Last modified by Alexandru Pentilescu on 2023/06/25 18:53

From version 8.1
edited by Alexandru Pentilescu
on 2022/06/11 22:40
Change comment: There is no comment for this version
To version 11.1
edited by Alexandru Pentilescu
on 2022/06/11 23:09
Change comment: There is no comment for this version

Page properties
Content
... ... @@ -222,7 +222,8 @@
222 222  Finally, let's see how we can configure an X509 certificate globally!
223 223  
224 224  
225 -= Configuring a global X.509 certificate=
225 += Configuring a global X.509 certificate =
226 +
226 226  This is the easiest part of this article. Whenever you wish to encrypt a request to a specific server block in Nginx, just add the "include /etc/nginx/snippets/ssl.conf" directive in its server block and you're pretty much done.
227 227  Now, what should this ssl.conf snippets file contain? Easy:
228 228  
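Review bot: Line 222 still writes "X509" while the heading fixed on line 225 writes "X.509"; use "X.509" in both places so the section reads consistently. The include directive quoted on line 226 is also shown without its terminating semicolon, and a reader who copies it as written into a server block will get a configuration that fails the syntax check. Quote it in full as `include /etc/nginx/snippets/ssl.conf;`.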
... ... @@ -235,10 +235,16 @@
235 235  Now, I admit, these file paths are usually generated by the certbot utility. Configuring certbox is outside the scope of this article and I will not cover it.
236 236  certbot is also an utility specific for the Let's Encrypt CA, which might differ from your own certificate authority. But, regardless of which CA you choose to use, everything should boil down to 3 ".pem" files at the end, one containing your public key that will be delived to the visitor, one containing the fullchain and one containing the private key which will be used by Nginx to decrypt incoming traffic with.
237 237  
239 +Technically, the ssl_certificate_key should point to your private key file. DO NOT, UNDER ANY CIRCUMSTANCES, GIVE THIS TO ANYONE. This has to be kept private and only you and Nginx should have access to it.
240 +
241 +chain.pem contains your public certificate along with the CA's intermediate certificate that signed your certificate.
242 +
243 +fullchain.pem contains everything that chain.pem contains, plus the certificate's authority's own public root certificate, which was used in signing the intermediate certificate mentioned above, one that should be recognized by any visitor's web browser.
244 +
238 238  As such, please change these file paths to the 3 files that you will be using from your respective CA. If in doubt, always ask for professional help from a sysadmin!
239 239  
247 += Testing our setup and deploying =
240 240  
241 -= Testing our setup and deploying/=
242 242  We're almost done! For completeness' sake, here's my gitea.conf Nginx configuration file as well, so that you have a base to start out with:
243 243  
244 244  {{code language="nginx"}}
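Review bot: The descriptions added on lines 241 and 243 do not match the files certbot writes, which line 235 names as the source of these paths. With certbot, chain.pem holds only the intermediate certificate(s), and fullchain.pem is your own certificate followed by that chain; the CA's root certificate is not included in either, because browsers already carry it in their trust store. Please reword both paragraphs accordingly, and say which file goes with ssl_certificate (fullchain.pem) as line 239 already does for ssl_certificate_key. Line 236 also calls the first file "your public key" where it is the certificate containing that key, and has the typos "certbox" and "delived". For the warning on line 239, consider adding that the key file should be readable only by root, since "only you and Nginx should have access" does not tell the reader how to enforce it.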
... ... @@ -277,4 +277,6 @@
277 277   sudo systemctl enable nginx
278 278  {{/code}}
279 279  
287 +Also you might have to open firewall ports 80 and 443 to allow Nginx to listen to these. This is specific to your distro so please do that manually. On my end, I don't remember having to do that. I think just installing Nginx did that automatically. Your mileage may vary.
288 +
280 280  That's it! Happy coding!
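Review bot: Line 287 says the ports must be opened "to allow Nginx to listen to these", but a host firewall does not affect whether Nginx can bind to 80 and 443; it decides whether inbound connections reach those ports. Suggest rewording to "allow inbound connections on ports 80 and 443 to reach Nginx". The sentence "I think just installing Nginx did that automatically" leaves the reader guessing; either name the distro this was observed on or tell the reader to check their firewall's active rules after installing, since a closed port 80 or 443 shows up only as a timeout from outside.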