Using Let's Encrypt and Nginx to Configure HTTPS Access

Introduction

HTTPS is HTTP carried over TLS, and the server side of that needs a certificate that browsers trust. Let's Encrypt issues such certificates free of charge through the automated ACME protocol, which the certbot client used below speaks for us.

Configure Nginx Forwarding

Let's Encrypt will only issue a certificate after verifying that we control the domain. With the HTTP-01 challenge used here, the CA fetches a token from http://www.unrealblue.cc/.well-known/acme-challenge/<token> over plain HTTP on port 80, so Nginx must answer that path directly while everything else is redirected to HTTPS. Below is the port-80 configuration on my server:

server {
    listen       80;
    server_name  www.unrealblue.cc;

    # ACME HTTP-01 challenge: must be served over plain HTTP and never redirected.
    # "^~" is a prefix match that wins over "location /" whatever the block order.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        allow all;
    }

    # Everything else on port 80 goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

Explanation: the location for /.well-known/acme-challenge/ serves files from /var/www/html, so a request for http://www.unrealblue.cc/.well-known/acme-challenge/<token> is answered from /var/www/html/.well-known/acme-challenge/<token>, which is exactly where certbot's webroot plugin writes the token. The ^~ modifier makes this prefix match win over location / regardless of the order of the blocks. Every other request on port 80 gets a 301 to the same URL on https://, so the site is never used over plain HTTP. The challenge has to be excluded from that redirect because HTTPS is not configured yet when the first certificate is requested, and a validator that is redirected to a dead HTTPS port fails the challenge.

Save this file as default.conf.

Here I used an Nginx Docker container for deployment, so I didn’t install Nginx directly.

FROM nginx
LABEL maintainer="linanwx@gmail.com"
# The official nginx image is Debian-based. Install certbot in a single layer
# and drop the package lists so they are not baked into the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends certbot \
 && rm -rf /var/lib/apt/lists/*
# Webroot that the acme-challenge location in default.conf serves from
RUN mkdir -p /var/www/html
COPY ./default.conf /etc/nginx/conf.d/
# EXPOSE only documents container ports; the host mapping is given to docker run -p
EXPOSE 80 443
# Certificates and the private key live here; mount it from the host so they
# survive image rebuilds
VOLUME ["/etc/letsencrypt/"]

Save the first code segment as default.conf and the second as Dockerfile in the same directory, then run docker build -t nginx-server . from that directory.

Run docker run --rm -d -p 80:80 -p 443:443 --net=server-net --name nginx-server -v $PWD/letsencrypt:/etc/letsencrypt nginx-server to start the container in the background (-d; the -it flags are unnecessary for a detached container). --net=server-net attaches it to a user-defined Docker network so it can reach other containers by name, as the proxy_pass to server-handy further down does; create that network once with docker network create server-net, or drop the flag if Nginx only serves static files. Port 80 must be reachable from the Internet under www.unrealblue.cc for the validation in the next step, and the letsencrypt directory on the host will hold the private key, so keep it readable only by root.
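A failed validation still counts against Let's Encrypt's rate limits, so it pays to check the CA's view of the site before running certbot. The following script is an added example and not part of the original post or of certbot: it uses docker exec to plant a throwaway token under the webroot inside the container (container name, webroot and hostname as in the Dockerfile and docker run command above; override them through the environment), fetches it over plain HTTP the way the validator does, without following redirects, and then checks that an unrelated path on port 80 is answered with a 301 to the same URL on https. The two judge functions take status, body and redirect target as plain text, so the decision logic can be exercised without a running server.

```shell
#!/bin/sh
# Added example: pre-issuance self-test for the HTTP-01 challenge path.
# Container name, webroot and hostname are the tutorial's (assumptions);
# override with CONTAINER=, WEBROOT=, HOST= in the environment.
set -u

CONTAINER=${CONTAINER:-nginx-server}
WEBROOT=${WEBROOT:-/var/www/html}
HOST=${HOST:-www.unrealblue.cc}

# A real ACME token is a base64url string; 32 hex characters are a fine stand-in
# for a throwaway file name.
make_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# judge_challenge STATUS BODY EXPECTED -> 0 if a validator would accept this
# answer: HTTP 200 and exactly the token in the body (a trailing newline is fine).
judge_challenge() {
    status=$1; body=$2; expected=$3
    [ "$status" = "200" ] || return 1
    [ "$(printf '%s' "$body" | tr -d '\r\n')" = "$expected" ]
}

# judge_redirect STATUS LOCATION HOST PATH -> 0 if a non-challenge request is
# sent to the same URL on https with a permanent redirect (301 or 308).
judge_redirect() {
    status=$1; location=$2; host=$3; path=$4
    case "$status" in 301|308) ;; *) return 1 ;; esac
    [ "$location" = "https://$host$path" ]
}

# Plant the token where certbot's webroot plugin would, fetch it over plain HTTP
# the way the validator does, then clean up and probe an unrelated path.
run_selftest() {
    token=$(make_token)
    dir="$WEBROOT/.well-known/acme-challenge"
    docker exec "$CONTAINER" sh -c "mkdir -p '$dir' && printf '%s' '$token' > '$dir/$token'" || return 1

    # No -L: a redirect here would itself be the misconfiguration we are looking for.
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "http://$HOST/.well-known/acme-challenge/$token")
    body=$(cat "$tmp"); rm -f "$tmp"
    docker exec "$CONTAINER" rm -f "$dir/$token"
    if judge_challenge "$status" "$body" "$token"; then
        echo "ok: challenge path served ($status)"
    else
        echo "FAIL: challenge path status=$status body=$body"; return 1
    fi

    probe="/preflight-$token"
    out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "http://$HOST$probe")
    status=${out%% *}; location=${out#* }
    if judge_redirect "$status" "$location" "$HOST" "$probe"; then
        echo "ok: other paths redirect ($status -> $location)"
    else
        echo "FAIL: redirect status=$status location=$location"; return 1
    fi
}

# Only touch the network when invoked explicitly:  sh preflight.sh run
case "${1:-}" in run) run_selftest ;; esac
```

Run it from a machine that reaches www.unrealblue.cc the way the Internet does (sh preflight.sh run). Running it on the server itself still exercises the Nginx configuration, but only an outside vantage point also proves that the DNS record and the firewall are right.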

Generate Certificates

Run docker exec -it nginx-server /bin/bash to get a shell inside the container, then run the following commands. certbot creates /etc/letsencrypt/live/ itself, so on a fresh volume the directory has to be created first or openssl cannot open its output file:

mkdir -p /etc/letsencrypt/live
openssl dhparam -out /etc/letsencrypt/live/dhparams.pem 2048
certbot certonly --agree-tos --webroot -w /var/www/html -d www.unrealblue.cc -m linanwx@gmail.com

certbot writes the challenge token under /var/www/html/.well-known/acme-challenge/ and asks Let's Encrypt to fetch it over HTTP, which only works because of the location block in default.conf; the CA's request comes from the public Internet, so the domain must resolve to this host and port 80 must be reachable. certbot --help all documents the remaining options. Unless you are certain you are deploying to production, add --test-cert (an alias for --staging) while experimenting: Let's Encrypt rate-limits issuance per registered domain and per exact set of names, and a few repeated or failed runs against production can block further issuance for up to a week, whereas the staging environment has far higher limits. Staging certificates are signed by an issuer whose name contains "(STAGING)" and are not trusted by browsers, so re-run without --test-cert for the real certificate; certbot notices the existing staging lineage and offers to replace it (or pass --force-renewal). The openssl dhparam command generates parameters for finite-field Diffie-Hellman, which only the DHE-* cipher suites use; it is slow at 2048 bits, and the file is referenced by ssl_dhparam in the HTTPS configuration later. Modern clients negotiate the ECDHE suites instead, so the file matters only for clients that fall back to DHE.

If everything goes well, the certificate and key are stored under /etc/letsencrypt/live/www.unrealblue.cc/ as fullchain.pem, chain.pem, cert.pem and privkey.pem, which are symlinks into /etc/letsencrypt/archive/ that certbot repoints on renewal. Because /etc/letsencrypt is bind-mounted, the same files appear under ./letsencrypt on the host, private key included; check its permissions with ls -l letsencrypt/archive/www.unrealblue.cc/ and make sure only root can read it. Let's Encrypt certificates are valid for 90 days, so schedule renewal before the first one expires, for example a cron job running docker exec nginx-server certbot renew --deploy-hook "nginx -s reload" so that Nginx picks up the new files without a restart.

Configure Nginx HTTPS

Create a new file named https.conf:

# https://www.jianshu.com/p/f7f39cb24423
server {
    listen 443 ssl;
    server_name www.unrealblue.cc;

    ssl_certificate                 /etc/letsencrypt/live/www.unrealblue.cc/fullchain.pem;
    ssl_certificate_key             /etc/letsencrypt/live/www.unrealblue.cc/privkey.pem;
    # Issuer chain used to verify stapled OCSP responses (chain.pem, not fullchain.pem)
    ssl_trusted_certificate         /etc/letsencrypt/live/www.unrealblue.cc/chain.pem;
    ssl_dhparam                     /etc/letsencrypt/live/dhparams.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996). The original suite list also
    # allowed 3DES (DES-CBC3-SHA, SWEET32) and non-forward-secret AES-SHA suites;
    # keep only AEAD suites with (EC)DHE key exchange. TLS 1.3 suites are always
    # enabled and are not affected by ssl_ciphers.
    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_ciphers                'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers  on;
    ssl_session_cache          shared:SSL:50m;
    ssl_session_timeout        1d;

    # Stapling needs a resolver to look up the OCSP responder; without one nginx
    # logs a warning and serves no staple. 127.0.0.11 is Docker's embedded DNS on
    # a user-defined network such as server-net; elsewhere use a resolver you
    # trust. Let's Encrypt has announced the end of its OCSP service; on a
    # certificate without an OCSP URL these three directives simply do nothing.
    ssl_stapling               on;
    ssl_stapling_verify        on;
    resolver                   127.0.0.11 valid=300s;
    resolver_timeout           5s;

    # HSTS: max-age=60 is a testing value. Browsers cache this header, so raise
    # it (e.g. max-age=31536000) only once HTTPS is confirmed working, or
    # visitors are locked out of the site for the duration of a bad value.
    add_header Strict-Transport-Security "max-age=60" always;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    # location = /gfwlist {
    #     proxy_pass http://server-handy:8081;
    # }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

Save this file. Then modify the Dockerfile so that https.conf is copied in as well:

FROM nginx
LABEL maintainer="linanwx@gmail.com"
# The official nginx image is Debian-based. Install certbot in a single layer
# and drop the package lists so they are not baked into the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends certbot \
 && rm -rf /var/lib/apt/lists/*
# Webroot that the acme-challenge location in default.conf serves from
RUN mkdir -p /var/www/html
COPY ./default.conf /etc/nginx/conf.d/
COPY ./https.conf /etc/nginx/conf.d/
# EXPOSE only documents container ports; the host mapping is given to docker run -p
EXPOSE 80 443
# Certificates and the private key live here; mount it from the host so they
# survive image rebuilds
VOLUME ["/etc/letsencrypt/"]

The only change is the extra COPY line for https.conf. Because https.conf references the certificate files, Nginx refuses to start while /etc/letsencrypt is still empty, which is why the certificate was issued with the port-80-only image first; docker exec nginx-server nginx -t reports such problems before you rely on the site.

Rebuild the image with docker build -t nginx-server ., stop the running container with docker stop nginx-server (it was started with --rm, so it is removed as well), and start it again with the same docker run command as before. Then visit https://127.0.0.1 and you should see Nginx's default page.


When testing locally, the browser warns that the certificate is invalid: it was issued for www.unrealblue.cc and you are connecting to 127.0.0.1, so the name does not match. Clicking continue is fine for a local smoke test, but a cleaner check that does not bypass verification is curl --resolve www.unrealblue.cc:443:127.0.0.1 https://www.unrealblue.cc/, which sends the connection to the local machine while validating the chain and the name exactly as a browser would. Once the DNS record points at the server, https://www.unrealblue.cc loads without any warning.

