Differences

This shows you the differences between two versions of the page.

blocks:server:nginx [2023-03-16 17:46] – Moved "redirect all HTTP" to the bottom (admin)
blocks:server:nginx [2025-09-15 13:19] (current) – [Acquire Let's Encrypt certificates using DNS-01 challenge] (mattias)
Line 9: Line 9:
 It serves all static files (those under /public), rather than passing those requests on to Blocks. Offloading such work leaves more headroom in Blocks for dealing with its more advanced functions. It serves all static files (those under /public), rather than passing those requests on to Blocks. Offloading such work leaves more headroom in Blocks for dealing with its more advanced functions.
  
-====HTTPS, Domain name and Certificate====+=====HTTPS, Domain name and Certificate=====
 The nginx reverse proxy can also manage a secure HTTPS connection, thus offloading also the work of encryption and decryption from Blocks. HTTPS is increasingly a requirement for many advanced web features. This applies also to Blocks, which is entirely web based. For instance, the Camera, QR Scanner and Locator (when using QR Code or GPS) block types may have limited or no functionality unless  a secure HTTPS connection is used. The nginx reverse proxy can also manage a secure HTTPS connection, thus offloading also the work of encryption and decryption from Blocks. HTTPS is increasingly a requirement for many advanced web features. This applies also to Blocks, which is entirely web based. For instance, the Camera, QR Scanner and Locator (when using QR Code or GPS) block types may have limited or no functionality unless  a secure HTTPS connection is used.
  
Line 21: Line 21:
 Furthermore, if you want to access your Blocks server from the internet, you'll also need connection from the internet to your Blocks server. This is often handled in your router or IT infrastructure, for example using a method known as //port forwarding//. Having your Blocks server accessible through the internet makes it easy for visitors to connect to Blocks using their mobile phones. Furthermore, if you want to access your Blocks server from the internet, you'll also need connection from the internet to your Blocks server. This is often handled in your router or IT infrastructure, for example using a method known as //port forwarding//. Having your Blocks server accessible through the internet makes it easy for visitors to connect to Blocks using their mobile phones.
  
-===Obtaining a Certificate===+====Obtaining a Certificate====
 You must obtain a HTTPS certificate from an accredited //Certificate Authority// (CA). Furthermore, since certificates expire after some time, you must renew your certificate on a regular basis. Fortunately, there's a relatively painless method available to do all of this from [[https://letsencrypt.org|Let's Eencrypt]]. The server image comes with Let's Encrypt preinstalled, so once you've got your domain name registered with a DNS (you can check this using the //nslookup// terminal command), all you need to do is: You must obtain a HTTPS certificate from an accredited //Certificate Authority// (CA). Furthermore, since certificates expire after some time, you must renew your certificate on a regular basis. Fortunately, there's a relatively painless method available to do all of this from [[https://letsencrypt.org|Let's Eencrypt]]. The server image comes with Let's Encrypt preinstalled, so once you've got your domain name registered with a DNS (you can check this using the //nslookup// terminal command), all you need to do is:
  
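Review bot: the link label in the unchanged last line of this hunk still reads "Let's Eencrypt"; since this revision already touches the section heading, fix the spelling to "Let's Encrypt" and change "a HTTPS certificate" to "an HTTPS certificate" in the same sentence. "registered with a DNS" is also loose: what the nslookup check confirms is that the hostname resolves to the address of your server, which is the precondition for the automatic certbot method that the last hunk refers back to.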
Line 91: Line 91:
 </code> </code>
  
-===Using Local Wifi===+====Using Local Wifi====
  
 While you may use a local wifi network instead of making your Blocks server internet accessible, this adds more complexity for visitors in connecting to your system, since they must first connect to your local wifi and then to your blocks server. Both of these actions can be done from most modern smartphones using QR codes – but you will need two of those, and they need to be scanned in the right order. You of course also need to provide a wifi network with adequate performance and coverage. Thus, for most visitor-facing Blocks applications, internet access is the recommended method. While you may use a local wifi network instead of making your Blocks server internet accessible, this adds more complexity for visitors in connecting to your system, since they must first connect to your local wifi and then to your blocks server. Both of these actions can be done from most modern smartphones using QR codes – but you will need two of those, and they need to be scanned in the right order. You of course also need to provide a wifi network with adequate performance and coverage. Thus, for most visitor-facing Blocks applications, internet access is the recommended method.
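Review bot: "your blocks server" in the last line of this hunk should read "your Blocks server"; the product name is capitalized in every other occurrence on the page, including earlier in the same sentence.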
Line 97: Line 97:
 If you do opt for a local wifi network, your method for setting up HTTPS also becomes a bit more complicated: If you do opt for a local wifi network, your method for setting up HTTPS also becomes a bit more complicated:
  
-  - You must provide internet access to your visitors through your local wifi. This is required both to expedite the wifi connection (many phones will refuse to connect to a wifi that doesn't have internet access) and to access the DNS.+  - You must provide internet access to your visitors through your local wifi. This is required both to expedite the wifi connection (many phones will hesitate to connect to a wifi that doesn't have internet access) and to access the DNS.
   - Your DNS entry must point to the IP address of your intranet Blocks server, now (hopefully) accessible through your wifi. That means that any attempts to access it from the internet will fail (since it's only available while on the in-house wifi). An "official" DNS entry is required since many smartphones and browsers use some form of "secure DNS", such as [[https://en.wikipedia.org/wiki/DNS_over_HTTPS|DNS over HTTPS]], and will ignore any in-house DNS.   - Your DNS entry must point to the IP address of your intranet Blocks server, now (hopefully) accessible through your wifi. That means that any attempts to access it from the internet will fail (since it's only available while on the in-house wifi). An "official" DNS entry is required since many smartphones and browsers use some form of "secure DNS", such as [[https://en.wikipedia.org/wiki/DNS_over_HTTPS|DNS over HTTPS]], and will ignore any in-house DNS.
   - You can't use the automatic "certbot" method mentioned above to obtain a certificate. You must instead use a more complicated DNS-based method.    - You can't use the automatic "certbot" method mentioned above to obtain a certificate. You must instead use a more complicated DNS-based method. 
 +
 +
 +
 + 
 +
 +
 +
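Review bot: item 3 of the list still says only "a more complicated DNS-based method", while this revision's own summary names it; write "the DNS-01 challenge" here and, if the new section exists, link to it, so readers know which challenge type to look for. In item 1, "and to access the DNS" is ambiguous after the "refuse" to "hesitate" change; the meaning, given item 2's point about DNS over HTTPS, is that phones must be able to resolve your public hostname, so say that. The trailing added lines in this hunk are blank; drop them unless the spacing is intentional.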