Add info on a basic nginx setup
parent
8747f62cf8
commit
58973d13c8
@ -0,0 +1,32 @@
|
|||||||
|
# HTTPS/SSL
|
||||||
|
|
||||||
|
To make your website safer.
|
||||||
|
It's also good for SEO, and having people actually be willing to us your site.
|
||||||
|
|
||||||
|
## Install certbot
|
||||||
|
And it's nginx module
|
||||||
|
`apt install python3-certbot-nginx`
|
||||||
|
|
||||||
|
## Start certbot
|
||||||
|
`certbot --nginx`
|
||||||
|
This will ask for an email, for renewals
|
||||||
|
`certbot --nginx --register-unsafely-without-email`
|
||||||
|
This will not ask for an email (although it's probably a good idea to use one)
|
||||||
|
|
||||||
|
Read the terms and accept what you want. E.g. if you don't want to give
|
||||||
|
your email to anyone, deny that.
|
||||||
|
|
||||||
|
When it asks for auto redirects, select option 2
|
||||||
|
|
||||||
|
### Apply SSL changes (if 2 selected)
|
||||||
|
`systemctl reload nginx`
|
||||||
|
|
||||||
|
## Automatic SSL certificated renewal
|
||||||
|
With a crontab
|
||||||
|
|
||||||
|
`crontab -e`
|
||||||
|
|
||||||
|
Add a line containing
|
||||||
|
`0 0 1 * * certbot --nginx renew`
|
||||||
|
Every 1 month, it will try to renew your SSL certificates
|
||||||
|
|
||||||
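Review bot: The crontab entry at the end of this file, `0 0 1 * * certbot --nginx renew`, attempts renewal only once a month, which leaves almost no margin for a failed run. Certbot renews a certificate only once it is within 30 days of expiry, and Let's Encrypt certificates last 90 days, so one failed monthly attempt can let the certificate lapse before the next one. Suggest running it daily instead, for example `0 3 * * * certbot renew --quiet`; the run does nothing until renewal is due, and `--nginx` can be dropped because the plugin choice is stored in the renewal configuration. The Debian/Ubuntu certbot package also normally installs its own renewal timer, so it is worth checking `systemctl list-timers` before adding a manual crontab. Under "Start certbot", the `--register-unsafely-without-email` variant should mention that it means no expiry notices, which matters more when renewal is a hand-written cron job. "When it asks for auto redirects, select option 2" should name the choice rather than its number, so the step still works if the prompt changes. Typos: "us your site" (use), "And it's nginx module" (its), "certificated renewal" (certificate).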
@ -0,0 +1,62 @@
|
|||||||
|
# Nginx
|
||||||
|
|
||||||
|
## Install
|
||||||
|
`apt install nginx`
|
||||||
|
|
||||||
|
## Make the site directory, and index
|
||||||
|
`mkdir /var/www/<website>'
|
||||||
|
'touch /var/www/<website>/index.html'
|
||||||
|
### Git
|
||||||
|
If you're using git VC for the website then after making the directory
|
||||||
|
just `git clone <repo>` and checkout the appropriate release/branch.
|
||||||
|
|
||||||
|
## Make a config
|
||||||
|
`vim /etc/nginx/sites-available/<website>`
|
||||||
|
|
||||||
|
### Basic config
|
||||||
|
`server {
|
||||||
|
listen 80 ;
|
||||||
|
listen [::]:80 ;
|
||||||
|
server_name <domain>, www.<domain> ;
|
||||||
|
root /var/www/<website> ;
|
||||||
|
index index.html index.htm ;
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404 ;
|
||||||
|
}
|
||||||
|
}`
|
||||||
|
|
||||||
|
#### Basic description of above:
|
||||||
|
listen - listen to port 80 on ipv4 and ipv6
|
||||||
|
server_name - the website/url that someone connecting to the server is looking for
|
||||||
|
root - directory for the website (commonly kept in `/var/www/<websitename>`
|
||||||
|
index - the default file to load when connecting to the site. In order of desc priority
|
||||||
|
location - how the server should lookup files, if these aren't met throw a 404 error
|
||||||
|
|
||||||
|
#### Example Configs
|
||||||
|
Some examples can be found on nginx's site [here](https://www.nginx.com/resources/wiki/start/topics/examples/full/)
|
||||||
|
|
||||||
|
|
||||||
|
## Enable the site
|
||||||
|
This uses the config we build, by creating a symbolic link to it.
|
||||||
|
`ln -s /etc/nginx/sites-available/<website> /etc/nginx/sites-enabled/<website>`
|
||||||
|
|
||||||
|
### Restart nginx
|
||||||
|
`sudo systemctl reload nginx`
|
||||||
|
Using reload will not restart the service if a config is incorrect, so this is
|
||||||
|
generally safer, especially in a working environment.
|
||||||
|
|
||||||
|
## Allow http traffic
|
||||||
|
If you've not got a firewall installed, this can be ignored. If you do, for
|
||||||
|
example after installing adar's _base you're going to want to allow traffic.
|
||||||
|
|
||||||
|
Http
|
||||||
|
`ufw allow 80`
|
||||||
|
Https (recommended, all sites need SSL these days)
|
||||||
|
`ufw allow 443`
|
||||||
|
|
||||||
|
## WIP
|
||||||
|
|
||||||
|
## Internal address
|
||||||
|
Edit `/etc/hosts` line `127.0.0.1 localhost` to `127.0.0.1 \*.localhost`
|
||||||
|
Edit `.../sites-available/<website>` server_name and add <address>,localhost
|
||||||
|
|
||||||
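Review bot: In the "Basic config" block, `server_name <domain>, www.<domain> ;` separates the names with a comma, but nginx expects a space-separated list, so the first name would be taken literally as `<domain>,` and requests for the bare domain would fall through to the default server. Suggest `server_name <domain> www.<domain>;`. The same applies to "add <address>,localhost" under "Internal address". In that section, changing `127.0.0.1 localhost` to `127.0.0.1 \*.localhost` will not work as intended: `/etc/hosts` does not support wildcards, and removing the plain `localhost` entry can break local name resolution. Keep the original line and append the explicit names needed. Under "Restart nginx", the heading says restart while the command is a reload, and the step should run `nginx -t` first so a bad config is reported before the reload is attempted. The `mkdir` and `touch` lines mix a backtick with apostrophes (`mkdir /var/www/<website>'`), so they will not render as code, and the "root" description is missing its closing parenthesis. The site directory is referred to as both `<website>` and `<websitename>`; pick one placeholder.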