NGINX reverse proxy for Rocket.Chat Snap installation - RocketChat/Rocket.Chat.RaspberryPi GitHub Wiki

Adding Nginx reverse proxy to your Raspbian Stretch Installation of Rocket.Chat Server

Backports Repository

To obtain an SSL certificate from Let's Encrypt you will need to add the Debian Stretch Backports repository, which carries a current certbot and nginx (see https://certbot.eff.org/lets-encrypt/debianstretch-nginx).

Run sudo apt edit-sources and append

# Backports
deb http://ftp.debian.org/debian stretch-backports main

to the end of the file. Save and exit your editor (in Nano: Ctrl+x, y, Return).

Run sudo apt update to refresh your package lists.

If sudo apt update fails with "The following signatures couldn't be verified because the public key is not available", the Debian archive signing keys are missing from your keyring:

sudo apt install dirmngr
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key 8B48AD6246925553 # replace with the key IDs named in the error
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key 7638D0442B90D010
sudo apt update

A key fetched from a keyserver is only as trustworthy as the ID you asked for, so before relying on the repository compare the fingerprints printed by sudo apt-key finger with the archive key fingerprints Debian publishes at https://ftp-master.debian.org/keys.html.

Install Snapd, Nginx and Certbot

sudo apt install -t stretch-backports nginx python-certbot-nginx

Snapd and the Rocket.Chat snap are assumed to be installed already. Disable (and stop) the Caddy web server that ships with the snap, since Nginx is going to take over ports 80 and 443:

sudo systemctl disable --now snap.rocketchat-server.rocketchat-caddy.service

Nginx configuration

Replace <example.com> with your domain name everywhere you see it.

Create a new server block file

Run sudo nano /etc/nginx/sites-available/<example.com> and give the file the following content:

# Upstream: the Rocket.Chat snap listens on localhost only
upstream backend {
    server 127.0.0.1:3000;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name <example.com>;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name <example.com>;

    access_log /var/log/nginx/rocketchat.access.log;
    error_log  /var/log/nginx/rocketchat.error.log;

    #ssl_certificate         /etc/letsencrypt/live/<example.com>/fullchain.pem;
    #ssl_trusted_certificate /etc/letsencrypt/live/<example.com>/chain.pem;
    #ssl_certificate_key     /etc/letsencrypt/live/<example.com>/privkey.pem;

    # Diffie-Hellman parameter for DHE ciphersuites (generate it before enabling):
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam3072.pem 3072
    #ssl_dhparam /etc/ssl/certs/dhparam3072.pem;

    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_tickets off;

    # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1 or later;
    # on older builds only TLSv1.2 will be negotiated.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # OCSP Stapling - fetch OCSP records from the URL in ssl_certificate and cache them.
    # A resolver is required so nginx can look up the OCSP responder.
    ssl_stapling        on;
    ssl_stapling_verify on;
    resolver            1.0.0.1 9.9.9.9 valid=300s;
    resolver_timeout    5s;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # Enable it once HTTPS is known to work: browsers will then refuse plain HTTP for this host.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # Upload size limit; increase it if you need to.
    client_max_body_size 200M;

    # No Robots
    location = /robots.txt {
        return 200 "User-agent: *\nDisallow: /";
    }

    location / {
        proxy_pass http://backend/;
        # WebSocket support: Rocket.Chat's realtime connection needs the Upgrade handshake
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This server block only serves HTTPS, so tell Rocket.Chat the client
        # scheme was https ($scheme), not the plain http used towards the upstream.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}

Adjust it to your needs, but leave the three lines ssl_certificate, ssl_trusted_certificate and ssl_certificate_key commented out for now: the certificate files do not exist yet and nginx will not start without them. For more information see the Nginx documentation. For sound TLS sample configurations use the Mozilla SSL Configuration Generator.
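Before linking the server block in, it is worth checking the adjusted file for the mistakes that are easy to make in it. The script below is an added example, not part of this wiki or of the Rocket.Chat project: a small lint that flags obsolete TLS protocols, an X-Forwarded-Proto hard-coded to http, a missing (or still commented out) HSTS header, OCSP stapling without a resolver, and an error_log pointed at an access-log file name. The two configuration files it runs against are constructed samples (the host name chat.example.com is an assumption); in practice you point it at /etc/nginx/sites-available/<example.com>.

```sh
#!/bin/sh
# Added example, not part of the wiki or the Rocket.Chat project: a small lint
# for an nginx server block that terminates TLS in front of Rocket.Chat. It
# flags the settings a reviewer would check in the configuration above.
# Usage: check_nginx_conf /etc/nginx/sites-available/example.com
# One finding per output line; the return value is the number of findings,
# so 0 means the file passed every check.

check_nginx_conf() {
    conf="$1"
    findings=0
    # Drop comments first, so a commented-out directive (like the HSTS line in
    # the wiki's config) counts as absent rather than present.
    text=$(sed 's/#.*$//' "$conf")
    has() { printf '%s\n' "$text" | grep -Eq "$1"; }

    # SSLv3, TLSv1 and TLSv1.1 are obsolete; only TLSv1.2+ should be offered.
    if has 'ssl_protocols[^;]*(SSLv3|TLSv1(\.1)?)[[:space:];]'; then
        echo "ssl_protocols offers a protocol older than TLSv1.2"
        findings=$((findings + 1))
    fi
    # Rocket.Chat learns from this header whether the client used HTTPS, so it
    # must not be hard-coded to http behind a TLS-terminating proxy.
    if has 'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+http[[:space:]]*;'; then
        echo 'X-Forwarded-Proto is hard-coded to http; use $scheme (or https)'
        findings=$((findings + 1))
    fi
    # Without HSTS the first plain-HTTP request can be intercepted before the
    # browser ever sees the 301 redirect.
    if ! has 'add_header[[:space:]]+Strict-Transport-Security'; then
        echo "no active Strict-Transport-Security header"
        findings=$((findings + 1))
    fi
    # OCSP stapling needs a resolver to look up the OCSP responder.
    if has 'ssl_stapling[[:space:]]+on' && ! has '(^|[[:space:]])resolver[[:space:]]'; then
        echo "ssl_stapling is on but no resolver is configured"
        findings=$((findings + 1))
    fi
    # error_log pointed at a file named *access* quietly mixes the two logs.
    if has 'error_log[[:space:]]+[^;]*access[^;]*;'; then
        echo "error_log points at an access log file; set access_log and error_log separately"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples for the demonstration (not real deployments): the first
# repeats the mistakes the lint looks for, the second is the corrected form.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
WEAK_CONF="$tmpdir/weak.conf"
FIXED_CONF="$tmpdir/fixed.conf"
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    server_name chat.example.com;
    error_log /var/log/nginx/rocketchat.access.log;
    ssl_certificate     /etc/letsencrypt/live/chat.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
    location / {
        proxy_pass http://backend/;
        proxy_set_header X-Forwarded-Proto http;
    }
}
EOF
cat > "$FIXED_CONF" <<'EOF'
server {
    listen 443 ssl http2;
    server_name chat.example.com;
    access_log /var/log/nginx/rocketchat.access.log;
    error_log  /var/log/nginx/rocketchat.error.log;
    ssl_certificate     /etc/letsencrypt/live/chat.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.0.0.1 9.9.9.9 valid=300s;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
    location / {
        proxy_pass http://backend/;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF

for f in "$WEAK_CONF" "$FIXED_CONF"; do
    echo "== $f"
    check_nginx_conf "$f" && echo "clean" || echo "$? finding(s)"
done
```

The lint is deliberately line-oriented: it strips comments and greps for directives, which is enough for a hand-written server block like the one above but is not a full nginx parser (an add_header inside a location, for instance, replaces the server-level headers, and the script does not model that). Run it after each edit and again after uncommenting the certificate lines.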

Run sudo ln -s /etc/nginx/sites-available/<example.com> /etc/nginx/sites-enabled/<example.com> to link the server block file into the sites-enabled directory so nginx will load it.

Run sudo rm /etc/nginx/sites-enabled/default to remove the default server block, which would otherwise compete with yours for port 80.

Test your configuration with sudo nginx -t. If it complains that no ssl_certificate is defined for the listen ... ssl directive, comment out the two listen 443 lines as well for now and restore them together with the certificate lines once the certificate exists. If all went well you can now restart nginx and obtain your SSL certificates.

sudo systemctl restart nginx
sudo certbot --nginx certonly

After answering some questions to certbot your new SSL certificates should be ready. See https://certbot.eff.org/lets-encrypt/debianstretch-nginx for more information.

Run sudo nano /etc/nginx/sites-available/<example.com> again and uncomment the ssl_certificate, ssl_trusted_certificate and ssl_certificate_key lines. Then restart nginx again.

sudo systemctl restart nginx

Test your installation

Now point your browser to https://<example.com> to access your Rocket.Chat server. A request to plain http://<example.com> should answer with a 301 redirect to the https:// URL.
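A browser check only shows that the page loads; it does not show whether the redirect, the security headers, the protocol floor and OCSP stapling behave as configured. The script below is an added example, not part of this wiki or of the Rocket.Chat project. Its two check functions parse captured response headers and are demonstrated on constructed samples (the host name chat.example.com is an assumption); probe_live runs the same checks plus two openssl handshakes against a real host and assumes curl and openssl are installed on the machine you run it from.

```sh
#!/bin/sh
# Added example, not from the wiki or the Rocket.Chat project: post-deployment
# checks for the reverse proxy. The two check_* functions parse captured
# response headers and are demonstrated on constructed samples below;
# probe_live runs them against a real host and assumes curl and openssl are
# installed where you run it. Usage: sh check_proxy.sh chat.example.com
# (the script name and host are assumptions, not from the wiki).

# Return 0 when a plain-HTTP response is a 301 whose Location is an https:// URL.
check_redirect() {
    printf '%s\n' "$1" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 301' || return 1
    printf '%s\n' "$1" | grep -Eiq '^Location: https://' || return 1
    return 0
}

# Print each expected security header that is missing from an HTTPS response;
# the return value is how many are missing (0 = all present).
check_security_headers() {
    missing=0
    for h in Strict-Transport-Security X-Frame-Options X-Content-Type-Options; do
        if ! printf '%s\n' "$1" | grep -Eiq "^$h:"; then
            echo "missing header: $h"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

probe_live() {
    host="$1"
    http_headers=$(curl -sS -I --max-time 10 "http://$host/")
    https_headers=$(curl -sS -I --max-time 10 "https://$host/")
    if check_redirect "$http_headers"; then echo "HTTP -> HTTPS redirect: ok"
    else echo "HTTP -> HTTPS redirect: FAILED"; fi
    check_security_headers "$https_headers" && echo "security headers: ok"
    # ssl_protocols TLSv1.2 TLSv1.3 means a TLS 1.1 handshake must be refused.
    if openssl s_client -connect "$host:443" -servername "$host" -tls1_1 </dev/null >/dev/null 2>&1; then
        echo "TLS 1.1 accepted: FAILED"
    else
        echo "TLS 1.1 refused: ok"
    fi
    # With ssl_stapling on, the handshake should carry an OCSP response. nginx
    # fetches it lazily, so the first connection after a restart may lack it.
    if openssl s_client -connect "$host:443" -servername "$host" -status </dev/null 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'; then
        echo "OCSP stapling: ok"
    else
        echo "OCSP stapling: no stapled response yet"
    fi
}

# Constructed samples (what curl -I prints for a correct setup); HTTP/2
# responses carry lower-case header names, hence the case-insensitive greps.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://chat.example.com/
Connection: keep-alive'

SAMPLE_HTTPS='HTTP/2 200
server: nginx
strict-transport-security: max-age=15768000; includeSubDomains
x-frame-options: DENY
x-content-type-options: nosniff
content-type: text/html; charset=utf-8'

# The same response when the HSTS line is still commented out in nginx.
SAMPLE_HTTPS_NO_HSTS='HTTP/2 200
server: nginx
x-frame-options: DENY
x-content-type-options: nosniff'

check_redirect "$SAMPLE_HTTP" && echo "sample redirect: ok"
check_security_headers "$SAMPLE_HTTPS" && echo "sample headers: ok"
check_security_headers "$SAMPLE_HTTPS_NO_HSTS" || echo "sample without HSTS: $? missing"

if [ $# -gt 0 ]; then
    probe_live "$1"
fi
```

Run it from a machine outside the Pi's LAN if you can, so the checks go through the same path your users take. The missing-HSTS sample is what you will see until the Strict-Transport-Security line in the server block is uncommented.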
