adityathebe · November 10, 2018 13:59
diff --git a/ssl-setup.sh b/ssl-setup.sh
 # Source :: https://code.lengstorf.com/deploy-nodejs-ssl-digitalocean/

 # Install tools that Let’s Encrypt requires
 sudo apt-get install bc

 # Clone the Let’s Encrypt repository to your server
 sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

 # Move into the Let’s Encrypt directory
 cd /opt/letsencrypt

 # Create the SSL certificate
 ./certbot-auto certonly --standalone

 # Setup autorenewal
 # /opt/letsencrypt/certbot-auto renew
 # sudo crontab -e
 # 00 1 * * 1 /opt/letsencrypt/certbot-auto renew >> /var/log/letsencrypt-renewal.log
 # 30 1 * * 1 /bin/systemctl reload nginx


 # Point Your Domain to the App
 sudo apt-get install nginx

 sudo nano /etc/nginx/sites-enabled/default
 # HTTP — redirect all traffic to HTTPS
 server {
    listen 80;
    listen [::]:80 default_server ipv6only=on;
    return 301 https://$host$request_uri;
 }


 # CREATE A SECURE DIFFIE-HELLMAN GROUP
 sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

 # CREATE A CONFIGURATION FILE FOR SSL
 sudo nano /etc/nginx/snippets/ssl-params.conf

 # See https://cipherli.st/ for details on this configuration
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off; # Requires nginx >= 1.5.9
 ssl_stapling on; # Requires nginx >= 1.3.7
 ssl_stapling_verify on; # Requires nginx => 1.3.7
 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;

 # Add our strong Diffie-Hellman group
 ssl_dhparam /etc/ssl/certs/dhparam.pem;




 sudo nano /etc/nginx/sites-enabled/default
 # HTTPS — proxy all requests to the Node app
 server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name app.example.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:5000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
 }
	# Source :: https://code.lengstorf.com/deploy-nodejs-ssl-digitalocean/

	# Install tools that Let’s Encrypt requires
	sudo apt-get install bc

	# Clone the Let’s Encrypt repository to your server
	sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

	# Move into the Let’s Encrypt directory
	cd /opt/letsencrypt

	# Create the SSL certificate
	./certbot-auto certonly --standalone

	# Setup autorenewal
	# /opt/letsencrypt/certbot-auto renew
	# sudo crontab -e
	# 00 1 * * 1 /opt/letsencrypt/certbot-auto renew >> /var/log/letsencrypt-renewal.log
	# 30 1 * * 1 /bin/systemctl reload nginx


	# Point Your Domain to the App
	sudo apt-get install nginx

	sudo nano /etc/nginx/sites-enabled/default
	# HTTP — redirect all traffic to HTTPS
	server {
	listen 80;
	listen [::]:80 default_server ipv6only=on;
	return 301 https://$host$request_uri;
	}


	# CREATE A SECURE DIFFIE-HELLMAN GROUP
	sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

	# CREATE A CONFIGURATION FILE FOR SSL
	sudo nano /etc/nginx/snippets/ssl-params.conf

	# See https://cipherli.st/ for details on this configuration
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off; # Requires nginx >= 1.5.9
	ssl_stapling on; # Requires nginx >= 1.3.7
	ssl_stapling_verify on; # Requires nginx => 1.3.7
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	# Add our strong Diffie-Hellman group
	ssl_dhparam /etc/ssl/certs/dhparam.pem;




	sudo nano /etc/nginx/sites-enabled/default
	# HTTPS — proxy all requests to the Node app
	server {
	# Enable HTTP/2
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name app.example.com;

	# Use the Let’s Encrypt certificates
	ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

	# Include the SSL configuration from cipherli.st
	include snippets/ssl-params.conf;

	location / {
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-NginX-Proxy true;
	proxy_pass http://localhost:5000/;
	proxy_ssl_session_reuse off;
	proxy_set_header Host $http_host;
	proxy_cache_bypass $http_upgrade;
	proxy_redirect off;
	}
	}