Nodejs Nginx with http and https on Compute engine
Do steps 1 to 15 from this post. On step 4, check both Allow HTTP traffic and Allow HTTPS traffic. After those 15 steps a simple Node app is running locally on your Compute Engine instance, but it is not yet reachable from the internet. To expose it, instead of the iptables port forwarding from step 16 of that post, put Nginx in front of the app as a reverse proxy and enable both http and https, as follows.
1. Update package manager and install Nginx
sudo apt-get update
sudo apt-get install nginx
2. Check that it installed successfully, from the command line and from a browser, by entering the external IP address of your Compute Engine instance with http (e.g. http://YOUR_SERVER_EXTERNAL_IP_ADDRESS). A "Welcome to nginx" page should be displayed. Until the SSL certificate is added, the site can only be accessed over http.
curl localhost
3. Configure NGINX as a reverse proxy for the Node.js app. Go to the nginx sites-available folder, back up the default config, and create a new one with the following content. The proxy_pass target is the address the Node app listens on (127.0.0.1:8080 here); keeping the app bound to localhost means only nginx can reach it directly.
cd /etc/nginx/sites-available
sudo mv default default.bak
sudo vim default
server {
    listen 80;
    server_name YOUR_SERVER_EXTERNAL_IP_ADDRESS_or_YOUR_DOMAIN_NAME;

    location / {
        proxy_pass "http://127.0.0.1:8080";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }
}
4. Restart nginx, and verify the change from the command line and the browser. curl should now return the Node app's response instead of the nginx welcome page.
sudo service nginx restart
curl localhost
5. Create a self-signed SSL certificate and key. openssl will prompt for the subject fields; enter your instance's external IP address or domain name as the Common Name.
sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
6. Update the nginx config file default to the following to enable https. The changes are the new lines listen 443 ssl;, ssl_certificate /etc/nginx/ssl/nginx.crt; and ssl_certificate_key /etc/nginx/ssl/nginx.key;. Note that the same server block still listens on port 80, so the app remains reachable over plain http as well; nothing redirects http to https at this point.
server {
    listen 80;
    server_name YOUR_SERVER_EXTERNAL_IP_ADDRESS_or_YOUR_DOMAIN_NAME;

    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location / {
        proxy_pass "http://127.0.0.1:8080";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }
}
7. Restart nginx, and verify that your Compute Engine instance's external IP address can be accessed with https in the browser. Chrome will show a warning page; click Advanced, then Proceed, and the page will be rendered over https. The warning appears because the certificate is self-signed rather than issued by a certificate authority the browser trusts, so the browser cannot verify it.
sudo service nginx restart
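Steps 1 to 7 above, collected into one script, as an added example that is not part of the original post. It differs from the post's config in the ways a practitioner usually wants: plain http only redirects to https instead of also serving the app, the proxy passes Host, X-Forwarded-For and X-Forwarded-Proto so the Node app sees the real client and scheme, the self-signed certificate carries a Subject Alternative Name (browsers ignore a bare Common Name), the private key is made readable by root only, and `nginx -t` runs before the reload. Assumptions: the app listens on 127.0.0.1:8080 as in the post, OpenSSL is 1.1.1 or newer (required for `-addext`), nginx is managed by systemd, and the script name deploy-nginx.sh and the placeholder __SERVER_NAME__ are mine.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-7 as one script with a
# redirecting HTTP block, forwarding headers, a SAN on the self-signed cert,
# a root-only key and a config check before reload.
# Assumptions: app on 127.0.0.1:8080, OpenSSL >= 1.1.1, nginx under systemd.
set -e

# Print the SAN entry for a name: IP: for a dotted-quad address, DNS: otherwise.
san_for() {
  if printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
    printf 'IP:%s\n' "$1"
  else
    printf 'DNS:%s\n' "$1"
  fi
}

# Write the site config into directory $1 (normally /etc/nginx/sites-available)
# for server name $2 and print the path written. The heredoc delimiter is quoted
# so nginx variables ($host etc.) stay literal; only __SERVER_NAME__ is replaced.
write_proxy_config() {
  local dir="$1" name="$2"
  cat <<'EOF' | sed "s/__SERVER_NAME__/$name/g" > "$dir/default"
# Plain HTTP: do not serve the app here, just send clients to HTTPS.
server {
    listen 80;
    server_name __SERVER_NAME__;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name __SERVER_NAME__;

    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        # WebSocket upgrade passthrough, as in the post
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_cache_bypass $http_upgrade;
        # Let the app see the requested host, the client address and the scheme
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
  printf '%s\n' "$dir/default"
}

# Create a self-signed certificate and key for name $2 under directory $1.
make_self_signed_cert() {
  local dir="$1" name="$2"
  mkdir -p "$dir"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=$name" -addext "subjectAltName=$(san_for "$name")" \
    -keyout "$dir/nginx.key" -out "$dir/nginx.crt"
  chmod 600 "$dir/nginx.key"   # the private key must not be world-readable
}

# Full run of steps 1-7 for server name $1; run as root.
deploy() {
  local name="$1"
  apt-get update
  apt-get install -y nginx
  if [ ! -f /etc/nginx/sites-available/default.bak ]; then
    cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
  fi
  write_proxy_config /etc/nginx/sites-available "$name" >/dev/null
  make_self_signed_cert /etc/nginx/ssl "$name"
  nginx -t                 # refuse to reload a broken config or unreadable cert
  systemctl reload nginx
  # Local checks: plain HTTP must answer 301; HTTPS (-k: self-signed) must reach the app.
  curl -sI http://127.0.0.1/ | head -n 1
  curl -skI --resolve "$name:443:127.0.0.1" "https://$name/" | head -n 1
}

# Only deploy when asked, so the functions can be sourced or tested without
# touching the system:  sudo sh deploy-nginx.sh deploy example.com
if [ "${1:-}" = "deploy" ] && [ -n "${2:-}" ]; then
  deploy "$2"
fi
```

Because the http block now answers only with a redirect, the app is reachable over https alone, which is what the later Certbot step also produces. The self-signed certificate still triggers the browser warning from step 7; it disappears only once a CA-issued certificate is installed.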
8. Link a domain name to the Compute Engine instance: reserve a static external IP address for the instance (an ephemeral external IP changes when the instance is stopped and started) and create an A record for the domain pointing at it.
9. Instead of a self-signed certificate, free certificates are available from Let's Encrypt, but a registered domain name is required.
You'll need to add the Certbot PPA to your list of repositories. (This applies to the Ubuntu releases current when this was written; on newer releases the PPA is no longer maintained and Certbot's nginx plugin is available directly from the universe repository as python3-certbot-nginx, or via Certbot's snap package.) To do so, run the following commands on the machine:
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
Install Certbot
sudo apt-get install certbot python-certbot-nginx
Get and install certificate
sudo certbot --nginx
Or, to obtain a certificate without letting Certbot edit the nginx config:
sudo certbot certonly --nginx
After installing the certificate with certbot, this is what the nginx config file at /etc/nginx/sites-available/default will look like. Certbot has moved the site to port 443 and replaced the port 80 server with one that only redirects to https:
server {
    server_name example.com;

    location / {
        proxy_pass "http://127.0.0.1:8080";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name example.com;
    return 404; # managed by Certbot
}
Test automatic renewal. The Certbot packages come with a cron job or systemd timer that renews your certificates automatically before they expire, so you will not need to run Certbot again unless you change your configuration. Test automatic renewal of your certificates by running:
sudo certbot renew --dry-run
The renewal job is installed in one of the following places; check them to confirm it is present:
/etc/crontab/
/etc/cron.*/*
systemctl list-timers
Confirm that Certbot worked. To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.