Nginx as reverse proxy with acme (letsencrypt): Difference between revisions
(8 intermediate revisions by 3 users not shown)
Line 7: | Line 7: | ||
== Installation == | == Installation == | ||
For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg| | For this howto, we need three tools: [[Nginx|NGINX]], {{pkg|acme-client}} and {{pkg|openssl}} (to generate [https://wiki.openssl.org/index.php/Diffie-Hellman_parameters Diffie–Hellman Parameters]). | ||
{{Cmd|apk update | {{Cmd|apk update | ||
apk add nginx acme-client | apk add nginx acme-client openssl}} | ||
== Setup == | == Setup == | ||
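Review bot: with the TLSv1.3-only `ssl_protocols` introduced in the Line 72 hunk, `ssl_dhparam` is never consulted (nginx uses it only for TLS 1.2 DHE suites), so the Diffie–Hellman parameter step that motivates adding openssl to the install line here is redundant unless TLS 1.2 is also enabled; either say so in the text or drop the DH step together with the TLS 1.3-only profile.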
Line 72: | Line 72: | ||
Configure a file with all SSL-parameters that we can include in the virtual hosts configs later on.<br> | Configure a file with all SSL-parameters that we can include in the virtual hosts configs later on.<br> | ||
The security settings are | The security settings are inspired by the [https://ssl-config.mozilla.org/#server=nginx&version=1.16.1&config=modern&openssl=1.1.1k&guideline=5.7 Mozilla SSL Configuration Generator]. Please also read https://hstspreload.org for details about HSTS. | ||
{{Cat|/etc/nginx/conf.d/ssl-params.inc|<nowiki># secure nginx, see https:// | {{Cat|/etc/nginx/conf.d/ssl-params.inc|<nowiki># secure nginx, see https://ssl-config.mozilla.org | ||
ssl_protocols TLSv1.3 | |||
ssl_prefer_server_ciphers off; | |||
ssl_prefer_server_ciphers | ssl_session_timeout 1d; | ||
ssl_session_cache shared:SSL:10m; | ssl_session_cache shared:SSL:10m; | ||
ssl_session_tickets off; # Requires nginx >= 1.5.9 | ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
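Review bot: the new `ssl_protocols TLSv1.3` line shows no terminating semicolon, unlike `ssl_prefer_server_ciphers off;` and the lines below it; if that is not a rendering artefact, `nginx -t` will reject the include. Restricting to TLS 1.3 only (the Mozilla "modern" profile) also drops every client without TLS 1.3 support, which deserves a sentence so that readers who must serve older clients know to pick the "intermediate" profile (`TLSv1.2 TLSv1.3` with an explicit `ssl_ciphers` list) instead.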
Line 99: | Line 96: | ||
add_header X-Robots-Tag none; | add_header X-Robots-Tag none; | ||
</nowiki>}} | </nowiki>}} | ||
==== Per site configuration files (conf.d) ==== | ==== Per site configuration files (conf.d) ==== | ||
Line 208: | Line 197: | ||
{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki> | {{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki> | ||
server { | server { | ||
listen | listen 443 ssl http2; | ||
listen [::]:443 ssl http2; | |||
server_name alpinelinux.org | server_name alpinelinux.org | ||
ssl on; | ssl on; | ||
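Review bot: `ssl on;` is kept alongside the new `listen 443 ssl http2;` and `listen [::]:443 ssl http2;` lines; the `ssl` directive has been deprecated since nginx 1.15.0 and is redundant once the `ssl` listen parameter is set, so it should be removed in the same revision. `server_name alpinelinux.org` also appears without its semicolon in both columns, which fails `nginx -t` unless it is a rendering artefact.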
Line 222: | Line 212: | ||
} | } | ||
</nowiki>}} | </nowiki>}} | ||
=== Redirect HTTP to HTTPS === | === Redirect HTTP to HTTPS === |
Latest revision as of 16:48, 28 May 2024
Introduction
This setup lets you make multiple servers/containers reachable through a single IP address, with the added benefit of centralized generation of letsencrypt certificates and secure HTTPS (according to ssllabs ssltest). Be aware that you first need to set up a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can add your HTTPS host-based configuration.
See the NGINX page for general information about Nginx, starting/stopping the service etc.
Installation
For this howto, we need three tools: NGINX, acme-client and openssl (to generate Diffie–Hellman parameters).
apk update
apk add nginx acme-client openssl
Setup
NGINX HTTP
Global configuration
The first step is to refactor our global nginx.conf. It targets a low-traffic HTTP server; to increase performance, make the changes at the top level.
Contents of /etc/nginx/nginx.conf
SSL configuration
Configure a file with all SSL parameters that we can include in the virtual host configs later on.
The security settings are inspired by the Mozilla SSL Configuration Generator. Please also read https://hstspreload.org for details about HSTS.
Contents of /etc/nginx/conf.d/ssl-params.inc
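As an added example (not the wiki's own ssl-params.inc), an include file in the spirit of the Mozilla "modern" profile referred to above. The dhparam path, the resolver address and the two-year HSTS lifetime are assumptions to adjust for your site:

```nginx
# /etc/nginx/conf.d/ssl-params.inc  (added example, not the wiki's file)
# Included from each HTTPS server block; the .inc suffix keeps it out of the
# "include /etc/nginx/conf.d/*.conf" glob in nginx.conf.

# Mozilla "modern" profile: TLS 1.3 only. Clients without TLS 1.3 cannot
# connect; for the "intermediate" profile use "TLSv1.2 TLSv1.3" together with
# an explicit ssl_ciphers list.
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;   # all TLS 1.3 suites are strong; let the client pick

# Session resumption: shared server-side cache, no stateless tickets. nginx keeps
# one ticket key until restart, so tickets would weaken forward secrecy of
# resumed sessions.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;   # roughly 40000 sessions
ssl_session_tickets off;            # requires nginx >= 1.5.9

# Diffie-Hellman parameters (path is an assumption; generate with
# "openssl dhparam -out /etc/ssl/dhparam.pem 2048"). nginx only uses them for
# TLS 1.2 DHE suites, so with TLS 1.3 alone this line is inert.
ssl_dhparam /etc/ssl/dhparam.pem;

# OCSP stapling. Needs a resolver to reach the CA's responder; nginx only logs a
# warning if the certificate carries no OCSP URL. ssl_stapling_verify needs the
# issuer chain, so point ssl_trusted_certificate at it in the server block.
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1 valid=300s;      # assumption: a local caching resolver
resolver_timeout 5s;

# HSTS for two years; "always" also sends it on error responses. Add
# "includeSubDomains; preload" only after reading https://hstspreload.org,
# because a preloaded entry is hard to undo.
add_header Strict-Transport-Security "max-age=63072000" always;

# Caution: nginx does not merge add_header across levels. A location block that
# defines any add_header of its own silently drops every header set here, so
# either repeat this line there or keep add_header out of location blocks.
```

The file contains no certificate paths on purpose: ssl_certificate, ssl_certificate_key and ssl_trusted_certificate differ per site and belong in the per-site server block that includes this file.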
Per site configuration files (conf.d)
Since Alpine v3.5, we ship NGINX with a default.conf within the /etc/nginx/conf.d directory.
To add support for another website, you can add files with the .conf extension to this directory:
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Common configuration includes
If you need to set up multiple proxies, you can move the duplicated directives into an include file such as the one shown below:
Contents of /etc/nginx/conf.d/proxy_set_header.inc
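An added example of what such a proxy_set_header.inc might hold (not the wiki's file); these are the conventional headers for telling a backend who the real client is, with the one caveat that matters for anything that logs or rate-limits by address:

```nginx
# /etc/nginx/conf.d/proxy_set_header.inc  (added example, not the wiki's file)
# Pulled into each "location { proxy_pass ...; }" with
#   include /etc/nginx/conf.d/proxy_set_header.inc;

proxy_set_header Host              $host;          # original virtual host name
proxy_set_header X-Real-IP         $remote_addr;   # TCP peer of this proxy
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;        # lets the backend build https:// URLs
proxy_set_header X-Forwarded-Host  $host;

# $proxy_add_x_forwarded_for APPENDS $remote_addr to whatever X-Forwarded-For
# the client already sent, so the left-hand entries are client-controlled. A
# backend must take the client address from X-Real-IP or from the right-most
# X-Forwarded-For entry, never from the first one. To discard a client-supplied
# value entirely, use "proxy_set_header X-Forwarded-For $remote_addr;" instead.
```

Because this file is included inside a location block, every directive in it applies only to that proxied location, which is what you want when one server block mixes proxied and locally served paths.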
acme-client
To allow NGINX to serve HTTPS, we need to add certificates and support for ACME (Automatic Certificate Management Environment) challenge responses.
ACME responses
Contents of /etc/nginx/conf.d/acme.inc
And add this to your proxy configuration:
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Automatic generation of certificates
Create the following file:
Contents of /etc/periodic/weekly/acme-client
Make it executable:
chmod +x /etc/periodic/weekly/acme-client
This script runs weekly, checks whether any of your certificates is outdated (close to expiry) and renews it when needed.
If you have several domains, you can add them to the hosts= variable with a space between each domain. This will create a separate certificate and key for each:
hosts="alpinelinux.org example.com foo.org bar.io"
Initial generation of keys and certificates
To create your initial certificates and keys, you have to run this manually the first time:
/etc/periodic/weekly/acme-client
Watch the output and see if all goes well. When it's finished, you should have files in:
/etc/ssl/acme/alpinelinux.nl/fullchain.pem
/etc/ssl/acme/private/alpinelinux.org/privkey.pem
NGINX HTTPS
Per site HTTPS configuration
Add the following below the previous HTTP configuration:
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Redirect HTTP to HTTPS
Create the following file:
Contents of /etc/nginx/conf.d/redirect_http.inc
Update host configuration
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Complete host example with IPv6 support
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
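As an added example (not the wiki's own alpinelinux.org.conf), one complete per-site file that pulls the pieces of this howto together: the ACME challenge location from "ACME responses", the HTTP-to-HTTPS redirect, and the HTTPS proxy block with IPv6 support. The challenge directory /var/www/acme and the backend address are assumptions; the certificate paths follow the layout under "Initial generation of keys and certificates":

```nginx
# /etc/nginx/conf.d/alpinelinux.org.conf  (added example, not the wiki's file)

# Plain HTTP: answers ACME HTTP-01 challenges and redirects everything else.
server {
    listen 80;
    listen [::]:80;
    server_name alpinelinux.org;

    # Stand-in for the wiki's acme.inc. acme-client writes the challenge token
    # below this directory (assumption: /var/www/acme). "^~" makes this prefix
    # win over any regex location, so the proxy never sees challenge requests.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    # Stand-in for the wiki's redirect_http.inc. 301 so clients and caches
    # remember it. If this block is also the default server for port 80 (for
    # example because it is the only one), $host can be any name a client
    # sends; use the literal hostname in that case.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS: terminates TLS and proxies to the backend.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;   # nginx >= 1.25.1 prefers a separate "http2 on;"
    server_name alpinelinux.org;

    # Files written by the weekly acme-client run. nginx reads the private key
    # as root before dropping privileges, so keep /etc/ssl/acme/private root-only.
    ssl_certificate         /etc/ssl/acme/alpinelinux.org/fullchain.pem;
    ssl_certificate_key     /etc/ssl/acme/private/alpinelinux.org/privkey.pem;
    ssl_trusted_certificate /etc/ssl/acme/alpinelinux.org/fullchain.pem;  # for OCSP stapling verification
    include /etc/nginx/conf.d/ssl-params.inc;

    location / {
        include /etc/nginx/conf.d/proxy_set_header.inc;
        proxy_pass http://10.0.0.10:8080;   # assumption: backend address
    }
}
```

Keep the order the Introduction describes: nginx refuses to load a server block whose certificate files do not exist yet, so deploy the port 80 block alone, run acme-client once, and only then add the port 443 block. Validate with `nginx -t` before reloading, and note that no `ssl on;` is needed once `ssl` is given on the listen line.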