MOCs
Load Balancing
This config has 2 servers my.server1.com and my.server2.com and combines them. Nginx proxies that group of servers under the name http://server_group this can be renamed. In this config it uses weight which routes 3 requests to my.server1.com before routing 1 to my.server2.com
http {
upstream server_group {
server my.server1.com weight=3;
server my.server2.com;
}
server {
location / {
proxy_pass http://server_group;
}
}
}Certbot Guide
Nginx Install
sudo apt update
sudo apt install nginx
Certbot
Resource link: https://certbot.eff.org/instructions?ws=other\&os=pip 
Install: Nginx Certbot
apt install python3 python3-venv libaugeas0
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
/opt/certbot/bin/pip install certbot certbot-nginx
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
Install: cloudflare plugin
/opt/certbot/bin/pip install certbot certbot-dns-cloudflare
Option 1: User nginx reverse proxy with certbot nginx
Make Nginx config:
Make file for domain:
sudo nano /etc/nginx/sites-available/yourdomain.com
Config setup: (This config will be auto managed by cert bot)
server {
listen 80;
server_name <sub-domain>.yourdomain.com;
location / {
proxy_pass http://your_backend_server_address;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Now simlink your available site to enabled:
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
Now test config and restart nginx:
nginx -t
systemctl restart nginx
Make nginx cert
certbot --nginx
Follow instructions on screen (Adding screenshots soon)
Test cert renew:
sudo certbot renew --dry-run
Option 2: User nginx reverse proxy with certbot cloudflare
Cloudflare API token used by Certbot
Make .ini file for domain in:
mkdir -p /home/<user>/.secrets/certbot/
/home/<user>/.secrets/certbot/
Contents in file:
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN
Save and close file
Now change file permissions:
chmod 600 /path/to/file/<nameoffile>.ini
Make cert:
certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /home/<user>/.secrets/certbot/<nameoffile>.ini \
--dns-cloudflare-propagation-seconds 60 \
-d "*.example.com"
Test cert renew:
sudo certbot renew --dry-run
Make Nginx config:
Root-Domain:
This section is for if you’re making a nginx reverse proxy for just your root domain and no subdomains.
Make file for domain:
sudo nano /etc/nginx/sites-available/yourdomain.com
Config setup: (This config WON’T be auto managed by certbot)
server {
listen 443 ssl http2;
server_name yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
location / {
proxy_pass http://your_backend_server_address;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Sub-Domain:
This section is for if you’re using sub-domains.
Make file for domain:
sudo nano /etc/nginx/sites-available/<sub-domain>.yourdomain.com
Config setup: (This config WON’T be auto managed by certbot)
server {
listen 443 ssl http2;
server_name <sub-domain>.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
location / {
proxy_pass http://your_backend_server_address;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Now simlink your available site to enabled:
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
Now test config and restart nginx:
nginx -t
systemctl restart nginx
Auto renew with cron
contrab -e
# To renew on the first day of each month
0 0 1 * * root certbot renew --quiet
Extras
Http Password:
sudo apt-get update
sudo apt-get install apache2-utils
# -c is used to create the file
sudo htpasswd -c /etc/nginx/.<passwordfile> <username>
# If file already exsists and want to add user
sudo htpasswd /etc/nginx/.<passwordfile> <anotherusername>
# In nginx config add the line below in location
location / {
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.<passwordfile>; # The path to the password file
}