Introduction

Over the years, solutions for protecting websites have multiplied in response to an unprecedented rise in cybercrime. The importance of securing a website can be understood from the fact that, with the release of Chrome 68, Chrome will start marking any website without an SSL certificate as insecure.

Having an SSL certificate ensures that your visitors' sensitive data is transferred over an encrypted connection. Despite this, many end users and organizations delayed adoption because of the price of certificates and the complexity of implementation. Today, getting an SSL certificate is much easier because initiatives like Let's Encrypt provide them for free and have made installation super simple. You can follow my previous article for the steps to set up Let's Encrypt and get an SSL certificate for your website.

Use-Case scenario:

In my previous article, I explained how you can use Let's Encrypt to set up SSL for your application. What if you are hosting multiple applications on the same server and would like to use the same certificate for all of them? This can be achieved by adding multiple server blocks in the conf files under sites-available.

In this example, I have three applications running as containers on my machine.

  • jenkins listening on port 8081
  • docker registry on port 5000
  • docker registry ui on port 8080

1.) First, get a Let's Encrypt certificate for your domain using the steps explained in this article.

2.) In the previous article we used “listen 443”, which handles all incoming requests on port 443, and then used proxy_redirect and a 301 to move the request permanently to the desired URL.

3.) Now, to use SSL for multiple ports, we can put multiple server blocks in the same file, but I prefer creating a separate conf file per application. This makes the configurations easier to manage, and I can edit the file for a specific application whenever it changes in the future.

4.) I created three files as below under /etc/nginx/sites-available and then created a soft link for each under the sites-enabled folder.

5.) I kept the content as follows. Notice that I am listening on port 8446 for Jenkins and using proxy_pass to route it to port 8081; similarly, I am listening on port 8445 and routing to port 5000 for the docker-reg container.


<Jenkins.conf>

server {
    listen 8446 http2 ssl;
    server_name blog-test-vm.eastus2.cloudapp.azure.com;
    # Both directives point at the same file, so access and error lines are interleaved;
    # give error_log its own file in production.
    access_log /var/log/nginx/blog-test-vm.eastus2.cloudapp.azure.com;
    error_log /var/log/nginx/blog-test-vm.eastus2.cloudapp.azure.com;

    location /.well-known/acme-challenge/ {
        root /var/www/html/test; # Temp for generating letsencrypt
        default_type text/plain;
    }

    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Fix the “It appears that your reverse proxy set up is broken” error.
        proxy_pass http://127.0.0.1:8081;
        proxy_read_timeout 90;
        # Rewrite Location headers that Jenkins emits for its own address back to the
        # public https URL on this port; a plain http:// target would send clients to
        # port 80, which only knows how to redirect to port 443.
        proxy_redirect http://127.0.0.1:8081 https://blog-test-vm.eastus2.cloudapp.azure.com:8446/;

        # Required for new HTTP-based CLI
        proxy_http_version 1.1;
        proxy_request_buffering off;
    }

    ssl_certificate /etc/letsencrypt/live/blog-test-vm.eastus2.cloudapp.azure.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog-test-vm.eastus2.cloudapp.azure.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Plain-http listener that redirects to https. Only one server block per
# (port, server_name) pair is needed; if the same block is repeated in another
# file, nginx logs a "conflicting server name" warning and keeps the first copy.
server {
    if ($host = blog-test-vm.eastus2.cloudapp.azure.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name blog-test-vm.eastus2.cloudapp.azure.com;
    return 404; # managed by Certbot
}

<Docker-Reg.conf>

server {
    listen 8445 http2 ssl;
    server_name blog-test-vm.eastus2.cloudapp.azure.com;
    # Same log file as Jenkins.conf and same file for access and error lines;
    # separate them in production so the two applications can be told apart.
    access_log /var/log/nginx/blog-test-vm.eastus2.cloudapp.azure.com;
    error_log /var/log/nginx/blog-test-vm.eastus2.cloudapp.azure.com;

    location /.well-known/acme-challenge/ {
        root /var/www/html/test; # Temp for generating letsencrypt
        default_type text/plain;
    }

    location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Fix the “It appears that your reverse proxy set up is broken” error.
        proxy_pass http://127.0.0.1:5000;
        proxy_read_timeout 90;
        # Rewrite the registry's own address in Location headers to the public
        # https URL on this port rather than to plain http on port 80.
        proxy_redirect http://127.0.0.1:5000 https://blog-test-vm.eastus2.cloudapp.azure.com:8445/;

        # Required for new HTTP-based CLI (copied from the Jenkins block). Turning
        # request buffering off also lets image layers stream straight to the registry;
        # note that nginx's default client_max_body_size of 1m will still reject larger
        # layer uploads with a 413 unless it is raised for this location.
        proxy_http_version 1.1;
        proxy_request_buffering off;
    }

    ssl_certificate /etc/letsencrypt/live/blog-test-vm.eastus2.cloudapp.azure.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog-test-vm.eastus2.cloudapp.azure.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# Duplicate of the port-80 block in Jenkins.conf (same port, same server_name).
# nginx warns "conflicting server name" and ignores this copy, so it can be removed.
server {
    if ($host = blog-test-vm.eastus2.cloudapp.azure.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name blog-test-vm.eastus2.cloudapp.azure.com;
    return 404; # managed by Certbot
}
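Keeping one conf file per application makes it easy to end up with the same Certbot port-80 block in several files, and copy-pasted proxy_redirect lines are easy to leave pointing at http://. The following is an added example (not code from the original article) of a small pre-flight checker: it parses every conf file handed to it, reports any (port, server_name) pair declared more than once, and flags proxy_redirect targets that send clients back to plaintext. The sample files it runs on are constructed for the example and use the placeholder host example.invalid rather than the article's real host.

```python
import re
from collections import defaultdict

# Constructed sample files (example data, not the article's real configs) that mirror the
# layout above: one TLS server per application plus a copy of the Certbot port-80 block in each.
SAMPLE_CONFS = {
    "Jenkins.conf": """
server {
    listen 8446 http2 ssl;
    server_name example.invalid;   # placeholder host
    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_redirect http://127.0.0.1:8081 http://example.invalid/;   # plaintext target
    }
}
server {
    if ($host = example.invalid) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name example.invalid;
    return 404;
}
""",
    "Docker-Reg.conf": """
server {
    listen 8445 http2 ssl;
    server_name example.invalid;
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_redirect http://127.0.0.1:5000 https://example.invalid:8445/;
    }
}
server {
    listen 80;
    server_name example.invalid;
    return 301 https://$host$request_uri;
}
""",
}


def tokenize(text):
    """Split nginx config text into tokens; '#' comments are dropped first."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{};]|\"[^\"]*\"|'[^']*'|[^\s{};\"']+", text)


def parse(tokens, i=0):
    """Recursive-descent parse into (name, args, children) triples. children is None for a
    simple directive and a list for a block. Returns (directives, index of the closing brace)."""
    out, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if words:
                out.append((words[0], words[1:], None))
            words = []
        elif tok == "{":
            children, i = parse(tokens, i + 1)
            out.append((words[0], words[1:], children))
            words = []
        elif tok == "}":
            return out, i
        else:
            words.append(tok)
        i += 1
    return out, i


def walk(directives):
    """Yield every directive in the tree, depth first (used to reach nested locations)."""
    for d in directives:
        yield d
        if d[2]:
            yield from walk(d[2])


def lint(confs):
    """confs maps file name -> text. Returns a list of human-readable findings."""
    listeners = defaultdict(list)   # (port, server_name) -> files that declare it
    findings = []
    for fname, text in confs.items():
        tree, _ = parse(tokenize(text))
        for name, _args, body in tree:
            if name != "server" or body is None:
                continue
            # 'listen [addr:]port [params]' -> keep only the port part of the first argument
            ports = [a[0].rsplit(":", 1)[-1] for n, a, _ in body if n == "listen" and a]
            names = [s for n, a, _ in body if n == "server_name" for s in a] or [""]
            for port in ports:
                for sn in names:
                    listeners[(port, sn)].append(fname)
            for n, a, _ in walk(body):
                if n == "proxy_redirect" and len(a) == 2 and a[1].startswith("http://"):
                    findings.append(f"{fname}: proxy_redirect rewrites Location to plaintext {a[1]}")
    for (port, sn), files in listeners.items():
        if len(files) > 1:
            findings.append(f"conflicting server_name {sn!r} on port {port} in {', '.join(files)}; "
                            "nginx warns and ignores every copy after the first")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFS):
        print(line)
```

To run it against a live box, build the dict from the real files, for example `{p.name: p.read_text() for p in Path("/etc/nginx/sites-enabled").iterdir()}`, before running `nginx -t`. The parser is deliberately minimal (no include expansion, no variable evaluation), so treat it as a pre-flight check that explains nginx's warnings, not as a replacement for `nginx -t`.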

6.) Restart or reload nginx using systemctl restart nginx or systemctl reload nginx.

7.) Confirm you can reach these sites over https:
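As an added example of what "confirm" can mean in practice (this is not code from the original article), the script below opens a verified TLS connection to each application port from the configs above, reports the negotiated protocol version, whether h2 was selected, the certificate's remaining lifetime and its SAN entries, and then checks that port 80 answers with a redirect to https instead of serving content. The host name and port numbers are the ones the article uses; days_until_expiry takes an injectable clock so the arithmetic can be checked without a network.

```python
import http.client
import socket
import ssl
import time

# Host name and ports from the article's configs.
HOST = "blog-test-vm.eastus2.cloudapp.azure.com"
TLS_PORTS = {"jenkins": 8446, "docker-registry": 8445}


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, from the 'notAfter' string that getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2030 GMT'. 'now' (epoch seconds) is injectable for testing."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def redirect_is_https(status, location, host):
    """True only if the plain-http listener answers with a redirect to https on the same host."""
    return status in (301, 302, 307, 308) and location.startswith("https://" + host)


def check_tls(host, port, timeout=5.0):
    """Open a verified TLS connection and report what was negotiated.
    create_default_context() validates the chain against the system trust store and
    checks the host name, so a self-signed, expired or mismatched cert raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])   # shows whether the http2 listen flag took effect
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "alpn": tls.selected_alpn_protocol(),
                "days_left": days_until_expiry(cert["notAfter"]),
                "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            }


def check_http_redirect(host, timeout=5.0):
    """Fetch / on port 80 without following redirects and classify the answer."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        location = resp.getheader("Location", "")
        return resp.status, location, redirect_is_https(resp.status, location, host)
    finally:
        conn.close()


if __name__ == "__main__":
    for name, port in TLS_PORTS.items():
        try:
            info = check_tls(HOST, port)
            print(f"{name} :{port} -> {info['protocol']} alpn={info['alpn']} "
                  f"expires in {info['days_left']:.0f} days, SANs={info['dns_names']}")
        except (ssl.SSLError, OSError) as exc:
            print(f"{name} :{port} -> FAILED: {exc}")
    status, location, ok = check_http_redirect(HOST)
    print(f"port 80 -> {status} {location} ({'ok' if ok else 'not an https redirect'})")
```

A failure in check_tls is informative on its own: a certificate-verify error means the chain served on that port is not the Let's Encrypt fullchain.pem, a host-name mismatch means the SAN does not cover the name you typed, and alpn=None means the http2 parameter on the listen line is not in effect.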