Serve with Nginx and certify with Certbot SSL
Note: snapd isn't stable on AlmaLinux 10 at the time of writing, so you might want to install certbot via pip or some other way.
Installing packages
# Install packages
sudo dnf install snapd nginx && sudo systemctl enable nginx && sudo systemctl start nginx
# Snapd for certbot (https certs)
sudo systemctl enable --now snapd.socket &&
sudo ln -s /var/lib/snapd/snap /snap &&
sudo snap install --classic certbot &&
# Link certbot into PATH only after the snap exists
sudo ln -s /snap/bin/certbot /usr/bin/certbot
This installs nginx and certbot.
Serving a website via nginx
Create an empty config file
sudo nvim /etc/nginx/conf.d/$YOUR_SERVICE.conf
and then add
server {
    server_name sub.yourdomain.com;
    location / {
        root html;
        index index.html;
    }
}
Then request the certificate and test renewal:
sudo certbot --nginx -d sub.yourdomain.com
sudo certbot renew --dry-run # test renewal
This is all you need to have a self-renewing certificate for a service or website.
Passing the traffic through to your APIs with upstream
For an API service, follow the same steps as in the previous section, but go into your config and change it to include the your_api upstream and the proxy settings below:
upstream your_api {
    server 127.0.0.1:3498;
}
# ...
server {
    # ...
    location / {
        proxy_pass http://your_api;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support (if needed)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # Timeouts
        proxy_connect_timeout 5s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
    }
    # ...
}
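The config above passes the client address to the API in X-Real-IP and X-Forwarded-For. Because $proxy_add_x_forwarded_for keeps whatever the client sent and appends $remote_addr, the API should rely only on the right-hand end of that list. The Python helper below is an added example, not part of the original page; client_ip, TRUSTED_PROXIES and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: the nginx from the config above is the only trusted proxy and
# reaches the API over loopback (upstream 127.0.0.1:3498).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Hypothetical helper: pick the client address the API may rely on.

    peer_addr is the source address of the TCP connection to the API;
    headers maps lower-cased header names to values.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer):
        # Connection did not come through nginx: ignore forwarding headers.
        return str(peer)
    best = peer
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever the client
    # sent, so only the right-hand end of the list is trustworthy.
    hops = headers.get("x-forwarded-for", "").split(",")
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # unparsable entry: everything leftwards is client-controlled
        best = ip
        if not is_trusted(ip):
            break  # first address not written by one of our proxies
    return str(best)


# Constructed sample requests (documentation addresses, not real traffic).
SAMPLES = [
    ("127.0.0.1", {"x-forwarded-for": "203.0.113.7"}),            # normal request
    ("127.0.0.1", {"x-forwarded-for": "10.0.0.1, 203.0.113.7"}),  # spoofed prefix
    ("198.51.100.9", {"x-forwarded-for": "10.0.0.1"}),            # bypassed nginx
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", client_ip(peer, hdrs))
```

Use the returned address for rate limiting and audit logs. If the API should never be reachable except through nginx, keep it bound to 127.0.0.1 as in the upstream block.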