Configure Nginx¶
Warning
Use Apache. Nginx is only used for bi.dream.gov.ua.
Allow HTTP/HTTPS traffic¶
Add to your server’s Pillar file:
nginx:
public_access: True
This will:
Open ports 80 (HTTP) and 443 (HTTPS)
Install the Nginx service
Install and configure the Certbot tool for acquiring Let’s Encrypt certificates
Add sites¶
You can configure a site with the default configuration or a custom configuration. Either case will end with:
Symlink the new file from the /etc/nginx/sites-enabled directory
Reload the Nginx service if the configuration changed
Note
To delete a virtual host, follow these instructions.
Default configuration¶
Add to your server’s Pillar file (under the nginx key, not the apache key, since this page configures Nginx):
nginx:
  public_access: True
  sites:
    mysite:
      include: default
      servername: myname.open-contracting.org
      serveraliases: ['myalias.open-contracting.org']
      context:
        mykey: myvalue
This will:
Create a /etc/nginx/sites-available/mysite.conf file that includes a /etc/nginx/sites-available/mysite.conf.include file, which, together, will:
Configure TLS certificates
Create virtual hosts serving ports 80 and 443
Set the virtual hosts’ servername and serveraliases, if any
Configure a HTTP to HTTPS permanent redirect
Add a Strict-Transport-Security header
Configure OCSP Stapling
Here, the /etc/nginx/sites-available/mysite.conf.include file is rendered from the salt/nginx/files/sites/default.conf.include template, with mykey available as a template variable.
Custom configuration¶
Instead, add to your server’s Pillar file (again under the nginx key):
nginx:
  public_access: True
  sites:
    mysite:
      configuration: mycustom
      servername: myname.open-contracting.org
      serveraliases: ['myalias.open-contracting.org']
      context:
        mykey: myvalue
This will:
Create a /etc/nginx/sites-available/mysite.conf file
Here, the /etc/nginx/sites-available/mysite.conf file is rendered from the salt/nginx/files/sites/mycustom.conf template, with servername, serveraliases and mykey available as template variables. There is no .conf.include file in this case, so the custom template must itself provide everything the default configuration would (TLS, redirect, HSTS, OCSP stapling).
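What such a custom template can look like, as an added illustration rather than the project’s own salt/nginx/files/sites/mycustom.conf: it reproduces the items the default configuration provides (port 80 and 443 virtual hosts, server names and aliases, HTTP to HTTPS redirect, Strict-Transport-Security, OCSP stapling) and uses mykey as the document root. It assumes Salt renders the file as a Jinja template with servername, serveraliases and the Pillar context keys exposed as top-level variables, that Certbot has already written the certificate under /etc/letsencrypt/live/, and that 127.0.0.53 (the systemd-resolved stub) is a usable resolver on the host; adjust the last two to your server.

```jinja
{# Added example of a custom site template; not the deploy repository's own file. #}
{# Assumes: Jinja rendering by Salt with `servername`, `serveraliases` and the     #}
{# Pillar `context` keys (here `mykey`) as top-level variables.                     #}

# Port 80: serve ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name {{ servername }}{% for alias in serveraliases %} {{ alias }}{% endfor %};

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumption: the webroot Certbot is pointed at
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the actual site.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name {{ servername }}{% for alias in serveraliases %} {{ alias }}{% endfor %};

    # Certbot's default layout for a certificate obtained with -d {{ servername }}.
    ssl_certificate     /etc/letsencrypt/live/{{ servername }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ servername }}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # OCSP stapling: Nginx fetches and caches the OCSP response and sends it in
    # the handshake, so clients need not contact the CA's responder themselves.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ servername }}/chain.pem;
    resolver 127.0.0.53 valid=300s;  # assumption: systemd-resolved stub resolver

    # HSTS, sent only over HTTPS; `always` also attaches it to error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # `mykey` comes from the Pillar `context` mapping; used here as the web root.
    root {{ mykey }};
    index index.html;
}
```

Because the certificate paths are referenced unconditionally, Nginx will refuse to start until the files exist; deploy the site, run Certbot, and then reload, in that order.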
Acquire SSL certificates¶
If the server name is new, you must:
Deploy the server, if not already done.
Acquire SSL certificates, replacing DOMAIN:
certbot --nginx -d DOMAIN
Attention
If you run Certbot before the domain’s DNS records have propagated, each attempt fails validation and counts toward Let’s Encrypt’s Failed Validation rate limit. Check that DOMAIN resolves to the server’s public address before running the command.
The service should now be available at its https:// web address. Certbot will auto-renew the certificates.
Tip
If you need to test the acquisition of certificates, use Let’s Encrypt’s staging environment (Certbot’s --staging option). It has much higher rate limits, but the certificates it issues are not trusted by browsers, so repeat the request against production once it succeeds.
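A wrapper for the certificate step above, as an added example that is not part of the deploy repository: it refuses to call Certbot until DOMAIN resolves to the server’s expected public IPv4 address, so a premature run cannot count against the Failed Validation limit, and it can target the staging environment for testing. The domain and address 203.0.113.10 in the usage line are placeholders; the resolver lookup uses getent, so the check reflects what this host actually sees.

```sh
#!/bin/sh
# Added example, not the deploy repository's own script. Wraps
# `certbot --nginx -d DOMAIN` with a DNS-propagation check so that a run
# made too early cannot burn Let's Encrypt's Failed Validation rate limit.
# Pass "staging" as the third argument to use Let's Encrypt's staging
# environment (certbot --staging), which issues untrusted test certificates.
set -eu

# resolve_ipv4 DOMAIN: print the first IPv4 address DOMAIN resolves to, or
# nothing if it does not resolve. Uses the system resolver via getent.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# dns_matches DOMAIN EXPECTED_IP: succeed only if DOMAIN resolves to EXPECTED_IP.
dns_matches() {
    resolved="$(resolve_ipv4 "$1")"
    [ -n "$resolved" ] && [ "$resolved" = "$2" ]
}

# wait_for_dns DOMAIN EXPECTED_IP ATTEMPTS SECONDS: poll until dns_matches
# succeeds, sleeping SECONDS between attempts; fail after ATTEMPTS tries.
wait_for_dns() {
    i=0
    while [ "$i" -lt "$3" ]; do
        if dns_matches "$1" "$2"; then
            return 0
        fi
        i=$((i + 1))
        echo "DNS for $1 does not yet point at $2 (attempt $i/$3)" >&2
        sleep "$4"
    done
    return 1
}

# acquire_cert DOMAIN EXPECTED_IP [staging]: run Certbot only after DNS has
# propagated. Up to 10 attempts, 30 s apart, before giving up without calling
# Certbot at all (so no failed validation is recorded).
acquire_cert() {
    domain="$1"; expected="$2"; env="${3:-production}"
    if ! wait_for_dns "$domain" "$expected" 10 30; then
        echo "Giving up: $domain does not resolve to $expected; not calling certbot." >&2
        return 1
    fi
    if [ "$env" = "staging" ]; then
        certbot --nginx --staging -d "$domain"
    else
        certbot --nginx -d "$domain"
    fi
}

# Usage: sh acquire_cert.sh myname.open-contracting.org 203.0.113.10 [staging]
# (placeholder domain and address; substitute your own)
if [ "$#" -ge 2 ]; then
    acquire_cert "$@"
fi
```

Run it with the staging argument first; once that succeeds, run it again without the argument to obtain the production certificate, which Certbot will then renew automatically.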