
@mehmetsefabalik
Last active August 28, 2020 21:58
set up an nginx proxy server with ssl on linux

install nginx

  • sudo apt install nginx
  • sudo rm /etc/nginx/sites-available/default
  • sudo rm /etc/nginx/sites-enabled/default

set up the nginx config for the first time

  • sudo vim /etc/nginx/sites-available/yourdomainname.com
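server {
    listen 80;
    server_name yourdomainname.com www.yourdomainname.com;

    # Bootstrap (plain-HTTP) vhost: reverse-proxies everything to the
    # application on port 3000. It is replaced by the TLS configuration
    # later in this guide, once the certificate exists.
    location / {
        proxy_pass http://localhost:3000;

        # HTTP/1.1 plus the Upgrade/Connection pair lets WebSocket
        # handshakes pass through. Note the Connection header is forced
        # to "upgrade" on every request, not only on upgrade requests.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;

        # Without these the backend only ever sees 127.0.0.1 as the peer,
        # so it cannot log, rate-limit or otherwise distinguish real
        # clients, nor tell which scheme they used. They are only
        # trustworthy if port 3000 is not reachable from outside this host.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}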
  • sudo ln -s /etc/nginx/sites-available/yourdomainname.com /etc/nginx/sites-enabled/yourdomainname.com

restart nginx

  • sudo nginx -t
  • sudo service nginx restart

install certbot

  • sudo add-apt-repository ppa:certbot/certbot
  • sudo apt-get update
  • sudo apt-get install python-certbot-nginx

create ssl certificate (certonly only obtains the certificate; nginx is configured by hand in the next step)

  • sudo certbot --nginx certonly

configure nginx

  • sudo vim /etc/nginx/sites-available/yourdomainname.com
server {
    listen 80;
    server_name yourdomainname.com www.yourdomainname.com;

    # Plain HTTP is never served: every request, for either host name,
    # is sent to the canonical HTTPS apex host with the original path
    # and query string preserved.
    return 301 https://yourdomainname.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.yourdomainname.com;

    # The www host terminates TLS with the same certificate as the apex
    # (so that certificate needs to include the www name too) and then
    # redirects the visitor to the canonical apex host.
    ssl_certificate     /etc/letsencrypt/live/yourdomainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomainname.com/privkey.pem;

    # No response headers are added on this vhost; the hardening headers
    # are emitted by the apex vhost every request ends up on.
    return 301 https://yourdomainname.com$request_uri;
}
 
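server {
    listen 443 ssl http2;
    server_name yourdomainname.com;

    # Certificate obtained with `certbot --nginx certonly`. Because certonly
    # does not edit nginx, no TLS protocol/cipher settings are applied here
    # and nginx's built-in defaults are in effect; certbot's installer would
    # normally reference /etc/letsencrypt/options-ssl-nginx.conf for those
    # (include it here if it exists on the host).
    ssl_certificate     /etc/letsencrypt/live/yourdomainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomainname.com/privkey.pem;

    location / {
        proxy_pass http://localhost:3000;

        # HTTP/1.1 plus the Upgrade/Connection pair lets WebSocket
        # handshakes pass through (Connection is forced to "upgrade"
        # on every request).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;

        # Tell the backend who the real client is and that TLS terminated
        # here; otherwise it sees 127.0.0.1 and "http" for every request
        # (breaks logging, rate limiting and absolute-URL generation).
        # Only trustworthy if port 3000 is not reachable from outside.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Response hardening headers. "always" makes nginx attach a header
        # to error responses too (without it add_header only applies to
        # 2xx/3xx). add_header directives in a location replace, not merge
        # with, any set at server level, so keep the full set here.
        #
        # NOTE: default-src carries 'unsafe-inline' and 'unsafe-eval', so
        # this CSP does not stop injected inline scripts; tighten per site.
        add_header Content-Security-Policy "img-src * 'self' data: blob: https:; default-src 'self' https://*.googleapis.com https://*.googletagmanager.com https://*.google-analytics.com https://s.ytimg.com https://www.youtube.com https://yourdomainname.com https://*.googleapis.com https://*.gstatic.com https://*.w.org data: 'unsafe-inline' 'unsafe-eval';" always;
        # Legacy header; most current browsers ignore it, CSP is what counts.
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        # Allows only the site's own origin, which needs no CORS grant, so
        # this effectively permits no cross-origin access at all.
        add_header Access-Control-Allow-Origin "https://yourdomainname.com";
        add_header Referrer-Policy "origin-when-cross-origin" always;
        # HSTS must reach the browser on every response, including errors,
        # hence "always" (previously missing here only). includeSubdomains +
        # preload commit every subdomain to HTTPS for a year; only submit to
        # the preload list once that holds.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
    }
}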

restart nginx

  • sudo nginx -t
  • sudo service nginx restart

set up a cron job to check for certificate renewal

  • sudo crontab -e
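# Runs at 00:00 and 12:00 daily. `certbot renew` is a no-op unless a
# certificate is inside its renewal window, so running it often is cheap.
# --quiet silences the success case but still lets failures reach cron's
# mail/log; discarding all output with >/dev/null 2>&1 would hide a
# broken renewal until the certificate actually expires.
# nginx only reads the certificate files at start/reload, so the deploy
# hook (run only when a certificate was actually renewed) reloads it.
0 0,12 * * * certbot renew --quiet --deploy-hook "service nginx reload"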