diff --git a/Production-HTTPS-Setup.md b/Production-HTTPS-Setup.md
new file mode 100644
index 0000000..e8c856c
--- /dev/null
+++ b/Production-HTTPS-Setup.md
@@ -0,0 +1,87 @@
+## Production HTTPS Setup
+
+- In docker-compose.yml, uncomment production nginx and certbot services:
+```
+ nginx:
+ image: nginx:latest
+ depends_on:
+ - main
+ restart: unless-stopped
+ volumes:
+ - ./https/nginx/automatisch_letsencrypt_nginx.conf:/etc/nginx/conf.d/
+ - ./certbot/conf:/etc/letsencrypt
+ - ./certbot/www:/var/www/certbot
+ ports:
+ - ${PORT}:${PORT}
+ - 443:443
+
+ certbot:
+ image: certbot/certbot:latest
+ command: certonly --webroot -w /var/www/certbot --keep-until-expiring --email ${SSL_CERT_EMAIL} -d ${HOST} --agree-tos
+ volumes:
+ - ./certbot/conf:/etc/letsencrypt
+ - ./certbot/www:/var/www/certbot
+
+```
+- Comment out local https nginx service:
+```
+ # for local https development using self-signed certs via openssl
+ # nginx:
+ # image: nginx:latest
+ # depends_on:
+ # - main
+ # ports:
+ # - "443:443"
+ # volumes:
+ # - ./https/certs/${SSL_SELF_SIGNED_CRT}:/etc/nginx/certs/${SSL_SELF_SIGNED_CRT}:ro
+ # - ./https/certs/${SSL_SELF_SIGNED_KEY}:/etc/nginx/certs/${SSL_SELF_SIGNED_KEY}:ro
+ # - ./https/nginx/automatisch_self_signed_nginx.conf:/etc/nginx/conf.d/
+```
+- Add SSL_CERT_EMAIL and HOST env vars:
+```
+sudo nano .env
+```
+```
+HOST=automatisch.lasthourhosting.org
+SSL_CERT_EMAIL=support@shilohcode.com
+```
+- Run `sudo docker compose up` to generate SSL cert
+- There should be a new /certbot folder created at the project root, and the cert and key `.pem` files should be created at `/etc/letsencrypt/live`
+- After this completes, stop the containers `ctrl+c` and edit the `/https/nginx/automatisch_letsencrypt_nginx.conf` file to use the new SSL certs. Copy the configs in `/https/nginx/temp.conf` and overwrite `/https/nginx/automatisch_letsencrypt_nginx.conf`. It should look like this (using staging as an example):
+```
+events {
+ worker_connections 1024;
+}
+
+http {
+
+ server {
+ listen 7757;
+ server_name automatisch.lasthourhosting.org;
+
+ location ~ /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2;
+ # use ssl letsencrypt certs
+ ssl_certificate /etc/letsencrypt/live/automatisch.lasthourhosting.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/automatisch.lasthourhosting.org/privkey.pem;
+ server_name automatisch.lasthourhosting.org;
+
+
+ location / {
+ proxy_pass http://automatisch.lasthourhosting.org:7757/;
+ }
+
+ location ~ /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+ }
+}
+```
+- Then rebuild the containers: `docker compose up -d`. After it is rebuilt we should be able to pull up Automatisch at (staging) `https://automatisch.lasthourhosting.org` with a valid cert