Skip to content

Instantly share code, notes, and snippets.

@MKRhere

MKRhere/README.md

Last active March 15, 2020 06:16
Show Gist options
  • Save MKRhere/09fb6d1e6a338b180c28c8a93e7a60bc to your computer and use it in GitHub Desktop.
Save MKRhere/09fb6d1e6a338b180c28c8a93e7a60bc to your computer and use it in GitHub Desktop.
Download ZIP
nginx reverse proxy & acme.sh (stateless) configuration
Raw
README.md
  1. Create all attached files below as-is. Directory structure:
etc
├── nginx
│   ├── sites-enabled
│   │   └── domain.tld.port.conf (several)
│   └── ssl
│       ├── .conf # file attached as ssl.conf
│       ├── well-known.conf # file attached
│       ├── dhparam.pem # generated
│       ├── fullchain.crt # generated
│       └── crt.key # generated
  1. Run acme.sh --register-account
[Thu 20 Feb 2020 03:50:02 PM CET] Registering account
[Thu 20 Feb 2020 03:50:04 PM CET] ACCOUNT_THUMBPRINT='yE8E0qQPemsGL'

You'll get an ACCOUNT_THUMBPRINT, which you should add to the return value of well-known as <ACCOUNT_THUMBPRINT> in /etc/nginx/ssl/well-known.conf

  1. Run: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

  2. Edit $/sites-enabled/<domain.tld.port.conf> and add your <DOMAIN.TLD> and internal <PORT> for nginx listen on

  3. sudo systemctl restart nginx

  4. Get certs: acme.sh --issue -d <DOMAIN.TLD> --stateless

You can repeat -d <DOMAIN.TLD> for as many domains as you want.

  1. Install certs:
sudo acme.sh --install-cert -d <DOMAIN.TLD> --key-file /etc/nginx/ssl/cert.key --fullchain-file /etc/nginx/ssl/fullchain.crt

  1. Uncomment last line in /etc/nginx/sites-enabled/domain.tld.port.conf

  2. sudo systemctl restart nginx

Raw
domain.tld.port.conf
# /etc/nginx/sites-enabled/domain.tld.port.conf
server {
listen 80;
listen [::]:80;
server_name <DOMAIN.TLD>;
include /etc/nginx/ssl/well-known.conf;
location / {
proxy_pass http://localhost:<PORT>;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
# uncomment at step 8
# include /etc/nginx/ssl/.conf;
}
Raw
ssl.conf
# /etc/nginx/ssl/.conf
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/fullchain.crt;
ssl_certificate_key /etc/nginx/ssl/cert.key;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
Raw
well-known.conf
# /etc/nginx/ssl/well-known.conf
location ~ ^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$ {
default_type text/plain;
# Set <ACCOUNT_THUMBPRINT> after step 2
return 200 "$1.<ACCOUNT_THUMBPRINT>";
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment