SSL Certificates For Website Hosting


Thu Dec 08 2022 08:00:55 GMT+0000 (Coordinated Universal Time)


#1 Install Certbot
# Install certbot from the snap store; --classic is required because the
# certbot snap needs access outside the snap sandbox.
snap install certbot --classic


cp /etc/nginx/nginx.conf /etc/nginx/nginx-copy.conf

VAR_DOMAIN_NAME='<Domain name>'
cat /home/configs/nginx.conf |\
  sed "s,server_name web_client,server_name web_client $VAR_DOMAIN_NAME,g" \
  > /etc/nginx/nginx.conf

certbot --no-eff-email --agree-tos -m hristo.trendafilov93@gmail.com
=============================================================================
cat /home/configs/nginx-tls.conf |\
  sed "s,__DOMAIN_NAME__,$VAR_DOMAIN_NAME,g" \
  > /etc/nginx/nginx.conf

systemctl restart nginx
=============================================================================
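# Add renew for the certificates to crontab
# NOTE(review): certbot-auto is deprecated and is not what "snap install
# certbot" provides; the snap ships its own renewal timer
# (snap.certbot.renew.timer), so this entry is only needed if that timer is
# disabled. nginx must be reloaded after a renewal or it keeps serving the
# old certificate; stderr is captured in the log as well.
27 23 * * * /snap/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx" >> /var/log/le-renew.log 2>&1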
=============================================================================
  
# Конфигурационните файлове
	- nginx-tls.conf
=============================================================================
# nginx-tls.conf: template for the TLS-enabled site. __DOMAIN_NAME__ is
# replaced by sed before this file is copied over /etc/nginx/nginx.conf.
worker_processes auto;
worker_rlimit_nofile 10240;
pid /run/nginx.pid;

events {
  worker_connections 10240;
  accept_mutex       off;
  multi_accept       off;
}

http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # WebSocket helper: "upgrade" only when the client sent an Upgrade header.
  # NOTE(review): nothing in this file references $connection_upgrade.
  map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
  }
  
  # Scheme each Host must be served on: the real domain is forced to https,
  # every other Host (including raw IP access) to http.
  map $host $scheme_for_domain {
    hostnames;
    default "http";
    __DOMAIN_NAME__ "https";
  } 
  
  # Client addresses allowed to reach the server over plain HTTP (by IP).
  # Any value other than "deny" allows; add entries like the example below:
  #  "~127.0.0.1"     "alow";
  map $remote_addr $allowed_http_addresses {
    default        "deny";
   }

  server {
    
    server_name web_client __DOMAIN_NAME__;
    
    listen 0.0.0.0:80;
    listen 0.0.0.0:443 ssl http2; # managed by Certbot    
    # Certificate paths and TLS parameters as written by certbot; the paths
    # only exist after the certbot run has created the live/<domain> directory.
    ssl_certificate /etc/letsencrypt/live/__DOMAIN_NAME__/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/__DOMAIN_NAME__/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    # Scheme enforcement: http -> https for the domain, https -> http for any
    # other Host. NOTE(review): a server-level "if ... return" is evaluated in
    # the server rewrite phase, before any location below is selected.
    if ($scheme_for_domain != $scheme) { 
      return 301 $scheme_for_domain://$host$request_uri;
    }
	
	# ACME HTTP-01 challenge files. Requests map to
	# /etc/letsencrypt/live/.well-known/acme-challenge/..., so the key
	# material next to it is not reachable through this location, but a
	# dedicated webroot (outside the certificate directory) is the usual
	# choice — confirm against the authenticator certbot is run with.
	location '/.well-known/acme-challenge' {
      root /etc/letsencrypt/live;
    }

    # Plain-HTTP access control: build "<scheme>;<allow|deny>" and reject
    # HTTP requests from addresses not listed in $allowed_http_addresses.
    # For the real domain the 301 above fires first, so this only affects
    # other hostnames / access by IP. NOTE(review): $http_request shadows
    # nginx's $http_<header> namespace (it would otherwise read a "Request:"
    # request header); a name such as $http_acl avoids the ambiguity.
    set $http_request $scheme;
    if ($http_request = http ) {
      set $http_request "${http_request};${allowed_http_addresses}";
    }
    if ($http_request = "http;deny" ) {
       return 400;
    }
    
    # Upstream and client timeouts, in seconds.
    proxy_connect_timeout       300;
    proxy_send_timeout          300;
    proxy_read_timeout          300;
    send_timeout                300;

    # Response compression, also for proxied (/api) responses.
    # NOTE(review): compressing dynamic TLS responses (application/json from
    # /api) is the precondition for BREACH-style attacks when a response
    # mixes a secret with client-controlled input; confirm the API responses
    # do not, or exclude them from gzip.
    gzip on;
    gzip_proxied any;
    gzip_vary on;
    gzip_comp_level 9;
    gzip_http_version 1.0;
    gzip_buffers 16 8k;
    gzip_min_length 50;
    gzip_types
      text/css
      text/plain
      text/javascript
      application/javascript
      application/json
      application/x-javascript
      application/xml
      application/xml+rss
      application/xhtml+xml
      application/x-font-ttf
      application/x-font-opentype
      application/vnd.ms-fontobject
      image/svg+xml
      image/x-icon
      application/rss+xml
      application/atom_xml;
  
    # Request bodies up to 100 MB and long-lived keep-alive connections.
    client_max_body_size 100M;
    
    keepalive_timeout  300s;     
    keepalive_requests 1000000;    

    # Static client bundle served from disk.
    root /home/eventManager/client;

    # SPA fallback: unknown paths serve index.html, never cached.
    location / {
      try_files $uri $uri/ /index.html;
      add_header Cache-Control 'no-store';
      expires 0;
    }
    
    # css/js: always revalidate with the server. NOTE(review): add_header in
    # a location replaces every server-level add_header, so any header added
    # at server level later (e.g. HSTS) must be repeated in each location.
    location ~* \.(?:css|js)$ {
      add_header Cache-Control 'no-cache, public, must-revalidate, proxy-revalidate';
    }
    
    # Images and fonts: cacheable for five minutes.
    location ~* \.(?:jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf)$ {    
      expires 5m;
      add_header Cache-Control 'public';
    } 
    
    # Reverse proxy for the API on the local backend (port 5000).
    # X-Forwarded-For appends $remote_addr to any X-Forwarded-For the client
    # already sent, so the backend must only trust the last entry.
    # error_page rewrites upstream 502s into a 200 /error.json, which hides
    # backend outages from status-code based monitoring — confirm intended.
    location /api {
      proxy_set_header HOST $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      add_header Cache-Control 'no-store';

      error_page 502 =200 /error.json;
      proxy_pass http://127.0.0.1:5000/api;
    }
  }
}
=============================================================================
	- nginx.conf
=============================================================================
  
# nginx.conf: plain-HTTP template used before the certificate exists
# (stage 1); sed appends the domain to server_name before it is installed.
worker_processes auto;
worker_rlimit_nofile 10240;
pid /run/nginx.pid;

events {
  worker_connections 10240;
  accept_mutex       off;
  multi_accept       off;
}

http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # WebSocket helper: "upgrade" only when the client sent an Upgrade header.
  # NOTE(review): nothing in this file references $connection_upgrade.
  map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
  }
  
  # Client addresses allowed to reach the server over plain HTTP (by IP).
  # Any value other than "deny" allows; add entries like the example below:
  #  "~127.0.0.1"     "alow";
  map $remote_addr $allowed_http_addresses {
    default        "deny";
   }

  server {

    listen 0.0.0.0:80;

    server_name web_client;
	
	# ACME HTTP-01 challenge files, served from the certificate directory.
	# NOTE(review): with the default "deny" below, every request to this
	# server — including this path — is answered with 400 before location
	# matching takes place (server-level if/return runs in the server
	# rewrite phase), unless the client address maps to a non-deny value.
	# Confirm the certbot authenticator in use does not rely on this location.
	location '/.well-known/acme-challenge' {
      root /etc/letsencrypt/live;
    }

    # Plain-HTTP access control: build "<scheme>;<allow|deny>" and reject
    # HTTP requests from addresses not listed in $allowed_http_addresses.
    # NOTE(review): $http_request shadows nginx's $http_<header> namespace
    # (it would otherwise read a "Request:" request header); a name such as
    # $http_acl avoids the ambiguity.
    set $http_request $scheme;
    if ($http_request = http ) {
      set $http_request "${http_request};${allowed_http_addresses}";
    }
    if ($http_request = "http;deny" ) {
       return 400;
    }

    # Upstream and client timeouts, in seconds.
    proxy_connect_timeout       300;
    proxy_send_timeout          300;
    proxy_read_timeout          300;
    send_timeout                300;

    # Response compression, also for proxied (/api) responses.
    gzip on;
    gzip_proxied any;
    gzip_vary on;
    gzip_comp_level 9;
    gzip_http_version 1.0;
    gzip_buffers 16 8k;
    gzip_min_length 50;
    gzip_types
      text/css
      text/plain
      text/javascript
      application/javascript
      application/json
      application/x-javascript
      application/xml
      application/xml+rss
      application/xhtml+xml
      application/x-font-ttf
      application/x-font-opentype
      application/vnd.ms-fontobject
      image/svg+xml
      image/x-icon
      application/rss+xml
      application/atom_xml;

    # Request bodies up to 100 MB and long-lived keep-alive connections.
    client_max_body_size 100M;

    keepalive_timeout  300s;
    keepalive_requests 1000000;

    # Static client bundle served from disk.
   root /home/eventManager/client;

    # SPA fallback: unknown paths serve index.html, never cached.
    location / {
      try_files $uri $uri/ /index.html;
      add_header Cache-Control 'no-store';
      expires 0;
    }

    # css/js: always revalidate with the server. NOTE(review): add_header in
    # a location replaces every server-level add_header directive.
    location ~* \.(?:css|js)$ {
      add_header Cache-Control 'no-cache, public, must-revalidate, proxy-revalidate';
    }

    # Images and fonts: cacheable for five minutes.
    location ~* \.(?:jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf)$ {
      expires 5m;
      add_header Cache-Control 'public';
    }

    # Reverse proxy for the API on the local backend (port 5000).
    # X-Forwarded-For appends $remote_addr to any X-Forwarded-For the client
    # already sent, so the backend must only trust the last entry.
    # error_page rewrites upstream 502s into a 200 /error.json, which hides
    # backend outages from status-code based monitoring — confirm intended.
    location /api {
      proxy_set_header HOST $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      add_header Cache-Control 'no-store';

      error_page 502 =200 /error.json;
      proxy_pass http://127.0.0.1:5000/api;
    }
  }
}
=============================================================================