configure https on prod-one
Hello,
I would like to configure HTTPS access for my webserver using Talkyard.
I suppose I have to obtain a Let's Encrypt certificate and then install it somewhere in the project, enabling some configuration files.
Can anybody help me with a small tutorial?
Thank you so much!
KajMagnus @KajMagnus 2018-08-04 14:44:47.958Z
Hello Alberto! I'll try to write about that tomorrow or on Monday.
In reply to @blur:
KajMagnus @KajMagnus 2018-08-07 11:31:36.609Z (edited 2018-08-11 08:01:16.357Z)
Hi @blur,
something like the steps below should work. I'm posting this now, in case you want to read or ask something. I'll test the instructions myself tomorrow, and then I'll send you a message. Plz don't try to do this before I've tested myself :- )

[EDIT] I'll simplify this. I'll remove some files. Wait ... tomorrow .... [/EDIT]
[EDIT 2] Ok so never mind this whole reply. I'll post a new reply instead ... Here: https://www.talkyard.io/-104#post-9 — read that instead. [/EDIT 2]

Do as follows to enable HTTPS: (Ubuntu 18.04)

- Update your DNS server so that the community hostname, like forum.yoursite.com, points to your Talkyard server's IP address.
- On the Talkyard server, install Certbot: (that's a Let's Encrypt client; it generates free HTTPS certs)
  ```
  $ sudo apt install certbot
  ```
  (or read here if you use an earlier Ubuntu version).
- Generate a cert. Edit the below command: type your email and forum address. Then test it once, with --dry-run. Then remove --dry-run and run it for real — now, a cert should get generated.
  ```
  sudo -i   # become root
  cd /opt/talkyard/
  certbot certonly --dry-run --config-dir /opt/talkyard/data/certbot/ --email you@yoursite.com --webroot -w /opt/talkyard/data/certbot-challenges/ -d forum.yoursite.com
  ```
- Create a config file and start actually using the cert: (it'll get mounted inside the Nginx container and enabled automatically)
  ```
  nano /opt/talkyard/conf/web/sites-enabled-manual/my-talkyard-sites.conf
  ```
  The file should contain:
  ```
  server {
    include /etc/nginx/server-listen.conf;
    server_name forum.yoursite.com;
    ssl_certificate /etc/certbot/live/forum.yoursite.com/fullchain.pem;
    ssl_certificate_key /etc/certbot/live/forum.yoursite.com/privkey.pem;
    include /etc/nginx/server-ssl.conf;
    include /etc/nginx/server-limits.conf;
    include /etc/nginx/server-locations.conf;
  }
  ```
  Replace forum.yoursite.com with the address to your forum (at 3 locations in the file). (The file paths in the file, e.g. /etc/nginx/server-listen.conf, are to files already included in the Docker web image.)
- Change to HTTPS: edit docker-compose.yml and replace server-listen-http.conf with server-listen-https.conf, like so:
  ```
  ...
  web:
    ...
    volumes:
      - ./conf/web/server-listen-https.conf:/etc/nginx/server-listen.conf:ro
  ```
- Reload this new configuration: send the reload signal to Nginx, like so:
  ```
  # cd /opt/talkyard/
  # docker-compose exec web nginx -t          # this tests the config — don't continue if something is wrong
  # docker-compose exec web nginx -s reload
  ```
- Go to https://forum.yoursite.com — check in the browser address bar that the cert is ok. (The page will be blank.)
- Edit /opt/talkyard/conf/app/play.conf so the app server starts generating https links:
  ```
  talkyard.secure=true
  ```
  and restart the app server; in Bash:
  ```
  cd /opt/talkyard/
  docker-compose restart app   # takes maybe 10 seconds
  ```

What are your thoughts? What parts are maybe confusing and would be good if I explained better?
- B
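The steps above boil down to: write one Nginx server block with the hostname in three places, make sure the cert files really exist under the certbot --config-dir on the host (that is the only place the container can read them from), and never reload Nginx before `nginx -t` passes. The script below is an added example of those steps as a small POSIX shell script; it is not Talkyard's own code. The directory paths are the ones the post uses (overridable through environment variables), the function names are mine, and the NGINX_CMD variable is a hypothetical hook so the `docker-compose exec web nginx` command can be swapped out. The hostname check is there so that a stray shell or Nginx metacharacter in the argument cannot end up inside the generated config.

```shell
#!/bin/sh
# Added example (not Talkyard's code): enable one HTTPS site the way the post
# above describes. Paths are the post's; names marked "hypothetical" are mine.

# Hypothetical defaults; override with environment variables if needed.
TALKYARD_DIR="${TALKYARD_DIR:-/opt/talkyard}"
CERTBOT_DIR="${CERTBOT_DIR:-$TALKYARD_DIR/data/certbot}"
SITES_DIR="${SITES_DIR:-$TALKYARD_DIR/conf/web/sites-enabled-manual}"
# Command used to run nginx inside the web container (hypothetical hook).
NGINX_CMD="${NGINX_CMD:-docker-compose exec web nginx}"

# Print the server block from the post, with the hostname substituted at all
# three places. Only letters, digits, dots and hyphens are accepted, so nothing
# that Nginx or the shell would interpret can be written into the config file.
gen_site_conf() {
  host="$1"
  case "$host" in
    ''|*[!A-Za-z0-9.-]*)
      echo "gen_site_conf: invalid hostname '$host'" >&2
      return 1 ;;
  esac
  cat <<EOF
server {
  include /etc/nginx/server-listen.conf;
  server_name $host;
  ssl_certificate /etc/certbot/live/$host/fullchain.pem;
  ssl_certificate_key /etc/certbot/live/$host/privkey.pem;
  include /etc/nginx/server-ssl.conf;
  include /etc/nginx/server-limits.conf;
  include /etc/nginx/server-locations.conf;
}
EOF
}

# Return 0 if both cert files exist (non-empty) on the host under the certbot
# --config-dir, 1 otherwise. Nginx sees them through the ./data/certbot mount,
# so a missing file here is what a failed `nginx -t` would later complain about.
check_cert_files() {
  host="$1"
  live="$CERTBOT_DIR/live/$host"
  ok=0
  for f in fullchain.pem privkey.pem; do
    if [ ! -s "$live/$f" ]; then
      echo "missing or empty: $live/$f" >&2
      ok=1
    fi
  done
  return $ok
}

# Verify the certs, write the site file, test the Nginx config, and only then
# send the reload signal. Any failure stops before the reload.
enable_https_site() {
  host="$1"
  check_cert_files "$host" || return 1
  gen_site_conf "$host" > "$SITES_DIR/$host.conf" || return 1
  $NGINX_CMD -t || { echo "nginx -t failed; not reloading" >&2; return 1; }
  $NGINX_CMD -s reload
}
```

Usage on a server would be `enable_https_site forum.yoursite.com` after the certbot run has succeeded; run it as root from /opt/talkyard/ so that docker-compose finds the project. Keeping `nginx -t` as a hard gate matters because a reload with a broken config leaves Nginx running the old config silently, which is easy to mistake for "HTTPS is on".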
Alberto @blur
Thanks for your reply: I'm going to wait for your test before trying it definitively.
In these days I tried to figure it out in different ways, for example adding a path inside the docker compose file in order to mount the key and the certificate (I made a copy), because I can't understand how containers can reach my local /etc/letsencrypt folder.
I think the following:
```
ssl_certificate /etc/certbot/live/forum.yoursite.com/fullchain.pem;
ssl_certificate_key /etc/certbot/live/forum.yoursite.com/privkey.pem;
```
is trying to search files inside /etc/certbot/live/forum.yoursite.com which is a directory that should be mounted inside the docker compose file.
What about include /etc/nginx/server-listen.conf;? Is it still necessary to enable the mountpoint for server-listen-https.conf?
Should I add references about the newly created file forum.yoursite.com.conf somewhere or is it included by docker runtime?
I also hope I have been clear.
Thank you for your support!
KajMagnus @KajMagnus 2018-08-08 07:26:55.743Z (edited 2018-08-08 07:38:08.294Z)
(I need to wait 12 - 24 hours from now, with testing this. Because when I was going to add a new DNS server CNAME, Gandi.net first required me to migrate to some new "LiveDNS" something.)

1. About containers and /etc/letsencrypt: If you look in the docker-compose.yml file: (this is from a test server)
```
root@ty-test-1cpu-1d7ram-ub1804:/opt/talkyard# cat docker-compose.yml
...
services:
  web:
    image: $DOCKER_REPOSITORY/talkyard-web:$VERSION_TAG
    # dockerfile: https://github.com/debiki/talkyard/blob/master/docker/web/Dockerfile
    restart: always
    volumes:
      - ./conf/web/server-listen-http.conf:/etc/nginx/server-listen.conf:ro
      - ./conf/web/sites-enabled-manual/:/etc/nginx/sites-enabled-manual/:ro
      - ./data/sites-enabled-auto-gen/:/etc/nginx/sites-enabled-auto-gen/:ro
———>  - ./data/certbot/:/etc/certbot/:ro   <————— look
      - ./data/certbot-challenges/.well-known/:/opt/nginx/html/.well-known/:ro
      - ./data/uploads/:/opt/talkyard/uploads/:ro
      # Mount here so standard monitoring tools looking for Nginx logs will work.
      - /var/log/nginx/:/var/log/nginx/
```
There you can see that the certs are placed in ./data/certbot/ on the host, which is /opt/talkyard/data/certbot/ (since the current directory ./ is /opt/talkyard/). That's where the certs are to be placed, on the host — and that's why the certbot command above has this flag: --config-dir /opt/talkyard/data/certbot/. That directory is, via docker-compose.yml, mounted at /etc/certbot/ inside the Nginx container. Therefore it's accessible to Nginx, at the standard /etc/certbot location. (Not /etc/letsencrypt — they renamed the client from Letsencrypt to Certbot and moved to /etc/certbot/)

2. About server-listen.conf — oh seems I forgot one thing. You need to change http to https in docker-compose.yml, look here:
```
volumes:
  ...
  - ./conf/web/server-listen-http.conf:/etc/nginx/server-listen.conf:ro
```
That maps the server-listen-http.conf file, to the server-listen.conf file inside Nginx. And that -listen-http file listens on HTTP port 80:
```
root@ty-test-1cpu-1d7ram-ub1804:/opt/talkyard# cat ./conf/web/server-listen-http.conf
# The backlog should be the same as net.core.somaxconn in /etc/sysctl.conf,
# set in ../../scripts/configure-ubuntu.sh.
listen 80 backlog=8192;
listen [::]:80 backlog=8192;
```
You need to edit docker-compose.yml and add an s so it becomes:
```
- ./conf/web/server-listen-https.conf:/etc/nginx/server-listen.conf:ro
```
That file, server-listen-https.conf, listens on HTTPS port 443:
```
root@ty-test-1cpu-1d7ram-ub1804:/opt/talkyard# cat ./conf/web/server-listen-https.conf
# The backlog should be the same as net.core.somaxconn in /etc/sysctl.conf,
# set in ../../scripts/configure-ubuntu.sh.
listen 443 ssl backlog=8192;
listen [::]:443 ssl backlog=8192;
```

3. About: "Should I add references about the newly created file forum.yoursite.com.conf somewhere" — when you do this:
```
~~nano /opt/talkyard/data/sites-enabled/forum.yoursite.com.conf~~
nano ./conf/web/sites-enabled-manual/forum.yoursite.com.conf
```
it gets created in a directory that's mounted inside the Docker Nginx container already, at .... oops now I see I typed the wrong file path, fixed. Then it'll get included automatically, because in the container, it appears here: /etc/nginx/sites-enabled-manual/ and I've configured Nginx to auto-enable all sites in that directory. So you don't need to add it anywhere else.

4. You also want to redirect HTTP port 80 to HTTPS. Do that (when HTTPS works already) by editing: /opt/talkyard/conf/web/sites-enabled-manual/default-server.conf and comment in this line:
```
#include /etc/nginx/http-redirect-to-https.conf
```
(That file is already included in the Docker image, and creates a server at port 80 that redirects everything to 443.)

B.t.w. the plan is that all this be done automatically, in the future. I've created a container, certgen, that later on will generate HTTPS certs as required, and create Nginx config files that load the certs. (Probably will not happen the nearest 6 months.)
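The reply above names three separate things that all have to line up: the https listen file must be the one mapped over /etc/nginx/server-listen.conf, ./data/certbot/ must be mounted at /etc/certbot/, and, once HTTPS works, the port-80 redirect include in default-server.conf must be uncommented. Because each lives in a different file it is easy to change one and forget another and then debug the wrong thing. The following is an added example, not Talkyard's own code: a small POSIX shell pre-flight that reads docker-compose.yml and default-server.conf and reports which of the three is still in its pre-HTTPS state, plus the one-line edit that flips the listen mapping. The two write_sample_* functions produce constructed sample files that mirror the snippets in the reply; the function names are mine.

```shell
#!/bin/sh
# Added example (not Talkyard's code): pre-flight checks for the HTTPS
# prerequisites described in the reply above. Paths come from the thread.

# 0 = https listen file mapped, 1 = still the http one, 2 = neither found.
listen_conf_state() {
  compose="$1"
  if grep -q 'server-listen-https\.conf:/etc/nginx/server-listen\.conf' "$compose"; then
    return 0
  elif grep -q 'server-listen-http\.conf:/etc/nginx/server-listen\.conf' "$compose"; then
    return 1
  else
    return 2
  fi
}

# 0 if the host certbot dir is mounted at /etc/certbot in the web container.
certbot_mounted() {
  grep -q '\./data/certbot/:/etc/certbot/' "$1"
}

# Switch the listen mapping from http to https (the "add an s" edit). Writes a
# new file and moves it into place instead of sed -i, which differs between
# GNU and BSD sed.
switch_listen_to_https() {
  compose="$1"
  tmp="$compose.tmp"
  sed 's#server-listen-http\.conf:/etc/nginx/server-listen\.conf#server-listen-https.conf:/etc/nginx/server-listen.conf#' \
    "$compose" > "$tmp" && mv "$tmp" "$compose"
}

# 0 if the port-80 -> 443 redirect include is active (not commented out).
http_redirect_enabled() {
  grep -q '^[[:space:]]*include /etc/nginx/http-redirect-to-https\.conf' "$1"
}

# Constructed sample docker-compose.yml, in the pre-HTTPS state from the reply.
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  web:
    restart: always
    volumes:
      - ./conf/web/server-listen-http.conf:/etc/nginx/server-listen.conf:ro
      - ./conf/web/sites-enabled-manual/:/etc/nginx/sites-enabled-manual/:ro
      - ./data/certbot/:/etc/certbot/:ro
      - ./data/certbot-challenges/.well-known/:/opt/nginx/html/.well-known/:ro
EOF
}

# Constructed sample default-server.conf with the redirect still commented out.
write_sample_default_server() {
  cat > "$1" <<'EOF'
#include /etc/nginx/http-redirect-to-https.conf
EOF
}

# Print one line per check; return non-zero if HTTPS cannot work yet.
# The redirect is reported but not treated as an error, since the reply says
# to turn it on only after HTTPS already works.
preflight() {
  compose="$1"; default_server="$2"; rc=0
  listen_conf_state "$compose" && s=0 || s=$?
  case $s in
    0) echo "listen: https (ok)" ;;
    1) echo "listen: still server-listen-http.conf"; rc=1 ;;
    *) echo "listen: no server-listen.conf mapping found"; rc=1 ;;
  esac
  if certbot_mounted "$compose"; then
    echo "certbot mount: ok"
  else
    echo "certbot mount: ./data/certbot/ -> /etc/certbot/ missing"; rc=1
  fi
  if http_redirect_enabled "$default_server"; then
    echo "http->https redirect: on"
  else
    echo "http->https redirect: off (enable after HTTPS works)"
  fi
  return $rc
}
```

On a real server you would call `preflight /opt/talkyard/docker-compose.yml /opt/talkyard/conf/web/sites-enabled-manual/default-server.conf`; a non-zero exit means Nginx will still be listening on port 80 only, or will not be able to read the certs, no matter what the site file says.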
KajMagnus @KajMagnus 2018-08-09 14:32:10.863Z
Hmm @blur I actually got a bit confused myself, because there're so many Nginx files and sometimes included in the Docker image, sometimes on the host. I'm now making some changes, so there'll be only one single Nginx file to edit, to enable HTTPS. I'll notify you again in one or two days ...
KajMagnus @KajMagnus 2018-08-11 07:45:14.390Z
Hello again @blur now I've simplified things, and written docs:
- New docs: /opt/talkyard/docs/setup-https.md
- Simplification: Now there's just one Nginx config file to edit, to enable HTTPS and to redirect HTTP to HTTPS: /opt/talkyard/conf/sites-enabled-manual/talkyard-servers.conf
- Addition: A cron job that auto renews the cert (see the new docs).

You can comment out (e.g. rename to ... .conf.disabled) other files in your sites-enabled-manual/ directory, and instead copy-paste the talkyard-servers.conf file into there, and then follow the new docs instructions.

(I moved the directory conf/web/sites-enabled-manual/ to just conf/sites-enabled-manual/, and I move-renamed the file conf/app/play.conf to conf/play-framework.conf. You can just ignore this, because your docker-compose.yml file mounts things in the correct way, regardless. If, however, you want to move-rename things in the same way, you too, ... then do that, and also update the corresponding paths in docker-compose.yml.)
