So after a long debate I’ve decided to drop cloud-flare in lieu of HTTP/2 support. A few months ago I added Lets-encrypt my (3) MX Servers, https://jersey.jacobdevans.com for example, which means I also added Mutual-TLS Email support (yay security and encryption). Since that was going so well I decided to go with nginx as an SSL proxy and keep apache for the backend (wordpress, htaccess). So now I am able to support the fancy http/2 protocol with SSL, still waiting for OpenSSL 1.0.2 ALPN but this will do for now.
So if you are looking to set this up yourself, here’s what I did for my nginx config.
I have 2) shared configuration files, the SSL config and the file redirection. Since LetsEncrypt uses http to verify ownership of the domain, I had to be able to drop a file and do this verification for domains hosted on other machines.
Before you can add the ssl certificate and key, you’ll need to generate the certificate file with either standalone or setup nginx without ssl first, but this config does make it easy to renew (via webroot).
/etc/nginx/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/html/letsencrypt;
}
location = /.well-known/acme-challenge/ {
return 404;
}
/etc/nginx/letsencrypt-ssl.conf
ssl_certificate /etc/letsencrypt/live/www.jacobdevans.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.jacobdevans.com/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:AES256+EECDH"; ssl_session_cache shared:SSL:30m; ssl_session_timeout 30m; add_header Strict-Transport-Security "max-age=31536000"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff;
And then in each virtual host, I added this config.
/etc/nginx/conf.d/000-default.conf
server {
listen 80;
listen [::]:80;
server_name _;
include letsencrypt.conf;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://[2001:470:8:1dc::5]:80;
proxy_read_timeout 90;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
root /usr/share/nginx/html;
include letsencrypt-ssl.conf;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://[2001:470:8:1dc::5]:80;
proxy_read_timeout 90;
}
}
Now most of you know, letsencrypt certificates expire every 90 days, and are designed to be renewed every 60, so here’s that script.
/etc/cron.d/letsencrypt
7 7 * * * root /opt/certbot/certbot-auto renew >/dev/null 14 14 * * * root /opt/certbot/certbot-auto renew >/dev/null
https://letsencrypt.org/getting-started/ recommends running this twice a day on a random minute/hour, so I picked these.
I hope this helps!