From d283071e7e4b8de94d514f0c1460ffa75f1899ff Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Fri, 10 Dec 2021 22:55:54 +0000
Subject: [PATCH]

---
 .../ayanova/docs/ops-install-linux-server.md | 79 +++++++++++++++++--
 1 file changed, 74 insertions(+), 5 deletions(-)

diff --git a/docs/8.0/ayanova/docs/ops-install-linux-server.md b/docs/8.0/ayanova/docs/ops-install-linux-server.md
index 01338a8f..e4055b8d 100644
--- a/docs/8.0/ayanova/docs/ops-install-linux-server.md
+++ b/docs/8.0/ayanova/docs/ops-install-linux-server.md
@@ -274,7 +274,7 @@ A static IP address is **required** to host AyaNova on the internet. If you have
 ##### Registered domain name
-An internet domain name is required to get an SSL certificate for secure encrypted communications between the AyaNova server and the end user across the internet. An entry will need to be made in your DNS record for your domain to provide a name to access the AyaNova server and it must point to the static IP address of your router or server. If the only service on your domain will be AyaNova then you can use the root domain name i.e. `example.com` or `www.example.com` but it's more common to use a subdomain specifically for AyaNova, i.e. `ayanova.example.com`.
+An internet domain name is required to get an SSL certificate for secure encrypted communications between the AyaNova server and the end user across the internet. An entry will need to be made in your DNS record for your domain to provide a name to access the AyaNova server and it must point to the static IP address of your router or server. If the only service on your domain will be AyaNova then you can use the root domain name i.e. `example.com` or `www.example.com` but it's more common to use a subdomain specifically for AyaNova, i.e. `ayanova.example.com`. This DNS record needs to be in place and active **before** proceeding and can take minutes to hours to propagate so be sure to do this as soon as possible.
@@ -374,6 +374,7 @@ Open the existing `default` config file in an editor, replace it's contents **en
 ```
 server {
 listen 80;
+ #server_name ayanova.example.com www.ayanova.example.com;
 location / {
 proxy_pass http://127.0.0.1:7575;
 proxy_http_version 1.1;
@@ -387,6 +388,8 @@ server {
 }
 ```
+Note that the server name is _intentionally_ commented out with a # symbol for now. In a later step you will uncomment it and replace the example domain with the one registered previously.
+
 In a later step the Lets Encrypt Certbot will automatically update this file with the correct settings for ongoing use, this is only the initial configuration to allow Lets Encrypt access.
 Confirm that NGINX sees the configuration as valid:
@@ -401,14 +404,80 @@ Restart NGINX so the new configuration takes effect:
 sudo systemctl restart nginx
 ```
-#### Confirm DNS is active
+#### Confirm DNS has propagated
+
 Confirm that you can now navigate to AyaNova web app login page through regular un-encrypted HTTP via the domain name configured earlier. i.e. `http://ayanova.yourdomain.com` or `http://yourdomain.com` if not using a subdomain.
+Once DNS has propagated and you see the AyaNova web app login page over unecrypted HTTP it's time for the next step.
+If DNS has propogated but you see an NGINX error page instead, confirm that AyaNova server is up and running and re-check the NGINX configuration.
-### Login to AyaNova web app
+### Add domain name to NGNIX config
-Open your web browser and navigate to the AyaNova server URL. Assuming the default port of 7575 is in use then the URL would be http://YOUR_AYANOVA_SERVER_IP_ADDRESS:7575
-The AyaNova login page should open and allow login.
+Open the NGINX config file previously modified again in your editor, remove the `#` symbol that is commenting out the `server_name` line and replace the server name `example.com` with your domain and or subdomain names previously registered, save and exit.
+
+### SSL Certificate through Lets Encrypt
+
+Install the Lets Encrypt Certbot application and it's NGINX handler at the server:
+
+```bash
+sudo apt install certbot python3-certbot-nginx
+```
+
+Request a certificate from Lets Encrypt for the domain or subdomains previously registered and set in the NGINX config file:
+
+```bash
+sudo certbot --nginx -d ayanova.example.com -d www.ayanova.example.com
+```
+
+(Each separate server name and dns record can be appended to the command line with `-d [YOUR_DOMAIN]`)
+
+Accept the prompts choose the option to redirect to https. Certbot will re-write the default config file to properly include the https ports and SSL certificates.
+
+The NGINX default config file will now have new entries looking something like this:
+
+```
+server {
+ server_name ayanova.example.com www.ayanova.example.com;
+ location / {
+ proxy_pass http://127.0.0.1:7575;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection keep-alive;
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/green.helloayanova.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/green.helloayanova.com/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = green.helloayanova.com) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name ayanova.example.com www.ayanova.example.com;
+ return 404; # managed by Certbot
+
+
+}
+```
+
+Certbot will also install a systemd timer event which will auto-renew the SSL certificate if it is within 30 days of expiration. Certificates are valid for 90 days currently with Let's Ecrypt.
+
+#### Confirm AyaNova can be access securely
+
+Confirm that you can now navigate to AyaNova web app login page through encrypted HTTPS via the domain name configured earlier. i.e. `https://ayanova.yourdomain.com` or `https://yourdomain.com` if not using a subdomain.
+
+You should now see the login page through an encrypted SSL connection and AyaNova is ready for use.
 ## Getting started and using AyaNova