Nginx as reverse proxy with acme (letsencrypt): Difference between revisions
m (Marked a dead link.) |
|||
Line 102: | Line 102: | ||
==== Diffie–Hellman Parameters ==== | ==== Diffie–Hellman Parameters ==== | ||
In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this] wiki section): | In the above configuration <var>ssl_dhparam</var> is used, so we need to generate a global <code>dhparam</code> file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (<var>dsaparam</var>) to generate our <code>dhparam</code> file (see [https://wiki.openssl.org/index.php/Manual:Dhparam(1)#OPTIONS this]{{dead link}} wiki section): | ||
{{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}} | {{Cmd|openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096}} |
Revision as of 22:07, 20 December 2021
Introduction
This setup will allow you to have multiple servers/containers accessible via a single IP address with the added benefit of a centralized generation of letsencrypt certificates and secure https (according to ssllabs ssltest). Be aware that you first need to setup a regular HTTP server in order to be able to generate your HTTPS certificates and keys. After you have generated them, you can then add your HTTPS host based configuration.
See the NGINX page for general information about Nginx, starting/stopping the service etc.
Installation
For this howto, we need three tools: NGINX, acme-client and openssl (to generate Diffie–Hellman Parameters).
apk update apk add nginx acme-client openssl
Setup
NGINX HTTP
Global configuration
First step is to refactor our global nginx.conf
. Its target at a low traffic http server, to increase performance make changes at top level.
Contents of /etc/nginx/nginx.conf
SSL configuration
Configure a file with all SSL-parameters that we can include in the virtual hosts configs later on.
The security settings are taken from https://cipherli.st. Please also read https://hstspreload.org for details about HSTS.
Contents of /etc/nginx/conf.d/ssl-params.inc
Diffie–Hellman Parameters
In the above configuration ssl_dhparam is used, so we need to generate a global dhparam
file. We want to use a 4096 key size, but this can take a very long time. Because of this, we are adding an extra option (dsaparam) to generate our dhparam
file (see this[Dead Link] wiki section):
openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
At this point, you should be able to (re)start your nginx server, but it will not use any of the security features yet.
Per site configuration files (conf.d)
Since Alpine v3.5, we ship NGINX with a default.conf
within the /etc/nginx/conf.d directory.
To add support for another website, you can add files with the .conf extension to this directory:
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Common configuration includes
If you need to setup multiple proxy setups, you can include duplicated data such as shown below:
Contents of /etc/nginx/conf.d/proxy_set_header.inc
acme-client
To allow NGINX to support https, we need to add certificates and support for ACME (Automatic Certificate Management Environment) responses.
ACME responses
Contents of /etc/nginx/conf.d/acme.inc
And add this to your proxy configuration:
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Automatic generation of certificates
Create the following file:
Contents of /etc/periodic/weekly/acme-client
Make it executable:
chmod +x /etc/periodic/weekly/acme-client
This script will run weekly to verify whether one of your certificates is outdated and renew them when needed.
If you have several domains, you can add them to the hosts= variable with a space between each domain. This will create a separate certificate and key for each:
hosts="alpinelinux.org example.com foo.org bar.io"
Initial generation of keys and certificates
To create your initial certificates and keys, you have to run this manually the first time:
/etc/periodic/weekly/acme-client
Watch the output and see if all goes well. When it's finished, you should have files in:
/etc/ssl/acme/alpinelinux.nl/fullchain.pem /etc/ssl/acme/private/alpinelinux.org/privkey.pem
NGINX HTTPS
Per site HTTPS configuration
Add the following below the previous HTTP configuration:
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Redirect HTTP to HTTPS
Create the following file:
Contents of /etc/nginx/conf.d/redirect_http.inc
Update host configuration
Contents of /etc/nginx/conf.d/alpinelinux.org.conf
Complete host example with IPv6 support
Contents of /etc/nginx/conf.d/alpinelinux.org.conf