From 5ef232df48a8014699edaa6c0ed2706ab3d91204 Mon Sep 17 00:00:00 2001
From: Francisco Pombal
Date: Tue, 28 May 2019 15:23:55 +0100
Subject: [PATCH] updated and simplified NGINX config
---
 ...ertificates-and-NGINX-SSL-reverse-proxy.md | 79 ++++++++-----------
 1 file changed, 34 insertions(+), 45 deletions(-)
diff --git a/Linux-WebUI-HTTPS-with-Let's-Encrypt-certificates-and-NGINX-SSL-reverse-proxy.md b/Linux-WebUI-HTTPS-with-Let's-Encrypt-certificates-and-NGINX-SSL-reverse-proxy.md
index 7be01f8..dc35031 100644
--- a/Linux-WebUI-HTTPS-with-Let's-Encrypt-certificates-and-NGINX-SSL-reverse-proxy.md
+++ b/Linux-WebUI-HTTPS-with-Let's-Encrypt-certificates-and-NGINX-SSL-reverse-proxy.md
@@ -1,11 +1,11 @@
 # Introduction
-This is probably the easiest, most extensible and trouble-free way of setting up qBittorrent's WebUI with SSL. It combines ideas from these other articles of the wiki: [1][qbt-webui-https], [2][qbt-reverse-proxy].
+This is probably the easiest, most extensible and trouble-free way of setting up qBittorrent's WebUI with HTTPS. It combines ideas from these other articles of the wiki: [1][qbt-webui-https], [2][qbt-reverse-proxy].
 The benefit of this setup is that with one single domain and certificate you are able to setup secure HTTPS access to various different services in your server alongside one another. For example, you may have qBittorrent's WebUI accessible at `yourdomain.com/qbt`, a simple homepage served with Apache at `yourdomain.com`, your Nextcloud instance at `yourdomain.com/nextcloud`, etc.
 This guide assumes you have a working qbitorrent-nox setup (check [this][qbt-nox-wiki-setup] article if you haven't). This guide also assumes that:
-* you know how to and can forward ports on your router.
+* you know how to and can forward ports on your router, to forward ports 80 and 443.
 * you have setup a DNS pointing to the IP you are running the Web UI from (you can use a free one like [Duck DNS][duckdns-url]).
 The overall architecture of the system will be:
@@ -42,16 +42,21 @@ sudo apt install nginx
 1. Access your WebUI, and go to Tools -> Options -> WebUI
 2. Change the following settings if they are not already like so:
-* Server domains: 127.0.0.1
-* Port: some free port on your system that is NOT accessible through the outside world. In this case we will use 30000
+* Server domains: localhost
+* Port: some free port on your system that is NOT accessible through the outside world. In this case we will use `30000`
 * Use UPnP / NAT-PMP to forward the port from my router: unchecked.
 * Use HTTPS instead of HTTP: unchecked.
 ## Set up NGINX
-1. Forward ports 80 and 443 in your router, and let the them through your firewall.
-If you have `ufw` as your system firewall, it is as simple as `sudo ufw allow 80 && sudo ufw allow 443 && sudo ufw reload`
+1. Forward ports 80 and 443 in your router.
+2. Allow ports 80 and 443 through your system firewall if you have one.
+If you have `ufw` as your system firewall, it is as simple as:
+
+```bash
+sudo ufw allow 80 && sudo ufw allow 443 && sudo ufw reload
+```
 2. Clear the default files
 ```shell
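Review bot: `Server domains: localhost` configures qBittorrent's Host-header allow-list, not the address the WebUI binds to, so on its own it does not keep the plaintext port `30000` off the LAN — the bullet only says the port must not be reachable from outside. If your qBittorrent version shows an "IP address" field on the same Options → WebUI page, add the bullet `* IP address: 127.0.0.1` so the unencrypted listener is loopback-only and nginx is the only way in; if it does not, state that the firewall must block `30000` as well as allowing 80 and 443. Separately, the step list now carries two items numbered `2.` (`+2. Allow ports 80 and 443 ...` is followed by the unchanged `2. Clear the default files`), so the remaining steps should be renumbered.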
@@ -85,21 +90,26 @@ server {
 # if, when creating the certificate (see below) it goes to another folder, be sure
 # to change these lines accordingly
 ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
 ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
 ssl on;
- ssl_session_cache builtin:1000 shared:SSL:10m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
 ssl_prefer_server_ciphers on;
- ssl_stapling on;
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_ecdh_curve prime256v1:secp384r1:secp521r1;
+ ssl_session_cache shared:TLS:50m;
+ ssl_session_timeout 1d; # default is 5 min
+ ssl_session_tickets off;
+ # OCSP stapling
+ ssl_stapling on;
 ssl_stapling_verify on;
 access_log /var/log/nginx/yourdomain.access.log;
 location /qbt/ {
 # you can use any other port other than 30000 as long as it is available on your system
- proxy_pass http://127.0.0.1:30000/;
+ proxy_pass http://localhost:30000/;
 proxy_set_header X-Forwarded-Host $server_name:$server_port;
 proxy_hide_header Referer;
 proxy_hide_header Origin;
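Review bot: The hardened TLS block still sends no `Strict-Transport-Security` header, so browsers are never told to stick to HTTPS; the certbot invocation later in the page uses `certonly`, which as far as I can tell obtains the certificate without applying installer enhancements such as `--hsts` or `--redirect`, so the header has to come from this config. Add `add_header Strict-Transport-Security "max-age=63072000" always;` next to the new `ssl_stapling` lines, and note that nginx does not inherit `add_header` into a `location` that sets its own — the `/qbt/` location does (`X-Frame-Options`, visible in the next hunk), so the HSTS line must be repeated there or the `X-Frame-Options` header moved up to server level. `ssl on;` is retained although nginx has deprecated it since 1.15.0 in favour of the `ssl` parameter on `listen 443`; the `listen` line sits above this hunk so I cannot see whether it already carries it. The `location /qbt/ {` block continues past the end of the hunk.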
@@ -108,17 +118,21 @@ server {
 add_header X-Frame-Options "SAMEORIGIN"; # see note
 }
- # OPTIONAL: you can have a simple webpage, for example, served at the root of the domain (more below)
- #location / {
- # you can use any other port other than 8080 as long as it is available on your system
- #proxy_pass http://127.0.0.1:8080/;
+ # OPTIONAL: serve static HTML files at the root of the domain, like a simple homepage
+ location / {
+ root /var/www/html;
+ try_files $uri $uri/ =404;
+ }
+
+ # OPTIONAL: you can add more "location { (...) }" stanzas for other services, such as Nextcloud, etc
+ #location /other_webapp {
+ # change the location and port to the location and port the application is actually listening on
+ #proxy_pass http://localhost:8080/;
 #proxy_set_header Host $host;
 #proxy_set_header X-Real-IP $remote_addr;
 #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #proxy_set_header X-Forwarded-Proto $scheme;
 #}
-
- # you can add more "location { (...) }" stanzas for other services, such as Nextcloud, etc
 }
 ```
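Review bot: The commented proxy template `#location /other_webapp {` does not end in a slash while its `#proxy_pass http://localhost:8080/;` does, so once uncommented nginx replaces the matched prefix `/other_webapp` with `/` and forwards `/other_webapp/foo` upstream as `//foo`; the bare prefix also matches unrelated paths such as `/other_webapp2`. Change it to `#location /other_webapp/ {` so it mirrors the working `location /qbt/` stanza above. The new `location /` also serves every file under `/var/www/html`, including dotfiles such as `.git` or editor backups, so a `location ~ /\. { deny all; }` stanza is worth adding before anything other than a hand-written index.html lands there.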
@@ -128,9 +142,9 @@ Run the following commands to obtain your certificate (replace `yourdomain.com`
 ```shell
 sudo certbot --nginx certonly --preferred-challenges http --must-staple --redirect --hsts --uir --staple-ocsp --rsa-key-size 4096 --domain yourdomain.com --domain www.yourdomain.com
 ```
-Take note of the location where certbot stored the certificate, and adjust the nginx configuration file if needed.
-If your certbot is setup correctly, it will renew your certificate automatically, so you do not need to worry.
-You can manually test the renewal process with `sudo certbot renew --dry-run`, or actually manually renew your certificates with `sudo certbot renew `.
+Take note of the location where `certbot` stored the certificate, and adjust the nginx configuration file if needed.
+If your `certbot` is setup correctly, it will renew your certificate automatically, so you do not need to worry.
+You can manually test the renewal process with `sudo certbot renew --dry-run`, or actually manually renew your certificates with `sudo certbot renew`.
 Note: the following five options used above are optional, but good for hardened security:
 * --rsa-key-size 4096
@@ -149,31 +163,6 @@ Start nginx:
 Access your WebUI via `yourdomain.com/qbt`. You should see the qbittorrent Web UI and the indication that your connection is over HTTPS.
-# OPTIONAL: foundation for interoperability with other services
-
-As stated before, you can add more "location { (...) }" stanzas to your nginx config file to enable access to other services.
-
-Example for a simple homepage with Apache:
-
-1. In the nginx config example above, you can uncomment the `location "/" { ...` stanza to have a homepage accessible at `yourdomain.com`.
-
-2. Create a simple "hellow world" HTML file, `index.html` under `/var/www/html`
-
-3. Create an apache config for yout page (at `/etc/apache2/sites-available`), which can be as simple as:
-```shell
-
- DocumentRoot /var/www/html
-
- ErrorLog ${APACHE_LOG_DIR}/error-homepage.log
- CustomLog ${APACHE_LOG_DIR}/access-homepage.log combined
-```
-Don't forget to create the symbolic link at `/etc/apache2/sites-enabled`.
-4. Restart nginx and apache. You should now have:
-* A simple homepage, at `yourdomain.com`
-* qBittorrent WebUI at `yourdomain.com/qbt`
-
 [qbt-webui-https]:https://github.com/qbittorrent/qBittorrent/wiki/Linux-Web-UI-setting-up-HTTPS-with-Let's-Encrypt-certificates
 [qbt-reverse-proxy]:https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI