Tested on Ubuntu 20.04 minimal install
Preparation: Set up a VPS and note down its IP, 21.21.21.21 in this guide (replace with your real IP). Add a subdomain and map it to the VPS IP via an A record pointing to 21.21.21.21.
Replace btcpay.yourdomain.tld with your actual subdomain.
SSH into your VPS and follow the steps:
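# NOTE(review): these commands are written for a root shell; prefix them with sudo otherwise.
# refresh the package index first, so apt can locate current package versions on a fresh minimal install
apt update
# install nginx + certbot
apt install nginx-full certbot python3-certbot-nginx
# Delete the default vHost:
# (with the default removed, the vHost created below answers requests for any
# Host header on its port, including the bare IP, unless another enabled site matches)
rm /etc/nginx/sites-enabled/default
# Create subdomain vHost
nano /etc/nginx/sites-available/btcpay.yourdomain.tld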
Copy and paste the following configuration and adjust the IP2TOR IP:
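# Buffers for responses read from the proxied BTCPay instance.
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;

# Generous request-header limits.
# NOTE(review): any client can make nginx allocate up to 4 x 500k of header
# buffers per connection; lower these if the site works with smaller values.
client_header_buffer_size 500k;
large_client_header_buffers 4 500k;
# These two only matter when HTTP/2 is enabled on a listen socket. Both are
# obsolete since nginx 1.19.7, where large_client_header_buffers replaces them.
# Ubuntu 20.04 ships nginx 1.18, which predates that change.
http2_max_field_size 500k;
http2_max_header_size 500k;

# Value for the Connection header sent upstream: "upgrade" when the client
# requested a protocol upgrade (WebSocket), "close" when it did not.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # No listen directive is given, so nginx serves this vHost on port 80 until
    # certbot adds the TLS listener and the HTTP->HTTPS redirect.
    server_name btcpay.yourdomain.tld;
    client_max_body_size 100M;

    location / {
        # Replace with ip2tor port and IP you got from raspiblitz
        # NOTE(review): nginx does not verify the upstream certificate by default
        # (proxy_ssl_verify is off), so this hop is encrypted but the peer is not
        # authenticated. To pin the node's certificate, copy it to the VPS and add
        # the following (upper-case values are placeholders):
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate PATH_TO_NODE_CERT_PEM;
        #   proxy_ssl_name NAME_IN_NODE_CERT;
        proxy_pass https://X.X.X.X:37160;

        # nginx talks HTTP/1.0 to upstreams by default; the Upgrade/Connection
        # headers below only produce a working WebSocket handshake over HTTP/1.1.
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        # X-Real-IP carries the address nginx itself saw. X-Forwarded-For keeps
        # whatever the client sent and appends that address, so the backend
        # should trust only the right-most entry.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}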
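# Enable the vHost by linking it into sites-enabled
ln -s /etc/nginx/sites-available/btcpay.yourdomain.tld /etc/nginx/sites-enabled/
# Validate the configuration and restart only if the test passes, so a typo
# in the vHost does not leave nginx stopped
nginx -t && systemctl restart nginx
# test if the site is reachable, make sure DNS serves already from the correct IP
# NOTE: until certbot has run, the site is served over plain HTTP on port 80;
# do not log in or enter credentials yet
# create letsencrypt cert (reads your nginx config and does everything for you)
certbot --nginx -d btcpay.yourdomain.tld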
# When certbot asks "Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.",
# select "2: Redirect"
# certbot will update your nginx config and make everything work, nothing else to do
# Make sure certbot auto-renewal is enabled: the timer unit should be reported as loaded and active
systemctl status certbot.timer
# and make sure renewal works (--dry-run performs a test renewal without saving any certificate to disk)
certbot renew --dry-run