Nginx

Nginx will handle SSL connections and reverse-proxy traffic to Phoenix. Install it (you should still be operating as root).

apt install nginx

By default, nginx creates and runs as the user www-data. We want it to run as our web user instead. Substitute www-data with web in nginx.conf, and change the ownership of the log directory so that the web user can write to it.

sed -i 's/www-data/web/g' /etc/nginx/nginx.conf
chown web -R /var/log/nginx

The default configuration that comes with nginx is mostly fine, but we'll want to add two shared config files that the server config can include for proxying and SSL settings.

Create (or update) a proxy_params config file.

/etc/nginx/proxy_params

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Url-Scheme $scheme;
proxy_set_header X-NginX-Proxy true;
client_max_body_size 600m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;

Create (or update) an ssl_params config file.

/etc/nginx/ssl_params

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Notice that last line. You'll create dhparam.pem in the next section.

Next, you'll create a server config. This config will instruct nginx to:

  • Use SSL
  • Redirect non-SSL traffic to the appropriate SSL URL
  • Accept upgrade requests (for websockets)
  • Block traffic that references a host other than your domain
  • Serve a special directory for letsencrypt (created in the next section)
  • Send all other traffic to the upstream Phoenix server

Create a server config for your domain (replace "EXAMPLE.com" with your own domain).

/etc/nginx/sites-available/example.com.conf

upstream phoenix {
    server 127.0.0.1:4000;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name EXAMPLE.com;

    include ssl_params;
    # ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;

    location / {
        include proxy_params;
        proxy_pass http://phoenix;
        proxy_redirect off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location /.well-known/acme-challenge {
        root /var/web/letsencrypt;
    }
}

server {
    listen 80;
    server_name EXAMPLE.com;

    location / {
        return 301 https://$server_name$request_uri;
    }

    location /.well-known/acme-challenge {
        root /var/web/letsencrypt;
    }

    # Deny illegal host headers
    if ($host !~* ^EXAMPLE.com$) {
        return 444;
    }
}

Important

Notice the two commented out ssl_certificate lines. They are commented because you haven't created the certificates yet. You'll create those in the next section, but nginx needs to be able to run in the meantime. Once the certificates are created, you'll uncomment those lines.

Symlink the server config to sites-enabled and restart nginx (replace "example.com" with your domain).

ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/example.com.conf
service nginx restart
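Once the certificates exist and the ssl_certificate lines are uncommented, it is worth confirming that the headers set in ssl_params actually reach clients: nginx drops every inherited add_header as soon as a location block declares its own, so a later edit can silently remove them. The following checker is an added example, not part of the original guide; fetch_headers and the EXAMPLE.com default are assumptions, and the check logic runs offline on any header dict.

```python
"""Verify the security headers that ssl_params is expected to emit."""
import http.client
import ssl

# Values as written in ssl_params above
EXPECTED = {
    "strict-transport-security": "max-age=63072000; includeSubdomains; preload",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
}
MIN_HSTS_AGE = 63072000  # two years, the max-age ssl_params sets


def hsts_max_age(value):
    """Return the max-age of an HSTS header value, 0 if absent or malformed."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0


def check_headers(headers):
    """Return a list of findings for a dict of response headers (names are
    matched case-insensitively). An empty list means everything is present."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        got = lower.get(name)
        if got is None:
            # Typical cause: an add_header inside a location block, which makes
            # nginx discard every add_header inherited from ssl_params.
            findings.append(f"missing {name} (expected '{want}')")
        elif name == "strict-transport-security":
            if hsts_max_age(got) < MIN_HSTS_AGE:
                findings.append(f"{name}: max-age {hsts_max_age(got)} < {MIN_HSTS_AGE}")
        elif got.strip().lower() != want.lower():
            findings.append(f"{name}: got '{got}', expected '{want}'")
    return findings


def fetch_headers(host, port=443):
    """HEAD / over TLS (certificate verified) and return the response headers."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", "/", headers={"Host": host})
    return dict(conn.getresponse().getheaders())


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "EXAMPLE.com"  # placeholder domain
    for line in check_headers(fetch_headers(host)) or ["all expected headers present"]:
        print(line)
```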
