Proxy server_Applying ssl certificates_Nginx proxy server - SomethingWithHorizons/mailserver GitHub Wiki
1. Generate a `dhparam.pem` file, required to set up SSL connections:

   ```sh
   openssl dhparam -out /etc/nginx/dhparam.pem 2048
   ```

   💡 Grab a cup of coffee, this can take a while (how long depends on your CPU power).

   ℹ️ Please see: dhparam.pem specific information and/or keyless-ssl details.
2. Create `/etc/nginx/ssl_params`:

   ```nginx
   # Path to the PUBLIC and PRIVATE KEYS to enable SSL connections to this server:
   ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

   # SSL PROTOCOLS TO USE (the ones still considered safe):
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

   # Specify that server ciphers should be preferred over client ciphers:
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:10m;

   # Specify the file with DH parameters for DHE ciphers (made in step 1):
   ssl_dhparam dhparam.pem;
   ```

   ⚠️ Replace `example.org` with your domain (2x).
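As an added check that is not part of the wiki (example code, not the project's own), the following Python snippet lints an `ssl_params` file like the one above before you reload nginx: it flags the TLSv1 and TLSv1.1 versions the snippet still lists (both deprecated by RFC 8996), `example.org` placeholders that were not replaced, a missing `ssl_dhparam`, and `ssl_prefer_server_ciphers` not being `on`. The sample input is the page's own snippet, embedded inline as a constructed string.

```python
# Constructed sample: the ssl_params content from the page, verbatim.
SAMPLE_SSL_PARAMS = """
# Path to the PUBLIC and PRIVATE KEYS to enable SSL connections to this server:
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam dhparam.pem;
"""

# SSLv3 and earlier are long gone; TLS 1.0 and 1.1 were deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Return [(name, [args]), ...] for one-line 'name arg ...;' directives.

    '#' comments are stripped and block directives ({ }) are skipped, which
    is enough for a flat include file such as ssl_params.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";"):
            parts = line[:-1].split()
            if parts:
                directives.append((parts[0], parts[1:]))
    return directives


def lint_ssl_params(text, placeholder="example.org"):
    """Return a list of finding strings; an empty list means nothing flagged."""
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)
    findings = []
    for args in by_name.get("ssl_protocols", []):
        weak = sorted(set(args) & DEPRECATED_PROTOCOLS)
        if weak:
            findings.append("deprecated protocols enabled: " + ", ".join(weak))
    # The page says to replace example.org twice: check both directives.
    for name in ("ssl_certificate", "ssl_certificate_key"):
        for args in by_name.get(name, []):
            if any(placeholder in a for a in args):
                findings.append(f"{name} still uses placeholder {placeholder}")
    if "ssl_dhparam" not in by_name:
        findings.append("ssl_dhparam missing; the DHE ciphers in ssl_ciphers need it")
    if by_name.get("ssl_prefer_server_ciphers", [["off"]])[0] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    return findings
```

Run against the unedited snippet, `lint_ssl_params(SAMPLE_SSL_PARAMS)` returns three findings (the deprecated protocols and the two placeholder paths); once `example.org` is replaced and only TLSv1.2 remains in `ssl_protocols`, it returns an empty list.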
3. Create a new default vhost for HTTPS connections, `/etc/nginx/sites-enabled/default-https`:

   ```nginx
   server {
       listen 443 ssl http2 default_server;
       include ssl_params;

       location / {
           root /var/www/html;
           index index.nginx-debian.html;
       }
   }
   ```
4. Create a new vhost for webmail, `/etc/nginx/sites-enabled/webmail`:

   ```nginx
   server {
       listen 80;
       include letsencrypt_params;

       server_name webmail.example.org;

       location / {
           return 301 https://$host$request_uri;
       }
   }

   server {
       listen 443 ssl http2;
       include ssl_params;
       server_name webmail.example.org;

       location / {
           include proxy_params;
           proxy_pass http://<WEBMAIL IP>:80;
       }
   }
   ```

   ⚠️ Replace `example.org` with your domain (2x).

   ⚠️ Replace `<WEBMAIL IP>` with the IP of your webmail server/container/VM.

   💡 Repeat this step for each HTTP/HTTPS service to be hosted.
5. Reload the nginx service to apply the changes:

   ```sh
   service nginx reload
   ```