PIXILAB Wiki

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
blocks:server:nginx [2022-12-13 13:47] – [NGINX Reverse Proxy] adminblocks:server:nginx [2025-09-15 13:19] (current) – [Acquire Let's Encypt certificates using DNS-01 challenge] mattias
Line 9: Line 9:
 It serves all static files (those under /public), rather than passing those requests on to Blocks. Offloading such work leaves more headroom in Blocks for dealing with its more advanced functions. It serves all static files (those under /public), rather than passing those requests on to Blocks. Offloading such work leaves more headroom in Blocks for dealing with its more advanced functions.
  
-====HTTPS, Domain name and Certificate====+=====HTTPS, Domain name and Certificate=====
 The nginx reverse proxy can also manage a secure HTTPS connection, thus offloading also the work of encryption and decryption from Blocks. HTTPS is increasingly a requirement for many advanced web features. This applies also to Blocks, which is entirely web based. For instance, the Camera, QR Scanner and Locator (when using QR Code or GPS) block types may have limited or no functionality unless  a secure HTTPS connection is used. The nginx reverse proxy can also manage a secure HTTPS connection, thus offloading also the work of encryption and decryption from Blocks. HTTPS is increasingly a requirement for many advanced web features. This applies also to Blocks, which is entirely web based. For instance, the Camera, QR Scanner and Locator (when using QR Code or GPS) block types may have limited or no functionality unless  a secure HTTPS connection is used.
  
Line 21: Line 21:
 Furthermore, if you want to access your Blocks server from the internet, you'll also need connection from the internet to your Blocks server. This is often handled in your router or IT infrastructure, for example using a method known as //port forwarding//. Having your Blocks server accessible through the internet makes it easy for visitors to connect to Blocks using their mobile phones. Furthermore, if you want to access your Blocks server from the internet, you'll also need connection from the internet to your Blocks server. This is often handled in your router or IT infrastructure, for example using a method known as //port forwarding//. Having your Blocks server accessible through the internet makes it easy for visitors to connect to Blocks using their mobile phones.
  
-===Obtaining a Certificate===+====Obtaining a Certificate====
 You must obtain a HTTPS certificate from an accredited //Certificate Authority// (CA). Furthermore, since certificates expire after some time, you must renew your certificate on a regular basis. Fortunately, there's a relatively painless method available to do all of this from [[https://letsencrypt.org|Let's Eencrypt]]. The server image comes with Let's Encrypt preinstalled, so once you've got your domain name registered with a DNS (you can check this using the //nslookup// terminal command), all you need to do is: You must obtain a HTTPS certificate from an accredited //Certificate Authority// (CA). Furthermore, since certificates expire after some time, you must renew your certificate on a regular basis. Fortunately, there's a relatively painless method available to do all of this from [[https://letsencrypt.org|Let's Eencrypt]]. The server image comes with Let's Encrypt preinstalled, so once you've got your domain name registered with a DNS (you can check this using the //nslookup// terminal command), all you need to do is:
  
Line 50: Line 50:
  
 Make sure to keep the space  after //server_name// as well as the semicolon after the domain name. Save the result by pressing ctrl-O followed by the Enter key, then exit the //nano// editor by ctrl-X.  Make sure to keep the space  after //server_name// as well as the semicolon after the domain name. Save the result by pressing ctrl-O followed by the Enter key, then exit the //nano// editor by ctrl-X. 
- 
-If you want to use HTTPS for all traffic, edit the file at **/etc/nginx/conf.d/pixilab.conf** by uncommenting (removing the #-signs) the last section under "Redirect ALL http request to https", so the last section in that file looks like this: 
- 
-<code> 
-# Redirect ALL http request to https 
-server { 
-    listen 80 default_server; 
-    server_name _; 
-    return 301 https://$host$request_uri; 
-} 
-</code> 
- 
-Save and exit //nano// again. 
  
 Make sure you've set good, strong passwords on all your Blocks users. Finally, while still as the //root// user, run the following commands, pressing enter after each. The first of these commands checks your new nginx configuration for errors. Pay close attention to any error messages that may appear.  Make sure you've set good, strong passwords on all your Blocks users. Finally, while still as the //root// user, run the following commands, pressing enter after each. The first of these commands checks your new nginx configuration for errors. Pay close attention to any error messages that may appear. 
Line 86: Line 73:
 If you get stuck, and need more details, follow the official //certbot// guide found [[https://certbot.eff.org/instructions?ws=nginx&os=debianbuster|here]], keeping in mind that all installations have already been done, so you can skip the first couple of steps. If you get stuck, and need more details, follow the official //certbot// guide found [[https://certbot.eff.org/instructions?ws=nginx&os=debianbuster|here]], keeping in mind that all installations have already been done, so you can skip the first couple of steps.
  
-===Using Local Wifi===+If you want to use HTTPS for all traffic, edit the file at **/etc/nginx/conf.d/pixilab.conf** by uncommenting (removing the #-signs) the last section under "Redirect ALL http request to https", so the last section in that file looks like this: 
 + 
 +<code> 
 +# Redirect ALL http request to https 
 +server { 
 +    listen 80 default_server; 
 +    server_name _; 
 +    return 301 https://$host$request_uri; 
 +
 +</code> 
 + 
 +Save and exit //nano// again, then test your configuration and restart nginx: 
 + 
 +<code> 
 +sudo /sbin/nginx -t 
 +sudo systemctl restart nginx 
 +</code> 
 + 
 +====Using Local Wifi====
  
 While you may use a local wifi network instead of making your Blocks server internet accessible, this adds more complexity for visitors in connecting to your system, since they must first connect to your local wifi and then to your blocks server. Both of these actions can be done from most modern smartphones using QR codes – but you will need two of those, and they need to be scanned in the right order. You of course also need to provide a wifi network with adequate performance and coverage. Thus, for most visitor-facing Blocks applications, internet access is the recommended method. While you may use a local wifi network instead of making your Blocks server internet accessible, this adds more complexity for visitors in connecting to your system, since they must first connect to your local wifi and then to your blocks server. Both of these actions can be done from most modern smartphones using QR codes – but you will need two of those, and they need to be scanned in the right order. You of course also need to provide a wifi network with adequate performance and coverage. Thus, for most visitor-facing Blocks applications, internet access is the recommended method.
Line 92: Line 97:
 If you do opt for a local wifi network, your method for setting up HTTPS also becomes a bit more complicated: If you do opt for a local wifi network, your method for setting up HTTPS also becomes a bit more complicated:
  
-  - You must provide internet access to your visitors through your local wifi. This is required both to expedite the wifi connection (many phones will refuse to connect to a wifi that doesn't have internet access) and to access the DNS.+  - You must provide internet access to your visitors through your local wifi. This is required both to expedite the wifi connection (many phones will hesitate to connect to a wifi that doesn't have internet access) and to access the DNS.
   - Your DNS entry must point to the IP address of your intranet Blocks server, now (hopefully) accessible through your wifi. That means that any attempts to access it from the internet will fail (since it's only available while on the in-house wifi). An "official" DNS entry is required since many smartphones and browsers use some form of "secure DNS", such as [[https://en.wikipedia.org/wiki/DNS_over_HTTPS|DNS over HTTPS]], and will ignore any in-house DNS.   - Your DNS entry must point to the IP address of your intranet Blocks server, now (hopefully) accessible through your wifi. That means that any attempts to access it from the internet will fail (since it's only available while on the in-house wifi). An "official" DNS entry is required since many smartphones and browsers use some form of "secure DNS", such as [[https://en.wikipedia.org/wiki/DNS_over_HTTPS|DNS over HTTPS]], and will ignore any in-house DNS.
   - You can't use the automatic "certbot" method mentioned above to obtain a certificate. You must instead use a more complicated DNS-based method.    - You can't use the automatic "certbot" method mentioned above to obtain a certificate. You must instead use a more complicated DNS-based method. 
 +
 +
 +
 + 
 +
 +
 +