NGINX, VHOSTS & SSL (let’s encrypt)
by Marcel Fox
E-mail: contato@marcelfox.com
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
In this short document, we'll go through the steps needed to install the
components for an NGINX server with many vhost blocks, to which we'll add
services like Roundcube and PostfixAdmin over SSL, without interfering with
the HTTPS access of our websites.
INSTALL NGINX:
We're using the Debian Stretch distribution, so we'll stay focused on that
environment, but this document will most likely work just as well on any
Debian-like system. Since the subject of this article is the NGINX service, you
can also use it on any other distribution with minor changes, such as
adjusting the package manager and package names.
NGINX on Debian Stretch has three types of packages:
nginx-extras - nginx web/proxy server (extended version)
nginx-full - nginx web/proxy server (standard version)
nginx-light - nginx web/proxy server (basic version)
We're going to install nginx-full package.
# apt-get install nginx-full
Enable the nginx service:
# systemctl enable nginx
# systemctl start nginx
You can check if the server is up by accessing the main IP of your server on a
browser.
DEFAULT CONFS:
The configuration files are located at:
'/etc/nginx/nginx.conf'
The default configuration is enough to provide a solid, standard web server,
but if you're willing to go a little deeper into the main server configuration, I
highly recommend the docs:
https://www.nginx.com/resources/admin-guide/
In the 'http' section of the configuration file, we can see that NGINX loads
vhost files from:
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
And there's a main default configuration providing a 'catch all' server block
that returns nginx's welcome page for any HTTP request to the server:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
}
Together with 'default_server' on the listen lines, 'server_name _;' provides
the 'catch all' configuration: for any domain or IP that reaches the server and
matches no other server block, NGINX returns the index stored at
'/var/www/html'
which is the root directory for this server block.
VHOST EXAMPLE:
The main goal of this NGINX instance is to serve multiple domains from the
main server's IP. NGINX will route each request based on the requested domain
and serve the document root configured in the vhost file that represents that
domain. In this case we're going to use the domain 'example.tld' in our vhost
files; you can replace 'example.tld' with a domain of your choice.
# cat /etc/nginx/sites-available/example.conf
server {
listen 80;
root /root/www/example;
index index.php index.html index.htm index.nginx-debian.html;
server_name www.example.tld example.tld;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
}
This basic vhost configuration provides PHP support via php-fpm, and for every
request made to 'example.tld' NGINX will return the index file located at the
application's root directory, '/root/www/example'.
Once the vhost file has been created in '/etc/nginx/sites-available', you must
create a symbolic link to it in '/etc/nginx/sites-enabled':
# ln -s /etc/nginx/sites-available/example.conf /etc/nginx/sites-enabled
After that you must reload NGINX:
# nginx -s reload
or
# systemctl reload nginx
If you want to disable the vhost, you just need to remove the symbolic link
and reload the server again:
# unlink /etc/nginx/sites-enabled/example.conf
CERTBOT (LET'S ENCRYPT)
Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS
certificates. You'll find a more complete definition at:
https://certbot.eff.org/about/
You can install Certbot on Debian using the package-manager:
# apt-get install certbot
Certbot is a very simple tool that generates and installs certificates for the
given domains with a single command line. Certbot obtains certificates through
validation requests made to:
http://example.tld/.well-known/acme-challenge
We'll use the following root directory to store the Certbot challenge files:
/var/www/html/letsencrypt
So it's important to create this directory and add a location block to the
vhost of each domain for which you'll generate a certificate:
# mkdir /var/www/html/letsencrypt
Add this location block to the server block in the default file, and also to the
vhost of each domain for which you want to issue a certificate:
server {
listen 80;
...
location /.well-known/acme-challenge {
root /var/www/html/letsencrypt;
}
...
}
After that, test the configuration and reload nginx:
# nginx -t && nginx -s reload
To generate a new certificate with Certbot you just need the following
line:
# certbot certonly --webroot -w /var/www/html/letsencrypt/ -d example.tld -d server.example.tld -d mail.example.tld -d www.example.tld
Explaining what this whole line does:
certonly: (subcommand) Obtain or renew a cert, but do not install it.
--webroot: (plugin) Place files in a server's webroot folder for authentication.
-w: (argument) Webroot path where Certbot writes the challenge files (the certificates themselves are stored under /etc/letsencrypt).
-d: (argument) Domain the certificate will cover; repeat it for each name.
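To make clear why the location block, the 'root' path and the '-w' path have to line up, here is an added example (not code from the original document or from certbot) that emulates the http-01 challenge behind 'certbot certonly --webroot'. The account key, token and webroot are constructed for the demo; it also shows what happens when 'root' is mistakenly pointed at the challenge directory instead of the webroot.

```python
"""
Emulation of the ACME http-01 challenge performed by 'certbot certonly --webroot'.
What the CA checks: a GET to http://<domain>/.well-known/acme-challenge/<token>
must return  token + "." + base64url(SHA-256(thumbprint of the account JWK)).
certbot writes that file under <webroot>/.well-known/acme-challenge/, and the
'location /.well-known/acme-challenge { root /var/www/html/letsencrypt; }' block
makes nginx serve it, because 'root' appends the whole request URI to its path.
"""
import base64
import hashlib
import json
import os
import tempfile

CHALLENGE_DIR = ".well-known/acme-challenge"   # created by certbot under the -w path


def b64url(data):
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed demo account key: NOT a real RSA key. certbot keeps the real one
# under /etc/letsencrypt/accounts/ and it must never live inside the webroot.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": b64url(b"constructed demo modulus, not a real key")}


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token, jwk):
    """Body the challenge file must contain: proves control of the account key."""
    return token + "." + jwk_thumbprint(jwk)


def place_challenge(webroot, token, jwk):
    """What the --webroot plugin does with '-w <webroot>': write the challenge file."""
    target_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def nginx_root_lookup(location_root, request_uri):
    """Path nginx opens for a request inside a location that sets 'root <location_root>;'."""
    return os.path.join(location_root, request_uri.lstrip("/"))


def validate_like_ca(location_root, token, jwk):
    """The CA side: fetch the challenge URI and compare it with the expected key authorization."""
    uri = "/" + CHALLENGE_DIR + "/" + token
    try:
        with open(nginx_root_lookup(location_root, uri), encoding="ascii") as fh:
            body = fh.read().strip()
    except OSError:          # nginx would answer 404: wrong root or file never written
        return False
    return body == key_authorization(token, jwk)


def demo():
    """Run the exchange in a temporary webroot and compare two choices of nginx 'root'."""
    token = "constructed-token-" + b64url(os.urandom(16))   # the real token comes from the CA
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, token, ACCOUNT_JWK)
        return {
            # root <webroot>;  -> nginx serves <webroot>/.well-known/acme-challenge/<token>
            "root_is_webroot": validate_like_ca(webroot, token, ACCOUNT_JWK),
            # root <webroot>/.well-known/acme-challenge;  -> URI appended again, 404
            "root_is_challenge_dir": validate_like_ca(
                os.path.join(webroot, CHALLENGE_DIR), token, ACCOUNT_JWK),
        }


if __name__ == "__main__":
    print(demo())
```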
When the command is issued, the following output is shown:
# certbot certonly --webroot -w /var/www/html/letsencrypt/ -d example.tld -d mail.example.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.tld
http-01 challenge for mail.example.tld
Using the webroot path /var/www/html/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.tld/fullchain.pem. Your
cert will expire on 2017-12-12. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificates will be located at '/etc/letsencrypt/live/example.tld/':
# tree /etc/letsencrypt/live/example.tld/
/etc/letsencrypt/live/example.tld/
├── cert.pem -> ../../archive/example.tld/cert1.pem
├── chain.pem -> ../../archive/example.tld/chain1.pem
├── fullchain.pem -> ../../archive/example.tld/fullchain1.pem
├── privkey.pem -> ../../archive/example.tld/privkey1.pem
└── README
BASIC SSL FOR SERVICES
Imagine that you want to provide common services like Roundcube and
PostfixAdmin for many vhosts and domains. A simple option is to redirect any
service request to the hostname of your web server instead of creating a new
server block for each domain individually. NGINX will then respond to these
service requests as follows:
domain/service request                     hostname/service
http://example.tld/mail    > redirects >   https://server.example.tld/mail
http://mydomain.com/mail   > redirects >   https://server.example.tld/mail
With this design, a default SSL server block answers those requests for every
domain, as long as each domain has the right redirection rule to the hostname.
We'll explain it further in the examples below:
Add or edit the following SSL server block in your default NGINX host file
(where example.tld is the domain for which you've already generated a certificate):
server {
listen 443 ssl;
server_name _;
root /usr/share/webapps/;
index index.php;
charset utf-8;
ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
##
# Configuration from https://cipherli.st/
##
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 144.217.94.121 144.217.129.179 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
#add_header X-Frame-Options DENY; #Commented because was not loading Roundcube messages.
add_header X-Content-Type-Options nosniff;
##
# END
##
location / {
try_files $uri $uri/ index.php;
}
}
It's important to notice that our 'root' directive points at the directory where
our web services are located.
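Before reloading, it is worth checking that a copied SSL block still carries every hardening directive. The following is an added example (not from the original document or from nginx): a small pre-reload audit of the TLS directives of a 'listen 443 ssl' block, complementing the external SSL Labs scan the document links later. The two sample blocks are constructed: HARDENED mirrors the cipherli.st settings above, WEAK is a typical partial copy.

```python
"""
Pre-reload sanity check for the TLS directives of an nginx 'listen 443 ssl'
server block. Parses one directive per line (commented lines and block
openers are skipped) and reports the usual copy-paste regressions.
"""
import re

# name, value (a quoted value may contain ';'), terminating ';'
DIRECTIVE = re.compile(r'^\s*(?!#)([a-z_]+)\s+((?:"[^"]*"|[^;"{}])*);', re.M)

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_MAX_AGE = 31536000   # one year; the block above sets two (63072000)


def directives(block):
    """Map directive name -> list of values, in file order (add_header repeats)."""
    found = {}
    for name, value in DIRECTIVE.findall(block):
        found.setdefault(name, []).append(value.strip())
    return found


def header_value(conf, header):
    """Value of 'add_header <header> ...;' with surrounding quotes removed, or None.
    Note: add_header in a server block is NOT inherited by a location that has its
    own add_header, so the same check must be repeated for such locations."""
    for value in conf.get("add_header", []):
        parts = value.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == header.lower():
            return parts[1].strip().strip('"')
    return None


def last(conf, name, default):
    """Effective value of a single-valued directive (the last occurrence wins)."""
    return conf.get(name, [default])[-1]


def audit(block):
    """Return a list of findings; an empty list means the block passes every check."""
    conf = directives(block)
    findings = []
    for required in ("ssl_certificate", "ssl_certificate_key"):
        if required not in conf:
            findings.append(f"{required} missing: nginx refuses to start the ssl listener")
    protocols = set(" ".join(conf.get("ssl_protocols", [])).split())
    if not protocols:
        findings.append("ssl_protocols not set: nginx's default of that era still offers TLSv1 and TLSv1.1")
    for legacy in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"ssl_protocols offers legacy {legacy}")
    if last(conf, "ssl_prefer_server_ciphers", "off") != "on":
        findings.append("ssl_prefer_server_ciphers is off: the client's cipher preference wins")
    if last(conf, "ssl_session_tickets", "on") != "off":
        findings.append("ssl_session_tickets is on: the ticket key is never rotated unless you manage it")
    stapling = last(conf, "ssl_stapling", "off") == "on"
    if not stapling or last(conf, "ssl_stapling_verify", "off") != "on":
        findings.append("OCSP stapling is not fully enabled (ssl_stapling + ssl_stapling_verify)")
    if stapling and "resolver" not in conf:
        findings.append("ssl_stapling is on but no resolver is set: nginx cannot fetch OCSP responses")
    hsts = header_value(conf, "Strict-Transport-Security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing: browsers will not pin the 80 -> 443 redirect")
    else:
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age is below {MIN_HSTS_MAX_AGE} seconds")
    if (header_value(conf, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    return findings


HARDENED = """
server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.1 valid=300s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    #add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
"""

WEAK = """
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    add_header X-Frame-Options DENY;
}
"""

if __name__ == "__main__":
    for name, block in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, audit(block) or ["ok"])
```

Run it over a vhost file before 'nginx -t && nginx -s reload'; the checks are deliberately narrow and do not replace a full external scan.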
Now, inside this new SSL server block, we'll add the service locations:
server {
listen 443 ssl;
...
location ~ /mail(/.*\.php)$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location ~ /postfixadmin(/.*\.php)$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
...
}
You must reload NGINX to activate the changes. After that, NGINX will answer
these locations for the hostname as mentioned before. But for every domain that
will use those services, we have to add a redirection rule to its vhost, which
is very simple:
location /mail {
return 301 https://server.example.tld$request_uri;
}
location /postfixadmin {
return 301 https://server.example.tld$request_uri;
}
Again, you must reload NGINX for the changes to take effect.
Now if you access:
http://mydomain.com/mail
you'll be redirected to:
https://server.example.tld/mail
SSL FOR YOUR WEBSITE:
For NGINX to answer HTTPS connections for the certificate's domain, you need
to add an SSL server block to the domain's vhost file. Here follows a complete
example of a basic vhost configuration for a single domain:
server {
listen 80;
server_name www.example.tld example.tld;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name www.example.tld example.tld;
root /var/www/html;
index index.php;
ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
##
# Configuration from https://cipherli.st/
##
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 144.217.94.121 144.217.129.179 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
#add_header X-Frame-Options DENY; #Commented because was not loading Roundcube messages.
add_header X-Content-Type-Options nosniff;
##
# END
##
charset utf-8;
client_max_body_size 75M;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
location /mail {
return 301 https://server.example.tld$request_uri;
}
location /postfixadmin {
return 301 https://server.example.tld$request_uri;
}
location /.well-known/acme-challenge {
root /var/www/html/letsencrypt;
}
}
ON YOUR OWN
First of all, thank you for your interest in this document; I hope it has
clarified NGINX and SSL services for you. This document was based on research
that can be summarised with the links below:
https://www.rosehosting.com/blog/setup-and-configure-a-mail-server-with-postfixadmin/
https://wiki.archlinux.org/index.php/Roundcube#Webserver_.28Nginx.29
https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
https://certbot.eff.org/#debianstretch-nginx
https://cipherli.st/
https://www.ssllabs.com/ssltest/index.html
Good advice is to manage the security of your vhost blocks, so here is a
small addition to the Roundcube location blocks to increase security:
location / {
try_files $uri $uri/ index.php;
}
location ~ ^/mail/favicon\.ico$ {
root /usr/share/webapps/roundcubemail/skins/classic/images;
log_not_found off;
access_log off;
expires max;
}
# Robots file
location ~ ^/mail/robots\.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny Protected directories
location ~ ^/mail/(config|temp|logs)/ {
deny all;
}
location ~ ^/mail/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/mail/(bin|SQL)/ {
deny all;
}
# Hide .md files
location ~ ^/mail/(.+\.md)$ {
deny all;
}
# Hide all dot files
location ~ ^/mail/\. {
deny all;
access_log off;
log_not_found off;
}
...
}
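Whether a deny rule actually fires depends on where it sits: nginx tests 'location ~' blocks in file order and the first match wins. The following is an added example (not part of the original document) that emulates that rule over constructed request paths, using the regexes from this section placed after the php-fpm location for /mail as in the SSL block above. It shows that in that order a request for a .php file under /mail/config/ reaches php-fpm before any deny rule is consulted, so the deny rules should come first; it also shows what an unescaped dot in '^/mail/.' would do. The URI normalisation is an approximation of nginx's.

```python
"""
Emulation of nginx 'location ~' selection: regex locations are tested in the
order they appear in the file and the first match wins (beating the prefix
'location /'). The request path is normalised first (query string dropped,
%XX decoded, '..' resolved). 'fastcgi', 'static' and 'deny' name the action of
the matching block, 'try_files /' the fall-back prefix location.
"""
import posixpath
import re
from urllib.parse import unquote

# The SSL server block above, in file order: the php-fpm handler for /mail
# comes first, the hardening rules from this section come after it.
PAGE_ORDER = [
    (r"/mail(/.*\.php)$", "fastcgi"),
    (r"^/mail/favicon\.ico$", "static"),
    (r"^/mail/robots\.txt", "static"),
    (r"^/mail/(config|temp|logs)/", "deny"),
    (r"^/mail/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$", "deny"),
    (r"^/mail/(bin|SQL)/", "deny"),
    (r"^/mail/(.+\.md)$", "deny"),
    (r"^/mail/\.", "deny"),
]

# Constructed sample requests, not taken from any real log.
SAMPLE_REQUESTS = [
    "/mail/index.php",
    "/mail/skins/classic/images/logo.png",
    "/mail/config/config.inc.php",
    "/mail/temp/upload.txt",
    "/mail/.htaccess",
    "/mail/README.md",
    "/mail/config/../index.php?_task=mail",
]


def normalize(uri):
    """Approximate nginx's URI normalisation before location matching."""
    path = unquote(uri.split("?", 1)[0])
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):   # normpath drops the trailing slash
        norm += "/"
    return norm


def resolve(uri, regex_locations, prefix_fallback="try_files /"):
    """First regex location that matches the normalised path wins."""
    path = normalize(uri)
    for pattern, action in regex_locations:
        if re.search(pattern, path):
            return action
    return prefix_fallback


def deny_first(regex_locations):
    """Reorder so every 'deny' block precedes the handlers (stable: relative order kept)."""
    return sorted(regex_locations, key=lambda rule: rule[1] != "deny")


def evaluate(regex_locations):
    """Action chosen for each sample request under a given block order."""
    return {uri: resolve(uri, regex_locations) for uri in SAMPLE_REQUESTS}


def unescaped_dot_pitfall(uri):
    """What '^/mail/.' with the dot not escaped does: '.' matches any character."""
    return resolve(uri, [(r"^/mail/.", "deny")])


if __name__ == "__main__":
    for label, rules in (("page order", PAGE_ORDER), ("deny first", deny_first(PAGE_ORDER))):
        print(label)
        for uri, action in evaluate(rules).items():
            print(f"  {uri:45} -> {action}")
```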
For any further information or questions:
website: marcelfox.com
email: contato@marcelfox.com
twitter: @marcelfox
whatsapp: +5583999295882
THANKS!

Choosing The Best AWS Service For Your Website + API.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 

NGiNX, VHOSTS & SSL (let's encrypt)

by Marcel Fox
E-mail: contato@marcelfox.com
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

In this small document we'll go through the steps needed to install the necessary components to bring up an NGINX server with many vhost blocks, to which we'll add services like Roundcube and Postfixadmin with an SSL configuration that does not interfere with HTTPS access to our websites.

INSTALL NGINX:
We're using the Debian Stretch distribution, so we'll stay focused on that environment, but this document will most likely also work for any Debian-like system. Since the subject of this article is the NGINX service, you can also use it on any other distribution with some minor changes, such as adjusting the package manager and the package names.

NGINX on Debian Stretch comes in three packages:
nginx-extras - nginx web/proxy server (extended version)
nginx-full - nginx web/proxy server (standard version)
nginx-light - nginx web/proxy server (basic version)

We're going to install the nginx-full package:
# apt-get install nginx-full

Enable and start the nginx service:
# systemctl enable nginx
# systemctl start nginx

You can check that the server is up by opening your server's main IP address in a browser.
DEFAULT CONFS:
The configuration files are located at:
'/etc/nginx/nginx.conf'

The default configuration is enough to provide a solid, standard web server, but if you're willing to go a little deeper into the main server configuration, I highly recommend the docs:
https://www.nginx.com/resources/admin-guide/

In the 'http' section of the configuration file, we can see where NGiNX looks for vhost files:
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

And there's a main default configuration providing a 'catch all' server, which returns nginx's welcome page for any http request to the server:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}

The 'server_name _;' line provides the 'catch all' configuration: for any domain or IP that reaches the server, NGiNX returns whatever index is stored at '/var/www/html', the root directory of this server block.
VHOST EXAMPLE:
The main goal of this NGINX instance is to serve multiple domains from the server's main IP. NGiNX routes each request based on the requested domain and serves the document root configured in the vhost file that represents that domain. In this case we'll use the domain 'example.tld' in our vhost files; you can replace 'example.tld' with a domain of your choice.

# cat /etc/nginx/sites-available/example.conf
server {
    listen 80;
    root /root/www/example;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name www.example.tld example.tld;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
}

This basic vhost configuration provides PHP support via php-fpm, and for every request made to 'example.tld', NGiNX returns the index file located at the application's root directory, '/root/www/example'.

Once the vhost file has been created in '/etc/nginx/sites-available', you must create a symbolic link to it in '/etc/nginx/sites-enabled':
# ln -s /etc/nginx/sites-available/example.conf /etc/nginx/sites-enabled

After that you must reload NGINX:
# nginx -s reload
or
# systemctl reload nginx

If you want to disable the vhost, just remove the symbolic link and reload the server again:
# unlink /etc/nginx/sites-enabled/example.conf
CERTBOT (LET'S ENCRYPT)
Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates. You'll find a more complete definition at:
https://certbot.eff.org/about/

You can install Certbot on Debian using the package manager:
# apt-get install certbot

Certbot is a very simple tool that will generate and install certificates for the given domains with a single command line. Let's Encrypt validates each domain by requesting a challenge file that Certbot places under:
http://example.tld/.well-known/acme-challenge

We'll use the following root directory to store Certbot's challenge files:
/var/www/html/letsencrypt

So it's important to create this directory and add a location block to each vhost of the domains you'll generate certificates for:
# mkdir /var/www/html/letsencrypt

Add this location block to the server block of the default file and also to the vhost of the domain you want to issue the certificate for:
server {
    listen 80;
    ...
    location /.well-known/acme-challenge {
        root /var/www/html/letsencrypt;
    }
    ...
}

After that you must test the configuration and reload your nginx service:
# nginx -t && nginx -s reload
To generate a new certificate with Certbot you just need to run the following line:
# certbot certonly --webroot -w /var/www/html/letsencrypt/ -d example.tld -d server.example.tld -d mail.example.tld -d www.example.tld

Explaining what this whole line does:
certonly: (subcommand) Obtain or renew a cert, but do not install it.
--webroot: (plugin) Place files in a server's webroot folder for authentication.
-w: (argument) Webroot path in which Certbot will place the challenge files (the certificates themselves are written under /etc/letsencrypt, see below).
-d: (argument) Domain the certificate will be issued for (repeat it for each name).

When the command is issued, the following message is shown:
# certbot certonly --webroot -w /var/www/html/letsencrypt/ -d example.tld -d mail.example.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.tld
http-01 challenge for mail.example.tld
Using the webroot path /var/www/html/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.tld/fullchain.pem. Your cert will expire
   on 2017-12-12. To obtain a new or tweaked version of this certificate
   in the future, simply run certbot again. To non-interactively renew
   *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificates will be located at '/etc/letsencrypt/live/example.tld/':
# tree /etc/letsencrypt/live/example.tld/
/etc/letsencrypt/live/example.tld/
├── cert.pem -> ../../archive/example.tld/cert1.pem
├── chain.pem -> ../../archive/example.tld/chain1.pem
├── fullchain.pem -> ../../archive/example.tld/fullchain1.pem
├── privkey.pem -> ../../archive/example.tld/privkey1.pem
└── README
BASIC SSL FOR SERVICES
Imagine that you want to provide common services like Roundcube and Postfixadmin for innumerable vhosts and domains. A simple option is to redirect any service request to the hostname of your web server instead of creating a new server block for each domain individually. NGiNX will answer these service requests as follows:

domain/service request                       hostname/service
http://example.tld/mail     > redirects >    https://server.example.tld/mail
http://mydomain.com/mail    > redirects >    https://server.example.tld/mail

With this design, one default SSL server block answers those requests for every domain, as long as each domain's vhost has a correct redirection rule pointing at the hostname. We'll explain it better in the examples below.

Add or edit the following SSL server block in your default NGiNX host file (where example.tld is the domain for which you've already generated a certificate):
server {
    listen 443 ssl;
    server_name _;
    root /usr/share/webapps/;
    index index.php;
    charset utf-8;
    ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
    ##
    # Configuration from https://cipherli.st/
    ##
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 144.217.94.121 144.217.129.179 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    #add_header X-Frame-Options DENY; # Commented out because Roundcube messages would not load with it.
    add_header X-Content-Type-Options nosniff;
    ##
    # END
    ##
    location / {
        try_files $uri $uri/ index.php;
    }
}

It's important to notice that our 'root' directive points at the directory where our web services are located.
Now, inside this new SSL server block, we'll add the service locations:
server {
    listen 443 ssl;
    ...
    location ~ /mail(/.*\.php)$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }
    location ~ /postfixadmin(/.*\.php)$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_buffer_size 16k;
        fastcgi_buffers 4 16k;
    }
    ...
}

You must restart NGiNX to activate the changes. After that, NGiNX will serve these locations for the hostname as mentioned before. But every domain that will use those services must have a redirection rule added to its vhost, which is very simple:
location /mail {
    return 301 https://server.example.tld$request_uri;
}
location /postfixadmin {
    return 301 https://server.example.tld$request_uri;
}

Again, you must restart NGINX for the changes to take effect. Now if you access:
http://mydomain.com/mail
you'll be redirected to:
https://server.example.tld/mail
SSL FOR YOUR WEBSITE:
For NGiNX to answer HTTPS connections for the SSL certificate's domain, you need to add an SSL server block to the domain's vhost file. Here follows a complete example of a basic vhost configuration for a single domain:
server {
    listen 80;
    server_name www.example.tld example.tld;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name www.example.tld example.tld;
    root /var/www/html;
    index index.php;
    ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;
    ##
    # Configuration from https://cipherli.st/
    ##
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 144.217.94.121 144.217.129.179 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    #add_header X-Frame-Options DENY; # Commented out because Roundcube messages would not load with it.
    add_header X-Content-Type-Options nosniff;
    ##
    # END
    ##
    charset utf-8;
    client_max_body_size 75M;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
    location /mail {
        return 301 https://server.example.tld$request_uri;
    }
    location /postfixadmin {
        return 301 https://server.example.tld$request_uri;
    }
    location /.well-known/acme-challenge {
        root /var/www/html/letsencrypt;
    }
}
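As an added example that is not part of the guide, here is a small Python linter for vhost files like the one above. It parses the nginx configuration and reports a regex location whose dot is left unescaped ('.php$' also matches a URI ending in '-php'; the guide means '\.php$'), a TLS server block that still enables SSLv3/TLSv1.0/1.1 or lacks the Strict-Transport-Security header, and a missing Certbot webroot location, without which renewals fail. The sample vhost is a constructed copy of the guide's TLS block with the dot deliberately left unescaped; WEBROOT, LEGACY and the finding strings are this example's own names.

```python
import re

WEBROOT = "/var/www/html/letsencrypt"    # Certbot webroot used in the guide
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Tokens: quoted strings, comments, the three structural characters, bare words.
_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|#[^\n]*|[{};]|[^\s{};"'#]+''')

# Constructed input: the TLS block of the guide's single-domain vhost, with one
# defect planted on purpose (the dot before 'php' is not escaped).
SAMPLE_VHOST = r"""server {
    listen 443 ssl;
    server_name www.example.tld example.tld;
    ssl_protocols TLSv1.2;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    location ~ .php$ { fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; }
    location /.well-known/acme-challenge { root /var/www/html/letsencrypt; }
}"""


def parse(text):
    """nginx config -> [(name, args, children)]; children is None for a plain directive."""
    tokens = [t for t in _TOKEN.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if pos == len(tokens) or not words:
                raise ValueError("malformed directive near token %d" % pos)
            children = None
            if tokens[pos] == "{":
                pos += 1
                children = block()
            pos += 1  # consume the ';' or the closing '}'
            items.append((words[0], words[1:], children))
        return items
    return block()


def args_of(block, name):
    """Argument lists of every directive called `name` directly inside `block`."""
    return [a for n, a, _ in block if n == name]


def lint(text):
    """Return findings for the vhost text; an empty list means it passes."""
    findings, acme_ok = [], False
    for srv in [c for n, _, c in parse(text) if n == "server"]:
        for args, body in [(a, c) for n, a, c in srv if n == "location"]:
            if args[-1] == "/.well-known/acme-challenge":
                acme_ok |= args_of(body, "root") == [[WEBROOT]]
            # '.php$' also matches e.g. '/x-php'; the guide means '\.php$'
            if args[0] == "~" and re.search(r"(?<!\\)\.php", args[-1]):
                findings.append("unescaped dot in regex location '%s'" % args[-1])
        if any("ssl" in a for a in args_of(srv, "listen")):
            old = LEGACY & {p for a in args_of(srv, "ssl_protocols") for p in a}
            if old:
                findings.append("legacy protocols enabled: " + ", ".join(sorted(old)))
            if ["Strict-Transport-Security"] not in [a[:1] for a in args_of(srv, "add_header")]:
                findings.append("TLS server lacks the Strict-Transport-Security header")
    if not acme_ok:
        findings.append("no /.well-known/acme-challenge location rooted at " + WEBROOT)
    return findings
```

Run lint() over the text of each file in /etc/nginx/sites-enabled before the `nginx -t && nginx -s reload` step; nginx -t only checks syntax, not these conventions.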
ON YOUR OWN
First of all, thank you for being interested in this document; I hope it has clarified NGiNX and SSL services for you. This document is based on research that can be summarised by the links below:
https://www.rosehosting.com/blog/setup-and-configure-a-mail-server-with-postfixadmin/
https://wiki.archlinux.org/index.php/Roundcube#Webserver_.28Nginx.29
https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
https://certbot.eff.org/#debianstretch-nginx
https://cipherli.st/
https://www.ssllabs.com/ssltest/index.html

Good advice is to manage the security of your vhost blocks, so here is a small addition to the Roundcube location block to increase security:
server {
    listen 443 ssl;
    ...
    location / {
        try_files $uri $uri/ index.php;
    }
    location ~ ^/mail/favicon.ico$ {
        root /usr/share/webapps/roundcubemail/skins/classic/images;
        log_not_found off;
        access_log off;
        expires max;
    }
    # Robots file
    location ~ ^/mail/robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Deny protected directories
    location ~ ^/mail/(config|temp|logs)/ {
        deny all;
    }
    location ~ ^/mail/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }
    location ~ ^/mail/(bin|SQL)/ {
        deny all;
    }
    # Hide .md files
    location ~ ^/mail/(.+\.md)$ {
        deny all;
    }
    # Hide all dot files
    location ~ ^/mail/\. {
        deny all;
        access_log off;
        log_not_found off;
    }
    ...
}

Since NGiNX uses the first matching regex location in file order, place these 'deny all' blocks before the '~ /mail(/.*\.php)$' location; otherwise a request for a .php file under /mail/config/ would still be passed to php-fpm.
For any further information or questions:
website: marcelfox.com
email: contato@marcelfox.com
twitter: @marcelfox
whatsapp: +5583999295882
THANKS!