~cadence/tube-docs

tube-docs/docs/Proxy with nginx.md

# Proxy with nginx

# Prerequisites

Install nginx from your distribution's package manager.

# Configuration

```sh
# cd /etc/nginx
```

The TLS options in the server blocks below are taken from Mozilla's SSL Configuration Generator (the "intermediate" profile: TLS 1.2 and 1.3 only, forward-secret cipher suites only).

Download the Diffie-Hellman parameters. The DHE-RSA cipher suites in that profile need a DH group, and current nginx versions do not offer those suites at all unless ssl_dhparam is set. ffdhe2048 is a standard, pre-generated 2048-bit group (RFC 7919); DH security does not depend on the group being secret, so there is no need to generate your own:

```sh
# mkdir -p /etc/nginx/ssl
# wget https://ssl-config.mozilla.org/ffdhe2048.txt -O /etc/nginx/ssl/dhparam.pem
```

Delete the default "it works" server that comes with nginx. It is the default_server for port 80 and would otherwise answer requests for any name the server blocks below do not match:

```sh
# rm sites-enabled/default
```

# NewLeaf

Create a file inside the directory /etc/nginx/sites-available (suggested name: newleaf-proxy) with contents like this:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name newleaf.example.com; # [1]

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name newleaf.example.com; # [1]

    ssl_certificate /etc/letsencrypt/live/newleaf.example.com/fullchain.pem; # [2]
    ssl_certificate_key /etc/letsencrypt/live/newleaf.example.com/privkey.pem; # [2]
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem; # [3]

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
```
  • [1] Write your actual domain here in place of newleaf.example.com, without capital letters.
  • [2] Write your actual domain here in place of newleaf.example.com. These are the paths certbot creates; if your certificate is not from Let's Encrypt, you'll have to replace the entire path.
  • [3] This must be the file downloaded in the Configuration section, including the .pem extension. nginx -t fails if the file cannot be opened.

Because proxy_pass points at the loopback address, NewLeaf is reachable only through nginx; make sure NewLeaf itself is not also bound to a public interface.

Set the configuration as enabled:

```sh
# cd /etc/nginx/sites-enabled
# ln -sv ../sites-available/newleaf-proxy .
```

# CloudTube

(If you are installing NewLeaf only, you can skip this section.)

Create a file inside the directory /etc/nginx/sites-available (suggested name: cloudtube-proxy) with contents like this:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name cloudtube.example.com; # [1]

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloudtube.example.com; # [1]

    ssl_certificate /etc/letsencrypt/live/cloudtube.example.com/fullchain.pem; # [2]
    ssl_certificate_key /etc/letsencrypt/live/cloudtube.example.com/privkey.pem; # [2]
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://127.0.0.1:10412;
    }
}
```
  • [1] Write your actual domain here in place of cloudtube.example.com, without capital letters.
  • [2] Write your actual domain here in place of cloudtube.example.com. These are the paths certbot creates; if your certificate is not from Let's Encrypt, you'll have to replace the entire path.

The ssl_dhparam path must be the file downloaded in the Configuration section, including the .pem extension.

Set the configuration as enabled:

```sh
# cd /etc/nginx/sites-enabled
# ln -sv ../sites-available/cloudtube-proxy .
```

# Apply changes

Check your configuration. If there are errors, find them and fix them; with the certificate and dhparam files in place, the configuration above passes as written.

```sh
# nginx -t
```
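Most nginx -t failures on this page come from the footnoted substitutions: a server_name with capital letters, a certificate path that does not match what certbot created, or an ssl_dhparam path that does not match the downloaded file. The shell function below is an added example and not part of tube-docs; it checks those before you run nginx -t, and also checks one thing nginx -t does not report, a private key that every local user can read. The function name lint_site and the assumption that paths contain no spaces are this example's own.

```shell
#!/bin/sh
# Pre-flight lint for a site file such as /etc/nginx/sites-available/newleaf-proxy.
# Added example, not part of tube-docs; it only reads the file you pass it.
# Assumes paths without spaces, which is what this page uses.
#
# Usage: lint_site /etc/nginx/sites-available/newleaf-proxy && nginx -t
# Returns 0 when every check passes, 1 otherwise, printing one FAIL line per problem.

lint_site() {
    conf="$1"
    rc=0

    # [1] server_name must be all lower-case.
    if grep -E '^[[:space:]]*server_name[[:space:]]' "$conf" | grep -q '[[:upper:]]'; then
        echo "FAIL: server_name contains upper-case letters"
        rc=1
    fi

    # [2] and [3]: every certificate, key and dhparam path must exist and be readable.
    # The path is the second word with everything from ';' onwards removed, so the
    # trailing "# [2]" comments are ignored.
    for f in $(awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" || $1 == "ssl_dhparam" {
                        sub(/;.*/, "", $2); print $2 }' "$conf"); do
        if [ ! -r "$f" ]; then
            echo "FAIL: $f does not exist or is not readable"
            rc=1
        fi
    done

    # The private key must not be world-readable. find -L follows certbot's live/
    # symlink so the archive file behind it is what gets checked; -perm -004 is the
    # POSIX spelling of "others may read".
    for k in $(awk '$1 == "ssl_certificate_key" { sub(/;.*/, "", $2); print $2 }' "$conf"); do
        if [ -e "$k" ] && find -L "$k" -perm -004 -print | grep -q .; then
            echo "FAIL: $k is world-readable"
            rc=1
        fi
    done

    # A listen on port 443 without the ssl flag serves plain HTTP there, so every
    # https:// request fails. Compare the port after stripping ';' and any "[::]:".
    if awk '$1 == "listen" { p = $2; sub(/;$/, "", p); sub(/^.*:/, "", p)
                             l = $0; sub(/;.*/, "", l)
                             if (p == "443" && l !~ / ssl( |$)/) print }' "$conf" | grep -q .; then
        echo "FAIL: listen on port 443 without the ssl flag"
        rc=1
    fi

    return $rc
}
```

Run it against each site file before nginx -t; it prints nothing and exits 0 when the file is clean.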

Once there are no errors in the configuration, start nginx:

```sh
# systemctl start nginx
```

Enable the nginx service so that nginx starts automatically after a machine reboot:

```sh
# systemctl enable nginx
```

If nginx is already running, you only have to reload the configuration:

```sh
# systemctl reload nginx
```

# CAA for DNS

Now set up CAA for your DNS. You must set up DNS before you can do this. A CAA record lists which certificate authorities may issue certificates for your domain; publicly trusted CAs are required to check it before issuing, so it prevents a certificate for your domain being obtained from any CA other than the one you chose, whatever validation method the attacker manages to pass.

  1. First, go to the SSLMate CAA record generator.
  2. Enter your domain name, then press "auto-generate policy".
  3. Scroll the list and make sure all boxes are unchecked except for the one that has your certificate authority.
  4. If it's all good, go down to the "publish your CAA policy" section and examine the first code block. You need to create a DNS record with this information on your domain. For Let's Encrypt the record data is `0 issue "letsencrypt.org"`. Once your DNS provider has published it, `dig +short CAA yourdomain.example` shows what the CAs will see.
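To confirm step 3 against what is actually published, here is an added example that is not part of tube-docs: a shell function that reads the output of `dig +short CAA` and fails unless at least one issue/issuewild record exists and every one of them names your CA. The function name caa_only_ca and the sample records in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Checks a published CAA policy against step 3 above. Added example, not part of
# tube-docs. Reads records on stdin in the format `dig +short CAA <domain>` prints:
#   0 issue "letsencrypt.org"
# and succeeds only if at least one issue/issuewild record exists and every one of
# them names the CA given as the first argument. iodef records do not restrict
# issuance and are ignored.
#
# Usage: dig +short CAA example.com | caa_only_ca letsencrypt.org

caa_only_ca() {
    awk -v ca="$1" '
        # Record fields: flags, tag, "value". Tags are case-insensitive (RFC 8659).
        { tag = tolower($2) }
        tag != "issue" && tag != "issuewild" { next }
        {
            val = $3
            gsub(/"/, "", val)        # strip the quotes dig prints
            sub(/;.*/, "", val)       # drop parameters such as validationmethods=...
            seen++
            if (val == "") {
                # issue ";" is the RFC 8659 way of saying "no CA may issue"
                bad++; print "FAIL: " $0 " forbids issuance by any CA" > "/dev/stderr"
            } else if (tolower(val) != tolower(ca)) {
                bad++; print "FAIL: " $0 " permits another CA" > "/dev/stderr"
            }
        }
        END {
            if (seen == 0) {
                print "FAIL: no issue/issuewild record, so any CA may issue" > "/dev/stderr"
                exit 1
            }
            exit bad ? 1 : 0
        }'
}
```

An empty result from dig is also a failure: with no CAA record at all, every CA is allowed to issue, which is the state the generator is meant to get you out of.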

# Conclusion

Once you've set everything up, open your domain (ex: https://cloudtube.example.com) in your browser and check that:

  1. The CloudTube home page appears
  2. You are connected over HTTPS

Now that that works, run the Qualys SSL Labs server test to make sure your configuration is secure: it confirms that only TLS 1.2 and 1.3 are offered, that the certificate chain is complete, and that the HTTP to HTTPS redirect is in place. The test will take a few minutes to run.