Nginx Letsencrypt FQDN SSL?

Discussion in 'Install & Upgrades or Pre-Install Questions' started by anthony parsons, Jul 10, 2018.

  1. anthony parsons
    Is there a place to insert SSL for the FQDN so that, when using Cloudflare and forcing SSL for the domain (which will force it for sub-domains), things work... like trying to look up PHP info, accessing phpMyAdmin, etc., via the FQDN?

    I understand how to modify the nginx .conf files and can create a .csr, etc, to use the cloudflare ssl... BUT, I don't understand the ins and outs of centmin mod yet, and whether this is done easily another way.

    Or if I modify virtual.conf, whether future upgrades of centminmod will screw up my modifications.
     
  2. eva2000
    The only thing that can mess up the virtual.conf main host is if you install the phpmyadmin.sh addon. Otherwise, you can manually set up the main hostname as outlined in Getting Started Guide step 1 with HTTPS, using the vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS

    Type in the domain field the main hostname domain, which has to have a valid DNS A record pointing to the server IP, i.e. host.domain.com, and check the box that says Generate Self-Signed SSL / Letsencrypt SSL HTTPS Vhost (File ONLY) *

    Vhost type = basic and hit submit

    Follow the first 3 acme.sh commands only to get the Let's Encrypt SSL cert, but edit the web root from
    /home/nginx/domains/host.domain.com/public to point to /usr/local/nginx/html and remove the www. domain from -d

    enable letsencrypt in 123.09beta01 - 3 commands
    Code (Text):
    touch /etc/centminmod/custom_config.inc
    echo "LETSENCRYPT_DETECT='y'" >> /etc/centminmod/custom_config.inc
    /usr/local/src/centminmod/addons/acmetool.sh acmeupdate
    

    get letsencrypt ssl cert - 1 line cmd - webroot defined by -w /usr/local/nginx/html
    Code (Text):
    /root/.acme.sh/acme.sh --force --issue --days 60 -d host.domain.com -w /usr/local/nginx/html -k 2048 --useragent centminmod-centos-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-host.domain.com.log --log-level 2
    

    install letsencrypt ssl cert - 2 line cmds
    Code (Text):
    mkdir -p /usr/local/nginx/conf/ssl/host.domain.com
    /root/.acme.sh/acme.sh --installcert -d host.domain.com --certpath /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-fullchain-acme.key
    

    then make a copy of /usr/local/nginx/conf/conf.d/virtual.conf as /usr/local/nginx/conf/conf.d/virtual.ssl.conf
    Code (Text):
    cp -a /usr/local/nginx/conf/conf.d/virtual.conf /usr/local/nginx/conf/conf.d/virtual.ssl.conf
    

    now edit /usr/local/nginx/conf/conf.d/virtual.ssl.conf, adding the ssl cert lines so it looks like
    Code (Text):
    server {
      listen 443 ssl http2;
      server_name host.domain.com;

      # one ssl_certificate_key per ssl_certificate; the acme.sh --installcert step above writes both files
      ssl_certificate      /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.cer;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.key;
      include /usr/local/nginx/conf/ssl_include.conf;

      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # dual cert supported ssl ciphers
      ssl_ciphers     EECDH+CHACHA20-draft:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+SHA384:EECDH+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;

      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      # stapling verification needs the CA chain; with --capath set to the same file as
      # --certpath, acme.sh appends the CA chain to this .cer file
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/host.domain.com/host.domain.com-acme.cer;

      root   html;
      access_log              /var/log/nginx/localhost.access.log     combined buffer=8k flush=1m;
      error_log               /var/log/nginx/localhost.error.log      error;

      # ngx_pagespeed & ngx_pagespeed handler
      #include /usr/local/nginx/conf/pagespeed.conf;
      #include /usr/local/nginx/conf/pagespeedhandler.conf;
      #include /usr/local/nginx/conf/pagespeedstatslog.conf;

      # limit_conn limit_per_ip 16;
      # ssi  on;

      location /nginx_status {
        stub_status on;
        access_log   off;
        allow 127.0.0.1;
        #allow youripaddress;
        deny all;
      }

      location / {
        # block common exploits, sql injections etc
        #include /usr/local/nginx/conf/block.conf;

        #Enables directory listings when index file not found
        #autoindex  on;
      }

      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/include_opcache.conf;
      include /usr/local/nginx/conf/php.conf;
      #include /usr/local/nginx/conf/phpstatus.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      #include /usr/local/nginx/conf/vts_mainserver.conf;
    }
    

    restart nginx
    Code (Text):
    ngxrestart
    

    now you should be able to access both the https and non-https hostname, and then, if all is working, do a non-https to https 302 temp redirect

     
  3. anthony parsons
    Yer, I have phpmyadmin installed. That works correctly.
     
  4. eva2000
  5. anthony parsons
    Via centmin mod.
     
  6. eva2000
    Strange, would have thought it would conflict.
     
  7. anthony parsons
    phpmyadmin SSL works, but trying to access anything else at server.anthonyparsons.com (my test Centmin Mod at this stage) won't recognise SSL. Saying all that, I'm about to go change out the Let's Encrypt and any default certs for the Cloudflare one via your other instructions... to speed up the SSL handshake and such. With that I can add as many sub-domains as I want to it at creation, so one does all.

    SSL - Cloudflare - Improving Cloudflare Connections To Origin Server - Use ECDSA SSL Certs
     
  8. eva2000
    You can probably try this to fix the conflict if you installed phpmyadmin.sh.

    1. Get the contents of /usr/local/nginx/conf/phpmyadmin_https.conf and place them in the main hostname HTTPS nginx vhost you created above at
    /usr/local/nginx/conf/conf.d/virtual.ssl.conf, within the server{} context

    2. Back up a local copy of the phpmyadmin.sh auto-generated self-signed SSL cert HTTPS vhost at /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf

    3. Then take the following values contained within /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf and transpose them into the main hostname HTTPS nginx vhost you created above at
    /usr/local/nginx/conf/conf.d/virtual.ssl.conf, within the server{} context
    Code (Text):
    keepalive_timeout 3000;
    client_body_buffer_size 256k;
    client_body_timeout 3000s;
    client_header_buffer_size 256k;
    ## how long a connection has to complete sending
    ## its headers for the request to be processed
    client_header_timeout 60s;
    client_max_body_size 512m;
    connection_pool_size 512;
    directio 512m;
    ignore_invalid_headers on;
    large_client_header_buffers 8 256k;
    


    4. Then remove /usr/local/nginx/conf/conf.d/phpmyadmin_ssl.conf

    5. Test Nginx config & Restart Nginx & PHP-FPM
    Code (Text):
    nginx -t
    nprestart
    
     
  9. anthony parsons
    Will try that to resolve the conflict before I tinker elsewhere. Thanks.
     
  10. anthony parsons
    Amazing. Thank you George. Worked a charm... now to the cloudflare improvements. :D
     
  11. eva2000
    Thanks for the confirmation :)
     