Let's Encrypt with NGINX, with redirect and whitelisted IP's

We have a somewhat unusual setup. Currently, we have a server that is only open to a certain set of whitelisted IPs on the internet. I also forward HTTP to HTTPS for this site. I have two main questions about my setup:

  1. Since LE validates over port 80, and I have a port redirect from 80 to 443, is it still possible for LE to auto-renew? Or do I have to disable the port forward and run the renewal manually?
  2. Does LE publish its public IPs anywhere? It wouldn't be the end of the world if not, since I can leave port 80 open to all and allow HTTPS traffic in only from the whitelisted hosts.

Here is my current nginx.conf setup:

# Worker identity and process layout.
user nginx;
worker_processes 2;

# Global error log and PID file (main context; order is not significant).
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;

# include /usr/share/nginx/modules/*.conf;

events {
    # Per-worker cap on simultaneous connections.
    worker_connections 1024;
}

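http {
    # Access-log format: client address, auth user, timestamp, request line,
    # status, bytes sent, referer, user agent and any X-Forwarded-For chain.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    # tcp_nopush          on;
    # tcp_nodelay         on;

    keepalive_timeout   65;
    # types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Additional server/upstream definitions, if any, are pulled in from conf.d.
    include /etc/nginx/conf.d/*.conf;

    index   index.html index.htm;

    # NOTE(review): gzip also applies to the dynamic responses proxied from
    # localhost:8080 below. Compressing responses that carry secrets over TLS
    # is the precondition for BREACH-style attacks; consider limiting
    # gzip_types to static content if the backend emits secrets in bodies.
    # (text/js is not a registered MIME type; the entry is harmless but inert.)
    gzip  on;
    gzip_types
            text/plain
            text/css
            text/js
            text/xml
            text/javascript
            application/javascript
            application/x-javascript
            application/json
            application/xml
            application/xml+rss;

# server_names_hash_bucket_size 128;

    # Plain-HTTP server: only the ACME http-01 challenge directory is served.
    # Challenge files are looked up under
    # /var/www/letsencrypt/.well-known/acme-challenge/. This block contains no
    # redirect to HTTPS, so any 80->443 redirect for this host is configured
    # elsewhere (not in this file).
    server {
        listen 80 default_server;
        server_name test.domain.com;

        location /.well-known/acme-challenge {
            root /var/www/letsencrypt;
        }
    }

    # TLS server that reverse-proxies everything to the application on
    # localhost:8080. It is the only 443 listener in this file, so it
    # presumably handles all TLS traffic regardless of the server_name.
    server {
        listen 443 ssl http2;
        server_name localhost;

        location / {
            proxy_pass      http://localhost:8080;
            # Pass the original host and client address through to the backend.
            proxy_set_header        X-Forwarded-Host $host;
            proxy_set_header    X-Forwarded-Server $host;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header    X-Real-IP $remote_addr;
            proxy_redirect      off;
            client_max_body_size 10M;
            proxy_connect_timeout 30s;
            proxy_read_timeout 60s;
            # `satisfy any` together with `allow all` admits every client, so
            # nginx enforces no IP whitelist here. The allow-list described for
            # this host must therefore be applied elsewhere (e.g. a host or
            # network firewall) or expressed here as explicit allow/deny rules.
            satisfy any;
            allow all;
        }

        ## 500 error page - using default HTML directory for CentOS; change if desired. Sample error page and image background included in repository
        error_page   500 502 503 504  /50x.html;
        location ~ /50x.(html|png) {
            root   /usr/share/nginx/html;
        }

        # Certificate and key as written by certbot for test.domain.com.
        ssl_certificate /etc/letsencrypt/live/test.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/test.domain.com/privkey.pem;

        ## SSL Configuration
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;

        # Diffie-Hellman parameter for DHE ciphersuites
        ssl_dhparam /etc/nginx/dhparam.pem;

        # Protocol and Cipher configuration.
        # TLSv1.1 removed: it is deprecated (RFC 8996) and the cipher list below
        # is built around TLSv1.2 suites anyway.
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        ssl_prefer_server_ciphers on;

        # HSTS - instructs browsers to only connect to you via HTTPS in the future.
        # `always` makes nginx emit the header on error responses too; without it,
        # add_header applies only to 2xx/3xx responses, so HSTS would be dropped
        # on the 50x pages served above.
        add_header Strict-Transport-Security max-age=15768000 always;

        # OCSP Stapling --- Disabled as it requires additional work on your end. For more info, see
        #ssl_stapling on;
        #ssl_stapling_verify on;

        ## Verify chain of trust of OCSP response using Root CA and Intermediate certs
        ## You will need to fetch this certificate from the signer of your SSL cert (location varies by company you purchased a cert from)
        #ssl_trusted_certificate /etc/nginx/ROOT-CERTS-FOR-YOUR-CA.crt;

        # Only needed once OCSP stapling is enabled; nothing else in this
        # server block resolves names at runtime (the proxy target is localhost).
        resolver 8.8.8.8;
    }
}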

The http-01 challenge will follow a redirect to https, yes.

The IPs cannot be relied upon; see: IP addresses of outbound validators stability over time - #3 by jsha

