Nginx as reverse proxy with acme (letsencrypt): Difference between revisions
m (→SSL configuration: Updated SSL configuration to make sense with nginx 1.16.1 and up.) |
Tag: Undo |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 73: | Line 73: | ||
Configure a file with all SSL-parameters that we can include in the virtual hosts configs later on.<br> | Configure a file with all SSL-parameters that we can include in the virtual hosts configs later on.<br> | ||
The security settings are inspired by the [https://ssl-config.mozilla.org/#server=nginx&version=1.16.1&config=modern&openssl=1.1.1k&guideline=5.7 Mozilla SSL Configuration Generator]. Please also read https://hstspreload.org for details about HSTS. | The security settings are inspired by the [https://ssl-config.mozilla.org/#server=nginx&version=1.16.1&config=modern&openssl=1.1.1k&guideline=5.7 Mozilla SSL Configuration Generator]. Please also read https://hstspreload.org for details about HSTS. | ||
{{Cat|/etc/nginx/conf.d/ssl-params.inc|<nowiki># secure nginx, see https:// | {{Cat|/etc/nginx/conf.d/ssl-params.inc|<nowiki># secure nginx, see https://ssl-config.mozilla.org | ||
ssl_protocols TLSv1.3 | ssl_protocols TLSv1.3 | ||
ssl_prefer_server_ciphers off; | ssl_prefer_server_ciphers off; | ||
ssl_session_timeout 1d; | |||
ssl_session_cache shared:SSL:10m; | ssl_session_cache shared:SSL:10m; | ||
ssl_session_tickets off; # Requires nginx >= 1.5.9 | ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
Line 95: | Line 96: | ||
add_header X-Robots-Tag none; | add_header X-Robots-Tag none; | ||
</nowiki>}} | </nowiki>}} | ||
==== Per site configuration files (conf.d) ==== | ==== Per site configuration files (conf.d) ==== | ||
Line 204: | Line 197: | ||
{{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki> | {{Cat|/etc/nginx/conf.d/alpinelinux.org.conf|<nowiki> | ||
server { | server { | ||
listen | listen 443 ssl http2; | ||
listen [::]:443 ssl http2; | |||
server_name alpinelinux.org | server_name alpinelinux.org | ||
ssl on; | ssl on; | ||
Line 218: | Line 212: | ||
} | } | ||
</nowiki>}} | </nowiki>}} | ||
=== Redirect HTTP to HTTPS === | === Redirect HTTP to HTTPS === |
Latest revision as of 16:48, 28 May 2024
Introduction
This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of letsencrypt certificates and secure https (according to ssllabs ssltest). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.
See the NGINX page for general information about Nginx, starting/stopping the service etc.
Installation
For this howto, we need three tools: NGINX, acme-client and openssl (to generate Diffie–Hellman Parameters).
apk update apk add nginx acme-client openssl
Setup
NGINX HTTP
Global configuration
First step is to refactor our global nginx.conf
. Its target at a low traffic http server, to increase performance make changes at top level.
Contents of /etc/nginx/nginx.conf
SSL configuration
Configure a file with all SSL-parameters that we can include in the virtual hosts configs later on.
The security settings are inspired by the Mozilla SSL Configuration Generator. Please also read https://hstspreload.org for details about HSTS.
Contents of /etc/nginx/conf.d/ssl-params.inc
Per site configuration files (conf.d)
Since Alpine v3.5, we ship NGINX with a default.conf
within the /etc/nginx/conf.d directory.
To add support for another website, you can add files with the .conf extension to this directory:
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Common configuration includes
If you need to setup multiple proxy setups, you can include duplicated data such as shown below:
Contents of /etc/nginx/conf.d/proxy_set_header.inc
acme-client
To allow NGINX to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.
ACME responses
Contents of /etc/nginx/conf.d/acme.inc
And add this to your proxy configuration:
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Automatic generation of certificates
Create the following file:
Contents of /etc/periodic/weekly/acme-client
Make it executable:
chmod +x /etc/periodic/weekly/acme-client
This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.
If you have several domains, you can add them to the hosts= variable with a space between each domain. This will create a separate certificate and key for each:
hosts="alpinelinux.org example.com foo.org bar.io"
Initial generation of keys and certificates
To create your initial certificates and keys, you have to run this manually the first time:
/etc/periodic/weekly/acme-client
Watch the output and see if all goes well. When it's finished, you should have files in:
/etc/ssl/acme/alpinelinux.nl/fullchain.pem /etc/ssl/acme/private/alpinelinux.org/privkey.pem
NGINX HTTPS
Per site HTTPS configuration
Add the following below the previous HTTP configuration:
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Redirect HTTP to HTTPS
Create the following file:
Contents of /etc/nginx/conf.d/redirect_http.inc
Update host configuration
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Complete host example with IPv6 support
Contents of /etc/nginx/conf.d/alpinelinux.org.conf