A quick note before beginning: I will not use or speak of wildcards in this procedure.
I will make another guide on how to implement TLS wildcards for subdomains.
I will be using a VPS from OVH, but any VPS will do (Digital Ocean, Milkyway) provided we have SSH access to the server.
Since we’re hosting everything on a VPS (OVH) we need to make sure it’s properly up to date and secured.
sudo apt update && sudo apt upgrade -y
We avoid using the root account to access and work on the VPS server.
We create a new user (ie. john) to administer the server. These first commands run as root, since no sudo user exists yet:
apt install sudo
adduser john
usermod -aG sudo john
check the group membership with groups john and sudo id john
sudo passwd -dl username (deletes and locks the password of the given account, so it can no longer log in with a password)
We want to connect to the VPS server without a password.
We create a key on the host machine and send it to the authorized_keys file on the VPS server.
We change the sshd_config file to prohibit SSH root login and only allow members of the sudo group.
We remove the firewall allow rule for SSH and add a rule for our new SSH port (ie. 9022).
on the host machine: ssh-keygen -t ed25519 -f ~/.ssh/mykey
ssh-copy-id -i ~/.ssh/mykey john@ip-of-the-vps-server
on the VPS server, edit /etc/ssh/sshd_config (sudo nano /etc/ssh/sshd_config): uncomment the Port line and change 22 to something else (ie. 9022)
add the following modifications:
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowGroups sudo
these settings are for personal use; to see all the options check https://www.ssh.com/academy/ssh/sshd_config
sudo systemctl restart sshd
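The sshd_config edits above are easy to get wrong by hand (a directive left commented out, or set twice with the last copy winning). As an added example that is not part of the original guide, the script below applies the same directives idempotently to an sshd_config-style file and runs sshd's own syntax check before anything is restarted. The function names (set_directive, harden_sshd_config, validate_sshd_config) are my own, and the demo runs on a constructed sample file rather than on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the guide's sshd
# hardening directives idempotently and validate the file before a restart.
# Function names are my own, not OpenSSH's.

# set_directive FILE KEY VALUE
# Replaces every existing occurrence of KEY (active or commented out,
# matched case-insensitively, as sshd does) with a single "KEY VALUE" line,
# or appends the line when KEY is absent. Assumption: a stock sshd_config
# without "Match" blocks, since a KEY inside one would be rewritten too.
set_directive() {
  file=$1 key=$2 value=$3
  awk -v k="$key" -v v="$value" '
    {
      line = $0
      sub(/^[ \t#]*/, "", line)            # drop leading blanks and "#"
      split(line, f, "[ \t=]+")            # f[1] is the directive name
      if (tolower(f[1]) == tolower(k)) {
        if (!done) { print k " " v; done = 1 }   # keep one copy, drop repeats
        next
      }
      print
    }
    END { if (!done) print k " " v }       # append when never seen
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# harden_sshd_config FILE PORT: the guide's settings plus the custom port.
harden_sshd_config() {
  set_directive "$1" Port "$2"
  set_directive "$1" PubkeyAuthentication yes
  set_directive "$1" PermitRootLogin no
  set_directive "$1" PasswordAuthentication no
  set_directive "$1" PermitEmptyPasswords no
  set_directive "$1" AllowGroups sudo
}

# validate_sshd_config FILE: sshd's own syntax check (non-zero on a bad
# file) when sshd is installed; otherwise just say so and continue.
validate_sshd_config() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not installed here; skipping syntax check" >&2
  fi
}

# Demo on a constructed sample (never touches /etc/ssh/sshd_config).
demo=$(mktemp)
printf '#Port 22\nPermitRootLogin yes\n# PasswordAuthentication yes\nX11Forwarding no\n' > "$demo"
harden_sshd_config "$demo" 9022
validate_sshd_config "$demo" || echo "configuration rejected by sshd -t" >&2
cat "$demo"
rm -f "$demo"
```

On the server the real sequence is harden_sshd_config /etc/ssh/sshd_config 9022 (as root), validate_sshd_config /etc/ssh/sshd_config, and only then sudo systemctl restart sshd. Keep the current SSH session open and confirm a fresh login on the new port from a second terminal before closing it, otherwise a typo in the file locks you out of the VPS.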
We install UFW, the simple firewall manager.
We open only the necessary ports.
install UFW: sudo apt install ufw
at the moment only allow the new SSH port (ie. 9022) defined in the sshd_config file
sudo ufw allow 9022/tcp
sudo ufw enable
check the new firewall rules in place
sudo ufw status
The VPS server is configured and secured.
We can now install the web server and the reverse proxy.
We install and configure Nginx.
We add A records on our domain registrar to point a domain (ie. myDomain.com) to the VPS server.
sudo apt install nginx
sudo ufw allow 'Nginx Full'
and check the rules with sudo ufw status
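After the 'Nginx Full' profile is added, the firewall should allow exactly two things: the custom SSH port and HTTP/HTTPS. Reading sudo ufw status by eye misses a stale rule easily, so here is an added example (not part of the original guide) that audits the status output against an expected list and reports any other ALLOW rule. The function names (unexpected_allows, audit_ufw) are my own, and the sample status text is constructed for the demo, with a leftover port-22 rule to be caught.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit "ufw status" output
# against the allow rules this setup is supposed to have. Function names
# are my own; the sample text below is constructed.

# unexpected_allows EXPECTED... < status_text
# Reads "ufw status" output on stdin and prints the "To" column of every
# ALLOW rule that is not in EXPECTED, once each. IPv6 duplicates such as
# "9022/tcp (v6)" are normalised to their IPv4 form before comparison.
unexpected_allows() {
  exp=""
  for item in "$@"; do exp="$exp|$item"; done   # "|9022/tcp|Nginx Full"
  awk -v expected="$exp" '
    BEGIN { n = split(expected, e, "|"); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    /ALLOW/ {
      to = $0
      sub(/  .*$/, "", to)          # "To" column ends at the first double space
      sub(/ \(v6\)$/, "", to)       # "9022/tcp (v6)" -> "9022/tcp"
      if (!(to in ok) && !seen[to]++) print to
    }
  '
}

# audit_ufw EXPECTED... < status_text
# Returns 1 (and lists the offenders on stderr) when anything outside the
# expected set is allowed, 0 when the rule set is exactly what we expect.
audit_ufw() {
  extra=$(unexpected_allows "$@")
  if [ -n "$extra" ]; then
    echo "unexpected ALLOW rules:" >&2
    echo "$extra" >&2
    return 1
  fi
  echo "firewall allow rules match the expected set"
}

# Constructed sample of "sudo ufw status", with a stale port-22 rule left in.
sample='Status: active

To                         Action      From
--                         ------      ----
9022/tcp                   ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
9022/tcp (v6)              ALLOW (v6)  Anywhere (v6)
Nginx Full (v6)            ALLOW (v6)  Anywhere (v6)
22/tcp (v6)                ALLOW (v6)  Anywhere (v6)'

printf '%s\n' "$sample" | unexpected_allows 9022/tcp 'Nginx Full'   # prints: 22/tcp
printf '%s\n' "$sample" | audit_ufw 9022/tcp 'Nginx Full' || echo "review the rules above" >&2
```

On the server, run sudo ufw status | audit_ufw 9022/tcp 'Nginx Full'; a non-zero exit means a rule is open that this guide never asked for, which is worth a look before the site goes public.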
remove the default site: sudo rm /etc/nginx/sites-enabled/default (or, from inside the /etc/nginx/sites-enabled directory, sudo unlink default)
check the IP of your VPS server:
localip=$(hostname -I | cut -f1 -d' ')
echo $localip
set an A record on your domain registrar for each subdomain you want to point to your server, for example on OVH.
if not already present, add a CNAME record for the sub-domains (ie. www, …)
install snapd
sudo apt update
sudo apt install snapd
install certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
create the nginx config file: sudo nano /etc/nginx/sites-available/myDomain.com.conf
add the following (the index line lists the files nginx tries, in order, for a directory request; the deny block refuses any URI containing one of those directory names):
server {
    listen 80 default_server;
    listen [::]:80 ipv6only=on default_server;
    server_name myDomain.com www.myDomain.com;
    root /var/www/myDomain.com;
    index index.html index.htm index.php;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ /(data|conf|bin|inc|vendor)/ {
        deny all;
    }
}
We do not add the 443 port now, Let’s Encrypt’s certbot will do it automatically.
Now that we have our configuration in sites-available it's time to link it to sites-enabled: sudo ln -s /etc/nginx/sites-available/myDomain.com.conf /etc/nginx/sites-enabled/myDomain.com.conf
Let's verify that the file in sites-enabled has the same data: nano /etc/nginx/sites-enabled/myDomain.com.conf, it should be the same
Test the configuration, then reload the daemon and Nginx
sudo nginx -t
sudo systemctl daemon-reload
sudo systemctl reload nginx
we set the root of our domain to /var/www/myDomain.com:
sudo mkdir /var/www/myDomain.com
sudo nano /var/www/myDomain.com/index.html
<!DOCTYPE html>
<html>
  <head>
    <title>Welcome!</title>
  </head>
  <body>
    <header>
      <h1>Hello you!</h1>
    </header>
  </body>
</html>
go to the VPS server IP address in a browser to test the result.
Run:
sudo certbot --nginx
provide an email address
accept the Let's Encrypt agreement
choose the domains on which to add a certificate (ie. myDomain.com and www.myDomain.com)
certbot sets up automatic renewal for you.
we can test automatic renewal of the certificates by running this command: sudo certbot renew --dry-run
we can test the result by going to: https://myDomain.com