Nodejs Nginx with http and https on Compute engine

Do steps 1 to 15 from this post. On step 4, check both Allow HTTP traffic and Allow HTTPS traffic. After these 15 steps, a simple node app is up and running locally on your compute engine instance, but it is not yet reachable from the outside. To open it to the world, instead of using iptables from step 16 of that post, do the following with Nginx, which enables both http and https.

1. Update package manager and install Nginx

sudo apt-get update
sudo apt-get install nginx

2. Check that it was installed successfully, from the command line and from the browser by entering the external ip address of your compute engine server with http. A Welcome to nginx page should be displayed. Before the ssl certificate is added, it can only be accessed through http. ex: http://123.456.78.9

curl localhost

3. Configure NGINX as a reverse proxy for the nodejs app. Go to the nginx sites-available folder, back up the default config, and create a new one with the following.

cd /etc/nginx/sites-available
sudo mv default default.bak
sudo vim default
server {
  listen 80;
  server_name YOUR_SERVER_EXTERNAL_IP_ADDRESS_or_YOUR_DOMAIN_NAME;

  location / {
    proxy_pass "http://127.0.0.1:8080";
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_cache_bypass $http_upgrade;
  }
}

4. Restart nginx, and verify the change from the command line and the browser

sudo service nginx restart
curl localhost

5. Create a self-signed ssl certificate.

sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

6. Update the nginx config file default to the following to enable https. The changes are the three new lines: listen 443 ssl;, ssl_certificate /etc/nginx/ssl/nginx.crt; and ssl_certificate_key /etc/nginx/ssl/nginx.key;.

server {
  listen 80;
  server_name YOUR_SERVER_EXTERNAL_IP_ADDRESS_or_YOUR_DOMAIN_NAME;

  listen 443 ssl;

  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;

  location / {
    proxy_pass "http://127.0.0.1:8080";
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_cache_bypass $http_upgrade;
  }
}

7. Restart nginx, and verify that your compute engine instance’s external ip address can be accessed with https in the browser. On Chrome, a warning page will be displayed; click Advanced, then click Proceed to, and the page will be rendered over https. This warning is there because the certificate is self-signed and cannot be verified against a trusted CA.

sudo service nginx restart

8. Link a domain name to the compute engine instance.

9. Instead of a self-signed certificate, there are free certificates available from letsencrypt, but a registered domain name is required.

You’ll need to add the Certbot PPA to your list of repositories. To do so, run the following commands on the command line on the machine:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

Install Certbot

sudo apt-get install certbot python-certbot-nginx

Get and install certificate

sudo certbot --nginx

Or, just get a certificate

sudo certbot certonly --nginx

After installing the certificate with certbot, this is what the nginx config file at /etc/nginx/sites-available/default will look like

server {
  server_name example.com;
  location / {
    proxy_pass "http://127.0.0.1:8080";
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_cache_bypass $http_upgrade;
  }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
  listen 80;
  server_name example.com;
    return 404; # managed by Certbot
}

Test automatic renewal. The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again unless you change your configuration. You can test automatic renewal for your certificates by running this command:

sudo certbot renew --dry-run

The scheduled renewal job is installed in one of the following cron locations, or as a systemd timer that you can list with the last command:

/etc/crontab/
/etc/cron.*/*
systemctl list-timers

Confirm that Certbot worked. To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.
