conf ============================================================================= worker_processes auto; worker_rlimit_nofile 10240; pid /run/nginx.pid; events { worker_connections 10240; accept_mutex off; multi_accept off; } http { include /etc/nginx/mime.types; default_type application/octet-stream; map $http_upgrade $connection_upgrade { default upgrade; '' close; } # Добавяне на IP-та, които да достъпват съръра по IP # "~127.0.0.1" "alow"; map $remote_addr $allowed_http_addresses { default "deny"; } server { listen 0.0.0.0:80; server_name web_client; location '/.well-known/acme-challenge' { root /etc/letsencrypt/live; } set $http_request $scheme; if ($http_request = http ) { set $http_request "${http_request};${allowed_http_addresses}"; } if ($http_request = "http;deny" ) { return 400; } proxy_connect_timeout 300; proxy_send_timeout 300; proxy_read_timeout 300; send_timeout 300; gzip on; gzip_proxied any; gzip_vary on; gzip_comp_level 9; gzip_http_version 1.0; gzip_buffers 16 8k; gzip_min_length 50; gzip_types text/css text/plain text/javascript application/javascript application/json application/x-javascript application/xml application/xml+rss application/xhtml+xml application/x-font-ttf application/x-font-opentype application/vnd.ms-fontobject image/svg+xml image/x-icon application/rss+xml application/atom_xml; client_max_body_size 100M; keepalive_timeout 300s; keepalive_requests 1000000; root /home/eventManager/client; location / { try_files $uri $uri/ /index.html; add_header Cache-Control 'no-store'; expires 0; } location ~* \.(?:css|js)$ { add_header Cache-Control 'no-cache, public, must-revalidate, proxy-revalidate'; } location ~* \.(?:jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf)$ { expires 5m; add_header Cache-Control 'public'; } location /api { proxy_set_header HOST $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header Cache-Control 'no-store'; error_page 502 =200 /error.json; proxy_pass http://127.0.0.1:5000/api; } } } =============================================================================
Comments