HOW-TO: Set up NGINX to reverse proxy your jails w/ Certbot

Maxobus (Dabbler, joined Dec 9, 2017, 15 messages)
> Otherwise you can edit the .json file.
OK, I found /var/db/transmission/settings.json.
Stopped the jail, edited settings.json.
Changed the string "rpc-url": "/transmission/" to "rpc-url": "/torrent/transmission/".
Restarted the jail.

Now, going to 192.168.1.10:9091, the GUI opens at http://192.168.1.10:9091/torrent/transmission/web/ and works normally.
But if I go to mydomain.com/torrent, it opens the same https://mydomain.com/transmission/web/ with a 404 error.

I believe we have almost solved it...
 

ZodiacUHD (Patron, joined Aug 28, 2015, 226 messages)
Can you just try to put
Code:
"rpc-url": "/transmission/"
in your json file
and
Code:
location /transmission {
	proxy_pass http://192.168.1.10:9091;
}

in your NGINX conf file?
 

Maxobus (Dabbler, joined Dec 9, 2017, 15 messages)
Finally, I solved it.
I just did as ZodiacUHD wrote:
> [ZodiacUHD's suggestion above, quoted]
It became accessible at mydomain.com/transmission.
Then I replaced "transmission" with "torrent" in the JSON and NGINX config files, and finally got access at mydomain.com/torrent.

Thank you a lot for your cooperation :cool:

P.S. Chrome cached the incorrect URLs, so I recommend clearing its cache before playing with configs.
 
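The fix works because of how nginx's proxy_pass treats the request path, and that rule is also why both sides had to be renamed together. The server block below is an added example, not a file from the thread or the original how-to: it shows the Transmission location that results, the settings.json line it depends on, and, for contrast, the other form of proxy_pass. The addresses 192.168.1.10:9091, 192.168.1.2:32400 and mydomain.com are taken from the thread; the htpasswd path is an assumption.

```nginx
# Added example (not the how-to's own file): Transmission behind nginx at
# https://mydomain.com/torrent/. Backend 192.168.1.10:9091 is the thread's jail;
# the htpasswd path is assumed.
#
# Pairing rule: proxy_pass WITHOUT a URI part forwards the request path
# untouched, so the prefix nginx matches must be the prefix Transmission
# expects. In the jail's /var/db/transmission/settings.json (edit it with the
# jail stopped, otherwise the daemon rewrites the file on exit):
#
#     "rpc-url": "/torrent/",
#
# Transmission then serves /torrent/web/ and /torrent/rpc.

server {
    listen 443 ssl;
    server_name mydomain.com;
    include ssl_common.conf;

    # Prefix match: /torrent, /torrent/, /torrent/web/..., /torrent/rpc
    location /torrent {
        # No URI after host:port -> "/torrent/rpc" reaches the daemon as "/torrent/rpc".
        proxy_pass http://192.168.1.10:9091;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The RPC endpoint can add, remove and relocate downloads on the NAS.
        # Transmission's own guard is a CSRF token (X-Transmission-Session-Id,
        # which nginx passes through by default); it is not authentication.
        # Either set "rpc-authentication-required": true in settings.json or
        # authenticate here, before a request ever reaches the jail.
        auth_basic           "Transmission";
        auth_basic_user_file /usr/local/etc/nginx/htpasswd;   # assumed path; hashes from: openssl passwd -apr1
    }

    # Contrast: WITH a URI part nginx REPLACES the matched prefix. A request for
    # /plex/index.html is sent upstream as /web/index.html, so the backend's own
    # base path need not change (whether Plex tolerates that rewrite is a
    # separate question). Had the Transmission block been written as
    #     location /torrent/ { proxy_pass http://192.168.1.10:9091/; }
    # the daemon would have received "/rpc" instead of "/torrent/rpc" and
    # answered 404: a prefix mismatch of the same kind as the earlier 404.
    location /plex/ {
        proxy_pass http://192.168.1.2:32400/web/;
    }
}
```

Check the pairing with `nginx -t` and then a direct request: `curl -u user -I https://mydomain.com/torrent/rpc` should return 409 with an X-Transmission-Session-Id header (the daemon handing out its token), not 404.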

Jailer (Not strong, but bad, joined Sep 12, 2014, 4,977 messages)
> P.S. Chrome cached the incorrect URLs, so I recommend clearing its cache before playing with configs.
If you are ever unsure if this is the case open the URL in a new private window to test and see if it works.
 

Bator92 (Cadet, joined Dec 17, 2017, 5 messages)
Hi!

I have a problem configuring Nginx. I followed the description in the first comment, but when I try to reach mycloud.cloud/nextcloud, it redirects me to mycloud.cloud (the root). I have installed the Nextcloud plugin from the plugin repository. I can reach it on my local network at the 192.168.1.4 IP address. What can I do in this situation? Thanks for your help. :)

My nginx.conf:

Code:
#user  nobody;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info. 
#
#error_log  /var/log/nginx/error.log;
#

#pid		logs/nginx.pid;


events {
	worker_connections  1024;
}


http {
	include	   mime.types;
	default_type  application/octet-stream;

	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
	#				  '$status $body_bytes_sent "$http_referer" '
	#				  '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log  logs/access.log  main;

	sendfile		on;
	#tcp_nopush	 on;

	#keepalive_timeout  0;
	keepalive_timeout  65;

	#gzip  on;

	upstream transmissionweb {
		server 192.168.1.3:9091;
	}

	upstream nextcloud {
		server 192.168.1.4;
	}

	server {
		listen       443 ssl;
		server_name  mycloud.cloud;
		include ssl_common.conf;
		include proxy_setup.conf;
	}

	server {
		listen       80;
		server_name  mycloud.cloud;
		return       301 https://mycloud.cloud$request_uri;
	}

}



My proxy_setup.conf:
Code:
#location ^~ /transmission/ {
#	 proxy_pass http://192.168.1.3:9091;
#	 proxy_redirect off;
#	 proxy_pass_header  X-Transmission-Session-Id;
#	 proxy_set_header Host $host;
#	 proxy_set_header X-Real-IP $remote_addr;
#	 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#}

location ^~ /transmission {
	proxy_pass          http://transmissionweb;
	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
	proxy_redirect      off;
	proxy_buffering     off;
	proxy_set_header    Host            $host;
	proxy_set_header    X-Real-IP       $remote_addr;
	proxy_bind $server_addr;
}

location / {
	proxy_pass http://192.168.1.150:8080;
	proxy_redirect off;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /plex {
	proxy_pass http://192.168.1.2:32400/web/;
	proxy_redirect off;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location ^~ /nextcloud {
	proxy_pass          http://nextcloud;
	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
	proxy_redirect      off;
	proxy_buffering     off;
	proxy_set_header    Host            $host;
	proxy_set_header    X-Real-IP       $remote_addr;
	proxy_bind $server_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
 

ZodiacUHD (Patron, joined Aug 28, 2015, 226 messages)
> [Bator92's post above, quoted in full]

Hey, did you set up a base URL for Nextcloud? I remember I had a few issues with the plugin myself, but it was quite a while ago. I hope I'll be able to help you.
 

Maxobus (Dabbler, joined Dec 9, 2017, 15 messages)
I switched to the subdomain model (*.mydomain.com) instead of the mydomain.com/* model.
Got the SSL certificates for every subdomain through Certbot as described in the OP.

In my case every service (Transmission, Nextcloud, Emby and others) works without any problems, and there is no need to change the base URL.
 

Bator92 (Cadet, joined Dec 17, 2017, 5 messages)
> Hey, did you set up a base URL for Nextcloud? I remember I had a few issues with the plugin myself, but it was quite a while ago. I hope I'll be able to help you.

No, the base URL is on the default setting. I couldn't find anywhere I could change the base URL. :(

UPDATE:
I have found the config.php where I can change the base URL. But now if I hit 192.168.1.4 in my browser, it redirects me to 192.168.1.4/nextcloud/login and my browser says "too many redirects".

Code:
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'htaccess.RewriteBase' => '/',
  'instanceid' => 'oc1ajfs17c59',
  'passwordsalt' => 'yQq3QHeusbVNQpqIsEEVwhy69zK2QQ',
  'secret' => 'pjz4yNc8yLvzPk2ONUHygtDWm28MklY1MDMpmxwXnOUgYhJp',
  'trusted_domains' =>
  array (
	0 => '192.168.1.4',
	1 => 'mycloud.cloud',
  ),
  'datadirectory' => '/media',
  'overwrite.cli.url' => 'https://192.168.1.4',
  'dbtype' => 'mysql',
  'version' => '9.1.1.5',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'ncuser',
  'dbpassword' => 'ncpass',
  'logtimezone' => 'UTC',
  'installed' => true,
  'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => '/nextcloud', // same key as above: PHP keeps this later, relative value
);
 
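Nextcloud under a sub-path has two halves that must agree: nginx must hand the prefix to the jail, and Nextcloud must be told which public URL it lives at, so that the links and redirects it generates carry that prefix. The location below is an added example, not the plugin's or the how-to's own file; 192.168.1.4 (the Nextcloud jail), 192.168.1.15 (the nginx jail) and mycloud.cloud are the thread's values. It strips the prefix on the way in, so the jail keeps serving Nextcloud at its root, and relies on config.php to add it back on the way out: `'overwritewebroot' => '/nextcloud'`, `'overwritehost' => 'mycloud.cloud'`, `'overwriteprotocol' => 'https'`, `'overwrite.cli.url' => 'https://mycloud.cloud/nextcloud'` (an absolute URL; the posted file sets that key twice and PHP keeps the second, relative value), `'trusted_proxies' => ['192.168.1.15']` and `'overwritecondaddr' => '^192\.168\.1\.15$'`. That last key limits the overwrite to requests that arrive from the proxy; if the "too many redirects" loop on direct access to 192.168.1.4 is caused by the global overwritewebroot sending the jail to a path it does not serve itself (an assumption, not something the thread confirms), that condition is what removes it.

```nginx
# Added example (not from the thread): https://mycloud.cloud/nextcloud/ -> the
# Nextcloud jail at http://192.168.1.4/. Goes inside the "listen 443 ssl"
# server block for mycloud.cloud, alongside the other locations.

# A bare /nextcloud would also prefix-match /nextcloud-anything; send it to the
# canonical form so the block below sees exactly one shape of path.
location = /nextcloud {
    return 301 /nextcloud/;
}

location ^~ /nextcloud/ {
    # Trailing "/" in proxy_pass: the matched prefix is stripped, so the jail,
    # which serves Nextcloud at its root, sees /index.php, /login,
    # /remote.php/dav/... rather than /nextcloud/....
    proxy_pass http://192.168.1.4/;

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;   # tells Nextcloud the client spoke https

    # Any Location header the jail emits for its own address is mapped back to
    # the public prefix (instead of "proxy_redirect off", which leaves the
    # browser with an internal http://192.168.1.4/... URL).
    proxy_redirect http://192.168.1.4/ /nextcloud/;

    # Uploads and sync: no proxy-side body limit (Nextcloud enforces its own),
    # stream request bodies instead of spooling them, allow long transfers.
    client_max_body_size    0;
    proxy_request_buffering off;
    proxy_read_timeout      3600;
}
```

After `nginx -t` and `service nginx reload`, `curl -I https://mycloud.cloud/nextcloud/` should answer with a Location header that starts with https://mycloud.cloud/nextcloud/ (Nextcloud's redirect to its login page); a Location pointing at / or at 192.168.1.4 means the config.php overwrite keys are not in effect.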

Bator92 (Cadet, joined Dec 17, 2017, 5 messages)
> I switched to the subdomain model (*.mydomain.com) instead of the mydomain.com/* model.
> Got the SSL certificates for every subdomain through Certbot as described in the OP.
>
> In my case every service (Transmission, Nextcloud, Emby and others) works without any problems, and there is no need to change the base URL.

And how can I achieve this behaviour with Nginx?
 

Maxobus (Dabbler, joined Dec 9, 2017, 15 messages)
> And how can I achieve this behaviour with Nginx?
Forward ports 80 and 443 on your router to the jail with the nginx reverse proxy config. In my case it is 192.168.1.15.
Then configure nginx.conf like this:
Code:
	server {
		listen       443 ssl;
		server_name  cloud.yourdomain.com;
		include ssl_cloud.conf;

		location / {
			proxy_pass http://192.168.1.11;
			proxy_redirect off;
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		}
	}

Where:
192.168.1.11 is my jail with Nextcloud.
cloud.yourdomain.com needs to be changed to your address.
ssl_cloud.conf is the same as ssl_common.conf in this guide, but you should change the paths to the corresponding certificates:
Code:
ssl_certificate /etc/letsencrypt/live/cloud.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.com/privkey.pem;

After that, reload nginx in the shell: # service nginx reload
Done.

Going to cloud.yourdomain.com, you will get to the Nextcloud page.

P.S. You need to add cloud.yourdomain.com in DNS, but that is out of the topic.
 
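The subdomain layout above is easier on the applications, but a name-based setup has one detail worth getting right at the proxy: whichever server block nginx treats as the default answers for any Host header, including scans of the bare public IP, and the HTTP-to-HTTPS redirect should not hard-code a single name once there are several. The configuration below is an added example, not the how-to's own nginx.conf; 192.168.1.11 (the Nextcloud jail) and cloud.yourdomain.com are the thread's values, while torrent.yourdomain.com and ssl_params.conf are assumptions.

```nginx
# Added example (not the how-to's nginx.conf): name-based vhosts with a
# catch-all. Goes inside http { }. ssl_params.conf is assumed to hold the
# shared protocol/cipher/HSTS settings from ssl_common.conf MINUS the two
# certificate lines, which differ per vhost.

# 1) Catch-all, marked default_server so that it, and not the first real vhost
#    below, answers requests whose Host header is none of our names (bare-IP
#    scans, other domains pointed at this address). 444 closes the connection
#    without sending a response.
server {
    listen 80  default_server;
    listen 443 ssl default_server;
    server_name _;
    # A TLS default_server still needs a certificate to complete the handshake;
    # any valid pair will do. On nginx >= 1.19.4, "ssl_reject_handshake on;"
    # replaces these two lines and aborts the handshake instead.
    ssl_certificate     /etc/letsencrypt/live/cloud.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.com/privkey.pem;
    return 444;
}

# 2) Plain HTTP for the real names: redirect only. $host is safe to echo here
#    because only the listed names reach this block; anything else was taken by
#    the catch-all. If certificates are issued with the http-01 webroot method,
#    the /.well-known/acme-challenge/ location has to be served from this
#    block, ahead of the redirect.
server {
    listen 80;
    server_name cloud.yourdomain.com torrent.yourdomain.com;
    return 301 https://$host$request_uri;
}

# 3) One TLS vhost per service, each with its own certbot certificate.
#    Repeat this block per name, changing server_name, the two certificate
#    paths and the upstream.
server {
    listen 443 ssl;
    server_name cloud.yourdomain.com;
    include ssl_params.conf;
    ssl_certificate     /etc/letsencrypt/live/cloud.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://192.168.1.11;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 0;   # Nextcloud uploads; the app enforces its own limit
    }
}
```

Verify the catch-all from outside: `curl -k https://<public-ip>/` and `curl -H 'Host: example.org' http://<public-ip>/` should both end with "Empty reply from server", while `curl -I http://cloud.yourdomain.com/` returns the 301 to the https URL.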

Bator92 (Cadet, joined Dec 17, 2017, 5 messages)
> [Maxobus's post above, quoted in full]

I have added another A record (nextcloud.mycloud.cloud) next to the already existing mycloud.cloud in DNS. These records point to the same public IP address. Unfortunately, I cannot generate a certificate for nextcloud.mycloud.cloud with the following command:

Code:
./letsencrypt-auto --debug certonly --standalone -d nextcloud.mycloud.cloud


I got the following error:

Code:
root@nginx_1:/certbot # ./letsencrypt-auto --debug certonly --standalone -d nextcloud.mycloud.cloud
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for nextcloud.mycloud.cloud
Waiting for verification...
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
	sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 861, in main
	return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 786, in certonly
	lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 85, in _get_and_save_cert
	lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
	certr, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 318, in obtain_certificate
	self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
	self._respond(resp, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
	self._poll_challenges(chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
	raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. nextcloud.mycloud.cloud (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 135b459e6ec2823f8017cb16431e9801.3f93d87c279ab3bcccc17ea87341119e.acme.invalid from 84.3.166.109:443. Received 2 certificate(s), first certificate had names "mycloud.cloud"
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nextcloud.mycloud.cloud
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   135b459e6ec2823f8017cb16431e9801.3f93d87c279ab3bcccc17ea87341119e.acme.invalid
   from 84.3.166.109:443. Received 2 certificate(s), first certificate
   had names "mycloud.cloud"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

 
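The failure above is not a DNS problem. The standalone authenticator starts its own listener, but port 443 on the router is already forwarded to the running nginx, so the CA's validation connection was answered by nginx with the existing certificate; that is what "Received 2 certificate(s), first certificate had names "mycloud.cloud"" reports. The tls-sni-01 challenge type in that log has since been retired by Let's Encrypt in any case. The block below is an added example, not from the how-to, of the other arrangement: nginx serves the http-01 challenge files itself, so certbot never needs to own a port. The webroot directory /usr/local/www/acme is an assumption; the hostnames are the thread's.

```nginx
# Added example (not from the how-to): port-80 server that answers ACME http-01
# challenges from disk and redirects everything else to HTTPS. The webroot
# /usr/local/www/acme is assumed; certbot creates .well-known/acme-challenge/
# underneath it and removes the token file when validation is done.
server {
    listen 80;
    server_name mycloud.cloud nextcloud.mycloud.cloud;

    # ^~ takes priority over any regex location, and this block must sit ahead
    # of the redirect: the CA fetches http://<name>/.well-known/acme-challenge/<token>
    # over plain HTTP and must receive the token file, not a 301 or a proxied app.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/acme;
        default_type text/plain;   # token files carry no extension
        try_files $uri =404;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

Create the directory, run `nginx -t` and `service nginx reload`, then request the certificate with certbot's webroot authenticator (the same program that letsencrypt-auto wraps): `certbot certonly --webroot -w /usr/local/www/acme -d nextcloud.mycloud.cloud`. Add a `listen 443 ssl` server block for nextcloud.mycloud.cloud whose ssl_certificate and ssl_certificate_key point at /etc/letsencrypt/live/nextcloud.mycloud.cloud/, reload again, and renew later with `certbot renew --deploy-hook "service nginx reload"`. If you would rather keep the standalone authenticator, it has to own the port during validation: `certbot certonly --standalone --preferred-challenges http --pre-hook "service nginx stop" --post-hook "service nginx start" -d nextcloud.mycloud.cloud`, at the cost of a short outage on every renewal.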

Jan Banan (Cadet, joined May 12, 2015, 9 messages)
I'm on FreeNAS 11.1. I made an iocage jail that seems to work fine. I have followed the how-to a couple of times, and I keep getting this error when trying to start nginx:
Code:
Performing sanity check on nginx configuration:
nginx: [emerg] unknown directive "check" in /usr/local/etc/nginx/ssl_common.conf:9
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
Starting nginx.
nginx: [emerg] unknown directive "check" in /usr/local/etc/nginx/ssl_common.conf:9
/usr/local/etc/rc.d/nginx: WARNING: failed to start nginx

If I comment out line 9, I get the same error on the next line in the file, and so on. Commenting out ssl_common.conf in nginx.conf starts it without any errors. Any tips, or additional info I can give to help figure this out?
 

ZodiacUHD (Patron, joined Aug 28, 2015, 226 messages)
It would help to see what is in your line 9 of ssl_common.conf. Can you post your nginx file and your ssl_common.conf?
 

Jan Banan (Cadet, joined May 12, 2015, 9 messages)
Sure, here is the nginx.conf:

Code:
#user  nobody;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#

#pid		logs/nginx.pid;


events {
	worker_connections  1024;
}


http {
	include	   mime.types;
	default_type  application/octet-stream;

	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
	#				  '$status $body_bytes_sent "$http_referer" '
	#				  '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log  logs/access.log  main;

	sendfile		on;
	#tcp_nopush	 on;

	#keepalive_timeout  0;
	keepalive_timeout  65;

	#gzip  on;

	server {
		listen 443;
		ssl on;
		server_name  www.mydomain.com;
		include ssl_common.conf;
		include proxy_setup.conf;

		#charset koi8-r;

		#access_log  logs/host.access.log  main;

		location / {
			root   /usr/local/www/nginx;
			index  index.html index.htm;
		}

		#error_page  404			  /404.html;

		# redirect server error pages to the static page /50x.html
		#
		error_page   500 502 503 504  /50x.html;
		location = /50x.html {
			root   /usr/local/www/nginx-dist;
		}

		# proxy the PHP scripts to Apache listening on 127.0.0.1:80
		#
		#location ~ \.php$ {
		#	proxy_pass   http://127.0.0.1;
		#}

		# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
		#
		#location ~ \.php$ {
		#	root		   html;
		#	fastcgi_pass   127.0.0.1:9000;
		#	fastcgi_index  index.php;
		#	fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
		#	include		fastcgi_params;
		#}

		# deny access to .htaccess files, if Apache's document root
		# concurs with nginx's one
		#
		#location ~ /\.ht {
		#	deny  all;
		#}
	}


	# another virtual host using mix of IP-, name-, and port-based configuration
	#
	#server {
	#	listen	   8000;
	#	listen	   somename:8080;
	#	server_name  somename  alias  another.alias;

	#	location / {
	#		root   html;
	#		index  index.html index.htm;
	#	}
	#}


	# HTTPS server
	#
	#server {
	#	listen	   443 ssl;
	#	server_name  localhost;

	#	ssl_certificate	  cert.pem;
	#	ssl_certificate_key  cert.key;

	#	ssl_session_cache	shared:SSL:1m;
	#	ssl_session_timeout  5m;

	#	ssl_ciphers  HIGH:!aNULL:!MD5;
	#	ssl_prefer_server_ciphers  on;

	#	location / {
	#		root   html;
	#		index  index.html index.htm;
	#	}
	#}

}

And here is the ssl_common.conf:
Code:

# Thanks to https://cipherli.st/ for providing a great reference! Please
check out their site
# to make sure your SSL Configuration is up to date with current
standards! Be aware that in this
# example we use a slightly liberal cipherlist to allow for older
browsers on older devices, Eg.
# IE8, android 2.4, etc
# Enable Perfect Forward Secrecy (PFS)
ssl_prefer_server_ciphers on;
ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;
# Disable SSLv2 and SSLv3 (BEAST and POODLE attacks)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Enable our strong DH Key
ssl_dhparam /usr/local/etc/ssl/dhparams.pem;
# Cipher-list for PFS.
ssl_ciphers
"EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GC$
ssl_ecdh_curve secp384r1;
# Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Requires nginx >= 1.5.9
ssl_stapling on;
# Requires nginx >= 1.3.7
ssl_stapling_verify on;
# Requires nginx => 1.3.7
resolver 8.8.8.8 4.4.4.4 valid=300s;
resolver_timeout 5s;
# HSTS Support
add_header Strict-Transport-Security
"max-age=63072000;includeSubdomains; preload";
# These headers can break applications, be careful!
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff

 

ZodiacUHD (Patron, joined Aug 28, 2015, 226 messages)
> [Jan Banan's post above, quoted in full]


Looks like it's formatted all wrong... Is this the way it looks in your file?
 

Jan Banan (Cadet, joined May 12, 2015, 9 messages)
> Looks like it's formatted all wrong... Is this the way it looks in your file?
That's what it looks like. The only thing I changed was the part after http, as described in the how-to.
 

ZodiacUHD (Patron, joined Aug 28, 2015, 226 messages)
The NGINX conf is fine, but make a new ssl_common.conf to be formatted as the one in my first post.
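The error in Jan Banan's post is the file layout, not the directives. nginx reads a configuration as directives terminated by ';' and comments that run from '#' to the end of the line only, so a comment that an editor or a copy-paste has wrapped onto a second line turns that second line ("check out their site") into a directive named check, which is exactly the message in the log. The file below is an added example of the same settings laid out correctly, not the guide's own ssl_common.conf, with the protocol list, the resolver addresses and the HSTS line updated where the original was out of date; each change is commented. The certificate paths are the thread's; everything else is a choice made here.

```nginx
# Added example, not the guide's file: ssl_common.conf laid out so that every
# comment sits on its own line. nginx comments run from '#' to END OF LINE;
# a comment wrapped onto a second line makes that line a directive.

# Certificate pair written by certbot (paths from the thread)
ssl_certificate     /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;

# Protocols: TLS 1.0 and 1.1 are deprecated (RFC 8996); the original allowed them.
# Drop the "TLSv1.3" token on nginx older than 1.13.0, which rejects it.
ssl_protocols TLSv1.2 TLSv1.3;

# Ciphers: ECDHE (forward secrecy) with AEAD suites only. OpenSSL silently
# skips names it does not know (e.g. CHACHA20 on 1.0.2), so the list is safe
# on older builds as long as at least one suite remains.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;

# No DHE suite is listed above, so a dhparam file would never be used:
# ssl_dhparam /usr/local/etc/ssl/dhparams.pem;

# Session resumption. Tickets stay off: nginx picks one ticket key at start-up
# and never rotates it on its own, which undermines forward secrecy over time.
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# OCSP stapling. Verification needs the issuer chain, and the resolver is what
# nginx uses to reach the OCSP responder. The original listed 4.4.4.4, which
# is not a Google resolver; Google's pair is 8.8.8.8 and 8.8.4.4.
ssl_stapling            on;
ssl_stapling_verify     on;
ssl_trusted_certificate /etc/letsencrypt/live/www.mydomain.com/chain.pem;
resolver         8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# HSTS. "includeSubDomains; preload" commits EVERY subdomain to HTTPS for two
# years and, once submitted to the browser preload list, is slow to undo.
# Start without those two tokens; add them deliberately.
add_header Strict-Transport-Security "max-age=63072000" always;

# Caveat: add_header is not merged across levels. A location{} that sets any
# add_header of its own loses all of these, and proxied applications (Nextcloud
# among them) send their own X-Frame-Options and Content-Security-Policy; a
# conflicting value added by the proxy can break them.
add_header X-Frame-Options        DENY    always;
add_header X-Content-Type-Options nosniff always;
```

`nginx -t` reports the file and line of any wrapped comment that remains. Two further points about the nginx.conf posted above it: `listen 443;` plus `ssl on;` is the pre-1.15.0 spelling and `listen 443 ssl;` replaces both, and the file already defines `location /` itself while also including proxy_setup.conf, so if that include defines `location /` too, nginx refuses to start with a "duplicate location" error.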
 