Configure nginx with Let's Encrypt

nginx

Install nginx

sudo apt-get install nginx

Back Up Configuration

  • Just in case... copy all of /etc/nginx to /etc/nginx/original

Generate Diffie-Hellman Group

  • This will be used for configuring nginx SSL settings later

    sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    

Configure nginx

  • The DNS should already be configured (i.e., domain pointing to proper IP)
  • A server should be configured listening on 80 (HTTP) and 443 (HTTPS)
  • If necessary, any routing or firewalls should be configured so these ports are accessible from the Internet
  • Sample /etc/nginx/sites-enabled/YOURDOMAIN.conf
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
    
        server_name YOURDOMAIN;
    
        return 301 https://$server_name$request_uri;
    }
    
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        include snippets/YOURDOMAIN-ssl.conf;
        include snippets/ssl-params.conf;
    
        server_name YOURDOMAIN;
    
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
    
        location / {
            try_files $uri $uri/ =404;
        }
    }
    

Create Domain SSL Configuration Snippet

  • Create a snippet pointing to the file locations the Let's Encrypt tool will create
  • In /etc/nginx/snippets/YOURDOMAIN-ssl.conf...
    ssl_certificate /etc/letsencrypt/live/YOURDOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOURDOMAIN/privkey.pem;
    

Create SSL Settings

  • For details, see https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
  • This is where the Diffie-Hellman group generated earlier is used (ssl_dhparam)
  • In /etc/nginx/snippets/ssl-params.conf...
    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    
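As an added example (not part of the gist), a small Python linter that parses an ssl-params.conf snippet like the one above, flags the deprecated TLSv1 and TLSv1.1 protocols it enables, and checks that the directives the setup depends on are present; the embedded sample text, the directive list and the HSTS threshold are constructed assumptions, not nginx rules.

```python
"""Lint an nginx TLS snippet for weak or missing settings (constructed example)."""
import re

# Constructed sample: the ssl-params.conf snippet from the gist, minus the resolver lines.
SAMPLE_SNIPPET = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
ssl_dhparam /etc/ssl/certs/dhparam.pem;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Directives this guide's setup relies on (assumed checklist, not an nginx requirement).
REQUIRED = {"ssl_dhparam", "ssl_stapling", "ssl_session_tickets"}
MIN_HSTS_AGE = 31536000  # one year, assumed as the minimum worth deploying


def parse_directives(text):
    """Return (name, args) tuples; comments and blank lines are skipped.
    Simplification: '#' is treated as a comment start even inside quotes."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        directives.append((name, rest.strip()))
    return directives


def lint(text):
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings = []
    directives = parse_directives(text)
    seen = {name for name, _ in directives}
    for name, args in directives:
        if name == "ssl_protocols":
            weak = sorted(set(args.split()) & DEPRECATED_PROTOCOLS)
            if weak:
                findings.append("ssl_protocols enables deprecated " + ", ".join(weak))
        elif name == "add_header" and args.startswith("Strict-Transport-Security"):
            m = re.search(r"max-age=(\d+)", args)
            if not m or int(m.group(1)) < MIN_HSTS_AGE:
                findings.append("HSTS max-age missing or shorter than one year")
        elif name == "ssl_session_tickets" and args != "off":
            findings.append("ssl_session_tickets is on; ticket keys are not rotated by default")
    for req in sorted(REQUIRED - seen):
        findings.append("missing directive: " + req)
    return findings


def harden(text):
    """Rewrite ssl_protocols to TLSv1.2/1.3 only; every other directive is left untouched."""
    return re.sub(r"^ssl_protocols .*;$", "ssl_protocols TLSv1.2 TLSv1.3;", text, flags=re.M)
```

Running `lint(SAMPLE_SNIPPET)` reports only the deprecated protocol versions, and `lint(harden(SAMPLE_SNIPPET))` reports nothing.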

Restart

sudo service nginx restart

Let's Encrypt

Download Tool

Run Auto Configuration

./letsencrypt-auto -d YOURDOMAIN --nginx -m YOUREMAIL --redirect --agree-tos

Renew

./letsencrypt-auto -d YOURDOMAIN1 -d YOURDOMAIN2 --nginx -m YOUREMAIL --redirect --agree-tos --renew-by-default