HTTPS support with an Nginx Let's Encrypt reverse proxy on Ubuntu - JustaPenguin/assetto-server-manager GitHub Wiki
N.B. Since version 1.7.4, Assetto Server Manager is capable of natively handling TLS. This page is only useful if you need to maintain the server behind a proxy for any reason.
These instructions have been tested on a DigitalOcean droplet running Ubuntu 18.04, with Assetto Server Manager 1.7.3 (Premium) installed.
Prerequisites/Assumptions:
- A modern Ubuntu (or similar) host, running Assetto Server Manager
- A registered (sub)domain, correctly configured to send browsers to your Assetto Server Manager host on the default port 8772, e.g. http://your.server.here:8772/
- Any firewall is configured to permit ports 80 and 443 inbound to your host (and 8772 initially for testing)
- A user account on your host with sudo privileges. Otherwise, run all sudo commands below as the root user and remove the prefix sudo.
- No other servers already listening on ports 80 or 443 on the same host
- Nginx not already installed
First let's install Nginx
sudo apt update && sudo apt -y install nginx
Set up a basic reverse proxy to Server Manager on port 80 first
Create this file using your preferred text editor: /etc/nginx/conf.d/assetto-server-manager.conf
Add the following contents to that file:
server {
    listen 80;
    listen [::]:80;
    server_name your.server.here;
    client_max_body_size 256m;
    location / {
        proxy_pass http://localhost:8772;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Restart Nginx with:
sudo systemctl restart nginx.service
At this point you should be able to load http://your.server.here/ (without the port 8772) and everything should be working.
Next we install Let's Encrypt TLS certificates with Certbot
# if using Ubuntu 18.04 (Bionic)
sudo apt -y install python-certbot-nginx
or
# if using Ubuntu 20.04 (Focal)
sudo apt -y install python3-certbot-nginx
Run the configurator like this, and answer the questions:
sudo certbot --nginx
If you've done things correctly, you should be all set. I elected to say "yes" to the automatic redirection from port 80 (http) to 443 (https).
A tiny bit of (optional) hardening
Nearly nobody needs TLS older than 1.2 any more, so we can strip out TLSv1 and TLSv1.1 support.
sudo sed -i 's/TLSv1 TLSv1.1 //' /etc/letsencrypt/options-ssl-nginx.conf
sudo systemctl restart nginx.service
If you are concerned about the warning at the top of that file that CertBot won't work, please read the explanation.
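The sed substitution above is silent when the exact string `TLSv1 TLSv1.1 ` is not present, so it is worth checking which protocols the directive actually enables afterwards. The following is an added example, not part of the original wiki page: the function name `legacy_tls_protocols` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Report legacy protocols still enabled by the ssl_protocols directive.
# Exit status: 0 = none enabled, 1 = some enabled (printed), 2 = no directive found.
legacy_tls_protocols() {
    conf="$1"
    # Use the last uncommented ssl_protocols directive in the file.
    line=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$conf" | tail -n 1)
    [ -n "$line" ] || { echo "no ssl_protocols directive in $conf" >&2; return 2; }
    found=""
    # Drop the directive name and everything from the semicolon on, then check each token.
    for proto in $(printf '%s\n' "$line" |
                   sed 's/^[[:space:]]*ssl_protocols[[:space:]]*//; s/;.*$//'); do
        case "$proto" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) found="$found $proto" ;;
        esac
    done
    found="${found# }"
    [ -z "$found" ] && return 0
    echo "$found"
    return 1
}

# Constructed sample: a directive in the form the sed command on this page expects.
before=$(mktemp)
after=$(mktemp)
printf '%s\n' '# ssl_protocols SSLv3;' 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' > "$before"

echo "before edit: $(legacy_tls_protocols "$before" || true)"

# Same substitution as the page, written to a copy instead of editing in place.
sed 's/TLSv1 TLSv1.1 //' "$before" > "$after"

if legacy_tls_protocols "$after"; then
    echo "after edit: no legacy protocols enabled"
fi
rm -f "$before" "$after"
```

On the real host, call `legacy_tls_protocols /etc/letsencrypt/options-ssl-nginx.conf` and treat a non-zero exit status as a reason to inspect the file by hand.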
Firewall tidy-up
Now you can block direct access to port 8772 through your firewall, then verify the following:
- http://your.server.here:8772/ should no longer work
- http://your.server.here/ should redirect you to https
- https://your.server.here/ should load fine