Using Rocky Linux 8 (on Digital Ocean), start from scratch.
Using user root.
dnf install epel-release
dnf update
List all available streams:
dnf module list nodejs
Select a stream (version number) and install it (16 is the LTS version as of 2021-12):
dnf module install nodejs:16
Check if we have nodejs installed:
node -v
Create a nodejs project:
mkdir test-server
cd test-server
touch package.json
We are using koa for the test server:
npm i koa
Copy and paste the hello world code from the official website into index.js:
const Koa = require('koa');
const app = new Koa();
app.use(async ctx => {
  ctx.body = 'Hello World';
});
app.listen(3000);
Install pm2 globally:
npm i -g pm2
Use pm2 to start the test server:
pm2 start index.js
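We don't want complicated selinux to stand in our way (in enforcing mode the default policy does not let nginx connect to the upstream on port 3000 unless the httpd_can_network_connect boolean is enabled):
- use the editor to open /etc/selinux/config
- change SELINUX=enforcing into SELINUX=disabled
- restart the server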
dnf install nginx
Set system service:
systemctl enable nginx
systemctl start nginx
Edit /etc/nginx/nginx.conf:
- read the config carefully, nginx.conf differs across linux distros:
  - find the http block, inside which there might be a server block
  - delete all the server blocks inside http block
  - there should be a line inside http block like this: include /etc/nginx/conf.d/*.conf;
    - this loads all the .conf files inside the /etc/nginx/conf.d/ directory, we try to organize our website configs in separate files
- in my case: create a your.domain.conf inside /etc/nginx/conf.d/

      # add a upstream config for future good
      upstream node {
          ip_hash;
          # make sure the port number is the same to the test server
          server 127.0.0.1:3000 weight=10;
      }
      server {
          listen 80;
          server_name your.domain;
          # though not needed, you may need to create this root folder
          root /root/www/;
          error_log /var/log/nginx/hyde_error.log error;
          access_log /var/log/nginx/hyde_accss.log main;
          location / {
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $http_host;
              proxy_set_header X-Nginx-Proxy true;
              proxy_http_version 1.1;
              proxy_set_header Connection "";
              # upstream node
              proxy_pass http://node;
          }
      }

- use nginx -t to check the syntax.
- use nginx -s reload to reload the config (or use systemctl)
Control the traffic with ease:
dnf install firewalld
systemctl enable firewalld
systemctl start firewalld
Add http and https rules:
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
Port 3000 should now be unreachable from outside.
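How the Node side can use the headers set in the nginx config above, and keep port 3000 off the network without relying on the firewall alone, as an added example that is not part of the original post. It uses Node's built-in http module instead of Koa so it runs without dependencies; `clientIp` and `start` are hypothetical names and the addresses in the demo are constructed:

```javascript
// Added example, not from the original post. Names are hypothetical.
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// In the config above nginx sets X-Real-IP to $remote_addr (replacing any
// client-sent value), while $proxy_add_x_forwarded_for APPENDS $remote_addr
// to whatever X-Forwarded-For the client sent. So only the LAST XFF entry
// comes from nginx; earlier entries are client-controlled.
function clientIp(headers, peerAddr) {
  // Not connected through the local nginx: ignore the headers entirely.
  if (!LOOPBACK.has(peerAddr)) return peerAddr;
  const realIp = String(headers['x-real-ip'] || '').trim();
  if (realIp) return realIp;
  const xff = String(headers['x-forwarded-for'] || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  return xff.length ? xff[xff.length - 1] : peerAddr;
}

// Bind to loopback only, so port 3000 is reachable solely through nginx
// even when firewalld is stopped or a rule is opened by mistake.
function start(port = 3000) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    const ip = clientIp(req.headers, req.socket.remoteAddress);
    res.setHeader('Content-Type', 'text/plain');
    res.end(`Hello World, ${ip}\n`);
  });
  server.listen(port, '127.0.0.1');
  return server;
}

// `node index.js --listen` starts the server; otherwise run a short demo
// on constructed header sets (documentation-range addresses).
if (process.argv.includes('--listen')) {
  start();
} else {
  const spoofed = { 'x-forwarded-for': '10.9.9.9, 203.0.113.7' };
  console.log(clientIp(spoofed, '127.0.0.1'));      // via nginx
  console.log(clientIp(spoofed, '198.51.100.5'));   // direct connection
}
```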
Install certbot:
dnf install certbot python3-certbot-nginx
Run certbot and follow the prompts; it will ask for your email and domain name to continue:
certbot --nginx
Check /etc/nginx/conf.d/your.domain.conf, you should see that certbot modified this file and added https config sections.
Set crontab for auto renew:
crontab -e
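Add this line: 52 0,12 * * * certbot renew --renew-hook 'nginx -s reload' (no user column here: crontab -e edits root's own crontab, and the extra root field belongs only in /etc/crontab and /etc/cron.d files, where it would otherwise be run as the command). It means that at 00:52 and 12:52 certbot will attempt a renewal and, when a cert was actually renewed, reload nginx.
crond is said to monitor the crontab files' modification time and reload them, but to make sure: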
systemctl start crond
Should be OK now.