This article covers how to install an SSL certificate with certbot and allow HTTPS requests to a site behind a reverse proxy server. I will use my site as an example: a WordPress site running inside a Docker container behind an nginx reverse proxy server on Ubuntu 18.04.
Before diving into the process, here is a summary of the steps and the things to be careful about.
To-Dos
- Install certbot
- Allow HTTPS through the Firewall to nginx
- Obtain an SSL certificate with certbot
- Edit wp-config.php to allow HTTPS requests
- Automate the certificate renewal with certbot
Things to keep in mind
- Make sure to allow SSH through the Firewall; otherwise, you would lock yourself out.
- Mixed content is not allowed. Once nginx serves the site over HTTPS, pages behind it can no longer load resources such as images and text over plain HTTP; browsers block those requests.
Install certbot
Certbot automates the process of obtaining and installing an SSL certificate.
Add the repository for certbot:
$ sudo add-apt-repository ppa:certbot/certbot
Install certbot:
$ sudo apt install python-certbot-nginx
Allow HTTPS through the firewall to nginx
Check the current setting:
$ sudo ufw status
If the Uncomplicated Firewall (ufw) is inactive, enable it:
$ sudo ufw enable
Allow HTTP and HTTPS traffic with the ‘Nginx Full’ application profile:
$ sudo ufw allow 'Nginx Full'
Don’t forget to allow SSH if you haven’t:
$ sudo ufw allow 22/tcp
Obtain an SSL certificate with certbot
Run certbot with its nginx plugin, passing each domain name the certificate should cover:
$ sudo certbot --nginx -d geniuskouta.com -d geniuskouta.com
You will be asked to enter an email address and agree to the terms and conditions. After that, you will choose whether to redirect HTTP traffic to HTTPS. Certbot writes the resulting settings to your site’s nginx conf file.
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Allow HTTPS requests to your WordPress site
First, make sure that your proxy server sets the X-Forwarded-Proto header to https on the requests it forwards to the site.
server {
    server_name geniuskouta.com geniuskouta.com;

    location / {
        # Tell the upstream WordPress container that the client connected over HTTPS
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://xxx.xxx.xxx.xxx:8000;
        # ... more config
    }
    # ... more config
}
Whenever you change your site’s nginx conf file, test the configuration and reload nginx so the changes take effect:
$ sudo nginx -t
$ sudo systemctl reload nginx
If your WordPress site sits behind a proxy server that terminates HTTPS, WordPress itself only sees plain HTTP requests from the proxy, so you need to alert WordPress of that fact in wp-config.php. Here is the documentation.
// Add this to wp-config.php above the "/* That's all, stop editing! */" line.
// It trusts the X-Forwarded-Proto header, so the container should only be
// reachable through the proxy that sets it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}
Lastly, make sure that the WordPress Address and Site Address settings start with https://; otherwise WordPress generates http:// links on your pages, which results in mixed content warnings.
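As an added example that is not from the original post: a stricter version of the wp-config.php check above, which honours X-Forwarded-Proto only when the request comes from the reverse proxy. It assumes a hypothetical helper named request_is_https, and the proxy and client addresses below are constructed placeholders.

```php
<?php
// Added example, not code from the original post: a stricter version of the
// wp-config.php check above. That check trusts X-Forwarded-Proto from any
// peer; if the container on port 8000 is reachable by anyone other than
// nginx, that header cannot be relied on. This variant honours it only
// when REMOTE_ADDR is the proxy. Addresses below are constructed placeholders.

/**
 * Decide whether WordPress should treat the current request as HTTPS.
 *
 * @param array    $server          A $_SERVER-style array.
 * @param string[] $trusted_proxies Peer addresses allowed to assert the scheme.
 */
function request_is_https(array $server, array $trusted_proxies): bool
{
    // TLS terminated on this host: nothing to infer from headers.
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    // Only the reverse proxy may vouch for the client's scheme.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true)) {
        return false;
    }
    // Chained proxies may append values ("https, http"); take the first
    // entry, following the X-Forwarded-For convention.
    $proto = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    $first = strtolower(trim(explode(',', $proto)[0]));
    return $first === 'https';
}

// Placeholder: the address nginx connects from, as seen by the container.
$trusted_proxies = ['203.0.113.1'];

if (request_is_https($_SERVER, $trusted_proxies)) {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}

// Constructed requests, for running this file from the CLI:
// the first arrives via nginx and is treated as HTTPS; the second carries
// the same header but comes directly from a client, so it is not.
$via_proxy = ['REMOTE_ADDR' => '203.0.113.1', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$direct    = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_PROTO' => 'https'];
var_dump(request_is_https($via_proxy, $trusted_proxies));
var_dump(request_is_https($direct, $trusted_proxies));
```

In a real deployment the trusted address is whatever REMOTE_ADDR shows for connections from nginx, which for a Docker container is typically the bridge address rather than the host's public IP.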
Automate the certificate renewal with certbot
Test the renewal process with a dry run:
$ sudo certbot renew --dry-run
If the dry run succeeds, the scheduled renewal job that the certbot package installs will renew your SSL certificate automatically.
Thanks for reading.
I hope you enjoyed the article. If you have any questions or opinions to share, feel free to leave a comment.