docs: Add nginx reverse-proxy example

matifali · matifali · commit 2c7f0cfd9af7 · 2023-02-13T17:56:42.000+03:00
This PR adds nginx reverse-proxy example to provision coder with tls certificate using letsencrypt certbot. This will partially resolve #6086.
diff --git a/docs/admin/configure.md b/docs/admin/configure.md
@@ -46,7 +46,8 @@ subdomain that resolves to Coder (e.g. `*.coder.example.com`).
 
 The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and accompanying configuration flags. However, Coder can also run behind a reverse-proxy to terminate TLS certificates from LetsEncrypt, for example.
 
-- Example: [Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy)
+- Caddy: [Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy)
+- Nginx: [Run Coder with Nginx and LetsEncrypt](https://../../../examples/web-server/nginx)
 
 ## PostgreSQL Database
 
diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md
@@ -0,0 +1,100 @@
+# How to use nginx as a reverse-proxy with letsencrypt
+
+## Requirements
+
+1. You'll need a subdomain and the a wildcard subdomain configured that resolves to server.
+2. Install **nginx** (assuming you're on debian/ubuntu):
+
+- `sudo apt install nginx`
+
+3. Stop **nginx** :
+
+- `sudo service stop nginx`
+
+## Adding Coder deployment subdomain
+
+> this example assumes coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`.
+
+- create a new file for this app : `sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN`
+
+- and activate this file : `sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN`
+
+## Install and configure letsencrypt certbot
+
+Install letsencrypt **certbot** : follow the instructions on [certbot website](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard)
+
+## Create dns provider credentials
+
+- Create an API token for the dns provider you're using : e.g cloudflare [here](https://dash.cloudflare.com/profile/api-tokens) with the following permissions :
+  - Zone - DNS - Edit
+- Create a file in `.secrets/certbot/cloudflare.ini` with the following content :
+  - `dns_cloudflare_api_token = YOUR_API_TOKEN`
+
+## Create the certificate
+
+- Create the wildcard certificate :
+
+```console
+sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com *.coder.example.com
+```
+
+## Configure nginx
+
+Edit the file with : `sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN` and add the following content :
+
+```nginx
+server {
+    server_name YOUR_SUBDOMAIN;
+
+    # HTTP configuration
+    listen 80;
+    listen [::]:80;
+
+    # HTTP to HTTPS
+    if ($scheme != "https") {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    # HTTPS configuration
+    listen [::]:443 ssl ipv6only=on; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    location / {
+        proxy_pass  http://127.0.0.1:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $server_name;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    }
+}
+```
+
+> Don't forget to change :
+>
+> - `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com`
+> - the port and ip in `proxy_pass` if applicable
+
+## Automatic certificates refreshing
+
+- Create a new file in `/etc/cron.weekly` : `sudo touch /etc/cron.weekly/certbot`
+- Make it executable : `sudo chmod +x /etc/cron.weekly/certbot`
+- And add this code :
+
+```sh
+#!/bin/sh
+sudo certbot renew -q
+```
+
+## Restart nginx
+
+- `sudo service nginx restart`
+
+And that's it, you should now be able to access coder via `https://YOUR_SUBDOMAIN` !
