Skip to content

Instantly share code, notes, and snippets.

@zhaiduo
Forked from publiclass1/Install-letscrypt.md
Created May 2, 2018 06:50
Show Gist options
  • Select an option

  • Save zhaiduo/be315c1c5d76b8c41c129a4590cd637e to your computer and use it in GitHub Desktop.

Select an option

Save zhaiduo/be315c1c5d76b8c41c129a4590cd637e to your computer and use it in GitHub Desktop.
Install letscrypt with nginx

INSTALL LET’S ENCRYPT

To start, we need to install some tools that Let’s Encrypt depends on, then clone the letsencrypt repository to our server.

# Install tools that Let’s Encrypt requires
sudo apt-get install bc

# Clone the Let’s Encrypt repository to your server
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

To check that the domain is pointing to your droplet, run the following (make sure to replace app.example.com with the domain you just configured):

dig +short app.example.com
# output should be your droplet’s IP address, e.g. 138.68.11.65

GENERATE THE SSL CERTIFICATE.

Now that the domain is pointed to our server, we can generate the SSL certificate:

# Move into the Let’s Encrypt directory
cd /opt/letsencrypt

# Create the SSL certificate
./certbot-auto certonly --standalone

SETUP AUTO-RENEWAL FOR THE SSL CERTIFICATE

For security, Let’s Encrypt certificates expire every 90 days, which seems pretty short. (By contrast, most paid SSL certificates are valid for at least a year.)

/opt/letsencrypt/certbot-auto renew

To set this up, run the following command in the terminal to edit the server’s cron jobs:

sudo crontab -e
00 1 * * 1 /opt/letsencrypt/certbot-auto renew >> /var/log/letsencrypt-renewal.log
30 1 * * 1 /bin/systemctl reload nginx

INSTALL NGINX

Installing NGINX is no different from most of the other tools we’ve downloaded so far. Use apt-get to download and install it:

sudo apt-get install nginx
sudo nano /etc/nginx/sites-enabled/default
# HTTP — redirect all traffic to HTTPS
server {
    listen 80;
    listen [::]:80 default_server ipv6only=on;
    return 301 https://$host$request_uri;
}

CREATE A SECURE DIFFIE-HELLMAN GROUP

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
sudo nano /etc/nginx/snippets/ssl-params.conf

We need to create a new file on our server to hold these settings — if we add another domain to this server, we can reuse them this way — which we’ll do with the following command:

# See https://cipherli.st/ for details on this configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# Add our strong Diffie-Hellman group
ssl_dhparam /etc/ssl/certs/dhparam.pem;

CONFIGURE YOUR DOMAIN TO USE SSL

sudo nano /etc/nginx/sites-enabled/default
# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name app.example.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:5000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }
}

Test nginx

sudo nginx -t

Start NGIX

sudo systemctl start nginx

Credits

Original Post

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment