Nginx configuration to enable ACME Challenge support on all HTTP virtual hosts
#@@@ nginx virtual server configuration
### make link
# $ ln -s /etc/nginx/sites-available/DOMAIN_NAME.TLD /etc/nginx/sites-enabled/
# $ nginx -t
# $ systemctl restart nginx
### letsencrypt
# $ cd /PATH_NAME/www
# $ mkdir _.letsencrypt
# certbot-auto is deprecated (unsupported since 2020); the distribution `certbot`
# package accepts the same flags. The webroot plugin writes the challenge files
# under <webroot>/.well-known/acme-challenge/, which is why the path below is the
# webroot itself and not the challenge directory.
# $ certbot-auto certonly -a webroot --webroot-path=/PATH_NAME/www/_.letsencrypt/ --expand -d DOMAIN_NAME.TLD,www.DOMAIN_NAME.TLD
# $ systemctl restart nginx
### Expires map
# If you have more than one domain, place this block in a separate file:
# `map` is only valid at the http level, so it must not be inside a server block.
# https://www.digitalocean.com/community/tutorials/how-to-implement-browser-caching-with-nginx-s-header-module-on-ubuntu-16-04
# Derive the Expires/Cache-Control value from the upstream's Content-Type.
# HTML is never cached (epoch), static assets get the maximum lifetime,
# anything else is left without caching headers (off).
map $sent_http_content_type $expires {
    default                 off;
    text/html               epoch;
    text/css                max;
    application/javascript  max;
    text/javascript         max;
    ~image/                 max;
}
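#@@@ DOMAIN_NAME.TLD : 80
# Plain-HTTP vhost: answers the ACME HTTP-01 challenge itself and sends
# everything else to HTTPS.
server {
    listen 80;
    server_name DOMAIN_NAME.TLD
                www.DOMAIN_NAME.TLD;

    ### letsencrypt
    # The challenge must be served here, on port 80, not only in the 443 vhost:
    # a server-level `return 301` runs before location matching and would redirect
    # the validation request too, and on the very first issuance there is no
    # certificate yet, so the 443 vhost cannot even start.
    # `root` is the certbot webroot; the file path becomes
    # /PATH_NAME/www/_.letsencrypt/.well-known/acme-challenge/<token>.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /PATH_NAME/www/_.letsencrypt;
    }
    ### Hide the /acme-challenge/ directory itself (no listing).
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    # Everything else: redirect to HTTPS, keeping host and path.
    # $host reflects the client's Host header. That is harmless while this vhost
    # only receives requests for the names above; if it is also nginx's default
    # server for port 80, add a catch-all (`listen 80 default_server; return 444;`)
    # so arbitrary Host values are not echoed into the Location header.
    location / {
        return 301 https://$host$request_uri;
    }
}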
#@@@ DOMAIN_NAME.TLD : 443 | |
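### load balancing
# Two local app instances; ip_hash keeps a client on one backend (needed
# when the app holds per-connection state such as WebSocket sessions).
upstream _DOMAIN_NAME_server {
    ip_hash;
    server 127.0.0.1:11400;
    server 127.0.0.1:11401;
}
### websocket upgrade
# Send "Connection: upgrade" to the backend only when the client actually
# sent an Upgrade header; ordinary requests get "close". Sending "upgrade"
# unconditionally (the previous behaviour) confuses some backends on plain
# HTTP/1.1 requests. This is the pattern from the nginx WebSocket docs.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
###
server {
    listen 443 ssl;
    server_name DOMAIN_NAME.TLD
                www.DOMAIN_NAME.TLD;
    ### SSL
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME.TLD/privkey.pem;
    ssl_prefer_server_ciphers on;
    # nginx time units are case-sensitive: "10M" is ten MONTHS, "10m" is ten
    # minutes. The previous value kept resumable sessions (and the keys that
    # protect them) alive for months; ten minutes is the intended lifetime.
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # OCSP stapling. `ssl_stapling_verify` needs the issuer chain to validate
    # the OCSP response, and nginx needs a resolver to reach the OCSP responder;
    # without both, stapling silently does nothing. Point `resolver` at your
    # own/local DNS if you do not want to use public resolvers.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME.TLD/chain.pem;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and flagged by every scanner;
    # TLS 1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # HSTS: tell browsers to use HTTPS for this host for one year. `always`
    # adds it on error responses too. includeSubDomains/preload are left out
    # deliberately — only add them once every subdomain is served over TLS.
    # NOTE: add_header is inherited by a location only if that location has no
    # add_header of its own; keep that in mind when adding headers below.
    add_header Strict-Transport-Security "max-age=31536000" always;
    ### cache control
    expires $expires;
    ### /
    location / {
        proxy_pass http://_DOMAIN_NAME_server;
        proxy_http_version 1.1;
        ### Prevent WebSocket Error "Lost connection to server each 60 seconds"
        # https://groups.google.com/forum/#!topic/peerjs/A8L0eYaC-2s
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
        ### Prevent Error "Unexpected response code: 400" during WebSocket handshake
        # https://github.com/socketio/socket.io/issues/1942#issuecomment-82352072
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        ###
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        # X-Real-IP is the TCP peer and cannot be spoofed by the client.
        # X-Forwarded-For APPENDS $remote_addr to whatever the client sent, so the
        # backend must only trust the right-most entry (or use X-Real-IP).
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Request-Start $msec;
        # Disables the request log for the whole application. Reconsider this:
        # with it off there is no nginx-side record for incident response, and
        # the backend's own log does not see the TLS client's IP unless it
        # reads X-Real-IP.
        access_log off;
    }
    ### letsencrypt
    # https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622
    ### Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
    # Kept here so challenge requests that were redirected to HTTPS are still
    # answered; the port-80 vhost should serve the same location for first issuance.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /PATH_NAME/www/_.letsencrypt;
    }
    ### Hide /acme-challenge subdirectory and return 404 on all requests.
    location = /.well-known/acme-challenge/ {
        return 404;
    }
}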