As with all of these tutorials, the instructions should generally stand for any of the main cloud providers. This tutorial has some steps specific to Alibaba Cloud, mainly regarding configuring the security group for inbound access to port 443, but they are minor and can be skipped over for other providers.<\/p>\n
A few words about Domain Registration<\/h4>\n
Many people will register a domain through their hosting company, I recommend against that. I much prefer to keep my domain registration and hosting separate, this provides a more robust framework in case of unseen problems with your hosting providers infrastructure. That is to say, if your hosting goes down but your domain is registered elswhere, then it is very easy to just change your nameservers and get your site back online quickly.<\/p>\n<\/div>\n
I recommend Namecheap<\/a> or iwantmyname<\/a>\u00a0for domain registry, they are primarily domain registrars and resolve DNS and Nameserver changes quickly.<\/p>\n It goes without saying that you’ll need to have a registered domain to use for this tutorial, in my case I have a domain registered with Namecheap specifically for testing purposes and tutorials, the aptly chosen an-example-domain.com<\/a><\/p>\n Visit your Alibaba ECS console and make your way to the Alibaba Cloud DNS section. Then click the blue button in the top left to add a Domain Name:<\/p>\n A pop up box will appear with a text entry field, enter your domain name here and confirm:<\/p>\n Your domain will now appear in the list of Domain Names in the Alibaba Cloud DNS settings page.<\/p>\n Now we need to configure some DNS records to get everything working properly. Click the configure link that is highlighted in the screenshot below:<\/p>\n The link will take you to a configurations page where you can add your DNS records:<\/p>\n In my case, as mentioned earlier, my domain is registered with a third party domain registrar, that means my domain is using my registrar’s domain name server. As you can see in the screenshot above, Alibaba cloud DNS immediately checks the records and throws a warning telling me that I need to change my domain’s nameservers.<\/p>\n To do that, go to your domain registrar and locate the setting for DNS. Somewhere in the settings there will be a button for ‘Change Nameservers’ or ‘Use Custom Nameservers’, or something similar. With my domain at Namecheap it’s found in a dropdown called ‘Custom DNS’ under the ‘Nameservers’ setting, illustrated below:<\/p>\n Enter the nameservers provided by Alibaba and click save.<\/p>\n Now return to the Alibaba Cloud DNS settings page, and add DNS records for your domain. For this tutorial we are only adding two A<\/span> records. A<\/span> records are for your server’s ipv4 address, if this were a production site you would also need to add matching AAAA<\/span> records for ipv6 address, and several other records, such as an MX<\/span> record for your email server etc.<\/p>\n Add one type A<\/span> record for the Host @<\/span>, and another for the Host www<\/span>. The shortest TTL (Time Till Live) setting allowed by Alibaba’s DNS system is 10 minutes, which means that these changes will take at least that long to take effect on their end, although for changes to propagate across the internet can take up to 24 hours or more.<\/p>\n Your settings should look something like this:<\/p>\n Did I mention that I find that changes in DNS settings made with dedicated domain registrars tend to propagate faster than with hosting providers? I did, my apologies for belaboring a point.<\/p>\n In any case, you can check to see if your DNS changes have propagated with a service like whatsmydns.com<\/a> or by using the Domain Information Groper<\/a> dig<\/span> terminal command.<\/p>\n Once these changes have propagated you should be able to visit your site by using the domain, with or without the www subdomain:<\/p>\n Now we have our domains configured properly so we can visit our server with a url, we can begin to install our SSL certificates.<\/p>\n The web is moving towards a more secure future. SSL certificates protect visitors of your site by enabling HTTPS encryption on web servers. In the past SSL certificates were a moderately expensive addition to your hosting deemed only necessary for eCommerce sites or other sites that transmitted sensitive information.<\/p>\n Things have changed since those days, now it is considered best practice in web development to secure all sites with an SSL certificate. This has additional benefits to just increasing security, the latest generation of the HTTP protocol, HTTP\/2, requires an SSL certificate to be installed before it can be used. HTTP\/2 can dramatically increase the speed of a well configured site due to a range of improvements such as Single Connection Loads, Multiplexing, Header Compression, and more. You can find out more about HTTP\/2 here<\/a>.<\/p>\n There is also the not inconsequential matter that sites without SSL certificates are now being penalised by Google, with Chrome even throwing warnings for unsecured sites.<\/p>\n Let’s Encrypt<\/a>\u00a0is a free, automated, and open certificate authority (CA) provided by the Internet Security Research Group<\/a>, they have almost single-handedly accelerated the widespread adoption of SSL certificates in recent years, we should all be very grateful.<\/p>\n We will be using the Let’s Encrypt Certbot to obtain a free SSL certificate, Certbot is an awesome package that will automatically make most of the necessary NGINX configuration changes.<\/p>\n We will be installing the certbot<\/span> software from Let’s Encrypt’s separate external repository. That means we will need to add a new repository to our apt<\/span> package manager.<\/p>\n Unfortunately our Instance’s Ubuntu installation doesn’t have the required package installed to allow us to add external repositories.<\/p>\n Not to worry, that’s a quick fix, just enter the following command to install said package:<\/p>\n With that additional package we can now install certbot<\/span> with the following commands.<\/p>\n To add the repository:<\/p>\n Then update the package list to pick up the new repository’s package information:<\/p>\n And finally, install certbot<\/span> with apt-get<\/span>:<\/p>\n Now Certbot is ready to use, but before we can use it, we need to configure NGINX some more.<\/p>\n Yes I know, I did say Certbot can automatically configure the SSL for NGINX and add the necessary settings in the NGINX configuration file server block. But before it can do that NGINX needs to be configured for your domain name, at present it is only configured for an IP address.<\/p>\n Let’s update the config file:<\/p>\n Now replace the servers ipv4 address on the server_name<\/span> line with your domain name, remember to add both the domain with and without www<\/span> :<\/p>\n Your NGINX default config file server block should look something like the following:<\/p>\n Since the NGINX config file has been changed, it should be checked for syntax errors again:<\/p>\n All being well, reload it to load in the new configuration:<\/p>\n With these changes made, Certbot will now be able to locate the correct server block and update it automatically.<\/p>\n Next we’ll update the UFW firewall to allow HTTPS traffic.<\/p>\n The UFW firewall we configured previously in the series has only been configured for HTTP connections, this now needs adjusting to allow HTTPS traffic.<\/p>\n To do this we will allow ‘Nginx Full’ first:<\/p>\n And then delete the redundant ‘Nginx HTTP’ profile that we previously allowed:<\/p>\n Finally, check the firewall status with:<\/p>\n Your terminal should output the following:<\/p>\n With our firewall configured properly, we would normally be ready to obtain our SSL certificate, but Alibaba Cloud Hosting is a little bit different however.<\/p>\n Remember all that time ago, when we first provisioned the ECS instance, we added it to a Security Group? That\u00a0is Alibaba Cloud nonmenclature for their firewall, so that’s where we need to go now.<\/p>\n In the Alibaba Cloud Security Groups, you will see the default security group you attached, click the link to configure it’s rules:<\/p>\n For HTTPS connections with an SSL, we need our server to be listening on Port 443. Currently the security group has no rule configured to allow inbound connections to the server on this port.<\/p>\n Add a rule for Port 443 as follows:<\/p>\n Now<\/em> we’re ready to run Certbot to obtain and configure our SSL certificates, and configure server settings.<\/p>\n We will use Certbot’s NGINX plugin to obtain an SSL certificate for our domain, it will automagically take care of configuring NGINX and reloading the config when necessary. Enter the following command, using your own domain name:<\/p>\n This command runs certbot<\/span> with the aforementioned –nginx<\/span> plugin, and uses -d<\/span> to specify the domain names for which the certificate will be valid.<\/p>\n If everything was succesful certbot<\/span> will check to verify you control your domain, and upon verification will issue your certificate and ask you how you would like to configure your HTTPS settings:<\/p>\n I recommend to configure the redirects so that all traffic is served via HTTPS.<\/p>\n At this point you will be able to access your site using https:\/\/<\/span>, and you will get the reassuring green lock and security indicator.<\/p>\n Even though your site is secured with an SSL, it is using weak Diffie-Hellman parameters which means that the initial key exchange is still more vulnerable than we may wish.<\/p>\n To fix this create a new dhparam.pem<\/span> file and add it to the server<\/span> block.<\/p>\n Create the file using openssl<\/span>:<\/p>\n This may take some time, and will look like this:<\/p>\n When this process is complete, open up the default sites NGINX config file again:<\/p>\n And paste in the following code, this can be anywhere inside the server<\/span> block:<\/p>\n The entire server block should look like the following, notice the SSL configuration settings that have also been added by certbot:<\/span><\/p>\n Save the file and close the editor. And since we have altered the NGINX configuration again, we will need to check the syntax again:<\/p>\n If there are no errors, reload NGINX:<\/p>\nPart One – Configuring your Domain<\/h2>\n
Step 1. Add a Domain to Alibaba Cloud DNS<\/h2>\n
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/add_3rd_party_domain_alibaba-600x375.png\")
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/enter_domain_name-600x375.png\")
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/configure_domain-600x375.png\")
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/nameserver_error-600x375.png\")
Step 2. Change Nameservers at your domain registrar<\/h2>\n
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/change_your_domains_nameservers-600x120.png\")
Step 3. Enter DNS records<\/h2>\n
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/configured_dns_records_www_@-600x375.png\")
Step 4. Test your domain<\/h2>\n
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/domain_being_served-600x375.png\")
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/www_domain_being_served-600x375.png\")
Part Two – Securing NGINX with Let’s Encrypt SSL certificates<\/h2>\n
Step 5. Configuring Ubuntu to enable access to external repositories<\/h2>\n
$ sudo apt-get install -y software-properties-common\r\n<\/pre>\n
Step 6. Installing Certbot<\/h2>\n
$ sudo add-apt-repository ppa:certbot\/certbot\r\n<\/pre>\n
$ sudo apt-get update\r\n<\/pre>\n
$ sudo apt-get install python-certbot-nginx\r\n<\/pre>\n
Step 7. Setting up NGINX to serve domains<\/h2>\n
$ sudo nano \/etc\/nginx\/sites-available\/default\r\n<\/pre>\n
server_name an-example-domain.com<\/span> www.an-example-domain.com<\/span>;\r\n<\/pre>\n![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/setup_nginx_for_domains-600x613.png\")
$ sudo nginx -t\r\n<\/pre>\n
$ sudo systemctl reload nginx\r\n<\/pre>\n
Step 8. Updating the UFW Firewall<\/h2>\n
$ sudo ufw allow 'Nginx Full'\r\n<\/pre>\n
$ sudo ufw delete allow 'Nginx HTTP'\r\n<\/pre>\n
$ sudo ufw status\r\n<\/pre>\n
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/set_ufw_for_nginx_https-600x468.png\")
Step 9. Configure Alibaba Cloud Security Group for HTTPS connections<\/h2>\n
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/security_groups_overview-600x375.png\")
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/add_443_security_group_rule-600x375.png\")
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/security_group_with_443_ready_for_ssl-1-600x375.png\")
Step 10. Obtaining a Let’s Encrypt SSL Certificate<\/h2>\n
$ sudo certbot --nginx -d domain.com<\/span> -d www.domain.com<\/span>\r\n<\/pre>\n![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/configure_htst-600x175.png\")
Step. 11 Increase SSL security – Update Diffie-Hellman Parameters<\/h2>\n
$ sudo openssl dhparam -out \/etc\/ssl\/certs\/dhparam.pem 2048\r\n<\/pre>\n
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/update_diffie_hellman-600x612.png\")
$ sudo nano \/etc\/nginx\/sites-available\/default\r\n<\/pre>\n
ssl_dhparam \/etc\/ssl\/certs\/dhparam.pem;\r\n<\/pre>\n
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/add_ssl_dhparam_complete_default_config-600x685.png\")
$ sudo nginx -t\r\n<\/pre>\n
$ sudo systemctl reload nginx\r\n<\/pre>\n
![\"\"](\"https:\/\/learningcurve.xyz\/wp-content\/uploads\/2017\/10\/https_www_domain_working-600x375.png\")