text: Set up SSL (HTTPS connection to a VPS)

Editor's note: this article was compiled by the editors of cha138.com; it covers setting up SSL (an HTTPS connection to a VPS) and is offered as reference material.

---
title: "Add SSL encryption"
output: html_notebook
---

# Objective

To implement SSL encryption easily, so that the site is served over HTTPS in the web browser.

Main instructions in https://www.jasperginn.nl/shiny-server-series-pt3/


## Get Certbot

Go to the sbin folder on your server and download certbot-auto:

```
cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
```

Make the script executable:
`sudo chmod a+x /usr/local/sbin/certbot-auto`

## Modify the nginx configuration
If nginx is not installed, install it with `sudo apt-get install nginx -y`.

`sudo nano /etc/nginx/sites-available/default`

And add right below `server_name _;`:
```
location ~ /.well-known {
    allow all;
}
```

Restart nginx: 
`sudo service nginx restart` 

## Certbot setup

Take your webroot location and your domain name (both with and without `www.`) and fill them into the `<your-domain-name>` and `<extension>` parts of the command below. Don't forget to change `<extension>` to your own extension (e.g. `nl`, `com`, `eu`). Then execute this command:

`sudo certbot-auto certonly -a webroot --webroot-path=/var/www/html -d <your-domain-name>.<extension> -d www.<your-domain-name>.<extension>`

Accept the prompts that appear. Remember that every domain name passed to the command has to reach a working website on this server; modify the hosting as necessary for this to happen.

Next, we generate a strong Diffie–Hellman group for extra security:

`sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048`

## Ensure periodic renewal

SSL certificates expire every couple of months or so, so it’s a good idea to refresh our certificate regularly. We’ll set up a cron job that does this every week. Access cron by executing the following:

`sudo crontab -e`

Add the following lines:
```
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload
```

## Change the nginx configuration file

Back up the nginx configuration in case something goes wrong:
`sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default2`

Delete the default config:
`sudo rm /etc/nginx/sites-available/default`

Make a new default config:
`sudo nano /etc/nginx/sites-available/default`

Paste in the new configuration file:
```
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Server config

server {
        # SSL config
        listen 443 ssl default_server;
        ssl_certificate /etc/letsencrypt/live/<your-domain-name>/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<your-domain-name>/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

        # Root location
        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        # Server name
        server_name <your-domain-name>;

        # For certbot to create SSL certificates
        location ~ /.well-known {
          allow all;
        }

        # Open shiny server
        location /apps/ {
          proxy_pass http://127.0.0.1:3838/;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }

        # Rstudio server
        location /editor/ {
          proxy_pass http://127.0.0.1:8787/;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }

        # auth0 server
        location /private-apps/ {
          proxy_set_header    Host $host;

          # This points to our shiny-auth0 authentication proxy,
          # change localhost:3000 to suit the configuration of
          # your shiny-auth0 config
          proxy_pass          http://localhost:3000;
          proxy_redirect      http://localhost:3000/ $scheme://$host/;

          proxy_http_version  1.1;
          # The following lines enable WebSockets proxying, do not remove them
          # as they are used by Shiny Server to improve user experience
          #proxy_set_header Upgrade $http_upgrade;
          #proxy_set_header Connection $connection_upgrade;

          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";

          proxy_connect_timeout 7d;
          proxy_send_timeout 7d;
          proxy_read_timeout 7d;
       }
}


server {

        listen 80;
        server_name <your-domain-name> <your-other-domain-name-with-www>;
        return 301 https://$host$request_uri;

}
```

Note that this file takes many decisions about how the server handles incoming requests by default (which TLS versions and ciphers are accepted, the HSTS header, which paths are proxied to which backend); review them before relying on them.

Important: you need to replace `<your-domain-name>` as follows:

- In lines 19-20, replace the text with the name of the folder where the keys are stored (it was printed by the terminal when certbot ran; normally it is the domain name).
- In lines 39 and 91, replace the text with your custom domain name, without `www` (and in the second case, with `www` as well).

The easiest way is to copy the file into a text editor, replace the values there, and paste the result back into the nano editor:
`sudo nano /etc/nginx/sites-available/default`

## Restart and check

Restart nginx: `sudo service nginx restart`
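Because the template above still contains `<your-domain-name>` placeholders and paths that only exist once certbot has run, restarting nginx on an unedited copy takes the site down. The following pre-restart check is an added example written for this page; it is not part of the original notebook or of the linked jasperginn.nl series. It assumes the page's angle-bracket placeholder style, the default site path `/etc/nginx/sites-available/default` (overridable through `SITE_FILE`), and that `nginx -t` may be run as root.

```shell
#!/bin/sh
# Pre-restart checks for the site file built above (added example, not from the
# original page). Assumptions: placeholders look like <your-domain-name>, and
# SITE_FILE points at the nginx site file (default path from the page).

SITE_FILE="${SITE_FILE:-/etc/nginx/sites-available/default}"

# Return 1 if any <placeholder> from the template was left unreplaced. The
# matching lines are printed (with line numbers) so they can be fixed in nano.
check_placeholders() {
    if grep -n '<[A-Za-z][A-Za-z0-9_.-]*>' "$1"; then
        echo "error: unreplaced placeholders in $1 (see lines above)" >&2
        return 1
    fi
    return 0
}

# Return 1 if a certificate, key or dhparam file named in the site file does
# not exist. awk is used instead of sed extensions so this runs on any POSIX
# system; a missing file here means nginx will refuse to start.
check_cert_paths() {
    missing=0
    for path in $(awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" || $1 == "ssl_dhparam" { sub(/;$/, "", $2); print $2 }' "$1"); do
        if [ ! -f "$path" ]; then
            echo "error: $path referenced in $1 is missing" >&2
            missing=1
        fi
    done
    return $missing
}

# Run every check, then nginx's own syntax test when nginx is installed.
# Succeeds only if all checks passed, so it is safe to chain the restart after it.
preflight() {
    ok=0
    check_placeholders "$1" || ok=1
    check_cert_paths "$1"   || ok=1
    if command -v nginx >/dev/null 2>&1; then
        nginx -t || ok=1   # validates the whole nginx config, not just this file
    else
        echo "note: nginx not found in PATH, skipping nginx -t" >&2
    fi
    return $ok
}

# Usage: sudo sh preflight.sh --run && sudo service nginx restart
if [ "${1:-}" = "--run" ]; then
    preflight "$SITE_FILE"
fi
```

Run it with `--run` immediately before the restart; if it reports a leftover placeholder or a missing `/etc/letsencrypt/live/...` file, the certbot step or the placeholder replacement has not completed and the restart should wait.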
