|
2 | 2 |
|
3 | 3 | ## Requirements
|
4 | 4 |
|
5 |
| -1. Start a Coder deployment with a wildcard subdomain. See [this guide](https://coder.com/docs/coder/v1.20/setup/installation#step-1-create-a-subdomain) for more information. |
6 |
| -1. You'll need a subdomain and the a wildcard subdomain configured that resolves to server's public ip. |
| 5 | +1. Start a Coder deployment with a wildcard subdomain. See [this guide](https://coder.com/docs/v2/latest/admin/configure#wildcard-access-url) for more information. |
| 6 | + |
| 7 | +2. You'll need a subdomain and the a wildcard subdomain configured that resolves to server's public ip. |
| 8 | + |
7 | 9 | > For example, to use `coder.example.com` as your subdomain, configure `coder.example.com` and `*.coder.example.com` to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard.
|
8 | 10 |
|
9 |
| -2. Install NGINX (assuming you're on Debian/Ubuntu): |
| 11 | +3. Install NGINX (assuming you're on Debian/Ubuntu): |
10 | 12 |
|
11 |
| - ```console |
12 |
| - sudo apt install nginx |
13 |
| - ``` |
| 13 | + ```console |
| 14 | + sudo apt install nginx |
| 15 | + ``` |
14 | 16 |
|
15 |
| -3. Stop NGINX service: |
| 17 | +4. Stop NGINX service: |
16 | 18 |
|
17 |
| - ```console |
18 |
| - sudo systemctl stop nginx |
19 |
| - ``` |
| 19 | + ```console |
| 20 | + sudo systemctl stop nginx |
| 21 | + ``` |
20 | 22 |
|
21 | 23 | ## Adding Coder deployment subdomain
|
22 | 24 |
|
23 | 25 | > This example assumes Coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`.
|
24 | 26 |
|
25 | 27 | 1. Create NGINX configuration for this app:
|
26 | 28 |
|
27 |
| - ```console |
28 |
| - sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN |
29 |
| - ``` |
| 29 | + ```console |
| 30 | + sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN |
| 31 | + ``` |
30 | 32 |
|
31 | 33 | 2. Activate this file:
|
32 | 34 |
|
33 |
| - ```console |
34 |
| - sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN |
35 |
| - ``` |
| 35 | + ```console |
| 36 | + sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN |
| 37 | + ``` |
36 | 38 |
|
37 | 39 | ## Install and configure LetsEncrypt Certbot
|
38 | 40 |
|
|
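Review bot: the renumbered requirement "You'll need a subdomain and the a wildcard subdomain configured that resolves to server's public ip" carries the typo over from the removed line and now largely restates the new item 1, which already says a wildcard subdomain is needed. Suggest either folding it into item 1 or rewording it to "You'll need a subdomain and a wildcard subdomain configured that resolve to your server's public IP", keeping the `coder.example.com` / `*.coder.example.com` example that follows. Minor: "Stop NGINX service" reads better as "Stop the NGINX service".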
41 | 43 | ## Create DNS provider credentials
|
42 | 44 |
|
43 | 45 | 1. Create an API token for the DNS provider you're using: e.g [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions:
|
44 |
| - - Zone - DNS - Edit |
| 46 | + |
| 47 | + - Zone - DNS - Edit |
45 | 48 |
|
46 | 49 | 2. Create a file in `.secrets/certbot/cloudflare.ini` with the following content:
|
47 | 50 |
|
48 |
| - ```ini |
49 |
| - dns_cloudflare_api_token = YOUR_API_TOKEN |
50 |
| - ``` |
| 51 | + ```ini |
| 52 | + dns_cloudflare_api_token = YOUR_API_TOKEN |
| 53 | + ``` |
51 | 54 |
|
52 | 55 | 3. Set the correct permissions:
|
53 | 56 |
|
54 |
| - ```console |
55 |
| - sudo chmod 600 ~/.secrets/certbot/cloudflare.ini |
56 |
| - ``` |
| 57 | + ```console |
| 58 | + sudo chmod 600 ~/.secrets/certbot/cloudflare.ini |
| 59 | + ``` |
57 | 60 |
|
58 | 61 | ## Create the certificate
|
59 | 62 |
|
60 | 63 | 1. Create the wildcard certificate:
|
61 | 64 |
|
62 |
| - ```console |
63 |
| - sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com -d *.coder.example.com |
64 |
| - ``` |
| 65 | + ```console |
| 66 | + sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com -d *.coder.example.com |
| 67 | + ``` |
65 | 68 |
|
66 | 69 | ## Configure nginx
|
67 | 70 |
|
68 | 71 | 1. Edit the file with:
|
69 | 72 |
|
70 |
| - ```console |
71 |
| - sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN |
72 |
| - ``` |
| 73 | + ```console |
| 74 | + sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN |
| 75 | + ``` |
73 | 76 |
|
74 | 77 | 2. Add the following content:
|
75 | 78 |
|
76 |
| - ```nginx |
77 |
| - server { |
78 |
| - server_name YOUR_SUBDOMAIN *.YOUR_SUBDOMAIN; |
79 |
| - |
80 |
| - # HTTP configuration |
81 |
| - listen 80; |
82 |
| - listen [::]:80; |
83 |
| - |
84 |
| - # HTTP to HTTPS |
85 |
| - if ($scheme != "https") { |
86 |
| - return 301 https://$host$request_uri; |
87 |
| - } |
88 |
| - |
89 |
| - # HTTPS configuration |
90 |
| - listen [::]:443 ssl ipv6only=on; |
91 |
| - listen 443 ssl; |
92 |
| - ssl_certificate /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem; |
93 |
| - ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem; |
94 |
| - |
95 |
| - location / { |
96 |
| - proxy_pass http://127.0.0.1:3000; # Change this to your coder deployment port default is 3000 |
97 |
| - proxy_http_version 1.1; |
98 |
| - proxy_set_header Upgrade $http_upgrade; |
99 |
| - proxy_set_header Host $host; |
100 |
| - proxy_set_header X-Real-IP $remote_addr; |
101 |
| - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
102 |
| - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; |
103 |
| - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; |
104 |
| - } |
105 |
| - } |
106 |
| - ``` |
| 79 | + ```nginx |
| 80 | + server { |
| 81 | + server_name YOUR_SUBDOMAIN *.YOUR_SUBDOMAIN; |
| 82 | +
|
| 83 | + # HTTP configuration |
| 84 | + listen 80; |
| 85 | + listen [::]:80; |
| 86 | +
|
| 87 | + # HTTP to HTTPS |
| 88 | + if ($scheme != "https") { |
| 89 | + return 301 https://$host$request_uri; |
| 90 | + } |
| 91 | +
|
| 92 | + # HTTPS configuration |
| 93 | + listen [::]:443 ssl ipv6only=on; |
| 94 | + listen 443 ssl; |
| 95 | + ssl_certificate /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem; |
| 96 | + ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem; |
| 97 | +
|
| 98 | + location / { |
| 99 | + proxy_pass http://127.0.0.1:3000; # Change this to your coder deployment port default is 3000 |
| 100 | + proxy_http_version 1.1; |
| 101 | + proxy_set_header Upgrade $http_upgrade; |
| 102 | + proxy_set_header Host $host; |
| 103 | + proxy_set_header X-Real-IP $remote_addr; |
| 104 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 105 | + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; |
| 106 | + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; |
| 107 | + } |
| 108 | + } |
| 109 | + ``` |
107 | 110 |
|
108 | 111 | > Don't forget to change:
|
109 | 112 | >
|
|
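Review bot: `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` forwards whatever the client placed in its own X-Forwarded-Proto request header rather than the scheme NGINX actually terminated, so a client can tell Coder it arrived over HTTPS when it did not (or the reverse); since this NGINX is the TLS endpoint it should be `proxy_set_header X-Forwarded-Proto $scheme;`. The WebSocket settings set `Upgrade` but not `Connection`, and NGINX does not pass that hop-by-hop header upstream on its own, so add `proxy_set_header Connection "upgrade";` (or the usual `map $http_upgrade $connection_upgrade` pattern) or the workspace terminal and agent connections, which run over WebSockets, will fail through the proxy. Two smaller points in the same hunk: `-d *.coder.example.com` is unquoted and subject to shell globbing, so quote it as `-d '*.coder.example.com'`; and the credentials file is created at `.secrets/certbot/cloudflare.ini` but protected and read at `~/.secrets/certbot/cloudflare.ini`, so the create step should use the same path as the `chmod 600` step, which matters because the token in that file can edit the zone's DNS.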
113 | 116 |
|
114 | 117 | 1. Create a new file in `/etc/cron.weekly`:
|
115 | 118 |
|
116 |
| - ```console |
117 |
| - sudo touch /etc/cron.weekly/certbot |
118 |
| - ``` |
| 119 | + ```console |
| 120 | + sudo touch /etc/cron.weekly/certbot |
| 121 | + ``` |
119 | 122 |
|
120 | 123 | 2. Make it executable:
|
121 | 124 |
|
122 |
| - ```console |
123 |
| - sudo chmod +x /etc/cron.weekly/certbot |
124 |
| - ``` |
| 125 | + ```console |
| 126 | + sudo chmod +x /etc/cron.weekly/certbot |
| 127 | + ``` |
125 | 128 |
|
126 | 129 | 3. And add this code:
|
127 | 130 |
|
128 |
| - ```sh |
129 |
| - #!/bin/sh |
130 |
| - sudo certbot renew -q |
131 |
| - ``` |
| 131 | + ```sh |
| 132 | + #!/bin/sh |
| 133 | + sudo certbot renew -q |
| 134 | + ``` |
132 | 135 |
|
133 | 136 | ## Restart NGINX
|
134 | 137 |
|
|
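Review bot: `sudo certbot renew -q` renews the certificate files but never tells NGINX to reload, so the running server keeps serving the old certificate until someone restarts it by hand, and once the old one expires clients see a certificate error. Suggest `certbot renew -q --deploy-hook "systemctl reload nginx"`; the `sudo` is redundant because jobs in `/etc/cron.weekly` already run as root. Worth a sentence in the doc as well: the Debian/Ubuntu certbot package installs its own renewal timer, so this weekly job duplicates it, and Let's Encrypt recommends attempting renewal more often than weekly so a failed attempt can be retried before expiry.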