About

Previously we have seen a rough predefined field of the default configuration file, and managed to launch our website.

This time we will go over setting up some of the other commonly required services like HTTPS.

We can begin by completely deleting the entire contents of the default config site at:

Plain Text

sudo nano /etc/nginx/sites-available/default

Dont worry, we will learn how to write the configurations ourselfs.

The minimally required block

You may copy the following code into the config file. Change the IP_ADDRESS to the server's external IP address. Do note its just the ip address. not https://34.150.150.150/ or anything fancy. Once done, save, exit, and restart nginx.

Plain Text

server {
    listen 80;  
    server_name IP_ADDRESS;
    
    location / {
        include proxy_params;  
        proxy_pass http://localhost:5000/;  
    }
}

proxy_pass here is where your application is running on localhost. Besure to change the port number!
listen defines the port where users from the internet accesses your website. Nginx will forward requests from this port to the proxy_pass url
server_name is where NGIX receives requests from. This should be the external ip address of your VPS or your domain name

Once you have restarted nginx you'll notice your site is still running without any issue. This is the minimally required configuration to run your site.

About server_name

In the default configurations we saw they had used server_name _; instead. This is a wildcard declaration of saying "for every server_name I received..."

This will be useful later on when we filter for requests that used a DNS wildcard (www.site.com instead of site.com) or IP address. But for now, lets keep it using our IP address.

Advanced connections

Websockets

If your application uses websockets to push realtime changes on the webpage, using some of the following libraries:

socketIO (python)

You will need to extend your configuration to include the following new parameters:

Plain Text

...
location / {
    include proxy_params;
    proxy_pass http://localhost:5000/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
}

SSL (Https)

Our localhost applications will never use a HTTPS unless specified or created otherwise. Enabling HTTPS is often done within nginx configurations.

SSL requires the following components:

domain name (not IP addresses).
SSL Certificate

Luckily we do not need to get the certificate and configure nginx ourself, and we can use certbot for this. Reference, 2

Dependency
Certbot uses the snap command to install. Besure snap is installed. Get it from here: https://snapcraft.io/docs/installing-snap-on-debian {: .prompt-info}

Plain Text

sudo apt-get remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Then run the certbot to inject nginx configrations and get our ssl cert automatically:

Plain Text

sudo certbot --nginx -d yourdomain.com

To confirm that it is working, visit the https variant of your website.

SSL(HTTPS) Manual setup

Reference

An option to use SSL without domain name is to do a self signed certificate. Which will show a warning on chrome when a user visits your website.

You will need to configure Nignx SSL and generate your own SSL certificate using openSSL

Step 1: Generate your 2 SSL files

SSL configuration comes in 2 files, note the file extensions

domain.name.pem or bundle.crt
domain.name.key

Here's how each file looks like:

Plain Text

Plain Text

I did not get a .pem
Some SSL generators will create bundle files instead of .pem this is normal as SSL certificates are consists of a primary and intermediate files (crt) you will have to concatonate them. Read more here {: .prompt-info}

Step 2: Add them to server

Next you will need to write these contents to your nginx server respectively:

Plain Text

sudo nano /etc/ssl/stone.com.pem
sudo nano /etc/ssl/stone.com.key

Make sure to use your own domain names!

Step 3: Configure Nginx

Then within the configuration file:

Plain Text

sudo nano /etc/nginx/sites-available/default

we add the following directive to indicate SSL usage

Plain Text

server {
    listen 443 ssl;
    server_name stone.com;
    
    ssl_certificate     "/etc/ssl/stone.com.pem";
    ssl_certificate_key "/etc/ssl/stone.com.key";
    
    location / {
        include proxy_params;
        proxy_pass http://localhost:3000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}

That's it. Save, exit, test, and restart nginx. Your site can now be accessed via HTTPS

Plain Text

sudo nginx -t
sudo systemctl restart nginx

Hiding IP Addresses and enforce domain name

SSL Security concerns

When you have registered a domain name, you'll notice how you can still access your website directly via IP, circumventing the domain name. This is not good as it will allow attackers to bypass DNS security infrastructures like Cloudflares'

To address this gap, we must configure our nginx to only allow connections via domain name:

Plain Text

sudo nano /etc/nginx/sites-available/default

We need to define a default server block in which all connection attempts made via IP will be immediately rejected:

Plain Text

# The default always sits on top. 

# Normal http block
server {
    listen 80;
    server_name stone.com;
    location / {
        include proxy_params;
        proxy_pass http://localhost:3000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
# The normal SSL block
server {
    listen 443 ssl;
    server_name lwp.asia;
    
    ssl_certificate     "/etc/ssl/stone.com.pem";
    ssl_certificate_key "/etc/ssl/stone.com.key";
    
    location / {
        include proxy_params;
        proxy_pass http://localhost:3000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}

# Our catch all. This will reject all http connection via IP
server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name "";
    return      444;
    # Or alternatively redirect to domain
    # return 301 http://stone.com$request_uri;
}

But wait, we can also access the website via direct IP using HTTPS! We need extend to our default block for direct HTTPS as well:

Plain Text

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  listen 443 default_server;
  listen [::]:443 default_server;

  ssl_reject_handshake on;

  server_name "";
  return 444;
}

stackoverflow

With Cloudflare, too many redirects

Sometimes with cloudflare's DNS redirect requests we may encounter too many redirects error when we configure nginx to redirect http requests to https

Plain Text

# Normal http block
server {
    listen 80;
    server_name lwp.asia;
    return 301 https://$host$request_uri; 
}

The problem is caused by cloudflare always using http to connect to your origin server. To solve this you must configure on cloudflare side to use strict SSL, thus rendering your http nginx config not used at all.