6. Securing the site with HTTPS
In this tutorial you will use CertBot to create an SSL certificate for your domain, and then add it to your Nginx configuration. This will encrypt all web traffic to your server (and hide the Not Secure warnings in your browser).
- These instructions are written for Debian-based Linux distributions (Debian, Ubuntu, Raspbian...). You may need to change some of the commands for them to work in other Linux distros, and Windows is unsupported and will most likely not work.
- You need a Hermes server already running through Nginx and the ports open in your router in order to follow these instructions! Follow guides #1, #2, #3 and #4 to get this.
- You also need a domain to encrypt. Follow guide #5 to get one.
In order to enable HTTPS on the site, you need an SSL certificate for your domain. To obtain one we will use certbot, a free and easy tool for requesting certificates from Let's Encrypt.
To install certbot, enter the following command:
sudo apt install -y certbot
Before requesting the certificate, stop the Nginx server, because the process of getting the certificate needs port 80, which Nginx is using:
sudo systemctl stop nginx
Then run certbot to get your certificate:
sudo certbot certonly
It will ask you for different things; fill in the information it asks you for.
When it asks you how to authenticate, choose option 1 (Spin up a temporary webserver).
If it worked, it'll give you the path to your certificate. If it didn't, then read the logs to see what went wrong and retry the process.
The Nginx server configuration is stored in the file /etc/nginx/sites-available/default. We will replace this file with our own version, which makes Nginx accept connections on the standard web ports and forward them to our node.js server. This will also let us add HTTPS to the site for increased security.
First of all, we will rename the default file so we can use our own, but still be able to restore it in case anything happens. To achieve this, enter the following command:
sudo mv /etc/nginx/sites-available/default /etc/nginx/sites-available/default.http
Create the new config file with this command:
sudo nano /etc/nginx/sites-available/default
This will open a text editor, into which you can paste the code for the server (now with HTTPS support):
server {
    listen 80;
    server_name {DOMAIN};
    # Redirect every plain-HTTP request to the HTTPS version of the same URL
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name {DOMAIN};
    # Certificate and key written by certbot in the previous step
    ssl_certificate /etc/letsencrypt/live/{DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{DOMAIN}/privkey.pem;
    # Only accept modern TLS versions from browsers (TLSv1 and TLSv1.1 are deprecated)
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        # Forward the decrypted request to the node.js server on port 8080
        proxy_pass http://localhost:8080;
        # Pass the original host, client address and scheme on to the app
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Remember to replace {DOMAIN} with the domain you used for the certificate generation process.
What this configuration does is redirect connections on port 80 (HTTP) to port 443 (HTTPS), serve that HTTPS side using the certificate you created previously, and forward the decrypted requests to the node.js server, which keeps listening on plain HTTP on localhost port 8080.
Once you have the config in the file, press CTRL + X to exit and Y to save your changes. Then use these commands to verify your config is correct and restart Nginx:
sudo nginx -t
sudo systemctl restart nginx
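The steps above (check the certificate files, write the config, test it, restart Nginx) can be scripted so that a typo in the domain or a missing key is caught before Nginx is restarted. The following is an added example, not part of the Hermes wiki or the project's own tooling. It assumes Debian-style paths, certbot's /etc/letsencrypt/live/DOMAIN layout, and the Hermes node server on localhost:8080 from the earlier guides; the live-directory argument only exists so the checks can be exercised on a temporary directory.

```shell
#!/bin/sh
# Added example (not from the Hermes wiki): render the HTTPS site config from
# the guide's template and sanity-check the certificate before restarting Nginx.
# Assumes Debian paths, certbot's live/ layout and a node server on :8080.

# Render the site config for a domain.
# $1 = domain, $2 = letsencrypt live root (default /etc/letsencrypt/live;
# overridable so the function can be tested offline).
render_nginx_config() {
    domain="$1"
    live="${2:-/etc/letsencrypt/live}"
    cat <<EOF
server {
    listen 80;
    server_name ${domain};
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl http2;
    server_name ${domain};
    ssl_certificate ${live}/${domain}/fullchain.pem;
    ssl_certificate_key ${live}/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Check that certbot produced the files the config points at and that the
# private key is not world-readable. $1 = domain, $2 = live root.
# Returns 0 when everything is in order, 1 otherwise.
check_cert_files() {
    dir="${2:-/etc/letsencrypt/live}/$1"
    [ -r "${dir}/fullchain.pem" ] || { echo "missing ${dir}/fullchain.pem" >&2; return 1; }
    [ -r "${dir}/privkey.pem" ] || { echo "missing ${dir}/privkey.pem" >&2; return 1; }
    # stat -L follows certbot's symlinks; -c is GNU coreutils (Debian family).
    mode=$(stat -L -c '%a' "${dir}/privkey.pem")
    case "$mode" in
        *[4567]) echo "privkey.pem is world-readable (mode ${mode})" >&2; return 1 ;;
    esac
    return 0
}

# Return 0 if the certificate in $1 is still valid for at least 30 days
# (2592000 s), 1 if it expires sooner. Let's Encrypt certificates last 90 days.
check_cert_expiry() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# Back up the default site, write the new config, test it, and restart Nginx
# only if the test passes. $1 = domain.
deploy_https_config() {
    domain="$1"
    check_cert_files "$domain" || return 1
    check_cert_expiry "/etc/letsencrypt/live/${domain}/fullchain.pem" \
        || echo "warning: certificate for ${domain} expires within 30 days" >&2
    [ -e /etc/nginx/sites-available/default.http ] \
        || sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.http
    render_nginx_config "$domain" | sudo tee /etc/nginx/sites-available/default >/dev/null
    sudo nginx -t && sudo systemctl restart nginx
}

# Usage: sh deploy-https.sh example.com
if [ "$#" -ge 1 ]; then
    deploy_https_config "$1"
fi
```

The expiry check is worth keeping around after the first setup: the certificate certbot issues here is short-lived, and the "temporary webserver" authenticator it used needs port 80, which the redirect server block above now occupies, so a renewal that fails silently shows up first as this check failing.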
Now, go back to your browser and connect to your domain. You should now be connected to a "secure" version of the site (this means HTTPS is active).
You should now have HTTPS on your server!
- If you don't, go back and make sure you did everything correctly.
- If you do, you can continue to the next step.