Configure Nginx

Warning

Use Apache. Nginx is only used for bi.dream.gov.ua.

Allow HTTP/HTTPS traffic

Add to your service’s Pillar file:

nginx:
  public_access: True

This will:

  • Open ports 80 (HTTP) and 443 (HTTPS)

  • Install the Nginx service

  • Install and configure the Certbot tool for acquiring Let’s Encrypt certificates

Add sites

You can configure a site with either the default configuration or a custom configuration. In either case, the state will then:

  • Create a symlink to the new file in the /etc/nginx/sites-enabled directory

  • Reload the Nginx service if the configuration changed

Note

To delete a virtual host, follow these instructions.

Default configuration

Add to your service’s Pillar file:

nginx:
  public_access: True
  sites:
    mysite:
      include: default
      servername: myname.open-contracting.org
      serveraliases: ['myalias.open-contracting.org']
      context:
        mykey: myvalue

This will:

  • Create a /etc/nginx/sites-available/mysite.conf file that includes a /etc/nginx/sites-available/mysite.conf.include file, which, together, will:

    • Configure TLS certificates

    • Create virtual hosts serving ports 80 and 443

    • Set the virtual hosts’ servername and serveraliases, if any

    • Configure an HTTP to HTTPS permanent redirect

    • Add a Strict-Transport-Security header

    • Configure OCSP Stapling

Here, the /etc/nginx/sites-available/mysite.conf.include file uses the salt/nginx/files/sites/default.conf.include template with a mykey variable.
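For reference, the server blocks below are an added illustration of the behaviour listed above, written here for this page; they are not the project's salt/nginx/files/sites/default.conf.include template, and they assume certbot's default certificate layout under /etc/letsencrypt/live/ and the systemd-resolved stub resolver at 127.0.0.53.

```nginx
# Illustrative equivalent of the default configuration (not the project's template).
# Assumes certbot stored the certificate under /etc/letsencrypt/live/myname.open-contracting.org/.

# Port 80: permanently redirect every request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name myname.open-contracting.org myalias.open-contracting.org;

    return 301 https://$host$request_uri;
}

# Port 443: serve the site over TLS.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name myname.open-contracting.org myalias.open-contracting.org;

    ssl_certificate     /etc/letsencrypt/live/myname.open-contracting.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myname.open-contracting.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Strict-Transport-Security: sent only on the HTTPS virtual host, as the header
    # is ignored over plain HTTP; "always" also adds it to error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # OCSP stapling: Nginx fetches the OCSP response itself and staples it to the
    # handshake, so clients do not contact the CA; chain.pem lets Nginx verify it.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/myname.open-contracting.org/chain.pem;
    resolver 127.0.0.53 valid=300s;  # assumption: systemd-resolved stub resolver

    root /var/www/mysite;  # placeholder document root
}
```

After deploying, `curl -sI http://myname.open-contracting.org/` should return a 301 with an https:// Location header, and `openssl s_client -connect myname.open-contracting.org:443 -status </dev/null` should print an "OCSP Response Status: successful" line if stapling is working.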

Custom configuration

Instead, add to your service’s Pillar file:

nginx:
  public_access: True
  sites:
    mysite:
      configuration: mycustom
      servername: myname.open-contracting.org
      serveraliases: ['myalias.open-contracting.org']
      context:
        mykey: myvalue

This will:

  • Create a /etc/nginx/sites-available/mysite.conf file

Here, the /etc/nginx/sites-available/mysite.conf file uses the salt/nginx/files/sites/mycustom.conf template with the servername, serveraliases and mykey variables.

Acquire SSL certificates

If the server name is new, you must:

  1. Add a CNAME record.

    Attention

    If the DNS record has not propagated, validation fails, and repeated attempts count towards Let’s Encrypt’s Failed Validation limit.

  2. Deploy the service, if not already done.

  3. Connect to the server.

  4. Acquire SSL certificates, replacing DOMAIN:

    certbot --nginx -d DOMAIN

The service should now be available at its https:// web address. Certbot will auto-renew the certificates.

Tip

If you need to test the acquisition of certificates, use Let’s Encrypt’s staging environment.