From 2c7f0cfd9af7f75655001fdce1beffcabcdeae34 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 17:56:42 +0300 Subject: [PATCH 01/31] docs: Add nginx reverse-proxy example This PR adds nginx reverse-proxy example to provision coder with tls certificate using letsencrypt certbot. This will partially resolve #6086. --- docs/admin/configure.md | 3 +- examples/web-server/nginx/README.md | 100 ++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 examples/web-server/nginx/README.md diff --git a/docs/admin/configure.md b/docs/admin/configure.md index ea28afaa403ef..4baa230b2752a 100644 --- a/docs/admin/configure.md +++ b/docs/admin/configure.md @@ -46,7 +46,8 @@ subdomain that resolves to Coder (e.g. `*.coder.example.com`). The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and accompanying configuration flags. However, Coder can also run behind a reverse-proxy to terminate TLS certificates from LetsEncrypt, for example. -- Example: [Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy) +- Caddy: [Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy) +- Nginx: [Run Coder with Nginx and LetsEncrypt](https://../../../examples/web-server/nginx) ## PostgreSQL Database diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md new file mode 100644 index 0000000000000..996cd04733951 --- /dev/null +++ b/examples/web-server/nginx/README.md 
@@ -0,0 +1,100 @@ +# How to use nginx as a reverse-proxy with letsencrypt + +## Requirements + +1. You'll need a subdomain and the a wildcard subdomain configured that resolves to server. +2. Install **nginx** (assuming you're on debian/ubuntu): + +- `sudo apt install nginx` + +3. Stop **nginx** : + +- `sudo service stop nginx` + +## Adding Coder deployment subdomain + +> this example assumes coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`. + +- create a new file for this app : `sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN` + +- and activate this file : `sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN` + +## Install and configure letsencrypt certbot + +Install letsencrypt **certbot** : follow the instructions on [certbot website](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard) + +## Create dns provider credentials + +- Create an API token for the dns provider you're using : e.g cloudflare [here](https://dash.cloudflare.com/profile/api-tokens) with the following permissions : + - Zone - DNS - Edit +- Create a file in `.secrets/certbot/cloudflare.ini` with the following content : + - `dns_cloudflare_api_token = YOUR_API_TOKEN` + +## Create the certificate + +- Create the wildcard certificate : + +```console +sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com *.coder.example.com +``` + +## Configure nginx + +Edit the file with : `sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN` and add the following content : + +```nginx +server { + server_name YOUR_SUBDOMAIN; + + # HTTP configuration + listen 80; + listen [::]:80; + + # HTTP to HTTPS + if ($scheme != "https") { + return 301 https://$host$request_uri; + } # managed by Certbot + + # HTTPS configuration + listen [::]:443 ssl ipv6only=on; # managed by Certbot + listen 443 ssl; # managed by Certbot + ssl_certificate 
/etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + location / { + proxy_pass http://127.0.0.1:3000; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $server_name; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + } +} +``` + +> Don't forget to change : +> +> - `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` +> - the port and ip in `proxy_pass` if applicable + +## Automatic certificates refreshing + +- Create a new file in `/etc/cron.weekly` : `sudo touch /etc/cron.weekly/certbot` +- Make it executable : `sudo chmod +x /etc/cron.weekly/certbot` +- And add this code : + +```sh +#!/bin/sh +sudo certbot renew -q +``` + +## Restart nginx + +- `sudo service nginx restart` + +And that's it, you should now be able to access coder via `https://YOUR_SUBDOMAIN` ! From d29da64902474666b24f33c9eaebc7af4e1628f1 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 18:03:37 +0300 Subject: [PATCH 02/31] change nginx example to to absolute path --- docs/admin/configure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/configure.md b/docs/admin/configure.md index 4baa230b2752a..64c08ef3fe371 100644 --- a/docs/admin/configure.md +++ b/docs/admin/configure.md 
@@ -47,7 +47,7 @@ subdomain that resolves to Coder (e.g. `*.coder.example.com`). The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and accompanying configuration flags. However, Coder can also run behind a reverse-proxy to terminate TLS certificates from LetsEncrypt, for example. - Caddy: [Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy) -- Nginx: [Run Coder with Nginx and LetsEncrypt](https://../../../examples/web-server/nginx) +- Nginx: [Run Coder with Nginx and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/nginx) ## PostgreSQL Database From 3c247a5e4b5d8d76365f1474976c22b8f37f2f86 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:39:07 +0300 Subject: [PATCH 03/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 996cd04733951..2aada509253b6 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -1,4 +1,4 @@ -# How to use nginx as a reverse-proxy with letsencrypt +# How to use NGINX as a reverse-proxy with LetsEncrypt ## Requirements From 8a961763af17a867f2af5fa0a751e92eb5e333d1 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:39:24 +0300 Subject: [PATCH 04/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 2aada509253b6..29c8f073f86e7 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md 
@@ -3,7 +3,7 @@ ## Requirements 1. You'll need a subdomain and the a wildcard subdomain configured that resolves to server. -2. Install **nginx** (assuming you're on debian/ubuntu): +2. Install **nginx** (assuming you're on Debian/Ubuntu): - `sudo apt install nginx` From 4f25817386328f001a21ef9ee0d13b0ee75fde2d Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:39:51 +0300 Subject: [PATCH 05/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 29c8f073f86e7..1b56a6eb493fb 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -13,7 +13,7 @@ ## Adding Coder deployment subdomain -> this example assumes coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`. +> This example assumes Coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`. - create a new file for this app : `sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN` From 099428ac3b91f13f19193b91decc0c4db44fe59a Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:40:00 +0300 Subject: [PATCH 06/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 1b56a6eb493fb..76a55f73ed353 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md 
@@ -19,7 +19,7 @@ - and activate this file : `sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN` -## Install and configure letsencrypt certbot +## Install and configure LetsEncrypt Certbot Install letsencrypt **certbot** : follow the instructions on [certbot website](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard) From d3913b3c726b2f38d330a96b478cb30545c2c594 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:40:15 +0300 Subject: [PATCH 07/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 76a55f73ed353..d469fc616cd6e 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -15,9 +15,9 @@ > This example assumes Coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`. -- create a new file for this app : `sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN` +- Create NGINX configuration for this app : `sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN` -- and activate this file : `sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN` +- Activate this file : `sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN` ## Install and configure LetsEncrypt Certbot From 7f8d7951412edef47fb1b69e31e7a0de449d8086 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:40:40 +0300 Subject: [PATCH 08/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index d469fc616cd6e..5e53ae7b4cbdc 100644 
--- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -21,7 +21,7 @@ ## Install and configure LetsEncrypt Certbot -Install letsencrypt **certbot** : follow the instructions on [certbot website](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard) +Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard) ## Create dns provider credentials From 3d306a4945d60c1e3f1aeafb3e88770fc07c3461 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:40:50 +0300 Subject: [PATCH 09/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 5e53ae7b4cbdc..37cdba3c560ce 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -93,7 +93,7 @@ server { sudo certbot renew -q ``` -## Restart nginx +## Restart NGINX - `sudo service nginx restart` From 69eb387be85b664a4bed4471b9191a26e2c0126b Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:41:19 +0300 Subject: [PATCH 10/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 37cdba3c560ce..8ad2413e47ebf 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md 
@@ -23,10 +23,12 @@ Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard) -## Create dns provider credentials +## Create DNS provider credentials + +- Create an API token for the DNS provider you're using: e.g [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions: -- Create an API token for the dns provider you're using : e.g cloudflare [here](https://dash.cloudflare.com/profile/api-tokens) with the following permissions : - Zone - DNS - Edit + - Create a file in `.secrets/certbot/cloudflare.ini` with the following content : - `dns_cloudflare_api_token = YOUR_API_TOKEN` From c1111b323b888f853d374c5983cd2441147a56e6 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:41:35 +0300 Subject: [PATCH 11/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 8ad2413e47ebf..9c2201f919955 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -34,7 +34,7 @@ Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbo ## Create the certificate -- Create the wildcard certificate : +- Create the wildcard certificate: ```console sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com *.coder.example.com From af32c58ed0ac074519f41d6e412fdcf4397ac3c2 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:41:46 +0300 Subject: [PATCH 12/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 9c2201f919955..80950cc8aadd7 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -99,4 +99,4 @@ sudo certbot renew -q - `sudo service nginx restart` -And that's it, you should now be able to access coder via `https://YOUR_SUBDOMAIN` ! +And that's it, you should now be able to access Coder via `https://YOUR_SUBDOMAIN`! From b672a1fd81620cab712d241a0b926be9134fc0a9 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:41:58 +0300 Subject: [PATCH 13/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 80950cc8aadd7..732272f1cbd29 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -84,7 +84,7 @@ server { > - `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` > - the port and ip in `proxy_pass` if applicable -## Automatic certificates refreshing +## Refresh certificates automatically - Create a new file in `/etc/cron.weekly` : `sudo touch /etc/cron.weekly/certbot` - Make it executable : `sudo chmod +x /etc/cron.weekly/certbot` From f08025992d8be6b293a4e3130eb1f2dcbd0a4321 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:42:09 +0300 Subject: [PATCH 14/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 732272f1cbd29..155a81aa456ac 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md 
@@ -9,7 +9,9 @@ 3. Stop **nginx** : -- `sudo service stop nginx` + ```console + sudo service stop nginx + ``` ## Adding Coder deployment subdomain From 838e008235ed332ebec4e78d0c41e29b457f6b06 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 19:42:23 +0300 Subject: [PATCH 15/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 155a81aa456ac..217c34b80c257 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -7,7 +7,7 @@ - `sudo apt install nginx` -3. Stop **nginx** : +3. Stop NGINX: ```console sudo service stop nginx From 23dd1e3db19ea4d0c18e9468dfcd189f94cccd60 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 22:08:47 +0300 Subject: [PATCH 16/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 217c34b80c257..f4710050c2174 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -5,7 +5,9 @@ 1. You'll need a subdomain and the a wildcard subdomain configured that resolves to server. 2. Install **nginx** (assuming you're on Debian/Ubuntu): -- `sudo apt install nginx` + ```console + sudo apt install nginx + ``` 3. Stop NGINX: From 7a7e7e4aeff867d30c7c9ec8132b1916af627905 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 22:09:44 +0300 Subject: [PATCH 17/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index f4710050c2174..1fe389b2cb188 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -19,7 +19,7 @@ > This example assumes Coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`. -- Create NGINX configuration for this app : `sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN` +- Create NGINX configuration for this app: `sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN` - Activate this file : `sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN` From a5abc856093bf701983d21800d6366f6af3be825 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 22:24:30 +0300 Subject: [PATCH 18/31] refactor: replaced bullets with numbered lists --- examples/web-server/nginx/README.md | 137 ++++++++++++++++------------ 1 file changed, 81 insertions(+), 56 deletions(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 1fe389b2cb188..816f3c1a991ef 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -3,6 +3,7 @@ ## Requirements 1. You'll need a subdomain and the a wildcard subdomain configured that resolves to server. + 2. Install **nginx** (assuming you're on Debian/Ubuntu): ```console 
@@ -12,76 +13,90 @@ 3. Stop NGINX: ```console - sudo service stop nginx - ``` + sudo service stop nginx + ``` ## Adding Coder deployment subdomain > This example assumes Coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`. -- Create NGINX configuration for this app: `sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN` +1. Create NGINX configuration for this app: + + ```console + sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN + ``` + +2. Activate this file : -- Activate this file : `sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN` + ```console + sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN + ``` ## Install and configure LetsEncrypt Certbot -Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard) +1. Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard) ## Create DNS provider credentials -- Create an API token for the DNS provider you're using: e.g [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions: +1. Create an API token for the DNS provider you're using: e.g [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions: + - Zone - DNS - Edit - - Zone - DNS - Edit +2. Create a file in `.secrets/certbot/cloudflare.ini` with the following content : -- Create a file in `.secrets/certbot/cloudflare.ini` with the following content : - - `dns_cloudflare_api_token = YOUR_API_TOKEN` + - `dns_cloudflare_api_token = YOUR_API_TOKEN` ## Create the certificate -- Create the wildcard certificate: +1. 
Create the wildcard certificate: -```console -sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com *.coder.example.com -``` + ```console + sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com *.coder.example.com + ``` ## Configure nginx -Edit the file with : `sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN` and add the following content : - -```nginx -server { - server_name YOUR_SUBDOMAIN; - - # HTTP configuration - listen 80; - listen [::]:80; - - # HTTP to HTTPS - if ($scheme != "https") { - return 301 https://$host$request_uri; - } # managed by Certbot - - # HTTPS configuration - listen [::]:443 ssl ipv6only=on; # managed by Certbot - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - - location / { - proxy_pass http://127.0.0.1:3000; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $server_name; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; +1. Edit the file with : + + ```console + sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN + ``` + +2. 
Add the following content : + + ```nginx + server { + server_name YOUR_SUBDOMAIN; + + # HTTP configuration + listen 80; + listen [::]:80; + + # HTTP to HTTPS + if ($scheme != "https") { + return 301 https://$host$request_uri; + } + + # HTTPS configuration + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + location / { + proxy_pass http://127.0.0.1:3000; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $server_name; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + } } -} -``` + ``` > Don't forget to change : > @@ -90,17 +105,27 @@ server { ## Refresh certificates automatically -- Create a new file in `/etc/cron.weekly` : `sudo touch /etc/cron.weekly/certbot` -- Make it executable : `sudo chmod +x /etc/cron.weekly/certbot` -- And add this code : +1. Create a new file in `/etc/cron.weekly` : + + ```console + sudo touch /etc/cron.weekly/certbot + ``` + +2. Make it executable : + + ```console + sudo chmod +x /etc/cron.weekly/certbot + ``` + +3. And add this code : -```sh -#!/bin/sh -sudo certbot renew -q -``` + ```sh + #!/bin/sh + sudo certbot renew -q + ``` ## Restart NGINX - `sudo service nginx restart` -And that's it, you should now be able to access Coder via `https://YOUR_SUBDOMAIN`! +And that's it, you should now be able to access Coder at `https://YOUR_SUBDOMAIN`! From 3f1353ece3cf2cd578b0e56727f4cf3baff3b3ab Mon Sep 17 00:00:00 2001 
From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 22:31:36 +0300 Subject: [PATCH 19/31] remove the ambiguous ip addr. --- examples/web-server/nginx/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 816f3c1a991ef..4099255f33b11 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -85,7 +85,7 @@ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { - proxy_pass http://127.0.0.1:3000; + proxy_pass http://127.0.0.1:3000; # Change this to your coder deployment port default is 3000 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; @@ -101,7 +101,6 @@ > Don't forget to change : > > - `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` -> - the port and ip in `proxy_pass` if applicable ## Refresh certificates automatically From 8e5531ded1ef88944bc0e07b35e9b7dbf2e01210 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 22:39:26 +0300 Subject: [PATCH 20/31] fixed a typo --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 4099255f33b11..3cfc96fc8e6bc 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -50,7 +50,7 @@ 1. Create the wildcard certificate: ```console - sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com *.coder.example.com + sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com -d *.coder.example.com ``` ## Configure nginx From 8c343f0d638fdaf584b2aeb201d923461390c06c Mon Sep 17 00:00:00 2001 
From: Muhammad Atif Ali Date: Mon, 13 Feb 2023 23:19:10 +0300 Subject: [PATCH 21/31] correctly handle the wildcard subdomain --- examples/web-server/nginx/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 3cfc96fc8e6bc..1eae2eafc6633 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -65,7 +65,7 @@ ```nginx server { - server_name YOUR_SUBDOMAIN; + server_name YOUR_SUBDOMAIN *.YOUR_SUBDOMAIN; # HTTP configuration listen 80; @@ -89,7 +89,7 @@ proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $server_name; + proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; From 86e7dae083f9584aa434e9187ff4e77511688203 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 14 Feb 2023 01:10:50 +0300 Subject: [PATCH 22/31] simplified after testing --- examples/web-server/nginx/README.md | 41 +++++++++++++++++------------ 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 1eae2eafc6633..0b6e37dfeb61d 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md 
@@ -2,18 +2,20 @@ ## Requirements -1. You'll need a subdomain and the a wildcard subdomain configured that resolves to server. +1. Start a Coder deployment with a wildcard subdomain. See [this guide](https://coder.com/docs/coder/v1.20/setup/installation#step-1-create-a-subdomain) for more information. +1. You'll need a subdomain and the a wildcard subdomain configured that resolves to server's public ip. + > For example, to use `coder.example.com` as your subdomain, configure `coder.example.com` and `*.coder.example.com` to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard. -2. Install **nginx** (assuming you're on Debian/Ubuntu): +2. Install NGINX (assuming you're on Debian/Ubuntu): ```console sudo apt install nginx ``` -3. Stop NGINX: +3. Stop NGINX service: ```console - sudo service stop nginx + sudo systemctl stop nginx ``` ## Adding Coder deployment subdomain @@ -26,7 +28,7 @@ sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN ``` -2. Activate this file : +2. Activate this file: ```console sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN @@ -41,9 +43,17 @@ 1. Create an API token for the DNS provider you're using: e.g [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions: - Zone - DNS - Edit -2. Create a file in `.secrets/certbot/cloudflare.ini` with the following content : +2. Create a file in `.secrets/certbot/cloudflare.ini` with the following content: - - `dns_cloudflare_api_token = YOUR_API_TOKEN` + ```ini + dns_cloudflare_api_token = YOUR_API_TOKEN + ``` + +3. Set the correct permissions: + + ```console + sudo chmod 600 ~/.secrets/certbot/cloudflare.ini + ``` ## Create the certificate @@ -55,13 +65,13 @@ ## Configure nginx -1. Edit the file with : +1. Edit the file with: ```console sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN ``` -2. Add the following content : +2. Add the following content: ```nginx server { 
@@ -81,14 +91,11 @@ listen 443 ssl; ssl_certificate /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { proxy_pass http://127.0.0.1:3000; # Change this to your coder deployment port default is 3000 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -98,25 +105,25 @@ } ``` -> Don't forget to change : +> Don't forget to change: > > - `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` ## Refresh certificates automatically -1. Create a new file in `/etc/cron.weekly` : +1. Create a new file in `/etc/cron.weekly`: ```console sudo touch /etc/cron.weekly/certbot ``` -2. Make it executable : +2. Make it executable: ```console sudo chmod +x /etc/cron.weekly/certbot ``` -3. And add this code : +3. And add this code: ```sh #!/bin/sh @@ -125,6 +132,6 @@ ## Restart NGINX -- `sudo service nginx restart` +- `sudo systemctl restart nginx` And that's it, you should now be able to access Coder at `https://YOUR_SUBDOMAIN`! From 7d28e51b71a51407a3a8173c501bbd4817c7c8d8 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 14 Feb 2023 01:27:20 +0300 Subject: [PATCH 23/31] fmt: prettier formatting --- examples/web-server/nginx/README.md | 143 ++++++++++++++-------------- 1 file changed, 73 insertions(+), 70 deletions(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index 0b6e37dfeb61d..aac9b26439711 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md 
@@ -2,21 +2,23 @@ ## Requirements -1. Start a Coder deployment with a wildcard subdomain. See [this guide](https://coder.com/docs/coder/v1.20/setup/installation#step-1-create-a-subdomain) for more information. -1. You'll need a subdomain and the a wildcard subdomain configured that resolves to server's public ip. +1. Start a Coder deployment with a wildcard subdomain. See [this guide](https://coder.com/docs/v2/latest/admin/configure#wildcard-access-url) for more information. + +2. You'll need a subdomain and the a wildcard subdomain configured that resolves to server's public ip. + > For example, to use `coder.example.com` as your subdomain, configure `coder.example.com` and `*.coder.example.com` to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard. -2. Install NGINX (assuming you're on Debian/Ubuntu): +3. Install NGINX (assuming you're on Debian/Ubuntu): - ```console - sudo apt install nginx - ``` + ```console + sudo apt install nginx + ``` -3. Stop NGINX service: +4. Stop NGINX service: - ```console - sudo systemctl stop nginx - ``` + ```console + sudo systemctl stop nginx + ``` ## Adding Coder deployment subdomain @@ -24,15 +26,15 @@ 1. Create NGINX configuration for this app: - ```console - sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN - ``` + ```console + sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN + ``` 2. Activate this file: - ```console - sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN - ``` + ```console + sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN + ``` ## Install and configure LetsEncrypt Certbot 
@@ -41,69 +43,70 @@ ## Create DNS provider credentials 1. Create an API token for the DNS provider you're using: e.g [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions: - - Zone - DNS - Edit + + - Zone - DNS - Edit 2. Create a file in `.secrets/certbot/cloudflare.ini` with the following content: - ```ini - dns_cloudflare_api_token = YOUR_API_TOKEN - ``` + ```ini + dns_cloudflare_api_token = YOUR_API_TOKEN + ``` 3. Set the correct permissions: - ```console - sudo chmod 600 ~/.secrets/certbot/cloudflare.ini - ``` + ```console + sudo chmod 600 ~/.secrets/certbot/cloudflare.ini + ``` ## Create the certificate 1. Create the wildcard certificate: - ```console - sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com -d *.coder.example.com - ``` + ```console + sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com -d *.coder.example.com + ``` ## Configure nginx 1. Edit the file with: - ```console - sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN - ``` + ```console + sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN + ``` 2. 
Add the following content: - ```nginx - server { - server_name YOUR_SUBDOMAIN *.YOUR_SUBDOMAIN; - - # HTTP configuration - listen 80; - listen [::]:80; - - # HTTP to HTTPS - if ($scheme != "https") { - return 301 https://$host$request_uri; - } - - # HTTPS configuration - listen [::]:443 ssl ipv6only=on; - listen 443 ssl; - ssl_certificate /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem; - - location / { - proxy_pass http://127.0.0.1:3000; # Change this to your coder deployment port default is 3000 - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; - } - } - ``` + ```nginx + server { + server_name YOUR_SUBDOMAIN *.YOUR_SUBDOMAIN; + + # HTTP configuration + listen 80; + listen [::]:80; + + # HTTP to HTTPS + if ($scheme != "https") { + return 301 https://$host$request_uri; + } + + # HTTPS configuration + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem; + + location / { + proxy_pass http://127.0.0.1:3000; # Change this to your coder deployment port default is 3000 + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + } + } + ``` > Don't forget to change: 
> @@ -113,22 +116,22 @@ 1. Create a new file in `/etc/cron.weekly`: - ```console - sudo touch /etc/cron.weekly/certbot - ``` + ```console + sudo touch /etc/cron.weekly/certbot + ``` 2. Make it executable: - ```console - sudo chmod +x /etc/cron.weekly/certbot - ``` + ```console + sudo chmod +x /etc/cron.weekly/certbot + ``` 3. And add this code: - ```sh - #!/bin/sh - sudo certbot renew -q - ``` + ```sh + #!/bin/sh + sudo certbot renew -q + ``` ## Restart NGINX From a642933d5ff3a0cee9cedc3c1598ec63c7d64c30 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 14 Feb 2023 01:36:37 +0300 Subject: [PATCH 24/31] Adapt to the coder style guide --- examples/web-server/nginx/README.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index aac9b26439711..a24221ff09856 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -4,7 +4,7 @@ 1. Start a Coder deployment with a wildcard subdomain. See [this guide](https://coder.com/docs/v2/latest/admin/configure#wildcard-access-url) for more information. -2. You'll need a subdomain and the a wildcard subdomain configured that resolves to server's public ip. +2. Configure your DNS provider to point your YOUR_SUBDOMAIN and \*.YOUR_SUBDOMAIN to your server's public ip. > For example, to use `coder.example.com` as your subdomain, configure `coder.example.com` and `*.coder.example.com` to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard. @@ -108,9 +108,14 @@ } ``` -> Don't forget to change: -> -> - `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` + > Don't forget to change: + > `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` + +3. Test the configuration: + + ```console + sudo nginx -t + ``` ## Refresh certificates automatically 
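Review bot: In the NGINX block re-indented by the `@@ -41,69 +43,70 @@` hunk of patch 23, `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` copies whatever `X-Forwarded-Proto` the client sent (or an empty value when it sent none) instead of the scheme NGINX actually terminated, so a client can tell Coder it arrived over `https` or `http` at will. Since this proxy is the TLS endpoint, the header should come from NGINX's own view: `proxy_set_header X-Forwarded-Proto $scheme;`. Formatting-only change, so a follow-up is fine, but this is the line people copy.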
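Review bot: The renewal script in the `@@ -113,22 +116,22 @@` hunk of patch 23 runs `sudo certbot renew -q` from `/etc/cron.weekly`, where scripts already execute as root, so `sudo` is redundant. The bigger gap is that `certbot renew` only rewrites the files under `/etc/letsencrypt/live/`; the `server` block above loads the certificate at startup, so the renewed one is not served until NGINX is reloaded. Add `--deploy-hook "systemctl reload nginx"` to the command. Also, certbot installed from the snap or the Debian/Ubuntu package already ships a renewal timer, so this cron entry is only needed for a pip install.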
@@ -135,6 +140,8 @@ ## Restart NGINX -- `sudo systemctl restart nginx` +```console +sudo systemctl restart nginx +``` And that's it, you should now be able to access Coder at `https://YOUR_SUBDOMAIN`! From 77149bccfed46573f56d6952aa9abcfaa0b493b3 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Tue, 14 Feb 2023 12:01:05 +0300 Subject: [PATCH 25/31] fix: agent disconnection --- examples/web-server/nginx/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index a24221ff09856..ebf28debfebbf 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -99,6 +99,7 @@ proxy_pass http://127.0.0.1:3000; # Change this to your coder deployment port default is 3000 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From 4b5362c59feb4cf9dfebff8520aed6ffefdd4549 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 15:54:20 +0300 Subject: [PATCH 26/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index ebf28debfebbf..a6323fd42e42c 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md 
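Review bot: `proxy_set_header Connection upgrade;` in the patch 25 hunk makes NGINX send `Connection: upgrade` on every proxied request, including plain HTTP requests that carry no `Upgrade` header. It does restore the WebSocket handshake the agent needs, but the conventional form only does so when the client asked for it: a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` block outside the `server` block and `proxy_set_header Connection $connection_upgrade;` here. While touching this `location`, long-lived agent and terminal connections will also be cut by NGINX's default `proxy_read_timeout` of 60s when idle; raising it avoids a second kind of disconnect.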
@@ -4,7 +4,7 @@ 1. Start a Coder deployment with a wildcard subdomain. See [this guide](https://coder.com/docs/v2/latest/admin/configure#wildcard-access-url) for more information. -2. Configure your DNS provider to point your YOUR_SUBDOMAIN and \*.YOUR_SUBDOMAIN to your server's public ip. +2. Configure your DNS provider to point your YOUR_SUBDOMAIN and \*.YOUR_SUBDOMAIN to your server's public IP address. > For example, to use `coder.example.com` as your subdomain, configure `coder.example.com` and `*.coder.example.com` to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard. From 35247ed96cb5df298b764fa3e29935b7f579add8 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 15:54:29 +0300 Subject: [PATCH 27/31] Update docs/admin/configure.md Co-authored-by: Ben Potter --- docs/admin/configure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/configure.md b/docs/admin/configure.md index 64c08ef3fe371..8e5ed24917204 100644 --- a/docs/admin/configure.md +++ b/docs/admin/configure.md @@ -47,7 +47,7 @@ subdomain that resolves to Coder (e.g. `*.coder.example.com`). The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and accompanying configuration flags. However, Coder can also run behind a reverse-proxy to terminate TLS certificates from LetsEncrypt, for example. - Caddy: [Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy) -- Nginx: [Run Coder with Nginx and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/nginx) +- NGINX: [Run Coder with Nginx and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/nginx) ## PostgreSQL Database From 30163f4358ffd9576b7c1d8f9364d95e64a3dcaf Mon Sep 17 00:00:00 2001 
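Review bot: The capitalisation fix in the patch 26 hunk stops one line short: the blockquote that follows still reads "your server's public ip". Same hunk, same fix.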
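Review bot: In the patch 27 hunk the bullet label becomes `NGINX`, but the link text on the same line still says "Run Coder with Nginx and LetsEncrypt"; make both match (the README itself uses NGINX throughout).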
From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 15:57:46 +0300 Subject: [PATCH 28/31] Update examples/web-server/nginx/README.md Co-authored-by: Ben Potter --- examples/web-server/nginx/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index a6323fd42e42c..df1a26d1d1c9f 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -38,7 +38,7 @@ ## Install and configure LetsEncrypt Certbot -1. Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard) +1. Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal&tab=wildcard). Be sure to pick the wildcard tab and select your DNS provider for instructions to install the necessary DNS plugin. ## Create DNS provider credentials From 5b5436871fdb8bbd153ceb3e41d73f194e808561 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 16:08:08 +0300 Subject: [PATCH 29/31] updated with suggested changes --- docs/admin/configure.md | 8 ++++---- examples/web-server/nginx/README.md | 28 +++++++++++++++++----------- 2 files changed, 21 insertions(+), 15 deletions(-) diff --git a/docs/admin/configure.md b/docs/admin/configure.md index 8e5ed24917204..7132f0308d5d2 100644 --- a/docs/admin/configure.md +++ b/docs/admin/configure.md @@ -4,7 +4,7 @@ of the options, run `coder server --help` on the host. ## Access URL `CODER_ACCESS_URL` is required if you are not using the tunnel. Set this to the external URL -that users and workspaces use to connect to Coder (e.g. https://coder.example.com). This +that users and workspaces use to connect to Coder (e.g. ). This should not be localhost. > Access URL should be a external IP address or domain with DNS records pointing to Coder. 
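Review bot: The new certbot link in the patch 28 hunk selects `ws=apache` in its query string, so the reader lands on Apache instructions for an NGINX guide; `ws=nginx&os=ubuntufocal&tab=wildcard` matches this page. The added sentence about picking the wildcard tab and the DNS plugin is the useful part and should stay.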
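Review bot: The `@@ -4,7 +4,7 @@` hunk of patch 29 replaces "(e.g. https://coder.example.com)" with "(e.g. )", losing the example access URL; this looks like the formatter stripping a bare URL rather than an intended change. Restore it as an inline code span or an angle-bracket autolink so the tool leaves it alone.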
@@ -53,7 +53,7 @@ The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and a Coder uses a PostgreSQL database to store users, workspace metadata, and other deployment information. Use `CODER_PG_CONNECTION_URL` to set the database that Coder connects to. If unset, PostgreSQL binaries will be -downloaded from Maven (https://repo1.maven.org/maven2) and store all data in the config root. +downloaded from Maven () and store all data in the config root. > Postgres 13 is the minimum supported version. @@ -61,8 +61,8 @@ If you are using the built-in PostgreSQL deployment and need to use `psql` (aka the PostgreSQL interactive terminal), output the connection URL with the following command: ```console -$ coder server postgres-builtin-url -$ psql "postgres://coder@localhost:49627/coder?sslmode=disable&password=feU...yI1" +coder server postgres-builtin-url +psql "postgres://coder@localhost:49627/coder?sslmode=disable&password=feU...yI1" ``` ## System packages diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index df1a26d1d1c9f..e122d452245af 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -2,9 +2,9 @@ ## Requirements -1. Start a Coder deployment with a wildcard subdomain. See [this guide](https://coder.com/docs/v2/latest/admin/configure#wildcard-access-url) for more information. +1. Start a Coder deployment and be sure to set the following [configuration values](https://coder.com/docs/v2/latest/admin/configure):. -2. Configure your DNS provider to point your YOUR_SUBDOMAIN and \*.YOUR_SUBDOMAIN to your server's public IP address. +2. Configure your DNS provider to point your CODER_SUBDOMAIN and \*.CODER_SUBDOMAIN to your server's public IP address. > For example, to use `coder.example.com` as your subdomain, configure `coder.example.com` and `*.coder.example.com` to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard. 
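Review bot: Same regression as the access URL hunk: in the `@@ -53,7 +53,7 @@` hunk of patch 29 the Maven URL is reduced to "downloaded from Maven ()". Restore `https://repo1.maven.org/maven2` as a code span or autolink; an operator behind an egress filter needs that host name.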
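Review bot: Step 1 in the `@@ -2,9 +2,9 @@` hunk of patch 29 now says "be sure to set the following configuration values:." but lists none, and the stray ":." suggests the list was lost while editing. Either restore the values here or drop "the following".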
@@ -22,18 +22,18 @@ ## Adding Coder deployment subdomain -> This example assumes Coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`. +> This example assumes Coder is running locally on `127.0.0.1:3000` for the subdomain `CODER_SUBDOMAIN` e.g. `coder.example.com`. 1. Create NGINX configuration for this app: ```console - sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN + sudo touch /etc/nginx/sites-available/CODER_SUBDOMAIN ``` 2. Activate this file: ```console - sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN + sudo ln -s /etc/nginx/sites-available/CODER_SUBDOMAIN /etc/nginx/sites-enabled/CODER_SUBDOMAIN ``` ## Install and configure LetsEncrypt Certbot @@ -52,6 +52,12 @@ dns_cloudflare_api_token = YOUR_API_TOKEN ``` + ```console + mkdir -p ~/.secrets/certbot + touch ~/.secrets/certbot/cloudflare.ini + vi ~/.secrets/certbot/cloudflare.ini + ``` + 3. Set the correct permissions: ```console @@ -71,14 +77,14 @@ 1. Edit the file with: ```console - sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN + sudo nano /etc/nginx/sites-available/CODER_SUBDOMAIN ``` 2. Add the following content: ```nginx server { - server_name YOUR_SUBDOMAIN *.YOUR_SUBDOMAIN; + server_name CODER_SUBDOMAIN *.CODER_SUBDOMAIN; # HTTP configuration listen 80; @@ -92,8 +98,8 @@ # HTTPS configuration listen [::]:443 ssl ipv6only=on; listen 443 ssl; - ssl_certificate /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem; + ssl_certificate /etc/letsencrypt/live/CODER_SUBDOMAIN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/CODER_SUBDOMAIN/privkey.pem; location / { proxy_pass http://127.0.0.1:3000; # Change this to your coder deployment port default is 3000 
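Review bot: In the `@@ -52,6 +52,12 @@` hunk of patch 29 the `mkdir -p`/`touch`/`vi` commands that create `~/.secrets/certbot/cloudflare.ini` are inserted after the `ini` snippet showing its contents, so the reader is told what to write before the file exists. Move the console block above the `ini` block. Using `~/` here also resolves the relative `.secrets/...` path still used in the sentence above it.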
@@ -110,7 +116,7 @@ ``` > Don't forget to change: - > `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` + > `CODER_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` 3. Test the configuration: @@ -145,4 +151,4 @@ sudo systemctl restart nginx ``` -And that's it, you should now be able to access Coder at `https://YOUR_SUBDOMAIN`! +And that's it, you should now be able to access Coder at `https://CODER_SUBDOMAIN` e.g. `https://coder.example.com`. From 4d0deb6658dfe5dd8c23e8d08cb5ffd690ec8ace Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 16:26:48 +0300 Subject: [PATCH 30/31] updated with requested changes --- examples/web-server/nginx/README.md | 33 +++++++++++++++++------------ 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index e122d452245af..a94a15b4ebb4d 100644 --- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md 
@@ -2,9 +2,17 @@ ## Requirements -1. Start a Coder deployment and be sure to set the following [configuration values](https://coder.com/docs/v2/latest/admin/configure):. +1. Start a Coder deployment and be sure to set the following [configuration values](https://coder.com/docs/v2/latest/admin/configure): -2. Configure your DNS provider to point your CODER_SUBDOMAIN and \*.CODER_SUBDOMAIN to your server's public IP address. + ```console + CODER_HTTP_ADDRESS=127.0.0.1:3000 + CODER_ACCESS_URL=https://coder.example.com + CODER_WILDCARD_ACCESS_URL=*coder.example.com + ``` + + Throughout the guide, be sure to replace `coder.example.com` with the domain you intend to use with Coder. + +2. Configure your DNS provider to point your coder.example.com and \*.coder.example.com to your server's public IP address. > For example, to use `coder.example.com` as your subdomain, configure `coder.example.com` and `*.coder.example.com` to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard. @@ -22,18 +30,18 @@ ## Adding Coder deployment subdomain -> This example assumes Coder is running locally on `127.0.0.1:3000` for the subdomain `CODER_SUBDOMAIN` e.g. `coder.example.com`. +> This example assumes Coder is running locally on `127.0.0.1:3000` and that you're using `coder.example.com` as your subdomain. 1. Create NGINX configuration for this app: ```console - sudo touch /etc/nginx/sites-available/CODER_SUBDOMAIN + sudo touch /etc/nginx/sites-available/coder.example.com ``` 2. Activate this file: ```console - sudo ln -s /etc/nginx/sites-available/CODER_SUBDOMAIN /etc/nginx/sites-enabled/CODER_SUBDOMAIN + sudo ln -s /etc/nginx/sites-available/coder.example.com /etc/nginx/sites-enabled/coder.example.com ``` ## Install and configure LetsEncrypt Certbot 
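Review bot: `CODER_WILDCARD_ACCESS_URL=*coder.example.com` in the `@@ -2,9 +2,17 @@` hunk of patch 30 is missing the dot: the DNS record in step 2, the certificate SAN and `server_name` elsewhere in this guide are all `*.coder.example.com`, so the value should be `*.coder.example.com`. Two smaller points in the same hunk: the block is fenced as `console` but contains environment variable assignments, and the rewritten step 2 now says the same thing as the blockquote directly under it, so one of the two can go. `CODER_HTTP_ADDRESS=127.0.0.1:3000` is the right choice: with TLS terminated by NGINX, nothing outside the host should be able to reach the plaintext listener.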
@@ -55,7 +63,7 @@ ```console mkdir -p ~/.secrets/certbot touch ~/.secrets/certbot/cloudflare.ini - vi ~/.secrets/certbot/cloudflare.ini + nano ~/.secrets/certbot/cloudflare.ini ``` 3. Set the correct permissions: @@ -77,14 +85,14 @@ 1. Edit the file with: ```console - sudo nano /etc/nginx/sites-available/CODER_SUBDOMAIN + sudo nano /etc/nginx/sites-available/coder.example.com ``` 2. Add the following content: ```nginx server { - server_name CODER_SUBDOMAIN *.CODER_SUBDOMAIN; + server_name coder.example.com *.coder.example.com; # HTTP configuration listen 80; @@ -98,8 +106,8 @@ # HTTPS configuration listen [::]:443 ssl ipv6only=on; listen 443 ssl; - ssl_certificate /etc/letsencrypt/live/CODER_SUBDOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/CODER_SUBDOMAIN/privkey.pem; + ssl_certificate /etc/letsencrypt/live/coder.example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/coder.example.com/privkey.pem; location / { proxy_pass http://127.0.0.1:3000; # Change this to your coder deployment port default is 3000 @@ -115,8 +123,7 @@ } ``` - > Don't forget to change: - > `CODER_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` + > Don't forget to change: `coder.example.com` by your (sub)domain 3. Test the configuration: @@ -151,4 +158,4 @@ sudo systemctl restart nginx ``` -And that's it, you should now be able to access Coder at `https://CODER_SUBDOMAIN` e.g. `https://coder.example.com`. +And that's it, you should now be able to access Coder at your sub(domain) e.g. `https://coder.example.com`. From 065ed25dd4f1f952e7ae6e51a47625fee16cb40f Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 20:52:53 +0300 Subject: [PATCH 31/31] add reference to certbot docs for other dns providers --- examples/web-server/nginx/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/web-server/nginx/README.md b/examples/web-server/nginx/README.md index a94a15b4ebb4d..c09edb5099db0 100644 
--- a/examples/web-server/nginx/README.md +++ b/examples/web-server/nginx/README.md @@ -50,7 +50,9 @@ ## Create DNS provider credentials -1. Create an API token for the DNS provider you're using: e.g [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions: +> This example assumes you're using CloudFlare as your DNS provider. For other providers, refer to the [CertBot documentation](https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins). + +1. Create an API token for the DNS provider you're using: e.g. [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions: - Zone - DNS - Edit
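Review bot: The added pointer to the certbot DNS plugin docs in the patch 31 hunk is the right fix for non-Cloudflare users; while editing these lines, the vendor spells its name "Cloudflare", not "CloudFlare", in both the note and the list item.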