Dana Miller
Ricardo Pinho
For AtoM/Ubuntu1604 we used the free https://letsencrypt.org/
from Electronic Frontier Foundation: https://www.eff.org/
Don't forget to donate to support the project!
https://supporters.eff.org/donate/support-work-on-certbot
https://certbot.eff.org/#ubuntuxenial-nginx
# Install python-certbot
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
#Certbot has an Nginx plugin, which is supported on many platforms, and automates both obtaining and installing certs:
sudo certbot --nginx -d [your_atom_domain]
Just follow the instructions... and it will work like a charm... and update certs regularly.
Cheers
I am trying to configure Atom nginx to use SSL and HSTS. Every configuration I have tried fails when nginx reloads. I have the certs in place and have no luck so far getting https to work.
--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.
To post to this group, send email to ica-ato...@googlegroups.com.
Visit this group at https://groups.google.com/group/ica-atom-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/3e5c8025-5cfc-47bb-a9d3-a931a3c4467f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
David Hume
listen 80;
server_name _;
# possibly other stuff
# redirect to https
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name _;
ssl_certificate /path/to/fullchain;
ssl_certificate_key /path/to/keyfile;
# and so on
}
Dana Miller
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
ssl_certificate /etc/nginx/ssl/gsarcarchives2_gsfc_nasa_gov.pem;
ssl_certificate_key /etc/nginx/ssl/gsarcarchives2_gsfc_nasa_gov.key;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_protocols TLSv1.2;
atom.conf
##
upstream atom {
server unix:/var/run/php5-fpm.atom.sock;
}
server {
listen 80;
root /usr/share/nginx/atom;
# http://wiki.nginx.org/HttpCoreModule#server_name
# _ means catch any, but it's better if you replace this with your server
# name, e.g. archives.foobar.com
server_name _;
client_max_body_size 72M;
# http://wiki.nginx.org/HttpCoreModule#try_files
location / {
try_files $uri /index.php?$args;
}
location ~ /\. {
deny all;
return 404;
}
location ~* (\.yml|\.ini|\.tmpl)$ {
deny all;
return 404;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
return 404;
}
location ~* /uploads/r/(.*)/conf/ {
}
location ~* ^/uploads/r/(.*)$ {
include /etc/nginx/fastcgi_params;
set $index /index.php;
fastcgi_param SCRIPT_FILENAME $document_root$index;
fastcgi_param SCRIPT_NAME $index;
fastcgi_pass atom;
}
location ~ ^/private/(.*)$ {
internal;
alias /usr/share/nginx/atom/$1;
}
location ~ ^/(index|qubit_dev)\.php(/|$) {
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
fastcgi_pass atom;
}
location ~* \.php$ {
deny all;
return 404;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl ;
server_name gsarcarchives2.gsfc.nasa.gov www.gsarcarchives2.gsfc.nasa.gov;
root /usr/share/nginx/atom;
}
This gets the https to display the welcome page in https. When i modify it to make port 80 redirect perm to 443 and add in the other stuff to the 443 section it fails to start.
Dana Miller
On Tuesday, February 26, 2019 at 12:50:17 PM UTC-5, Dana Miller wrote:
Dana Miller
On Tuesday, February 26, 2019 at 12:50:17 PM UTC-5, Dana Miller wrote:
David Hume
add_header Strict-Transport-Security max-age=15768000;
Dana Miller
On Tuesday, February 26, 2019 at 12:50:17 PM UTC-5, Dana Miller wrote: