coder/examples/web-server/nginx/README.md

How to use NGINX as a reverse-proxy with LetsEncrypt

Requirements

  1. Start a Coder deployment and be sure to set the following configuration values:

    CODER_HTTP_ADDRESS=127.0.0.1:3000
    CODER_ACCESS_URL=https://coder.example.com
    CODER_WILDCARD_ACCESS_URL=*.coder.example.com
    

    Throughout the guide, be sure to replace coder.example.com with the domain you intend to use with Coder.

  2. Configure your DNS provider to point coder.example.com and *.coder.example.com to your server's public IP address.

    This is done by adding A records in your DNS provider's dashboard: one for coder.example.com and a wildcard record for *.coder.example.com. The wildcard record is what lets Coder serve workspace apps on their own subdomains (matching CODER_WILDCARD_ACCESS_URL).

  3. Install NGINX (assuming you're on Debian/Ubuntu):

    sudo apt install nginx
    
  4. Stop NGINX service:

    sudo systemctl stop nginx
    

Adding Coder deployment subdomain

This example assumes Coder is running locally on 127.0.0.1:3000 and that you're using coder.example.com as your domain.

  1. Create an (empty) NGINX site file for Coder:

    sudo touch /etc/nginx/sites-available/coder.example.com
    
  2. Activate this file:

    sudo ln -s /etc/nginx/sites-available/coder.example.com /etc/nginx/sites-enabled/coder.example.com
    

Install and configure LetsEncrypt Certbot

  1. Install Certbot: refer to the Certbot documentation. Be sure to pick the wildcard tab and select your DNS provider for instructions on installing the necessary DNS plugin. Let's Encrypt only issues wildcard certificates through the DNS-01 challenge, which is why the DNS plugin is required.

Create DNS provider credentials

This example assumes you're using Cloudflare as your DNS provider. For other providers, refer to the Certbot documentation.

  1. Create an API token for the DNS provider you're using, e.g. Cloudflare, with the following permissions (scope the token to just the zone that holds coder.example.com; Certbot needs nothing else):

    • Zone - DNS - Edit
  2. Create the credentials file and open it in an editor:

    mkdir -p ~/.secrets/certbot
    touch ~/.secrets/certbot/cloudflare.ini
    nano ~/.secrets/certbot/cloudflare.ini
    
    Put the token in it as a single line:

    dns_cloudflare_api_token = YOUR_API_TOKEN
    
  3. Set the correct permissions so that only your user can read the token (Certbot warns when the credentials file is readable by others):

    sudo chmod 600 ~/.secrets/certbot/cloudflare.ini
    

Create the certificate

  1. Create the wildcard certificate:

    sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com -d '*.coder.example.com'
    

Configure nginx

  1. Edit the file with:

    sudo nano /etc/nginx/sites-available/coder.example.com
    
  2. Add the following content:

    server {
        server_name coder.example.com *.coder.example.com;
    
        # HTTP configuration
        listen 80;
        listen [::]:80;
    
        # HTTP to HTTPS
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        }
    
        # HTTPS configuration
        listen [::]:443 ssl ipv6only=on;
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/coder.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/coder.example.com/privkey.pem;
    
        location / {
            proxy_pass  http://127.0.0.1:3000; # Change this if Coder listens somewhere other than the default 127.0.0.1:3000 (CODER_HTTP_ADDRESS)
            proxy_http_version 1.1;
            # WebSocket support (workspace terminals, agent connections)
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Use $scheme (the protocol NGINX actually terminated), not the client-supplied $http_x_forwarded_proto header
            proxy_set_header X-Forwarded-Proto $scheme;
            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
        }
    }
    

    Don't forget to replace coder.example.com with your (sub)domain.

  3. Test the configuration:

    sudo nginx -t
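
`nginx -t` only checks syntax; it will happily accept a site file that forwards the client's own X-Forwarded-Proto header or drops the Host header. The following POSIX sh linter is an added example (not part of the Coder repository) that checks a site file for the settings the configuration above depends on: X-Forwarded-Proto taken from `$scheme` rather than `$http_x_forwarded_proto`, Host and Upgrade headers forwarded, HTTP/1.1 upstream, the HTTP to HTTPS redirect, and HSTS with `always`. The function names `check_site_config` and `write_sample_config` are mine, and the site files it lints are constructed samples modelled on the one in this guide, written to temporary files so the script runs without NGINX installed.

```shell
#!/bin/sh
# Added example, not part of the Coder repository: a small POSIX-sh linter for
# the reverse-proxy settings this guide relies on. Needs only sh and grep -E.
# The site files it checks are constructed samples written to temp files.

# check_site_config FILE
# Prints one "FAIL: ..." line per problem; returns 0 when every check passes.
check_site_config() {
    file="$1"
    rc=0

    # 1. X-Forwarded-Proto must be what NGINX saw ($scheme). $http_x_forwarded_proto
    #    just echoes the client's own header, which any client can set.
    if grep -Eq 'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+\$http_x_forwarded_proto' "$file"; then
        echo "FAIL: X-Forwarded-Proto is copied from the client request; use \$scheme"
        rc=1
    elif ! grep -Eq 'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+\$scheme' "$file"; then
        echo "FAIL: proxy_set_header X-Forwarded-Proto \$scheme is missing"
        rc=1
    fi

    # 2. The Host header must reach Coder unchanged, or wildcard app hostnames break.
    grep -Eq 'proxy_set_header[[:space:]]+Host[[:space:]]+\$host' "$file" \
        || { echo "FAIL: proxy_set_header Host \$host is missing"; rc=1; }

    # 3. WebSocket upgrades need the Upgrade header forwarded over HTTP/1.1.
    grep -Eq 'proxy_set_header[[:space:]]+Upgrade[[:space:]]+\$http_upgrade' "$file" \
        || { echo "FAIL: Upgrade header is not forwarded"; rc=1; }
    grep -Eq 'proxy_http_version[[:space:]]+1\.1' "$file" \
        || { echo "FAIL: proxy_http_version 1.1 is missing"; rc=1; }

    # 4. Plain HTTP must redirect to HTTPS.
    grep -Eq 'return[[:space:]]+301[[:space:]]+https://' "$file" \
        || { echo "FAIL: no HTTP to HTTPS redirect"; rc=1; }

    # 5. HSTS should be sent on every response, including error responses ("always").
    grep -Eq 'Strict-Transport-Security.*always' "$file" \
        || { echo "FAIL: HSTS header missing or not marked always"; rc=1; }

    return "$rc"
}

# write_sample_config VALUE
# Writes a constructed site file modelled on the one in this guide, using VALUE
# as the X-Forwarded-Proto source, and prints the temp file's path.
write_sample_config() {
    f=$(mktemp)
    cat >"$f" <<EOF
server {
    server_name coder.example.com *.coder.example.com;
    listen 80;
    if (\$scheme != "https") {
        return 301 https://\$host\$request_uri;
    }
    listen 443 ssl;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection upgrade;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $1;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }
}
EOF
    echo "$f"
}

# Demo: the client-controlled variant fails check 1, the hardened variant passes.
main() {
    bad=$(write_sample_config '$http_x_forwarded_proto')
    good=$(write_sample_config '$scheme')
    echo "== X-Forwarded-Proto taken from the client =="
    check_site_config "$bad" || true
    echo "== hardened =="
    check_site_config "$good" && echo "OK: all checks passed"
    rm -f "$bad" "$good"
}
main
```

To lint the real file, source the script and run `check_site_config /etc/nginx/sites-available/coder.example.com` after `sudo nginx -t` has passed; the two checks are complementary, since `nginx -t` never looks at what the proxied headers contain.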
    

Refresh certificates automatically

  1. Create a new file in /etc/cron.weekly:

    sudo touch /etc/cron.weekly/certbot
    
  2. Make it executable:

    sudo chmod +x /etc/cron.weekly/certbot
    
  3. And add this code:

    #!/bin/sh
    # /etc/cron.weekly already runs as root; reload NGINX after a renewal so it loads the new certificate
    certbot renew -q --deploy-hook 'systemctl reload nginx'
    

Restart NGINX

sudo systemctl restart nginx

And that's it, you should now be able to access Coder at your (sub)domain, e.g. https://coder.example.com.