Update Production HTTPS Setup

2025-02-08 00:04:05 +00:00 · 2025-02-08 00:04:05 +00:00 · 2ec3505405
commit 2ec3505405
parent 0569a3b3e0
1 changed files with 59 additions and 66 deletions
--- a/Production-HTTPS-Setup.md
+++ b/Production-HTTPS-Setup.md
@ -7,8 +7,8 @@ ex):
 ```
 ENABLE_IPV6=true
 MAIN_HTTP_PORT=7757
-NGINX_HTTP_PORT=7758
-NGINX_HTTPS_PORT=7759
+NGINX_HTTP_PORT=80
+NGINX_HTTPS_PORT=443
 HOST=automatisch.lasthourhosting.org
 PROTOCOL=https
 APP_ENV=production
@ -29,12 +29,12 @@ IPV6_SUBNET=2001:db8:2::/64
      - main      
    restart: unless-stopped
    volumes:
-      - ./https/nginx/automatisch_letsencrypt_nginx.conf:/etc/nginx/conf.d/
+      - ./https/nginx/automatisch_letsencrypt_nginx.conf:/etc/nginx/conf.d/automatisch_letsencrypt_nginx.conf
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    ports:
-      - ${PORT}:${PORT}
-      - 443:443
+      - ${NGINX_HTTP_PORT}:${NGINX_HTTP_PORT}
+      - ${NGINX_HTTPS_PORT}:443
  
  certbot:
     image: certbot/certbot:latest
@ -71,84 +71,77 @@ SSL_CERT_EMAIL=support@shilohcode.com
 # initial nginx conf file needed when running certbot container the first time to generate ssl certs
 # replace <HOSTNAME> with your DNS i.e.automatisch.lasthourhosting.org

-events {
-    worker_connections  1024;
-}
+server {
+    
+    # nginx http port
+    listen 80;
+    listen [::]:80;         
+    server_name <HOSTNAME>;

-http {
+    location / {
+        
+        # Forward to Automatisch site which is running on port 7757
+        proxy_pass http://main:7757;
+    }               

-    server {
-        listen 7757;
-        server_name <HOSTNAME>;
-
-        location / {
-            proxy_pass http://<HOSTNAME>:7757;
-        }               
-
-        location ~ /.well-known/acme-challenge/ {
-            root /var/www/certbot;
-        }        
-    }
+    location ~ /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }        
 }
 ```
 - Run `sudo docker compose up` to generate SSL cert
 - There should be a new /certbot folder created at the project root, and the cert and key `.pem` files should be created at `/etc/letsencrypt/live`
- After this completes, stop the containers `ctrl+c` and overwrite the `automatisch_letsencrypt_nginx.conf` file with the `secondary_automatisch_letsencrypt_nginx.conf` file's contents which has the 443 https and SSL configs: `cp https/nginx/secondary_automatisch_letsencrypt_nginx.conf https/nginx/automatisch_letsencrypt_nginx.conf`
- `automatisch_letsencrypt_nginx.conf` should then look like this:
+- After this completes, stop the containers `ctrl+c` and overwrite the `automatisch_letsencrypt_nginx.conf` file with the `secondary_automatisch_letsencrypt_nginx.conf` file's contents which has the 443 https and SSL configs:
 ```
-  nginx:
-    image: nginx:latest
-    depends_on:
-      - main      
-    restart: unless-stopped
-    volumes:
-      - ./https/nginx/secondary_automatisch_letsencrypt_nginx.conf:/etc/nginx/conf.d/
-      - ./certbot/conf:/etc/letsencrypt
-      - ./certbot/www:/var/www/certbot
-    ports:
-      - ${PORT}:${PORT}
-      - 443:443
+cp https/nginx/secondary_automatisch_letsencrypt_nginx.conf https/nginx/automatisch_letsencrypt_nginx.conf
 ```

- Add the HOST entries to `automatisch_letsencrypt_nginx.conf` and save before continuing:
+- Add the HOST entries again to `automatisch_letsencrypt_nginx.conf` and save before continuing:
 ```
 # nginx conf file to use after LetsEncrypt SSL certs have been created
-# replace<HOSTNAME> with your DNS i.e.automatisch.lasthourhosting.org
+# replace <HOSTNAME> with your DNS i.e.automatisch.lasthourhosting.org

-events {
-    worker_connections  1024;
-}
+ 
+server {

-http {
-    
-    server {
-        listen 7757;
-        server_name <HOSTNAME>;
+    # nginx http port
+    listen 80;
+    listen [::]:80;        
+    server_name <HOSTNAME>;

-        location ~ /.well-known/acme-challenge/ {
-            root /var/www/certbot;
-        }
-
-        return 301 https://$host$request_uri;
+    location ~ /.well-known/acme-challenge/ {
+        root /var/www/certbot;
    }

-    server {
-        listen 443 ssl http2;
-        # use ssl letsencrypt certs
-        ssl_certificate      /etc/letsencrypt/live/<HOSTNAME>/fullchain.pem;
-        ssl_certificate_key  /etc/letsencrypt/live/<HOSTNAME>/privkey.pem;
-        server_name <HOSTNAME>;
-
-
-        location / {
-            proxy_pass http://<HOSTNAME>:7757/;
-        }               
-
-        location ~ /.well-known/acme-challenge/ {
-            root /var/www/certbot;
-        }        
-    }    
+    return 301 https://$host$request_uri;
 }
+
+server {
+
+    # nginx https port
+    listen      443 ssl http2;
+    listen      [::]:443 ssl http2;
+
+    # use ssl letsencrypt certs
+    ssl_certificate      /etc/letsencrypt/live/<HOSTNAME>/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/<HOSTNAME>/privkey.pem;
+    server_name <HOSTNAME>;
+
+
+    location / {
+
+        # Forward to Automatisch site which is running on port 7757
+        proxy_pass http://main:7757/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;            
+    }               
+
+    location ~ /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }        
+}    
 ```
 - Then rebuild the containers: `docker compose up -d`. After it is rebuilt we should be able to pull up Automatisch at (staging) `https://automatisch.lasthourhosting.org` with a valid cert
 ## Cronjob for auto SSL Cert renewals