# Serve with Nginx and certify with Certbot SSL

Note: `snapd` isn't stable on AlmaLinux 10 at the time of writing; you might want to install certbot via `pip` or some other way.

## Installing packages

```sh
# Install packages
sudo dnf install snapd nginx && sudo systemctl enable nginx && sudo systemctl start nginx
# Snapd for certbot (https certs)
sudo systemctl enable --now snapd.socket &&
sudo ln -s /var/lib/snapd/snap /snap &&
sudo snap install --classic certbot &&
# Link certbot into PATH once the snap is installed
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```

This installs nginx and certbot.

## Serving a website via nginx

Create an empty config file:

```sh
# Files under /etc/nginx are root-owned, so edit with sudo
sudo nvim "/etc/nginx/conf.d/$YOUR_SERVICE.conf"
```

and then add:

```nginx
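server {
    # Hostname this block answers for (must match the certificate request below)
    server_name sub.yourdomain.com;

    location / {
        # Relative path, resolved against the nginx prefix directory
        root html;
        index index.html;
    }
}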
```

Then obtain the certificate and test renewal:

```sh
sudo certbot --nginx -d sub.yourdomain.com
sudo certbot renew --dry-run # test renewal
```

This is all you need to have a self-renewing certificate for a service or website.

## Passing the traffic through to your APIs with `upstream`

For an API service, follow the same steps as above, then open your config and change the `/your_api` block to include:

```nginx
# nginx connects to the API on the loopback interface
upstream your_api {
    server 127.0.0.1:3498;
}

# ...

server {

    # ...

    location / {
        proxy_pass http://your_api;
        proxy_http_version 1.1;
        # Pass the original host, client address and scheme to the API
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (if needed)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        # Timeouts
        proxy_connect_timeout 5s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
    }

    # ...

}
```

Test and reload nginx with:

```sh
# Test configuration
sudo nginx -t
# Reload nginx
sudo systemctl reload nginx
```
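
The `X-Forwarded-For` line in the proxy block above uses `$proxy_add_x_forwarded_for`, which appends the connecting address to whatever value the client already sent, so the API should read that list from the right and only when the request really came from nginx. The following is an added example, not part of the original page; the function names and the assumption that nginx is the only proxy and runs on the same host as the API are illustrative.

```python
import ipaddress

# Assumption: the only proxy is the nginx from the config above, on this host.
TRUSTED_PROXIES = (ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128"))


def _parse(value):
    """Return an ip_address object, or None if value is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Pick the client address to use for logging or rate limiting.

    peer_addr: source address of the TCP connection to the API.
    headers:   request headers as a dict with lower-cased names.
    """
    peer = _parse(peer_addr)
    if peer is None:
        raise ValueError(f"bad peer address: {peer_addr!r}")
    # The request did not arrive through nginx, so any forwarding headers
    # were written by the sender: ignore them.
    if not _is_trusted(peer):
        return str(peer)
    # Only the right-hand end of X-Forwarded-For was written by nginx;
    # entries further left are whatever the client supplied.
    hops = headers.get("x-forwarded-for", "").split(",")
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: stop trusting the list
        if not _is_trusted(ip):
            return str(ip)
    # Fall back to X-Real-IP, which the config sets to $remote_addr outright.
    real = _parse(headers.get("x-real-ip", ""))
    return str(real) if real is not None else str(peer)
```
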

## Deleting Certbot certificates

```sh
# List your certificates
sudo certbot certificates
# Delete by name
sudo certbot delete --cert-name sub.domain.com
```