Let's Encrypt with NGINX, with redirect and whitelisted IP's

We have kind of a strange use-case scenario setup. Currently, we have a server that is only open to certain set of whitelisted IP’s on the internet. I also perform HTTP forwarding to HTTPS for this site. I have 2 main questions on my setup:

  1. With LE probing on port 80, and while I have a port redirect from 80 to 443, is it still possible to have LE auto-renew? Or do I have to disable the port forward and manually run a renewal?
  2. Does LE list its public IP’s anywhere? It shouldn’t be the end of the world since I can leave 80 open to all, and then just have HTTPS traffic allowed in for only the whitelisted hosts

Here is my current nginx.conf setup:

user nginx;
worker_processes 2;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

# include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    # tcp_nopush          on;
    # tcp_nodelay         on;

    keepalive_timeout   65;
    # types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    index   index.html index.htm;

    gzip  on;

# server_names_hash_bucket_size 128;

server {
        listen 80 default_server;
        server_name test.domain.com;

        location /.well-known/acme-challenge {
                root /var/www/letsencrypt;

server {
        listen 443 ssl http2;
        server_name localhost;

        location / {
                proxy_pass      http://localhost:8080;
                proxy_set_header        X-Forwarded-Host $host;
                proxy_set_header    X-Forwarded-Server $host;
                proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header    X-Real-IP $remote_addr;
                proxy_redirect      off;
                client_max_body_size 10M;
                proxy_connect_timeout 30s;
                proxy_read_timeout 60s;
                satisfy any;
                allow all;

## 500 error page - using default HTML directory for CentOS; change if desired. Sample error page and image background included in repository
    error_page   500 502 503 504  /50x.html;
    location ~ /50x.(html|png) {
        root   /usr/share/nginx/html;


    ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;

## SSL Configuration
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/nginx/dhparam.pem;

    # Protocol and Cipher configuration
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # HSTS  - instructs browsers to only connect to you via HTTPS in the future
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling --- Disabled as it requires additional work on your end. For more info, see
        #ssl_stapling on;
        #ssl_stapling_verify on;

        ## Verify chain of trust of OCSP response using Root CA and Intermediate certs
                ## You will need to fetch this certificate from the signer of your SSL cert (location varies by company you purchased a cert from)
        #ssl_trusted_certificate /etc/nginx/ROOT-CERTS-FOR-YOUR-CA.crt;


The http-01 challenge will follow a redirect to https, yes.

The IPs cannot be relied upon: IP addresses of outbound validators stability over time - #3 by jsha

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.