Add SSL

Video Lecture


Description

Let's give http://ballgame.your-domain.tld an SSL certificate and redirect all HTTP traffic to HTTPS.

Install Certbot

sudo apt install certbot

Now we can run CertBot

sudo certbot certonly

Select option 2. In the next few steps it will ask for the webroot of our application, since it will put a temporary file into that folder and then try to retrieve it using the domain name. This is how it verifies that we control both this server and the domain name.

The web root folder will be the root folder that our nodejs server is serving to the browser client. According to my setup, that will be /var/www/ballgame/dist/client/

Note

If your domain name hasn't fully propagated across the internet yet, then Certbot will not be able to validate your request against your IP and you will need to try again in an hour or so.

You should see a message indicating that the certificate was issued. It will also indicate the folder where Certbot saved your new certificate keys.

Replace your Nginx ballgame.conf with the configuration below, updating the paths in the ssl_certificate and ssl_certificate_key properties to match those given to you by Certbot.

Also replace occurrences of YOUR-DOMAIN-NAME with your actual domain name that you received the certificates for.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name  YOUR-DOMAIN-NAME;
    ssl_certificate      /etc/letsencrypt/live/YOUR-DOMAIN-NAME/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/YOUR-DOMAIN-NAME/privkey.pem;

    location /socket.io/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass "http://localhost:3000/socket.io/";
    }
    location / {
        proxy_pass           http://127.0.0.1:3000/;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name  YOUR-DOMAIN-NAME;
    return 301 https://YOUR-DOMAIN-NAME$request_uri;
}

Note

If you are not also serving SocketIO, then you can exclude lines 9-13 above, i.e. the location /socket.io/ block.

Now visit https://ballgame.your-domain.tld

or visit my ballgame address to see the working example

https://ballgame.sbcode.net
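Besides checking in a browser, a post-deployment check can confirm that plain HTTP really answers with a 301 to the HTTPS URL and report how many days remain on the certificate (Let's Encrypt issues them for 90 days, so expiry is worth watching). This is an added example, not part of the original tutorial; the host name is a placeholder, and the decision logic is kept in pure functions so it can be tested without network access.

```python
"""Post-deployment check for the Nginx + Certbot setup in this tutorial.

Added example (not the tutorial's own code). redirect_ok() and
days_until_expiry() are pure functions; check_host() wires them to live
HTTP and TLS connections.
"""
import http.client
import socket
import ssl
from datetime import datetime, timezone


def redirect_ok(status, headers, host, path="/"):
    """True if the response is a permanent redirect to the same path on HTTPS.

    headers: iterable of (name, value) pairs, as HTTPResponse.getheaders() returns.
    """
    if status != 301:
        return False
    location = next((v for k, v in headers if k.lower() == "location"), None)
    return location == f"https://{host}{path}"


def days_until_expiry(not_after, now=None):
    """Whole days until the cert's notAfter (format as returned by
    ssl.getpeercert(), e.g. 'Jun  1 12:00:00 2030 GMT'); negative if expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def check_host(host, path="/", warn_days=30):
    """Run both checks live against host; returns (redirect_ok, days_left)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    redirected = redirect_ok(resp.status, resp.getheaders(), host, path)
    conn.close()

    ctx = ssl.create_default_context()  # verifies the chain against the system CA store
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            days = days_until_expiry(tls.getpeercert()["notAfter"])
    if days < warn_days:
        print(f"WARNING: certificate for {host} expires in {days} days")
    return redirected, days


if __name__ == "__main__":
    import sys
    # placeholder host; pass your real domain on the command line
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "ballgame.your-domain.tld"))
```

A failed chain verification in check_host() raises ssl.SSLCertVerificationError, which is the signal you want if the wrong certificate files were referenced in ballgame.conf.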