12. API service changes for Nginx - bohdanabadi/doroha-simulator GitHub Wiki

Api Service Changes for Nginx

Nginx Configuration

Let's connect to our server via ssh and create a server block configuration with:

sudo nano /etc/nginx/sites-available/api.bohdanabadi.com

This creates the configuration file; enter the following configuration:

server {
    listen 80;
    server_name api.bohdanabadi.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.bohdanabadi.com;

    ssl_certificate /etc/letsencrypt/live/api.bohdanabadi.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.bohdanabadi.com/privkey.pem;

    location / {
        proxy_pass http://localhost:8081;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

The first block redirects any HTTP request to HTTPS; the second block listens on port 443 (HTTPS) and uses the certificate and private key created in our earlier tutorial. Remember that we obtained the api certificate with certbot's standalone authenticator, which binds port 80 itself. Now that Nginx occupies port 80, renewal would fail, so we need to reconfigure renewal for the api certificate as described in the Certbot configuration section below.

After we are done we need to create a symbolic link in sites-enabled. We can use the following command:

sudo ln -s /etc/nginx/sites-available/api.bohdanabadi.com /etc/nginx/sites-enabled/

Certbot configuration

To renew certificates without a port conflict, delete the existing certificate:

sudo certbot delete --cert-name api.bohdanabadi.com

then re-obtain one with the nginx authenticator, which uses the running Nginx server block instead of binding port 80 itself:

sudo certbot --nginx -d api.bohdanabadi.com

We can confirm that renewal will use the nginx authenticator by opening the renewal configuration:

sudo nano /etc/letsencrypt/renewal/api.bohdanabadi.com.conf

and checking that it contains authenticator = nginx. Finally, test renewal with:

sudo certbot renew --dry-run

Note that certbot automatically modifies both the default and our specific server block configuration. I had to remove most of the configuration certbot added, but kept the following:

 include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

These lines aren't necessary for obtaining and renewing Let's Encrypt certificates themselves, but they are crucial for the secure configuration of the SSL/TLS on your server once the certificates have been obtained.

The include /etc/letsencrypt/options-ssl-nginx.conf; line includes a set of pre-configured settings from Certbot that adjust your server to use secure protocols and cipher suites when establishing SSL/TLS connections. This doesn't affect certificate renewal, but it does affect the security of the connections using those certificates.

Similarly, ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; sets the Diffie-Hellman parameters, which are used in the secure key exchange between the server and the client. This is also not necessary for certificate renewal, but is a recommended security measure for connections that use the certificate.

Go API Modification

We also need to make sure our CORS configuration is correct: all frontend requests will originate from https://www.traffic.bohdanabadi.com, as mentioned in the previous wiki page.

corsConfig := cors.DefaultConfig()
corsConfig.AllowOrigins = []string{"https://www.traffic.bohdanabadi.com"}
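As an added example (not the project's code), here is the allowlist behaviour behind the two lines above, written against the standard library rather than gin-contrib/cors so it runs stand-alone; the /health route and the allowed-methods list are this example's own choices.

```go
package main

import (
	"fmt"
	"net/http"
)

// allowedOrigins mirrors corsConfig.AllowOrigins on this page: the frontend's
// exact origin only, never a wildcard.
var allowedOrigins = map[string]bool{
	"https://www.traffic.bohdanabadi.com": true,
}

// corsMiddleware is a standard-library stand-in for what gin-contrib/cors does
// with that config. A request whose Origin is outside the allowlist is refused
// server-side: the browser would block the response anyway, but this is defence in depth.
func corsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" { // same-origin or non-browser client: CORS not involved
			next.ServeHTTP(w, r)
			return
		}
		if !allowedOrigins[origin] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin) // echo the exact match, never "*"
		w.Header().Set("Vary", "Origin")                      // stop shared caches mixing origins
		w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS")
		w.Header().Set("Access-Control-Allow-Headers", "Origin, Content-Length, Content-Type")
		if r.Method == http.MethodOptions { // preflight: answered here, handler not run
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newAPI wraps a placeholder /health route (hypothetical) in the middleware.
func newAPI() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
	return corsMiddleware(mux)
}

func main() {
	// Nginx proxies to localhost:8081, so bind loopback only: the plain-HTTP listener must not be reachable from outside the host.
	http.ListenAndServe("127.0.0.1:8081", newAPI())
}
```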

In addition, because the API no longer serves HTTPS directly (Nginx terminates TLS and proxies to port 8081), the API binary no longer needs permission to bind a privileged port, so we should remove the following step from our api-deploy.yml file.

REMOVE

# Enable binding our app to lower ports
ssh ${{ secrets.USERNAME }}@165.22.233.166 "sudo setcap 'cap_net_bind_service=+ep' ${{ secrets.APP_DIRECTORY }}/traffic-simulation-api"

Reload Nginx and test

Finally, reload nginx with sudo systemctl reload nginx, then open a browser and visit traffic.bohdanabadi.com or www.traffic.bohdanabadi.com to check that everything works.