|
| 1 | +# Custom Domains |
| 2 | +tbd |
| 3 | + |
| 4 | +### Content |
| 5 | +- [Let's go HTTPS](#prerequisites) |
| 6 | + |
| 7 | +## Let's go HTTPS with a reverse proxy |
| 8 | + |
| 9 | +To set custom domains correctly we need to have a domain and SSL certificates. |
| 10 | + |
| 11 | +We'll cover a basic **NGINX** configuration with **Let's Encrypt/certbot** on Linux-based systems, but you have the freedom to experiment with other methods and platforms. |
| 12 | + |
| 13 | +#### Prerequisites |
| 14 | +- a domain or a public hostname |
| 15 | +- install [nginx](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/) |
| 16 | +- install [certbot](https://certbot.eff.org/instructions?ws=nginx&os=pip) |
| 17 | +- possibility to add `CNAME` and `TXT` records |
| 18 | +- domain with an `A` record at your nginx host |
| 19 | + |
| 20 | + |
| 21 | +### Step 1: Create a nginx site for your SN instance |
| 22 | + |
| 23 | +Start creating a new site by editing `/etc/nginx/sites-available/your-domain.tld` with your editor of choice. |
| 24 | + |
| 25 | +<details><summary>A sample nginx site configuration to prepare for certbot</summary> |
| 26 | +Edit this configuration to match your configuration, you can have more domains. |
| 27 | + |
| 28 | +``` |
| 29 | +server { |
| 30 | + listen 80; |
| 31 | + listen [::]:80; |
| 32 | + server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld); |
| 33 | +
|
| 34 | + # for Let's Encrypt SSL issuance |
| 35 | + location /.well-known/acme-challenge/ { |
| 36 | + root /var/www/letsencrypt; |
| 37 | + try_files $uri =404; |
| 38 | + } |
| 39 | +} |
| 40 | +``` |
| 41 | +</details> |
| 42 | + |
| 43 | +after editing, send `sudo systemctl restart nginx` |
| 44 | + |
| 45 | +### Step 2: Get a certificate for your domains |
| 46 | +We can now get a certificate for your domain from Let's Encrypt/certbot. |
| 47 | + |
| 48 | +Edit the `-d` section to match your configuration. Every domain, sub-domain needs to have its own certificate. |
| 49 | + |
| 50 | +``` |
| 51 | +sudo certbot certonly \ |
| 52 | + --webroot -w /var/www/letsencrypt \ |
| 53 | + -d your-domain.tld (-d sub.your-domain.tld -d another.your-domain.tld) \ |
| 54 | + |
| 55 | + --agree-tos --no-eff-email \ |
| 56 | + --deploy-hook "systemctl reload nginx" |
| 57 | +``` |
| 58 | + |
| 59 | +If everything went smooth, we should now have a domain with a valid SSL certificate. |
| 60 | + |
| 61 | +### Step 3: Proxy everything to sndev! |
| 62 | + |
| 63 | +Let's go back to `/etc/nginx/sites-available/your-domain.tld` to add a SSL proxy for our sndev instance |
| 64 | + |
| 65 | +<details><summary>A sample nginx reverse proxy config</summary> |
| 66 | +Edit this configuration to match your configuration, you can have more domains. |
| 67 | + |
| 68 | +``` |
| 69 | +server { |
| 70 | + listen 80; |
| 71 | + listen [::]:80; |
| 72 | + server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld); |
| 73 | +
|
| 74 | + # for Let's Encrypt SSL issuance |
| 75 | + location /.well-known/acme-challenge/ { |
| 76 | + root /var/www/letsencrypt; |
| 77 | + try_files $uri =404; |
| 78 | + } |
| 79 | +
|
| 80 | + # 301 to HTTPS |
| 81 | + location / { |
| 82 | + return 301 https://$host$request_uri; |
| 83 | + } |
| 84 | +} |
| 85 | +
|
| 86 | +server { |
| 87 | + listen 443 ssl http2; |
| 88 | + listen [::]:443 ssl http2; |
| 89 | + server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld); |
| 90 | +
|
| 91 | + ssl_certificate /etc/letsencrypt/live/your-domain.tld/fullchain.pem; |
| 92 | + ssl_certificate_key /etc/letsencrypt/live/your-domain.tld/privkey.pem; |
| 93 | + include /etc/letsencrypt/options-ssl-nginx.conf; |
| 94 | + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; |
| 95 | +
|
| 96 | + # proxy everything to sndev |
| 97 | + location / { |
| 98 | + proxy_pass http://sndev-instance-ip:3000; |
| 99 | + proxy_http_version 1.1; |
| 100 | + proxy_set_header Upgrade $http_upgrade; |
| 101 | + proxy_set_header Connection "upgrade"; |
| 102 | + proxy_set_header Host $host; |
| 103 | + proxy_set_header X-Real-IP $remote_addr; |
| 104 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 105 | + proxy_set_header X-Forwarded-Proto $scheme; |
| 106 | + proxy_cache_bypass $http_upgrade; |
| 107 | + } |
| 108 | +
|
| 109 | + # optional security headers |
| 110 | + add_header X-Frame-Options "SAMEORIGIN"; |
| 111 | + add_header X-Content-Type-Options "nosniff"; |
| 112 | + add_header Referrer-Policy "no-referrer-when-downgrade"; |
| 113 | + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; |
| 114 | +} |
| 115 | +``` |
| 116 | +</details> |
| 117 | + |
| 118 | +### Step 4: Start sndev |
| 119 | +Make sure to change your environment variables such as `.env.local` from something like `http://localhost:3000` to `https://your-domain.tld` |
| 120 | + |
| 121 | +Start sndev with `./sndev start` and then navigate to your domain, you should see **Stacker News**! |
| 122 | + |
| 123 | +If not, go back and make sure that everything is correct, you can encounter any kind of errors and **Internet can be of help**. |
0 commit comments