Configure Nginx on RHEL 6.6 with Let's Encrypt
Attila Levente EGYEDI edited this page Mar 29, 2017
·
11 revisions
Edit the Nginx configuration file:
sudo vi /etc/nginx/conf.d/default.conf
Add the content below before the existing server block. Replace <HOSTNAME> with the actual host name, <HOST_IP> with the actual host IP address, and <LETS_ENCRYPT_PEM_PATH> with the path to the directory holding the host's PEM files (e.g., /etc/letsencrypt/live/staging.metadatacenter.net/).
Note: This content is included in the http block of the main configuration file.
# Proxy defaults. This file is included in the http block, so every
# proxy_pass location below inherits these settings.

# Relay upstream responses to the client as they arrive instead of buffering.
proxy_buffering off;
proxy_http_version 1.1; # this is essential for chunked responses to work

# Headers handed to the backends.
# X-Real-IP is the peer address nginx saw on the connection.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# the client sent, so only the last entry was written by this proxy; backends
# should not treat earlier entries as verified.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# $http_host is the Host header exactly as the client sent it (including any port).
proxy_set_header Host $http_host;
# Backend services, one upstream per service. Every backend is addressed on
# the loopback interface, so nginx is the only network-facing entry point
# defined in this file.
upstream cedar-backend-template         { server 127.0.0.1:9001; }
upstream cedar-backend-repo             { server 127.0.0.1:9002; }
upstream cedar-backend-schema           { server 127.0.0.1:9003; }
upstream cedar-backend-terminology      { server 127.0.0.1:9004; }
upstream cedar-backend-user             { server 127.0.0.1:9005; }
upstream cedar-backend-valuerecommender { server 127.0.0.1:9006; }
upstream cedar-backend-resource         { server 127.0.0.1:9007; }
upstream cedar-backend-folder           { server 127.0.0.1:9008; }
upstream cedar-backend-group            { server 127.0.0.1:9009; }

# The auth backend is the only one proxied over https:// (see the auth server block).
upstream cedar-backend-auth-https       { server 127.0.0.1:8543; }
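# cedar.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name cedar.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# cedar.<HOSTNAME>, HTTPS: serves the template editor's static files.
server {
    listen 443 ssl;
    server_name cedar.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        root /srv/cedar/cedar-template-editor/app/;
        # Any path that is not an existing file is answered with index.html.
        try_files $uri /index.html;
    }
}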
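# template.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name template.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# template.<HOSTNAME>, HTTPS: proxies to the template backend, host-only access.
server {
    listen 443 ssl;
    server_name template.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        # Only connections whose source address is <HOST_IP> are proxied;
        # every other client is answered with 403.
        allow <HOST_IP>;
        deny all;
        proxy_pass http://cedar-backend-template;
    }
}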
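# repo.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name repo.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# repo.<HOSTNAME>, HTTPS: proxies to the repo backend with no address restriction.
server {
    listen 443 ssl;
    server_name repo.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://cedar-backend-repo;
    }
}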
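# schema.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name schema.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# schema.<HOSTNAME>, HTTPS: proxies to the schema backend with no address restriction.
server {
    listen 443 ssl;
    server_name schema.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://cedar-backend-schema;
    }
}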
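# terminology.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name terminology.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# terminology.<HOSTNAME>, HTTPS: proxies to the terminology backend and
# serves the Swagger UI static files under /api/.
server {
    listen 443 ssl;
    server_name terminology.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://cedar-backend-terminology;
    }

    # A prefix location "/api" with no trailing slash also matches any URI
    # that merely starts with "/api", and alias would map the remainder onto
    # sibling paths of the swagger-ui directory. Ending both the location and
    # the alias with "/" confines the mapping to that directory; the exact
    # match keeps "/api" itself working.
    location = /api {
        return 301 /api/;
    }
    location /api/ {
        alias /srv/cedar/cedar-swagger-ui/;
    }
}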
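# user.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name user.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# user.<HOSTNAME>, HTTPS: proxies to the user backend with no address restriction.
server {
    listen 443 ssl;
    server_name user.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://cedar-backend-user;
    }
}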
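# valuerecommender.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name valuerecommender.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# valuerecommender.<HOSTNAME>, HTTPS: proxies to the value recommender
# backend and serves the Swagger UI static files under /api/.
server {
    listen 443 ssl;
    server_name valuerecommender.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://cedar-backend-valuerecommender;
    }

    # A prefix location "/api" with no trailing slash also matches any URI
    # that merely starts with "/api", and alias would map the remainder onto
    # sibling paths of the swagger-ui directory. Ending both the location and
    # the alias with "/" confines the mapping to that directory; the exact
    # match keeps "/api" itself working.
    location = /api {
        return 301 /api/;
    }
    location /api/ {
        alias /srv/cedar/cedar-swagger-ui/;
    }
}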
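# resource.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name resource.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# resource.<HOSTNAME>, HTTPS: proxies to the resource backend and serves the
# Swagger UI static files under /api/.
server {
    listen 443 ssl;
    server_name resource.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://cedar-backend-resource;
    }

    # A prefix location "/api" with no trailing slash also matches any URI
    # that merely starts with "/api", and alias would map the remainder onto
    # sibling paths of the swagger-ui directory. Ending both the location and
    # the alias with "/" confines the mapping to that directory; the exact
    # match keeps "/api" itself working.
    location = /api {
        return 301 /api/;
    }
    location /api/ {
        alias /srv/cedar/cedar-swagger-ui/;
    }
}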
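# folder.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name folder.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# folder.<HOSTNAME>, HTTPS: proxies to the folder backend, host-only access.
server {
    listen 443 ssl;
    server_name folder.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        # Only connections whose source address is <HOST_IP> are proxied;
        # every other client is answered with 403.
        allow <HOST_IP>;
        deny all;
        proxy_pass http://cedar-backend-folder;
    }
}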
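# group.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name group.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# group.<HOSTNAME>, HTTPS: proxies to the group backend, host-only access.
server {
    listen 443 ssl;
    server_name group.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        # Only connections whose source address is <HOST_IP> are proxied;
        # every other client is answered with 403.
        allow <HOST_IP>;
        deny all;
        proxy_pass http://cedar-backend-group;
    }
}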
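# auth.<HOSTNAME>, plain HTTP: redirect everything to HTTPS.
# The target is built from $server_name rather than the client's Host header.
server {
    listen 80;
    server_name auth.<HOSTNAME>;
    return 301 https://$server_name$request_uri;
}

# auth.<HOSTNAME>, HTTPS: proxies to the auth backend, which is itself
# reached over TLS on the loopback interface.
server {
    listen 443 ssl;
    server_name auth.<HOSTNAME>;

    ssl_certificate     <LETS_ENCRYPT_PEM_PATH>/fullchain.pem;
    ssl_certificate_key <LETS_ENCRYPT_PEM_PATH>/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # !DES does not exclude 3DES, which older OpenSSL builds still place in
    # HIGH; !3DES removes it explicitly.
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
    # Use the server's cipher order, not the client's.
    ssl_prefer_server_ciphers on;

    location / {
        # nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is turned on; this hop stays on 127.0.0.1.
        # Revisit if the auth backend ever moves to another host.
        proxy_pass https://cedar-backend-auth-https;
    }
}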
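Restart Nginx (running sudo nginx -t beforehand reports configuration errors without touching the running server):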
sudo service nginx restart