Nginx as Reverse Proxy and LetsEncrypt
Although there's a plethora of articles on the web about this, I'm still having issues getting this to work.
I've set up nginx on Ubuntu 18.04 - everything is patched to date.
I installed Certbot (sudo apt-get install python-certbot-nginx)
I'm using "default" config as I'm not going to be running anything on this server except the reverse proxy:
Here's the config - working fine on http:
##
# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    # "_" is a catch-all name: this block answers any Host header no other server block claims
    server_name _;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}
#
## Redirect to internal servers
#
# HomeAssistant
server {
    listen 80;
    server_name hass.mysite.com;
    # proxy_set_header is valid at server level; the directives are inherited by every location below
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://192.168.1.245:8123;
        proxy_buffering off;
    }
}
#
# SSH Tunnel
server {
    listen 80;
    server_name remote.mysite.com;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://192.168.1.250:443;
        proxy_buffering off;
    }
}
I'm happy to redirect all external connections to https and leave internal as http.
If I run sudo certbot --nginx
I get this and can approve both sites
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hass.mysite.com
2: remote.mysite.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
There's no prompt from Certbot to redirect all traffic to https and I'm struggling to set it up to do so - do I have to configure "listen 443" on each redirect?
Solution 1:
Ok, after a lot of trial and error, it seems it didn't like issuing certificates for subdomains without the parent domain.
Luckily I'm running in a VM so I rolled back to before the Certbot install.
I commented out this line in the config:
server_name _;
..and added the root domain sites:
server {
    # no "listen" directive: nginx defaults to port 80 when running as root
    server_name mysite.com www.mysite.com;
    root /var/www/html;
    index index.html index.htm mysite.html;
}
I then got certificates for the root domains:
sudo certbot --nginx -d mysite.com -d www.mysite.com
When I did this, Certbot added the SSL config successfully to the root domains, so I went ahead with certifying the subdomains and this also worked fine.
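For reference, this is what the finished file looks like once every host has its own "listen 443 ssl" block (the thing the question asks about) and HTTP is used only to redirect, i.e. the layout Certbot's nginx plugin ends up writing after the two runs described in the answer. It is an added example, not the poster's config or Certbot's output. It assumes Certbot named each certificate lineage under /etc/letsencrypt/live/ after the first -d name of the run that created it (mysite.com, hass.mysite.com, remote.mysite.com), and that Certbot's nginx plugin has installed options-ssl-nginx.conf and ssl-dhparams.pem in /etc/letsencrypt/, which it does on first use.

```nginx
# Added example, not the original poster's file: /etc/nginx/sites-available/default
# after Certbot has issued certificates for the root domain and both subdomains.
# Assumed paths: lineage names match the first -d name of each certbot run, and
# options-ssl-nginx.conf / ssl-dhparams.pem were installed by the certbot nginx plugin.

# 1. Plain HTTP: one catch-all block that sends every name to HTTPS.
#    No per-host "listen 80" is needed any more; Certbot's nginx plugin
#    still handles renewals through this block.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mysite.com www.mysite.com hass.mysite.com remote.mysite.com;

    location / {
        return 301 https://$host$request_uri;
    }
}

# 2. Root domain over HTTPS (static site).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mysite.com www.mysite.com;

    ssl_certificate     /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /var/www/html;
    index index.html index.htm mysite.html;
}

# 3. Home Assistant over HTTPS; the backend stays plain HTTP on the LAN.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name hass.mysite.com;

    ssl_certificate     /etc/letsencrypt/live/hass.mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hass.mysite.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://192.168.1.245:8123;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the backend the client arrived over TLS so it builds https:// URLs.
        proxy_set_header X-Forwarded-Proto $scheme;
        # Home Assistant's UI talks over a WebSocket; without the Upgrade
        # handshake the page loads but never receives state updates.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# 4. remote.mysite.com over HTTPS.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name remote.mysite.com;

    ssl_certificate     /etc/letsencrypt/live/remote.mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/remote.mysite.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # Scheme copied from the question; if the backend actually speaks TLS
        # on 443, this must be https:// or nginx will send plaintext to a TLS port.
        proxy_pass http://192.168.1.250:443;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with "sudo nginx -t" before "sudo systemctl reload nginx"; nginx refuses to start if any ssl_certificate or ssl_dhparam path does not exist, so the file must only be installed after Certbot has issued the certificates. Certbot can also write the redirect block itself: "sudo certbot --nginx --redirect -d hass.mysite.com" selects the redirect option non-interactively, and "sudo certbot renew --dry-run" confirms that renewal still works once port 80 only redirects.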