
Configure HTTPS Nginx

by John Vincent


Posted on August 9, 2018


This is part of a series of discussions regarding Deploying to a Digital Ocean Droplet. For more details, please see Overview of johnvincent.io website

Configure Nginx for TLS (HTTPS). Nginx's directives and snippet names still say `ssl`, but what is negotiated is TLS; the protocol and cipher choices live in the shared `snippets/ssl-params.conf` that every HTTPS server block below includes.

Stop Nginx. This is not strictly required — files under /etc/nginx/sites-available are inert until they are linked into sites-enabled and nginx is restarted (the script at the end does both) — but it avoids serving a half-switched set of sites while you edit:

sudo systemctl stop nginx

Now configure each domain and subdomain

Configure johnvincent.io

sudo vi /etc/nginx/sites-available/https/johnvincent.io
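# johnvincent.io — apex and www.
# Plain HTTP: every request for either name is redirected to the canonical
# HTTPS host. Nothing is served over port 80.
server {
    listen 80;
    listen [::]:80;
    server_name johnvincent.io www.johnvincent.io;
    return 301 https://www.johnvincent.io$request_uri;
}

# HTTPS on the apex: redirect to www so there is a single canonical origin.
# The certificate in the snippet must cover the apex name too, or the
# browser warns before it ever sees this redirect.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-johnvincent.io.conf;
    include snippets/ssl-params.conf;

    server_name johnvincent.io;
    return 301 https://www.johnvincent.io$request_uri;
}

# HTTPS on www: the site itself (static files under the document root).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-johnvincent.io.conf;
    include snippets/ssl-params.conf;
    include h5bp/basic.conf;

    root /var/www/johnvincent.io/html;

    index index.html;

    server_name www.johnvincent.io;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # Password-protected area. Basic auth resends the credential on every
    # request, which is acceptable only because this host is reachable over
    # TLS alone (port 80 redirects). The htpasswd file is outside the
    # document root; keep it readable only by root and the nginx worker user.
    #
    # "^~" matters: nginx prefers a matching regex location over a plain
    # prefix, so if any regex location (for example an asset/expires rule
    # pulled in by h5bp/basic.conf — not visible here, verify) matches a file
    # under /private, a plain "location /private" would be skipped and the
    # file served with no auth. "^~" stops the regex search for this prefix.
    location ^~ /private {
        auth_basic           "Private Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    # ACME HTTP-01 challenge files (Let's Encrypt renewals). Same "^~"
    # reasoning: regex locations are tried in file order and the first match
    # wins, so a "~ /.well-known" regex placed after the h5bp include could
    # lose to a dot-file deny rule in it; the unescaped dot in that regex
    # also matched any character. This prefix form is evaluated first and
    # matches only at the start of the path.
    location ^~ /.well-known/ {
        allow all;
    }

    # First-party path for the Google Analytics loader, fetched from Google
    # and relayed to the visitor. nginx does NOT verify upstream TLS
    # certificates by default; for a script that runs in every visitor's
    # browser that would let anyone who can interfere with this server's
    # egress traffic inject JavaScript. Verify against the system CA bundle
    # (Debian/Ubuntu path — adjust for other distributions) and send SNI so
    # Google presents the right certificate.
    #
    # The response cache lifetime comes from "expires" (it emits
    # Cache-Control: max-age). The previous proxy_set_header Pragma /
    # Cache-Control lines only changed the request sent to Google, never the
    # response seen by the browser, so they are gone.
    location = /analytics.js {
        proxy_pass https://www.google-analytics.com;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        expires 31536000s;
    }

    # Serve the feed with the RSS media type regardless of what mime.types
    # says for .xml.
    location = /feed.xml {
        types        { }
        default_type "application/rss+xml";
    }

    # Anything under /junk that is not a real file answers 503.
    location /junk {
        try_files $uri =503;
    }

    # Custom not-found page, served by the "location /" rules above.
    error_page 404 /error;
}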

Configure music

sudo vi /etc/nginx/sites-available/https/music
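# music.johnvincent.io — single-page app with a Node API behind /api.
# Plain HTTP: redirect both names to the canonical HTTPS host.
server {
    listen 80;
    listen [::]:80;
    server_name music.johnvincent.io www.music.johnvincent.io;
    return 301 https://www.music.johnvincent.io$request_uri;
}

# HTTPS on the bare name: redirect to www.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-music-johnvincent.io.conf;
    include snippets/ssl-params.conf;

    server_name music.johnvincent.io;
    return 301 https://www.music.johnvincent.io$request_uri;
}

# HTTPS on www: the application.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-music-johnvincent.io.conf;
    include snippets/ssl-params.conf;
    include h5bp/basic.conf;

    root /var/www/music/html;
    index index.html;

    server_name www.music.johnvincent.io;

    # SPA fallback: any path that is not a real file is answered with
    # index.html (status 200) so client-side routing works.
    location / {
        try_files $uri /index.html;
    }

    # API served by the Node process on port 3001 over plain HTTP on loopback.
    #
    # "^~" so that every /api path is proxied: without it a request such as
    # /api/x.js or /api/x.png would match the static-asset regex below
    # (regex locations beat plain prefixes) and be looked up on disk instead.
    #
    # The forwarded headers tell the backend who really made the request:
    # without them it sees every call as 127.0.0.1 over http, which breaks
    # per-client logging and rate limiting and any absolute-URL or
    # secure-cookie decision it makes. The backend must still trust these
    # headers only from this proxy.
    location ^~ /api {
        proxy_pass http://localhost:3001;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # First-party path for the Google Analytics loader. nginx does not verify
    # upstream TLS certificates by default; for a script executed in every
    # visitor's browser that would let anyone interfering with this server's
    # egress traffic inject JavaScript, so verify against the system CA
    # bundle (Debian/Ubuntu path — adjust for other distributions) and send
    # SNI. Cache lifetime comes from "expires"; the old proxy_set_header
    # Pragma/Cache-Control lines only altered the request sent to Google,
    # not the browser's response, and are dropped.
    location = /analytics.js {
        proxy_pass https://www.google-analytics.com;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        expires 31536000s;
    }

    # Anything under /junk that is not a real file answers 503.
    location /junk {
        try_files $uri =503;
    }

    # Long-lived cache for static assets. "expires" replaces the previous
    # add_header Cache-Control on purpose: an add_header inside a location
    # replaces — it does not extend — the add_header set inherited from the
    # server level, so any security headers that h5bp/basic.conf or
    # ssl-params.conf set with add_header (HSTS, nosniff, ...; not visible
    # here) would silently vanish from every asset response. "expires"
    # emits Cache-Control: max-age=31536000 without that side effect.
    # access_log off keeps the access log to page and API requests, so
    # asset fetches are not available for later forensic review.
    location ~* \.(svg|jpg|jpeg|png|gif|ico|css|js|pdf)$ {
        expires 31536000s;
        access_log off;
    }
}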

Configure mygithub

sudo vi /etc/nginx/sites-available/https/mygithub
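# mygithub.johnvincent.io — static single-page app.
# Plain HTTP: redirect both names to the canonical HTTPS host.
server {
    listen 80;
    listen [::]:80;
    server_name mygithub.johnvincent.io www.mygithub.johnvincent.io;
    return 301 https://www.mygithub.johnvincent.io$request_uri;
}

# HTTPS on the bare name: redirect to www.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-mygithub-johnvincent.io.conf;
    include snippets/ssl-params.conf;

    server_name mygithub.johnvincent.io;
    return 301 https://www.mygithub.johnvincent.io$request_uri;
}

# HTTPS on www: the application.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-mygithub-johnvincent.io.conf;
    include snippets/ssl-params.conf;
    include h5bp/basic.conf;

    root /var/www/mygithub/html;
    index index.html;

    server_name www.mygithub.johnvincent.io;

    # SPA fallback: any path that is not a real file is answered with
    # index.html (status 200) so client-side routing works.
    location / {
        try_files $uri /index.html;
    }

    # First-party path for the Google Analytics loader. nginx does not verify
    # upstream TLS certificates by default; for a script executed in every
    # visitor's browser that would let anyone interfering with this server's
    # egress traffic inject JavaScript, so verify against the system CA
    # bundle (Debian/Ubuntu path — adjust for other distributions) and send
    # SNI. Cache lifetime comes from "expires"; the old proxy_set_header
    # Pragma/Cache-Control lines only altered the request sent to Google,
    # not the browser's response, and are dropped.
    location = /analytics.js {
        proxy_pass https://www.google-analytics.com;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        expires 31536000s;
    }

    # Anything under /junk that is not a real file answers 503.
    location /junk {
        try_files $uri =503;
    }

    # Long-lived cache for static assets. "expires" replaces the previous
    # add_header Cache-Control on purpose: an add_header inside a location
    # replaces — it does not extend — the add_header set inherited from the
    # server level, so any security headers that h5bp/basic.conf or
    # ssl-params.conf set with add_header (HSTS, nosniff, ...; not visible
    # here) would silently vanish from every asset response. "expires"
    # emits Cache-Control: max-age=31536000 without that side effect.
    # access_log off keeps the access log to page requests, so asset
    # fetches are not available for later forensic review.
    location ~* \.(svg|jpg|jpeg|png|gif|ico|css|js|pdf)$ {
        expires 31536000s;
        access_log off;
    }
}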

Configure jekyll

sudo vi /etc/nginx/sites-available/https/jekyll
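# jekyll.johnvincent.io — static site generated by Jekyll.
# Plain HTTP: redirect both names to the canonical HTTPS host.
server {
    listen 80;
    listen [::]:80;
    server_name jekyll.johnvincent.io www.jekyll.johnvincent.io;
    return 301 https://www.jekyll.johnvincent.io$request_uri;
}

# HTTPS on the bare name: redirect to www.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-jekyll-johnvincent.io.conf;
    include snippets/ssl-params.conf;

    server_name jekyll.johnvincent.io;
    return 301 https://www.jekyll.johnvincent.io$request_uri;
}

# HTTPS on www: the site itself.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-jekyll-johnvincent.io.conf;
    include snippets/ssl-params.conf;
    include h5bp/basic.conf;

    root /var/www/jekyll/html;

    index index.html;

    server_name www.jekyll.johnvincent.io;

    # File, then directory index, then 404.
    location / {
        try_files $uri $uri/ =404;
    }

    # Serve the feed with the RSS media type regardless of what mime.types
    # says for .xml.
    location = /feed.xml {
        types        { }
        default_type "application/rss+xml";
    }

    # ACME HTTP-01 challenge files (Let's Encrypt renewals). "^~" is a prefix
    # match that stops the regex-location search, so this wins even if a
    # regex pulled in by h5bp/basic.conf (not visible here) denies dot-files.
    # The previous "~ /.well-known" regex was evaluated after that include
    # (first matching regex in file order wins) and its unescaped dot
    # matched any character.
    location ^~ /.well-known/ {
        allow all;
    }
}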

Configure images

sudo vi /etc/nginx/sites-available/https/images
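# images.johnvincent.io — static image host.
# Plain HTTP: redirect both names to the canonical HTTPS host.
server {
    listen 80;
    listen [::]:80;
    server_name images.johnvincent.io www.images.johnvincent.io;
    return 301 https://www.images.johnvincent.io$request_uri;
}

# HTTPS on the bare name: redirect to www.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-images-johnvincent.io.conf;
    include snippets/ssl-params.conf;

    server_name images.johnvincent.io;
    return 301 https://www.images.johnvincent.io$request_uri;
}

# HTTPS on www: the files themselves.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-images-johnvincent.io.conf;
    include snippets/ssl-params.conf;
    include h5bp/basic.conf;

    root /var/www/images/html;

    index index.html;

    server_name www.images.johnvincent.io;

    # File, then directory index, then 404.
    location / {
        try_files $uri $uri/ =404;
    }

    # ACME HTTP-01 challenge files (Let's Encrypt renewals). "^~" is a prefix
    # match that stops the regex-location search, so this wins even if a
    # regex pulled in by h5bp/basic.conf (not visible here) denies dot-files.
    # The previous "~ /.well-known" regex was evaluated after that include
    # (first matching regex in file order wins) and its unescaped dot
    # matched any character.
    location ^~ /.well-known/ {
        allow all;
    }
}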

Configure linkedin

sudo vi /etc/nginx/sites-available/https/linkedin
# linkedin.johnvincent.io — a vanity redirect to the LinkedIn profile.
# Plain HTTP: send both names to HTTPS first, so the final hop below is only
# ever issued over TLS.
server {
    listen 80;
    listen [::]:80;
    server_name linkedin.johnvincent.io www.linkedin.johnvincent.io;
    # $server_name is the primary (first) name from the server_name directive
    # above, not the client-supplied Host header, so the target host cannot be
    # steered by the request.
    return 301 https://$server_name$request_uri;
}

# HTTPS: both names redirect to a fixed profile URL. $request_uri is
# deliberately not appended, so no visitor-supplied path or query is carried
# to the external site.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-linkedin-johnvincent.io.conf;
    include snippets/ssl-params.conf;

    server_name linkedin.johnvincent.io www.linkedin.johnvincent.io;
    return 301 https://www.linkedin.com/in/john-vincent-io/;
}

Configure other subdomains

The remaining subdomains (rijksmuseum, internet-resources, peg-solitaire, omnifood, test) are configured the same way. Each needs its own `snippets/ssl-<name>-johnvincent.io.conf` whose certificate covers both the bare and the www name, since both are served on port 443 before the redirect to www happens.

Enable Server Blocks

Nginx loads every file in /etc/nginx/sites-enabled, so a site is enabled by symlinking its file from sites-available rather than copying it; the symlink keeps a single editable copy and switching from the HTTP to the HTTPS files is just a matter of repointing the links.

Create script file ~/bin/enable-https

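#!/bin/sh
#
#  enable-https: switch nginx from the HTTP-only site files to the HTTPS
#  ones by repointing the symlinks in /etc/nginx/sites-enabled, then
#  restart the application and web tiers.
#
#  Requires sudo for the /etc/nginx changes. handle-pm2, nginx-restart and
#  mongo-status are the helper scripts from earlier in this series.
#
set -eu

sites_available=/etc/nginx/sites-available/https
sites_enabled=/etc/nginx/sites-enabled

# One name per site file; edit this list when a site is added or removed.
sites="johnvincent.io music mygithub rijksmuseum internet-resources peg-solitaire omnifood images jekyll test linkedin"

# Check every site file before any link is touched: a typo in the list
# would otherwise leave a dangling link and nginx would refuse to start.
for site in $sites; do
  if [ ! -f "$sites_available/$site" ]; then
    echo "missing site file: $sites_available/$site" >&2
    exit 1
  fi
done

echo "Create symbolic links to HTTPS files"
for site in $sites; do
  # -f replaces an existing link in place (no separate rm needed); -n keeps
  # ln from descending into the old link if it already points at a directory.
  sudo ln -sfn "$sites_available/$site" "$sites_enabled/$site"
done
ls -la "$sites_enabled"

# Validate before restarting: a bad config would otherwise take every
# site down, including the ones that were still being served.
echo "Checking nginx configuration"
sudo nginx -t

echo "Handle PM2 tasks"
handle-pm2

echo "Restarting Nginx"
nginx-restart

echo "Mongo Status"
mongo-status

echo "Completed"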

Execute ~/bin/enable-https

Test each name from a browser over HTTPS (port 443). Every bare name should redirect to its www form, every page should load with no certificate warning, and the plain http:// form of each name should answer with a 301 to https://. Use a private window so a cached redirect from an earlier attempt does not mask a misconfiguration.

https://www.johnvincent.io
https://johnvincent.io

https://www.music.johnvincent.io
https://music.johnvincent.io

https://www.mygithub.johnvincent.io
https://mygithub.johnvincent.io

https://www.images.johnvincent.io
https://images.johnvincent.io

https://www.jekyll.johnvincent.io
https://jekyll.johnvincent.io

https://www.rijksmuseum.johnvincent.io
https://rijksmuseum.johnvincent.io

https://www.internet-resources.johnvincent.io
https://internet-resources.johnvincent.io

https://www.peg-solitaire.johnvincent.io
https://peg-solitaire.johnvincent.io

https://www.omnifood.johnvincent.io
https://omnifood.johnvincent.io

https://www.linkedin.johnvincent.io
https://linkedin.johnvincent.io

https://www.test.johnvincent.io
https://test.johnvincent.io

Test the TLS configuration

Run each name through SSL Labs and ensure every one scores A+. All of the HTTPS server blocks share `snippets/ssl-params.conf`, so the protocol, cipher and HSTS settings that decide the grade are common to every host; a lower grade on one name usually means its certificate snippet (chain or expiry) rather than the shared parameters.

https://www.ssllabs.com/ssltest/analyze.html?d=johnvincent.io

https://www.ssllabs.com/ssltest/analyze.html?d=music.johnvincent.io

https://www.ssllabs.com/ssltest/analyze.html?d=mygithub.johnvincent.io

https://www.ssllabs.com/ssltest/analyze.html?d=images.johnvincent.io

https://www.ssllabs.com/ssltest/analyze.html?d=jekyll.johnvincent.io

https://www.ssllabs.com/ssltest/analyze.html?d=rijksmuseum.johnvincent.io

https://www.ssllabs.com/ssltest/analyze.html?d=internet-resources.johnvincent.io

https://www.ssllabs.com/ssltest/analyze.html?d=peg-solitaire.johnvincent.io

https://www.ssllabs.com/ssltest/analyze.html?d=omnifood.johnvincent.io

https://www.ssllabs.com/ssltest/analyze.html?d=linkedin.johnvincent.io

https://www.ssllabs.com/ssltest/analyze.html?d=test.johnvincent.io