tags: - TLS certificates - letsencrypt categories: - informational comments: true
Example domain: example.com
Example sub-domain: git.example.com
Web server IP: 192.168.1.100
Both domain and sub-domain will redirect to backend services Removing the redirect stanza will server files from the root
for the domain
mkdir -p /var/www/html/exampleand (sub-domain)
mkdir -p /var/www/html/git_examplenginx that supports php backend
To enable user1 to write to root
chown -R user1:user1 /var/www/html /var/www/letsencryptUsing git to create and push pages to nginx root
sudo -i -u user1
mkdir examplecurl -vI https://example.com curl -vI https://git.example.com
mkdir -p /var/www/letsencryptcat >/etc/nginx/conf/sites-available/example_com<<EOF
server {
root /var/www/html/example;
index index.html index.htm index.php;
server_name example.com;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/lets-encrypt-x3-cross-signed.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_session_cache shared:SSL:40m;
ssl_session_tickets on;
listen 192.168.1.100:443 ssl;
include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
access_log /var/log/nginx/hexo-access.log;
error_log /var/log/nginx/hexo-error.log;
location / {
proxy_pass https://192.168.1.120:8888;
}
}
server {
if ($host = example.com) {
return 301 https://$host$request_uri;
}
listen 192.168.1.100:80;
server_name example.com;
return 404;
}
EOFcat >/etc/nginx/conf/sites-available/git_example_com<<EOF
server {
root /var/www/html/git_example;
index index.html index.htm index.php;
server_name git.example.com;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/lets-encrypt-x3-cross-signed.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_session_cache shared:SSL:40m;
ssl_session_tickets on;
listen 192.168.1.100:443 ssl;
include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://192.168.1.110:3000;
}
access_log /var/log/nginx/softserve-access.log;
error_log /var/log/nginx/softserve-error.log;
}
server {
listen 192.168.1.100:80;
server_name git.example.com;
location ~ /\.well-known/acme-challenge/ {
allow all;
root /var/www/letsencrypt;
try_files $uri =404;
break;
}
}
EOFnginx -t
systemctl reload nginxletsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt -d git.example.com
letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt -d example.comFrom
#ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;To
ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;Then, check syntax and reload the configurations
nginx -t
systemctl reload nginxcat >/etc/cron.d/letsencrypt<<EOF
1 1 * * * /usr/bin/letsencrypt renew --renew-hook "/etc/init.d/nginx reload"
EOFapt update
apt install --no-install-recommends nginx letsencrypt certbot php-fpm php-mysqlcat >/etc/nginx/nginx.conf<<EOF
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 2048;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 50M;
server_names_hash_bucket_size 64;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
gzip_proxied any;
gzip_types text/plain text/xml text/css application/x-javascript;
gzip_vary on;
gzip_disable “MSIE [1-6]\.(?!.*SV")
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
EOFcat >/etc/letsencrypt/options-ssl-nginx.conf<<EOF
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
EOFincrease Diffie-Hellman key strength
openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 4096
cat >/etc/php/7.3/fpm/php.ini<<EOF
allow_url_fopen = On
allow_url_include = Off
[Assertion]
auto_append_file =
auto_globals_jit = On
auto_prepend_file =
[bcmath]
bcmath.scale = 0
[browscap]
cgi.fix_pathinfo=0
[CLI Server]
cli_server.color = On
[COM]
[curl]
[Date]
date.timezone = "America/Toronto"
[dba]
default_charset = "UTF-8"
default_mimetype = "text/html"
default_socket_timeout = 60
disable_classes =
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
display_errors = Off
display_startup_errors = Off
doc_root =
enable_dl = Off
engine = On
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
[exif]
expose_php = Off
file_uploads = On
[filter]
[gd]
html_errors = On
ibase.allow_persistent = 1
ibase.dateformat = "%Y-%m-%d"
ibase.max_links = -1
ibase.max_persistent = -1
ibase.timeformat = "%H:%M:%S"
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
[iconv]
ignore_repeated_errors = Off
ignore_repeated_source = Off
[imap]
implicit_flush = Off
[Interbase]
[intl]
[ldap]
ldap.max_links = -1
log_errors_max_len = 1024
log_errors = On
mail.add_x_header = Off
[mail function]
max_execution_time = 120
max_file_uploads = 20
max_input_time = 60
[mbstring]
memory_limit = 128M
[MySQLi]
mysqli.allow_persistent = On
mysqli.default_host =
mysqli.default_port = 3306
mysqli.default_pw =
mysqli.default_socket =
mysqli.default_user =
mysqli.max_links = -1
mysqli.max_persistent = -1
mysqli.reconnect = Off
[mysqlnd]
mysqlnd.collect_memory_statistics = Off
mysqlnd.collect_statistics = On
[OCI8]
[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.defaultbinmode = 1
odbc.defaultlrl = 4096
odbc.max_links = -1
odbc.max_persistent = -1
[opcache]
[openssl]
output_buffering = 4096
[Pcre]
[Pdo]
[Pdo_mysql]
pdo_mysql.default_socket=
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.ignore_notice = 0
pgsql.log_notice = 0
pgsql.max_links = -1
pgsql.max_persistent = -1
[Phar]
[PHP]
[PostgreSQL]
post_max_size = 32M
precision = 14
register_argc_argv = Off
report_memleaks = On
request_order = "GP"
serialize_precision = -1
[Session]
session.auto_start = 0
session.cache_expire = 180
session.cache_limiter = nocache
session.cookie_domain =
session.cookie_httponly =
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_samesite =
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.gc_probability = 0
session.name = PHPSESSID
session.referer_check =
session.save_handler = files
session.serialize_handler = php
session.sid_bits_per_character = 5
session.sid_length = 26
session.trans_sid_tags = "a=href,area=href,frame=src,form="
session.use_cookies = 1
session.use_only_cookies = 1
session.use_strict_mode = 0
session.use_trans_sid = 0
short_open_tag = Off
SMTP = localhost
smtp_port = 25
[soap]
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_enabled=1
soap.wsdl_cache_limit = 5
soap.wsdl_cache_ttl=86400
[sqlite3]
[sysvshm]
[Tidy]
tidy.clean_output = Off
unserialize_callback_func =
upload_max_filesize = 32M
user_dir =
variables_order = "GPCS"
zend.assertions = -1
zend.enable_gc = On
zlib.output_compression = Off
EOFhttps://www.letscloud.io/community/how-to-set-up-an-nginx-with-certbot-on-ubuntu https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04 https://scaron.info/blog/improve-your-nginx-ssl-configuration.html