NGINX reverse proxy for Rocket.Chat Snap installation
To obtain an SSL certificate from Let's Encrypt you will need to add the Debian Stretch Backports repository (see https://certbot.eff.org/lets-encrypt/debianstretch-nginx).
sudo apt edit-sources
append
# Backports
deb http://ftp.debian.org/debian stretch-backports main
to the end of the file. Save and exit your editor (in Nano: Ctrl+x, y, Return).
sudo apt update
to update your package lists.
If apt update fails with the error "The following signatures couldn't be verified because the public key is not available", the Debian archive signing key is missing from your keyring:
sudo apt install dirmngr
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key 8B48AD6246925553 # replace with the key IDs named in the error
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key 7638D0442B90D010
sudo apt update
Fetching by key ID alone trusts whatever the keyserver returns for that ID, so compare the fingerprint apt-key prints with the official list at https://ftp-master.debian.org/keys.html before relying on it. On a stock Debian system the same keys ship in the debian-archive-keyring package, which is the safer source.
sudo apt install nginx python-certbot-nginx -t stretch-backports
to install nginx and the certbot nginx plugin from the backports repository (-t stretch-backports), as the certbot instructions recommend.
sudo systemctl disable snap.rocketchat-server.rocketchat-caddy.service
sudo systemctl stop snap.rocketchat-server.rocketchat-caddy.service
to disable the Caddy webserver that comes with the snap, since we are going to use Nginx. disable only keeps it from starting at boot; stop makes it release ports 80 and 443 now if it is currently listening on them, otherwise nginx cannot bind them until the next reboot.
Replace <example.com> with your domain name everywhere you see it.
Create a new server block file
sudo nano /etc/nginx/sites-available/<example.com>
with following content:
# Upstream
upstream backend {
    server 127.0.0.1:3000;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name <example.com>;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name <example.com>;

    # Separate access and error logs (the original pointed error_log at the
    # .access.log file and had no access log at all)
    access_log /var/log/nginx/rocketchat.access.log;
    error_log /var/log/nginx/rocketchat.error.log;

    #ssl_certificate /etc/letsencrypt/live/<example.com>/fullchain.pem;
    #ssl_trusted_certificate /etc/letsencrypt/live/<example.com>/chain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/<example.com>/privkey.pem;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam3072.pem 3072
    #ssl_dhparam /etc/ssl/certs/dhparam3072.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3; # TLSv1.3 requires nginx >= 1.13.0 built against a TLS 1.3 capable OpenSSL
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # OCSP Stapling - fetch OCSP records from URL in ssl_certificate and cache them
    # (ssl_stapling_verify needs ssl_trusted_certificate, so it only takes effect once that line is uncommented)
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.0.0.1 9.9.9.9 valid=300s;
    resolver_timeout 5s;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # Enable only once HTTPS works: browsers that have seen this header refuse plain HTTP for max-age seconds.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # You can increase the limit if you need to.
    client_max_body_size 200M;

    # No Robots
    location = /robots.txt {
        return 200 "User-agent: *\nDisallow: /";
    }

    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        # Upgrade/Connection are required for the WebSocket connections Rocket.Chat uses
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell Rocket.Chat the client arrived over HTTPS. The original set the
        # literal "http" here, which labels every request as cleartext even
        # though this server block only speaks TLS.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}
Please adjust it to your needs, but leave the three lines ssl_certificate, ssl_trusted_certificate and ssl_certificate_key
commented out for now, since we don't have the certificates yet and nginx won't start if these files are missing.
For more information go to Nginx Documentation. For decent SSL sample configurations head to Mozilla SSL config generator.
sudo ln -s /etc/nginx/sites-available/<example.com> /etc/nginx/sites-enabled/<example.com>
link the server block file to the sites-enabled directory so nginx will load it.
sudo rm /etc/nginx/sites-enabled/default
delete the default server block file.
To test your configuration:
sudo nginx -t
If all went well you can now restart nginx and obtain your SSL certificates.
sudo systemctl restart nginx
sudo certbot --nginx certonly
After answering some questions from certbot your new SSL certificates should be ready. See https://certbot.eff.org/lets-encrypt/debianstretch-nginx for more information. The Debian certbot package also installs a renewal timer; confirm renewal will work with sudo certbot renew --dry-run.
sudo nano /etc/nginx/sites-available/<example.com>
again to uncomment the ssl_certificate, ssl_trusted_certificate and ssl_certificate_key
lines. Restart nginx again.
sudo systemctl restart nginx
Now point your browser to https://<example.com> to access your Rocket.Chat server!
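Once the site is up, it is worth checking from the outside that the proxy actually behaves the way the server block above intends: plain HTTP is redirected to HTTPS, the security headers reach the browser, old TLS versions are refused, and the WebSocket upgrade makes it through to Rocket.Chat. The script below is an added example and is not part of the Rocket.Chat wiki page or the snap; it assumes curl and openssl are installed, that the host to check is passed as the first argument, and that /websocket is the endpoint Rocket.Chat answers WebSocket upgrades on (an assumption about the Meteor DDP path, not something this page states). The parsing functions take the header text curl prints, so they can also be run against captured responses.

```shell
#!/bin/sh
# Post-deployment checks for the nginx front end configured above.
# Added example, not part of the Rocket.Chat wiki page. Assumes curl and
# openssl are installed and that the site is reachable at the host given as
# the first argument (e.g. ./check.sh example.com). The /websocket path is
# assumed to be the DDP endpoint Rocket.Chat (Meteor) serves.

# Return 0 if the header block in $1 (as printed by `curl -sI`) is a
# permanent redirect to an https:// URL, 1 otherwise.
is_https_redirect() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
  location=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" {print $2; exit}')
  case "$status" in
    301|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print how many of the headers the server block is supposed to send are
# absent from the header block in $1. HSTS is counted too, so a server that
# still has the Strict-Transport-Security line commented out reports 1.
missing_security_headers() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')
  missing=0
  for want in 'x-frame-options: deny' \
              'x-content-type-options: nosniff' \
              'strict-transport-security: max-age='; do
    printf '%s\n' "$hdrs" | grep -q "^$want" || missing=$((missing + 1))
  done
  echo "$missing"
}

# Live checks against a real host: redirect, headers, legacy TLS refused,
# WebSocket upgrade passed through to the backend.
live_checks() {
  host=$1

  printf 'HTTP -> HTTPS redirect: '
  if is_https_redirect "$(curl -sI --max-time 10 "http://$host/")"; then echo ok; else echo FAIL; fi

  printf 'security headers missing on https://%s/: ' "$host"
  missing_security_headers "$(curl -sI --max-time 10 "https://$host/")"

  # ssl_protocols only allows TLS 1.2/1.3, so a forced TLS 1.1 handshake must fail
  printf 'TLS 1.1 handshake refused: '
  if openssl s_client -connect "$host:443" -servername "$host" -tls1_1 </dev/null >/dev/null 2>&1; then
    echo FAIL
  else
    echo ok
  fi

  # HTTP/1.1 is forced because the Upgrade mechanism does not exist in HTTP/2;
  # a working proxy answers "HTTP/1.1 101 Switching Protocols" before curl's timeout
  printf 'WebSocket upgrade on /websocket (expect 101): '
  curl -s -i --http1.1 --max-time 5 \
    -H 'Connection: Upgrade' -H 'Upgrade: websocket' \
    -H 'Sec-WebSocket-Version: 13' -H 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' \
    "https://$host/websocket" | head -n 1
}

if [ $# -gt 0 ]; then
  live_checks "$1"
fi
```

A count of 1 from the header check is expected while the HSTS line is still commented out; once you uncomment it after the certificate works, the count should drop to 0. A redirect that fails the first check usually means the default server block was not removed or Caddy is still holding port 80.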