sudo apt install certbot python3-certbot-nginx
Note: I am using nginx.
Now run Certbot to request the certificates and wire them into nginx. Running it once per domain, as below, gives each domain its own certificate; you could also pass both names to a single run (repeating -d) to get one certificate covering both. Either works.
I have two domains:
- neogenacademy.com
- api.neogenacademy.com
So you know what to do:
certbot --nginx -d neogenacademy.com
certbot --nginx -d api.neogenacademy.com
These commands obtain a certificate for each domain and edit the nginx config to use it. Along the way certbot asks a few questions; the one that actually matters is whether to redirect HTTP to HTTPS, and you should not guess at it. If a prompt is unclear, paste the whole thing into ChatGPT. Here is that prompt, followed by an explanation of the two options:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Whether to redirect HTTP to HTTPS depends on your situation. The two options:
1. **No redirect**: the server keeps answering on both HTTP and HTTPS. This is only useful during a transition, or if something genuinely still has to reach you over plain HTTP.
2. **Redirect**: every HTTP request is answered with a 301 to the HTTPS version, so all traffic ends up encrypted. This is the right choice for a new site and the one to aim for in general.
If you choose option 2, make sure the site actually works over HTTPS first: every resource (CSS, JavaScript, images) must load over HTTPS or browsers will block or warn about mixed content, and any API endpoints or backend services the site depends on must be reachable over HTTPS too.
If the site handles anything sensitive (logins, personal data), use HTTPS and the redirect. Note that the redirect only helps after a user's first plain-HTTP request has already reached you; HSTS, which certbot does not add for you, closes that gap for returning visitors.
If you're unsure whether everything loads over HTTPS yet, you can start with option 1 and enable the redirect once you've verified it; otherwise pick option 2 from the start.
Done with the prompts, I hope. Now look at your nginx site config, and surprise! Before certbot it looked like this:
⚡ root@ubuntu-s-4vcpu-8gb-intel-sgp1-01 ~ cat /etc/nginx/sites-available/my-react-app
server {
    listen 80;
    server_name neogenacademy.com;
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
server {
    listen 80;
    server_name api.neogenacademy.com;
    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
And after certbot has run for neogenacademy.com. This is what option 1 (no redirect) produces: the same block now answers on both port 80 and port 443, and the api block stays as it was until its own certbot run has finished:
⚡ root@ubuntu-s-4vcpu-8gb-intel-sgp1-01 ~ cat /etc/nginx/sites-available/my-react-app
server {
    listen 80;
    server_name neogenacademy.com;
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/neogenacademy.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/neogenacademy.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    listen 80;
    server_name api.neogenacademy.com;
    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
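For comparison, here is what the same two sites look like if you pick option 2 (redirect) instead, plus two things a security reviewer would want that certbot does not add: an HSTS header, and X-Forwarded-* headers so the app behind the proxy knows the client actually came in over HTTPS. This is an added example written for this page, not certbot's output or the author's config. The neogenacademy.com certificate paths are the ones certbot printed above; the api.neogenacademy.com paths assume certbot's default /etc/letsencrypt/live/<domain>/ layout; and the port-80 blocks are hand-written rather than certbot's own redirect stanza.

```nginx
# Added example for this page: both sites with HTTP->HTTPS redirect, HSTS and
# forwarded headers. Not certbot's generated output.

# Plain HTTP: do nothing but redirect. $server_name is the fixed name from this
# block, so the redirect target cannot be steered by a client-supplied Host header.
server {
    listen 80;
    server_name neogenacademy.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 80;
    server_name api.neogenacademy.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name neogenacademy.com;

    ssl_certificate     /etc/letsencrypt/live/neogenacademy.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/neogenacademy.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;   # protocol/cipher settings maintained by certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # HSTS: a browser that has seen this refuses plain HTTP to this host for max-age
    # seconds. Add it only once HTTPS is confirmed working; start lower if unsure.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Without this the app sees a plain "http" connection from nginx and may build
        # http:// URLs or set cookies without the Secure flag.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name api.neogenacademy.com;

    # Assumed paths: certbot's default layout for a certificate issued with -d api.neogenacademy.com
    ssl_certificate     /etc/letsencrypt/live/api.neogenacademy.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.neogenacademy.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Turn HSTS on only after both sites are confirmed working over HTTPS: browsers that have seen the header will refuse plain HTTP for the whole max-age, so a mistake cannot be undone quickly. Run nginx's configuration test before reloading. Renewal with the nginx plugin keeps working with a hand-edited file as long as the server_name blocks still match the domains.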
NOTE: /etc/nginx/sites-available/my-react-app is symlinked into /etc/nginx/sites-enabled/, which is the directory nginx actually loads sites from. To learn more, see: Config nginx with symlink | Explanation on How Nginx works with Symbolic Link
Certbot reloads nginx itself when it edits the config, so normally nothing more is needed. If you changed anything by hand afterwards, restart (a reload is enough) nginx for it to take effect:
sudo systemctl restart nginx
With these changes, nginx serves your site over HTTPS using the certificate obtained from Let's Encrypt.
You can test the SSL configuration of each site with the SSL Labs test:
- neogenacademy.com: https://www.ssllabs.com/ssltest/analyze.html?d=neogenacademy.com
- api.neogenacademy.com: https://www.ssllabs.com/ssltest/analyze.html?d=api.neogenacademy.com
Congratulations on enabling HTTPS for your websites!
. . . . .
Still having issues?
Are you using a firewall on the server? Check with:
sudo ufw status
Status: inactive
If it says inactive, the firewall is not your problem. If it is active, remember what the nginx config above does: it proxies to localhost:3000 and localhost:5000, so those backends only need to be reachable from the server itself; from the outside, only 80, 443 and SSH matter. You most likely allowed SSH and Nginx HTTP (port 80) already but, having had no TLS until now, not 443. So it may look something like this:
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
3000/tcp ALLOW Anywhere
Nginx HTTP ALLOW Anywhere
27018 ALLOW Anywhere
27019 ALLOW Anywhere
27020 ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
3000/tcp (v6) ALLOW Anywhere (v6)
Nginx HTTP (v6) ALLOW Anywhere (v6)
27018 (v6) ALLOW Anywhere (v6)
27019 (v6) ALLOW Anywhere (v6)
27020 (v6) ALLOW Anywhere (v6)
Yes, 443 needs to be allowed. A bare port number opens both TCP and UDP; restricting the rule to TCP, or using the Nginx Full application profile that ufw ships with the nginx package, is tidier, but this works:
sudo ufw allow 443
Now check again:
sudo ufw status
Status: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
3000/tcp ALLOW Anywhere
Nginx HTTP ALLOW Anywhere
27018 ALLOW Anywhere
27019 ALLOW Anywhere
27020 ALLOW Anywhere
443 ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
3000/tcp (v6) ALLOW Anywhere (v6)
Nginx HTTP (v6) ALLOW Anywhere (v6)
27018 (v6) ALLOW Anywhere (v6)
27019 (v6) ALLOW Anywhere (v6)
27020 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
While you're in there, look at the other rules: 3000/tcp and 27018-27020 are also open to Anywhere. Nginx talks to the app on localhost, so 3000 does not need to be public, and whatever listens on 27018-27020 deserves the same question; if only this server needs it, don't expose it.
Hopefully we are done here. At least for 90 days: Let's Encrypt certificates expire after 90 days, but the certbot package installs a systemd timer that renews them automatically, so the only thing left to check is that the timer can actually renew.
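Before calling it done, here is the check script I would run against both hosts: it confirms plain HTTP answers with a 301 to the same host over HTTPS, reports whether HSTS is set, prints the certificate nginx actually serves with its expiry date, checks the ufw rules for 443 and lists anything else open to Anywhere, and finishes with a certbot renewal dry run. This is an added example, not part of the original post; it assumes curl, openssl, awk, sed and ufw are installed, and takes the host names from a CHECK_HOSTS environment variable (a name chosen for this script).

```shell
#!/usr/bin/env bash
# Post-install checks for the HTTPS setup above. Added example for this page, not
# from the original post. Assumes curl, openssl, awk, sed and ufw are installed.
# The parsing functions take response/rule text as arguments so they can be run
# against captured output offline; the live checks only run when CHECK_HOSTS is set.
set -eu

# Status code from the first line of raw HTTP response headers.
http_status() {
  printf '%s\n' "$1" | awk 'NR == 1 { sub(/\r$/, ""); print $2 }'
}

# Value of a named response header (case-insensitive), without the trailing CR.
http_header() {
  local want
  want=$(printf '%s:' "$2" | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "$1" | awk -v want="$want" 'tolower($1) == want { sub(/\r$/, ""); print $2 }'
}

# 0 when a plain-HTTP response is a 301/308 whose Location stays on https://<host>/...
# A redirect that lands on some other host is a misconfiguration and fails the check.
is_https_redirect() {
  local host="$1" headers="$2" status location
  status=$(http_status "$headers")
  location=$(http_header "$headers" Location)
  case "$status" in 301|308) ;; *) return 1 ;; esac
  case "$location" in "https://$host/"*) return 0 ;; *) return 1 ;; esac
}

# 0 when the HTTPS response carries Strict-Transport-Security with max-age >= 1 day.
has_hsts() {
  local value max_age
  value=$(http_header "$1" Strict-Transport-Security)
  max_age=$(printf '%s' "$value" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] && [ "$max_age" -ge 86400 ]
}

# 0 when `ufw status` output has a rule allowing 443 (numeric, or the Nginx Full/HTTPS profile).
ufw_allows_443() {
  printf '%s\n' "$1" | awk '
    /ALLOW/ && ($1 == "443" || $1 == "443/tcp" || $0 ~ /^Nginx (Full|HTTPS)/) { found = 1 }
    END { exit !found }'
}

# Rules that expose anything other than SSH, 80 and 443 to "Anywhere" (one per line, deduplicated).
ufw_extra_public() {
  printf '%s\n' "$1" | awk '
    /ALLOW/ && /Anywhere/ &&
    $1 != "OpenSSH" && $1 != "Nginx" &&
    $1 != "80" && $1 != "80/tcp" && $1 != "443" && $1 != "443/tcp" { print $1 }' | sort -u
}

# Live checks against one host name.
check_host() {
  local host="$1" plain secure
  plain=$(curl -sI --max-time 10 "http://$host/" || true)
  secure=$(curl -sI --max-time 10 "https://$host/" || true)
  if is_https_redirect "$host" "$plain"; then
    echo "[ok] $host: HTTP redirects to HTTPS"
  else
    echo "[!!] $host: HTTP answered with status '$(http_status "$plain")' and no redirect"
  fi
  if has_hsts "$secure"; then echo "[ok] $host: HSTS set"; else echo "[--] $host: no HSTS header"; fi
  # The certificate nginx actually serves for this name, and when it expires (Let's Encrypt: 90 days).
  echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject -enddate || echo "[!!] $host: TLS handshake failed"
}

if [ -n "${CHECK_HOSTS:-}" ]; then
  for h in $CHECK_HOSTS; do check_host "$h"; done
  rules=$(sudo ufw status)
  if ufw_allows_443 "$rules"; then echo "[ok] ufw allows 443"; else echo "[!!] ufw has no rule for 443 (or is inactive)"; fi
  extra=$(ufw_extra_public "$rules")
  [ -z "$extra" ] || echo "[--] also open to Anywhere, needed? $(printf '%s ' $extra)"
  sudo certbot renew --dry-run   # proves the renewal timer will actually be able to renew
fi
```

Run it as CHECK_HOSTS="neogenacademy.com api.neogenacademy.com" bash check-https.sh. The parsing functions are separate from the network calls so they can be fed captured curl or ufw output offline, which is also how the redirect logic rejects a 301 that points at a different host.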
Truly unhinged, but very helpful! Thank you!